Regular readers of Risk & Compliance Matters are surely familiar with the importance of maintaining a mature compliance program – and the benefits this has for an organization’s culture and adherence to regulatory requirements.
Whether formalizing a compliance program into a cohesive initiative for the first time or stepping back to audit the efficacy of an existing one, a program assessment may be in order. A robust assessment evaluates a compliance program as a whole as well as the strength of its parts.
The nine components below categorize your compliance program in a way that will best reveal the strengths of your work, as well as the actionable steps you’ll need to take for improvement.
A risk assessment is key to developing your organization’s risk profile. Your risk profile is an evaluation that identifies the unique risks your organization may face given its industry, geography and employee population. Part of this risk assessment should also address third-party risk, as these relationships are a significant part of your organization’s risk profile. A periodic, comprehensive risk assessment will help regularly identify potential legal, reputational and ethical risks.
Your program needs both appropriate oversight to protect from risk and commitment from leadership to drive behavior and culture. Therefore, it is essential to inform and engage senior management about your program and its goals, and to give them a holistic view of the entire program. Those who have key oversight duties, including your board of directors, also need information and training on their responsibilities to help your organization achieve an effective compliance program.
Your policy assessment verifies that your organization has a code of conduct, as well as standards and procedures that ensure compliance with internal values and applicable governmental laws, rules and regulations. Your organization may also be subject to unique or high-risk areas. Assessing your program and organizational position will identify gaps where employees require specific guidance.
An effective compliance program has many touchpoints and overlapping elements with an organization’s HR department – such as policies about diversity, equity and inclusion, and harassment and discrimination. The efforts of your HR department and your compliance program should be complementary. Proper assessment of your program will ensure HR and compliance policies never conflict in what is expected or required of employees.
A communications and training strategy that keeps employees informed of the policies they are responsible for knowing must accompany the policies and procedures in your compliance program. A regular and effective communications plan will ensure that employees are aware of policies, that managers know their responsibility to respond to raised issues and that lessons learned are consistently used to improve culture.
Your reporting process is how employees elevate concerns to your compliance department. Your compliance assessment will evaluate this process to ensure employees can easily and comfortably report issues. It will also assess your program’s process to respond to and resolve those reports.
As with every assessment, a key step is evaluating the effectiveness of the assessment process itself. This is an opportunity to work with your internal audit team as well as other subject-matter experts who can provide insight into the mitigation of risk – or lack thereof – resulting from program efforts. Properly monitoring your assessment method will ensure your program is in a consistent state of improvement.
There is always some variance between what your organization has communicated and what employees believe to be true. For better or worse, this gap shapes your organization’s culture. Your program assessment will evaluate the methods in place to drive culture and the effectiveness of those efforts to change behavior.
Apply findings from the reporting and response and the monitoring and assessment components to make changes that will affect the overall culture. For example, if the program is found to lack fundamental training in harassment, and that gap is having a negative impact on the culture, apply that finding to develop more robust training in the area of need. Some remediations can be done quickly, such as updating existing policies and sending short trainings. Others take longer to implement, such as creating and applying a new policy for the entire organization.
Periodic assessment of these components is necessary to keep up with an evolving regulatory environment and shifts in organizational culture due to growth, turnover, change in strategy, et cetera. Many organizations conduct periodic assessments of specific elements throughout the year, in addition to conducting full assessments on a three- to four-year cadence.
When evaluating your compliance program, a best practice is to use a simple grading system for each component:
- Green indicates best practices are being met with robust processes in place
- Yellow indicates the component is in process or partially meeting best practices
- Red indicates the component is not yet meeting best practices, or needs attention
Each component is evaluated using a questionnaire that describes organizational commitment to each area. After completing the questionnaire, it will be clear where areas of opportunity exist, so the organization can better focus its efforts.
NAVEX is committed to providing resources to help all organizations improve their culture and establish a robust compliance program. To that end, NAVEX partnered with the Ethics and Compliance Initiative to provide a free Ethics, Risk, and Compliance Maturity Assessment. To learn more about the state of your program, take the assessment here.
We’re also pleased to announce the release of the recently updated Definitive Guide to Compliance Program Assessment, which includes the full questionnaire mentioned above, and many other resources to help assess, build and scale your compliance program. To learn more,