Tracking Ethics and Compliance Program Performance (Part II of II)
Chief compliance officers rely on several important sources for feedback — internal data and communications (reviews with board, senior managers, employees); and benchmarking against comparable organizations. An internal compliance dashboard is an important part of this feedback loop and brings consistency to measurement and trend analysis.
Policies and Procedures: Assuming that the organization has adopted a policy management program (often using an automated program), for each policy, a CCO should track:
(1) Subject: legal, compliance, safety and health, human resources
(2) Last review: review, revisions and updating;
(3) Future Review;
(4) New Policy(ies);
(5) Internal Dissemination: communication, posted on internal website, and posted on external website.
(6) Tracking Data: Click data on internal website by policy, user and other data available.
Third-Party Risk Management: Assuming an automated platform, which is fast becoming an operational minimum, CCOs are able to generate important data from the platform to track:
(1) Number, Type and Status: total, new, pending, renewed; agent, distributor, reseller, dealer, vendor, supplier and other direct or indirect categories;
(2) Risk Level
(3) Geographic Location and Changes: (US, international region and country);
(4) Line of Business;
(5) Contract: contract, purchase order, or other;
(6) Due Diligence & Screening: completed, in process, or none;
(7) Monitoring: sources, type, number of notices, resolution, time to resolution; and
(8) Audit and Review: number, location and type reviewed or audited, type of audit (desk, sampling, testing, onsite).
Financial Controls: Depending on the risk profile, there are a variety of internal controls that can be monitored. For example, assuming that the CCO’s company relies on a network of distributors to resell its product in another country, and assuming that specific controls exist with respect to discounts, rebates and marketing allowances, control testing could be tracked to ensure compliance with internal procedures, such as a discount and/or rebate approvals, or marketing allowance audits.
Additionally, specific compliance controls might exist with respect to charitable contributions, or gifts, meals and entertainment reimbursement. These can be tracked for control testing purposes.
With respect to third-party risk management, invoice-to-payment processes should be implemented and then tracked for compliance purposes. For example, a specific third party should be monitored for issues such as the existence of a contract or purchase order, invoice review and approval process.
Board, Senior Management and Compliance Committees: It is important to measure governance activities relating to the oversight and monitoring of the ethics and compliance program. Starting with the board and continuing with senior management compliance committee, the number of meetings, the length of time, and topics covered should be tracked.
Risk Assessment and Mitigation: A critical part of the ethics and compliance program is the risk assessment, mitigation and adjustment of the risk profile in response to changing circumstances. The CCO tracking function in this area corresponds to broad enterprise risks. In many cases, the risk enterprise function should focus on the top-10 risks for measurement and monitoring purposes.
As an example, the top-10 risks could include anti-corruption, antitrust, code of conduct violations, data privacy and protection, employment and labor relations, environmental health & safety, export compliance, financial report (SOX and tax compliance), quality and regulatory/product integrity, and third-party risks.
For each of these risks, the initial collection would focus on five specific issues:
(1) Overall Risk Status;
(2) Liability Exposure;
(3) Reputation Exposure;
(4) Regulatory Exposure; and
(5) Impact to Business Operations.
By risk category, a second set of data should include:
(1) Incidents, Disciplinary Actions
(2) Violations of Laws and Regulations and Resolution
(3) Policy Review
(4) Last Risk Assessment