Securing the Digital World

Compliance in a Time of Disruption

Jun 29, 2020 | by Marshall Toburen

The global health crisis offered little relief for compliance teams. There are isolated cases of regulatory bodies, such as the Securities and Exchange Commission (SEC), relaxing regulatory enforcement, but no laws have been rescinded. Consequently, privacy laws across 107 countries are still in place today, as are local, state and federal regulations dealing with subjects as diverse as building codes, vehicle licensing, equal employment opportunity, occupational health and safety and much more.

Organizations may find many of the policies and procedures they implemented prior to the health crisis are no longer applicable, or have fundamentally changed as a result of business process changes or the shift to remote work. Where business processes are no longer accurately documented, associated internal control procedures designed to ensure regulatory compliance and risk management may no longer be applicable. Finally, the disruption may have upended an organization's control procedure testing such that compliance with internal and external obligations cannot be determined. Because of the disruption, many organizations may simply not know if their internal control framework is designed and operating effectively. This situation was discussed in a previous blog post relating to public company financial reporting obligations under the Sarbanes-Oxley Act. Organizations without an effective internal control framework are less likely to achieve their objectives, and are more likely to experience surprises, incidents and losses.

As organizations unravel themselves from this unprecedented time, they need to refocus their compliance programs to minimize risk to the organization and its managers.

One measure of the adequacy of your compliance program can be gleaned from the U.S. Justice Department's update to the "Principles of Federal Prosecution of Business Organizations," released on June 1, 2020. These principles spell out the specific factors prosecutors should consider in conducting an investigation, including "the adequacy and effectiveness of the corporation's compliance program." These principles serve as minimum guardrails within which compliance programs should be operated to avoid Federal prosecution of compliance violations.

The principles establish three "fundamental questions" a prosecutor must consider when evaluating the adequacy and effectiveness of a corporation's compliance program:

  1. "Is the corporation's compliance program well designed?"
  2. "Is the program being applied earnestly and in good faith?"
  3. "Does the corporation's compliance program work" in practice?

Let's unpack what these questions mean for your business and how to address them.

Well-designed Compliance Programs

Organizations with well-designed and operating compliance programs pre-disruption must not assume their program is ready to thrive in the new normal. It is critical that each organization identify, document and evaluate how deviations in design and operating effectiveness resulted from the disruption. It'll also be critical to remedy deficiencies as quickly as possible based on their significance. Organizations that fail to assess the impact of the disruption on their compliance program, and fail to capture and remediate deficiencies in a timely manner, will be hard pressed to assert that their compliance program was not affected by the disruption and remains well-designed.

Adequately Resourcing and Empowering a Compliance Program

Demonstrating that a compliance program is being "applied earnestly and in good faith" means you must demonstrate that the program is adequately resourced and empowered to function effectively. The adequacy of resources is determined by documenting the balance between the risk of the organization's non-compliance given the design and effectiveness of the program, and the resources required to keep the risk of non-compliance at an acceptable level. To demonstrate adequate resourcing, you must be able to show the following:

  • You have captured all of your obligations
  • You understand the risk associated with non-compliance
  • You have business processes, policies, procedures, and training in place to reasonably ensure compliance
  • Periodic testing of the effectiveness of the program is occurring

Lastly, empowering resources to function effectively is achieved through codes of conduct, individual job descriptions, policies and procedures and training. Today, most of this is only accessible digitally. For employees to understand and act upon their day-to-day compliance responsibilities, and for the organization to prove they have been empowered, employees must have digital access to this information. Their identity must be authenticated, they must be granted access commensurate with their role and responsibility, and an audit trail of this empowerment must be preserved.

A Program that Works

Answering the question of whether a compliance program works is most important and most difficult. The health crisis has disrupted how compliance exceptions are captured, evaluated and managed. The periodic testing of control design and effectiveness may simply not be possible with a remote workforce. Consider three scenarios:

  1. The most onerous privacy obligations require organizations to have adequate technical and organizational measures in place commensurate with the amount of privacy risk. Compliance with this requirement means organizations must identify what, where, and how much data they or their third parties have subject to privacy laws, the risk of non-compliance (including fines, sanctions, litigation, reputational damage), the technical and organizational controls that should be in place to mitigate the risk, and implementation, testing, and monitoring of those controls to ensure they are operating as designed. If an organization or its third parties have undergone significant changes in their business processes and technologies during the disruption, documenting, assessing and testing may exceed available resources. One example to consider is the shift to remote work. The security risk profile of the organization likely grew as a result of this, leading to the need to bolster authentication controls, network anomaly detection and response, and hardening remote devices. Organizations also hoped that employees remembered their cybersecurity training to help protect private information remotely in the same manner as if they were working on-site.
  2. Many of the same technical and organizational controls established to maintain privacy apply to authorized individuals and third parties who have access to information and originate transactions commensurate with their role. Authentication, access management, segregation of duties, and promptly removing former employees and third parties are critical to ensure transactions are authorized, accurate and complete.
  3. Finally, some organizations may have compliance obligations which require employees to validate certain information from third-party data sources (e.g. validating individuals and organizations on the U.S. sanctions list) or to examine source documents that are not available via document imaging systems. Organizations must determine where these processes exist and how and when they will try to retroactively verify that compliance violations did not occur.

In the end, with or without a disruption, organizations must prove to internal and external stakeholders -- including regulators -- that they have a well-designed and effectively operating compliance program. There are several steps compliance teams may consider to verify compliance efficiencies, reduce resource burdens and establish real-time visibility into program effectiveness. These include:

  • Catalogue obligations to understand the scope of the compliance burden
  • Establish named accountabilities for all compliance obligations
  • Use a unified control framework to map obligations to control procedures
  • Implement key indicators to establish continuous compliance monitoring
  • Institute risk-based compliance to prioritize limited resources
  • Operationalize the capture, evaluation and management of internal and external changes that may impact the risk profile
  • Use machine learning to assist in mapping new and changing obligations with control standards and risk treatments
