GRC Tools and Components of an Effective Compliance Program

10 Essential Components of an Effective Compliance Program

1. Governance & Oversight

Having appropriate leadership oversight and accountability is the first essential component of an effective compliance program. Sometimes, organizations will place audit, risk, and compliance within a lower-level administrative function. While this approach can help tick some boxes, the effectiveness is greatly improved when the program’s leadership and accountability reside at the organization’s highest level. Ideally, the audit, risk, and compliance program will report directly to the Board of Directors, who will help ensure appropriate governance and oversight over the program. A strong GRC tool can help those charged with leadership, governance, and oversight stay informed and help provide the necessary assurance that the audit, risk, and compliance programs are designed and operating effectively.

2. Risk Assessment

Risk assessments can take many forms, including:

  • Risk surveys to identify top risk areas.
  • Targeted risk reviews with risk owners to evaluate the risks identified.
  • Periodic risk surveys to continually evaluate the top risk areas.

When the position of each risk is known (likelihood, impact, and other attributes), the organization can develop the appropriate response plan in the form of strategy, policy, process, and control. A GRC tool can help facilitate each type of risk assessment through automation, notifications, and reporting while also enabling effective and efficient response plans.

3. Policies, Processes, & Controls

Policies contain an organization’s standards, the rules it expects its employees to abide by. Policies should be clear, concise, and structured to remain relevant over time, minimizing the need for frequent updates. Policies should address key risk areas for a company. A good GRC tool helps ensure that every policy has a designated owner, that key risk areas are addressed, and that policies remain current and are regularly reviewed by employees.

Well-designed processes will help ensure that policies are followed in a way that is efficient and supports organizational needs. A good GRC tool helps ensure that documented processes and procedures have designated owners, that key risk areas are addressed, and that documentation remains current and is regularly reviewed by relevant employees.

Controls are the most basic activity that helps ensure that the most important risks of the organization are addressed. A good GRC tool will help ensure that key controls are assigned and operating effectively. This is facilitated through automation, notification, regular certification, and periodic testing.

4. Training & Awareness

Training & awareness activities should be tailored to employee needs to minimize the training burden while ensuring that employees are regularly trained on relevant topics. To be able to demonstrate that employees have been appropriately trained, organizations should have documentation showing that employees agree to follow company policies. Keeping this documentation is also helpful when unfortunate situations arise that require employee discipline. A good GRC tool will help facilitate the tracking of training & awareness activities such as executive messaging, policy certification, and regular training sessions.

5. Monitoring & Auditing

Management should have a way of monitoring compliance with policy and controls that does NOT rely solely on internal audit. This means that someone is tracking the regular completion of key controls so that corrective action can be applied if key controls are not performed on time or adequately. Additionally, Internal Audit’s role is to regularly test key controls, perform audits over high-risk areas, and periodically review and test the overall audit, risk, and compliance programs. A good GRC tool will facilitate these monitoring and auditing activities, including tracking any issues identified and their remediation.

6. Whistleblower Reporting

It is important that employees have a way to anonymously report concerns about the organization that might relate to top risks, compliance or ethical issues, or other concerns. This is usually most efficiently achieved through the use of an anonymous reporting website coupled with periodic email awareness campaigns, posters with QR codes and messaging to encourage reporting, and other leadership communication emphasizing the importance of reporting suspicious, unethical, illegal, or otherwise inappropriate behavior. An organization should also have a strong process for reviewing, investigating, and appropriately addressing reports. This is usually best accomplished through a committee of senior individuals from legal, audit, compliance, HR, and finance. The role of the committee is to review incoming reports and ensure each is investigated and addressed appropriately. The committee should also help ensure that the investigation team is appropriately trained and that all those involved understand the non-retaliation policy and the importance of confidentiality. A good GRC tool will help facilitate the intake, investigation, review, confidentiality, and resolution of reports.

7. Enforcement & Discipline

Unfortunately, not all employees choose to follow organizational policies. To deal with these situations, it is helpful for organizations to have disciplinary guidelines taking into account an employee’s experience, seniority, the seriousness of the infraction, and patterns of behavior to determine appropriate outcomes. A good GRC tool will support this process by tracking key compliance activities, including the completion of policy certifications, training, reported concerns, and other activities that can help in determining the culpability of the employee.

8. 3rd Party & Vendor Compliance

Living in the connected world that we do, it is not enough to ensure your own organization’s compliance. Unfortunately, we all have to perform reasonable procedures to help ensure that the organizations we do business with are also behaving in an ethical and compliant manner. This can entail sending periodic surveys, obtaining certifications, training on your organization’s policies, including appropriate terms in contracts, and notifying them of reporting methods, including your anonymous whistleblower reporting mechanism. A good GRC tool will help facilitate these activities through automation, notification, tracking, and reporting.

9. Event Response & Corrective Action

Sometimes, errors occur. Sometimes, people do bad things. Sometimes, controls fail or are ineffective. When an issue is identified, it is important that it is evaluated and remediated as appropriate. When determining the remediation plan, an organization should attempt to determine the true root cause of the issue and address it at the right level. It is also important to track these events because sometimes, a certain portion of issues comes from a specific location, department, or leader. This level of tracking helps organizations respond and address issues appropriately. A good GRC tool will help facilitate the tracking, reporting, and remediation of issues through notification, automated workflows, and reporting.

10. Continuous Improvement

It is important to regularly review the audit, risk, and compliance programs to identify areas for improvement and to keep the program current with the most recent laws, regulations, and regulatory guidance. It is also helpful to benchmark against industry standards and best practices such as the DOJ’s Guidance on Effective Compliance Programs and ISO 37301, Compliance Management Systems. A good GRC tool will be flexible to your compliance program needs, allowing an organization to continue to grow and address evolving requirements.

Strengthen Your Compliance Program with Opal

Opal can facilitate the most critical components of any high-performing compliance program. Contact us if you would like to learn more.
