A Compliance Management System (CMS) eliminates or minimizes risk from litigations, sanctions, noncompliance with government regulations, and unfair lending practices. A good CMS is essential for businesses operating today. But staying on the right side of applicable laws was not always seen as a value added to business.
Historically, public outcry against outrageous business practices is what leads to compliance regulation. For example, in 1906, Upton Sinclair’s The Jungle exposed unsafe processes in the meat packing industry. As a result, the Food and Drug Administration, then called the Bureau of Chemistry, was charged with enforcing the Pure Food and Drugs Act to protect consumers and drawdown public dissatisfaction.
This wasn’t the last controversy to lead to legal changes. In 1977, the Foreign Corrupt Practices Act was created after investigations exposed more than 400 U.S. companies who admitted making questionable payments to foreign governments. In 1985, outcry over toilet seats purchased by the Navy for $600 led to government-wide guidelines for ethical practices for contractors. These examples and many more were the impetus for the robust CMS programs seen in many businesses today.
What Is a Compliance Management System?
A CMS is a repository of processes, procedures, and policies that ensures a business is operationally adhering to government regulations. A CMS program is integrated into a business with relevant documentation, controls, and tools to comply with legal requirements and ensure minimal harm is done to consumers and employees.
A good compliance management system has four components to eliminate or mitigate infractions.
|4 Components of a Compliance Management System|
|Policies||Set by management and followed by employees|
|Processes||Documented and comply with established regulations|
|Training||Implemented during the hiring process and refreshed as standards change|
|Monitoring||Recursively checking for compliance in business transactions|
Implementing a CMS
CMS programs are an integral part of a successful business in today’s social media-conscious society. A lack of compliance management today can cost millions of dollars in fines, and a social media boycott of a business can be irrevocably damaging to a business’ brand reputation and market share. In addition to robust compliance policies, a company’s CMS must be implemented and supported at the highest levels of an organization, starting with the board of directors and executives. Leadership must have a clearly defined mission statement about compliance that is explicitly communicated to employees and third-party providers.
Senior management personnel have a key role in ensuring adequate manpower and financial resources are dedicated to the organization’s ethics and compliance initiatives. Senior management are further responsible for ensuring all employees understand the CMS, and that the best practices and procedures are fully implemented. Management at this level constantly strives to improve upon the best practices and procedures; the goal for management is to always be in a state of full compliance (or becoming compliant) on business products or transactions.
A good CMS program also includes a compliance officer who reports directly to the board of directors. The compliance officer makes sure the business is complying with external regulatory and legal requirements. They also audit the internal business policies, processes, and practices; the officer strives to confirm the business is perpetually in compliance.
Read more: DACI: Top Decison-Making Framework
Do All Businesses Need a CMS?
Businesses that do not have a compliance management system expose themselves to multiple risks. If a business is not in a state of compliance, then applicable CMS policies and procedures must be put in place until compliance is attained. There are numerous ways to be non-compliant, depending on the services and products a business provides. Lucidchart lists several compliance audits a business might face, including:
- Sarbanes-Oxley Act (SOX): Rules for electronic records management, data protection, executive accountability, and internal controls reporting
- General Data Protection Regulation (GDPR): Standards for collecting and handling the data of EU citizens, including obtaining consent and anonymizing data
- Health Insurance Portability and Accountability Act of 1996 (HIPAA): Mandated security procedures to protect data privacy and patient confidentiality
A compliance audit can be internal or external. A compliance officer performing an internal audit can make recommendations to the board of directors if they find business processes falling out of compliancy. An external auditor can mandate changes to address the noncompliant issue, and follow up later to ensure compliance. Any findings by an external auditor can also result in sanctions.
Business can also be sanctioned for failure to respond to consumer complaints in a timely manner. Lack of a managed, repeatable method for responding to consumer complaints increases the likelihood of costly sanctions. A standardized consumer complaint program is one of the pillars of a sound compliance management system, so response time and action taken to address a consumer complaint need to be recorded and retained.
New or modified regulation can also impose changes on a business. A dynamic and proactive CMS program will quickly adapt to shifts in compliance, and be constantly moving towards becoming compliant again. If a company is not in compliance or becoming compliant within an acceptable time frame, it is exposing itself to non-compliance infractions.
Examples of Successful and Unsuccessful CMS
With all the laws and regulatory policies that businesses are subject to, a robust and active CMS program can save a business millions by avoiding sanctions and bad publicity. Promedica has a 33-page compliance plan that covers the gamut of a CMS program, from what a compliance plan is to how to report a compliance concern. As such, a business creating a strong CMS can look to Promedica’s example.
Here are some features of a robust CMS:
- A CMS organizational structure
- Policies and standards for all applicable laws
- Auditing and monitoring
- Reporting process
- Discipline policy
- Remediation process
Conversely, a business with notable gaps in its CMS can permanently damage itself and the public at large. Enron is a prime example of a porous CMS that lacked substantial checks and balances on business decisions.
Enron’s sudden collapse in 2001 caused significant disruption to the energy and communications markets, as the company falsified its accounting for nearly 18 months prior. When the dust settled, the scope of Enron’s financial abuses was staggering. Enron “assigned business losses and near-worthless assets to unconsolidated partnerships and ‘special purpose entities.’ In other words, the firm’s public accounting statements pretended that losses were occurring not to Enron, but to […] ostensibly independent firms that […] were in fact accounting contrivances created and entirely controlled by Enron’s management,” according to a contemporary Congressional report. “In addition, Enron appears to have disguised bank loans as energy derivatives trades to conceal the extent of its indebtedness.”
These actions were so bad, Senator Paul Sarbanes and Representative Michael Oxley drafted legislation called the Sarbanes-Oxley Act (SOX) to protect investors from businesses creating false financial reports. The SOX Act holds auditors, corporate officers, and accountants accountable for accurate recordkeeping standards.
Read more: Types of Risk in Project Management
Types of Compliance Management System Software
Many of the CMS software packages available can work across multiple industries, from banking to healthcare to commercial real estate. Hyperproof, for example, supports multiple frameworks, including GDPR, SOC2, HIPAA, SOX, and more. Depending on the vendor, general CMS software can be offered as part of an all-in-one solution for compliance, risk management, business continuity, and more.
There are similarities across all CMS software packages, but some provide in-depth support via industry-specific CMS modules. For example, Onspring has an incident and problem management module that meets the needs of the automotive and aircraft maintenance industry. Governance, risk, and compliance (GRC) software can also be applied across multiple industries, though GRC is specific to IT-related operations. GRC modules are part of most CMS software.
It’s important to note that updating CMS software is required when newly implemented laws go into effect, or when updates are made to existing laws. To ensure CMS software is continuously accurate, the software can be configured to update immediately upon notification of an update, even after business hours.
End of Service (EOS) or End of Life (EOL) notifications regarding a CMS software package are announced years or months before it is no longer supported by the vendor. This gives a business plenty of time to purchase upgraded CMS software, so a business should never be in a non-compliant state due to software becoming obsolete.
A good compliance management system is the foundation for best business practices, so it’s important to implement a CMS program thoughtfully. With all the available CMS software options, a business can generally find the package that will meet its specific needs.
Read next: Best Project Management Software for 2021