Compliance begins at home

SARBOX and Basle II may have hit the headlines but what about compliance with internal policies?  Pelicam follower Chris Bevan argues these deserve equal attention.

Over the past two years the issue of compliance with regulations has risen to the top of the corporate agenda as organisations change their processes to meet the increasing demands of Sarbanes Oxley, Basle II, Health & Safety, FSA and other regulatory authorities.

Responsibility is now firmly held by CEOs and other board members, supported by the newly high profile role of the Compliance Officer. 

While a great deal of focus has rightly been placed on complying with external regulations, can we be confident that organisation’s own internal policies are implemented and followed with the same degree of rigour?  If not, the danger is that customers will be the first to find out, or - worse still - competitors will  exploit the fact.

Policies are driven by strategic goals and are formulated to provide the “rules” for governance and decision making. They also shape the way the world sees an organisation. For example, a policy empowering front line operators to make important financial decisions when engaged directly with a customer supports their perception that the company is customer focussed and responds to their needs.

But such a policy, however well intended, is worthless unless it is communicated, implemented and managed effectively.  

Software products can help with this process.  They can audit who has received the policy document (usually electronically) and, through questionnaire techniques, confirm the individual’s understanding and identify any training needs. So now we know that the policy has been communicated, received and understood.  But is it being followed?

There has to be trust that employees are following the policies and the company can help by providing them with the framework - processes, procedures and governance - to comply.

The Compliance Meta model below shows the steps required to ensure the framework is in place.  It also provides the internal audit step to ensure that any issues are picked up internally before external auditors arrive to check compliance.

Having determined the specific policies, the organisation should ensure that the appropriate controls are in place.

Once an organisation has determined its policies and the appropriate controls, it should review the relevant processes and procedures to ensure that they comply with the policy.  An example of this could be a financial policy on pricing which is owned by the finance department but implemented by the sales team. The only way for the finance function to check the policy is being followed correctly is to   ensure that the processes and procedures the sales team use are documented in some way. Once all this is done, the organisation has all the elements in place to expect compliance.

The remaining steps in the compliance model refer to auditing and remedial action that would be required should compliance not be found.

This model is a structured approach to ensuring that policies are complied with and can be incorporated into monitoring practices processes.  It can be used to monitor compliance with both internal policies and regulatory regimes – so business Boards can be confident that their intentions become reality without having to invent extra processes.