8 Steps to an Effective Compliance Programme | NAVEX Global

Week 1

Risk Assessment

A risk assessment is key to developing your organisation’s risk profile – the starting point of an effective programme. Your risk profile is an evaluation that identifies the unique risks your organisation may face given its industry, geography and employee population. A periodic, comprehensive risk assessment will help regularly identify potential criminal, reputational and ethical risks.

Need help managing and assessing your risks? Contact us to see how we can help.

Use the chart below as a self-assessment to see how you are currently evaluating your risks.

Green: We have the best practices in place with a robust process
Yellow: We are in the process of developing a robust process
Red: We do not have a process in place or know how to implement one

If your responses fell mostly in the green column, you have the right processes in place to get an accurate picture of your risks. If most of your responses fell in the yellow or red category, review the resources included below to get a better idea of where your risks may be.

Dig Deeper with These Risk Assessment Resources

Resource: Risk Assessment Framework

Use this framework to walk through the steps of a risk assessment process including the identification, assessment, mitigation, and ongoing monitoring and reporting of these risks.

Resource: Sample Risk Assessment Ranking & Reporting Process

Once you’ve identified the risks, it helps to map them out and prioritise them. Use this tool to create a heat map to prioritise your highest risk areas.

Resource: Anti-Bribery & Corruption Risk Assessment Checklist

Use this list to see the risks your organisation faces in regards to bribery and corruption.

Week 2

Programme Oversight, Structure & Leadership

A compliance programme cannot be effective without support of leadership and defined programme ownership. Your programme needs oversight to protect it from risk and commitment from leadership to drive employee behaviour and culture change. Those who do have key oversight duties, including your board of directors, also need to be informed and trained on their roles within the compliance programme.

Ask yourself the following questions to gauge if you have the appropriate level of leadership engagement:

Board of Directors

Is the board of directors knowledgeable about the content and operations of the ethics programme?
Does the board exercise reasonable oversight of the implementation and effectiveness of the programme and the organisation’s culture?
Is the board accessible to individuals with day-to-day responsibility including meeting with them in executive sessions?

Compliance Programme Leadership

Does the organisation have a high-level person and a person with day-to-day responsibility assigned to manage the compliance programme?
Does senior leadership understand and exercise their responsibilities to create and maintain a culture that supports compliance with the law and ethical conduct?
Is there an Ethics Committee or Council that receives information from the high-level person or the person with day-to-day responsibility and also provides practical input into the programme?
Have ethics responsibilities been assigned to line management? Are they knowledgeable about the content and operation of the ethics programme?

If it seems like your answer is "no" to many of these questions, take a moment with the resources below to learn how you can engage your board and leadership.

Dig Deeper with These Leadership Resources

Webinar: Become a Strategic Partner to the Board & C-Suite

See how you can gain a "seat at the table" with the board and c-suite by learning about the business, developing your strategic thinking skills and creating personal relationships.

White Paper: Four Key Board Responsibilities for Monitoring Risk & Compliance

Read about the key responsibilities the board should have to your compliance programme like direct access, promoting a culture of ethics and receiving relevant compliance training.

White Paper: Key Elements for Effective Compliance Programme Board Reporting

If you've gained the board's support, you'll also need to effectively report to them. Get practical tips and advice on how to successfully report your compliance outcomes to the board.

Week 3

Standards, Policies & Procedures

As we build on the foundations of an effective compliance programme, policies and procedures play a massive role. Your code of conduct is the first step in establishing effective policies and procedures as it is the cornerstone policy of your organisation. Beyond writing policies like your code of conduct, thought must also be given to how you will manage the ever-increasing number of polices organisations have today. In fact, according to the 2017 NAVEX Global Policy & Procedure Management Benchmark Report, 41 percent of organisations surveyed manage over 100 policies and procedures.

Managing the writing, editing, distributing and attesting to policies and procedures is no easy task.

Interested in finding out how you can more effectively manage your policies and procedures? Schedule a demo of PolicyTech to see how.

Use the chart below as a self-assessment to see how your policies and procedures, particularly your code of conduct, are measuring up to best practice standards.

Green: We have a best practice code of conduct in place
Yellow: We are in the process of developing our code of conduct
Red: We do not have a code of conduct in place and don't know where to start

If your responses fell mostly in the green column, you have a good handle on your code of conduct. Take a look at the resources below to learn more about effectively managing policies and procedures.

If your responses fell mostly in the yellow or red column, you have some writing to do. Take a look at the code of conduct eBook below for some advice on how to write and distribute your code of conduct.

Dig Deeper with These Policy Management Resources

eBook: Code of Conduct Tune Up

Is your code as effective as it could be? Do employees know where to find it and how to use it? Your code of conduct is one of the most vital documents that your company has. It helps guide employee behaviour and acts as a manual from which employees and leadership can refer to when faced with difficult decisions. Use this eBook as a resource to get your code of conduct to be the thoughtful and engaging document it's meant to be.

Definitive Guide: The Definitive Guide to Policy & Procedure Management

The Definitive Guide to Policy and Procedure Management is your go-to resource for effectively and efficiently managing your organisation’s employee handbook, Code of Conduct, and other policies and procedures. No matter where you are in your understanding of policy management, or how effective your current system may be, this guide offers practical perspectives and insights.

Assessment: Policy Management Programme Assessment

Strong compliance policies, as well as efficient policy management processes, are the foundation of a robust compliance programme. Use this assessment to see if your programme meets best practice and how automation can help.

Sample Policy: Sample Anti-Bribery Policy

Use this sample policy as a guide when building your organisation's policy on bribery and corruption. The policy is illustrative of elements that should be written in an anti-bribery and corruption policy.

Week 4

Alignment with HR Practices

Who an organisation chooses to hire sends a clear signal as to what the organisation’s top priorities are. A compliance programme can only be effective in an organisation with hiring practices that promote law abidance AND ethical conduct.

Does your organisation formally evaluate managers (in performance appraisals) on whether they live up to ethics and compliance responsibilities?

The most successful organisations have input from human resources and compliance on policies relating to hiring, promotions and performance reviews. Developing positive relationships between ethics and compliance and human resources paves the way for an ethical company culture and sends a clear message that unethical behaviour will not be tolerated.

See how policy management software can help you create HR policies more efficiently. Request a customised demo.

Use this framework as a basis for aligning your compliance programme with human resources.

Dig Deeper with These HR Related Resources

Sample Code of Conduct: Doing the Right Things Right, NAVEX Global's Code of Conduct

Take a look at our code of conduct. It clearly details important ethics and compliance and HR related policies.

Whitepaper: Are You Missing 82% of Your Ethics & Compliance Reports?

Read this white paper to learn about all the possible ways employees are reporting misconduct or HR issues. By training managers appropriately, you’ll get an accurate picture of ethics and HR issues that come through the hotline, web form and conversations with managers.

Week 5

Communications & Training

The policies and procedures in your compliance programme must be accompanied by a strategic communication plan and training programme to keep employees informed about the components of the programme and tested on the policies they’re responsible for knowing.

Communicate

Having all of the right policies in place and an effective reporting process for employees has no value if employees don’t know where to go to find policies or who to call when witnessing misconduct.

Work with departments across the organisation like Marketing and HR to develop a good communication plan so employees, leadership and third parties are crystal clear about the tools available to them and the expectations placed on them. Take a look at the example Awareness Materials below to help you communicate.

Need help with your ethics training and content? Get in touch with a NAVEX Global expert for a demo.

Train

Beyond knowing what tools employees have available to them, you must ensure they know what is expected of them. Compliance training ensures employees are up-to-date on specific legislation and your company’s policies. It’s best to provide training in a risk-based manner with the highest risk employees receiving applicable training first.

A common practice programme has the following elements:

Ethics and compliance training tied to a risk assessment
Managers are aware of their responsibilities and how to respond to issues
Leadership support is messaged throughout the programme
A multiyear education plan exists with various formats and lengths of training

A best practice programme takes them a step further to include:

Education deployed relative to an employee's role
Assessment of the effectiveness of the training deployed
Board and leadership training, not just briefing

Drive measurable value with your training programme with resources below.

Dig Deeper with These Compliance Training Resources

Sample Materials: Awareness Posters & Communications

Use these posters as examples of the type of communication that will educate employees about your whistleblower hotline and the other compliance tools available to them.

Definitive Guide: The Definitive Guide to Compliance Training

This guide will help you plan your compliance training programme and give you tools to help you gain leadership support, decide on which topics to train and tips on how to make employees aware of the training available to them.

Benchmark Report: 2017 E&C Compliance Training Benchmark Report

See how your programme compares to other compliance training programmes and the top issues and topics that other organisations are educating their employees on.

Template: Editable Multiyear Training Plan Template

This Excel document will help you plan out your training curriculum for the next three to five years so you can deploy the right training at the right time.

Week 6

Reporting & Response

Every compliance programme must offer ways for employees to easily and safely report issues without fear of retaliation, being shamed at work or even losing their job. The Ethics Resource Center revealed that 41% of employees have personally witnessed misconduct, 40% who witness it don’t report it and of those that do report, 82% reports are made directly to frontline managers.

Reporting and response programmes are a ground-level element of an effective compliance programme, but simply making a whistleblowing hotline available won’t be sufficient. Effective programmes provide at least three reporting options:

Hotline. Whether a whistleblower hotline is mandated for an organisation or not, it is still a standard and expected component of an effective compliance programme.
Web-based reporting. Some employees don’t feel comfortable speaking with a live operator about their issue or they may not have a private location available to make a call. Web-based reporting gives employees the chance to type information into an online form and take the time to review what they have written before submitting.
Open door intake. This is a web-based system that allows managers to input issues reported and actions taken into a centralised system. This helps HR and compliance departments to follow-up on cases consistently and confidentially.

Need help implementing an effective reporting programme? Contact a NAVEX Global expert today.

Use the following chart to assess the effectiveness of your current programme. If most of your responses fall into the red or yellow category, use the resources below to dig deeper in planning and implementing a whistleblower hotline programme.

Dig Deeper with These Resources on Reporting Programmes

Definitive Guide: The Definitive Guide to Incident Management

Use this guide to get everything you need to know about planning, implementing and measuring your incident management programme.

Benchmark Report: 2017 EMEA & APAC Whistleblowing Hotline Benchmark Report

Our benchmarks from over 7,500 reports gives you the data you need to compare your programme against others in your industry, region and company size.

Whitepaper: Whistleblowing 101: Speaking up about misconduct in the UK

See why having a reporting programme is essential if you are headquartered or do business in the UK.

Whitepaper: Whistleblower Hotlines & Incident Management Solutions: Major Challenges and Best Practice Recommendations

This whitepaper takes you through nine challenges you may face in implementing your whistleblower hotline programme and how you can overcome them.

Week 7

Culture

When an organisation’s policies, procedures, rewards or even its Code of Conduct are in conflict with its culture, culture wins. Therefore, in order to have an effective ethics and compliance programme, an organisation must pay as much attention to culture as it does to policies, training, auditing and other programme elements.

Compliance supports the strategic goals and mission of an organisation just as much as any other department or function. Achieving an effective ethics and compliance programme requires more than simply adding rules and additional layers of controls. Successful programmes are integrated efforts that align financial and compliance requirements with the organisation’s mission and values.

Forward thinking organisations strive to build a culture where all employees know that doing the right thing is expected, understand the standards that apply to them and are confident their management is committed to operating with integrity. These same employees should feel empowered to raise concerns about misconduct without fear of retaliation and believe their concerns will be addressed.

If doing the right thing is the expected practice, behaviour that is unethical or otherwise misaligned with organisational standards will stand out and can be more easily addressed. The only way to know this by assessing the organisation’s culture as part of the assessment of the ethics and compliance programme.

Answer the following questions to see if your culture is one that promotes ethics and respect.

Is all staff held equally responsible for their actions?
Does doing things right trump revenue and company goals when the rubber hits the road? Is unethical behaviour clearly seen as out of bounds?
Do employees believe that management will take appropriate action if misconduct is communicated to them?
Do employees believe they can raise issues to management or the 0800 number without fear of retaliation?
Is the program viewed as a paper programme or as a genuine commitment?

Dig Deeper with These Resources on Culture

Benchmark Report: 2017 EMEA & APAC Culture & Compliance Benchmark Report

Use this report to see the biggest challenges organisations across EMEA face in regards to their company culture and compliance programmes. You'll get metrics to see how your organisation compares and data to use when speaking with your leadership and board.

eBook: Memos to Managers: On Strengthening Culture & Preventing Workplace Harassment

See how you can train frontline managers to receive reports of unethical behaviour and encourage employees to speak-up without fear of retaliation.

Whitepaper: Strategies for Creating a Visionary Organisational Culture

After a major scandal, Serco Group rebuilt their programme and their culture from the ground up. Learn how they did it in this whitepaper.

Week 8

Ongoing Monitoring & Measuring

Measuring and monitoring your programme is the only way to know if your programme is truly effective. Effectiveness measurements can come from a variety of sources. In fact, using as many sources as possible is the most accurate way to get a "grade" for your programme. Use the following chart as a list of where to go internally and externally to find measurements and benchmarks to improve your programme.

Dig Deeper with These Resources on Effectiveness Measurement

Definitive Guide: The Definitive Guide to Compliance Programme Assessment

Use this guide as an overview of all the effectiveness elements and how they work together for overall programme effectiveness.

Webinar: How do I prove my E&C Programme is Effective? The Art & Science of Effectiveness Measurement

Use this webinar as a hands-on workshop with practical advice for measuring your programme effectiveness.

Weekly Content

Ask yourself the following questions to gauge if you have the appropriate level of leadership engagement:

Communicate

Train