8 Steps to an Effective Compliance Program

Step 1

Risk Assessment

An effective program expects organizations to periodically assess the risk of criminal conduct and take appropriate steps to design, implement or modify each program element to reduce the risk of criminal conduct identified through this process. Periodic E&C risk assessments are an important “super” element of an ethics and compliance program and should serve as the foundation for all other program elements.

The risk assessment should identify the organization’s ethics, compliance and reputational risks, the employee population that creates the risk and the current and planned mitigation strategies to reduce risk to an acceptable level

Need help managing and assessing your risks? Contact us to see how we can help.

Use the chart below as a self-assessment to see how you are currently evaluating your risks.

Green: We have the best practices in place with a robust process
Yellow: We are in the process of developing a robust process
Red: We do not have a process in place or know how to implement one

If your responses fell mostly in the green column, you have the right processes in place to get an accurate picture of your risks. If most of your responses fell in the yellow or red category, review the resources included below to get a better idea of where your risks may be.

Dig Deeper with These Risk Assessment Resources

Framework: Risk Assessment Framework

Use this framework to walk through the steps of a risk assessment process including the identification, assessment, mitigation, and ongoing monitoring and reporting of these risks.

Framework: Sample Risk Assessment Ranking & Reporting Process

Once you’ve identified the risks, it helps to map them out and prioritize them. Use this tool to create a heat map to prioritize your highest risk areas.

White Paper: Anti-Bribery & Corruption Risk Assessment Checklist

Use this list to see the risks your organization faces in regards to bribery and corruption.

Step 2

Program Oversight, Structure & Leadership

A compliance program cannot be effective without support of leadership and defined program ownership. Your program needs oversight to protect it from risk and commitment from leadership to drive employee behavior and culture change. Those who do have key oversight duties, including your board of directors, also need to be informed and trained on their roles within the compliance program.

Ask yourself the following questions to gauge if you have the appropriate level of leadership engagement:

Board of Directors

Is the board of directors knowledgeable about the content and operations of the ethics program?
Does the board exercise reasonable oversight of the implementation and effectiveness of the program and the organization’s culture?
Is the board accessible to individuals with day-to-day responsibility including meeting with them in executive sessions?

Compliance Program Leadership

Does the organization have a high-level person and a person with day-to-day responsibility assigned to manage the compliance program?
Does senior leadership understand and exercise their responsibilities to create and maintain a culture that supports compliance with the law and ethical conduct?
Is there an Ethics Committee or Council that receives information from the high-level person or the person with day-to-day responsibility and also provides practical input into the program?
Have ethics responsibilities been assigned to line management? Are they knowledgeable about the content and operation of the ethics program?

If it seems like your answer is "no" to many of these questions, take a moment with the resources below to learn how you can engage your board and leadership.

Dig Deeper with These Leadership Resources

Webinar: Become a Strategic Partner to the Board & C-Suite

See how you can gain a "seat at the table" with the board and c-suite by learning about the business, developing your strategic thinking skills and creating personal relationships.

White Paper: Four Key Board Responsibilities for Monitoring Risk & Compliance

Read about the key responsibilities the board should have to your compliance program like direct access, promoting a culture of ethics and receiving relevant compliance training.

White Paper: Key Elements for Effective Compliance Program Board Reporting

If you've gained the board's support, you'll also need to effectively report to them. Get practical tips and advice on how to successfully report your compliance outcomes to the board.

Step 3

Standards, Policies & Procedures

As we build on the foundations of an effective compliance program, policies and procedures play a massive role. Your code of conduct is the first step in establishing effective policies and procedures as it is the cornerstone policy of your organization. Beyond writing policies like your code of conduct, thought must also be given to how you will manage the ever-increasing number of polices organizations have today. In fact, according to the 2017 NAVEX Global Policy & Procedure Management Benchmark Report, 41 percent of organizations surveyed manage over 100 policies and procedures.

Managing the writing, editing, distributing and attesting to policies and procedures is no easy task.

Interested in finding out how you can more effectively manage your policies and procedures? Schedule a demo of PolicyTech to see how.

Use the chart below as a self-assessment to see how your policies and procedures, particularly your code of conduct, are measuring up to best practice standards.

Green: We have a best practice code of conduct in place
Yellow: We are in the process of developing our code of conduct
Red: We do not have a code of conduct in place and don't know where to start

If your responses fell mostly in the green column, you have a good handle on your code of conduct. Take a look at the resources below to learn more about effectively managing policies and procedures.

If your responses fell mostly in the yellow or red column, you have some writing to do. Take a look at the code of conduct eBook below for some advice on how to write and distribute your code of conduct.

Dig Deeper with These Policy Management Resources

eBook: Code of Conduct Tune Up

Is your code as effective as it could be? Do employees know where to find it and how to use it? Your code of conduct is one of the most vital documents that your company has. It helps guide employee behavior and acts as a manual from which employees and leadership can refer to when faced with difficult decisions. Use this eBook as a resource to get your code of conduct to be the thoughtful and engaging document it's meant to be.

Definitive Guide: The Definitive Guide to Policy & Procedure Management

The Definitive Guide to Policy and Procedure Management is your go-to resource for effectively and efficiently managing your organization’s employee handbook, Code of Conduct, and other policies and procedures. No matter where you are in your understanding of policy management, or how effective your current system may be, this guide offers practical perspectives and insights.

Assessment: Policy Management Program Assessment

Strong compliance policies, as well as efficient policy management processes, are the foundation of a robust compliance program. Use this assessment to see if your program meets best practice and how automation can help.

Sample Policy: Anti-Discrimination, Bullying & Harassment

Use this sample policy as a guide to ensure that all employees are treated with dignity and respect . The policy is illustrative of elements that should be written in an anti-harassment policy

Step 4

Alignment with HR Practices

Who an organization chooses to hire sends a clear signal as to what the organization’s top priorities are. A compliance program can only be effective in an organization with hiring practices that promote law abidance AND ethical conduct.

Does your organization formally evaluate managers (in performance appraisals) on whether they live up to ethics and compliance responsibilities?

The most successful organizations have input from human resources and compliance on policies relating to hiring, promotions and performance reviews. Developing positive relationships between ethics and compliance and human resources paves the way for an ethical company culture and sends a clear message that unethical behavior will not be tolerated.

See how policy management software can help you create HR policies more efficiently. Request a customized demo.

Use this framework as a basis for aligning your compliance program with human resources.

Dig Deeper with These HR Related Resources

Sample Code of Conduct: Doing the Right Things Right, NAVEX Global's Code of Conduct

Take a look at our code of conduct. It clearly details important ethics and compliance and HR related policies.

Whitepaper: Are You Missing 82% of Your Ethics & Compliance Reports?

Read this whitepaper to learn about all the possible ways employees are reporting misconduct and HR issues. With appropriate and effective training, you’ll get an accurate picture of ethics and HR issues that come through the hotline, web form and conversations with managers.

Step 5

Communications & Training

The policies and procedures in your compliance program must be accompanied by a strategic communication plan and training program to keep employees informed about the components of the program and tested on the policies they’re responsible for knowing.

Communicate

Having all of the right policies in place and an effective reporting process for employees has no value if employees don’t know where to go to find policies or who to call when witnessing misconduct.

Work with departments across the organization like Marketing and HR to develop a good communication plan so employees, leadership and third parties are crystal clear about the tools available to them and the expectations placed on them. Take a look at the example Awareness Materials below to help you communicate.

Need help with your ethics training and content? Get in touch with a NAVEX Global expert for a demo.

Train

Beyond knowing what tools employees have available to them, you must ensure they know what is expected of them. Compliance training ensures employees are up-to-date on specific legislation and your company’s policies. It’s best to provide training in a risk-based manner with the highest risk employees receiving applicable training first.

A common practice program has the following elements:

Ethics and compliance training tied to a risk assessment
Managers are aware of their responsibilities and how to respond to issues
Leadership support is messaged throughout the program
A multiyear education plan exists with various formats and lengths of training

A best practice program takes them a step further to include:

Education deployed relative to an employee's role
Assessment of the effectiveness of the training deployed
Board and leadership training, not just briefing

Drive measurable value with your training program with resources below.

Dig Deeper with These Compliance Training Resources

Sample Materials: Awareness Posters & Communications

Use these posters as examples of the type of communication that will educate employees about your whistleblower hotline and the other compliance tools available to them.

Definitive Guide: The Definitive Guide to Compliance Training

This guide will help you plan your compliance training program and give you tools to help you gain leadership support, decide on which topics to train and tips on how to make employees aware of the training available to them.

Benchmark Report: 2017 E&C Compliance Training Benchmark Report

See how your program compares to other compliance training programs and the top issues and topics that other organizations are educating their employees on.

Template: Editable Multiyear Training Plan Template

This Excel document will help you plan out your training curriculum for the next three to five years so you can deploy the right training at the right time.

Step 6

Reporting & Response

Every compliance program must offer ways for employees to easily and safely report issues without fear of retaliation, being shamed at work or even losing their job. The Ethics Resource Center revealed that 41% of employees have personally witnessed misconduct, 40% who witness it don’t report it and of those that do report, 82% reports are made directly to frontline managers.

Reporting and response programs are a ground-level element of an effective compliance program, but simply making a whistleblowing hotline available won’t be sufficient. Effective programs provide at least three reporting options:

Hotline. Whether a whistleblower hotline is mandated for an organization or not, it is still a standard and expected component of an effective compliance program.
Web-based reporting. Some employees don’t feel comfortable speaking with a live operator about their issue or they may not have a private location available to make a call. Web-based reporting gives employees the chance to type information into an online form and take the time to review what they have written before submitting.
Open door intake. This is a web-based system that allows managers to input issues reported and actions taken into a centralized system. This helps HR and compliance departments to follow-up on cases consistently and confidentially.

Need help implementing an effective reporting program? Contact a NAVEX Global expert today.

Use the following chart to assess the effectiveness of your current program. If most of your responses fall into the red or yellow category, use the resources below to dig deeper in planning and implementing a whistleblower hotline program.

Dig Deeper with These Resources on Reporting Programs

Definitive Guide: The Definitive Guide to Incident Management

Use this guide to get everything you need to know about planning, implementing and measuring your incident management program.

Benchmark Report: 2018 Ethics & Compliance Hotline & Incident Management Benchmark Report

Our benchmarks give you the data you need to compare your program against others in your industry, region and company size.

Whitepaper: Whistleblower Hotlines & Incident Management Solutions: Major Challenges and Best Practice Recommendations

This whitepaper takes you through nine challenges you may face in implementing your whistleblower hotline program and how you can overcome them.

Step 7

Culture

When an organization’s policies, procedures, rewards or even its Code of Conduct are in conflict with its culture, culture wins. Therefore, in order to have an effective ethics and compliance program, an organization must pay as much attention to culture as it does to policies, training, auditing and other program elements.

Compliance supports the strategic goals and mission of an organization just as much as any other department or function. Achieving an effective ethics and compliance program requires more than simply adding rules and additional layers of controls. Successful programs are integrated efforts that align financial and compliance requirements with the organization’s mission and values.

Forward thinking organizations strive to build a culture where all employees know that doing the right thing is expected, understand the standards that apply to them and are confident their management is committed to operating with integrity. These same employees should feel empowered to raise concerns about misconduct without fear of retaliation and believe their concerns will be addressed.

If doing the right thing is the expected practice, behavior that is unethical or otherwise misaligned with organizational standards will stand out and can be more easily addressed. The only way to know this is by assessing the organization’s culture as part of the assessment of the ethics and compliance program.

Answer the following questions to see if your culture is one that promotes ethics and respect.

Dig Deeper with These Resources on Culture

eBook: 25 Simple Yet Overlooked Ways to Boost Your Ethics and Compliance Program

Get 25 actionable and easy to implement tips for improving your compliance program effectiveness. Whether your goal is to improve your organizational culture or boost program awareness, there's an idea in this eBook you can put to work in your organization today.

eBook: Memos to Managers: On Strengthening Culture & Preventing Workplace Harassment

See how you can train frontline managers to receive reports of unethical behavior and encourage employees to speak-up without fear of retaliation.

Whitepaper: Strategies for Creating a Visionary Organisational Culture

After a major scandal, Serco Group rebuilt their program and their culture from the ground up. Learn how they did it in this whitepaper.

Step 8

Ongoing Monitoring & Measuring

Measuring and monitoring your program is the only way to know if your program is truly effective. Effectiveness measurements can come from a variety of sources. In fact, using as many sources as possible is the most accurate way to get a "grade" for your program. Use the following chart as a list of where to go internally and externally to find measurements and benchmarks to improve your program.

The Importance of Benchmarking

Benchmarking is an important part of the assessment process. Benchmarks can be used to justify your budget or other resource requests, to create a prioritized list of improvement opportunities and to inform the timeline for incorporating those improvements.

Most importantly, benchmarking helps you understand whether your program is within the norms for your company’s size and industry—and where the program as a whole (or individual elements) may land on the continuum from substandard to best practice. In addition to using benchmarking to measure your program against peers, it is a critical step in designing your program for effectiveness that can withstand the scrutiny of external, governmental or regulatory parties.

An Approach to Benchmarking as Part of Your Assessment Process

» Determine the standards/guidelines on which your program is built. Are you using the U.S. Sentencing Guidelines framework? Or the model provided by ISO? Are there industry regulatory standards that apply to your business such as the OIG guidance for healthcare companies?

» Identify your program’s operating goal or the goal for each program component. For example, do you want your training and audit elements to be best practices and all other elements more aligned with common, effective practices?

» Select a program element or process to benchmark

» Identify the key structure, performance and effectiveness metrics

» Choose target organizations of desired size/industry to benchmark

» Collect and analyze data from target entities and published reports/surveys

» Identify opportunities for improvement based on your operating goal(s)

Ongoing Monitoring

The Guidelines require that organizations “take reasonable steps – to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct.”2 The Guidelines also provide that organizations should evaluate periodically the effectiveness of the ethics and compliance program. This requirement is in addition to auditing and monitoring for violations. Here the audits are of the program processes (e.g., whether the Code is distributed or whether training takes place as required and so forth). As with every assessment, a key step is evaluating the effectiveness of your assessment process to ensure your program is having the desired impact on the culture at your organization.

Dig Deeper with These Resources on Effectiveness Measurement

Definitive Guide: The Definitive Guide to Compliance Program Assessment

Use this guide as an overview of all the effectiveness elements and how they work together for overall program effectiveness.

Webinar: How Do I Prove My E&C Program is Effective? The Art & Science of Effectiveness Measurement

Use this webinar as a hands-on workshop with practical advice for measuring your program effectiveness.