Regulatory compliance is continuously evolving, which makes it increasingly imperative that everyone involved in the Compliance Management System (CMS) understand their responsibilities. Various sectors mandate oversight, including healthcare, finance, and cybersecurity. It is also a foundational business practice to safeguard company reputation and demonstrate integrity to consumers and the public. 

Compliance management is a top-down system, like most workplace cultures and business processes. Thus, the CMS is established and maintained through the Board of Directors’ oversight, which ensures the regulatory process is fully functional within their organization. 

Reviewing the CMS: What’s Required? 

It’s important to review the elements of a CMS to understand the role of compliance oversight.

The core functions of a CMS are to protect the organization and to follow the rules that impact the business and its consumers. An effective CMS prevents enforcement actions, such as penalties and litigation. It also manages regulatory risks and ensures that threats are identified and mitigated.

At a glance, this sounds very straightforward. However, for most business units, it is an extremely complex process—often filled with overlapping regulatory bodies and seemingly endless requirements. Structuring your CMS, using top-down leadership and proactive oversight, will avoid pitfalls and streamline the compliance process for your organization. 

A CMS is how an entity: 

  • Acquires information about compliance responsibilities,
  • Conveys compliance responsibilities to employees, vendors and the public,
  • Incorporates compliance requirements into business processes,
  • Evaluates processes to confirm responsibilities are implemented and requirements are achieved,
  • Performs updates and corrective actions.

Regulatory institutions each have specific requirements. But at a minimum, compliance audits, risk assessments, a written compliance program and oversight of the Board of Directors apply to all. 

The CMS is instituted through a documented program, which includes written requirements for risk management and compliance issues. Formal policies within the program establish methods to guide the organization’s regulatory steps. The CMS policies outlined employee training. For staff and employees, the written CMS is also a valuable reference tool and provides a dedicated method to interact with the public and provide services that meet the regulatory requirements. 

Role of the Board of Directors

Implementing and sustaining an effective CMS are chief oversight responsibilities for the Board of Directors. The FDIC states this quite clearly: “The Board of Directors is ultimately responsible for developing and administering a CMS that ensures compliance with federal consumer protection laws and regulations.”

Board oversight includes:

  • Identifying compliance expectations for the institution and impacted vendors and providers,
  • Developing organizational statements that unequivocally convey regulatory requirements,
  • Selecting a compliance officer and understanding the duties of the officer,
  • Ensuring the compliance officer can conduct his or her tasks with proper authority and accountability,
  • Appropriating the financial resources toward compliance functions based upon the organization’s requirements,
  • Requiring and reviewing compliance audits,
  • Providing a system to receive regular reports from the compliance officer,
  • Applying or approving corrective measures to regulatory risks and providing follow-up to ensure these are satisfactorily completed.

Of these, one of the most important areas for the Board to understand is the role of the compliance officer.  An adequate flow of information from the compliance officer is essential to oversight. 

The compliance officer represents the boots on the ground for the regulatory needs of the organization. He or she may develop operational policies or procedures, which must meet the compliance requirements of the organization. 

Likewise, employee and management training, instituted or delivered by the compliance officer, should align with the organization’s regulatory goals. The compliance officer should report on these areas to the Board periodically. 

If applicable laws or regulations evolve or a new risk is identified, necessitating a change in institutional policy statements, the compliance officer should be aware and inform the Board. This means your compliance officer should regularly review policies, as well as emerging trends or potential liabilities, and deliver these findings to the Board. 

To perform duties of compliance management, the Board must allow the compliance officer the authority to function in duties. 

As the FDIC states, the compliance officer should have sufficient authority to:

  • Cross-departmental lines
  • Have access to all areas of the institution’s operations
  • Effect corrective action.

The Board’s oversight may include assessing the compliance officer’s authority and offering additional leadership support. For example, a compliance committee may be necessary to assist the compliance officer in directing the CMS. 

Oversight is Proactive and Engaging

Board of Directors oversight must extend beyond digesting reports from compliance officers. Properly implemented compliance oversight is proactive and regularly monitors and evaluates the organization’s CMS with the emerging regulatory landscape. 

In the collaborative publication, “Practical Guidance for Health Care Governing Boards on Compliance Oversight,” the authors state, “Boards are expected to put forth a meaningful effort to review the adequacy of existing compliance systems and functions.”

What does it take to put forth that “meaningful effort?” Essentially, Board Members should know the organization’s CMS well enough to ask the right questions. The correct questions produce a useful compliance framework for the organization. 

Are departments sharing pertinent compliance information with each other and with the Board? For example, if the legal department discovers a potential area of regulatory risk or possible fraud, what is the reporting process? How are corrective measures applied to the organizational level? Is the Board engaged in reviewing these corrections? 

Even asking foundational questions helps focus the organizational efforts. Such as, “What is the purpose of this rule or regulation?” And, “How are we fulfilling those requirements to the affected parties?”

Along with understanding the duties of the compliance officer, the Board should periodically examine the responsibilities and roles of legal, quality, and audit departments. Each of these is central to compliance—yet independent. 

The Office of Inspector General (OIG) believes an organization’s compliance officer “should neither be counsel for the provider nor be subordinate in function or position to counsel or the legal department, in any manner.” 

In other words, your compliance officer should collaborate as an equal with other departments to enact the CMS. It is through oversight that this is ensured and achieved. 

While oversight depends on the influx of information and expert input, striking a balance between too little or too much compliance information can be difficult. Some boards use dashboards or other similar tools that contain key operational, fiscal or strategic plans, to moderate information. 

Risk-reporting and compliance can be integrated into these tools to provide an overview of the pertinent CMS information to the Board. However, methods or policies should be established to ensure prompt reporting to the Board if specific risk-based criteria are triggered. 

Finally, organizational accountability is another area that is directed by Board oversight. Incentives for accountability, as well as maintaining an appropriate level of corporate transparency, stem from policies the Board enacts. 

Oversight is a Process 

It’s a tall order for Boards to stay on top of all this and still function in other organizational leadership roles. But engaging and effective Board oversight is an ongoing process, not a destination. Just as the regulatory environment is continuously evolving, oversight needs to be consistently developing and changing to meet those demands.