Steve McGraw (US) - How to Demonstrate the Effectiveness of Your Compliance and Ethics Programs, Step-by-Step

With expanded regulations going into effect in many industries, organizations must not only show that they have compliance and ethics programs in place, but be capable of demonstrating that their programs are actually working. Regulators are increasingly working to prevent organizations from “going through the motions” of compliance and instead requiring them to proactively show the substance behind their programs.

There are several guidelines and tools available for organizations. The most commonly cited resource is the list of seven elements of effective compliance and ethics programs, which the United States Sentencing Commission revised in 2010 when it modified the U.S. Federal Sentencing Guidelines. These provisions set forth the attributes of effective compliance and ethics programs.

For any compliance self-assessment, facilitated by the use of an existing tool or some other means, the depth and timeliness of the evidence is critical to success.  For example, let’s consider a common process such as managing an organization’s code of conduct. We’ll look at various techniques, progressing from very basic and potentially high-risk, up through highly effective approaches offering increased protections and the potential for reduced sanctions and fines resulting from audits and reviews. 

1.    At the most basic level, a regulated organization should publish a code of conduct and revise it periodically. However, if this is the extent of the organization’s management of the code of conduct, an audit or review is likely to identify significant deficiencies, leaving the organization exposed to the possibility of maximum penalties in terms of fines and sanctions.

2.    Taking the next step, the organization should distribute the code of conduct directly to all employees and collect attestations indicating that the code has been read and understood.  Any compliance gaps identified should be remediated, possibly through enhanced training.  Going to this level is an improvement but may still leave an auditor wanting to know how the organization knows that employees really read and understood the code of conduct.

3.    Going a step further, the employee attestations could also include subject matter questions with scored results, allowing compliance officers to make an objective assessment of each employee’s understanding of the code of conduct.  As sub-par scores are logged, remediation tasks can be initiated, completed and logged.  This approach provides a more compelling body of evidence showing that the organization is proactively focused on assessing the effectiveness of the code of conduct using quantified measures.

4.    Having the ability to log, investigate and track any incidents related to the code of conduct, and monitor for recurring issues or trends that might require corrective actions, can also contribute to the body of evidence of a commitment to compliance.  

5.    Having the ability to make this evidentiary information available to auditors in a well-organized, easily accessible manner is also important. Maintaining time-based snapshots of this information can allow organizations to demonstrate the effectiveness of their compliance programs for any point in time.

Producing the evidence of compliance is typically the greatest challenge for an organization. This requires a determination of what the evidence needs to be, how the organization will monitor it and how often to update it so the organization has the ability at any point in time to say, “here’s the evidence that we have in place now, and here’s the evidence of the system that we had in place during the time period in question.”

Some may wonder why organizations would need to maintain this historical information. When a whistleblower submits an allegation to the government, due to bureaucracy or work backlogs, it can take regulators months or even years to come to the organization with the claim of a compliance or ethics breach.  It is critical that the organization have the ability to look back to the timeframe in question. This information must be provided accurately, consistently and confidently to the regulators in order for it to be effective – even if the whistleblower’s allegation is upheld. 

No compliance program can prevent every potential issue. But if the organization can show that it was doing the right things, with a true intent of preventing issues, this could result in a reduction in fines and sanctions. An organization is likely to incur higher fines and sanctions, as well as a higher likelihood of negative publicity, if it is found to be in violation of regulations while doing nothing, or only the bare minimum, to prevent issues and ensure the effectiveness of its compliance program. From the perspective of the board of directors for many organizations, the ability to demonstrate the effectiveness of their compliance programs is viewed as a critical component in the protection of the organization’s brand.

Steve McGraw is President and CEO of Compliance 360.

