| Activity | Responsible party | Notes / examples |
|---|---|---|
| **Compliance Officer and Committee** | | |
| Select a compliance officer (CO) | CEO/governing board | High level; position of power; “independent”/does not report to chief financial officer or general counsel |
| Select a compliance committee (CC): provide compliance and risk area training to the compliance committee; identify specific compliance subtopics for implementation; create subcommittees or task forces; assign each task force to a specific compliance subtopic | CEO/governing board/CC | Representative of key departments |
| Ensure CC meets as often as needed during implementation | | |
| Ensure CC meets on a regular basis (at least quarterly) after implementation | | |
| **Risk Assessment (once structure is in place)** | | |
| Conduct an organizational risk assessment and prioritize findings: identify any well-known industry risk areas; identify all relevant laws, regulations, and government or regulatory body guidance; identify any areas of previous compliance problems within the organization; identify any areas of previous operational or financial problems within the organization; identify any human resources-related problems within the organization; request all departments to list their department’s areas of weakness or potential weaknesses | | |
| **Policies and Procedures and Developing the Code of Conduct** | | |
| Create and distribute code of conduct: draft compliance code of conduct (CC); obtain approval of code of conduct (CEO/governing board); distribute and explain to all employees (CC); obtain signed attestation of code of conduct from all employees (CC) | CC | |
| Draft “structural” policies and procedures: mission/goals/directives of compliance; role of compliance officer; role of compliance committee; role of management and board of directors; general compliance training; specific compliance training; annual compliance retraining; testing of compliance education retention; anonymous reporting mechanism; open lines of communication; feedback on reports; nonretaliation policy; auditing and monitoring; auditing work plan; auditor independence; continuous/regular monitoring; conducting background checks; disciplinary action guidelines; enforcement of disciplinary action | | |
| Draft “substantive” policies and procedures | | |
| Obtain approval of policies and procedures from compliance committee | | |
| Obtain approval of policies and procedures from executive committee | | |
| Obtain approval of policies and procedures from board of directors | | |
| Distribute and explain the policies and procedures to all employees | | |
| Obtain signed certification of receipt and understanding of policies and procedures from all employees | | |
| Review of policies and procedures, annually: review all compliance-related policies and procedures; update policies and procedures as needed; create new policies and procedures for new risk areas identified; obtain required approvals of revised policies and procedures; obtain proof of review for all nonrevised policies and procedures; distribute revised policies and procedures to all appropriate employees/contractors; obtain signed certification of receipt and understanding of revised policies and procedures from all applicable employees/contractors | | |
| Review of policies and procedures, upon revision of a process: review all compliance-related policies and procedures; update policies and procedures as needed; obtain required approvals of revised policies and procedures; distribute revised policies and procedures to all appropriate employees/contractors | | |
| Review of other departmental policies and procedures: prepare a departmental policy and procedure request memo (upon creation/implementation of the compliance program and annually thereafter); designate a task force, or delegate specific policies and procedures to various task forces, to review and recommend compliance-related revisions to each policy; provide recommendations back to the departments with a timeline for each department to submit the revision or a written explanation of the process as it is and why it cannot be revised; sign off on each revised policy and procedure and each policy and procedure that does not require revision | | Memo should request from all departments copies of all operational, financial, or other compliance-related, department-specific policies and procedures |
| **Training and Education** | | |
| Build compliance training program: identify all employees that require general compliance training; identify all employees that require specific/focused compliance training; identify all vendors, contractors, and customers that require compliance training; identify any other community members or other entities that require compliance education; determine content and duration of general compliance training; determine content and duration of specific compliance training; determine content and duration of contractor/vendor compliance training; determine content of community/customer/other entity compliance education; determine frequency of training required; determine most appropriate mode of general training; determine most appropriate mode of specific training; determine most appropriate mode of contractor/vendor training; determine most appropriate mode of customer/community training; determine most appropriate trainers; develop training materials and presentation; determine mechanism for tracking who has and has not been trained; document training and education plan and schedule developed through the above activities | | Modes: live, online, self-study; pamphlets, emails, mailers, radio/TV. Trainers: compliance officer, human resources, consultant. Materials: PowerPoints, tailored-but-purchased training, content for consultants to present |
| Provide training | | |
| Refine training program: track who has and has not been trained; identify alternative training/education methods; implement alternative training/education methods; CO and CC regularly attend high-level compliance conferences/seminars; subscribe to compliance journals/newsletters; join compliance-related organizations; subscribe to government and other mailing lists | | Alternative methods: postings, pamphlets, monthly compliance newsletters, compliance tip of the week. Vital to ensure compliance leadership has the most current information |
| **Auditing and Monitoring** | | |
| Complete risk assessment (described above) | | |
| Draft audit plans for each risk area identified: determine the objectives of the audit; determine the appropriate sample selection method for each audit; determine which documents will be audited; determine the audit criteria | | |
| Develop an audit schedule based on prioritization from the risk matrix | | Frequency of each audit, how many audits at once, expected duration of each audit |
| Determine the appropriate party to conduct each audit | | Internal audit, outside consultant, compliance committee, compliance officer |
| Certify the independence/objectivity of the auditor | | |
| Conduct the audit | | |
| Determine the appropriate corrective action plan for any problems identified | | |
| Prepare a written audit report | | |
| Determine if legal counsel should be involved in the audit resolution based on findings | | |
| Develop surveys specific to each audience | | Employees, customers, board of directors |
| Survey employees, customers, and other individuals on compliance issues | | |
| Flow chart: flow chart specific processes; identify potential compliance weaknesses in the process; identify areas that lack sufficient checks and balances; add areas identified to the audit plan/schedule; improve processes as indicated; reflow chart the corrected process; educate affected employees on the changes | | Ensure they understand the need for the revisions |
| Hold roundtable discussions regarding compliance | | |
| Quiz employees during staff meetings | | Theoretical and applicable to their work area: (a) create questions that get employees thinking about compliance in a practical manner, (b) determine additional training needs, (c) prompt discussions regarding compliance |
| Receive regular reports from compliance committee members on concerns in their respective departments | | |
| Send “secret shoppers” to anonymously review processes | | |
| Forms review: request from each department any forms that may cause a compliance problem; review the forms; provide recommendations for revisions to forms, as needed | | Billing worksheet, dunning cycle statements, expense tracking forms, time and effort tracking forms |
| **Effective Communication** | | |
| Publicize the chain of command for reporting | | |
| Create a mechanism for anonymous reporting | | Hotline, drop box, anonymous email, anonymous address |
| Maintain open lines of communication | | |
| Ensure that processes are in place to protect employees from retaliation | | |
| Develop a mechanism for providing feedback to anonymous reporters regarding issue resolution | | |
| Communicate with employees creatively and on an ongoing basis | | Postings, pamphlets, monthly compliance newsletters, compliance tip of the week |
| **Disciplinary Guidelines** | | |
| Determine an appropriate disciplinary action plan | | Verbal, verbal, written, suspension, termination |
| Ensure that employees know and understand the consequences of noncompliance | | |
| Enforce disciplinary action plans when situations of noncompliance arise | | (1) Punish inappropriate behavior and (2) prevent future occurrences |
| Involve human resources and legal when appropriate | | |
| **Responding Appropriately to Detected Offenses** | | |
| Investigate the report of misconduct in a timely manner: interview appropriate personnel; conduct site visits and walk-throughs; research applicable laws, regulations, and guidance; audit processes/documents as needed; obtain legal opinions, if needed | | |
| Maintain all investigation documentation | | |
| Determine if misconduct has occurred | | |
| Develop a corrective action plan: create or revise policies and procedures to ensure misconduct is not repeated; create or revise forms that may have influenced misconduct; provide education to the employee who acted inappropriately; provide education to all employees on the specific misconduct; revise flow charts or entire processes as needed; implement the disciplinary action plan, as appropriate | | Memoranda, topic at staff meeting, email, new policy and procedure distributed |