6 Federal Criteria for an Effective Compliance Process
Business-sensitive strategy to enhance process effectiveness.
According to the federal government, an effective compliance process has 6 key elements. Regulated entities and public companies are expected to compare their compliance processes to these criteria annually, to prioritize opportunities to improve.
This strategy generates a cycle of continuous process improvement.
This is my first blog post to share tips for strengthening compliance processes. These tips apply to public companies and regulated startups. Link to one-page visual.
1. Does The Process Have a Clear Owner, with Adequate Resources and Support?
- Is there a clear process owner? Does he or she have real authority?
- Does the process have adequate resources, given the entity size?
- Does leadership show clear support for the process?
2. Is There a Written Policy?
- Is there a written policy that clearly explains — in plain language — what is supposed to happen, including how to document transparently what happened and why?
- Do employees understand what they are expected to do, when they need to get approval and by whom?
- Is the policy translated into local languages, where needed?
3. Are Employees Trained on the Policy? Is It Effectively Communicated?
- Is the policy easy to find and easy to read?
- Do employees understand what is expected of them?
- Are updates clearly communicated?
4. Is the Process Continuously Improved?
- Is the policy updated when laws, regulations or licensing requirements change or when the business model changes?
- If the company acquires — or merges with — another business, especially a foreign one, are the policies integrated?
- Does the organization gather “lessons learned” from employees, to avoid making the same mistake twice?
- Are “work-arounds” effectively resolved?
5. Is the Policy Consistently Implemented and Enforced (hotline)?
- Is there an audit or system for assessing whether the policy is effective?
- Are policy design and implementation gaps identified, remediated / enforced?
- If discipline is necessary, is it fair — are lower level staff blamed to avoid higher level staff experiencing consequences?
- Is there an anonymous hotline? Are complaints tracked and handled effectively?
6. Are Relevant Third Parties Sensitized to Policy Expectations?
- How do vendors, agents, consultants and other third parties become aware of policy expectations that apply to them (e.g., policies that may apply to third parties: anti-bribery policy, business expense reimbursement)?
How To Use This List
I use this list as a “cheat sheet” when I am working on projects to enhance business and compliance processes and to strengthen transparency. I compare an existing policy or process to these 6 core criteria to help identify and prioritize practical, business-sensitive process enhancements.
Q & A: Why do compliance processes matter?
Effective compliance processes help organizations:
- Generate reliable financial reports
- Avoid wasteful operational duplication and inefficiencies
- Prevent regulatory missteps and
- Improve cost-efficiencies and bottom line performance.
It is a critical, dynamic challenge to find the right tension between innovation and process standardization. A compliance strategy that includes continuous re-alignment with these 6 effectiveness criteria will help you build and scale practical, business-sensitive improvements.
What is a compliance process?
Simply put, a compliance process is any business process that contributes to a financial report, or aligns a business function with legal, regulatory or licensing requirements.
Why should I scale compliance processes?
Scaling compliance processes helps an entity adapt to two types of continuous change:
- Changes to the business model (new products, new customers, new or different anything).
- Changes to legal, regulatory or licensing requirements, or emerging industry best practices.
How can I build the plane while I am flying it? Shouldn’t I wait until the business is more settled before I start to change compliance processes?
If you want to adapt to internal and external changes, then you may want to consider adapting in real time — sooner rather than later. Continuously refreshing your processes to re-align with the 6 required elements is a great start.
Hopefully, your plane will continue to grow as you fly, so the sooner you implement a process of continuous improvement, the better. It works well to standardize an annual review that maps key business processes to these 6 elements.
Where did the criteria come from?
These criteria are derived directly from two federal government releases that outline expectations for compliance programs (auditors use similar criteria):
- Metrics released by the federal Department of Justice on Monday, November 2, 2015 that clarified the criteria they use to judge compliance programs. I wrote a summary here.
- Federal Sentencing Guidelines at §8B2.1 which explain the requirements for an effective compliance program. The definition of an “organization” includes non-profits. The guidelines are here.
This continuous improvement strategy leads to consistent process improvements.
Scale. Don’t boil the ocean. Prioritize.
About Me
I am a NYC-based independent compliance consultant and attorney. I help organizations prioritize and roll out business-sensitive compliance process enhancements. My initiatives improve operational effectiveness, including policies, internal controls, training and Codes of Conduct. I am a former SEC senior enforcement counsel, KPMG regulatory compliance consultant, CCO for the NYC Council, Director of Program Integrity for the Massachusetts state government budget office, compliance training specialist with a federally funded educational foundation and public broadcaster, and a former Skadden litigation associate.
Feel free to reach out any time concerning compliance best practices ideas or projects, or if you have any suggestions.