By Valerie Charles, chief strategy officer, GAN Integrity
Industries face dozens upon dozens of regulations they must comply with – ranging from health and safety concerns, to labor regulations and broader corporate compliance requirements.
To grapple with these, many companies will turn to compliance professionals, who are well aware of what needs to go into a compliance program to make it effective. However, your work is not done once that program has been implemented.
It is likely that you have exerted great thought and effort in creating and setting up systems; devising the right policies; figuring out the perfect due diligence, training and whistleblowing program; selecting the right vendor and more. However, running the program is just as critical as designing it. Just as much thought and effort must be put into the monitoring and review process.
Business changes as it pursues growth goals, from beginning operations in new markets to retaining new third parties and so on. Regulations and the laws that govern your industry and your business operations change as well, thus possibly rendering initial assessments of risks obsolete. Risks constantly change and evolve, as should your compliance program. All guidance released by enforcement authorities equally emphasizes the above point: A stale program is a failed program, no matter how well your processes were designed in the first place.
The Foreign Corrupt Practices Act (FCPA), France’s Sapin II and the UK Bribery Act all equally emphasize monitoring and review to ensure that as risks change your controls adapt accordingly. Compliance officers must adopt an evaluative approach and ensure that the objectives set out by the compliance program are achieved and, whenever flaws or failures are detected, proactively addressed.
2012’s FCPA compliance guide states that “[The] DOJ and SEC evaluate whether companies regularly review and improve their compliance programs … [The] DOJ and SEC will give meaningful credit to thoughtful efforts … undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.” The same goes for the UK Bribery Act, under which “adequate procedures” can only be a defense if they were in place before a breach happened.
In a similar vein, the DOJ’s 2017 release on how to evaluate the effectiveness of compliance programs has several guiding questions that address continuous evaluation and improvement. This may take several forms, including, but not limited to, internal audits, control testing of relevant controls, and collection and analysis of relevant data – as well as evolving updates, which mainly concern updating risk assessments and reviewing internal controls. Remediation and follow-up should guide you in improving your compliance program.
These eight guidelines will help you properly monitor and review your compliance program:
- Make a plan: Put a plan in place and see it through to completion. Set one-, two- or three-year goals and make sure to measure results. Whether it is to rewrite your code of conduct or provide more and better workforce training, make sure you track the progress of your initiative to figure out whether or not your compliance program is evolving and keeping up with best practices.
- Provide training: Remember that building a human firewall is one of the most effective defenses against compliance breaches. Train your employees well. When employees recognize a reportable event and know how to report it, then you have managed to install a sound corporate compliance culture. You can even measure that engagement through survey results.
- Collect data: Gather as much data on your compliance activity as possible and consolidate that information in accurate and useful ways.
- Analyze proactively: Groom and aggregate your data. Analyze and track trends in compliance activity and report them to the proper executives. One example could be tracking trends in exception request submissions. If you have a greater number of exception requests, it could attest to your success at making people understand the policy and the process, or maybe it’s a sign that you have a bigger problem.
- Escalate: Design a well-defined and proper escalation system so that the right managers or risk owners can quickly and adequately respond to any identified red flags or breaches.
- Remediate: If failures and flaws are identified in the system, they should be addressed through the development of internal controls to match and mitigate those risks.
- Automate: By shifting from manual to automated reporting and monitoring processes, you will enable the flow of data to be constant and human intervention minimal, leaving less room for human error.
- Document: Don’t let documentation be an afterthought. Document all your efforts and keep auditable records that prove all of your compliance activities. A strong reporting system will always allow you to be prepared for any inquiry in case authorities come knocking at your door.
About the author:
Valerie serves as GAN Integrity’s chief strategy officer. With diverse industry experience, Valerie helps define and drive our strategic position in the compliance community, focused on thought leadership and growth strategy. She also leads GAN’s legal function with a focus on compliance, commercial & strategic transactions, employment, litigation and regulatory issues. Valerie has served as outside counsel, conducted internal investigations, and represented clients in connection with matters involving anti-bribery restrictions worldwide. She has also served as Associate General Counsel and Global Compliance Lead for an international technology company. Valerie Charles can be contacted at www.ganintegrity.com.