The Board of Governors of the Federal Reserve System has traditionally defined compliance risk as "the risk of legal or regulatory sanctions, financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with all applicable laws, regulations, codes of conduct and standards of good practice." To ensure adherence to the governing laws and regulations, most banking institutions have an enterprise compliance program/framework in place; this framework generally consists of the following elements – Standards and Procedures, Governance (Oversight), Training, Enforcement, Monitoring (Testing), and Corrective Action Reporting.
1) Standards and Procedures – Written policies and procedures are essential to the organization's establishment of guidelines for associates to follow to remain compliant with the governing laws and regulations. The policies and procedures are viewed as the roadmap for enterprise compliance; they are the foundation on which employee training is based.
2) Governance (Oversight) – An effective compliance framework requires management oversight; the old adage of "leading by example" is at the forefront of a robust compliance program. Communicating the importance of compliance to the organization, explaining the repercussions of non-compliance, and fostering adoption of the compliance program fall on the "shoulders" of the governance (oversight) group.
3) Training – It is not enough to have written policies and procedures in place that outline how employees are to comply with rules and regulations; employees must be educated. Implementing a formal education, training, and adoption plan ensures that employees are aware of policies and procedures and understand their respective roles in adopting and following the guidelines.
4) Enforcement – Within the written policies and procedures, there is generally a section devoted to explaining the disciplinary actions that can be taken in the event that associates fail to adhere to compliance policies. In many organizations, failure to comply with policies results in additional policy training, notations of non-compliance in employee files, and/or termination of associates. It is the responsibility of the organization to ensure that the disciplinary guidelines are well publicized/communicated to all associates.
5) Monitoring (Testing) – Organizations must periodically review (audit) their compliance program in order to ensure that it has been adopted by all associates and that it remains effective. There are two types of monitoring that can occur: independent auditing and internal auditing. Independent auditing typically occurs during a pre-defined period of time, while internal monitoring should be ongoing. Internal auditing helps to reveal "breaks" in the program and provide adequate time to implement corrective actions prior to independent auditing.
6) Corrective Action Reporting – Upon the conclusion of monitoring/auditing of the compliance program, auditors will provide a report of all findings to the organization. It is up to the organization to provide a timely, written response to any non-compliant findings; this response should contain the organization's plan to modify and improve the areas of non-compliance and the timeline within which the organization endeavors to become compliant.
As policy makers continue to introduce new governing laws and regulations and modify existing ones, it is important that organizations have a strong compliance program in place. The absence of such programs will undoubtedly yield sanctions and reprimands when organizations are found to be non-compliant. There are a number of elements that can vary within the compliance framework from organization to organization; however, the aforementioned elements are consistently found amongst the most robust, comprehensive, and, more importantly, successful compliance programs.