You have assessed the risk, embedded the controls, created the policies, and communicated to the business. You have spent a lot of time building the systems and procedures to support your compliance program but − are they working?
Testing for effectiveness is a vital part of a compliance program. A robust monitoring program enables organizations to identify and remediate compliance concerns before they become a major risk to the business. The goal of this testing is not solely to check if rules are being followed, but to also influence and support decision making when faced with ethical or compliance challenges.Through the process of compliance monitoring, reporting, and remediation, individuals will ultimately be better able to self-regulate and be more confident in their ability to make the right decision.
In this five-part series, I will share my thoughts and recommendations on how to build an effective monitoring program that will evolve your organization and support the continuous improvement of your compliance program.
Originating in the electronics industry, the term ‘closing the loop’ describes the actions needed to ensure a circuit is connected, working, and stable. This term is also commonly used to describe the final step in a process to make sure a cycle is complete. In the compliance world, ‘closing the loop’ means testing for program effectiveness; making sure the controls and processes in place result in the desired outcome − minimized risk.
The essential elements of a compliance program
The need to close the loop is identified in the Seven Essential Elements of a Compliance Program laid out in the US Sentencing Guidelines. Considered the gold standard road map to create a robust system of oversight, these guidelines state that, to have an effective compliance and ethics program, an organization shall:
- Exercise due diligence to prevent and detect criminal conduct; and
- Otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
To do this, a program must be designed, implemented, and enforced so that it is effective in detecting and preventing criminal or non-compliant conduct.
The guidelines also state that a company’s due diligence, relative to building and supporting a compliance program, doesn’t stop with the creation of standards. Companies must also ensure other activities take place since compliance is not a “check the box” task but a truly integrated part of an organizational structure.
Three key areas of focus
There are seven essential elements that should be used in formulating your compliance program. These can be grouped into three key areas of focus to reflect the full cycle of the program:
Assessment and administration
Activities in this category concentrate on the assessment of the compliance environment and the day-to-day administration of a program. The compliance environment is dynamic. Risks to an organization must continually be assessed. At a base level, there must be resources and effort dedicated to the program to ensure things are operating as intended and standards are enforced.
Controls and communication
The second step in the cycle of compliance is standards and protocols. Set in place to help protect the organization, these range from policies and standard operating procedures to tools and automated systems. Controls are created and implemented to help minimize the risk of non-compliance. Guidance, controls, and expectations of compliance must be communicated to the organization at large. Training and other support activities should be available to ensure everyone knows what they need to do and how to do it. The program should be perceived as having the support of leadership with communications taking place to help keep compliance top-of-mind.
Testing and reporting
The last step in the cycle of compliance is testing and reporting where reviews of activities are conducted to determine the effectiveness of programs. Results of the testing should be reported. Any risk observed should be managed through corrective and preventative actions and remediation.
In Part Two of this five-part blog series, I will talk more about the importance of testing and reporting and areas to monitor.
Can’t wait? You can listen to the entire “Closing the Loop” webinar now available on demand.