1. Compare the implementation of a compliance program with the risk management process.
a. Describe the procedures that should occur after a compliance program is implemented.
b. Dwight is the new Chief Risk Officer (CRO) and head of internal audit for a large, multi-national organization. When he reviews the organization’s compliance program, he finds that the procedure in the employee handbook directs employees to report questionable practices to their direct supervisor. Explain whether Dwight should change this reporting practice.
1. A compliance program is a set of internal policies and procedures of a company to comply with laws, rules, and regulations or to uphold business reputation. A compliance team examines the rules set forth by government bodies, creates a compliance program, implements it throughout the company, and enforces adherence to the program.
In business, risk management is defined as the process of identifying, monitoring and managing potential risks in order to minimize the negative impact they may have on an organization. Examples of potential risks include security breaches, data loss, cyber attacks, system failures and natural disasters. An effective risk management process will help identify which risks pose the biggest threat to an organization and provide guidelines for handling them.
Most boards of directors are keenly aware that they need to oversee compliance regulations to protect the company from risks. With the board of directors covering the bases of compliance oversight, you may be wondering if there is any work left for risk managers to do.
It’s true that risk managers need to be aware of compliance risks, but the bulk of their role needs to focus on risks as they pertain to strategic planning. This is where strong and clear communication between the board of directors and the risk managers is vital.
One of the primary duties of the board is strategic planning, which is a continual process. As the board explores new avenues for the company to increase its market share, new risks are bound to accompany those new opportunities.
The risk management team needs to work in tandem with the board of directors as they discuss strategic plans. Risk managers have the task of asking and evaluating the hard questions about who, what, where, how and why new planning strategies pose new risks to the company. Their findings form a new basis for discussion for management and the board of directors from the perspective of whether certain new directions are worth pursuing.
a) For organizations looking to build a new compliance program, this lack of uniformity makes the process of building all the more difficult. There is no reference program to start with or set of guidelines around the number of people, technology, focus, etc. Implementing a compliance program is more about empowering the organization to do the right thing and ultimately protect the company from risk rather than avoiding prosecution.
Establishing effective policies and procedures does not begin and end with regulations. It takes the right amount of collaboration, the right types of distributive mediums, and the right methods to measure understanding. All of these things take an enormous amount of time and energy, but automating them with a software solution can increase efficiency and ensure compliance with company policies and procedures. The following are the steps to ensure the compliance program:
Meet with divisional leaders to ensure the policies and procedures are feasible
The first step to ensuring compliance begins with involving the leaders of each section of the organization. Policies are often created by someone within an organization who does not have a comprehensive understanding of the daily tasks within each department. Involving others, even if just for a 30-minute interview surrounding a policy, ensures that the new policies:
Are not misunderstood
Use the correct terminology
Make sense to the employee
Determine the best format of policies for the audience
Different departments contain different personalities, schedules, and daily experiences. To ensure compliance with policies and procedures, make sure that they are delivered to the employees through vessels they are comfortable with. A benefit of meeting with divisional managers is that we can leverage more information from them, including how the policies will be best received. Examples of different vessel requirements include situations where employees do not access computers during the work day but may have a company smart phone, making them a better candidate for a video presentation of their policies and procedures.
Make Policies and Procedures easily accessible to the employees
Not only should you spend time ensuring that the organization of your policies and procedures makes logical sense, you should also make sure that an employee from any department, and any level of management, is able to find the policies that apply to them within 3 clicks. This will help ensure they do not get frustrated and abandon their attempt at being compliant.
Structure your folders by:
Department
Type of Policy (Ex: Management - Fire Drill Procedure)
And give links to these shared drives to the appropriate managers.
Set deadlines for each policy and procedure to be acknowledged
Setting deadlines for acknowledgment does not just mean establishing an Outlook Calendar reminder on their effective date.
Once the policies and procedures have been created and are accessible, set up weekly meetings with all managers to ensure they have a successful plan in place to ensure their employees' compliance understanding.
If the company sends out surveys to each employee, send scheduled email reminders to them to guarantee they have received the policies and procedures and know the deadlines. Include a contact number and email address within their reminders in case they have questions.
To manage this process without slowing down the email servers, consider using a software solution for policies and procedures. Solutions such as ConvergePoint are built into SharePoint, stay behind the firewall, and access Active Directory, so there is no need to worry about working an entirely new program into the company.
Determine the best way to measure understanding
Each policy and procedure is an individual, and should be treated as such. Standardized all accepted responses are okay for some standard policies, but ensuring compliance with procedures should go a step further to guarantee understanding. Depending on the task or field, taking quizzes, scheduling practice runs, or a combination of both can dramatically increase employee compliance with policies and procedures.
b) Mr. Dwight should change the employees' reporting practice. In a corporation, any grievance about colleagues can be reported to the supervisor, who will report to higher management after some basic investigation. A corporate compliance program is generally defined as a formal program specifying an organization’s policies, procedures, and actions within a process to help prevent and detect violations of laws and regulations. It goes beyond a corporate code of conduct since it is an operational program, not simply a code of expected ethical behavior. Clearly, a code of conduct is an important component of a compliance program, and ethics remains the heart and soul of all corporate compliance programs. Any questionable practice against this should be reported to the Compliance Officer. A compliance officer is an individual who ensures that a company complies with its outside regulatory and legal requirements as well as internal policies and bylaws. Compliance officers have a duty to their employer to work with management and staff to identify and manage regulatory risk. So employees should report directly to the Compliance Officer rather than the supervisor.