Learning from our peers: Results from a compliance benchmarking conversation

Laura McNamara

Laura McNamara

Laura McNamara (laura.mcnamara@stonybrookmedicine.edu; linkedin.com/in/laura-mcnamara-mba-chc/) is the Compliance and Privacy Officer for Stony Brook Medicine’s Clinical Practice Management Plan Inc. and Accountable Care Organization in Stony Brook, New York, USA.
8 minute read

By Laura McNamara, MBA, MS, CHC, CHPC

I recently had the pleasure of co-hosting a great corporate compliance benchmarking session with Matt Kelly, editor and chief executive officer of Radical Compliance, at the SCCE New York & Boston Regional Compliance And Ethics Conference on March 3. I was incredibly excited, as benchmarking is one of my favorite things to do in my role as a compliance and privacy officer for a health system’s faculty practice plan and accountable care organization. I am in a perpetual state of benchmarking, it seems. I work at an academic medical center and am part of the Association of American Medical Colleges Compliance Officers Forum (COF). The COF comprises compliance leaders and provides a national forum for networking, professional development, and collaborative opportunities. We meet monthly to discuss many topics, sharing information we can take back and apply to our work.

Corporate compliance benchmarking is a process that organizations use to measure their compliance programs against industry best practices, assess program effectiveness, and identify improvement areas. The primary goal of benchmarking is to ensure an organization complies with legal and regulatory requirements and internal policies and procedures. This process is essential for mitigating risks associated with noncompliance, such as fines, lawsuits, and reputational damage.

There are several steps involved in the benchmarking process. The first step is identifying relevant benchmarks, such as industry standards or best practices. This can be done through research or by consulting with external experts. I find it helps to identify areas for improvement through numerous domains, systems, or processes within the organization. Simply put, it detects strengths and weaknesses as well as considerations for best practices. There are various types of benchmarking. One can benchmark internally between divisions or teams to calibrate across your organization. Another option—probably the most common—is to benchmark against your industry peers both locally and across your entire market. Knowing what others are doing helps you stay competitive.

Conference structure

For this conference session, I had the opportunity to benchmark against different industries. I found this appealing because I knew I could glean similar metrics and operational data to help me improve my own program. The session had 12 polling questions organized into three categories:

  1. Is the corporation’s compliance program well-designed?

  2. Is the corporation’s compliance program adequately resourced and empowered to function effectively?

  3. Does the corporation’s compliance program work in practice?

Although the survey software did not allow for multiple responses (resulting in some questions not being entirely accurate), good information was shared in the chat, including conversations on data analytics, ephemeral messaging platforms (on work and personal devices), and the impact of noncompliance on compensation.

Compliance program design

The first six questions focused on how the audience felt about the design of their compliance program. When asked if the respondent’s organization has some structured observation or celebration of compliance—a Compliance Day, Compliance Week, or Compliance Month—the slim majority responded that they have nothing formal in place. This was closely followed by a Compliance Week, then Compliance Month, and a handful answering that they have a Compliance Day.

As you may know, SCCE & HCCA provide a complimentary Corporate Compliance & Ethics Week resource toolkit with content to use to celebrate this week every November.[1] Fun fact: The first Corporate Compliance & Ethics Week was held in May 2005 as an event that could assist members of SCCE & HCCA with the need to educate staff on the importance of compliance and ethics.

Audits and messaging

The next question dealt with whether the compliance department had auditing rights on third parties, and the answer was divided into thirds. Although one-third didn’t find the question applicable to their scope of work, the other two-thirds were split about exercising their audit rights without reasonable suspicion of a breach. Someone mentioned that their right to audit is spelled out in their business associate agreements and that software monitors vendor security profiles continuously. Overall, it sounded like third-party risk management is an area of development. With only one-third of respondents replying that they audit third parties regularly, this area of risk management likely needs improvement. Third-party vendors can pose significant risks to an organization, as they often have access to sensitive data and systems. Conducting audits helps mitigate these risks by identifying potential vulnerabilities and ensuring vendors meet security and compliance requirements.

The next two questions focused on ephemeral messaging platforms like Snapchat, BeReal, Signal, and DingTalk. These applications allow users to automatically delete messages, which is a hot topic and compliance risk. The U.S. Department of Justice updated their Evaluation of Corporate Compliance Programs this March, with language about ephemeral messaging found on pages 17 and 18.[2] In addition, Mary Shirley recently published an article on the update.[3] Forty-seven percent answered that they have adequate controls in place to prevent staff from using ephemeral messaging platforms on their work devices for business communications, with the same percentage answering that they did not. However, 62% responded “no” when asked if they have adequate controls in place to prevent staff from using ephemeral messaging platforms on their personal devices for business communications, while 35% said “yes.”

To mitigate these risks, businesses need to implement controls that balance security with usability. These controls should include policies and guidelines, secure communication tools, and monitoring mechanisms to ensure employees follow the organization's communication policies. Regular training and awareness programs are also essential to educate employees about the risks of ephemeral messaging and how to avoid them.

Compensation and discipline

The next question was about whether compliance adherence in their companies affected compensation, and I was not surprised when more than half the audience answered “no.” This is a wish-list item for many compliance leaders and can prove difficult with contracting. However, some did answer “yes,” citing how not completing compliance training or repeated policy violations affected compensation. I shared an example of a former employer who suspended parking privileges for those in noncompliance—with very successful results.

Next was the question about whether attendees have a disciplinary framework in place to provide consistency of disciplinary action, with 70% answering they do. As we know, a disciplinary framework is a set of rules, policies, and procedures that an organization establishes to regulate employee behavior and enforce disciplinary action when necessary. The importance of having a disciplinary framework in place cannot be overstated, as it ensures disciplinary action is consistent and fair for all employees. By having a clear set of expectations, consequences, and procedures in place, employees can feel secure in their jobs and know that their actions will be treated fairly and consistently. It’s great to see that having a disciplinary framework was the norm for our attendees.

Resourcing and development

The following four questions focused on program resourcing in order to function effectively. When asked what attendees’ organizations call their function, 59% answered “Compliance,” 25% answered “Compliance and Ethics,” 9% answered “Governance, Risk, and Compliance (GRC),” and the rest answered “Ethics/Other.”

When asked about what areas their functions have responsibility for, almost three-quarters of the group responded “Compliance,” with small groups responding with “Ethics and Conflicts of Interest,” “Enterprise Risk Management,” and “Privacy.” Unfortunately, there was a glitch with the polling where one could not check all that applied to their scope. In my experience, compliance departments typically include conflicts of interest and privacy functions. Therefore, it was difficult to ascertain whether the answers reflected the person’s role or the department’s overall function. It was good to see that the term “compliance” is still the word of choice to describe the function of work, and I don’t see that going away any time soon. And I suspect that if the multi-answer function worked, we would have been given a better picture of all the components in the audience’s scope of work. I have the title of compliance and privacy officer, as that is the scope of my work.

I was thrilled to see that 95% of the audience answered “yes” when asked if their organization’s compliance staff had the opportunity to attend paid professional development on the company’s dime and time. I have seen firsthand the power of sponsored professional development. I’m proud to say that on my team, we have had more than half receive promotions and additional credentials thanks in part to the boot camps, conferences, and academies attended with support from our department’s budget. So for the 5% of you who answered “no” or readers in a similar position, please feel free to contact me so we can brainstorm ways to get buy-in from your leadership!

Vendors and analytics

Another question asked was about changing service providers or vendors. About one-third did not think the question applied to their scope of work, while another third responded that they consider this every three years. The rest of the audience answered either annually or every two years. I was happy to see that this is a recurring item to be reviewed, as the use of vendors seems to be increasing across the industry. And with this, ensuring you have the right vendors in place is important.

The last two polling questions focused on data analytics and key performance indicators (KPIs). First, the audience was asked if they have incorporated data analytics in their compliance program, with a resounding 86% answering “yes.” Next, we spent a few moments discussing the importance of data analytics and how you see it all around you once you tap into it. This was followed up with a multiple-choice question asking what information is used for analytics or KPIs. Although attendees ultimately could not choose multiple answers, more than half answered that they use analytics for training completion rates. Analytics and KPIs were also used for hotline reporting rates, violations of policy, and root cause analysis of violations. By analyzing data on an ongoing basis, compliance teams can identify areas of improvement for the compliance program itself, allowing companies to continually refine their policies and procedures to better align with legal and regulatory requirements.

Conclusion

Corporate compliance benchmarking is essential for all organizations, regardless of size or industry. It helps ensure the organization meets its legal and regulatory obligations and can help prevent costly noncompliance issues. Companies can maintain a strong reputation and avoid potential legal and financial consequences by regularly assessing and improving their compliance programs.

By reading this article, I hope you were able to gain some insight into the hot compliance topics your peers are facing and the tools they are using to mitigate risk. Regardless of title or scope, we all have a role to play in ensuring our organizations function in a compliant and ethical manner.

Takeaways

  • Benchmarking is an effective tool for comparing your organization with industry standards.

  • Ephemeral messaging raises significant risks for businesses looking to secure their communications.

  • A disciplinary framework is essential for any organization to promote responsible behavior among employees and maintain a safe and productive work environment.

  • Using third-party vendors can affect an organization’s reputation, so ensuring vendors are trustworthy and reliable is paramount.

  • Data analytics can provide valuable insights to help better understand and mitigate the risks associated with noncompliance—and ultimately strengthen the overall compliance program.

 
2 U.S. Department of Justice, Criminal Division, Evaluation of Corporate Compliance Programs, updated March 2023, https://www.justice.gov/criminal-fraud/page/file/937501/download.
3 Mary Shirley, “New DOJ Guidance Charts a Way Forward on Ephemeral Messaging,” Corporate Compliance Insights, March 8, 2023, https://www.corporatecomplianceinsights.com/doj-compliance-programs-mary/.
1 “Corporate Compliance & Ethics Week,” Society of Corporate Compliance and Ethics & Health Care Compliance Association, accessed March 22, 2023, https://www.hcca-info.org/about-hcca/corporate-compliance-ethics-week.

What to read next...

Sanctions compliance in an era of international conflict: An organizational imperative


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings