Reaching Maturity: Using Feedback to Strengthen Your Compliance Program
This is the third article in a three-part series on building effective compliance programs.
Getting your compliance program up and running is a huge accomplishment. It’s also just the first step in an ongoing process. In prior posts on building effective compliance programs, we wrote about the importance of committing to compliance and defining your program. After you’ve defined your program, don’t assume it is perfectly designed. In fact, you should do just the opposite.
No program is perfect, and every program needs improvements and updates as your company grows, regulatory rules change, and the cybersecurity landscape evolves. To mature your program, you need to provide oversight and monitor your compliance activities.
The thing that distinguishes an advanced, mature compliance program from a basic one is the presence of a feedback loop — a method to effectively iterate on the program over and over again. Somewhat ironically, compliance programs improve significantly once companies admit that they’re imperfect and regularly in need of adjustment.
Feedback can come from different sources, including what you learn while investigating a report or from proactive monitoring.
• Reporting: You receive feedback on your compliance when you investigate an issue or question raised by an employee or third-party partner. The issue raised is either confirmed or not, and you can use this information to refine aspects of your program. Sources of reports can include:
- Discussions with HR.
- “Open-door” discussions with company leaders.
- Anonymous hotline reporting.
• Monitoring: You receive feedback by looking into issues that you already know are risks to your company, typically those identified during a risk assessment. Such monitoring reveals how much each issue threatens your compliance and gives you an opportunity to respond proactively. Most issues will relate to code of conduct topics such as fraud, bribery, or antitrust. Examples of monitoring can include:
- Fraud: review records and messages related to marketing spend and expense claims.
- Bribery: review messages involving interactions with customers, especially government agencies.
- Antitrust: review messages exchanged with competitors.
If such monitoring involves personal information, notify employees in advance and state the scope of what is reviewed. This can be done through your company handbook or another published corporate policy, and the policy should be consistent with the privacy and employment laws that apply to you.
Building a Feedback Loop From the Ground Up
Regardless of whether you decide to rely on investigation or monitoring (ideally both) to look for feedback, you need a source of data to draw on. But a company first establishing a compliance program may not be set up to efficiently collect and review critical data because it exists in informal channels like paper documents, emails, text messages, and social media chats.
Technology tools serve as the foundation for efficient investigation and monitoring. This includes automated approval workflows (e.g., Concur or a Salesforce approval process) and advanced archiving tools (e.g., ZixArchive). These automatically capture and store the documentation and communication you need in order to confirm you are compliant and understand the risks you face.
Email review is critical to most investigations, and archiving provides the tools to make sense of that data. An archive indexes the contents of messages, complete with metadata, for search and retrieval. Search tools are designed to be intuitive and comprehensive so a user can explore data broadly or deeply, meaning the compliance team can run a search itself without involving the IT team. The right archiving tool also lets you discreetly share findings among the cross-functional teams who are stakeholders in the investigation.
To underscore the importance of technology, imagine managing compliance without it. Try tracking down, reviewing, or sharing analysis of months or years of paper files for written approvals. Or try searching an email .pst file containing 10 years of information — the results of such searching are slow, difficult to share and reproduce, and almost impossible to conduct iteratively (i.e., you have to start from scratch when following up on a new issue later).
Keeping the Feedback Loop Constantly Spinning
Monitoring the information inside your archives should be risk-based so you can focus and efficiently direct the use of your limited compliance resources. Reports and investigations are also important: you may be obligated to investigate reported noncompliance and remediate it. When problems are detected, it is a good sign, because it means your compliance program is working.
The best programs that are mature and optimized have this feedback loop spinning all the time. The highest levels of the company receive reports on these compliance activities. The compliance team can set the performance metrics based on what they know about the company and the feedback obtained. Moreover, the compliance team can conduct additional periodic reviews of their program, such as by conducting additional risk assessments.
As a general rule, it never pays to rest on your laurels when it comes to compliance. These fast-moving and interconnected issues change all the time. Instead of assuming you are doing everything right, prove it. Ideally, all the evidence you need is already inside your archive.