This is the first article in a three-part series on building effective compliance programs.
Compliance is a pass or fail obligation. Achieving compliance, by contrast, can be a slow and systematic process.
Large companies with expansive legal and HR departments can throw lots of resources at the effort. For small and midsize companies, however, ensuring that compliance is comprehensive and consistent tends to be more challenging.
Smaller companies have just as much incentive to avoid the fines, lawsuits, and bad PR that come from compliance breaches. Litigation trolls and hackers target SMBs looking for weakness because SMBs have fewer resources to defend themselves. Fewer SMB resources also mean that an SMB often lacks the staff, expertise, and time needed to fully realize and implement a disciplined compliance approach.
Regardless of company size, however, here’s the typical hierarchy of compliance maturity:
- Ad hoc: Compliance lacks structure, accountability, oversight, and understanding.
- Fragmented: A compliance program exists but is not documented.
- Defined: Compliance program managers ensure that compliance is conducted according to a documented program.
- Mature: Monitoring and oversight are in place so that the company coordinates compliance activities throughout, and compliance reports are made to the highest levels of the company.
- Optimized: The company considers every decision it makes through a framework of compliance, tracking metrics and conducting periodic reviews. Meanwhile, the company engages in systematic process improvement that incorporates compliance feedback it receives.
Deploying a vigorous compliance program can be time-consuming; however, it’s not impossible, even for companies that lack large in-house teams.
Compliance is about having the right tools deployed in the service of a smart strategy that resembles the scientific method. A company can start with a basic hypothesis, “we are compliant,” that it rigorously tests and retests to validate. Then, when issues are discovered, it systematically fixes them: written policies are amended, employee training is updated, and finally, the solution is tested again. Considering that compliance is a moving target, it’s essential to have a strategy that can effectively adapt.
TAKING THE FIRST STEP: COMMITTING TO COMPLIANCE
In this blog, let’s look at the first step a company needs to take when it comes to climbing the compliance ladder: moving from ad hoc to fragmented.
Early compliance efforts are disjointed since procedures and roles are not defined and set. To go beyond this, a company must make the fundamental decision to become compliant. Once this decision is made, the compliance program can be built around the commitment and intent. Specifically, corporate leaders demonstrate a commitment to compliance by doing the following:
- require a unified commitment to compliance across the company.
- provide periodic compliance messaging in various ways, such as email, video/audio messages, all-hands meetings, formal training, 1:1 conversations, and business meetings. The messaging can be simple, for example: We grow with integrity; We abide by law; We treat each other and our customers with respect.
- participate in compliance planning and training.
- make certain employees responsible for the compliance program and hold them accountable for progress.
- provide a personal example of how to conduct business with integrity and in accordance with law.
In sum, commitment means sustained, active engagement in support of building the compliance program.
NEXT UP: RISK ASSESSMENT
In most instances, laws and regulations outline a set of rules that must be followed and outcomes that must be achieved. Then it’s up to companies themselves to determine when, where, why, and how those rules impact operations. Eventually, all of those insights are reflected in the companywide compliance policy, which is updated as necessary.
In my next blog, I will discuss the next steps on a company’s journey to compliance and why a risk assessment is necessary to create a compliance policy that is unique to the company.