Building a compliance program from the ground up from a well-conceived blueprint is a luxury few compliance professionals enjoy.

Most companies already have some initiatives in place—an environmental, health, and safety program or anti-money laundering policies, for example. While the existence of such programs is not necessarily bad in itself, building on to them can lead to compliance programs that are siloed, says Shaheen Javadizadeh, vice president of strategic markets at Datacert, a provider of legal software solutions. That is, they're run by different individuals and departments across an organization.

The result? Most compliance professionals “have not had an opportunity to look at their governance, risk, and compliance (GRC) program holistically,” says Javadizadeh. A program built from scratch, on the other hand, can be aligned with the business strategy and tailored to foster the organization's growth.

A fractured compliance program can force companies to be reactionary, responding to issues as they crop up, rather than having a proactive system in place based on risk assessment. “You're constantly looking in the rearview mirror,” says Shanti Atkins, president and chief strategy officer at NAVEX Global, a provider of GRC services and solutions. 

Operating multiple, disparate programs also comes with a hefty price tag if each business unit decides to implement its own software solutions, for example, or develop its own policies, creating duplicate systems and efforts. “We believe passionately in having operating efficiency,” Atkins says.

Moreover, the U.S. Federal Sentencing Guidelines identify “similar misconduct”—prior conduct that's similar to the behavior underlying an offense for which an organization currently is being sentenced—as one factor that can increase a company's culpability score, which in turn can boost penalties. Disparate GRC efforts increase the risk that similar misconduct can, even inadvertently, take place in different areas of a company.

In light of these factors, a growing number of companies are moving to a unified GRC approach. “We're seeing the maturation of the compliance function,” Atkins says. “Organizations recognize the need to pull the parts together.”

Several building blocks are critical to effectively developing and managing a unified GRC effort, Javadizadeh says. These include:

1. Context. This is what's frequently referred to as “tone at the top.” Organizations need to develop a compliance culture and objectives and align them with the business operations and the organization's mission. “This function needs to be perceived as seminal to the business; that the business will be higher performing and more valuable with an integrated, predictive approach to ethics and compliance,” Atkins says.

2. Organization. Next, companies must assign responsibilities to various departments and individuals within the organization. Most successful programs take what Javadizadeh terms a “big C, little c” approach. Under this model, they assign initial responsibility for compliance to the business units, since they are, after all, in a position to first identify potential compliance issues. These units have dotted-line reporting relationships to the professionals in compliance, who are responsible for, among other functions, providing training and helping to identify weaknesses in controls. “It's both centralized and decentralized,” he says.

3. Assessment. An effective, unified GRC program has to identify and assess the threats and opportunities in the environment in which the company operates, Javadizadeh says. A solid risk-assessment plan allows the organization to focus its attention and resources on those areas likely to harbor the greatest exposure.

4. Controls and policies. Once the potential risks have been identified, an organization needs to develop the controls, policies, and codes of conduct that will govern the actions undertaken by the business units, as well as the tools that will be used to educate employees on the policies and controls.

Often, this is the area in which a large chunk of the GRC budget is expended; disseminating controls and policies across an organization typically requires an investment in both human and technical resources. Indeed, a variety of technical tools are available, Javadizadeh notes. For instance, many organizations have implemented policy management systems that enable them to develop and communicate policies across various units, as well as learning management systems that allow them to administer and track the delivery of online courses or training. GRC software often sits over both of these, allowing compliance to manage both in a single common system and workflow, Javadizadeh adds.


While technical tools are critical, they can't define the GRC function, cautions Lisa Semeraro, senior GRC consultant with OpenSky Corp., a provider of IT consulting services. People sometimes “think technology will tell them what to do,” she says. “There's no such thing as ‘an easy button.’”

Management and employees need to undertake an analysis of their processes, as well as of the regulatory and business environment in which they operate, in order to develop an effective program.

5. Monitoring and detection. The goal is to have in place the systems and people that can identify and flag potential failures.

6. Response. Companies may have wonderful controls and policies in place, and may have communicated them well to employees, but they still need to respond properly when things go wrong, as they always do. An important element of an effective response process is determining when it makes sense to bring in outside experts. Generally, this step is critical when some of an organization's senior management team are potentially involved in wrongdoing, Javadizadeh says. Without the opportunity to work with an outside party, the integrity of the process becomes suspect, as it would be difficult for almost any employee to provide information that could be damaging to a superior.

7. Measurement. As with any business function, the impact of the compliance function should be regularly measured and evaluated. Obvious metrics, such as the number of incidents in a given time period or the number of calls to a hotline, are a good starting point, with more sophisticated measures added over time.

8. Interaction. Given that effective compliance initiatives will impact employees, vendors, and customers, developing a sustainable program often means eschewing single-point solutions, which can leave gaps in the views they provide of an enterprise's compliance efforts. 

Instead, organizations generally want to aim for fewer systems that can work across an organization. Otherwise, it becomes difficult to share insight or gain a holistic view of GRC issues, Atkins says.

That's not to say that one system will be able to accommodate all aspects of an enterprise-wide GRC program, Atkins cautions. “The notion that there's a single, mega GRC platform to cover everything that falls into risk and compliance is a little silly.”

Sometimes a one-off system might be needed to meet the specific needs of a business unit or region. When that's the case, the compliance function “needs to get smart about data exchange,” Atkins says. The platforms should be able to feed and receive information to and from other applications, so that the end result is a unified view of compliance.

Along with working across business units and geographic regions, the systems should enable an organization to conduct due diligence on its vendors and other third parties, Javadizadeh says. Under many newer anti-corruption laws, organizations can be liable for improper actions done on their behalf by outside agents. For example, a summary of the U.K. Bribery Act by the Foreign & Commonwealth Office states: “Companies can be liable for bribery committed for their benefit by their employees or other associated persons.”

Even once an organization has put in place the building blocks that can lead to an effective, unified compliance program, its work isn't over. “It's an evolving process, not ‘set it and forget it,’” says Semeraro. Companies need to regularly assess their risks and needs and respond appropriately as they change.