Once your compliance policies have been finalized and distributed to the appropriate personnel, you may feel the hard work is complete. You deserve a moment to breathe and congratulate yourself on a job well done! Before you file the policies away, however, take a moment to lay the groundwork for the ongoing development and testing that must take place in order to reflect changes to legal requirements and business practices. What worked well for your organization on Day 1 may not reflect your organization’s future practices or legal standards.
Many organizations invest significant resources to create policies and procedures and then bury the materials online or in a binder, where they never see the light of day until the policy is challenged. Alternatively, some organizations only dust off their policies once a well-known legal amendment has gone into effect. Of course, both of these situations may prompt review, but an effective testing procedure should be built on the expectation that policies will be reviewed and updated according to a set schedule.
The most common schedule is to perform an annual review to determine if any legal requirements have changed. For organizations that have either too many documents or too few staff to perform an annual review on all documents, consider a tiered system. Under this approach, certain high-risk policies are reviewed annually while others are reviewed less frequently or on a rolling schedule.
Another important element of a testing protocol is to identify the appropriate person who will perform the compliance testing. Organizations that have internal auditors and in-house attorneys often look to these resources to fulfill the monitoring and testing responsibilities. These resources may be a tremendous first line of defense, but they may also carry institutional biases that cloud their view of risk, whether reputational or legal.
Further, carefully consider which outside resources should be employed and how to go about doing so. For example, recent settlement agreements and consent orders with the Consumer Financial Protection Bureau have cited evidence from third-party consultants. These organizations likely acted in good faith in testing their practices and using industry specialists, but the reports appear to have caused unintended consequences, since examiners used findings in the reports to initiate or supplement enforcement actions. These external auditors certainly provide a valuable service, and organizations should continue to engage their expertise while also carefully considering how to review and correct any findings.
If your board of directors has been engaged in the initial implementation of a policy, you should expect to periodically update them on the testing results. The board should not only authorize and adopt the compliance policies but should also expect to receive timely reports from management as to how testing will be performed. The board should also require that any corrective action be taken in a timely manner.
A robust testing procedure should be based on well-defined benchmarks, whether they are the governing law or an internal business standard. The individual, department or outside advisor that is tasked with testing needs to have the appropriate expertise and qualifications to identify the correct legal issues, standards and compliance elements. Once the appropriate issues are identified, many organizations find that a scorecard or similar tool that parses discrete issues and responses best supports their ongoing testing system.
Finally, if issues of non-compliance are identified, the testing procedure should schedule a response to the issue and follow up to correct the deficiency. Depending on what issue is revealed, the organization should consider both prospective changes to a business practice and retroactive corrective actions.