CORPORATE COMPLIANCE ACTION PLAN

CORPORATE COMPLIANCE ACTION PLAN

          By John Kyriazoglou* (author’s credentials at the end of this document)

A compliance program refers to an organization's management plan for conducting all of its activities within the frameworks of law, rules and regulations.

It usually concerns:

(a) Identifying the laws, rules and regulations that apply to the activities of the organization,

(b) Identifying business areas where the activities of the organization are at risk of breaching these laws, rules and regulations,

(c) Establishing and executing systems, policies and procedures to try to avoid, prevent and protect against such breaches,

(d) Assigning specific compliance-related responsibilities to managers and professional staff and incorporating all compliance activities within the regular business operations of the organization,

(e) Changing behavior of all participants (board, managers, staff, external parties, etc.) through communication, education, training and coaching where this is necessary,

(f) Monitoring and reporting all compliance-related issues, and

(g) Reviewing, auditing and improving the whole compliance program and effort.

This compliance program could be implemented by a compliance action plan as follows:

The conceptual model that may be used for crafting the compliance action plan and ensuring its completeness, to the best and practical way possible, is the ADDIE Model, which is the acronym for analysis, design, development, implementation and evaluation, and its corresponding phases. This model (see, for more details: http://en.wikipedia.org/wiki/ADDIE_Model) gives us, from a practical perspective, an added level of confidence that we have not forgotten any phases in developing and implementing a compliance program.

Phase 1: Analysis of Compliance Requirements and Needs

The objective of this phase is to analyze the compliance requirements and needs impacting the organization and prepare it to manage its activities and operations in a compliance-effective environment. The actions required to be executed to complete this phase are:

Action 1: Carry out the analysis of the compliance landscape of the organization and the statutes, laws and regulations affecting all functions of the business the organization is involved in and the countries or states (provinces) it operates in.

Action 2: Define the constituent elements required by the specific organization in terms of funds, people, management structure, policies, systems, procedures, documentation, facilities, techniques, methods and tools to be effectively employed to carry out and implement the whole compliance process.   

Action 3: Collect all compliance rules, regulations and standards affecting the organization.

Action 4: Carry out the analysis of the communication and training aspects and the readiness of the organization regarding compliance.

Action 5: Submit a report to the board of the analysis that includes a budget for the compliance process, and obtain approval and funds from the board for designing, development and operating a compliance program for the organization.

Phase 2: Design of the Compliance Function of the Organization

The objective of this phase is to design and set up an effective compliance program and a compliance officer and often a compliance committee who are responsible for collecting all relevant rules, regulations and standards applicable to the organization, organizing, developing, operating and monitoring the compliance program. The compliance officer and compliance committee must report directly to the organization’s governing body, and CEO, periodically and on an as-needed basis. The compliance officer must oversee the program, including making revisions as the company’s needs change, coordinating and participating in training and education for employees, independently investigating compliance matters and ensuring that any necessary corrective action is taken. The actions required to be executed to complete this phase are:

Action 1: Design the duties, roles and responsibilities of a Compliance Officer.

Action 2: Design the responsibilities of a Compliance Committee.

Action 3: Appoint the Compliance Officer.

Action 4: Establish the Compliance Committee.

Action 5. Design and issue a first draft of the Compliance Strategy and Program.

Action 6. Design, if required, the specifications of a computerized system to support the compliance process of the organization.

Action 7: Submit a report to the board of the design phase, making any required changes to the initial budget, and obtain approval and funds from the board for the execution of the next phase.

Phase 3: Development of Compliance Policies and Procedures

The objective of this phase is to carry out the development and distribution, by the compliance officer, of written compliance standards, systems, policies, procedures and practices to guide the organization and its employees on a day-to-day basis. These should include a code of conduct detailing the fundamental principles, values and framework for action within the organization, general corporate policies and procedures, a summary of critical laws, regulations and standards, and specific provisions for various administrative, production, customer service, sales, marketing, financial, information technology and other business functions within the organization, including any regulations that may apply to business units in other national jurisdictions. These should be easily understood by, and posted and communicated to, all affected employees, as well as participants in the activities of the organization. The actions required to be executed to complete this phase are:

Action 1. Develop and finalize the Compliance Program.

Action 2: Develop the corporate compliance policies, procedures, codes of conduct and the compliance records maintenance and retention system of the organization.

.

Action 3. Develop or obtain a ready-made software system, if required, to support the compliance process of the organization.

Action 4: Obtain board approval of all corporate compliance policies, procedures and codes of conduct.

Action 5: Distribute all compliance policies, procedures and codes of conduct to all staff and managers.

Action 6: Develop the compliance communication procedures.

Action 7: Develop the education and training plan and procedures for all compliance issues.

3. Implementation of Compliance Program

The objective of this phase is to fully implement the compliance program. It may not be enough to appoint a compliance officer and committee, even if they are excellent in carrying out their duties and roles. The compliance officer must create and maintain effective lines of communication with all employees. This should include a process, such as a hotline or other reporting system, to encourage questions and complaints and procedures to protect the confidentiality or reports and anonymity of the complainants and to protect employees against retaliation. The actions required to be executed to complete this phase are:

Action 1: Implement all Corporate Compliance Policies, Procedures, Compliance Codes of Conduct, as well as the compliance records maintenance and retention system.

Action 2. Implement, if required, the computerized system to support the compliance process of the organization.

Action 3: Run all awareness sessions with all business functions as regards the compliance policies and procedures of the organization.

Action 4: Implement the compliance reporting system, including a Hot Line for compliance issues.

Action 5: Execute the education and training plan for all compliance issues.

Action 6: Link compliance to management and employee performance.

Action 7: Enforce compliance standards through well-publicized disciplinary guidelines.

4. Evaluation and Improvement of Compliance Program

The objective of this phase is to assess the effectiveness of the Compliance Program of the organization. The compliance program must be evaluated periodically to assess its effectiveness as a whole, including how it performs in practice to monitor the operations of the organization on a day-to-day basis. If the same problems recur time and time again, specific actions must be undertaken and compliance requirements and needs must be addressed. Compliance policies, standards and practices are only effective if they have the commitment of the management of the organization, are clearly written and communicated to staff, and are interpreted by a compliance officer with the proper skills, dexterities and experience. In the event of a regulatory investigation or potential breach, complete documentation of all aspects of the company’s compliance program is necessary to demonstrate the good faith of the company and the specific program’s effectiveness. The actions required to be executed to complete this phase are:

Action 1: Monitor the execution of all Corporate Compliance Policies and Procedures by the designated officer and committee of the organization.

Action 2: Request auditing of Corporate Compliance Policies and Procedures by internal audit.

Action 3: Review all Corporate Compliance Policies and Procedures by external auditors, including subject experts.

Action 4: Develop correctives actions and execution of responses to detected offences.

Action 5: Evaluate the effectiveness of Corporate Compliance Policies and Procedures.

Action 6: Evaluate the effectiveness of Compliance Program.

Action 7: Improve all Corporate Compliance Policies and Procedures and Compliance Program.

*Author’s Credentials

John Kyriazoglou, CICA, M.S.,B.A(Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book CORPORATE CONTROLS’ ( to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.

E-Mail: jkyriazoglou@hotmail.com

Profiles

http://www.linkedin.com/pub/john-kyriazoglou/0/9b/919

http://www.authorsden.com/jkyriazoglou

http://www.icttf.org/profile/johnkyriazoglou

http://www.blogger.com/profile/15482029934015594259

Blogs

Articles, Opinions, etc.: http://corporatecontrols.blogspot.com/

Publications: http://johnkyriazoglou-works.blogspot.com/

INFORMATION SENSITIVITY POLICY

INFORMATION SENSITIVITY POLICY

By John Kyriazoglou* (author’s credentials at the end of this document)

The primary objective of the Information Sensitivity Policy is to provide guidelines for the data classification issues of information collected and processed by information systems activities of an organization. This example may be used for educational purposes only and it should be amended to suit the particular organization’s legal and regulatory requirements and operating conditions, before it is put to effective use and is implemented in a real environment. The author assumes no responsibility whatsoever for the contents, suitability and accuracy of this policy.

An example of such a policy is described next.

  Company ‘XYZ-Fictitious Enterprise Corporation’ Information Sensitivity Policy

1. Purpose

The Information Sensitivity Policy of ‘XYZ-Fictitious Enterprise Corporation’ (referred to as Company, from now on), is intended to help management and staff of a corporate entity determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of <Company Name> without proper authorization.

2. Coverage

The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).

3. Classification Definitions

All <Company> information is categorized into three main classifications: <Company> Public, or <Company> Confidential, or <Company> Restricted.

<Company> Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to < Company>.

<Company> Confidential contains all other information that is not public or restricted such as information stored in computer files and network servers, telephone directories, general corporate information, personnel information, etc., which is, however, critical to the every-day activities of the company.  

<Company> Restricted contains information that is more sensitive than other information, and should be protected in a more secure manner. This information includes: trade secrets, development programs, patents, copyrighted material, potential acquisition targets, and other information integral to the success of the company.

This classification, for all digital and non-digital information of the organization, should be carried out initially and reviewed and improved periodically by a management mechanism that includes: (a) Information Owners, (b) Information Systems Managers, and (c) Security Manager, with the support and advice of other corporate officers, such as data privacy officer, compliance officer, etc.

4. Encryption of Information

All <Company> Confidential and <Company> Restricted information should be encrypted in accordance with the Acceptable Encryption Policy. International issues regarding encryption are complex. Corporate guidelines on export controls on cryptography should be followed. For more details consult your manager and/or corporate legal services for further guidance.

5. Sensitivity Guidelines

The Sensitivity Guidelines below provide details on how to protect information at varying sensitivity levels.

5.1. <Company> Public: This relates to general corporate information, some personnel and technical information of a generalized nature.

Access: This information should be allowed to <Company> employees, contractors, and people with a business need to know. All accesses to this type of information should be authorized and recorded.

Distribution: Internal distribution of this information within <Company> should be carried out by standard inter-office mail, approved electronic mail and electronic file transmission methods. Distribution of this information outside of <Company’s> internal mail should be carried out by national mail and other public or private carriers, approved electronic mail and electronic file transmission methods. If this information is distributed in an electronic way, it should be sent to only approved recipients.

Storage: This information should be protected from loss. All electronic transmissions should have individual access controls where possible and appropriate.

Disposal/Destruction: Special disposal bins should be used for outdated paper information. Electronic data should be expunged, cleared and erased with specialized devices. Media should be physically destroyed.

5.2. <Company> Confidential: Business, financial, technical, and most personnel information.

Access: This information should be allowed to <Company> employees, contractors, and people with signed non-disclosure agreements who have a business need to know. All accesses to this type of information should be authorized and recorded.

Distribution: Internal distribution of this information within <Company> should be carried out by standard inter-office mail, approved electronic mail and electronic file transmission methods. Distribution of this information outside of <Company’s> internal mail should be carried out by national mail and other public or private carriers, approved electronic mail and electronic file transmission methods. If this information is distributed in an electronic way, it should be sent to only approved recipients.

Storage: This information should be protected from loss. All electronic transmissions should have individual access controls.

Disposal/Destruction: Special disposal bins should be used for outdated paper information. Electronic data should be expunged, cleared and erased with specialized devices. Media should be physically destroyed. All these actions should be authorized, recorded and reported.

5.3. <Company> Restricted: Trade secrets & marketing, operational, personnel, financial, source program code, & technical information integral to the success of <Company Name>.

Access: This information should be allowed to <Company> staff with signed non-disclosure agreements who have a specific board authorization. All accesses to this type of information should be recorded and reported.

Distribution within <Company>: This information should be delivered directly to the approved recipient upon their signatures. All envelopes should be stamped confidential. Electronic file transmissions should not be allowed.

Distribution outside of <Company> internal mail:  This information should be delivered directly, by approved private carriers, to the approved recipient upon their signatures. All envelopes should be stamped confidential. Electronic file transmissions should not be allowed.

Storage: Individual access controls to this information should be enforced for electronic information. Appropriate physical security measures should be used, and information should be encrypted and stored in a physically secured computer.

Disposal/Destruction: This information should be physically destroyed by paper shredders, and other specialized digital crunching devices. Digital media should be cleared and erased before disposal. All these actions should be authorized, recorded and reported.

6. Business Connections

Access to <Company> computers and information systems by business partners, competitors and unauthorized external personnel must be restricted so that, in the event of an attempt to access <Company> corporate information, the amount of information at risk is minimized. Connections may be set up to allow others (business partners, etc.) to see only what they need to see only when specifically authorized by the board. Unauthorized personnel should only have access to information classified as <Company> Public, upon recording their details and their needs for accessing this information. This involves setting up both applications and network configurations to allow access to only what is necessary. All these actions should be recorded and reported.

7. Penalties

The penalty for deliberate or inadvertent disclosure of any information by any staff member (management, board, professional staff, line employee, etc.) found to have violated this policy may include disciplinary action, up to and including termination of employment, possible civil and/or criminal prosecution to the full extent of the law.

8. Responsibility of management  

All <Company> personnel should use these guidelines in securing <Company> Restricted and <Company> Confidential information to the proper extent possible. All department heads are responsible to supervise the classification activities of all the information managed by their function. A register of such files should be maintained and reported to the senior management of the company. If a manager is not certain of the classification to be applied, he or she should contact a higher level of authority (such as CEO, Ethics Committee, Compliance Committee, Compliance Officer, Legal Department, etc.), as specified by the internal controls policy and practices of the company. 

9. Responsibility of staff  

If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their manager. If an employee feels that their manager is not following these guidelines, he or she should contact a higher level of authority (such as CEO, Compliance Committee, Ethics Office, Compliance Officer, Legal Department, etc.), as specified by the internal controls policy and practices of the company. 

10. Responsibility of Compliance Officer  

It is the responsibility of the compliance officer to provide guidance to all personnel on the use of these guidelines, and ensure that these guidelines are complied with. The compliance officer should also report to both the compliance committee and the board, on the basis of the company’s reporting standards, all compliance related activities.

*Author’s Credentials

John Kyriazoglou, CICA, M.S.,B.A(Hon), is an International IT and Management Consultant, author of the book ‘IT STRATEGIC & OPERATIONAL CONTROLS’ (published in 2010 by www.itgovernance.co.uk), and co-author of the book CORPORATE CONTROLS’ ( to be published in 2/2012 by www.theiic.org), with Dr. F. Nasuti and Dr. C. Kyriazoglou.

E-Mail: jkyriazoglou@hotmail.com

Profiles

http://www.linkedin.com/pub/john-kyriazoglou/0/9b/919

http://www.authorsden.com/jkyriazoglou

http://www.icttf.org/profile/johnkyriazoglou

http://www.blogger.com/profile/15482029934015594259

Blogs

Articles, Opinions, etc.: http://corporatecontrols.blogspot.com/

Publications: http://johnkyriazoglou-works.blogspot.com/

COMPLIANCE, ETHICS AND RISK MANAGEMENT

COMPLIANCE, ETHICS AND RISK MANAGEMENT

A question was recently put in a discussion group, whether COMPLIANCE is distinct from ETHICS and how they interact in a corporate environment.

I think COMPLIANCE has to do with meeting fully to all standards, rules and regulations, whether external or internal to the ORGANIZATION. The term comes from Latin (COM=TOGETHER), and Ancient Greek (PLERE=TO FULLFILL).

 

ETHICS provides the background in terms of moral character (good, evil, just, etc.), nature, disposition, habit and custom of a person to obey willingly or face the moral and other consequences if he or she does not. The term comes from Ancient Greek (ETHOS=Moral Character).

The question ‘If the person complies should he/she be also ethical?’ is irrelevant.

The question ‘If the person is ethical should he/she also comply?’ is also irrelevant.

The major philosophical question for managing organizations, to be resolved, however, is this: How to handle the case and to minimize if not avoid all-together, the possibility that the person (staff member, manager, executive, etc.) might easily damage and potentially destroy the organization, its stakeholders, customers and employees, etc., when that specific corporate person (staff member, manager, executive, etc.) who is complying fully with all rules and regulations and is or is not ethical, but WITH COMPLETE DISREGARD for the RISKS involved, makes the right decision on a strategic or operational transaction, issue or activity.

In other words we should see both COMPLIANCE and ETHICS co-existing within the GOVERNANCE FRAMEWORK which should also include RISK ASSESSMENT and RISK MANAGEMENT. 

Also we should ensure that all these mechanisms resolve to a satisfactory and beneficial level, to society, economy, community, organization and individuals concerned, the classical principal-agent problem.