Seven Questions to Ask to Optimize Your Compliance Programs


Compliance Week put on a webinar covering Practical Guidance: Seven Questions to Ask to Optimize Your Compliance Programs. Bruce McCuaig, Vice President, Risk and Compliance and Mike Rost, Vice President, Marketing of Paisley presented.

Mike started off with some background of Paisley, then moved onto the “Why?” of Compliance. Companies want to avoid the downside that comes from compliance failures.

Bruce then took over and set forth the seven questions:

  1. Do you have an effective compliance program?
  2. Have you assessed the scope of your compliance program?
  3. Is your compliance program risk-based?
  4. Do you have effective controls over your compliance risks?
  5. Is your compliance program integrated?
  6. Are you leveraging technology to support your compliance program?
  7. Do you have a plan to instill and sustain your compliance program processes?

Effectiveness has a basis in the federal sentencing guidelines. You need to have culture of compliance. You need to be effective in prevention. You need to document standards and procedures. You need to communicate and report. There is a need for continual improvement.

In assessing the scope of your compliance program, you need to look at the laws, standards and regulations that you must comply with. What jurisdictions to you operate in? What subjects do I need to pay attention to? You need to take a top-down risk-based approach to address the scope of your program. You need to find the most significant risks to compliance.

To think about if your compliance program is risk-based, you need to look at the root cause of possible failure. They break it into three pieces. You need to look at behavioral or cultural factors, impact factors and external factors. Behavior focuses on people. Do your people know the rules. Impact factors look at systems and external are things outside your control.

For effective controls you need to know the rules, know the rules have to be followed. You also need to know when the rules are broken. If they are broken they need to be penalized for failure. It is important that employees read and certify that they understand the rules. Where compliance failures are a risk, the regulators expect there to be a dedicated compliance officer. You need to use compliance metrics.

An un-integrated approach has redundancy in testing and documentation, with common activities across business lines. Bruce sees five point of convergence:

  • Shared context in organization and process structure
  • Common language of risk and control
  • Common methodology
  • Enterprise wide reporting
  • GRC convergence technology

Bruce thinks technology is important. You need a library of intelligent information on laws and regulations. You need to manage the life-cycle of the policies and procedures. They are useful to show that everyone has read and affirmed their understanding of the policies.

Bruce labels the four steps of maturity: (1)  reacting, (2)  anticipating, (3) collaborating, and (4) orchestrating.

See also:

, , , ,


  1. Bits and Bytes - May 4, 2009

    GRC competency…

    We have briefly mentioned creating a GRC competency not only when implementing your GRC framework, but also for sustaining the effort. The GRC competency is a working team of internal audit, risk management and compliance experts outside the C-suite. …