
Synopsis
This article provides an overview of the necessary steps and methodology required to implement a compliance framework (Framework) within a large organisation. While this paper is focussed on large entities, the same process and methodology may be adapted and then applied to build Frameworks for smaller organisations.
Gaining Support
The first step is to gain support from your CEO, Company Secretary or Board. This is an essential step if your Framework project is to succeed. It will be much easier to get the necessary support from middle management if upper management supports your Framework initiative. If upper-level management are not willing to support your Framework, it is likely that they do not fully understand the risks to which your organisation is exposed. It is your job as a compliance professional to communicate these risks to them. To do this you must have a short, sharp and easy-to-understand message. Delivering the message to the leaders in person is always the best communication channel.
It is more prudent to get the support of one or two senior managers before you arrange that important meeting with your company secretary or CEO to inform them of the risks to the organisation and ask for their support to implement a Framework.
Team Building & Planning
Team-building and communication are essential in order to build a successful Framework. Specialist knowledge and assistance are required from various stakeholders before you begin to design the Framework. Engaging the right stakeholders from the start will minimise project delivery time. Don't expect to do everything yourself; compliance is very much a team effort. Alliances are needed with various departments within your organisation, such as Risk, IT, HR, Finance, Communications, Learning and Development, and Document Management.
You should start by forming a compliance committee consisting of the subject matter experts (SMEs) that you select from each area. Regular meetings with the compliance committee are a great way to gain support, communicate and stay on top of compliance issues. The SMEs' respective areas or departments may already have some type of compliance controls in place. You will save a lot of time if you learn to leverage their current systems and interdependencies rather than taking a 'start from scratch' approach. Even if you believe their systems are less than adequate, learning what doesn't work is often as beneficial as understanding what will work.
Complying with Your Obligations
It is important to understand that compliance involves more than meeting your legal obligations. There are other obligations that will vary depending on the values of your organisation, which may include company policy, board direction, corporate social responsibility and, in the case of a GOC (government-owned corporation), ministerial direction.
Knowledge of your organisation's business activities ('Activities') is necessary in order to fully understand its relevant compliance obligations ('Obligations'). The fastest and most accurate method to uncover your organisation's Activities is to engage managers or subject matter experts (SMEs) who have a comprehensive understanding of the day-to-day operation of their department.
The best practice is to engage those SMEs who have enough seniority to make decisions, or who are in a position to strongly influence the decision-making process, but who are not too busy for you to get regular access to them.
You may then create a list of Activities that you believe are relevant to that area. Once you have finished, facilitate a brainstorming session with the SMEs so that they can build on and refine the list of Activities. Once you have a firm understanding of the Activities, you may take the next step in the development of the Framework, which is to map the Obligations to the Activities.
Calculating Risk
It is necessary to know what your organisation's acceptable levels of risk are. Engaging your organisation's risk department to inform you of the risk tolerances within your organisation is an important step. There are three key areas of risk that you need to be particularly mindful of when developing the Framework. They are:
• reputational damage;
• imprisonment; and
• high pecuniary penalties.
Obligations can best be determined when they are measured against your organisation's risk tolerances. Some Obligations may not be relevant unless they meet the risk tolerance levels of your organisation. For example, infringement of a particular offence may potentially result in the imprisonment of an officer; however, there may be an extremely limited chance of such a breach, and therefore the overall risk may not be significant enough to address in your Framework. On the other hand, your organisation may be exposed to only a moderate financial penalty that has a high chance of occurrence; this would be assessed as high risk and consequently should be contemplated when developing your Framework.
In large organisations it is impossible to manage every single risk in the Framework. There should be two layers of compliance. The top layer is your Framework; the smaller risks should be managed by SMEs as part of their business-as-usual management process within each department.
Communication and Culture
This is where you will need to be creative. Compliance is something that people should want to do, rather than feel obligated to do. This may require a culture change within your organisation. Many organisations engage the marketing and communications department to advise in this process. The message that you send out to your organisation must be clear, precise, fun and easy to understand.
Get excited and get everyone involved. Compliance can certainly be exciting if you believe it can be. This is your chance to really make a difference. Make a fun corporate video, hand out caps, run learning activities, keep up regular communication, and even create a mascot or celebrity to deliver the compliance message. To bring about a corporate change you will need to get attention, and it all starts with you as the compliance professional.
Remember, your organisation is built from individuals with different education levels, genders, backgrounds, cultures and religions. Your message, however you choose to communicate it, needs to be clear and concise so that it can be understood by every individual within your organisation. By all means make your communications fun, but be sure that they do not offend.
The message should also point out exactly how compliance can benefit each individual within your organisation directly. By doing this your message is more likely to have a greater impact.
The Framework itself
A successful Framework will consist of training, systems and business processes backed by the legal department and management who will provide support to employees that request it.
Before implementing the Framework it is important not to bite off more than you can chew. Starting with a pilot program ('Pilot') is a very smart way to begin the Framework development and implementation process before rolling out the entire Framework throughout your organisation. The Pilot should focus on implementing the Framework in one or two key areas of your organisation. The best area in which to implement the Pilot will depend on your organisation's Activities.
Consider the following questions when deciding which area the Pilot should be implemented in:
• which area poses the highest risk to your organisation?
• which area already has compliance work in place?
The answer to both of these questions will likely be the same area, and that will therefore be the ideal place to start implementing the Pilot.
The Framework should live and breathe within your organisation. This requires face-to-face interaction: reviewing your organisation's business-as-usual processes and discussing them with managers and SMEs.
The IT system ('IT System') should ideally provide a number of functions, such as online training, legislative summaries, an obligation library, resources, points of contact and a method of breach and incident reporting. A system such as this will be very expensive to build from the ground up, not to mention the time it will take to develop.
To reduce cost and development time, your organisation may opt for an off-the-shelf product. If you do, ensure that it integrates with other systems, such as the SAP system used by HR, so that all employees can be imported into the IT System and be given different levels of access (and information) based on their role.
Maintaining the Framework
The Framework will need to be maintained throughout its existence. This means that you should subscribe to a service that provides legislative and regulatory updates so that you can keep the online training, legislative summaries, obligation library and other resources up to date. You should also keep up to date with policies and procedures within your organisation, as they will change from time to time. Having a mechanism in the document management area that notifies you when such documents are updated is invaluable.
Legal compliance professionals require high-level communication skills, not only to develop a Framework but to maintain it as well. Building and maintaining relationships throughout your organisation is an important skill that will make your compliance journey a more comfortable and rewarding one. Cooperation often demands finding solutions that serve both your organisation's departments and its compliance requirements.
Also see the compliance article on PCI Compliance.