Blog Post

“Building Blocks” For Effective Compliance Policies

Richard P. Kusserow | September 2022

Download PDF

For more information on this subject, register here for a free CEU credited webinar, “Building Blocks for Effective Compliance Programs (sai360.com),” that will be held on November 10, 2022, at 2 PM Eastern.

Key Points:

• Policies are a critical element of any effective Compliance Program.
• “Building Blocks” are underpinnings that support effective policies.
• Policies provide structure for defining compliance culture.
• Effective development and management reduce compliance failures.
• Obligations and expectations must be clear and understandable.
• “Building Blocks” are ways to evidence compliance policy effectiveness.

There are many “building blocks” involved in developing compliance policies, a critical element for an effective compliance program. Policies are essential to defining how individuals should perform their duties to avoid violations of laws, regulations, standards, privacy/data breaches, and other wrongdoing. Policies also evidence to outside authorities a commitment to doing the right thing.

When properly developed, disseminated, and managed, policies can give clear guidance on what to do under different circumstances and help reduce or avoid compliance risks that could give rise to liabilities. However, unlike the Code of Conduct, where all employees may be expected to read and acknowledge their understanding and agree to abide by it, this is not the case with compliance policy documents. They are resources that should be available, as needed, to clarify and detail policy standards. It is unrealistic to expect employees to read and attest to understanding and adherence to all policies.

A. Policy Development Process. Effectiveness depends on the documents being user friendly in giving clear and concise guidance. Key to this is standardizing the process of development.

The following are process “building blocks”:

1. Identify Needed Policies. Compliance Officers should identify those policies needed for the Compliance Program and program managers for their areas of responsibility.
2. Policy Ownership. All policies should have an owner responsible for the policy drafting.
3. Development Coordination. Define coordination to avoid conflict with other policies.
4. Define Process. To avoid errors, decide on and follow the same defined steps for all policies.
5. Approval. Define levels of approval.
6. User Group. Use a group impacted by the policy to review for clarity and understanding.
7. Dissemination. Establish the manner by which policies will be disseminated to employees.
8. Access. The Department of Justice (DOJ) places focus on policies being easily accessible for employees.
9. Policy Management. A system is needed to develop, create and maintain policies.
10. Version Control. Post only the current version with retired, rescinded and modified policies stored for retrieval as needed.
11. Ongoing Policy Monitoring. Designed to identify weaknesses and for remedial action.
12. Audit. Periodic review of policies to ensure they are up to date (OIG favors annually).

B. Standardize Form and Format. It is important to be consistent in style and presentation. The objective is the creation of documents to be “user friendly” by presenting them in a familiar manner following the same organization by section. Permitting different styles in presentation often leads to omission and errors.

1. Single topic. Focus on a signal issue; mixing issues invites confusion and complexity.
2. Short/Focused. It should be short, direct, and uncomplicated.
3. Clear/Understandable. The policy is ineffective if it isn’t understood; keep at high school reading level.
4. Background Statement. Explains context and need for the policy
5. Purpose. A statement as to the intent of the policy.
6. Scope. Defines what operations and individuals the policy applies to.
7. Definitions. Where necessary, the policy should define key terms to clarify the content.
8. Policy Statements. Describes goals to be met by the implementation of the policy.
9. Procedures. Describe step-by-step guidance on how policy goals must be met.
10. Related Policies. Cross reference other related policies to avoid confusion
11. References. Citations of authority (e.g., applicable laws, regulations, standards).

C. Evidencing Policy Effectiveness. After all the building blocks have been laid, the question is how outcome effectiveness can be determined. Depending on the policy in question, if it can be shown that employees have been following the guidance with little exception, then one could assume that it has been effective guidance. However, this is not easy to evidence.

The following provides some thoughts on this:

1. Employee’s knowledge testing at the conclusion of compliance training can evidence understanding of key compliance program policies that should be included in training lessons (e.g., duty to report, anonymous/confidential reporting, non-retaliation, use of the hotline, etc.), with details being in the policy documents.
2. An employee compliance knowledge survey conducted months after the training can evidence level of retention concerning policies.
3. Ability to keep track of employees accessing the policy documents is another method that indicates not only employee knowledge of the policies, but also they have referred to them (DOJ’s June 2020, Evaluation of Corporate Compliance Programs guidelines specially ask about this).

For more information on this subject, register here for a free CEU credited webinar, “Building Blocks for Effective Compliance Programs (sai360.com),” that will be held on November 10, 2022, at 2 PM Eastern.

For more information on other compliance-related concerns, contact Richard Kusserow ([email protected]).

Keep up to date with Strategic Management Services by following us on LinkedIn.

Subscribe to blog