Six Steps to Implementing Continuous Monitoring in your Compliance Program

Thomas R. Fox

Anti-corruption, anti-bribery, anti-money laundering programs policies and procedures and even export control systems are seemingly in a constant state of evolution. Many companies are struggling with the challenge of implementing effective controls and monitoring risks across a spectrum that could include the three above listed compliance areas as well as others. One area which is evolving into a minimum best practices requirement for compliance is that of Continuous Monitoring (CM).

While many companies will look at CM as a software solution that can assist your company in managing risk; provide reporting metrics and, thereby, insights across an organization, it should be viewed more holistically. You will need to take many disparate systems, usually across a wide international geographic area, which may seem like an overwhelming process. However help is at hand from an article in the November 2011 issue of the Compliance Week Magazine, entitled “Mission Impossible? Six steps to continuous monitoring”, where author Justin Offen discusses his six-point program to ensure that your “CM solution doesn’t become part of the problem” rather than a solution.

Reputational Compliance

1. Know your global IT footprint. Offen believes that the challenges with integrating “disparate data often prevent CM discussions from even getting off the ground.” Rather it is important to understand how CM will be incorporated into your company’s overall IT strategy as well as your compliance strategy. This advocates that this inquiry begins with understanding what your current IT structure is and what it is anticipated to be in 3 and 5 years. Once you identify your global IT footprint you can determine which system will be the best fit.
2. Define scope and necessary resources. The author believes that you need to determine what your goal is; begin by identifying your needs and then prioritize them. You should perform a risk analysis and then rank the risks. Here a risk ranking is not only helpful but can be critical to enable your company to focus on the needs specific of the organization. Regarding resources, you need to understand the amount of talent you have in your organization, identify who can implement and work with the system and determine your budget, which may need to be increased based upon your need for outside experts and unknown contingencies.
3. Conduct a pilot or proof of concept. Offen suggests that your company does not roll out an entire CM solution, company-wide, in one fell swoop but rather “business units and/or geographies should be prioritized and a phased in approach” utilized. This is one of the benefits of your risk analysis and risk ranking. This phased in approach can be used as a proof of concept, which the author believes “will yield greater operational efficiency throughout your CM solution implementation.” Significantly it should enable you to chalk up an early success to present to the inevitable nay-sayers in your organization.
4. Decrease false positives. Offen notes that it is “important to determine the effectiveness of each test prior to ‘turning it on’ in a CM solution.” This is because improper or incomplete testing may well lead to a larger amount of false positives with which you are required to evaluate and clear. From each test, you can further refine your CM solution to the specific needs of your organization and increase time and efficiency in your overall CM program.
5. Establish your escalation protocol. The author believes that as part of your implementation, you should establish a response protocol when an exception or Red Flag arises. This protocol should include an escalation protocol if the Red Flag suggests that it is warranted or additional investigation determines a wider problem exists. This protocol should include specific individuals and departments that need to be notified, the makeup of your initial and secondary triage team and the accountability for each person in the process. A line should be set up for Board of Directors notification as well as a protocol to determine at what point to bring in outside counsel, if warranted.
6. Demonstrate control through case management. How does your company keep track of it all? I have long maintained that the three most important words in any compliance program are “document, document and document” but this must also include the caveat that you are able to produce the documentation, in a reasonable time, if a regulator requests. Offen suggests that your company should be ready to “respond with appropriate documentation of any transaction that’s been reviewed, showing the level of review and any additional steps taken.”

Source: tfoxlaw