Patty P. Tehrani, Esq.
Founder, Policy Patty Toolkit (www.policypatty.com) and author of the CCO Toolkit Series 1.0
Do you remember the last time you checked your compliance functions to see if they’re working as intended? As the Chief Compliance Officer (CCO), you run your organization’s Compliance Program (Program) and the various functions it encompasses. You know these controls are not optional, and frankly, they’re necessary to protect and run your highly regulated organization. But checking them while having to contend with a proliferation of new regulatory requirements and possibly more liability (Read more – Haider Settlement) is a daunting task. And that’s not all. You also have to contend with growing stakeholder expectations to drive value, produce sustainable cost-savings, and support business strategies all balanced against the need to remain compliant.
If you’re scratching your head and not sure what to do, take this quick survey to help you determine your next steps.
| No. | Area | Question |
|---|---|---|
| 1 | Policy | Are your compliance policies and procedures current and maintained per a documented policy management process? |
| 2 | | Are the roles and responsibilities for your compliance function documented? |
| 3 | Inventory | Do you maintain a current inventory of applicable laws and regulations that are integrated into your function, tracked, reported and acted on per a documented regulatory change management process? |
| 4 | Assessments | Are your compliance function controls included in your periodic assessments? |
| 5 | Communications and Training | Do you deliver periodic communications and training on your compliance function and related controls to raise and reinforce awareness? |
| 6 | Monitoring and Testing | Is your compliance function monitored and tested periodically to measure compliance and assess effectiveness with program requirements? |
| 7 | Procedures | Is your compliance function implemented through documented and current procedures? |
| 8 | Implementation | Do you require and confirm implementation of compliance function requirements? |
| 9 | Reporting | Do you report periodically to senior management and as applicable the board of directors on the compliance function? |
| 10 | Maintenance | Do you take steps to periodically review and where necessary update your compliance function to assure it remains current? |
How did you fare? Don’t worry if you ended up with more “no” responses than you would have liked. First, the good news is that you made this determination and not a regulator, litigant, or some other third party. Second, you have lots of great information online to help you assess your compliance functions. But if you’re short on time and dealing with lots of priorities (which is most likely the case), here are a couple of tips. The first is to download my program checklist and adapt it as needed to do a quick check of your compliance function. Next, if you have the time, do a more extensive review and engage your staff and other stakeholders (e.g., Legal, Risk, Finance, Operations, and business management) to check your functions by answering the following questions:
- What are the objectives of these controls, such as:
  - Protecting the organization’s reputation and value;
  - Meeting the demands and expectations of internal and external stakeholders;
  - Supporting business strategies in adherence with governance, ethics, risk management and compliance requirements; and
  - Balancing remediation of non-compliance while protecting the organization against legal and regulatory enforcement.
- What types of controls do you have for important compliance functions, such as:
  - Code of Conduct;
  - Compliance Communications and Training;
  - Compliance Monitoring;
  - Compliance Program Assessment;
  - Internal Investigations;
  - Policy Management Framework;
  - Preparing and Conducting Regulatory Exams;
  - Regulatory Change Management; and
  - Selecting Technology.
- What the function needs to do (see my CCO toolkit for more guidance);
- Which requirements (legal, regulatory and business) does the function address;
- Who helps and needs to help maintain and support the function;
- What key dates should be considered (remediating findings, rule change compliance date);
- What controls (e.g., policies, procedures, systems, etc.) are currently in place;
- How to assess the function to identify gaps and deficiencies (collectively, “gaps”);
- What gaps are identified from the assessment;
- How to document an action plan for remediating in consideration of priorities, risks, resources, etc.;
- How to operationalize agreed upon measures to address gaps; and
- When to schedule the next review to assess the function.
While the scope and complexity of regulations may never dissipate, you can’t lose sight of what you need to do to keep your compliance functions and controls effective for your organization. Remember that to position Compliance for success, as Compliance leaders, you need effective compliance controls. However you approach the assessment of these controls, always remember that you need to check them from time to time to see if:
- They are working;
- Their goals are being met;
- Their value is known and promoted; and
- Deficiencies are identified and remediated.