Creating a compliance program: vigilance, integrity, and ethics
Business is a world with rules—with excellent reason. In the pursuit of success, the temptation to search for a shortcut can be impossible to resist. Some of the earliest regulations for businesses came in the form of labor laws, closely followed by quality standards, environmental controls, and, more recently, financial laws and data collection and privacy mandates.
Corporate compliance with these rules is not as straightforward as it sounds. The nuances of existing laws leave a lot to interpretation, and the onslaught of new regulations can keep a company scrambling. That’s why companies must implement a compliance program.
Companies need to stay on top of the changing laws—and they need to ensure that every employee is part of the effort.
What does a compliance program accomplish?
Until recently, compliance departments existed primarily to document adherence to rules. Today, however, a compliance team has greater responsibility—and a lot more at stake.
Today’s compliance activities include creating and managing systems that ensure data security and privacy, as well as physical security at every level of the company. Beyond that, these programs carry the ethical standard that guides how every person in the company behaves.
The charter of a compliance program should:
- Detect and prevent behaviors and technologies that violate various laws
- Manage the risk of non-compliance and react quickly and appropriately to potential and real violations
- Ensure that regulators and law enforcement have access to all the compliance documentation they require
- Assure company officers and the board of directors that the company is doing everything it can to manage the risk of non-compliance
- Educate employees about workplace compliance and increase their awareness of actions and behaviors that could put them and the company at risk
Okay, we need a workplace compliance program. Where should we start?
As with so many things in life, an effective corporate compliance program begins with a commitment. The first step is for the board of directors and senior management to acknowledge their responsibility to employees, shareholders, and each other.
They then need to use that commitment as the impetus for selecting people whose everyday duties are to seek out risks, surface them, and resolve the issues they find.
This team, together with a chief compliance officer (CCO), sets the tone for the program that the entire company can embrace. Taking compliance seriously, both as a legal matter and as a point of personal pride and integrity, should be baked into the corporate culture from the top down.
Take stock of where you are and where you want to be
Once you’ve established your team’s charter, it’s time to look at what you have.
Conduct a thorough audit of all your compliance procedures to learn:
- What steps the company is already taking to guard against non-compliance
- How many of the procedures in place are outdated
- Which new global and regional mandates need to be addressed, and how
Compare your policies and procedures with current laws and discover where the opportunity for improvement lies. Don’t be dismayed by what you might find. Part of this exercise is to find gaps in existing procedures and write a new policy or process where one is missing.
These are some of the questions you should be able to answer before you formalize a compliance program:
- Who is ultimately in charge?
- What happens if you’re found to be out of compliance?
- What if an employee discovers a non-compliant incident or procedure? How should that be escalated?
- What will happen if a regulation changes, or new mandates are introduced? How will you incorporate new laws?
Conduct risk assessments: what’s the worst that could happen?
What are your weak points? Where are some potential cracks in the armor? That’s where risk assessments come in. Do you know which areas of your company might be in the danger zone for non-compliance? Corporate compliance officers should work with the compliance teams to find ways to mend the cracks before they become an expensive problem.
Keeping a finger on the pulse of due diligence, access controls, investigation protocols, and disciplinary measures is a good way to get a snapshot of unacceptable risk. But metrics and documentation are what will prove your case and help you get issues resolved before they become compliance disasters.
“Some of the worst compliance failures in history came from companies with great policies; the companies simply lacked the will or ability to execute procedures that enforced those policies,” a recent paper on workplace compliance from Deloitte & Touche reported. In other words, having a policy or procedure in place doesn’t guarantee compliance. It requires governance. Someone has to know the policy, someone must be in charge of ensuring it’s carried out, and someone must oversee that the mitigation actually solves the compliance issue.
Write a plan: it’s the soul of the organization
A written compliance program is more than a set of policies. The soul of the organization lives in that document. It contains the values of the company that all employees should know and agree with.
The written program should include:
- Organizational values: What does your company value? What is your level of commitment to upholding the letter of the law and respect for privacy, customer wishes, and employee safety? Spell it out—not just for current employees, but for future ones, as well.
- Executive leadership: Leading by example, the executives and senior managers should be the ones who set the tone for expectations for the rest of the employees.
- A consistent message: When you work with third-party agencies and vendors, it’s easy for external messaging to conflict with policies. That’s why vendors must also be on board with your compliance and ethics directives.
- Freedom to speak: The best way to find out about any non-compliance is to hear it from front line employees. Employees can save lives, prevent lawsuits, and initiate improvements to the company, its compliance, and its products.
- Accountability: Who’s responsible if there is a breach? Things do go wrong, and when the senior leadership takes responsibility, while initially painful, it restores the company in the eyes of the public—and the legislators.
Keeping track of the compliance program’s progress
Testing controls and compliance levels is an essential part of any compliance program. What needs to be tested and monitored? Lawmakers publish extensive guidance on corporate compliance, and some companies go so far as to hire outside consultants to conduct tests, a sort of “secret shopper” of the compliance industry.
Either way, workplace compliance teams need to work hands-on at every level and gain an expert’s understanding of how internal controls work.
Provide employees ongoing training—and listen when they talk
Every employee should be trained annually on updates to policies and procedures, informed about new laws that will take effect, and helped to understand what those changes mean for the company and for them personally. If you have access to online training management software or a learning management system (LMS), you can purchase or produce training modules that also quiz and score each employee’s proficiency.
At the same time, however, it’s important to listen to your employees’ concerns. Whistleblowers aren’t trying to cause trouble; they want to help the company stay on the right side of the law.
In recent months, employees at some of the largest tech companies in the world voiced ethical questions about data privacy in anonymized samples, transparency in advertising, and the use of personal information to train artificial intelligence. Every issue is valid when a company is charting new territory, and it should be valued as such.
Business is complicated, but workplace compliance doesn’t have to be
It’s easy to see that corporate compliance is everyone’s job, but direction comes straight from the top. Compliance comes in the form of major initiatives, but sometimes, small changes, like a visitor management system to keep accurate and confidential visitor logs, go a long way toward achieving goals.
It cannot be overstated: compliance rules may be imposed by the business environment, but they are rooted in the basic principles of human ethics. We already know the right things to do; compliance programs help companies make sure they do them.
Want to know more about compliance? Download our newest ebook, The Essential Guide to Workplace Compliance.