For many compliance professionals, the concept of an effective compliance program is not a new one. The problem lies in trying to decipher what "effective" really means, what regulators actually look for, and how you can prove your program is effective.
Many people argue that the true goal of compliance is to create and implement processes and procedures that help mitigate the risk of a compliance breach. However, the fact remains that if a breach occurs, your ability to prove that your compliance program follows regulatory guidelines can reduce your culpability score and lead to significant reductions in fines and penalties.
To bring clarity to these ethics and compliance issues, Mitratech’s Jason Cropper recently interviewed former Department of Justice compliance consultant Hui Chen. Read the interview here.
In the meantime, we are kicking off seven weeks' worth of weekly blogs to explore each of the seven Hallmarks of an effective compliance program. Through examining these hallmarks, laid out by the Federal Sentencing Guidelines of Organizations, we can help you understand what regulators are looking for and what it takes to make your compliance efforts truly effective.
Over the next seven weeks, we will explore the following hallmarks:
- Written policies and procedures
- Program oversight
- Ethical due care
- Training and communications
- Monitoring and effectiveness
- Enforcement and internal investigations
Today, we’ll take a look at the first measure of effectiveness – a company’s written policies and procedures.
Written policies and procedures
Written policies form the basis of a company’s expectations and conduct, while procedures implement these standards. However, simply having policies and procedures is not enough.
With the February 2017 release of its “Evaluation of a Corporate Compliance Program,” the Department of Justice (DOJ) gave insight into its investigation process. The publication highlights commonly asked questions and the core investigative elements, which consider management and review, accessibility, and operational integration.
“A company’s code of conduct is often the foundation upon which an effective compliance program is built,” the publication states. The code helps ensure that policies and procedures are managed effectively, owned by the appropriate departments and individuals, and reviewed periodically. These three steps are essential elements in any compliance program.
Organizations that cannot clearly evidence the genesis and history of a policy with periodic reviews are not able to demonstrate the type of rigor regulators look for. By maintaining written policies, organizations have a chance to prove that their company places significant value on the conduct expected of its employees.
Once policies are implemented, many organizations fail to provide a clearly communicated program that is relevant and accessible to their employees.
Hui Chen challenges organizations to consider the purpose of their policies and procedures and to question whether they are just completing a tick-box exercise or actually affecting the behavior of their employees.
“I have rarely met anybody who engaged in misconduct that honestly did not know what they were doing was wrong,” Chen states. “The problem is not with knowledge. The problem is with behavior. You should be measuring behavior.”
An organization’s attention to accessibility provides evidence to regulators that it is doing all it can to educate its employees and ensure that they have the information they need, relevant to their role, to conduct business in an ethical and compliant fashion.
After ensuring that policies and procedures are consistently managed, reviewed, accessible and relevant, organizations should focus on operational implementation. They should be able to demonstrate that policies are actually working and evidence employee understanding with ongoing measurements.
In her interview, Chen mentioned that organizations should continuously reflect on how their system works. Adapting policies and procedures is a critical component of remediation, which we’ll discuss in more depth in the blog post for the seventh hallmark.
While policies and procedures are only one out of seven hallmarks of an effective compliance program, they are the foundation on which these programs are built. You cannot have a robust and effective compliance program without this base.
Check back next week as we cover the second hallmark – program oversight. Until then, please visit our website for information on how Mitratech can assist you in implementing an effective compliance program.