Compliance Program Effectiveness

This weekend, I was preparing a gap analysis of a Compliance program.   After having experience implementing COMPLIANCE across various sectors – from state-owned enterprises and municipal and regional-owned companies to private sector organizations – I came to a clear conclusion about what is essential for an EFFECTIVE compliance program:   1. COMPETENCE ↳ An effective compliance program starts with competencies. Where does compliance risk arise? Wherever people work. To minimize that risk, we must provide employees with the knowledge and skills necessary to responsibly perform their tasks.   2. POLICY AND PROCEDURE ↳ Policies and procedures must be clearly defined. They should not only meet regulatory requirements but also help employees understand why certain behaviors are important.   3. ROLES AND RESPONSIBILITIES ↳ Every individual must clearly understand their responsibilities within the compliance framework. Clarity reduces the risk of errors and strengthens personal accountability.   4. SPEAK UP ↳ A culture where employees feel free to report irregularities or suggest improvements is crucial for strengthening the compliance program. It is easy to write this down but very challenging to achieve in practice.   5. COMMUNICATIONS ↳ Open, clear, and two-way communication about rules, expectations, and opportunities is key for effective compliance implementation.   6. CONTINUAL IMPROVEMENT ↳ Compliance is not static. The program must continually adapt to changes in the business environment and proactively prevent future irregularities.   7. BALANCE OF RISK AND GOALS ↳ To foster truly responsible behavior, organizations must balance ambitious targets with acceptable levels of risk. Excessive pressure, unrealistic expectations, and constant high stress not only undermine compliance efforts, but they also actively create an environment where mistakes, omissions, and misconduct become more likely. And most importantly...   8. LEADERSHIP COMMITMENT ↳ When leadership actively lives and integrates all these elements – competence development, purposeful procedures, clear roles, open communication, a speak-up culture, continuous improvement, and balance of risk and goals, they demonstrate true commitment to compliance.   📌 Compliance must be a living system of values, and employees should feel it as part of their professional purpose, not as an imposed rule.   Wishing you a successful start to Compliance Week! 👋 #compliance

The DOJ consistently says that compliance programs should be effective, data-driven, and focused on whether employees are actually learning. Yet... The standard training "data" is literally just completion data! Imagine if I asked a revenue leader how their sales team was doing and the leader said, "100% of our sales reps came to work today." I'd be furious! How can I assess effectiveness if all I have is an attendance list? Compliance leaders I chat with want to move to a data-driven approach but change management is hard, especially with clunky tech. Plus, it's tricky to know where to start– you often can't go from 0 to 60 in a quarter. In case this serves as inspiration, here are a few things Ethena customers are doing to make their compliance programs data-driven and learning-focused: 1. Employee-driven learning: One customer is asking, at the beginning of their code of conduct training, "Which topic do you want to learn more about?" and then offering a list. Employees get different training based on their selection...and no, "No training pls!" is not an option. The compliance team gets to see what issues are top of mind and then they can focus on those topics throughout the year. 2. Targeted training: Another customer is asking, "How confident are you raising bribery concerns in your team," and then analyzing the data based on department and country. They've identified the top 10 teams they are focusing their ABAC training and communications on, because prioritization is key. You don't need to move from the traditional, completion-focused model to a data-driven program all at once. But take incremental steps to layer on data that surfaces risks and lets you prioritize your efforts. And your vendor should be your thought partner, not the obstacle, in this journey! I've seen Ethena's team work magic in terms of navigating concerns like PII and LMS limitations – it can be done!

FDA Warning Letter snippet: Facility has areas not maintained and in a state of decay. QMR identified significant gaps in training which were not addressed effectively. Sterile operations were not maintained with basic requirements being ignored and willfully violated. What can you do about these issues: The GxP compliance process of Align, Apply, and Adapt is a structured approach to ensuring that GxP standards are effectively integrated into an organization’s operations. Here’s how this framework works: 1. ALIGN – Establishing Compliance Foundations This phase ensures that the company’s policies, procedures, and systems are aligned with regulatory expectations and industry best practices. Key Activities: ✔ Regulatory Landscape Assessment – Identify applicable FDA guidelines. ✔ Gap Analysis – Assess current systems against regulatory requirements and industry benchmarks. ✔ Quality & Compliance Framework Development – Establish or refine SOPs, policies, and quality systems. ✔ Stakeholder Buy-In – Ensure leadership and teams understand compliance priorities and objectives. 📌 Outcome: A clear compliance roadmap that aligns business operations with regulatory expectations. 2. APPLY – Implementation & Execution Focuses on applying compliance principles into daily operations to ensure processes are followed consistently and effectively. Key Activities: ✔ Training & Competency Development – Conduct role-specific GMP training for employees. ✔ Process Integration – Embed compliance into manufacturing, quality control, and clinical operations. ✔ Data Integrity & Documentation – Ensure ALCOA+ principles are met. ✔ Routine Monitoring & Self-Inspections – Conduct internal audits and quality reviews to identify gaps before regulatory inspections. 📌 Outcome: Compliance becomes part of the company’s operational culture, not just a checkbox activity. 3. ADAPT – Continuous Improvement & Risk Management Since regulations and business environments evolve, organizations must continuously adapt their compliance approach to remain inspection-ready and competitive. Key Activities: ✔ Regulatory Change Management – Monitor FDA updates and enhance policies accordingly. ✔ Process Optimization – Leverage insights from deviations, CAPAs, and audit findings to improve compliance efficiency. ✔ Technology & Automation – Implement digital compliance tools to enhance data integrity and reduce human error. ✔ Culture of Compliance – Foster a mindset where compliance is proactive rather than reactive. 📌 Outcome: A resilient, future-proof compliance program that evolves with regulatory changes and business needs. Why This Approach Matters 🔹 Prevents last-minute compliance scrambles before inspections. 🔹 Reduces regulatory risk and ensures inspection readiness at all times. 🔹 Increases operational efficiency by integrating compliance into day-to-day processes. 🔹 Supports scalability, ensuring compliance remains strong as the company grows.

The biggest myth in compliance? That passing one audit means you’re secure. I’ve seen organizations celebrate a clean report… only to fail the next cycle because: - Evidence wasn’t maintained - Controls drifted without ownership - Tools went stale without tuning Compliance is not a snapshot. It’s a system. The programs that hold up year after year all share three things: - Controls mapped to real owners - Evidence collected automatically as work happens - A cadence that keeps everything current long before the auditor arrives If your team is still treating compliance like a once a year sprint, you’re setting yourself up for failure. The leaders who get it right build compliance into the operating rhythm of the business.

Why Formal Controls Are Not Enough For An Effective Compliance Program Whenever I give ethics and compliance trainings, I like to mention some of the many well known examples of wrongdoing that didn’t involve just one or two rogue employees; instead, the wrongdoing was known throughout these organizations and involved many people, despite the fact that many of the organizations operated in highly regulated industries and had established and well staffed compliance programs. These organizations had numerous formal compliance program elements in place: robust policies, detailed controls, frequent training, and various reporting channels - but these alone were not enough or effective in preventing or stopping the wrongdoing. While essential, an over-reliance on these formal controls and a lack of focus on the deeper elements like culture, misaligned incentives, and failing to address reported concerns or known wrongdoing, means a program will ultimately fall short in practice. Here is an analogy I like to use: formal controls are like bricks in a wall - they provide much needed structure for the wall. Organizational culture, aligned incentives, and addressing (and being seen to address) issues that are raised or otherwise known are what act as the cement in an effective compliance program - just as cement fills the gaps between the bricks and gives the wall the strength it needs to stop it from crumbling or falling down, effective compliance programs need to have a balance of bricks and cement to be effective. You wouldn’t build a wall with only bricks and no cement (or if you do, you shouldn’t expect the wall to last), so don’t think a compliance program that only or overly relies on formal controls will be effective. How do you make sure that your program is effective in practice and not overly-reliant on formal controls? _____ #SundayMorningComplianceTip #EthicsAndComplianceForHumans 📚 Want to get more compliance ideas and suggestions like this? Connect with me here on LinkedIn or get your copy of my book called Ethics & Compliance For Humans (published by CCI Press and available in print and kindle format on Amazon and various other online book stores)

DOJ update on antitrust compliance: Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations 💛 The U.S. Department of Justice (#DOJ) Antitrust Division has released significant updates to its Antitrust Compliance Guidance (11/2024). These updates underscore the importance of robust corporate compliance programs in preventing, detecting, and addressing #antitrust violations. Effective compliance programs not only help companies self-report issues but also potentially benefit from leniency under the DOJ's Corporate Leniency policy, thereby protecting them from prosecution and demonstrating their cooperation. The DOJ's comprehensive framework for evaluating compliance programs focuses on their integration into business operations, adaptability to legal changes, and leadership endorsement to foster a culture of compliance. Key elements include adequate resources, tailored #risk assessments, ongoing training, diligent monitoring, and robust reporting mechanisms. Emphasis is also placed on #technology adaptation, continuous audits, and proactive investigative inquiries to keep programs current and responsive to emerging risks. Moreover, the DOJ highlights the necessity of enforcing disciplinary measures, maintaining confidential reporting mechanisms (#whistleblowing), and implementing effective remediation strategies to prevent recurrence of violations. The genuine implementation of these programs, supported by senior leadership, is crucial in influencing sentencing decisions and determining fines and penalties. Overall, the DOJ’s guidelines aim to embed compliance deeply within corporate structures, ensuring sustained legal and ethical business conduct. For more: https://lnkd.in/eYB8q6Ry ⁉️ #integrity #ethics #fraud #forensics #investigation

Annual reporting season just ended. Did your compliance report reveal progress — or problems? If you found non-compliance, repeat violations, or near misses, the real question isn’t what happened — it’s what are you going to do about it? Too often, compliance issues get filed, not fixed. That’s a systems problem, not a people problem. Here are some of the warning signs and shifts to watch for: ✅ Compliance Requires Functioning Systems ↳ Policies don’t protect your organization—systems that work do. If it’s not written down, it’s not enforceable, auditable, or actionable. ✅ Compliance Programs Fail When They’re Too Far from the Work ↳ When compliance is siloed in Environmental, Health, and Safety (EHS) and disconnected from daily operations, frontline teams can’t see risks—or own them. ✅ Warning Signs Your Compliance System Has Gaps ↳ From buried metrics to unclear Standard Operating Procedures (SOPs), most compliance breakdowns stem from poor design, not lack of effort. ✅ In High-Performing Organizations, Compliance Is Operationalized ↳ They embed limits into SOPs and alarms, train field teams to spot risk, and review metrics alongside safety and quality. ✅ System Design Is the Foundation of Sustainable Compliance ↳ Environmental risk is built into risk reviews, alerts, task plans, and maintenance systems—built for consistency and control. ✅ Systems Support Action—But Leaders Set the Tone ↳ Leaders model what matters. They show up in the work, lead the reviews, and drive accountability. ✅ Environmental Compliance Isn’t a Report. It’s a System. ↳ Weak systems put your license to operate, your people, and your reputation at risk. Where do compliance systems fail most in your experience—SOPs, ownership, or visibility? Drop your thoughts below. 👇 Need help turning compliance into culture? Contact Morgan Davis, PMP, PROSCI, MBA Davis if your organization needs help systemizing your compliance program and driving operational results. ♻️ Reshare to encourage leaders in Operations, EHS, and Compliance to shift from reactive reporting to system-level improvement.

Companies are over-engineering and over-complicating their compliance programs. Instead of developing risk-based and right-sized security programs with intentionality, too many companies are playing compliance whack-a-mole with band-aid fixes to their compliance needs. It’s short-sighted and causing more long-term harm than value.    The companies with the most effective and sustainable compliance functions don’t focus on checking-off compliance requirement boxes; they focus on implementing security programs that address their organization’s specific risks and opportunities. They operationalize sound security and governance practices, and such practices become engrained within their company’s DNA. Through this approach, fulfillment of compliance requirements becomes a natural result of doing the right thing. If your goal is to build an effective and sustainable compliance program, it pays off to do the right thing from the start.