Find out what a compliance programme is and what the essential elements are of an effective compliance programme. We’ll look at guidelines given by various authorities and also explain how we can help you design, implement, run or measure your compliance programme.

“An organisation’s compliance programme is how a team practically and continually implements and operationalises the law throughout their organisation.” John Giles

What is a compliance programme?

A compliance programme is a set of related activities that an organisation does (or measures or controls that an organisation puts in place) with the long-term aim of complying with regulatory requirements (like laws, rules, codes or standards). The regulatory requirements may be on different topics – like a data protection programme, access to information programme, cybercrimes programme or trustworthy AI programme. Other common regulatory topics include plain language, anti-bribery and corruption or healthcare.

Lexico defines a programme (the noun) as “a set of related measures or activities with a particular long-term aim” and the phrase “get with the programme” as to “do what is expected of one; adopt the prevailing viewpoint”. A compliance programme is not just a compliance monitoring programme – it is more than that. It is a programme and not a program. Program is the US spelling for programme.

It is worth remembering that compliance is part of the bigger topic of governance, risk and compliance (GRC). Programmes are therefore sometimes called a governance programme or GRC programme. Sometimes the name of the programme is the topic (like the Trustworthy AI programme).

There is a difference between a learning programme and a compliance programme.

A compliance programme is not the same as a legal training course, an awareness training programme or learning. Legal training is only part of a compliance programme. A programme is about actually putting measures in place whilst an awareness training programme is just about awareness. Our programmes empower you to put measures in place and we continually update our programmes so that they reflect the prevailing viewpoint.

Satya Nadella says “We have translated our AI principles into a core set of implementation processes, as well as tools, training, and practices to support compliance.”

Let’s look at Microsoft’s example of an AI programme. Microsoft has a responsible AI program co-sponsored by Brad Smith (Vice Chair & President) and Kevin Scott, Microsoft’s Chief Technology Officer. Brad Smith says “As the White House’s voluntary commitments reflect, people must remain at the center of our AI efforts and I’m grateful to have strong leadership in place at Microsoft to help us deliver on our commitments and continue to develop the program we have been building for the last seven years. Establishing codes of conduct early in the development of this emerging technology will not only help ensure safety, security, and trustworthiness, it will also allow us to better unlock AI’s positive impact for communities across the U.S. and around the world.”

Each organisation needs a compliance programme

For each regulatory topic that has a significant impact on your organisation, you must set up and run a programme on an ongoing basis. You can also run one compliance programme for all regulatory requirements.

How we can help you with your programme

  • Set up and run an effective programme for your organisation on an ongoing basis by using a Michalsons programme as a blueprint.
  • Have an effective compliance programme by asking us to design one for your specific organisation.
  • Implement a compliance programme by asking us to run your programme (work through one of our programmes and apply it to your specific organisation).
  • Implement a compliance programme by asking us to do parts of it for you in the form of services.

Some of the benefits of an effective compliance programme

  • Comply with the law and avoid the risks of non-compliance.
  • Have happy customers and employees.
  • Grow the business.
  • Oversee third parties (like vendors).

“If you think compliance is expensive, try non-compliance.” Former U.S. Deputy Attorney General Paul McNulty

Essential elements of an organisation’s compliance programme

  1. You must create a learning environment in which everyone receives appropriate awareness training on an ongoing basis through an awareness training programme.
  2. The executive must be briefed, set a strategy and communicate their support on an ongoing basis.
  3. You must plan your compliance programme carefully.
  4. There must be good governance (including accountability, responsibility and oversight).
  5. The programme must have sufficient funding.
  6. You must select, buy, configure, implement and use the appropriate software or legal tech for your organisation.
  7. You must know the relevant facts (for example your activities or data).
  8. You need an excellent compliance framework (like a data protection compliance framework).
  9. You need good policy and procedure.
  10. You must be able to conduct assessments quickly and easily when necessary.
  11. You must manage or govern risk.
  12. You must review and change existing contracts and ensure that new contracts you enter into are up to date.
  13. People must be able to report incidents internally and there must be an incident response procedure.
  14. Internal investigations must be done.
  15. There must be enforcement and disciplinary measures – there must be consequences.
  16. You must manage third-party relationships.
  17. You must manage your relationships with authorities.
  18. You must monitor, measure, test and audit the effectiveness of your compliance programme and adjust it to sustain it on an ongoing basis.
  19. You must sustain your compliance by trying to avoid fines, resolve disputes and avoid litigation and incidents.
  20. You need people (a team) both internally and externally to take action from time to time.

The principles of compliance monitoring programmes for pharmaceutical manufacturers

In 2003, the Office of Inspector General (OIG), Department of Health and Human Services, developed the OIG Compliance Program Guidance for Pharmaceutical Manufacturers. The OIG sets forth its general views on the value and fundamental principles of compliance programs for pharmaceutical manufacturers and the specific elements that pharmaceutical manufacturers should consider when developing and implementing an effective compliance program. It is for pharmaceutical manufacturers but is useful for other organisations too.

  1. Implementing written policies and procedures
  2. Designating a compliance officer and compliance committee
  3. Conducting effective training and education
  4. Developing effective lines of communication
  5. Conducting internal monitoring and auditing
  6. Enforcing standards through well-publicized disciplinary guidelines
  7. Responding promptly to detected problems and undertaking corrective action

Evaluation of corporate compliance programs guidance document

In April 2019 the U.S. Department of Justice (Criminal Division) updated its guidance document on the evaluation of corporate compliance programs. It helps prosecutors make informed decisions as to “whether, and to what extent, the corporation’s compliance program was effective at the time of the offence, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate

  1. form of any resolution or prosecution;
  2. monetary penalty, if any; and
  3. compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).”

It states that “there are three ‘fundamental questions’ a prosecutor should ask:

  1. Is the corporation’s compliance program well-designed?
  2. Is the program being applied earnestly and in good faith? In other words, is the program being implemented effectively?
  3. Does the corporation’s compliance program work in practice?”

This document is useful in helping us to determine what a prosecutor might consider to be an effective compliance programme.

Guidelines from the United States Sentencing Commission

The guidelines on the sentencing of an organisation from the United States Sentencing Commission are also useful. According to the guidelines, “The two factors that mitigate the ultimate punishment of an organization are:

  1. the existence of an effective compliance and ethics program; and
  2. self-reporting, cooperation, or acceptance of responsibility.”

It goes on to say that “These guidelines offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program. The prevention and detection of criminal conduct, as facilitated by an effective compliance and ethics program, will assist an organization in encouraging ethical conduct and in complying fully with all applicable laws.”

The King Code

The King Code sets out the governing body’s responsibility regarding compliance and provides good guidance for compliance programmes.