There’s more to ensuring a company has a good compliance program than having the right words in a document and making sure everyone has access to it. Crafting a compliance program is an exercise that involves many levels of the company, and starts with those at the top.

And it’s not just a matter of writing out policies. A compliance program must be built with real situations in mind, based on an evaluation of the company’s real risks. It has to include the compliance tools a company needs to address the risks it faces.

“There has to be an effort to actually look around and try to figure out where your compliance risks are and try to get them resolved before they blossom into something that is more onerous to deal with,” says Emil Moschella, Executive Director, Rutgers Center for Government Compliance and Ethics. “It requires an understanding of compliance controls. A lot of times people really don’t understand how an organization goes about putting in management controls to prevent and detect non-compliant behavior, what the elements of those things are,” he says.

Crafting a compliance program usually boils down to three items, says Moschella. “Good policies, good training and monitoring.”

Good Policies

“The policies can’t be vague, they’ve got to be specific and they’ve got to be consistent with the law that they’re implementing,” says Moschella.

“It’s a lot easier to understand with a new law that comes in or a court decision that affects how you operate. It comes in and all of a sudden the organization has to react to it. And they go ahead and write a policy. Well it doesn’t do any good if you just take the policy and put it up on a shelf,” he says. “You have to publicize it, you’ve got to train people, and once it’s up and running you really have to at least monitor it to make sure that people understand it and are getting it right.”

Good Training

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template

Even the best compliance program is useless unless employees know that it exists, how it affects them, and how to put it into practice. This usually means live, in-person training.

Compliance training should be targeted at the individuals who are actually in trenches doing the work, says Moschella. “Sometimes they do these broadcast web-based programs and people can have absolutely no idea of why they are listening to it. And so it loses its impact,” he says.

Monitoring

Monitoring is the third prong of a good compliance program. It ensures that employees understand it and it’s being put into practice the way it was meant to be. But monitoring requires more than just auditing.

“Sometimes audit schedules are every five years or every two years or whatever the rotation is, but it catches the problems too far down the road,” says Moschella. “If you catch it as part of the process of doing business, then you’re in much better shape at that point.”

Crafting a Compliance Program that Works

It’s one thing to have good policies, training and monitoring, but how do you if your compliance program is working?

“It’s difficult to measure a negative,” says Moschella. “You can say that bad things can happen if you don’t have it.” Or you can measure signs.

Some companies measure hotline calls; some do anonymous employee surveys. “When it comes to compliance and ethics a question might be: do you have any concerns about raising an issue where you think your company is not complying with the law?” says Moschella. If you’re getting affirmative answers to that question, you know you’re not being as effective as you should be in promoting the notion of non-reprisal and confidentiality, he says.