How Good Compliance Program Design Helps Your Organization

Michael Nyhuis
6 min read
Regulatory compliance has become part of the daily grind for corporates ' no longer a nice-to-have, a comprehensive compliance program is a non-negotiable element of organizational strategy.

But in this relentless quest to keep pace with the mountain of legislation firms have to comply with, thinking space is a rare commodity. Compliance teams stretched by shrinking resources and growing obligations don't have a lot of spare time to navel-gaze.

As a result, many probably don't often ask what their 'ideal' approach to compliance looks like ' or whether their current strategy lives up to it.

With the U.S. Department of Justice recently issuing updated guidance on the 'Evaluation of corporate compliance programs' ' guidance that will be as pertinent elsewhere as it is in the U.S. ' maybe now is a good time to evaluate your compliance program. Can you be confident that it would live up to expectations?

A Roadmap for Best Practice Compliance Programs

The new document updates guidance first issued in February 2017 and revised in April 2019.

Summarizing the guidance on corporatesecretary.com, partners from law firm McDermott Will & Emery identify its over-arching theme as 'a renewed emphasis on the substance and adequacy of resources made available to the compliance program'.

The guidance shares three fundamental questions that a prosecutor should ask when investigating potential non-compliance:

  1. 'Is the corporation's compliance program well designed?'
  2. 'Is the program being applied earnestly and in good faith?' In other words, is the program adequately resourced and empowered to function effectively?
  3. 'Does the corporation's compliance program work in practice?'

The hope is that by answering these questions, prosecutors can evaluate a company's compliance performance ' both at the time of the offense and at the time the failings are identified and resolved.

In setting out the questions, the DoJ notes that they do not represent a comprehensive checklist, nor a formula for guaranteed compliance. It also recognizes that the questions might be more or less relevant depending on the organization and its circumstances. And finally, notes that some areas being assessed may fall under more than one of the questions.

These caveats aside, the DoJ's three questions certainly provide a good start point for any organization looking to measure compliance performance and review the effectiveness of their current program, whether in the US or elsewhere.

Here, we look at each of these questions in more detail. What do they tell us about the DoJ's current approach to compliance? And how can they help businesses to develop robust, efficient compliance programs?

How Can a Compliance Program Roadmap Help Your Organization?

1. Is the program well designed?

In looking at design, the DoJ's guidance stresses the need for every organization to take a bespoke approach. There is no 'one size' answer to compliance; the organization's risk profile ' which may be determined by factors like industry, company size, number of locations ' will inform the exact nature and scope of a compliance program.

Design also needs to take into account the ever-changing nature of compliance. With regulations and the wider external landscape shifting constantly, compliance programs need to be adaptive in response.

Any assessment of program design should therefore take into account not just the program at the time of the review, but its evolution to this point. How has it developed to its current iteration?

When assessing your compliance program against the DoJ criteria, a level of granularity is vital. As the corporatesecretary.com article says, the Department 'has always included granular questions regarding the design of the compliance program, but the updated guidance gets even more into the weeds'.

This detail-driven approach seems due in part to the DoJ's view that with increased use of technology, organizations should have unprecedented access to the data and insight they need to continuously improve their approaches.

In particular, they stress that technology should make corporate policies easily accessible. In too many organizations, procedures are opaque. But employees cannot be expected to follow best practice if they don't know what it looks like. It's worth revisiting the way you manage and communicate your corporate policies; are they transparent and easily-accessible?

Compliance software can be invaluable here, enabling organizations to clearly document, communicate and enforce corporate procedures and rules.

2. 'Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?'

This question has been updated from the previous iteration of the guidance, with the focus on resourcing and empowerment. The previous guidance asked only whether the program was being 'implemented effectively'.

The new wording gives additional insight into what the DoJ is looking for in an effective compliance program. Resourcing is a key issue; a thorough program on paper is pointless if it fails to translate in practice due to lack of people or time to see it through.

The question of 'adequate resourcing', though, may give organizations pause for thought. The DoJ's view of adequacy may differ from the business's. Compliance teams are ' like the rest of the business ' under pressure from challenging conditions; a recent report in Financial News predicts that banks plan to cut their London compliance teams by up to 25% in the next 12 months.

How can your organization deliver on this 'adequate' resourcing? Again, many are turning to compliance solutions to streamline compliance, reducing unnecessary admin and duplication while strengthening the robustness of their approach.

3. 'Does the corporation's compliance program work in practice?'

The million-dollar question. A well-thought-out program is no use if it doesn't work in real life.

As above, are policies and expectations clear and well-communicated? Are they comprehensive, taking into account third-party providers as well as in-house practices?

How do you measure your compliance program ' and what do you do to tackle any shortcomings identified? Do you make timely improvements where failings appear? Do you take note of enforcements against other, similar organizations and put in place remedial actions for comparable risk management challenges in your own business?

The role of middle management is central here; while the DoJ has long-emphasized the need for top-down leadership when it comes to governance, risk and compliance (GRC), the new guidance has been edited to stress the need for a culture of compliance 'from the middle' as well as from the top.

The importance of middle-management buy-in and leadership by example cannot be under-estimated. As the authors of the Corporate Secretary article note, middle management 'has the greatest direct influence over the majority of employees', and therefore needs to be at the heart of your compliance program.

What's Next for Compliance Officials Striving for the 'Ideal' Compliance Program?

The DoJ's updated guidance is a good place to start for any organization looking to review their current program and improve compliance standards. Whatever your role in the GRC universe ' general counsel; chief compliance officer; auditor or senior executive ' there are takeaways from the subtle tweaks to the guidance that should inform your approach.

There is no single 'ideal compliance program' ' risk management will look different for every business. And importantly, even the ideal program for your organization will never remain static; it should be an evolving, ever-improving entity that grows and adapts with the challenges it faces. While the guidance shouldn't be used an exhaustive checklist, it does provide a good roadmap for any organization looking to fine-tune its approach to compliance.

Compliance software, as we mentioned earlier, can be invaluable in putting a greater degree of rigor around your governance, risk and compliance programs. If you want to read more about compliance management and compliance monitoring solutions, and the efficiencies and effectiveness they can deliver, you can check out more compliance insights and resources.
Related Insights
This is where Author Role goes
Michael Nyhuis
Michael Nyhuis is the former Director of Audit & Compliance at Diligent and a modern governance expert with over 25 years of experience.