I recently had the pleasure of co-hosting a great corporate compliance benchmarking session with Matt Kelly, editor and chief executive officer of Radical Compliance, at the SCCE New York & Boston Regional Compliance And Ethics Conference on March 3. I was incredibly excited, as benchmarking is one of my favorite things to do in my role as a compliance and privacy officer for a health system’s faculty practice plan and accountable care organization. I am in a perpetual state of benchmarking, it seems. I work at an academic medical center and am part of the Association of American Medical Colleges Compliance Officers Forum (COF). The COF comprises compliance leaders and provides a national forum for networking, professional development, and collaborative opportunities. We meet monthly to discuss many topics, sharing information we can take back and apply to our work.
Corporate compliance benchmarking is a process that organizations use to measure their compliance programs against industry best practices, assess program effectiveness, and identify improvement areas. The primary goal of benchmarking is to ensure an organization complies with legal and regulatory requirements and internal policies and procedures. This process is essential for mitigating risks associated with noncompliance, such as fines, lawsuits, and reputational damage.
There are several steps involved in the benchmarking process. The first is identifying relevant benchmarks, such as industry standards or best practices, through research or by consulting external experts. I find it helps to look for areas of improvement across many domains, systems, and processes within the organization rather than in a single place. Simply put, benchmarking surfaces strengths and weaknesses and points to practices worth adopting. There are various types of benchmarking. One can benchmark internally between divisions or teams to calibrate across the organization. Another option, probably the most common, is to benchmark against industry peers both locally and across the entire market. Knowing what others are doing helps you stay competitive.
Conference structure
For this conference session, I had the opportunity to benchmark against different industries. I found this appealing because I knew I could glean similar metrics and operational data to help me improve my own program. The session had 12 polling questions organized into three categories:
- Is the corporation’s compliance program well-designed?
- Is the corporation’s compliance program adequately resourced and empowered to function effectively?
- Does the corporation’s compliance program work in practice?
Although the survey software did not allow multiple selections on a single question (so the results for the check-all-that-apply questions are not entirely accurate), good information was shared in the chat, including conversations on data analytics, ephemeral messaging platforms (on both work and personal devices), and the impact of noncompliance on compensation.
Compliance program design
The first six questions focused on how the audience felt about the design of their compliance program. When asked whether their organization has a structured observation or celebration of compliance (a Compliance Day, Compliance Week, or Compliance Month), a slim majority responded that they have nothing formal in place. Compliance Week was the next most common answer, followed by Compliance Month, with a handful answering that they hold a Compliance Day.
As you may know, SCCE & HCCA provide a complimentary Corporate Compliance & Ethics Week resource toolkit with content to use to celebrate this week every November.[1] Fun fact: The first Corporate Compliance & Ethics Week was held in May 2005 as an event that could assist members of SCCE & HCCA with the need to educate staff on the importance of compliance and ethics.
Audits and messaging
The next question dealt with whether the compliance department had audit rights over third parties, and the answers split roughly into thirds. One-third did not find the question applicable to their scope of work; the remaining two-thirds were divided on whether they exercise their audit rights without reasonable suspicion of a breach. Someone mentioned that their right to audit is spelled out in their business associate agreements and that software continuously monitors their vendors’ security profiles. Overall, third-party risk management sounded like an area still under development. With only one-third of respondents replying that they audit third parties regularly, this area of risk management likely needs improvement. Third-party vendors can pose significant risk to an organization, as they often have access to sensitive data and systems, and a right-to-audit clause that is never invoked offers little assurance on its own. Conducting audits helps mitigate these risks by identifying weaknesses and confirming that vendors actually meet security and compliance requirements.
The next two questions focused on ephemeral messaging platforms like Snapchat, BeReal, Signal, and DingTalk. These applications delete messages automatically, which makes them a hot topic and a compliance and records-retention risk. The U.S. Department of Justice updated its Evaluation of Corporate Compliance Programs this March, with language about ephemeral messaging found on pages 17 and 18.[2] In addition, Mary Shirley recently published an article on the update.[3] Forty-seven percent answered that they have adequate controls in place to prevent staff from using ephemeral messaging platforms on their work devices for business communications, with the same percentage answering that they do not. However, 62% responded “no” when asked if they have adequate controls in place to prevent staff from using ephemeral messaging platforms on their personal devices for business communications, while 35% said “yes.”
To mitigate these risks, businesses need controls that balance security with usability: clear policies on which channels may be used for business communication, approved secure communication tools that retain records, and monitoring to confirm employees follow the policy. The gap between the work-device and personal-device results is not surprising. On managed work devices, a mobile device management platform can block or allow specific applications; on personal devices used for work, the organization can only control what its bring-your-own-device policy and application-level management cover, and everything else rests on policy and training. Regular training and awareness programs are therefore essential to educate employees about the risks of ephemeral messaging and how to avoid them.
Compensation and discipline
The next question was about whether compliance adherence in their companies affected compensation, and I was not surprised when more than half the audience answered “no.” This is a wish-list item for many compliance leaders and can be difficult to achieve where compensation terms are fixed by contract. However, some did answer “yes,” citing how failing to complete compliance training or repeated policy violations affected compensation. I shared an example of a former employer who suspended parking privileges for those in noncompliance, with very successful results.
Next was the question about whether attendees have a disciplinary framework in place to provide consistency of disciplinary action, with 70% answering that they do. A disciplinary framework is the set of rules, policies, and procedures an organization establishes to regulate employee behavior and to apply discipline when necessary. Its importance is hard to overstate: with a clear set of expectations, consequences, and procedures, disciplinary action is consistent and fair, and employees can trust that their actions will be treated the same way as anyone else’s. It was great to see that having a disciplinary framework is the norm among our attendees.
Resourcing and development
The following four questions focused on whether the program is resourced to function effectively. When asked what attendees’ organizations call their function, 59% answered “Compliance,” 25% answered “Compliance and Ethics,” 9% answered “Governance, Risk, and Compliance (GRC),” and the rest answered “Ethics/Other.”
When asked about what areas their functions have responsibility for, almost three-quarters of the group responded “Compliance,” with small groups responding with “Ethics and Conflicts of Interest,” “Enterprise Risk Management,” and “Privacy.” Unfortunately, there was a glitch with the polling where one could not check all that applied to their scope. In my experience, compliance departments typically include conflicts of interest and privacy functions. Therefore, it was difficult to ascertain whether the answers reflected the person’s role or the department’s overall function. It was good to see that the term “compliance” is still the word of choice to describe the function of work, and I don’t see that going away any time soon. And I suspect that if the multi-answer function worked, we would have been given a better picture of all the components in the audience’s scope of work. I have the title of compliance and privacy officer, as that is the scope of my work.
I was thrilled to see that 95% of the audience answered “yes” when asked if their organization’s compliance staff had the opportunity to attend paid professional development on the company’s dime and time. I have seen firsthand the power of sponsored professional development. I’m proud to say that on my team, we have had more than half receive promotions and additional credentials thanks in part to the boot camps, conferences, and academies attended with support from our department’s budget. So for the 5% of you who answered “no” or readers in a similar position, please feel free to contact me so we can brainstorm ways to get buy-in from your leadership!
Vendors and analytics
Another question asked how often attendees reassess whether to change service providers or vendors. About one-third did not think the question applied to their scope of work, while another third responded that they consider it every three years. The rest answered either annually or every two years. I was happy to see that this is a recurring review item, as the use of vendors seems to be increasing across the industry, and with that growth, ensuring you have the right vendors in place becomes more important.
The last two polling questions focused on data analytics and key performance indicators (KPIs). First, the audience was asked if they have incorporated data analytics into their compliance program, with a resounding 86% answering “yes.” Next, we spent a few moments discussing the importance of data analytics and how, once you start using it, you see opportunities for it everywhere. This was followed by a multiple-choice question asking what information is used for analytics or KPIs. Although attendees ultimately could not choose multiple answers, more than half answered that they use analytics for training completion rates. Analytics and KPIs were also used for hotline reporting rates, policy violations, and root cause analysis of violations. By analyzing data on an ongoing basis, compliance teams can identify areas of improvement for the compliance program itself, allowing companies to continually refine their policies and procedures to better align with legal and regulatory requirements.
Conclusion
Corporate compliance benchmarking is essential for all organizations, regardless of size or industry. It helps ensure the organization meets its legal and regulatory obligations and can help prevent costly noncompliance issues. Companies can maintain a strong reputation and avoid potential legal and financial consequences by regularly assessing and improving their compliance programs.
By reading this article, I hope you were able to gain some insight into the hot compliance topics your peers are facing and the tools they are using to mitigate risk. Regardless of title or scope, we all have a role to play in ensuring our organizations function in a compliant and ethical manner.
Takeaways
- Benchmarking is an effective tool for comparing your organization with industry standards.
- Ephemeral messaging raises significant risks for businesses looking to secure their communications.
- A disciplinary framework is essential for any organization to promote responsible behavior among employees and maintain a safe and productive work environment.
- Using third-party vendors can affect an organization’s reputation, so ensuring vendors are trustworthy and reliable is paramount.
- Data analytics can provide valuable insights to help better understand and mitigate the risks associated with noncompliance, and ultimately strengthen the overall compliance program.