
What is a Compliance Framework? The Definitive Guide

Matt Kelly, October 23, 2020


So don’t die of surprise at this news, but sometimes companies don’t have a robust
compliance function. Which means that when they want to build that function—either
because the executive team is forward-thinking, or regulators have ordered corrective
action—the business needs to create a compliance framework.

Well, what exactly do we mean by that? What things does a compliance framework
provide, that lead to an effective compliance program?

A compliance framework is one of the most important tools a compliance officer can use
to build a program. So let’s take the time to unpack and understand everything
contained in those two words.

What Is a Compliance Framework?


Formally, a compliance framework is a structured set of guidelines to aggregate,
harmonize, and integrate all the compliance requirements that apply to your
organization.

In practice, a compliance framework lets you take a collection of documents—policy
manuals, procedure descriptions, mission statements, regulatory mandates, control
documentation—and meld those things into one cohesive whole. A compliance
framework brings order to the ceaseless stream of regulatory mandates that rain down
on a large organization so that when something new comes along, you have a method
for integrating that new requirement into your existing approach to compliance.

Compliance frameworks are usually tailored to a specific issue. For example, you might
follow one framework to guide your anti-bribery compliance, another to guide your data
privacy compliance, and a third to guide anti-discrimination compliance. Your
compliance program would use those frameworks to measure its progress on all three
issues. (How, exactly? We’ll get to that shortly.)

Why Do Compliance Frameworks Exist?

Well, just imagine how you would develop a compliance program without frameworks.

In all likelihood, you couldn’t. You would miss too many steps, or take certain steps out
of ideal order and end up repeating your work, or repeat the same step over and over
and waste program resources. Some parts of the enterprise might be managing
compliance risk brilliantly, while another part is managing the same risk terribly—and
you, the compliance officer, might not be aware of the discrepancy. Which could lead to
awkward conversations with regulators if you experience a compliance failure, and
those regulators start asking about the effectiveness of your compliance program.

Put another way: compliance frameworks exist to help compliance officers build a
compliance program efficiently.

Let’s remember that all large organizations already have at least some compliance
activities happening around their enterprise, and many will even have quite a lot of
compliance activity happening. Your job as a compliance officer is to wrestle all that
activity into one disciplined program that meets all the regulatory obligations your
company has. A compliance framework lets you proceed through that work in a
methodical way, so you can reap the most benefit for the least expense of time,
resources—and your own sanity!

Moreover, compliance frameworks provide a standard that others can use to judge your
compliance program. That is, when regulators (or the board, or auditors, or business
partners) ask, “How strong is your compliance program? Why did you build it the way
you did?”—you can map your program and its activities to what those frameworks
require. Those parties can then better understand the program improvements you’ve
already made or the ones you still need to make.

How Do You Implement a Compliance Framework?

You implement a compliance framework first by finding a framework that you can use
and then comparing what that framework requires against what your company already
does. That analysis reveals the gaps in your compliance program, and you remediate
those gaps one step at a time.

Of course, the reality of implementing a framework is more complicated than that
abstract theory. So let’s consider an example from the anti-bribery world.

You would begin by researching where you could find an anti-bribery framework. For
example, the U.S. Justice Department has published lengthy guidance in the form of the
FCPA Resource Guide. The U.K. Serious Fraud Office (SFO) has published its own
guidance about adequate procedures for the U.K. Bribery Act. ISO 37001 is a standard
for anti-bribery management systems. Any number of professional services firms could
also help you identify an anti-bribery framework or fashion one together from regulatory
guidance.

Then comes the gap analysis: comparing what that framework requires for a
compliance program, against what your compliance program already does.

Let’s say the compliance framework requires that your company have an anti-bribery
policy, procedures to help employees follow that policy, and controls to assure that
employees can’t easily evade those policies and procedures. How do all those things fit
together? We’ll consider each one in turn.

Compliance with Company Policies


A policy is a written statement about how your company views certain risks. It can be a
simple rule that states what the company’s compliance objective is. So for anti-bribery,
the policy could be something like:

The company is committed to conducting its business in an ethical, honest, and
transparent manner. Bribery and corruption are not consistent with our values, and
present significant risks to our business. Therefore employees should never offer, give,
solicit, or accept a bribe, whether cash or other inducement, to or from any person or
company. The company is committed to the prevention, deterrence, and detection of
bribery and corruption.

Corporate policies are the backbone of a compliance program. Unto itself, however, a
policy usually does little to teach employees (or agents and other third parties) how to
act when faced with a particular temptation or risk. That’s where procedures come in.

What Are Compliance Procedures?


Procedures provide employees and agents with guidance about how to act under
certain circumstances, to ensure that they don’t violate corporate policies.

For example, you could require employees to seek approval from the legal or finance
department demonstrating a legitimate business purpose before offering to pay travel
and lodging expenses for a foreign government official. You could also require
prospective agents to complete a due diligence questionnaire, or have employees
complete their own due diligence checklists as part of the agent pre-hire process.

A compliance framework will help you understand what procedures you should put into
place. As you can imagine, the total number of procedures necessary to operate a
global anti-bribery program can grow quite large—procedures to submit requests,
procedures to review requests, procedures to document decisions, and so forth. A
framework can identify which ones make the most sense for your organization, and
clarify the work that will be necessary to put those procedures into effect.

What Are Compliance Controls?


Controls, by contrast, are specific checks or gateways intended to prevent improper
transactions from happening. They’re usually administered by accounting or compliance
personnel—or, even better, are automated parts of your IT systems—to help assure
that policies and procedures aren’t subverted.

For example, a control could be something as simple as requiring two authorized
signatures on an approval to spend money entertaining a foreign official; or as complex
as disallowing any payment to an agent or reseller whose due diligence isn’t already
complete. Another might be to disallow any spending requests at all from employees
who haven’t completed necessary anti-bribery training or policy attestations.

All controls aim at the same goal: control and oversight of corporate transactions, so
those transactions unfold according to company policy and regulatory obligations.

Tying Your Frameworks Together


As we mentioned, most large organizations will use multiple compliance frameworks at
the same time, to chart their progress on multiple compliance obligations. And when you
consider the myriad steps involved even within one compliance framework—the
remediation work to build and maintain a robust compliance program can be
overwhelming.

To that end, compliance officers must consider what technology they can use to
coordinate their frameworks and remediation steps. Those tools can map regulatory
requirements to specific policies, procedures, and controls; and let you see which of
those items you don’t currently have. Then you can prioritize remediation work, assign
tasks, monitor progress, and report your program’s compliance posture to senior
executives.
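To make the two preceding ideas concrete (the automated controls from the "What Are Compliance Controls?" section, and the mapping of framework requirements to controls that exposes gaps, described just above), here is an added "policy as code" illustration. It is not code from the article or from any compliance product; every name, requirement ID and sample request in it is constructed for the example. The three controls are the ones the article names: gating all spending on training and policy attestation, blocking payments to agents whose due diligence is open, and requiring two distinct signatures to entertain a foreign official.

```python
# Added illustration of "policy as code": the automated controls this article
# describes, written as checks over a spending request, plus a map from
# framework requirements to controls so uncovered requirements show up as gaps.
# Hypothetical names and placeholder requirement IDs throughout; not code from
# the article or any compliance product.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    name: str
    training_complete: bool       # finished anti-bribery training
    policy_attested: bool         # signed the policy attestation


@dataclass(frozen=True)
class Agent:
    name: str
    due_diligence_complete: bool  # pre-hire questionnaire reviewed and closed


@dataclass(frozen=True)
class SpendRequest:
    requester: Employee
    amount: float
    purpose: str
    payee_agent: Optional[Agent] = None        # set when paying an intermediary
    entertains_foreign_official: bool = False
    approver_signatures: Tuple[str, ...] = ()  # names of authorized approvers


# A control inspects a request and returns a denial reason, or None to pass.
Control = Callable[[SpendRequest], Optional[str]]


def gate_training_and_attestation(req: SpendRequest) -> Optional[str]:
    """Block any spending from staff who have not completed training/attestation."""
    if not req.requester.training_complete:
        return f"{req.requester.name}: anti-bribery training not complete"
    if not req.requester.policy_attested:
        return f"{req.requester.name}: policy attestation missing"
    return None


def gate_agent_due_diligence(req: SpendRequest) -> Optional[str]:
    """Disallow payments to agents or resellers whose due diligence is open."""
    if req.payee_agent is not None and not req.payee_agent.due_diligence_complete:
        return f"agent {req.payee_agent.name}: due diligence not complete"
    return None


def gate_two_signatures_for_officials(req: SpendRequest) -> Optional[str]:
    """Entertaining a foreign official needs two distinct authorized signatures."""
    if req.entertains_foreign_official and len(set(req.approver_signatures)) < 2:
        return "entertaining a foreign official requires two authorized signatures"
    return None


# Placeholder requirement IDs (not from any real framework) mapped to the control
# that satisfies each. A requirement mapped to None is an open remediation gap.
FRAMEWORK_MAP: Dict[str, Optional[Control]] = {
    "REQ-TRAINING-GATE": gate_training_and_attestation,
    "REQ-AGENT-DD": gate_agent_due_diligence,
    "REQ-DUAL-APPROVAL": gate_two_signatures_for_officials,
    "REQ-GIFT-REGISTER": None,  # hospitality register control not built yet
}


def coverage_gaps(framework: Dict[str, Optional[Control]]) -> List[str]:
    """Requirements that no implemented control maps to."""
    return sorted(rid for rid, ctrl in framework.items() if ctrl is None)


def evaluate(req: SpendRequest,
             framework: Dict[str, Optional[Control]] = FRAMEWORK_MAP) -> Tuple[bool, List[str]]:
    """Run every implemented control; the request passes only if none objects."""
    reasons = [r for ctrl in framework.values() if ctrl is not None
               for r in [ctrl(req)] if r]
    return (not reasons, reasons)


# Constructed sample data (not from the article).
ALICE = Employee("alice", training_complete=True, policy_attested=True)
BOB = Employee("bob", training_complete=False, policy_attested=True)
VETTED_AGENT = Agent("northstar-ltd", due_diligence_complete=True)
UNVETTED_AGENT = Agent("quickwin-gmbh", due_diligence_complete=False)

SAMPLE_REQUESTS = {
    "vetted_agent_fee": SpendRequest(ALICE, 5000.0, "commission", payee_agent=VETTED_AGENT),
    "unvetted_agent_fee": SpendRequest(ALICE, 5000.0, "commission", payee_agent=UNVETTED_AGENT),
    "official_dinner_one_sig": SpendRequest(ALICE, 300.0, "ministry dinner",
                                            entertains_foreign_official=True,
                                            approver_signatures=("cfo",)),
    "official_dinner_two_sigs": SpendRequest(ALICE, 300.0, "ministry dinner",
                                             entertains_foreign_official=True,
                                             approver_signatures=("cfo", "gc")),
    "untrained_requester": SpendRequest(BOB, 50.0, "taxi"),
}


def run_samples() -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate each constructed request and return the allow/deny decisions."""
    return {name: evaluate(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (ok, reasons) in run_samples().items():
        print(f"{name:26} {'ALLOW' if ok else 'DENY '} {'; '.join(reasons)}")
    print("gaps:", coverage_gaps(FRAMEWORK_MAP))
```

The design point is that each control returns a reason rather than a bare boolean, so a denial carries the evidence an auditor or regulator would ask for, and the requirement-to-control map doubles as the gap analysis: anything still mapped to None is remediation work to prioritize.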

That’s the rigor and structure that an effective compliance program needs. That’s what
compliance frameworks provide.
