10 Key Elements to an Effective Compliance Program

The Complete Guide

Why you need a compliance program

If you are a startup founder or working in the C-suite of a new company, you’re a busy person. Starting and growing a business takes a lot of work and a lot of late nights. Every process, procedure, and system has to be built from the ground up. Unfortunately, in all of the chaos, many startups lose sight of something critical: compliance. 

You may think that ensuring compliance with regulations will slow you down, is too expensive, or isn’t all that important. The reality is that although it can be time-consuming and costly, you can’t afford to put compliance off. Compliance is one of the keys to growing a thriving, successful business. And it’s something that will come back to bite you if you aren’t thinking about it in the early stages of company building. 

Here are five of the most important reasons you need to have a compliance program in your organization:

1. The regulatory environment demands robust compliance programs.

Businesses today face more regulations and a more aggressive enforcement environment than ever before, and the consequences of ignoring compliance are becoming more serious. In July 2019, the FTC imposed a $5 billion penalty on Facebook, the largest the agency had ever levied against a tech company, for the Cambridge Analytica scandal and other privacy violations. The same year, the UK Information Commissioner's Office announced its intention to fine Marriott International and British Airways tens of millions of pounds under GDPR for data breaches that exposed their customers' personal information, and Equifax agreed to a settlement worth up to $700 million for its 2017 breach. 

Facts like these clearly demonstrate that regulators are becoming more active in enforcing the law. However, fines and penalties aren’t doled out automatically when a company is found to be in violation of law. When a compliance violation has been discovered by regulators, the first thing they look for is whether the business has a well-documented, current, and accurate compliance program. The U.S. federal sentencing guidelines state that when a corporation has been convicted of a crime, the two factors that “mitigate the ultimate punishment of the organization” are:

  1. The existence of an effective compliance and ethics program
  2. Self-reporting, cooperation, or acceptance of responsibility 

2. The costs of non-compliance are much higher than the costs of compliance

According to a 2018 report by the Ponemon Institute and security company GlobalScape, non-compliance costs 2.71 times more than maintaining or meeting compliance requirements. The cost of non-compliance comes from the expenses associated with business disruption, productivity losses, fines, penalties, and settlement costs, among others. 

For example, let’s consider what might happen when a sizable data breach occurs within your organization. Even if regulators do not levy a fine against your firm, you may suffer a myriad of consequences. Customers may lose faith in your organization’s ability to protect their data and cancel their service with you. Staff from IT, engineering, security, marketing, and customer success must be pulled off their existing projects to contain the incident, address customer concerns, patch up vulnerable systems, and ward off a PR crisis. And despite your best efforts to contain the incident, news of the breach may still turn into negative news headlines, which further damages your company’s reputation and makes it harder for the firm to attract customers, qualified job candidates, and investors.   

Putting a compliance program in place reduces the likelihood of incidents that lead to severe financial loss for your company. When you have an effective compliance program, your employees know what they should and should not do in order to protect your company. They take precautions in their work, avoid unnecessary risks, and speak up when they see unethical or questionable behavior. All of this helps your organization stay on the right side of the law and avoid the steep costs of non-compliance.

3. Not paying attention to compliance will limit your addressable market

As a new business, your credibility is everything. Having a sterling reputation will make it that much easier to attract marquee customers, qualified job candidates, and investors who can help take your company to the next level. When you choose to invest in compliance, it sends the positive message to all of your stakeholders that you take data security seriously, that you value your customers’ trust in you, and that you are a developed and mature company, not a fly-by-night operation. 

On the other hand, a lack of attention to compliance will limit your ability to grow. B2B customers are savvy and expect a robust compliance program, and customer-driven audits are on the rise. If you don’t pay attention to security and data privacy, or don’t adhere to the regulations in your industry, you won’t be able to do business with a significant portion of your addressable market. 

Fortune 500 companies, federal and state governments, healthcare organizations, and any other business or organization that handles sensitive information typically require their vendors and partners to demonstrate compliance with certain frameworks and standards. Depending on the kinds of businesses you’re working with, you might need to be HIPAA, SOC 2, ISO 27001, or FedRAMP compliant. The time to start building a compliance program is long before you are courting a government agency or large hospital system. You don’t want to miss out on big opportunities and set your business back. 

4. You can use compliance to create a competitive advantage

Starting a compliance program early can help your entire team operate at a higher level, resulting in a competitive advantage for your brand. Getting a compliance program off the ground serves as a force to get all your stakeholders together — from executives to operators in engineering and IT — to think more deeply about your business and product development processes. It will push your organization to establish policies, procedures and habits that help your team produce better quality work, which has positive ripple effects across the organization. 

For example, when your engineering team takes the time to document your software development lifecycle and every team member follows established security and quality assurance processes, the software they build will be more secure and stable. Customers who have a great experience with your software are more likely to become advocates and refer new customers to you, which lowers your cost of customer acquisition. When customers experience fewer product issues, your customer support cost goes down, morale among the support team goes up, and turnover falls.

5. Compliance becomes harder and more expensive later in the game 

Establishing a compliance program is about building good habits. It’s much better to build habits early in your company journey because once habits are ingrained, they become much harder to break. Redefining established processes after the fact to address compliance efforts is much harder and more expensive than defining processes with compliance in mind.

10 Key Elements to an Effective Compliance Program

It’s all too common for companies to have compliance programs that exist in name only. For example, an organization may have a compliance program in which employees know all the policies in the employee handbook, while it’s an open secret that no one follows certain policies. 

A compliance program is only effective when it impacts the way leaders and employees make decisions, large and small. The ultimate goal of doing all this work is to foster a culture of compliance within your organization. Here’s what a culture of compliance means:

  • Everyone, from the executives all the way down to the summer interns, understands the importance of compliance and behaves in an ethical manner at all times, even when no one is watching. 
  • Each individual understands their role in the company’s compliance program and fulfills their individual responsibilities. 
  • Software and IT systems that handle data are designed to be compliant with the laws and industry standards that govern data privacy, security, availability, and confidentiality. In other words, compliance is baked into your products and business processes. 

Creating a culture of compliance is like building a house. Constructing a house requires skilled professionals like architects, civil engineers, electricians, roofers, painters, and interior designers and a lot of materials, from concrete to wood to aluminum to glass to carpet. The sequence of events in building a house also matters — you wouldn’t put on the roof before you’ve laid the foundation. Similarly, to cultivate a culture of compliance, you need many building blocks and a variety of people involved and the order that you do the work in matters.

To build a culture of compliance, you need the following elements in place:

  • A governance structure for your compliance program  
  • A detailed risk assessment 
  • A code of conduct
  • An incentive plan that encourages desirable behaviors and discourages unwanted behaviors  
  • Effective collaboration between the compliance function and the company’s operations teams 
  • Trainings so employees know what to do and what not to do 
  • A mechanism for reporting misconduct 
  • An incident management/response process 
  • Ongoing monitoring and evidence collection
  • Technology that supports your people and compliance processes

Let’s take a look at each element in detail.

1. Governance

When you create a compliance program, the first set of questions you’ll want to answer are about governance. You want to have clear roles and responsibilities and regular and helpful communication between the key stakeholders with responsibilities for compliance. Determine the following: 

  • Who will be accountable for the compliance program?
  • What are the responsibilities of senior management? 
  • Who are the specific individuals responsible for compliance day-to-day? 
  • How will information about compliance be escalated?
  • What resources will be dedicated to compliance? 

To build a culture of compliance, you need a dedicated leader for your program. Because compliance issues have a material impact on a business, the compliance officer needs to have a seat at the table, a direct line to the CEO and the board, and adequate resources to do the job properly. The U.S. Department of Justice’s guidance to prosecutors on how to evaluate corporate compliance programs explicitly calls out good governance as part of an effective compliance program. The guidance says credit is given to companies that show, among other things, the following:

  • Strong, explicit and visible support for the company’s compliance program from the executive team and the Board of Directors. 
  • That the compliance program has sufficient stature and support within the company. 
  • That the compliance officer has the staff and resources to do the job properly.

In short, when a violation has been discovered, the last thing you want is for regulators to find that your company has an understaffed, underfunded compliance department.

2. Regular compliance risk assessments

Compliance programs must be customized to the needs and challenges facing each company and be comprehensive enough to deal with all of the risks the company has identified. 

As mentioned earlier, the presence of an effective compliance program could mean more leniency from regulators in the event of a corporate misconduct investigation. In fact, in April 2019, the U.S. Department of Justice Criminal Division updated its guidance document for prosecutors on how to evaluate corporate compliance programs in the context of corporate investigations. The DOJ guidance states that prosecutors should consider whether the compliance program is appropriately “designed to detect the particular types of misconduct most likely to occur in a particular corporation’s line of business” and “complex regulatory environment.” 

An effective risk assessment should begin with a detailed picture of the compliance landscape your company operates in. The two questions to answer are:

  1. Where are you doing business?
  2. What regulations cover businesses like yours? 

Example

Are you trying to work with customers in healthcare?

If so, you will need to make sure that your systems that handle patient data can sufficiently meet HIPAA security requirements. If you collect, store, transfer or process the data of residents in the EU, you will need to comply with GDPR. If you regularly deal with third parties or suppliers and subcontractors, you will need to make sure these third parties have sufficient compliance programs of their own to address information security, privacy, and fraud risks. 

The most important thing is this: your compliance efforts should be aimed squarely at the risks that are most critical to your business.  

An effective risk assessment must also include a clear picture of how your organization operates. In other words, you need to know the “who, what, where, when, and how” of the day-to-day operations happening on the ground in your company.

The Risk Assessment Process

Step 1: Understand the current state of affairs

Try to find what already exists. Learn about and document the key company processes, systems, and transactions. It may be possible to find existing business process materials prepared for contract certification purposes. You also want to take the opportunity to meet key personnel who execute the business’s processes and systems. Interview these people and understand what motivates them and stresses them.

Step 2: Map the potential risk contact points that exist in your company

Once you have a detailed picture of your company’s operations and the compliance landscape your company operates within, it’s time to identify the compliance risk contact points, or specific company operations that present the potential for violating applicable regulations. 

You can identify these contact points by evaluating each of the key processes, systems, and recurring transactions identified in Step 1 in terms of questions or issues associated with the regulatory regimes you want to be in compliance with.

Step 3: Assess the current controls in place to prevent, detect, and correct violations

Are the existing procedures and controls at your company effectively addressing the risk contact points you identified? For each risk contact point, identify the specific policy, procedure, work instruction, or any other control that applies. You should assess the sufficiency of these controls in the context of your knowledge of each contact point. 

Consider the likelihood that a violation will occur given a current control, whether such a violation would be detected, and, once detected, what the worst potential impact of the violation would be. 

The contact points that are insufficiently addressed by current controls present compliance program gaps that need to be addressed.

Step 4: Determine and prioritize the compliance enhancement measures you undertake

Your company probably won’t have the resources to tackle every compliance risk at once. You should rank your program’s gaps in terms of risk criticality and the resources required to remediate them. You’ll want to expend more resources policing high-risk areas than low-risk areas. 

Once you’ve prioritized your company’s compliance opportunities, you should identify projects to address them systematically. Identify the compliance enhancements that will generate the most benefits for your company.

Step 5: Update your risk assessment periodically 

It’s important to note that a risk assessment shouldn’t be a one-off event. The DOJ’s guidance document for prosecutors states that as prosecutors evaluate the quality of a corporate compliance program, they should assess whether the company’s risk assessment is current and has been reviewed periodically. 

Events such as the acquisition of new companies, movement into new geographical or sector markets, corporate reorganization, and engagement with new customers and regulators will raise different types of compliance risks. Similarly, changes in regulations and how enforcement authorities interpret these risks can create new compliance risks. It is important to implement a deliberate, recurring process to periodically update your risk assessment.

3. A code of conduct

Every business needs to have a code of conduct that defines how a company’s employees should act on a day-to-day basis. It reflects the organization’s daily operations, core values, and overall company culture. This document should be readily available to employees and placed on the homepage of the company’s intranet or wherever it will be easily accessible for every employee. Make sure people always know where to find the code of conduct and understand its importance.  

If you need some help writing a code of conduct for your company or want some examples of what great code of conduct documents look like, check out these 18 examples.

4. Incentive program that encourages the right behaviors and discourages the wrong behaviors  

Incentives can be a double-edged sword in terms of creating a culture of compliance. When properly used, incentives motivate workers to achieve organizational goals. However, when improperly used, incentives can encourage bad behaviors (e.g. cheating to meet a sales quota) and pose a compliance risk. When doling out rewards to employees, it is important to consider not only the results they achieved, but also how they achieved that result. Before you roll out an incentive program, be sure to review it from a compliance perspective, consider potential risks, and develop mitigation measures.

5. Communication between teams

Many groups within a company are responsible for compliance. For example, HR is responsible for sexual harassment claims, IT security handles data privacy and security, and marketing must stay compliant with laws governing user data collection, email communication, and advertising. The compliance team acts as the quarterback of the company’s compliance efforts. 

One important thing for compliance to understand is whether all areas of company risk are sufficiently covered, and if not, how to address the risks in the compliance program and determine which group is responsible. 

The compliance function also needs to ensure coordination and collaboration between the groups and make sure they address issues and share best practices. A compliance officer needs to create the right policy to ensure different compliance issues are routed to the right group and there’s no duplication of effort or groups operating at cross-purposes. 

The ultimate goal of collaboration is to get your organization to a state of continuous compliance. When you operate in a mode of continuous compliance, your stakeholders are fully aware of how your policies, processes, and operations stack up against relevant standards. Operational teams such as IT and engineering take ownership of the implementation, testing, monitoring, and enhancement of controls within the systems they manage. Operating in a mode of continuous compliance is ideal because it reduces your operational costs while lowering the chance that a security or compliance risk will affect you. 

To get operations teams like IT and engineering to take compliance seriously, it is important to communicate how this approach benefits them. When the compliance perspective is taken into consideration in the earliest phases of a product development lifecycle, engineers can build an application in a secure and compliant manner, which saves them from having to unwind their existing work and “bolt on” compliance features later in the process.   

Another responsibility for the compliance officer is to serve as a liaison to the C-suite and the board on all matters related to compliance. The compliance officer should create a reporting process for the C-suite and the Board so they are always aware of material issues as soon as possible and can work to contain the consequences and take remediation steps. Boards usually want regular reporting of what compliance issues have occurred and how they were handled.

6. Regular employee training

One hallmark of a well-designed compliance program is appropriately tailored training and communication. Everyone at the company, including executives, needs to know what is in your code of conduct. In addition to knowing the rules they’re expected to follow, employees also need to know who they can turn to for guidance if they have questions about compliance and how they can report violations and concerns. 

Outside of communications about the employee code of conduct, you should also institute risk-based training for employees who work in high-risk functions and employees who implement controls. 

Training can be made available online or in person to help all employees absorb the content, and it should be kept as simple as possible. Go for important issues, use easy-to-understand language, and give specific examples whenever you can. Employees should understand that the organization wants them to do the right thing and that compliance makes the company stronger and mitigates the risks of lawsuits or regulatory actions. 

TIPS

Here are a few tips for getting employees to complete compliance training and retain important information:

  • Make sure all members of the senior leadership team have completed the training
  • Use a “stick”; for example, revoke people’s access to critical software or files until and unless they complete the training 
  • Gamify training by incorporating game-like elements (e.g., badges, points, leaderboard, quizzes) into your training to make it more fun for employees. There’s evidence that gamification can work for improving security-related behaviors. According to Salesforce Chief Trust Officer Patrick Heim, 18 months after implementing a security awareness gamification effort, “participants in [the] program were 50% less likely to click on a phishing link and 82% more likely to report a phishing email.”

7. A simple process for reporting misconduct

To foster a culture of compliance, all employees need to understand when they need to report something and how to do so. The code of conduct should detail all the ways employees can raise issues, such as through a toll-free hotline, a monitored email alias, their manager, the general counsel, the head of HR, or however you want issues reported in your company. It is much better for your company to empower employees to raise issues early while there’s time to prevent bigger problems from materializing. 

If you want people to report questionable behavior or misconduct, you must put in place and enforce a no-retaliation policy. Employees must believe they won’t face punishment for bringing forth an issue in good faith. There should also be a general policy to ensure confidentiality for both the person bringing the complaint and any employees implicated by the complaint. 

Further, there should be a process for how the compliance team will address complaints. For example, there should be procedures in place to guide compliance violation investigations. There should be an expected timeline that’s communicated to the person who files a complaint. Interview reports and other documentation should have a consistent look and feel. There should be a mechanism to close the loop with the person raising the issue so they know the company took the complaint seriously. 

Lastly, there needs to be consistent punishment for any employee found to be in violation of the code of conduct, including executives. If there are different outcomes for different employees, people will lose faith in the compliance process.

8. An established incident management and response process

Being prepared to handle incidents of non-compliance is as important as putting in place controls to mitigate compliance risks. Poor incident management can dramatically increase the costs a brand pays for non-compliance, and it is often what puts a brand in the public headlines.

The 2017 Equifax data breach, which exposed the personal information of roughly 147 million people (initially reported as 143 million), is a prime example of poor incident management. Equifax said it learned of the breach in late July 2017, but waited about six weeks to disclose it to consumers. Second, instead of building pages on its main, trusted website to let people check whether their data was compromised, Equifax directed customers to a new domain, equifaxsecurity2017.com, which was bug-ridden and flagged by some browsers as a phishing threat. Furthermore, the patch for the web application vulnerability attackers used to get into Equifax’s systems had been available for months before the breach, and Equifax had not applied it. 

Because Equifax handled this data breach so poorly, it paid a high price. In July 2019, Equifax reached a settlement with the FTC, the Consumer Financial Protection Bureau, and 50 U.S. states and territories worth at least $575 million and up to $700 million in penalties and monetary relief to consumers over its 2017 data breach. 

Whether you are dealing with someone who has violated a standard or a system issue that represents a compliance violation, having the steps laid out and understood in advance is key. To start, each incident should have an incident manager identified in advance. This will help you avoid having “too many cooks in the kitchen” and the situation becoming confusing. The incident manager should define and oversee the deployment of a playbook on how to respond to an incident.

Generally, the playbook should include these steps: 

1. Identify any immediate, urgent safety needs.
2. Scope out the incident and determine what has occurred.
3. Contain the incident.
4. Assess the impact of what has happened and determine what must happen next.  

Small incidents can and should be handled by the compliance officer and stakeholders in affected areas at the ground level. Sizable incidents — or anything that would matter to the public at large, to investors, to regulatory agencies, or to the bottom line — need to be guided by the senior management team. The senior management team must make the call on what gets communicated and who is notified. 

Certain regulations come with obligatory communication requirements. For example, all 50 States in the U.S. have breach notification statutes that require organizations to notify individuals of security breaches of information involving personally identifiable information (PII). Some laws also require the organization to tell state authorities about the security incident. 

In general, regulatory bodies expect less from brands when small incidents occur and expect more after high-impact events. After a sizable incident, regulators may expect to receive a detailed report on what happened and what the company’s investigation and remediation plan look like. They may also want to see what processes your organization has changed in order to address the vulnerability and prevent future incidents. Your organization needs to take regulatory reporting seriously. When a regulatory agency doesn’t view your company as taking your own non-compliance seriously, they may target your company for enforcement action. 

Aside from regulatory requirements, you may want to communicate with the public. For example, you may want to control the story that gets told in the press about your company and the way it handles an incident. Senior management is in the best position to guide the compliance team on what communications should be sent out.

9. Ongoing monitoring and evidence collection 

To inculcate a culture of compliance, you need to continuously document your compliance program and collect evidence to ensure your controls are working as intended. Along with potentially protecting your company from being fined in the event of an incident such as a data breach, having evidence of your compliance processes on hand can give you an opportunity to find your compliance blind spots. If your compliance evidence doesn’t exist, you’re likely not meeting standards. 

Further, if you establish a habit of collecting evidence on a regular basis, it makes external audits smoother and less stressful, because you won’t need to scramble to find the evidence you need just days before the auditor shows up at your office. 
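The following is an added example, not Hyperproof’s code or the guide’s own, of what “collecting evidence that controls are working as intended” looks like when it is automated rather than done by hand before an audit. It runs two control tests (every active privileged account has MFA; every active account had an access review in the last 90 days) over a constructed identity-provider export and emits an evidence record per control that pins the exact input it was computed from with a SHA-256 digest. The control IDs, the user inventory, and the 90-day review window are assumptions chosen for illustration.

```python
"""Continuous control monitoring: test controls against a snapshot and
emit evidence records an auditor can re-verify later.

Added example for this guide; not Hyperproof's own code. Control IDs,
the user inventory, and the 90-day window are assumed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import date, datetime, timezone

# Constructed sample: the shape an identity-provider export might have.
USER_SNAPSHOT = [
    {"user": "alice", "active": True, "admin": True, "mfa": True, "last_access_review": "2019-08-20"},
    {"user": "bob", "active": True, "admin": True, "mfa": False, "last_access_review": "2019-09-01"},
    {"user": "carol", "active": True, "admin": False, "mfa": True, "last_access_review": "2019-02-11"},
    {"user": "dave", "active": False, "admin": True, "mfa": False, "last_access_review": "2018-12-01"},
    {"user": "svc-backup", "active": True, "admin": False, "mfa": False, "last_access_review": None},
]


@dataclass
class Finding:
    control_id: str
    subject: str
    detail: str


def check_admin_mfa(users):
    """AC-MFA-1 (hypothetical id): every active privileged account has MFA enabled."""
    return [
        Finding("AC-MFA-1", u["user"], "active admin without MFA")
        for u in users
        if u["active"] and u["admin"] and not u["mfa"]
    ]


def check_access_review(users, as_of, max_age_days=90):
    """AC-REV-1 (hypothetical id): every active account was reviewed within max_age_days."""
    findings = []
    for u in users:
        if not u["active"]:
            continue  # disabled accounts are out of scope for the review control
        reviewed = u["last_access_review"]
        if reviewed is None:
            findings.append(Finding("AC-REV-1", u["user"], "never reviewed"))
            continue
        age = (as_of - date.fromisoformat(reviewed)).days
        if age > max_age_days:
            findings.append(Finding("AC-REV-1", u["user"], f"last review {age} days ago"))
    return findings


def snapshot_digest(snapshot):
    """Canonical JSON + SHA-256, so the evidence pins the exact input it was computed from."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_evidence(control_id, snapshot, findings, as_of, collected_at=None):
    """One evidence record: what was tested, against which input, when, and the outcome."""
    collected_at = collected_at or datetime.now(timezone.utc)
    return {
        "control_id": control_id,
        "as_of": as_of.isoformat(),
        "collected_at": collected_at.isoformat(),
        "input_sha256": snapshot_digest(snapshot),
        "population": len(snapshot),
        "result": "pass" if not findings else "fail",
        "findings": [asdict(f) for f in findings],
    }


def run_all(users=USER_SNAPSHOT, as_of=date(2019, 9, 30)):
    """Run every control test and return one evidence record per control id."""
    return {
        "AC-MFA-1": build_evidence("AC-MFA-1", users, check_admin_mfa(users), as_of),
        "AC-REV-1": build_evidence("AC-REV-1", users, check_access_review(users, as_of), as_of),
    }


if __name__ == "__main__":
    print(json.dumps(run_all(), indent=2))
```

Scheduling `run_all` daily and storing each record alongside the input snapshot gives you a dated, reproducible history of control results rather than a screenshot taken the week before the audit; a failing record is also the trigger for the remediation workflow, since it names the exact accounts that violate the control.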

Going forward, we can expect to see regulations in areas such as user privacy, security, and others increase at the local, state, federal, and international levels. To reduce compliance risks, you’ll want to dedicate resources to help your organization stay up-to-date with new laws that may impact your business so that you can update your internal control environment to sufficiently mitigate risks.

10. Technology that simplifies compliance management

You can manage your compliance program through spreadsheets, emails, file storage systems like Dropbox, Google Drive, or Box, but if your compliance data is all over the place, it will be hard to get a holistic picture of your compliance program. If you can’t easily see what policies, controls, and evidence already exist and what’s missing, you won’t be able to get a true handle on your risks.  

Using the right technology makes it that much easier to stand up and manage your compliance program. When you use a compliance management system like Hyperproof, you can quickly launch a new program, centralize all of your compliance data, automatically collect evidence, and easily collaborate with various stakeholders in your ecosystem (e.g. employees, vendors, and external auditors) to get a solid handle on all of your risks. 

Here are the benefits organizations experience when they use Hyperproof:

Program setup

Hyperproof helps you see what you need to do to comply with a regulation or industry standard. Here are some of the ways Hyperproof has made setting up a program easier: 

  • We’ve created quick-start guides for many common compliance frameworks, including SOC 2, HIPAA, GDPR, ISO 27001, PCI DSS, and over 100 others. 
  • You can quickly import your existing compliance program into Hyperproof so everything is in one place. 
  • You can get support from compliance subject matter experts when you have questions.
  • Hyperproof gives you a tool to map controls across multiple frameworks that allows you to eliminate duplicate controls.

Evidence collection

Hyperproof streamlines and automates much of the evidence collection process so compliance teams can spend their time on strategic risk management instead of administrative tasks. 

  • Hyperproof provides a central and secure platform for all of your evidence. 
  • You can upload a piece of evidence once and link it to all associated controls. 
  • Hyperproof is integrated with the productivity tools you’re already using (e.g. Gmail, Slack, Outlook, etc.), so collecting evidence from control owners doesn’t require much work. 
  • Hyperproof integrates with your business applications to automatically collect and test evidence — verifying a control’s effectiveness.
  • Hyperproof is able to detect when a piece of evidence is out of date and automatically ask your colleagues to provide fresh evidence. 
  • You can access the full history of your evidence any time.

Compliance program management

To maintain an effective compliance program, you need to have the right controls, processes, and insights about your program. Hyperproof helps with all three areas:

  • Hyperproof can help you make sure no one drops the ball on important tasks. It will automatically schedule and distribute tasks to your team. 
  • Hyperproof provides a dashboard overview of your programs and potential issues to help you understand where you are and what needs to happen next. 
  • Hyperproof’s analytics and insights help identify your critical issues, action items, and high-priority tasks.

Creating a culture of compliance

Starting a compliance program will require time, money, and staff, but it isn’t something to put off until you’re a more established company. Today’s regulatory environment demands robust compliance programs from businesses, and the costs of non-compliance are much higher than the costs of meeting compliance requirements. Additionally, focusing on compliance now sends a positive message to the marketplace and helps you establish the credibility you need to take your business to the next level. 

Creating a culture of compliance takes dedicated effort, much like the construction of a well-made home that can be passed onto future generations. It takes a specific series of steps and attention to details. When you build your compliance program, it is important to take steps in the right order and not skip any. 

To summarize, here are the key steps your organization needs to take to foster a culture of compliance: 

  1. To start, you need to create a governance structure for your compliance program and assign roles and responsibilities.
  2. An effective compliance program starts with a risk assessment. You’ll want to be informed about the regulatory landscape surrounding your business and identify the risk contact points that exist within your business. 
  3. Determine which requirements and frameworks are critical to your business and put in place controls that sufficiently address these requirements. To do both, you’ll need to work closely with the various teams responsible for different aspects of compliance (e.g. IT managers, engineering managers, HR managers, etc.).
  4. Create a code of conduct to guide employees’ behavior. 
  5. Make sure your incentive plan is designed to support your compliance program. 
  6. Train employees so they understand what to do and what not to do. 
  7. Make reporting misconduct easy. 
  8. Establish an incident management and reporting process. 
  9. Collect evidence of your compliance measures and keep your policies and controls up to date.
  10. Use a compliance management system to streamline your processes and simplify compliance management. 
