Wednesday, November 30, 2011
CORPORATE COMPLIANCE ACTION PLAN
CORPORATE COMPLIANCE ACTION PLAN
By John Kyriazoglou* (author’s credentials at the end of this document)
A compliance program refers to an organization's management plan for conducting all of its activities within the frameworks of law, rules and regulations.
It usually concerns:
(a) Identifying the laws, rules and regulations that apply to the activities of the organization,
(b) Identifying business areas where the activities of the organization are at risk of breaching these laws, rules and regulations,
(c) Establishing and executing systems, policies and procedures to try to avoid, prevent and protect against such breaches,
(d) Assigning specific compliance-related responsibilities to managers and professional staff and incorporating all compliance activities within the regular business operations of the organization,
(e) Changing behavior of all participants (board, managers, staff, external parties, etc.) through communication, education, training and coaching where this is necessary,
(f) Monitoring and reporting all compliance-related issues, and
(g) Reviewing, auditing and improving the whole compliance program and effort.
This compliance program could be implemented by a compliance action plan as follows:
The conceptual model that may be used for crafting the compliance action plan and ensuring its completeness, to the best and practical way possible, is the ADDIE Model, which is the acronym for analysis, design, development, implementation and evaluation, and its corresponding phases. This model (see, for more details: http://en.wikipedia.org/wiki/ADDIE_Model) gives us, from a practical perspective, an added level of confidence that we have not forgotten any phases in developing and implementing a compliance program.
Phase 1: Analysis of Compliance Requirements and Needs
The objective of this phase is to analyze the compliance requirements and needs impacting the organization and prepare it to manage its activities and operations in a compliance-effective environment. The actions required to be executed to complete this phase are:
Action 1: Carry out the analysis of the compliance landscape of the organization and the statutes, laws and regulations affecting all functions of the business the organization is involved in and the countries or states (provinces) it operates in.
Action 2: Define the constituent elements required by the specific organization in terms of funds, people, management structure, policies, systems, procedures, documentation, facilities, techniques, methods and tools to be effectively employed to carry out and implement the whole compliance process.
Action 3: Collect all compliance rules, regulations and standards affecting the organization.
Action 4: Carry out the analysis of the communication and training aspects and the readiness of the organization regarding compliance.
Action 5: Submit a report to the board of the analysis that includes a budget for the compliance process, and obtain approval and funds from the board for designing, development and operating a compliance program for the organization.
Phase 2: Design of the Compliance Function of the Organization
The objective of this phase is to design and set up an effective compliance program and a compliance officer and often a compliance committee who are responsible for collecting all relevant rules, regulations and standards applicable to the organization, organizing, developing, operating and monitoring the compliance program. The compliance officer and compliance committee must report directly to the organization’s governing body, and CEO, periodically and on an as-needed basis. The compliance officer must oversee the program, including making revisions as the company’s needs change, coordinating and participating in training and education for employees, independently investigating compliance matters and ensuring that any necessary corrective action is taken. The actions required to be executed to complete this phase are:
Action 1: Design the duties, roles and responsibilities of a Compliance Officer.
Action 2: Design the responsibilities of a Compliance Committee.
Action 3: Appoint the Compliance Officer.
Action 4: Establish the Compliance Committee.
Action 5. Design and issue a first draft of the Compliance Strategy and Program.
Action 6. Design, if required, the specifications of a computerized system to support the compliance process of the organization.
Action 7: Submit a report to the board of the design phase, making any required changes to the initial budget, and obtain approval and funds from the board for the execution of the next phase.
Phase 3: Development of Compliance Policies and Procedures
The objective of this phase is to carry out the development and distribution, by the compliance officer, of written compliance standards, systems, policies, procedures and practices to guide the organization and its employees on a day-to-day basis. These should include a code of conduct detailing the fundamental principles, values and framework for action within the organization, general corporate policies and procedures, a summary of critical laws, regulations and standards, and specific provisions for various administrative, production, customer service, sales, marketing, financial, information technology and other business functions within the organization, including any regulations that may apply to business units in other national jurisdictions. These should be easily understood by, and posted and communicated to, all affected employees, as well as participants in the activities of the organization. The actions required to be executed to complete this phase are:
Action 1. Develop and finalize the Compliance Program.
Action 2: Develop the corporate compliance policies, procedures, codes of conduct and the compliance records maintenance and retention system of the organization.
Action 3. Develop or obtain a ready-made software system, if required, to support the compliance process of the organization.
Action 4: Obtain board approval of all corporate compliance policies, procedures and codes of conduct.
Action 5: Distribute all compliance policies, procedures and codes of conduct to all staff and managers.
Action 6: Develop the compliance communication procedures.
Action 7: Develop the education and training plan and procedures for all compliance issues.
3. Implementation of Compliance Program
The objective of this phase is to fully implement the compliance program. It may not be enough to appoint a compliance officer and committee, even if they are excellent in carrying out their duties and roles. The compliance officer must create and maintain effective lines of communication with all employees. This should include a process, such as a hotline or other reporting system, to encourage questions and complaints and procedures to protect the confidentiality or reports and anonymity of the complainants and to protect employees against retaliation. The actions required to be executed to complete this phase are:
Action 1: Implement all Corporate Compliance Policies, Procedures, Compliance Codes of Conduct, as well as the compliance records maintenance and retention system.
Action 2. Implement, if required, the computerized system to support the compliance process of the organization.
Action 3: Run all awareness sessions with all business functions as regards the compliance policies and procedures of the organization.
Action 4: Implement the compliance reporting system, including a Hot Line for compliance issues.
Action 5: Execute the education and training plan for all compliance issues.
Action 6: Link compliance to management and employee performance.
Action 7: Enforce compliance standards through well-publicized disciplinary guidelines.
4. Evaluation and Improvement of Compliance Program
The objective of this phase is to assess the effectiveness of the Compliance Program of the organization. The compliance program must be evaluated periodically to assess its effectiveness as a whole, including how it performs in practice to monitor the operations of the organization on a day-to-day basis. If the same problems recur time and time again, specific actions must be undertaken and compliance requirements and needs must be addressed. Compliance policies, standards and practices are only effective if they have the commitment of the management of the organization, are clearly written and communicated to staff, and are interpreted by a compliance officer with the proper skills, dexterities and experience. In the event of a regulatory investigation or potential breach, complete documentation of all aspects of the company’s compliance program is necessary to demonstrate the good faith of the company and the specific program’s effectiveness. The actions required to be executed to complete this phase are:
Action 1: Monitor the execution of all Corporate Compliance Policies and Procedures by the designated officer and committee of the organization.
Action 2: Request auditing of Corporate Compliance Policies and Procedures by internal audit.
Action 3: Review all Corporate Compliance Policies and Procedures by external auditors, including subject experts.
Action 4: Develop correctives actions and execution of responses to detected offences.
Action 5: Evaluate the effectiveness of Corporate Compliance Policies and Procedures.
Action 6: Evaluate the effectiveness of Compliance Program.
Action 7: Improve all Corporate Compliance Policies and Procedures and Compliance Program.
John Kyriazoglou, CICA, M.S.,B.A(Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book CORPORATE CONTROLS’ ( to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.
Articles, Opinions, etc.: http://corporatecontrols.blogspot.com/