In his speech, Mr. Levinson reviewed what makes a strong compliance program, and I was once again reminded of how similar all the best practice frameworks are in their guidance.
Earlier this year I spent some time reviewing guidance in the US Federal Sentencing Guidelines, those from the OECD on effective compliance, FCPA program advice, and recently the Adequate Procedures from the Ministry of Justice on Anti-corruption programs. All of these shared commonalities, echoed by Mr. Levinson, on what needs to be present in an effective and evolving compliance program:
- Tone from the Top - Senior Leadership must be committed to fostering an environment of integrity and compliance, and ensure this culture permeates throughout all employee ranks
- Risk Assessment - An organization must periodically review and assess the perceived risks facing it, which subsequently leads to...
- Policies, Procedures, Controls and Guidelines - Once risks are identified, appropriate policies and controls must be created and distributed to those likely to be affected. These stakeholders must be trained, and often must attest to their understanding of the policy and their commitment to abide by the expectations set within.
- Reporting Mechanism - We are all human, so despite best intentions, it is recognized that violations of existing policies will occur. When this happens, an organization must have the ability to effectively collect reports of possible violations wherever they come forward. A hotline is not enough - organizations should challenge themselves to ensure they are capturing reports that surface in face-to-face meetings with managers, HR business partners, and other local supervisors, in exit interviews, through alerts or exceptions that are flagged through technology, etc.
- Monitor and Assessment - A compliance program is not static; it needs to adapt as the business changes. New regulations can be mandated by the government, the business environment may be altered through mergers & acquisitions, economic prosperity or downturns, expansion into new markets, etc. Risks that weren't anticipated during the periodic assessments may become visible. An effective compliance program must be able to collect risk-related data, manage it consistently and appropriately, learn from it, and ultimately adapt to these learnings in order to support the overall business objectives.
This is why we have put so much effort into delivering the EthicsPoint Adaptive GRC Framework. We know that our solutions need to be able to fit into your organization today, regardless of where you are on the continuum, and adapt to your own internal processes and needs. Furthermore, we have to be able to support you as your compliance requirements change over time.
Later tonight, we will be launching the latest evolution of our solution offerings, including:
- Enhanced Issue and Event Manager capabilities
- NEW Benchmarking module, enabling deep analysis of your GRC program and comparisons with other "like" organizations - by industry, company size and even against our entire population of clients
- NEW Policy Manager product to help you effectively manage the lifecycle of your policies
- Enhanced Visualization Manager capabilities that will assist you in identifying risk hotspots, patterns and trends
- New Service Offerings, including Global Whistleblowing Compliance, Third-party Risk Assessments and Third-party Privacy Assessments