If you find yourself in a situation where you need to develop a compliance program and are asking, “What do I need to do, and where do I start?”, look no further. What you need to do first is determine what your product offerings will be, so you know which regulatory frameworks apply and must be considered. You will then need to design an effective compliance program based on the U.S. Department of Health and Human Services Office of Inspector General’s seven elements of an effective compliance program, taking into account your organization’s unique product offering(s), size, and structure. You are probably now asking yourself: “How do I do this?”
Designing and implementing a new compliance program is like setting sail and discovering a whole new world. We would suggest the following outline to get started:
Architecture and design of the vessel
Getting the crew on board
Mapping the course
Adjusting to life in the new world
Architecture and design of the vessel
Begin by mapping out your compliance program’s structure and design. At this stage, the design should be drafted in a form that can be modified easily, as it is almost guaranteed to change as you move forward. The design and presentation are very important as they will be used to gain organizational leadership and staff buy-in. In drafting, you must consider and align with applicable regulatory frameworks (i.e., requirements), applicable audit protocols and reporting requirements, areas of risk, organizational size, knowledge and experience of available resources, and the organization’s culture, mission, values, and objectives.
The program structure should be designed around the seven elements of an effective program and intended to prevent, detect, and correct noncompliance issues. Examples of preventive measures include drafting policies and procedures, conducting training and routine risk assessments, and implementing structure with clear roles and responsibilities. Detective measures might include establishing effective communication and reporting channels, such as a hotline, and conducting both organizational and departmental monitoring and auditing activities and reporting. Each department should implement departmental monitoring to validate compliance with applicable requirements and make the results available to compliance. We recommend that the compliance department own the organizational monitoring and auditing of adherence to regulatory requirements to oversee the departmental processes. Organizational monitoring may include tracking and trending (e.g., dashboard reporting) to ensure the organization is compliant and always audit-ready. Auditing may include mock audits based on regulatory audit protocols but does not include other organizational audits typically performed by an internal audit department, such as financial control audits. Corrective measures include processes to support timely and thorough investigation and response to suspected or identified issues, impact analysis, root cause determinations, documentation, and reporting.
A key decision in the early stages of building your compliance program is whether to build a centralized or hybrid structure. In a centralized model, the compliance department staff manages all seven elements with minimal assistance from the operational areas. In a hybrid model, responsibility is shared, and processes are designed with operational and compliance responsibilities working hand in hand. Our experience has proven the hybrid model to be the most effective, and it is noted in multiple sources as an industry best practice. This model is also supported by the popular three lines of defense model, whereby frontline staff are equipped to defend compliance as the first line; compliance serves as the second line by implementing the structure to support compliance and conducting oversight; and the third line is an area such as internal audit, which provides formal, objective oversight such as audits. The program structure and design are heavily dependent on the culture of your organization and the knowledge and experience of available resources. When adopting a hybrid model, we recommend identifying, educating, and building strong relationships with an accountable owner in each operational area to serve as a liaison and subject matter expert for compliance. Additional resource needs should be considered once the structure is defined.
The structure of your program must also consider the responsibilities, systems, processes, and cross-functional impact of other vital functions that may be established independent of compliance, such as legal, human resources, internal audit, fraud, privacy, and security. These partners are critical allies in carrying the compliance message and coordinating efficient execution of compliance program requirements, especially where responsibilities may overlap. It is vital to clearly define and coordinate the role of these partners early on, building them into the framework and avoiding duplicative or contradictory work.
Getting the crew onboard
If you are implementing a new compliance program, it most likely means your organization is new, entering new product markets, or revamping an ineffective program. In any scenario, you must ensure that leadership and staff understand what compliance is and why it is needed. Collecting enough information in advance is valuable to know whether buy-in will require a significant change in culture or simply education. Compliance should share the fiscal, legal, and reputational value of compliance with the leadership team. It helps to provide real-life examples of audit reports or prior enforcement actions to demonstrate the value of investing in compliance up-front.
Once you have laid the foundation, start working with leadership to show the company how the tone at the top has been set to support compliance program initiatives and objectives. Some ideas on doing this are to have leadership and compliance communicate expectations along with roles and responsibilities. It is a best practice to have the CEO write a letter of support and place it in the front of the code of conduct. Compliance should empower the crew with information and needed support to implement requirements within their respective departments. Educate the team early and often to help them gain a genuine understanding of the value, structure, and objectives of the compliance program. We found that some staff will get it, and others will not have a clue as to what compliance is, so an individualized approach is often helpful. Additionally, it is important to recognize that not everyone is familiar with the jargon compliance professionals use every day, so it is critical to break it down into small chunks and make it easy to ingest and apply.
Mapping the course
Now that you have buy-in, the next step is clearly defining and communicating specific tasks needed to implement and maintain the compliance program. This is most often achieved through a work plan that includes a detailed description of required tasks, timelines, and accountable owners. We recommend using two tools that we have found particularly helpful in the early stages of program development to produce a meaningful work plan: A compliance program effectiveness (CPE) gap analysis and an organizational risk assessment. To start, we recommend meeting with key stakeholders and varying levels of management to identify their levels of understanding of applicable requirements, related experience, departmental structure and resources, anticipated risks, and current operational procedures.
Using this information, outline current and needed processes or resources to effectuate the seven elements. Now, you have a CPE gap analysis. Next, compare the information collected with applicable regulatory, contractual, and compliance program requirements and required reporting or anticipated audits to identify areas where current processes or resources are not yet established or fully developed to support compliance; these are risk areas. The risk assessment should quantify inherent and residual risk by assigning scores to reflect each risk’s likelihood, impact, and mitigation rate to meaningfully prioritize tasks and effectively prevent or mitigate potential risks. We recommend—especially if entering new products with no or limited historical data—using common industry risks or trends derived from relevant audit or enforcement reports to identify potential risks.
We have found that accountability is vital to success in implementing a new program. We are not suggesting that compliance assign who owns what, but rather, compliance partners with stakeholders to make collaborative decisions and avoid operating in a vacuum. Each task should be assigned an accountable owner based on input from key stakeholders and leadership, the recommended owners’ knowledge, experience, authority and/or visibility, risk level, structure, and cross-functional impact. Frequent communication and transparency are crucial to maintaining momentum and enforcing accountability. We suggest frequent reviews, reporting, and easy access to the work plan to promote the level of communication needed for success. Once we have mapped this course, we are ready to set sail.
As we set sail by taking the required actions, we must focus on maintaining compliance. Compliance should not be an afterthought or a burden placed on top of processes but should be embedded in the culture and day-to-day procedures. We should ensure that the compliance program elements are understood and considered in all decisions being made and processes being built. Compliance should not be seen as the “naysayer” but rather invited to the table as a voice that considers the compliance impact and supports how the organization decides to do something. This requires communication strategies that may warrant routine meetings with individual or group internal and external stakeholders, and reiterating accountability for ownership and deadlines.
During this phase, we must pay special attention to any issues arising from reporting, monitoring, and/or auditing to ensure that they are investigated and resolved promptly. These issues may require us to pivot from our initial design and adjust where needed.
Maintain empathy, understanding, and support. There will be a lot of first times, and often change is difficult. We have found it helpful to continually demonstrate and communicate empathy with operations and any resistance to change by keeping an open door, making information and processes easy to follow, as well as continually offering support and individualized training. However, remember not to set a precedent of deviating from the processes early on—stay the course.
Adjusting to life in the new world
Now that you have a program in place, it’s time to adjust and maintain. We found that it helps to share plans or agendas that communicate ongoing or recurring events early and often. Consider activities performed by the compliance department, such as committee meetings, ongoing risk assessments, reporting to leadership and the board, monitoring and conducting mock internal audits, etc. Establish a place where everyone knows to go to get this information and other resources. You might even consider branding the department’s resources to promote compliance.
Compliance with the applicable regulatory frameworks and company policies must be monitored continually. This includes validating operations and maintaining an audit-ready state. To do so, operational areas will need to maintain current and documented procedures, and conduct and document ongoing monitoring and departmental training. This activity should be reported to compliance and documented in a location accessible for review by compliance or retrieved for audit.
Depending on the skills of your compliance staff and the availability of technology resources, you can design a homegrown system with existing tools such as Microsoft SharePoint or purchase a governance, risk, and compliance (GRC) solution. Many GRC tools provide out-of-the-box capabilities for automated monitoring, case management, and publishing and maintaining records such as policies or training.
The organization will work together at all levels to ensure incidents are reported, investigated, and corrected to maintain compliance, enhance operational efficiency or consumer experience, and stay audit-ready.
Design a program unique to your organization’s product offerings, experience, size, and structure.
Invest in getting to know staff, developing genuine partnerships, and leveraging internal and external stakeholders.
Evaluate program effectiveness and participation often and be open to changing course when things aren’t working well.
Pace yourself; start simple and continually build to include more sophisticated processes and/or best practices.
Educate all levels of the organization early and often to develop understanding, support, and compliance.