This GRC Tool is a questionnaire that can be used to determine whether a company has an effective process and culture in place to control and mitigate compliance and ethics related risks.
This GRC Tool is a questionnaire that can be used to determine whether a company has an effective process and culture in place to control and mitigate compliance and ethics related risks.
Questions 1 through 3 address organizational culture to determine if a company is taking the formal steps necessary to address the subject of compliance and ethics—& whether management, the Board of Directors and the employees really believe that compliance and ethics are an integral part of the company’s corporate culture. A stakeholder should evaluate whether the company has seriously considered all of the enterprise risks of non-compliance or unethical conduct, has established its own goals and objectives, and has communicated its behavioral expectations effectively throughout the organization.
Questions 4 and 5 consider scope and strategy of the compliance and ethics program, assessing how thoroughly it can address potential risks. Most important is the integration of that process with overall enterprise risk management. The Securities & Exchange Commission expects compliance and ethics issues to be considered even when fast-paced decisions must be made. Stakeholders in publicly traded companies must be able to determine whether the compliance and ethics program is sufficiently broad in scope and well enough planned to address this need.
Questions 6 through 8 identify the structure and resources dedicated to the ethics and compliance program, judging the seriousness of commitment to effective management of the program. It is the audit committee’s responsibility to ensure that a structural process is in place that encourages both top-down communication and bottom-up feedback, and that issues are dealt with quickly and completely. If the proper resources are not funded and in place to prevent the audit committee from becoming a “choke point,” the program will be judged a failure, and the blame for inadequately addressing enterprise risk will be placed on upper management.
Questions 9 through 14 evaluate management of policies and training, and further address program adequacy by looking at the mechanics of the processes in place. These questions evaluate how Codes of Conduct and other policies are distributed, tracked and kept up to date, and under what circumstances they can be waived or overridden. They also address how employees and other stakeholders are trained to understand and apply established policies and procedures, and how information is communicated to them.
Questions 15 through 18 focus on internal enforcement, assessing whether the company appropriately and consistently deals with violations of established policies and procedures. If individuals are allowed to ignore, disobey or even mock the objectives and requirements of the compliance and ethics program, stakeholders can conclude that management is not fully committed to ensuring ethical conduct.
Questions 19 and 20 assess evaluation and continual improvement efforts in the compliance and ethics program. Without processes to judge program elements and implement necessary improvements, any compliance and ethics program will have difficulty staying efficient, effective and up to date. Well-developed routine monitoring and periodic assessment processes, with clear paths for communication of recommended changes, may be the best sign of a mature and effective management system.
Featured in: Compliance , Ethics , Culture