Developing a compliance management system
⇐ Continued from Beginners’ Guide to CMS
Step 5: Compliance policy and procedure templates
Once you have identified your compliance obligations and commitments, your next step is to create your compliance policy and procedure templates. One or more of the following documents may be required for each compliance obligation or commitment you have identified:
It is possible to combine the compliance policy and procedure templates, and in most cases this is recommended, in order to reduce complexity and the sheer number of documents required for your organisation. However, in combining the compliance policy and procedure templates, you need to make sure that all compliance obligations and compliance commitments are captured, or otherwise have a process implemented for identifying, complying with, monitoring and training your staff on new obligations or commitments that may be imposed on your organisation.
Resources ⇒ Use our Compliance Resources as a basis for creating your compliance documents.
For clients on any of our compliance programs, your set of compliance policy and procedure templates may be downloaded from your dedicated Workspace. We can customise them for you if you require.
Step 6: Other high value content
You also need to identify all other high value content required for your compliance obligations and commitments. Such content may include the following:
- contracts, agreements, proposals with clients, vendors and suppliers
- shareholder agreements, shareholder and director loan agreements
- contracts with employees, contractors, consultants and directors
- operational workflow charts and process diagrams
- product description statements, information memorandums
- business plans, business proposals, strategy statements
- user guides, user manuals and knowledge bases
Resources ⇒ Use our Legal Templates and Business Templates for creating your content.
Again, for clients on any of our compliance programs, your set of templates may be downloaded from your dedicated Workspace.
Our legal and compliance consulting service can customise all your documents for you.
Step 7: Central document repository
Once you have developed your compliance policy and procedure templates and legal and business content, you need to create a central repository for all your documentation. Your dedicated Workspace may be used for this purpose.
A central document repository should have the following features:
- allow for a record of document versions
- provide document approval workflow functionality
- be accessible by all your team members
- be easy to implement and integrate with your existing operational processes
An example of a Workspace which has been used as a central document repository may be found on our demo site.
(Note: If you find that you cannot log in, please request access from our Accounts team.)
Larger organisations may require much more sophisticated compliance management systems with document management systems that can integrate, from a software perspective, with customer management, contract management and other business systems. If you are looking for such systems, we can help recommend options for you.
Step 8: Procedures and processes
The next step in the compliance management system implementation process is to customise the procedures and processes for each compliance obligation or commitment. While you developed your compliance policy and procedure templates in Step 4, you will still need to check that the procedures created are appropriate for each compliance obligation or commitment.
Obligations with a high risk of non-compliance or with severe consequences will need to have a more robust procedure as part of your risk management strategy. If you have completed our Assessment Questionnaire, you can refer to our Compliance Risk Assessment Report to help identify your highest risks of non-compliance. For clients on our compliance programs, the Report has been made available to you from your dedicated Workspace.
Your procedure documentation should outline the following:
- actions needed to comply with compliance obligations (as may be contained in the relevant compliance documentation above)
- actions needed to identify any additional compliance obligations (especially in relation to any new business activity, product or service)
- actions needed to keep up-to-date with changes in compliance obligations
- actions needed to minimise risk of non-compliance
- resources required for such actions
- responsible persons
- time for completion of actions
- how results will be evaluated
Resources ⇒ Our Compliance Resources including procedure documentation may be adapted to suit your organisation’s processes.
Resources ⇒ Our compliance management program includes publication of regular newsletters on updates of regulatory changes which you can subscribe to.
Step 9: Compliance management procedures
As part of the previous step, you will also need to establish compliance management procedures setting out the workflow for the operation of the compliance management system and subsequent maintenance, monitoring and continuous improvement processes.
In addition, controls should be built into the various compliance management procedures established in the procedure documentation. Effective controls result in an effective system, which in turn results in desired behaviours being achieved.
Controls may include:
- creating systems and exceptions reports
- creating annual compliance plans
- creating employee performance plans
- building in approval requirements in your procedural workflows
- having regular internal and external communications on compliance
- having demonstrated management commitment to compliant behaviour (on everyday tasks)
Resources ⇒ Use our Compliance Management Procedures template as a basis for developing and creating your compliance management procedures.
Step 10: Compliance schedule
A compliance schedule sets out the timelines and deadlines for taking specific actions required for compliance described above. These include:
- actions required to meet compliance obligations
- actions required following the compliance procedure documentation, and
- actions required for controls.
The schedule should be included in the relevant compliance registers required as part of your compliance documentation.
Resources ⇒ Our Compliance Resources include Compliance Registers which may be used as examples for developing your organisation’s registers. We also have pre-filled Compliance Obligation Schedules for compliance action items or tasks which may be imported into your organisation’s calendar.
Step 11: Operationalise the system
Once all compliance policy and procedure templates, processes and schedules have been developed, and your stakeholders have signed off on them, the next step is to operationalise your compliance management system. Operationalising the system means that all employees and staff in your organisation, including all directors, officers and management, are trained on the system, understand the rules and policies contained in your compliance documentation and are thereafter able to follow the compliance procedures and processes that you have developed.
If your organisation is large or if you are looking at implementing new processes and procedures, we recommend that dry runs (or trial runs) be carried out before the system is operationalised. This way, kinks in the system may be ironed out and procedures and processes adjusted before compliance training begins.
Step 12: Compliance training
As part of operationalising the compliance management system, staff training is essential. Types of compliance training include the following:
- Training on the system
- Training on general compliance obligations
- Training on management compliance obligations (for directors, officers and managers)
- Training on industry-specific obligations
- Training on various procedures and processes
Having a once-off staff training session is never enough to maintain an effective and responsive compliance management system and you will need to schedule regular training sessions with the staff.
Resources ⇒ A compliance training schedule template is available from your Workspace and sessions on compliance, contract and sales management training may be scheduled with staff using our Compliance Training Courses.
Step 13: Reporting and analytics
Monitoring of the compliance management system needs to be implemented to measure performance and to ensure that desired outcomes are achieved. Reports of results of such monitoring should be prepared, non-compliance reviewed and breaches remedied as part of the monitoring and reporting process.
The Australian and international standards for compliance management systems (ISO 19600:2015) prescribe the following types of monitoring and reporting:
Monitoring of the compliance management system
- Effectiveness of training
- Effectiveness of controls
- Effective allocation of responsibilities for meeting compliance obligations
- Currency of compliance obligations
- Effectiveness in addressing compliance failures previously identified
- Results from audits and monitoring activities
Monitoring of compliance performance
- Instances of non-compliance and near-misses
- Instances where internal compliance obligations are not met
- Status of compliance culture
- Key performance indicators established by the organisation including:
  - percentage of employees trained effectively
  - frequency of contact by regulatory bodies
  - internal use of feedback mechanisms
  - types of corrective actions undertaken for non-compliance activities
  - consequences of non-compliance including imposition of fines, penalties, damage to reputation etc
  - amount of time taken to report and take corrective action, and
  - non-compliance trends and compliance culture of the organisation.
In certain industries such as the financial services and credit industries, audit and compliance reports are required to be submitted to the relevant regulatory body.
Resources ⇒ Our Compliance Resources include compliance plans and reports which may be adapted for your organisation.
For clients on any of our compliance programs, your set of templates may be downloaded from your dedicated Workspace.
Step 14: Continuous improvement processes
Regular management reviews and continuous improvement processes of the compliance management system and compliance performance should be scheduled, implemented and carried out by the organisation. Types of reviews and continuous improvement processes include the following:
- Review of training, controls and allocation of responsibilities
- Review of non-compliance and effectiveness of corrective actions
- Review of results from audits and compliance monitoring activities
- Review of key performance indicators (described above)
- Improve on the compliance management system
Our compliance plans and reports templates cover schedules for such reviews.
Step 15: CMS roadmap
Finally, a compliance management system roadmap should be developed in conjunction with general reviews of the organisation’s systems, technology and resources. Implementing the compliance management system roadmap should be tied in with the continuous improvement and development processes of such systems and your organisation’s products and services, with a focus on maximising customer experience and increasing value.
If you need more in-depth advice on compliance, our Compliance Consulting Services may be able to assist. If you are new to compliance, and are looking for compliance resources, learn more about our compliance programs.