5 Steps To Developing A Corporate Compliance Program
Published March 20, 2018 by Karen Walsh • 4 min read
Corporate compliance programs act as maps to risk reduction. Scaling an organization means incorporating additional regulatory requirements and best practices that demonstrate your trustworthiness to potential customers. Although this process appears overwhelming at first, corporate compliance programs offer the foundation of a sound business strategy. The five steps to building a corporate compliance program support your organization’s current safety stance and allow you to move into new markets, thus increasing profitability.
What is the Purpose of a Corporate Compliance Program?
What is a corporate compliance program?
Corporate compliance programs formally combine an organization’s policies and procedures to create controls that align with federal regulations to prevent legal violations.
At its most basic level, your corporate compliance program allows you to keep your company safe from punitive damages arising out of a violation. At a more sophisticated level, a corporate compliance program reinforces a company’s commitment to mitigating fraud and aligns with strategic, operational, and financial reporting.
Why is a corporate compliance program important?
A corporate compliance program aggregates industry best practices and aligns them with federal regulatory requirements.
Initially, a company may decide to focus on industry standards such as the International Standards Organization (ISO) 27001 series. Early adoption of industry standards provides a starting point for efficient risk management as a start-up company. However, as the organization grows, that single standard may not meet business and customer needs.
For example, organizations looking to transition into the healthcare industry also need to meet the requirements of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). While ISO 27001 and HIPAA overlap in many areas, HIPAA also incorporates additional privacy and security requirements that affect a corporate compliance program.
What is a compliance officer?
Your organization’s compliance officer acts as your offensive coordinator. The individual reviews laws and standards, then focuses on proactive strategies to meet those requirements.
Traditionally, the compliance officer, or compliance manager, needs to retain independence from individuals within the organization potentially affected by federal sentencing guidelines, to ensure appropriate segregation of duties during any potential investigation. The independence requirement means that your organization should carefully determine whether to have the chief compliance officer report to the Board of Directors, Chief Executive Officer, General Counsel, or Chief Financial Officer.
Step 1: Why Leadership Matters
Compliance requires leadership buy-in. Just as an offensive coordinator needs a team’s management to approve plays, your compliance manager needs your C-suite’s and Board’s approval.
Leadership sets the overarching tone for compliance. For example, Enron and WorldCom’s unethical activities were the impetus for The Sarbanes-Oxley Act of 2002 (SOX). This regulatory requirement now affects not only public corporations but many smaller businesses. If leadership sees no value in ethics, the organization’s policy becomes meaningless as enforcement falls by the wayside. In football parlance, upper management becomes the Patriots videotaping the Jets/Giants defensive signals in 2007.
Although not technically illegal, those actions indeed fell outside the boundaries of ethics. Likewise, if upper management sees no value in compliance, the program renders itself meaningless.
Step 2: How to Appropriately Assess Risk
Organizations must address internal and external risks that potentially compromise their compliance stance. Assessing your organization’s risks means incorporating not only legal risk for noncompliance but also your vendor risks and transaction risks.
Moreover, when reviewing risk, you need to determine which sector risks apply. An organization may span both the media and hospitality sectors: for example, a luxury resort may choose to include YouTube videos as part of a marketing strategy. While this seems innocuous, if those videos use guest images without the individuals’ permission, especially if the guests are children, regulatory requirements affect that strategy.
Risks come from many directions and incorporate many areas of an organization’s business. Understanding the various stakeholders and departments subject to controls can feel overwhelming.
Step 3: How to Establish Standards and Controls
Standards and controls must respond to identified risks. A compliance program should be holistic by incorporating the entire environment in which the organization lives.
For example, a healthcare provider may also accept credit card information for copays. That healthcare provider needs to determine controls not only around electronic protected health information (ePHI) but also around cardholder information. While some controls, such as endpoint encryption and firewalls, overlap across both requirements, additional controls, such as data segregation, may also affect the compliance stance.
This interdependence shows why organizing compliance information across overlapping requirements matters.
Step 4: Why Training Matters
Effective compliance programs require employees who not only value standards and controls but also understand the reasoning behind them. Additionally, training reinforces the overarching tone that makes a compliance program successful.
Step 5: How the Board and C-Suite Can Provide Oversight
Most compliance programs incorporate ongoing monitoring, auditing, and testing of controls. Referred to as governance, risk, and compliance (GRC), this continued review enables the parties to the compliance effort to ensure no gaps exist.
However, monitoring means more than merely reviewing policies and procedures. It also requires organizations to test continually for assurance and to respond to weaknesses. Monitoring often incorporates audit requirements, whether external or internal, as part of the regulatory or industry standard.
These audits, based on tested reviews, then help ensure that the Board of Directors, through the audit committee, remains informed of the organization’s compliance stance.
How Automating GRC Eases the Compliance Program Burden
ZenGRC’s GRC tool incorporates PCI DSS-aligned vendor management questionnaires that aid organizations in their risk review and monitoring requirements.
With role-based authorizations, individuals within your organization have access to the compliance information they need to ensure ethical practices. Providing employees access to policies and procedures offers reference materials to help them adhere to regulatory requirements. Additionally, individuals within your organization such as the C-suite, compliance officer, and chief information security officer have access to the documents they need and the appropriate authorizations to update those documents based on their roles.
With ZenGRC’s seed content, your organization can add regulations or standards to its compliance program. This content provides the option to run a gap analysis beforehand, reviewing overlaps with current compliance requirements to show management the extra work needed to obtain full compliance.
Finally, to help the Board of Directors and audit committee review risks and the associated compliance controls, ZenGRC offers easy-to-digest graphic reports that give at-a-glance insight into your compliance program.