If you find yourself needing to develop a compliance program and asking, “What do I need to do, and where do I start?”, look no further. What you need to do first is determine what your product offerings will be, so you know which regulatory frameworks apply and must be considered. You will then need to design an effective compliance program based on the U.S. Department of Health and Human Services Office of Inspector General’s seven elements of an effective compliance program, taking into account your organization’s unique product offering(s), size, and structure.[1] You are probably now asking yourself: “How do I do this?”
Designing and implementing a new compliance program is like setting sail and discovering a whole new world. We would suggest the following outline to get started:
- Architecture and design of the vessel
- Getting the crew on board
- Mapping the course
- Setting sail
- Adjusting to life in the new world
Architecture and design of the vessel
Begin by mapping out your compliance program’s structure and design. At this stage, the design should be drafted in a form that can be modified easily, as it is almost guaranteed to change as you move forward. The design and its presentation are very important, as they will be used to gain buy-in from organizational leadership and staff. In drafting, you must consider and align with the applicable regulatory frameworks (i.e., requirements), applicable audit protocols and reporting requirements, areas of risk, organizational size, the knowledge and experience of available resources, and the organization’s culture, mission, values, and objectives.
The program structure should be designed around the seven elements of an effective program and intended to prevent, detect, and correct noncompliance. Examples of preventive measures include drafting policies and procedures, conducting training and routine risk assessments, and implementing a structure with clear roles and responsibilities. Detective measures might include establishing effective communication and reporting channels, such as a hotline, and conducting both organizational and departmental monitoring and auditing activities and reporting. Each department should implement departmental monitoring to validate compliance with applicable requirements and make the results available to compliance. We recommend that the compliance department own organizational monitoring and auditing of adherence to regulatory requirements, and use it to oversee the departmental processes. Organizational monitoring may include tracking and trending (e.g., dashboard reporting) to ensure the organization is compliant and always audit-ready. Auditing may include mock audits based on regulatory audit protocols, but it does not include other organizational audits typically performed by an internal audit department, such as financial control audits. Corrective measures include processes that support timely and thorough investigation of and response to suspected or identified issues, impact analysis, root cause determination, documentation, and reporting.
A key decision in the early stages of building your compliance program is whether to build a centralized or a hybrid structure. In a centralized model, the compliance department staff manages all seven elements with minimal assistance from the operational areas. In a hybrid model, responsibility is shared more broadly, and processes are designed so that operational and compliance responsibilities work hand in hand. In our experience the hybrid model is the most effective, and multiple sources note it as an industry best practice. This model is also supported by the popular three lines of defense model: frontline staff are equipped to defend compliance as the first line; compliance serves as the second line by implementing the structure that supports compliance and conducting oversight; and the third line is a function such as internal audit, which provides formal, objective oversight through audits. The program structure and design depend heavily on the culture of your organization and the knowledge and experience of available resources. When adopting a hybrid model, we recommend identifying, educating, and building strong relationships with an accountable owner in each operational area to serve as a liaison and subject matter expert for compliance. Additional resource needs should be considered once the structure is defined.
The structure of your program must also consider the responsibilities, systems, processes, and cross-functional impact of other vital functions that may be established independently of compliance, such as legal, human resources, internal audit, fraud, privacy, and security. These partners are critical allies who help carry the compliance message and coordinate efficient execution of compliance program requirements, especially where responsibilities overlap. It is vital to clearly define and coordinate the role of these partners early on, build them into the framework, and avoid duplicative or contradictory work.