Imagine that you’ve just started a job as the compliance officer for a company that has no centralized compliance program. The engineers handle some security and privacy requirements, the c-suite handles some legal issues, but there are minimal records, set processes, and policies. During your first day, your first week, and your first month, what do you do? How can you make the biggest impact?
This scenario is common and it presents distinct challenges for compliance officers. Oftentimes, they’re hired to build and maintain a compliance program while leadership doesn’t truly understand the importance of compliance or the amount of work that goes into a successful program. Regulations are constantly changing, the compliance officer might be a team of one, and getting stakeholders engaged in compliance activities can be an uphill battle.
So, as a compliance officer, where do you start? How can you make an impact with all of these potential obstacles?
In this article, we’ll discuss eight steps that brand new compliance officers can take that will start you off on the right foot, and help you build a culture of compliance within your company.
1. Establish a clear value proposition for compliance.
Before you get started, you need to know what your vision as well as leadership’s vision for the compliance program is. This is like a mission statement for your team: Why is compliance important in the context of achieving your business goals? How does compliance fit into the overall business strategy? How do regulations affect your industry? What is the scope of your team’s responsibilities? Who has oversight over your compliance program?
Once your vision for the program has been written and approved, a great first step is to get the entire leadership team aligned on the mission and vision. A successful compliance program needs senior leadership support. To make sure all employees understand that your organization views compliance as an important matter, you can ask the senior leadership team to send a message to all employees via an email, or a weekly staff meeting, or some other formal announcement. This does the double duty of the attention of employees and showing everyone that leadership supports the mission and wants to see it succeed.
Related: The Business Case for Compliance, Even Now
2. Understand the current business processes and policies
Before you start dictating new processes, build relationships with the engineering team, the IT team, and others who are responsible for compliance. It’s also important to understand the company culture, employees’ attitudes, the goals of the organization, and the general position toward compliance. Compliance shouldn’t be a siloed effort, but instead something everyone in the business is bought into.
Next, you need to know what is already in place. This is important for a couple of reasons: first, you can avoid duplicating efforts and take advantage of the work that’s already been done, and second, you can start to build relationships with the people involved in this process. Instead of coming in and immediately telling people what to do and how to change, you’ll be showing that you value their input and abilities.
Take inventory of the policies, procedures, and controls you already have in the following areas:
- Policies: The rationale and frameworks behind your procedures.
- Procedures: The policies executed through thoughtfully developed processes.
- Technical controls: The security controls that computer systems execute, such as user authentication (login) and logical access controls, antivirus software, and firewalls.
- Physical controls: Tangible items such as locks, badge readers, and locked shredding bins that maintain the security of the physical environment.
- Procedural controls: The management oversight and approval and incident response.
Record all of this information and keep it organized and centralized. Compliance management software can help you organize, record, and update your compliance process in one place.
3. Conduct a compliance risk assessment
Your compliance program should be tailored to the risks your firm is facing and be comprehensive enough to deal with all of the risk you and your stakeholders have identified.
An effective risk assessment should begin with a detailed picture of the compliance landscape your company operates in. The two questions to answer are: where are you doing business and what regulations cover businesses like yours?
For example, are you trying to work with customers in healthcare? If so, you will need to make sure that your systems which handle patient data can sufficiently meet HIPAA security requirements. If you collect, store, transfer or process the data of residents in the EU, you will need to comply with GDPR. If you regularly deal with third parties or suppliers and subcontractors, you will need to make sure these third parties have sufficient compliance programs of their own to address information security, privacy and fraud risks.
The point is this: Your compliance efforts should be aimed squarely at the risks that are most critical to your business.
Additional resource: Conducting an Information Security Risk Assessment: a Primer
4. Identify what new policies and procedures are needed.
Photo by You X Ventures on Unsplash
Once you’ve conducted a risk assessment and you have a detailed picture of your company’s operations, it’s time to identify the compliance risk “contact points”, or specific company operations that present the potential for violating applicable regulations.
Take a look at the current controls, policies, and procedures in place at your company and see if they are effective at preventing, detecting, and/or correcting the risk “contact points” you identified. For each risk contact point, identify the specific policy, procedure, work instruction, or any other control that applies. You should assess the sufficiency of those controls in the context of your knowledge of each contact point.
Consider the likelihood that a violation will occur given a current control, whether such a violation would be detected, and once detected, what would be the potential worst impact of the violation if it occurs. The “contact points” that are insufficiently addressed by current controls present compliance gaps that need to be addressed.
Chances are, your company won’t have the resources to tackle all compliance risks at once. You want to rank your program’s gaps in terms of risk criticality and the resources required to remediate them. You want to expend more resources policing high-risk areas instead of low-risk areas.
Once you’ve prioritized your company’s compliance opportunities, you can implement new policies, procedures, and controls to address them.
When writing new policies and procedures, write them with the expectation of scaling. It’s important to explain the logic behind the current approach as opposed to writing a process that hinges on one specific person doing one specific thing; that way, as people leave and the company and its compliance program grow, it’s easier to adjust the process and make it work. Also, try to avoid slipping into aspirational policies, which can be overly burdensome and unrealistic for the size of your company.
Finally, develop a timeline for reevaluating the process so that you don’t wait until there’s a problem to come back and look at all of the policies and procedures you’re writing now.
Additional resource: How to Build a Strong Information Security Policy
5. Identify key controls and automate evidence management tasks when possible.
Automation reduces user error. Tasks such as collecting updated evidence and distributing tasks around control operations can easily be automated with the right compliance software. And automating them makes it less likely that they’ll be missed or executed incorrectly. Automating the collection of evidence whenever possible also lightens the burden on the people involved in the process and makes the process more consistent and easier to follow.
Additional resource: Three Tips to Radically Reduce Your Evidence Management Burden
6. Identify tools to make your compliance process more visible and efficient.
While automating key controls in your compliance process helps them run in the background, it’s still important to make sure that every part of the process is visible and running efficiently so that you can address problems and adjust the process when necessary.
This is another area where compliance operations software will make your job much easier. A platform like Hyperproof stores data on your programs, controls, and proofs, captures your priorities, and tracks the status of requests and audits, increasing the visibility of the process and ensuring you can track each part of it without onerous manual tasks. The right tools will support the right habits and make reporting and compliance easier.
Additional resource: Learn the Compliance Operations Methodology and how Hyperproof Supports an Effective Compliance Program.
7. Make compliance training a priority.
Photo by Amy Hirschi on Unsplash
One of the best things you can do in terms of maintaining your compliance program is regular employee training. Employee training is a huge step towards a culture of compliance because it helps each person in your company understand what is expected of them and their unique part in the compliance process.
You can make training more practical by giving employees scenarios and specific processes for how they should react to situations they may encounter every day. Ask for feedback and you might even encounter employees who can alert you to compliance issues you weren’t aware of.
This training should also communicate to the employees what consequences they will face when they don’t follow the compliance program and take shortcuts. Explain the disciplinary guidelines to employees and then make sure that you enforce them consistently.
Finally, document each employee’s completion of the training program and ensure that everyone understands the agreements and they’ve made.
Trained employees are more likely to succeed because instead of having one person or team watching out for compliance issues, you have an entire company that is watching for problems and knows how to address them.
8. Measure how your compliance program impacts your business.
When your compliance program is up and running, you need some way of measuring and evaluating the effectiveness of your program that takes into consideration a few key questions:
- How are we protecting ourselves?
- How can we drive down the relative cost of compliance over time?
- Is the program running as needed?.
- Are people participating in the program?
This can be tricky, because what constitutes a successful compliance program isn’t universal, and it depends a lot on the size of your company, what industry you’re a part of, and other factors.
However, there are a few core traits of your program that you can measure to evaluate the success of your program.
Sound design and execution: This essentially evaluates whether your program was designed well and if it is functioning as it should be. When all of the parts of your program are optimally designed and running smoothly, you should see recurring issues go down over time. You also need to understand the key risk indicators for your business and your industry and evaluate them each year to see how your company is faring. Conduct surveys of targeted employees to see how well they understand and are following the compliance program.
Timely response to issues. Even a company with a strong, well-established compliance program can and will encounter issues, and how the company responds to them says a lot about their compliance program.
For example, how many self-identified compliance gaps is your organization addressing each year? Is it increasing or decreasing? How long does it take you to close an issue out? How many repeat issues do you address each year? Tracking these types of metrics is critical for measuring the strength of your program, and is another area where a compliance management software can help.
Readiness for regulatory change. Changes in regulations will happen, and implementing these changes is essential. This includes changes to both infrastructure and procedures.
To be able to respond quickly to these changes, your process needs to be sustainably built and as automated as possible. If you build your process with growth in mind, as we discussed earlier, you’ll be able to automate more of your process and have it respond quickly to regulatory changes.
Use compliance operations software to build a sustainable program.
Being a brand new compliance officer can present a lot of unique challenges, and technology can help you take advantage of every opportunity to build a successful compliance program.
Hyperproof’s compliance operations software allows you to build a compliance program that grows with your business and respond quickly to regulatory change. With Hyperproof, you can centralize all of your compliance data, automate controls, and set alerts that will help you keep up with the regulations and allow you to build and maintain a sustainable, scalable program. If you’d like to learn more, we’d love to talk.
Monthly Newsletter
Get the Latest on Compliance Operations.
