Introduction
The United States Sentencing Commission voted on April 7, 2010, to modify the Federal Sentencing Guidelines for organizations, including the provisions that set forth the attributes of effective compliance and ethics programs. Under the amended Federal Sentencing Guidelines, which went into effect on November 1, 2010, a convicted organization may be eligible for a reduced sentence if it has established an effective compliance and ethics program. The Guidelines now more fully describe the key attributes that a compliance and ethics program must exhibit for the organization to be eligible to receive benefits. These advantages include reduced fines, a reduced sentence or deferred prosecution.
Compliance guidance and mandates from various government agencies have evolved significantly over the last decade. Just a few short years ago, evidence demonstrating the establishment of a corporate compliance program consistent with the seven elements was viewed as sufficient. But now the focus has shifted from the mere presence of a compliance program to evidence that demonstrates the effectiveness of the compliance program. Regulators are now raising the stakes by asking the question: “Can you prove that your compliance program works?”
This article explores some specific actions and recommendations that can help organizations demonstrate the effectiveness of their compliance program. There are numerous concepts and specific tasks outlined in the article. While it would be difficult to implement all the suggestions at once, this overview can serve as a useful guide for advancing your company’s compliance program.
What’s the Challenge?
For many organizations, moving beyond a “paper” compliance program to the ability to demonstrate the effectiveness of the compliance program presents significant challenges. These challenges include:
- Lack of resources compounded by tasks requiring manual, labor-intensive processes
- Existence of multiple, disparate systems for collecting and managing information
- Lack of ability to view compliance risk across the organization
- Inability to provide hard data to the regulators as evidence that the organization:
  - Is in full compliance with governing laws and regulations
  - Proactively monitors for compliance gaps
  - Initiates measures to remediate gaps and assigns accountability
  - Provides up-to-the-minute status reports of assessment results and resulting assignments.
The Building Blocks
With the proper tools and processes in place, demonstrating the effectiveness of your organization’s compliance program can be accomplished. Ideally the compliance process should provide global visibility to all compliance activities. The key building blocks include automation of processes; central visibility and control; and proof of compliance for audits.
Automation of Processes
Repetitive functions such as reviews and approvals, incident investigations, escalation, and others should be automated, and the tasks should be captured with a date and time stamp. Any automation should be designed to augment compliance staff, allowing them to focus more attention on high value activities and reduce manual workloads.
Central Visibility and Control
All information and documentation associated with the compliance program should be stored in a unified repository allowing for easy integration with other governance, risk and compliance (GRC) information such as regulatory content, policies and procedures, audits, and corrective action plans.
Proof of Compliance for Audits
Throughout the entire legal and regulatory compliance lifecycle, there needs to be a central collection point where all compliance and risk management documents and activities are easily tracked and linked back to their relevant laws, regulations and standards. This central collection point should serve as a body of evidence of compliance and enable the organization to easily demonstrate proof of compliance for any audit, investigation, exam, or accreditation review. Additionally, an advanced program should have the ability to provide external parties such as regulators ready access to the information required by an audit. This capability can be used to enhance credibility by demonstrating a commitment to transparency and cooperation with an “open door” approach.
Let’s take a look at each of the seven elements of a compliance program as outlined in the Federal Sentencing Guidelines and see how we can collect hard data that will clearly demonstrate the effectiveness of a compliance program.
- Establish policies, procedures, and controls
- Exercise effective compliance and ethics oversight
- Exercise due diligence to avoid delegation of authority to unethical individuals
- Communicate and educate employees on compliance and ethics programs
- Monitor and audit compliance and ethics programs for effectiveness
- Ensure consistent enforcement and discipline of violations
- Respond appropriately to incidents and take steps to prevent future incidents.