If your company is public or regulated, auditors expect you to do this. And so does the Fed.

6 Federal Criteria for an Effective Compliance Process

Emily Steed, J.D., LL.M., CAMS
Jan 6, 2016

Business-sensitive strategy to enhance process effectiveness.

According to the federal government, an effective compliance process has 6 key elements. Regulated entities and public companies are expected to compare their compliance processes to these criteria annually, to prioritize opportunities to improve.

This strategy generates a cycle of continuous process improvement.

This is my first blog post to share tips for strengthening compliance processes. These tips apply to public companies and regulated startups. Link to one-page visual.

1. Does The Process Have a Clear Owner, with Adequate Resources and Support?

  • Is there a clear process owner? Does he or she have real authority?
  • Does the process have adequate resources, given the entity size?
  • Does leadership show clear support for the process?

2. Is There a Written Policy?

  • Is there a written policy that clearly explains — in plain language — what is supposed to happen, including how to document transparently what happened and why?
  • Do employees understand what they are expected to do, when they need to get approval and by whom?
  • Is the policy translated into local languages, where needed?

3. Are Employees Trained on the Policy? Is It Effectively Communicated?

  • Is the policy easy to find and easy to read?
  • Do employees understand what is expected of them?
  • Are updates clearly communicated?

4. Is the Process Continuously Improved?

  • Is the policy updated when laws, regulations or licensing requirements change or when the business model changes?
  • If the company acquires — or merges with — another business, especially a foreign one, are the policies integrated?
  • Does the organization gather “lessons learned” from employees, to avoid making the same mistake twice?
  • Are “work-arounds” effectively resolved?

5. Is the Policy Consistently Implemented and Enforced (hotline)?

  • Is there an audit or system for assessing whether the policy is effective?
  • Are policy design and implementation gaps identified, remediated / enforced?
  • If discipline is necessary, is it fair — are lower level staff blamed to avoid higher level staff experiencing consequences?
  • Is there an anonymous hotline? Are complaints tracked and handled effectively?

6. Are Relevant Third Parties Sensitized to Policy Expectations?

  • How do vendors, agents, consultants and other third parties become aware of the policy expectations that apply to them (e.g., anti-bribery policy, business expense reimbursement)?

How To Use This List

I use this list as a “cheat sheet” when I am working on projects to enhance business and compliance processes and to strengthen transparency. I compare an existing policy or process to these 6 core criteria to help identify and prioritize practical, business-sensitive process enhancements.

Q & A: Why do compliance processes matter?

Effective compliance processes help organizations:

  • Generate reliable financial reports
  • Avoid wasteful operational duplication and inefficiencies
  • Prevent regulatory missteps and
  • Improve cost-efficiencies and bottom line performance.

It is a critical, dynamic challenge to find the right tension between innovation and process standardization. A compliance strategy that includes continuous re-alignment with these 6 effectiveness criteria will help you build and scale practical, business-sensitive improvements.

What is a compliance process?

Simply put, a compliance process is any business process that contributes to a financial report, or aligns a business function with legal, regulatory or licensing requirements.

Why should I scale compliance processes?

Scaling compliance processes helps an entity adapt to two types of continuous change:

  1. Changes to the business model (new products, new customers, new or different anything).
  2. Changes to legal, regulatory or licensing requirements, or emerging industry best practices.

How can I build the plane while I am flying it? Shouldn’t I wait until the business is more settled before I start to change compliance processes?

If you want to adapt to internal and external changes, then you may want to consider adapting in real time — sooner rather than later. Continuously refreshing your processes to re-align with the 6 required elements is a great start.

Hopefully, your plane will continue to grow as you fly, so the sooner you implement a process of continuous improvement, the better. It works well to standardize an annual review that maps key business processes to these 6 elements.

Where did the criteria come from?

These criteria are derived directly from two federal government releases that outline expectations for compliance programs (auditors use similar criteria):

  • Metrics released by the federal Department of Justice on Monday, November 2, 2015 that clarified the criteria they use to judge compliance programs. I wrote a summary here.
  • Federal Sentencing Guidelines at §8B2.1 which explain the requirements for an effective compliance program. The definition of an “organization” includes non-profits. The guidelines are here.

This continuous improvement strategy leads to consistent process improvements.

Scale. Don’t boil the ocean. Prioritize.

About Me

I am a NYC-based independent compliance consultant and attorney. I help organizations prioritize and roll out business-sensitive compliance process enhancements. My initiatives improve operational effectiveness, including policies, internal controls, training and Codes of Conduct. I am a former SEC senior enforcement counsel, KPMG regulatory compliance consultant, CCO for the NYC Council, Director of Program Integrity for the Massachusetts state government budget office, compliance training specialist with a federally funded educational foundation and public broadcaster, and a former Skadden litigation associate.

Feel free to reach out any time concerning compliance best practices ideas or projects, or if you have any suggestions.

Operationalize compliance, standardize processes and drive continuous improvement. Former SEC, KPMG, Morgan Stanley. https://www.linkedin.com/in/emily-steed/