Competitive business has become synonymous with ethical business. Yet, keeping up with the heavy and complex web of regulations has made compliance all the more burdensome.
Establishing an effective compliance program has thus become a quest for any company that is not only looking to escape the long arm of the law, but also seeking to position itself as a competitive business and an ethical business partner.
The renewed focus on anticorruption laws and compliance regulations has placed even greater emphasis on building and maintaining an effective corporate compliance program. There is no single structure or program example that can be defined as the perfect program. In other words, no one-size-fits-all compliance program can attend to the specific needs of your organization; any program has to correspond to your company's risk areas, size, resources, industry segment, business locations, and so on.
That said, the main areas a compliance program needs to address can be roughly grouped into seven components:
■ Risk assessment;
■ Policies and Code of Conduct;
■ Exception requests to manage gifts and entertainment;
■ Due diligence;
■ Training;
■ Hotline and case management, and
■ Reporting and monitoring.
The complexity of the procedures underlying each component should, as stressed above, be scaled to match the needs and risks your company faces. GAN Integrity (www.ganintegrity.com) has developed an e-guide that can help you.
Successful compliance programs rest on a foundation of successful risk assessments. No amount of policy, procedure, internal control or tone at the top will accomplish much if those tools address the wrong risks in the wrong way. Yet performing risk assessments can prove a difficult art to master, not only because they encompass a dizzying range of risks (from anti-bribery and whistle-blower retaliation to data privacy, and much more), but also because no standard risk-assessment template can be applied to every risk your company contends with. Organizations face risks that are unique to their structure within their industry, their relationships with business partners, and the geography in which they operate.
To get started, decide which function will perform the compliance risk assessment. Then gather all the correct and necessary information. An effective compliance risk assessment requires the compliance officer to think expansively about the types of information needed to measure the risk in question correctly, and about which parts of the organization can help provide it. For instance, when assessing the risks around proper due diligence of third parties, the compliance function may need to enlist the procurement or accounting departments. Assessing the impact of your training program may depend much more on cooperation with the HR department.
Once company risks have been identified, they must be measured. Fundamentally, a risk assessment measures how well an organization's internal controls work to reduce the likelihood that an identified risk materializes. Conclude your findings with a summary or written report that outlines the most likely compliance failures: mainly, where internal controls are insufficient (poor accounting controls, outdated investigation procedures, unclear document retention policies, and so forth) and which areas require stronger internal control mechanisms. Ideally, the report also includes action items to be implemented. An automated platform allows you to update your risk assessment continuously. Fortunately, we are cooperating with a Singapore company, Straits Interactive, which provides an effective software platform for data privacy and corporate governance. That software also supports risk analysis and recommends which security gaps need to be addressed.
There is no doubt that as your organization expands and changes, and as the environment in which it operates changes, more risks will emerge, whether from business operations, third parties, government regulation or external forces. Keeping your risk assessment up to date is therefore vital to ensuring continuous compliance.
As noted, compliance programs are not a one-size-fits-all affair. It is essential to understand the critical components of a program and then tailor each aspect to the specific needs of the business. Technology is the backbone of any successful program, allowing compliance teams to focus on the company as a whole rather than tracking data manually. When the team can move to a more strategic position, compliance is viewed less as a crisis intervention team and more as a critical business partner.
****
Comments are welcome; assistance can be provided both regarding the e-guide of GAN Integrity and the software solution of Straits Interactive—e-mail me at Schumacher@eitsc.com.
Image credits: abthai | dreamstime.com