Keys to a Tailor-Made Compliance Program
Is there an order for implementing the processes of a compliance program? This was an interesting question from the audience after a recent webinar in which I covered the processes of a compliance program (see Figure 1).
Figure 1: Compliance Cycle
All these processes are important and often applicable to all organizations; the challenge, however, is where to start. During the webinar my colleague Ladd Muzzy and I stated that there is no required order for implementing the processes seen above. An organization can choose to begin with any process, depending on where the highest business value can be achieved or the biggest pain point can be resolved. For example, one could decide to start with documenting regulatory requirements in the Governance, Risk and Compliance (GRC) framework before performing control testing and reporting the results.
The compliance enforcement cycle
Compliance needs to be embedded in the organization, and complying is mandatory by nature. Non-compliance can have major financial as well as reputational impacts. Compliance starts with documenting control objectives derived from external requirements (laws and regulations), internal requirements (policies) and risks identified in business processes. This is not a one-time activity; it also needs to cover:
- managing changes coming from various external and internal sources
- performing impact assessments: which business activities, locations, policies, control objectives, etc. are affected by the changes
- updating processes to inform and train the organization.
The first line (business management) continuously tests control effectiveness, while the second line (Compliance) monitors successful execution of those tests by the first line. Optionally, the third line (Internal Audit) can perform independent audits of the control test results. By mapping control objectives to risks and executing compliance risk assessments, risks can be compared between business units.
Identified issues need a mitigating action plan or acceptance by the business. Timely follow-up on actions needs to be tracked, including notifications and alerts. Regulatory exams and inquiries can be treated as a specific type of action plan to ensure timely and high-quality follow-up, meet deadlines and take advantage of the information gathered in previous activities.
Empower the Management Team to interpret results and act accordingly
Reports show compliance per control objective, compliance category, external and internal requirement, activity, location, business unit, control, etc. However, it is essential to have a dashboard that gives the management team insight into the compliance status and into which issues require their immediate attention:
- What issues require immediate attention to resolve?
- What is the risk if they are not solved in a timely manner?
- How serious is the consequence of non-compliance?
- Are there any gaps in the compliance program?
- Are controls in high-risk compliance areas performing poorly, or is a specific business unit performing poorly?
- What are the causes of poor performance: people, processes or systems?
Organizations should embed a solid set of compliance processes while reducing the cost and burden of compliance. This can be achieved by implementing a sophisticated GRC software platform. All compliance steps and processes should be implemented in an integrated platform that reuses information as much as possible and provides meaningful reports to management.