<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Best Practice Network Guidelines &#124; The Best Practice Network &#187; Governance &#8211; Compliance</title>
	<atom:link href="http://www.best-practice.com/governance/governance-compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.best-practice.com</link>
	<description>Definition of a best practice. &#039;Best Practices&#039; are rules, standards, regulation relating to compliance, audit, risk management.</description>
	<lastBuildDate>Sat, 14 Sep 2013 10:48:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Your Compliance Management Can Make All the Difference</title>
		<link>http://www.best-practice.com/governance/governance-compliance/your-compliance-management-can-make-all-the-difference/your-compliance-management-can-make-all-the-difference-14092013/</link>
		<comments>http://www.best-practice.com/governance/governance-compliance/your-compliance-management-can-make-all-the-difference/your-compliance-management-can-make-all-the-difference-14092013/#comments</comments>
		<pubDate>Sat, 14 Sep 2013 10:48:44 +0000</pubDate>
		<dc:creator>Matthew S.</dc:creator>
				<category><![CDATA[Your Compliance Management Can Make All the Difference]]></category>

		<guid isPermaLink="false">http://www.best-practice.com/?p=3166</guid>
		<description><![CDATA[Compliance management includes the organization’s processes and policies that have to adhere to applicable rules and regulations. Thus, an effective compliance management can immediately inform the enterprise risk management process of any significant compliance risks. For instance, corruption risk is one of the major issues for multinational corporations.
So in order to be effective, compliance management [...]]]></description>
			<content:encoded><![CDATA[<p>Compliance management includes the organization’s processes and policies that have to adhere to applicable rules and regulations. Thus, an effective compliance management can immediately inform the enterprise risk management process of any significant compliance risks. For instance, corruption risk is one of the major issues for multinational corporations.</p>
<p><img class="alignleft" title="Your Compliance Management Can Make All the Difference" src="http://info.ibs-us.com/Portals/14010/images/compliance%20management%20software.jpg" alt="" width="177" height="177" />So in order to be effective, compliance management needs monitoring, measures and metrics that will offer assurance to the board of directors and the executive management who had established these procedures and policies in hope of fostering compliance management process. Without the effective management of compliance risks, the organization is simply reactive, at best, and can be noncompliant, at worst.</p>
<p>For a majority of companies, complex accountabilities based on compliance have developed in an ad hoc manner over a period of time. As new procedures and policies are developed, they are added into the existing management structure, thus forming quite a few elements of compliance management that have become common in many companies. These include reduced organizational transparency, high audit costs, inefficient communication, redundant queries of risk and process owners, lack of automation, outmoded infrastructure and unstable control environments.</p>
<p>Acknowledging these elements as a status quo does come with a cost, since it can contribute to an inefficient and ineffective control structure.</p>
<p>However, the true cost of compliance comprises three different elements:</p>
<p>1. The cost of efforts when referring to internal compliance that consist of particularly identifying functions that are embedded into the processes.</p>
<p>2.  The cost of inadvertence throughout all levels of the organization.</p>
<p>3. And the cost of noncompliance, which includes loss of brand equity, loss of revenue, penalties, fines and many others.</p>
<p>If the management would undertake a quality perspective on managing compliance with the same zeal it does with improving other core operating processes, cost could substantially be reduced in key areas, since confidence is gained knowing that compliance risks are effectively being managed.</p>
<p>There are, however, certain key elements of an effective and efficient compliance program that the board and executive management might want to consider, such as:</p>
<h3>Board Oversight</h3>
<p>A positive understanding of overseeing particular compliance programs and significant compliance risks by the board or by one of its members can help build an effective tone at the top of the hierarchy.</p>
<h3>Executive Management Oversight</h3>
<p>Management and coordination of the compliance program by an elected senior executive is crucial for an organization that consists of diverse and complex operations.</p>
<h3>Reporting Mechanisms, Policies, Procedures and Standards</h3>
<p>These particular elements need to be kept up-to-date and should be documented and communicated to employees throughout the organization.</p>
<h3>Due Diligence and Risk Assessment Activities</h3>
<p>The process of risk identification should integrate precise considerations of compliance risks. Appropriate subject oriented experts should be responsible for monitoring changes in the environment as well as identifying amendments required in certain compliance risk area(s), for which they are accountable.</p>
<p>In conclusion, companies need to make sure that their established procedures and policies offer a reasonable assurance that the organization is following the processes according to the laws and regulations and internal policies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.best-practice.com/governance/governance-compliance/your-compliance-management-can-make-all-the-difference/your-compliance-management-can-make-all-the-difference-14092013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Compliance Risk: What Would it be Like in the Future?</title>
		<link>http://www.best-practice.com/governance/governance-compliance/compliance-risk-what-would-it-be-like-in-the-future/compliance-risk-what-would-it-be-like-in-the-future-14092013/</link>
		<comments>http://www.best-practice.com/governance/governance-compliance/compliance-risk-what-would-it-be-like-in-the-future/compliance-risk-what-would-it-be-like-in-the-future-14092013/#comments</comments>
		<pubDate>Sat, 14 Sep 2013 10:44:45 +0000</pubDate>
		<dc:creator>Matthew S.</dc:creator>
				<category><![CDATA[Compliance Risk: What Would it be Like in the Future?]]></category>

		<guid isPermaLink="false">http://www.best-practice.com/?p=3163</guid>
		<description><![CDATA[Nowadays many industries are incorporating regulatory and legal compliance into risk assessments. This concept is relatively new, but despite this, it is becoming prevalent in a large number of organizations because of the numerous advantages it offers. If this pace continues, here are some ways in which compliance risk assessment will probably change in the [...]]]></description>
			<content:encoded><![CDATA[<p style="margin-bottom: 0in;" align="JUSTIFY"><span style="font-family: Calibri, serif;"><span style="font-size: x-small;">Nowadays many industries are incorporating regulatory and legal compliance into risk assessments. This concept is relatively new, but despite this, it is becoming prevalent in a large number of organizations because of the numerous advantages it offers. If this pace continues, here are some ways in which compliance risk assessment will probably change in the upcoming years.</span></span></p>
<ul>
<li>
<p style="margin-bottom: 0in;" align="JUSTIFY"><span style="font-family: Calibri, serif;"><span style="font-size: x-small;"><img class="alignleft" title="Compliance Risk: What Would it be Like in the Future?" src="http://www.e-bcorp.com/ebc/images/GRC-0_4.jpg" alt="" width="158" height="165" />The scope of this methodology will increase even more and will start supporting more regulatory requirements under the scrutiny of the government. These requirements are bound to grow in immense numbers, especially in businesses that belong to the financial and health-care industries. Any company that has limited resources will probably find it difficult to track legal and regulatory changes in requirements and then assess the impact of these modifications on the organization itself. Such a business would also have trouble updating their own registers. No matter what issues have to be faced, all these tasks will have to be accomplished, even though they do not directly result in increase in profits.</span></span></p>
</li>
<li>
<p style="margin-bottom: 0in;" align="JUSTIFY"><span style="font-family: Calibri, serif;"><span style="font-size: x-small;">All those companies that follow the checklist approach towards compliance risks will have to change their methodologies because this method will become ineffective. This is because, with the passage of time, the standards which are used for measuring compliance will shift from a one-model-fits-all structure to tailored models that are largely based on risks. What this implies is that assessments which are based on checklists will not be useful enough and can even harm businesses because they do not analyze risks effectively.</span></span></p>
</li>
<li>
<p style="margin-bottom: 0in;" align="JUSTIFY"><span style="font-family: Calibri, serif;"><span style="font-size: x-small;">Risk management will keep on developing as a specialization, and companies will eagerly hire individuals who achieve this. Compliance risks will continue to occupy even greater portions in a company&#8217;s complete risk portfolio. As such, the need for individuals who have gained expertise in this will rise. True, right now risk management is not exactly recognized as a proper professional specialization, but as time changes, so will this in the long run.</span></span></p>
</li>
<li>
<p style="margin-bottom: 0in;" align="JUSTIFY"><span style="font-family: Calibri, serif;"><span style="font-size: x-small;">Compliance risk assessment activities will gradually become a continuous and dynamic process. As of now, companies perform these assessments on a yearly basis. After this, the compliance register is often put away on the shelf, only to be taken out in the subsequent year. However, lawmaking is now becoming more prominent and is accelerating at a rapid pace. As such, companies will need to reassess their compliance risks on a regular basis.</span></span></p>
</li>
<li>
<p style="margin-bottom: 0in;" align="JUSTIFY"><span style="font-family: Calibri, serif;"><span style="font-size: x-small;">Risk assessment will also start addressing third party risks so that they can be managed in a better way. Often, risk managers do not consider the regulatory and legal risks that are associated with vendors, suppliers, outsourced companies and the like. This approach often results in an error. Though all these outside agencies are an integral part of every business, you cannot be sure if they will comply with the legal policies or not. As such, until everyone follows the same methodologies, proper management cannot be achieved.</span></span></p>
</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.best-practice.com/governance/governance-compliance/compliance-risk-what-would-it-be-like-in-the-future/compliance-risk-what-would-it-be-like-in-the-future-14092013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is the Chinese Wall?</title>
		<link>http://www.best-practice.com/governance/governance-compliance/what-is-the-chinese-wall/what-is-the-chinese-wall-14092013/</link>
		<comments>http://www.best-practice.com/governance/governance-compliance/what-is-the-chinese-wall/what-is-the-chinese-wall-14092013/#comments</comments>
		<pubDate>Sat, 14 Sep 2013 10:41:51 +0000</pubDate>
		<dc:creator>Matthew S.</dc:creator>
				<category><![CDATA[What is the Chinese Wall?]]></category>

		<guid isPermaLink="false">http://www.best-practice.com/?p=3160</guid>
		<description><![CDATA[The Chinese Wall is basically a barrier that separates two or more groups, generally as a way of restricting information flow and to protect confidential information. Usually, the wall is entirely conceptual. However, groups can be divided by physical barriers (building areas) as well as policies.
The concept of the Chinese Wall is incorporated in various [...]]]></description>
			<content:encoded><![CDATA[<p style="margin-bottom: 0in;" align="JUSTIFY">The Chinese Wall is basically a barrier that separates two or more groups, generally as a way of restricting information flow and to protect confidential information. Usually, the wall is entirely conceptual. However, groups can be divided by physical barriers (building areas) as well as policies.</p>
<p style="margin-bottom: 0in;" align="JUSTIFY">The concept of the Chinese Wall is incorporated in various environment situations, which includes journalism, law, network security, project management, software development, business, and the financial industry.</p>
<p style="margin-bottom: 0in;" align="JUSTIFY">The term ‘Chinese Wall’ originated after the disastrous stock market crash in 1929, when the widely unregulated United States market suffered a 40% plunge between the months of September and October. According to a theory, the crash was a result of inflated stock values, which were created by insider trading and price manipulation. It was after the crash that Congress passed a law mandating separation of both investment and commercial banks, in an attempt to prevent a conflict of interest. Instead of enforcing corporate and physical separation, the law only stated that the policies need to be in place in order to create a logical partition between these divisions.</p>
<p style="margin-bottom: 0in;" align="JUSTIFY">In theory, a Chinese Wall serves to restrict information flow to those individuals or groups who need it to perform their jobs. In practice, however, the Chinese Wall is highly dependable because it relies completely on the honor system. The information is restricted by the meticulousness and discretion of the parties involved. Regulations that identify the need for legal requirements for information security are incidentally more inclined towards improving compliance.</p>
<p style="margin-bottom: 0in;" align="JUSTIFY">An example of the Chinese Wall is in software development, where the Chinese Wall, also referred to as the “clean room technique”, is a reverse engineering approach in which programmers work on code in two separate groups. The first group will convert the program’s “machine code” into “source code” and then “document” the process, but will write no new code. The second group, however, will not refer to the original code, but will develop a new program based on the first group’s ‘documentation’.</p>
<p style="margin-bottom: 0in;" align="JUSTIFY">The basic purpose of the exercise is to make sure that the new program’s code cannot be derived from the original program’s code.</p>
<p style="margin-bottom: 0in;" align="JUSTIFY">The Chinese Wall is typically an indication of the ‘Great Wall of China’, which had been built 2,000 years ago in order to protect its populace from invaders. However, there are other theories that exist such as in a Wikipedia entry, for instance, the author debates over the term being derived from a diplomatic machination during the Late Imperial Era in China, “&#8230;if a junior mandarin saw a senior mandarin on the road he was expected to bow and present his compliments. In Beijing this tended to happen quite a lot and so traffic was frequently blocked. Instead mandarins came up with a method of pretending they did not see each other on the road by the clever placing of a retainer with an umbrella. Because they did not &#8220;see&#8221; each other, they were not obliged to stop.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.best-practice.com/governance/governance-compliance/what-is-the-chinese-wall/what-is-the-chinese-wall-14092013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Remember Export Compliance Goes Along With NDAs</title>
		<link>http://www.best-practice.com/governance/governance-compliance/remember-export-compliance-goes-along-with-ndas/remember-export-compliance-goes-along-with-ndas-14092013/</link>
		<comments>http://www.best-practice.com/governance/governance-compliance/remember-export-compliance-goes-along-with-ndas/remember-export-compliance-goes-along-with-ndas-14092013/#comments</comments>
		<pubDate>Sat, 14 Sep 2013 08:15:03 +0000</pubDate>
		<dc:creator>Matthew S.</dc:creator>
				<category><![CDATA[Remember Export Compliance Goes Along With NDAs]]></category>

		<guid isPermaLink="false">http://www.best-practice.com/?p=3130</guid>
		<description><![CDATA[The key to your company’s success, especially when concerning the exchange of technology with your strategic partner is perhaps one of the most critical developments of innovative products which are considered to be the lifeblood of technology companies. However, you need to be careful and highly vigilant that you don&#8217;t lose sight of your export [...]]]></description>
			<content:encoded><![CDATA[<p>The key to your company’s success, especially when concerning the exchange of technology with your strategic partner is perhaps one of the most critical developments of innovative products which are considered to be the lifeblood of technology companies. However, you need to be careful and highly vigilant that you don&#8217;t lose sight of your export compliance obligations and regulations with your new product development activities.</p>
<p><img class="alignleft" title="Remember Export Compliance Goes Along With NDAs" src="http://www.enterprisecioforum.com/en/sites/default/files/imagecache/detail_featured/featured_img/export.jpg" alt="" width="219" height="165" />In fact, even unintentional mistakes can lead to adverse public relations, penalties, fines, and distraction of the management. Remember, export compliance isn&#8217;t just an issue about your product, but it has to do with issues with your technology as well.</p>
<p>Companies that have technology based products who engage in new product developments should know that it&#8217;s more important and attractive to pursue such activities by discussing it with your strategic partners.</p>
<p>The key focus of this practice stems from the execution of the non disclosure agreement (NDA) which is intended to protect the party’s confidential information. However, all too often, companies hardly consider the impact that export control regulations will have on their arrangements and documents that are covered.</p>
<p>It&#8217;s a clear sound practice to maintain a form of process, in order to ensure that all legal documents receive an appropriate review.  This process simply safeguards the documents that are being reviewed for export compliance. Regrettably, companies quite often fail to reach out to their NDA process which is concerned with the normal level of export compliance diligence when their products are being exported. So, don&#8217;t make that mistake!</p>
<p>There are a few important procedures that you need to take into account when reviewing an NDA for export compliance:</p>
<ul>
<li>Determine whether you need a license to export the technology.</li>
<li>Screen the parties involved.</li>
<li>The end places and uses that are included in the NDA.</li>
<li>Ensure appropriate export control provision.</li>
</ul>
<p>The NDA needs to include a provision that focuses on export compliance obligations by specifying that no party will export their technology under the NDA, nor will they take any other action that is in violation of the export controls rules and regulations. These provisions simply put the parties involved on notice, who need to be aware of the export control issues as well as ensure compliance.</p>
<p>Many different kinds of products and the technology involved in designing the products cannot be exported without a license from the U.S. Department of Commerce&#8217;s Bureau of Industry and Security or from the U.S. Department of State&#8217;s Directorate of Defense Trade Controls. Depending on how the product is categorized, the technology that needs to be disclosed under the NDA may require a license before being exported in any form, whether by fax, email, in a meeting or even to a foreign person located within the U.S.</p>
<p>Just as some entities or individuals may be unable to acquire your technology, some uses can also be prohibited or require a license, including missile technology, nuclear, biological or even chemical proliferation activities.</p>
<p>The NDA review needs to include confirmation that the arrangements being made do not involve individuals or entities from countries with which the U.S. has maintained sanctions, generally enforced and administered by OFAC, such as North Korea, Iran and Cuba.</p>
<p>The sharing of information with various business partners will always be an important medium by which U.S. companies can develop amazing new technologies and will allow them to successfully compete on a global scale. If you incorporate the use of export compliance practices in your organization when concerning such exciting opportunities, you will be taking serious steps to ensuring that the export control laws are followed, thus protecting your own technology.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.best-practice.com/governance/governance-compliance/remember-export-compliance-goes-along-with-ndas/remember-export-compliance-goes-along-with-ndas-14092013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Knowing What to Do When Your Compliance Program Fails</title>
		<link>http://www.best-practice.com/governance/governance-compliance/knowing-what-to-do-when-your-compliance-program-fails/knowing-what-to-do-when-your-compliance-program-fails-14092013/</link>
		<comments>http://www.best-practice.com/governance/governance-compliance/knowing-what-to-do-when-your-compliance-program-fails/knowing-what-to-do-when-your-compliance-program-fails-14092013/#comments</comments>
		<pubDate>Sat, 14 Sep 2013 07:17:38 +0000</pubDate>
		<dc:creator>Matthew S.</dc:creator>
				<category><![CDATA[Knowing What to Do When Your Compliance Program Fails]]></category>

		<guid isPermaLink="false">http://www.best-practice.com/?p=3108</guid>
		<description><![CDATA[You may think that your company has a strong compliance program to prevent any form of financial fraud, financial statement fraud, violations of the Foreign Corrupt Practices Act and asset misappropriation. There are checks and balances that need to be in order and for that you’ll have the executives, the board of directors, internal auditors [...]]]></description>
			<content:encoded><![CDATA[<p>You may think that your company has a strong compliance program to prevent any form of financial fraud, financial statement fraud, violations of the Foreign Corrupt Practices Act and asset misappropriation. There are checks and balances that need to be in order and for that you’ll have the executives, the board of directors, internal auditors and lawyers keeping an eye on operations.</p>
<p><img class="alignleft" title="Knowing What to Do When Your Compliance Program Fails" src="https://blogs.sans.org/securingthehuman/files/2012/02/STH-InformationProtection3-225x300.jpg" alt="" width="180" height="240" />Yet, the unimaginable happens. There are reports of a major fraud transaction internally and the entire scheme may have involved various members of the upper and middle management. The information was disclosed by an employee’s whisper, which is basically an internal hotline and it has enough substance to actually be believed.</p>
<p>So, what should the beneficiary of the tip do? Well, first they need to realize that their compliance program has failed. Apart from a company’s rigorous efforts, a risk in the program may exist.  So, there’s no time for mourning over what may have gone wrong, what matters now is what the company needs to do next.  Here’s what the company should do:</p>
<h3>Assess the Allegation</h3>
<p>The first step the company needs to take is to report the suspicious activity in order to determine whether it’s credible or not. Does the allegation have sufficient evidence to be believable? Does the activity shed light on the company’s activities and employees? The more specific the allegation, the more plausible the whistleblower’s report will be.</p>
<h3>Start the Investigation Immediately</h3>
<p>Companies that immediately begin their investigation of such activities are really favored by the Securities and Exchange Commission, since they appear as being more credible and prepared. After the whistle has been blown the upper management needs to examine the allegations before the SEC becomes officially involved, because if the SEC finds issues in the compliance program, it will be then regarded as an attempt to mislead the regulatory body.</p>
<h3>All Tips Are Serious</h3>
<p>Such cases demonstrated that the whistleblower’s allegations need to be taken seriously, even if the management has considerable knowledge that the accusations are false.</p>
<h3>Protecting the Data</h3>
<p>If you decide to use outside investigators, make sure you use the outside counsel as well to direct work and obtain results. If the outside counsel directs the investigators, the reports of the investigation can be protected according to attorney-client privilege. The company needs to have this extra layer of defense, but until there’s clear evidence about the accusations it’s always better to stay internal to protect the work product.</p>
<p>This protection is crucial, especially if the company is being targeted by government investigators. Even if the management believes that there’s “nothing to hide”, it is always a good idea to protect the results of the investigation, if the government gets involved.</p>
<h3>Make Rectifications to the Process</h3>
<p>Even if the accusations turn out to be false, it’s always better to focus on the process where it’s been negligent. By showing that the company is focusing on amending the situation, the regulatory body may look more favorably on it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.best-practice.com/governance/governance-compliance/knowing-what-to-do-when-your-compliance-program-fails/knowing-what-to-do-when-your-compliance-program-fails-14092013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Financial Institutions Lead the Rest When it comes to Compliance and Risk Management</title>
		<link>http://www.best-practice.com/governance/governance-compliance/financial-institutions-lead-the-rest-when-it-comes-to-compliance-and-risk-management/financial-institutions-lead-the-rest-when-it-comes-to-compliance-and-risk-management-14092013/</link>
		<comments>http://www.best-practice.com/governance/governance-compliance/financial-institutions-lead-the-rest-when-it-comes-to-compliance-and-risk-management/financial-institutions-lead-the-rest-when-it-comes-to-compliance-and-risk-management-14092013/#comments</comments>
		<pubDate>Sat, 14 Sep 2013 06:32:07 +0000</pubDate>
		<dc:creator>Matthew S.</dc:creator>
				<category><![CDATA[Financial Institutions Lead the Rest When it comes to Compliance and Risk Management]]></category>

		<guid isPermaLink="false">http://www.best-practice.com/?p=3084</guid>
		<description><![CDATA[Compliance and risk management are fields in which every business dabbles in occasionally. However, compared to the rest of the companies, financial institutions and banks are far ahead in this aspect as stated by a survey conducted by a renowned group of companies. Look at the scenario from any perspective and it is fairly obvious [...]]]></description>
			<content:encoded><![CDATA[<p>Compliance and risk management are fields in which every business dabbles occasionally. However, compared to the rest of the companies, financial institutions and banks are far ahead in this aspect, as stated by a survey conducted by a renowned group of companies. Look at the scenario from any perspective and it is fairly obvious that financial institutions have put up a far better performance. Considering the big picture, it becomes evident that bankers have to analyze several things as they strive to comply with thousands of governmental policies, industrial standards and proven and tested business practices.</p>
<p><strong>Characteristics of the Leading Companies in Risk Management and Compliance</strong><br />
After carrying out extensive analyses, the conducted survey states that firms who showcase performance graphs above the par level share several interesting characteristics. As such, these features are exactly what help them to gain a competitive edge and thrive in the market. Here are the main ones:</p>
<ul>
<li>Almost seventy percent of these leading companies have implemented consistent and reliable compliance policies.</li>
<li>There is a designated team of employees whose sole responsibility is to handle governance and risk management issues. Once again, this is true for seventy percent of the companies.</li>
<li>There is a clear visibility regarding key information which is mandatory for managing and controlling compliance and other security related procedures.</li>
<li>The management is always given complete information about all the risks associated with information technology. A massive seventy eight percent of companies heed this statement.</li>
<li>Internal policies and other external governmental laws have been implemented according to the industry standards. Moreover, there are designated teams which monitor these and ensure that all the requirements are always followed. This is followed by sixty seven percent of financial institutions.</li>
<li>Almost sixty seven percent of these companies have already identified the information and data which is utilized during audits and reports.</li>
</ul>
<h3>From Here Onwards</h3>
<p>Now that banks have grasped and held onto compliance, they can start focusing on other things as well that will lead to even more improvements. For instance, a more sustainable and continuous compliance model can be established through automating and streamlining processes. This would lead to consistency and unification across the organization in terms of risk management and compliance.</p>
<h3>The Bottom Line</h3>
<p>In a nutshell, the main points of the survey are that financial institutions definitely acquire the topmost slot when it comes to securing and protecting their businesses. The strategies implemented for this purpose allow these companies to transfer their capabilities to other aspects as well, and thus, they excel in risk management, compliance and governance.</p>
<p>A previously conducted research performed by the same company shares similar results with the survey under discussion. In almost all of the investments, the main drive is compliance, which is considered thoroughly or in all possible aspects. This includes compliance to all governmental regulations, industrial standards, best practices, market regulations and other internal policies.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.best-practice.com/governance/governance-compliance/financial-institutions-lead-the-rest-when-it-comes-to-compliance-and-risk-management/financial-institutions-lead-the-rest-when-it-comes-to-compliance-and-risk-management-14092013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Financial Compliance – Understanding The Nature of Compliance</title>
		<link>http://www.best-practice.com/governance/governance-compliance/financial-compliance-%e2%80%93-understanding-the-nature-of-compliance/financial-compliance-%e2%80%93-understanding-the-nature-of-compliance-14092013/</link>
		<comments>http://www.best-practice.com/governance/governance-compliance/financial-compliance-%e2%80%93-understanding-the-nature-of-compliance/financial-compliance-%e2%80%93-understanding-the-nature-of-compliance-14092013/#comments</comments>
		<pubDate>Sat, 14 Sep 2013 06:26:47 +0000</pubDate>
		<dc:creator>Matthew S.</dc:creator>
				<category><![CDATA[Financial Compliance – Understanding The Nature of Compliance]]></category>

		<guid isPermaLink="false">http://www.best-practice.com/?p=3080</guid>
		<description><![CDATA[To maintain and ensure the quality of the list, the New York Stock Exchange requires listed companies to abide by the original listing criteria as well as maintain the listing standards, which are considered to be the highest of any stock market around the world.
Meeting these requirements ensures that the company has obtained leadership in [...]]]></description>
			<content:encoded><![CDATA[<p>To maintain and ensure the quality of the list, the New York Stock Exchange requires listed companies to abide by the original listing criteria as well as maintain the listing standards, which are considered to be the highest of any stock market around the world.</p>
<p>Meeting these requirements ensures that the company has attained leadership in its own industry based on acceptance, investor interest and business.</p>
<p><img class="alignleft" title="Financial Compliance – Understanding The Nature of Compliance" src="http://palter.ca/web/wp-content/uploads/2010/10/compliance_definition.jpg" alt="" width="216" height="142" />Listed company compliance comprises two components: Corporate Compliance and Financial Compliance.</p>
<h3>Corporate Compliance</h3>
<p>This ensures that listed companies adhere to the highest standards of transparency and accountability, which includes enhanced governance requirements for the configuration of audit committees and corporate boards, financial competency, and director independence.</p>
<p>The Stock Exchange has taken an active role in creating standards for corporate governance practices for more than a century now and has periodically supplemented and amended its standards while keeping its focus on the protection of investors.</p>
<p>The governance rules that were implemented in 2003 and 2004 empowered independent directors to act as representatives of shareholders. They also enhanced disclosure by listed companies, so that investors are fully informed about the organization’s activities with regard to ethics and governance.</p>
<h3>Financial Compliance</h3>
<p>Financial compliance reviews a company’s financial statements to ensure that the organization is following the original listing and continued listing requirements. The criteria include share price, market value, trading volume, distribution of company shares, cash flow and revenue.</p>
<p>If a company falls below a criterion, the Exchange will immediately notify it and will review the appropriateness of continued listing. After being notified, the company has the opportunity to submit a plan to return to compliance within 18 months.</p>
<p>If the plan is accepted by the Exchange, it will monitor the company&#8217;s performance throughout the planned period. If the company fails to follow through with the plan in a timely manner, the Exchange will then suspend the securities of that company and will remove it from the list.</p>
<p>Here&#8217;s what companies on the list need to do in order to keep meeting the continued listing requirements:</p>
<ul>
<li> Organization and planning to maintain controls.</li>
</ul>
<ul>
<li> Implementation and acquisition of control mechanisms (technology) and measures (processes and policies).</li>
</ul>
<ul>
<li> Support and delivery of operations.</li>
</ul>
<ul>
<li> Evaluation and monitoring of controls.</li>
</ul>
<p>As time goes on, auditors will expect the organization to raise the bar on the reliability and maturity of its controls. They will expect the company to be more rigorously compliant and to have better integration of its technical and business controls. As it stands, organizations are given a grace period, as mentioned earlier, to improve their compliance infrastructure if they want to stay listed.</p>
<p>The solution for these organizations is to ensure that IT and corporate governance are perfectly integrated in a consistent and common framework. The sooner an organization adopts such an approach, the more likely it is to remain on the list.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.best-practice.com/governance/governance-compliance/financial-compliance-%e2%80%93-understanding-the-nature-of-compliance/financial-compliance-%e2%80%93-understanding-the-nature-of-compliance-14092013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Creating Flexible Reporting Systems</title>
		<link>http://www.best-practice.com/governance/governance-compliance/creating-flexible-reporting-systems/creating-flexible-reporting-systems-13092013/</link>
		<comments>http://www.best-practice.com/governance/governance-compliance/creating-flexible-reporting-systems/creating-flexible-reporting-systems-13092013/#comments</comments>
		<pubDate>Fri, 13 Sep 2013 12:31:54 +0000</pubDate>
		<dc:creator>Matthew S.</dc:creator>
				<category><![CDATA[Creating Flexible Reporting Systems]]></category>

		<guid isPermaLink="false">http://www.best-practice.com/?p=3064</guid>
		<description><![CDATA[The reporting systems that are used by a business must be extremely flexible in nature so that they can cater to both the local culture and what the laws state. The US Sentencing Guidelines also recommend that every company should try to build systems that offer the greatest possible flexibility. But how can [...]]]></description>
			<content:encoded><![CDATA[<p>The reporting systems that are used by a business must be extremely flexible in nature so that they can cater to both the local culture and what the laws state. The US Sentencing Guidelines also recommend that every company should try to build systems that offer the greatest possible flexibility. But how can this be achieved? Here is a look at some suggestions that are not only flexible but extremely effective as well, and will probably be approved by the relevant authorities across the world.</p>
<p><strong>Design a reporting system that complements direct reporting methods but does not serve as a complete replacement for them</strong></p>
<p>Every business should train several employees and publicize many job functions. For instance, supervisors and other business specialists can be assigned the duty of reporting any wrongdoing observed in the workplace or anything that seems to conflict with business ethics. However, prior to this, they must be given the required training. Similarly, the staff should also be educated so that they understand that all reporting systems are meant to act as a backup when the direct means of communication become unavailable. This can happen when there is a management breakdown or when a culprit tries to cover his tracks.</p>
<p><strong>Leave anonymous reporting methods for serious issues; the rest of the complaints must be open and liberal</strong></p>
<p>Every company must make sure that its employees understand that the reporting system has not been implemented for minor issues that can easily be handled in staff meetings, talks with supervisors and other conventional means. Moreover, companies should also identify the behaviors for which anonymous reporting systems can be used, and should make sure that their employees are aware of them. As an example, these systems can be used for serious issues such as records modification and bribery, whereas trivial issues can easily be reported through any other forum.</p>
<h3>Build trust by fulfilling promises</h3>
<p>Employees who use anonymous reporting systems to file their complaints do so because they are embarrassed or fear that their supervisors or the culprits would retaliate. Thus the management must make sure that all the privileges it offers in this regard are actually provided to the employee, and not just mentioned in the rule book.</p>
<h3>Achieve transparency</h3>
<p>Transparency leads to trust, which results in better relationships between all the individuals associated with a business. At all levels, employees might have fears associated with an individual who tries to mar a reputation or with a person who is avoiding dismissal. The management also has fears and believes that reporting systems might encourage employees to directly approach their heads first without trying to handle the complaints by themselves.</p>
<p>All these concerns can be addressed if the designers of the reporting system are specific about the means by which they protect anonymity and the methods by which they maintain confidentiality.</p>
<h3>Be quick in conducting investigation</h3>
<p>Whether the complaint is minor or severe, the management should respond to it quickly so that employees become aware that their concerns are also important and are addressed immediately.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.best-practice.com/governance/governance-compliance/creating-flexible-reporting-systems/creating-flexible-reporting-systems-13092013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Confidentiality in the Workplace – Taking Classified Information To A Whole New Level</title>
		<link>http://www.best-practice.com/governance/governance-compliance/confidentiality-in-the-workplace-%e2%80%93-taking-classified-information-to-a-whole-new-level/confidentiality-in-the-workplace-%e2%80%93-taking-classified-information-to-a-whole-new-level-13092013/</link>
		<comments>http://www.best-practice.com/governance/governance-compliance/confidentiality-in-the-workplace-%e2%80%93-taking-classified-information-to-a-whole-new-level/confidentiality-in-the-workplace-%e2%80%93-taking-classified-information-to-a-whole-new-level-13092013/#comments</comments>
		<pubDate>Fri, 13 Sep 2013 12:15:55 +0000</pubDate>
		<dc:creator>Matthew S.</dc:creator>
				<category><![CDATA[Confidentiality in the Workplace – Taking Classified Information To A Whole New Level]]></category>

		<guid isPermaLink="false">http://www.best-practice.com/?p=3055</guid>
		<description><![CDATA[To maintain confidentiality in the workplace means to create and maintain trust, and thus to allow an honest and open form of communication between the organization, employees and clients.
Workplace confidentiality is defined as keeping the clients and the employee’s information private. Generally, it is seen that organizations will go out of their way to protect client [...]]]></description>
			<content:encoded><![CDATA[<p>To maintain confidentiality in the workplace means to create and maintain trust, and thus to allow an honest and open form of communication between the organization, employees and clients.</p>
<p><img class="alignleft" title="Confidentiality in the Workplace – Taking Classified Information To A Whole New Level" src="http://privacyblog.littler.com/uploads/image/ConfidentialII.jpg" alt="" width="180" height="119" />Workplace confidentiality is defined as keeping the clients’ and the employees’ information private. Generally, it is seen that organizations will go out of their way to protect client information, but when it comes to the employees not much is done.</p>
<p>This thought process, however, needs quite a few changes, and the employees need to understand the severity of the situation. Only then will they be treated like the clients.</p>
<h3>The Importance of Confidentiality at the Workplace</h3>
<p>Confidentiality is highly important; it’s the employee’s responsibility to handle all the information they come across in the workplace with caution and care. The employee needs to be cautious enough not to reveal any sensitive information that the organization considers confidential to a third party unless the employee obtains permission from the supervisor to do so. In addition, employees should abstain from sharing any personal or confidential details with their colleagues at work. This will help to sustain a more professional attitude in the workplace.</p>
<p>An employee should know exactly what materials, files or documents he or she is allowed to access in the workplace and should only focus on those. Under no circumstances may the files be given to or shared with unauthorized people. The reason is simple: if the files end up in the wrong hands, it can be considered a violation of confidentiality, for which the employee may be dismissed. In fact, employees are prohibited from discussing any business dealings with clients outside of the work environment.</p>
<p>As far as the employer goes, any professional and personal details of the employees need to be handled with discretion. Information related to salary structure, health data, references and application forms needs to be kept confidential, because it can be misused and might lead to discrimination, creating a hostile work environment. Only the staff members belonging to the Human Resource Department are granted permission to access the personal and professional files of the employees.</p>
<p>Maintaining confidentiality in the workplace is crucial for various reasons. If there’s a breach in confidentiality, the client can sue the organization if they prove that the organization or the employee has revealed any private information belonging to the client. This can have an adverse effect on the organization’s reputation. So, it’s very important for the employee and the organization to ensure that all private information in the workplace is protected.</p>
<p>In order to maintain confidentiality in the workplace, the privacy guidelines and policies should be updated regularly, according to the laws developed by the government, and should then be communicated to the staff to ensure compliance. By sustaining confidentiality practices in the workplace, an organization not only protects itself from legal issues, but also increases productivity by providing employees with a safe and secure working environment.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.best-practice.com/governance/governance-compliance/confidentiality-in-the-workplace-%e2%80%93-taking-classified-information-to-a-whole-new-level/confidentiality-in-the-workplace-%e2%80%93-taking-classified-information-to-a-whole-new-level-13092013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Compliance &#8211; A Look into Risk Management</title>
		<link>http://www.best-practice.com/governance/governance-compliance/compliance-a-look-into-risk-management/compliance-a-look-into-risk-management-13092013/</link>
		<comments>http://www.best-practice.com/governance/governance-compliance/compliance-a-look-into-risk-management/compliance-a-look-into-risk-management-13092013/#comments</comments>
		<pubDate>Fri, 13 Sep 2013 12:12:30 +0000</pubDate>
		<dc:creator>Matthew S.</dc:creator>
				<category><![CDATA[Compliance - A Look into Risk Management]]></category>

		<guid isPermaLink="false">http://www.best-practice.com/?p=3052</guid>
		<description><![CDATA[Compliance is considered a type of risk management. In the case of compliance, most of the risk that is managed is created by or based in regulations and laws, rather than customer behavior or market forces. However, many of the core features of compliance risk share similar elements with many other forces that cause risks [...]]]></description>
			<content:encoded><![CDATA[<p>Compliance is considered a type of risk management. In the case of compliance, most of the risk that is managed is created by or based in regulations and laws, rather than customer behavior or market forces. However, many of the core features of compliance risk share similar elements with many other forces that cause risks to organizations. Some of the major risk sources include technology, economic forces in markets, rapid growth of the organization and products, product complexity and staff turnover.</p>
<p><img class="alignleft" title="Compliance - A Look into Risk Management" src="http://www.compliance-matters.com/wp-content/uploads/2012/12/risk.jpg" alt="" width="233" height="112" />Risk management is becoming a very popular tool for organizations. In fact, many bank auditors consider ‘risk’ a necessary audit tool. Based on risk management, bank examinations are increasing. This trend of risk management and risk assessment is considered a natural fit for compliance.</p>
<p>The Treadway <a href="http://www.coso.org/">Commission’s Committee of Sponsoring Organizations (COSO)</a> classifies risk into several categories:</p>
<p>Internal and External Factors<br />
Risks related to changes.</p>
<p>Although these are regarded as generic and broad categories, classifying risk into general categories can be quite useful in the process of determining risk, identifying its extent and recognizing ways to manage it.</p>
<h3>External Factors</h3>
<p>External factors are one of the major sources of risk, which the organization cannot control, but can predict and observe. A smart risk manager will always be ready and will have a response strategy for them.</p>
<h3>Internal Factors</h3>
<p>Internal factors are another risk source, one over which the organization has some control. The compliance manager should use the knowledge he or she has about the organization to determine the internal risk factors and should then take the necessary precautions to minimize the risk. Although the organization does have some degree of control over the internal risk elements, methods to reduce them will always come at the expense of business opportunities.</p>
<h3>Risks Related To Change</h3>
<p>Risks related to change include a combination of various factors that are not under the organization’s control. Changes associated with risk that result in the development of new products and trigger a new analysis concerning compliance risk are under some degree of control of the organization. Change may also occur due to the economy, legislation or the organization’s market. In this form of change, the organization has no control and can only respond to the changes.</p>
<p>COSO has categorized a list of changes. These factors are very valuable to study in order to determine how compliance is affected. The factors included in the list by COSO are:</p>
<ul>
<li> A changed operating environment.</li>
</ul>
<ul>
<li> New personnel.</li>
</ul>
<ul>
<li> Redesigned or new information system.</li>
</ul>
<ul>
<li> New technology and rapid growth.</li>
</ul>
<ul>
<li> New products and product lines.</li>
</ul>
<ul>
<li> New acquisitions and activities.</li>
</ul>
<ul>
<li> Corporate restructuring.</li>
</ul>
<p>Compliance managers should be familiar with these risks, since they will be used to outline the compliance program. Elements such as the quantity of the risk should determine your organizational priorities. Similar to the OCC approach, COSO’s question is based on whether these controls are reliable. The goal is not to be perfect; the goal is to have the ability to identify, minimize and prevent problems. An organization that is at risk is an organization with controls that are not reliable.</p>
<p>A compliance management program that is based on risk management can be quite an effective communication tool. Managers who are not inclined towards the term “compliance” may not be ready to respond to the term “risk”. In such a situation, an organization needs to design an approach that allows management to understand the element while focusing on compliance priorities.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.best-practice.com/governance/governance-compliance/compliance-a-look-into-risk-management/compliance-a-look-into-risk-management-13092013/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
