Being involved in two advocacies, anti-corruption and data privacy protection, I am more and more convinced that reporting and monitoring constitute the nervous system of compliance programs. They bring potential concerns about misconduct to the compliance officer’s attention; they protect the management against criminal liabilities and safeguard the reputation of the organization. However, reporting and monitoring are also the most challenging parts of a compliance program to develop. This is mainly due to two factors:
- The imperative of setting up well-functioning training programs and robust policies and codes of conduct rests on a healthy risk assessment. If compliance modules are born out of an inadequate risk assessment, reporting and monitoring will eventually fail to deliver compliance officers with the right data as the compliance program components were not targeting relevant business risks in the first place.
- The dynamic of relaying information back and forth is at the heart of the reporting and monitoring systems, thus they must operate with a wide range of individuals, both inside and outside your business. These systems must be ready to encounter internal or external stimuli; translate those incidents into actionable intelligence; and relay that information to a central “brain” –the compliance officer and further up the responsibility chain – that can decide how best to respond.
That said, compliance officers should consider the following pointers when developing reporting and monitoring systems:
Carefully design reporting systems. Gather a complete picture of the business activities. Siloed data will hinder compliance officers from gaining comprehensive insight into business operations. Missing data, could mean key facts missing from a specific allegation of misconduct, siloed whistleblower reports, loopholes in investigations, etc.
Normalize and consolidate data. Normalize information as it flows upwards; consolidate disparate pieces of data into broader trends of compliance activity and send it along the correct executives. This process helps compliance officers ‘know what they want to know’ and react appropriately.
Develop escalation systems. The human element is crucial in detecting misconduct. In the same way that employees must know a reportable event when they see it, middle and senior managers (including the chief compliance officer) must know when an event or trend in data should be escalated and to whom. An effective escalation procedure matches an incident to the relevant persons in the enterprise with the right procedure to respond to it.
Automation is key. Manual processes are the mortal enemy of efficient reporting and monitoring systems. People might report data incorrectly, or submit it twice, or forget to submit it at all. The result is an inaccurate picture of compliance activity, exactly what any compliance officer wants to avoid. Effective reporting and monitoring systems should automate those manual processes out of existence wherever possible. The ideal is continuous monitoring, where the flow of data is constant and human intervention is minimal. These IT systems are available; we can assist organizations in the selection process.
In conclusion, reporting and monitoring are indispensable processes for an effective compliance program. Compliance officers want to rely on optimal reporting and monitoring systems to examine the right data delivered and understand what to do next. That is what effective reporting and monitoring help to bring about.
By: Henry J. Schumacher