Getting Started

Printer Friendly, PDF & Email

APPENDIX 3-A: Compliance Program Implementation Action Plan

ACTIONSRESPONSIBLE PARTYCOMMENTS
Compliance Officer and Committee
Select a compliance officer (CO)CEO/governing boardHigh level; position of power; “independent”/does not report to chief financial officer or general counsel

Select a compliance committee (CC):

  • Provide compliance and risk area training to the compliance committee

  • Identify specific compliance subtopics for implementation

  • Create subcommittees or task forces

  • Assign each task force to a specific compliance subtopic

CEO/governing board/CCRepresentative of key departments
Ensure CC meets as often as needed during implementation
Ensure CC meets on a regular basis (at least quarterly) after implementation
Risk Assessment (once structure is in place)

Conduct an organizational risk assessment and prioritize findings:

  • Identify any well-known industry risk areas

  • Identify all relevant laws, regulations, government, or regulatory body guidance

  • Identify any areas of previous compliance problems within the organization

  • Identify any areas of previous operational or financial problems within the organization

  • Identify any human resources-related problems within the organization

  • Request all departments to list their department’s areas of weakness or potential weaknesses

    • Complete the risk matrix

Policies and Procedures and Developing the Code of Conduct

Create and distribute code of conduct:

  • Draft compliance code of conduct

  • Obtain approval of code of conduct

  • Distribute and explain to all employees

  • Obtain signed attestation of code of conduct from all employees

CC

CC

CEO/governing board

CC

CC

Draft “structural” policies and procedures:

  • Mission/goals/directives of compliance

  • Role of compliance officer

  • Role of compliance committee

  • Role of management and board of directors

  • General compliance training

  • Specific compliance training

  • Annual compliance retraining

  • Testing of compliance education retention

  • Anonymous reporting mechanism

  • Open lines of communication

  • Feedback on reports

  • Nonretaliation policy

  • Auditing and monitoring

  • Auditing work plan

  • Auditor independence

  • Continuous/regular monitoring

  • Conducting background checks

  • Disciplinary action guidelines

  • Enforcement of disciplinary action

    • Corrective action plans—Responding to search warrants, subpoenas, and other formal requests for documents by external entities

Draft “substantive” policies and procedures:

  • Complete risk assessment (described above)

  • Draft specific substantive policies and procedures that address identified risk areas

Obtain approval of policies and procedures from compliance committee
Obtain approval of policies and procedures from executive committee
Obtain approval of policies and procedures from board of directors
Distribute and explain the policies and procedures to all employees
Obtain signed certification of receipt and understanding of policies and procedures from all employees

Review of policies and procedures

- Annually:

  • Review all compliance-related policies and procedures

  • Update policies and procedures as needed

  • Create new policies and procedures for new risk areas identified

  • Obtain required approvals of revised policies and procedures

  • Obtain proof of review for all nonrevised policies and procedures

  • Distribute revised policies and procedures to all appropriate employees/contractors

  • Obtain signed certification of receipt and understanding of revised policies and procedures from all applicable policies and procedures

- Upon revision of a process:

  • Review all compliance-related policies and procedures

  • Update policies and procedures as needed

  • Obtain required approvals of revised policies and procedures

  • Distribute revised policies and procedures to all appropriate employees/contractors

    • Obtain signed certification of receipt and understanding of revised policies and procedures from all applicable policies and procedures

Review of other departmental policies and procedures:

  • Prepare a departmental policy and procedure request memo (upon creation/implementation of the compliance program and annually thereafter)

  • Designate a task force or delegate specific policy and procedure to various task forces to review and recommend compliance-related revisions to each policy

  • Provide recommendations back to the departments with a timeline for each department to submit the revision or submit a written explanation of the process as it is and why it can’t be revised

  • Sign off on each revised policy and procedure and each policy and procedure that does not require revision

Memo should request from all departments copies of all operational, financial, or other compliance-related, department-specific policies and procedures

Training and Education

Build compliance training program:

  • Identify all employees that require general compliance training

  • Identify all employees that require specific/focused compliance training

  • Identify all vendors, contractors, and customers that require compliance training

  • Identify any other community members or other entities that require compliance education

  • Determine content and duration of general compliance training

  • Determine content and duration of specific compliance training

  • Determine content and duration of contractor/vendor compliance training

  • Determine content of community/customer/other entity compliance education

  • Determine frequency of training required

  • Determine most appropriate mode of general training

  • Determine most appropriate mode of specific training

  • Determine most appropriate mode of contractor/vendor training

  • Determine most appropriate mode of customer/community training

  • Determine most appropriate trainers

  • Develop training materials and presentation

  • Determine mechanism for tracking who has and has not been trained

  • Document training and education plan and schedule developed through above activities

Live, online, self-study

pamphlets, emails, mailers, radio/TV

compliance officer, human resources, consultant

PowerPoints, tailored-but-purchased training, content for consultants to present

Provide training:

  • Create evaluation forms for training

  • Collect evaluations and synthesize feedback

Refine training program:

  • Track who has and has not been trained

  • Identify alternative training/education methods

  • Implement alternative training/education methods

  • CO and CC regularly attend high-level compliance conferences/seminars

  • Subscribe to compliance journals/newsletters

  • Join compliance-related organizations

  • Subscribe to government and other mailing lists

Postings, pamphlets, monthly compliance newsletters, compliance tip of the week

Vital to ensure compliance leadership has most current information

Auditing and Monitoring
Complete risk assessment (described above)

Draft audit plans for each risk area identified:

  • Determine the objectives of the audit

  • Determine the appropriate sample selection method for each audit

  • Determine which documents will be audited

  • Determine the audit criteria

    • Determine if legal counsel should be involved in the audit process

Develop an audit schedule based on prioritization from risk matrixFrequency of each audit, how many audits at once, expected duration of each audit
Determine the appropriate party to conduct each auditInternal audit, outside consultant, compliance committee, compliance officer
Certify the independence/objectivity of the auditor
Conduct the audit
Determine the appropriate corrective action plan for any problems identified
Prepare a written audit report
Determine if legal counsel should be involved in the audit resolution based on findings
Develop surveys specific to each audienceEmployees, customers, board of directors
Survey employees, customers, and other individuals on compliance issues

Flow chart:

  • Flow chart specific processes

  • Identify potential compliance weaknesses in the process

  • Identify areas that lack sufficient checks and balances

  • Add areas identified to audit plan/schedule

  • Improve processes as indicated

  • Reflow chart with corrected process

  • Educate changes to affected employees

Ensure they understand the need for the revisions
Hold roundtable discussions regarding compliance
Quiz employees during staff meetingsTheoretical and applicable to their work area—(a) create questions that get employees thinking about compliance in a practical manner, (b) determine additional training needs, (c) prompt discussions regarding compliance
Receive regular reports from compliance committee on concerns in their respective departments
Send “secret shoppers” to anonymously review processes

Forms review:

  • Request from each department any forms that may cause a compliance problem

  • Review the forms

  • Provide recommendations for revisions to forms, as needed

    • Request to review the revised forms within a specified amount of time

Billing worksheet, dunning cycle statements, expense tracking forms, time and effort tracking forms
Effective Communication
Publicize the chain of command for reporting
Create a mechanism for anonymous reportingHotline, drop box, anonymous email, anonymous address
Maintain open lines of communication
Ensure that processes are in place to protect employees from retaliation
Develop a mechanism for providing feedback to anonymous reporters regarding issue resolution
Communicate with employees creatively and on an ongoing basis Postings, pamphlets, monthly compliance newsletters, compliance tip of the week
Disciplinary Guidelines
Determine an appropriate disciplinary action planVerbal, verbal, written, suspension, termination
Ensure that employees know and understand the consequences of noncompliance
Enforce disciplinary action plans when situations of noncompliance arise(1) Punish inappropriate behavior and (2) prevent future occurrences
Involve human resources and legal when appropriate
Responding Appropriately to Detected Offenses

Investigate the report of misconduct in a timely manner:

  • Interview appropriate personnel

  • Conduct site visits and walk-throughs

  • Research applicable laws, regulations, and guidance

  • Audit processes/documents as needed

  • Obtain legal opinions, if needed

Maintain all investigation documentation
Determine if misconduct has occurred

Develop a corrective action plan:

  • Create or revise policies and procedures to ensure misconduct is not repeated

  • Create or revise forms that may have influenced misconduct

  • Provide education to employee who acted inappropriately

  • Provide education to all employees on the specific misconduct

  • Revise flow charts or entire processes as needed

  • Implement the disciplinary action plan, as appropriate

    • Regularly audit and monitor processes affected to ensure future compliance

Memoranda, topic at staff meeting, email, new policy and procedure distributed
This document is only available to subscribers. Please log in or purchase access.