While a little-understood element of process management, monitoring serves as a powerful tool to ensure that ethics and compliance processes continue to work and improve.
Ethics and compliance monitoring is a clear expectation but has not been well defined, leaving many companies at a disadvantage in understanding how to effectively incorporate it into their ethics and compliance management efforts.
Unlike other recommended ethics and compliance activities, monitoring (and auditing, as well) is less of a defined, discrete activity and more a part of a management process. It needs to be designed to fit and incorporated into each activity. Without strong monitoring techniques, ethics and compliance processes are likely to fail or fall out of date as external changes antiquate a business process.
The Expectation of Monitoring – But a Lack of Guidance
Monitoring has become a basic expectation of ethics and compliance management. The U.S. Sentencing Guidelines include ‘monitoring and auditing’ among the principal components of a recommended compliance and ethics program.
The Guidelines state: “The organization shall take reasonable steps…to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct.”
The Guidelines continue: “The organization shall take reasonable steps…to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct,” including “monitoring through regular ‘walk-arounds’ or continuous observation while managing the organization.”
Want to know more about compliance monitoring? Browse CCI’s compliance monitoring library.
Along with the Guidelines, other ethics and compliance management frameworks include ‘monitoring.’ The U.S. Department of Health and Human Services’ model compliance programs for healthcare-related companies (PDF download) also include monitoring. This framework encourages “the use of audits and/or other evaluation techniques to monitor compliance and assist in the reduction of identified problem areas.”
The COSO risk management model places ‘monitoring’ as a critical management activity. It lists ‘monitoring’ as one of five principal components of good risk management and control practices. COSO looks to monitoring in its 2009 Guidance on Monitoring Internal Control Systems to help ensure “that internal control continues to operate effectively.” While the U.S. Department of Justice’ prosecutorial guidelines for organizations do not mention ‘monitoring’ specifically, their description of what may constitute an effective compliance program appears built on an organization’s ability to identify and take action regarding non-compliance with its standards – in short, monitoring.
Still, as addressed above, these expectations do not provide much detailed guidance as what makes for good ‘monitoring.’ In fact, in the recent BAE Systems plea agreement with the U.S. Department of Justice (DOJ), ‘monitoring’ as a term is not used at all. In the agreement, what the DOJ does expect are “internal controls, policies and procedures,” “effective review and approval,” and “periodic testing of the compliance systems, policies, and procedures designed to evaluate their effectiveness.” These are expectations that monitoring may address. (See United States vs. BAE Systems plc, Plea Agreement, Appendix D, (letter from U.S. Department of Justice to Lawrence Bryne, Esq., Linklaters LLP, February 2, 2010).
Another well-known model provides a more expansive perspective on ‘monitoring.’ The Open Compliance and Ethics Group’s (OCEG) “Red Book”, a framework for ethics and compliance management, uses the term “monitoring” in a broader context that includes regular review of an organization’s external and internal changes that may impact a business process, in addition to review of a process’s activities to ensure compliance with its objectives. This OCEG framework on guidance about evaluating an organization’s external and internal factors helps to ensure that a process does not become victim to outside changes, leaving it ineffective. However, with regard to monitoring as part of a discrete process, the OCEG framework does not elaborate much.
Perhaps because of this lack of detailed guidance on ‘monitoring,’ companies continue to grapple with this issue and how to effectively address it. A 2009 PwC publication (PDF download) states that “few have had true success with establishing real-time, proactive monitoring programs that allow them to get ahead of issues and violations, reduce costs, and drive operational excellence to enhance compliance and create a competitive advantage.”
Want more? Subscribe to CCI’s free weekly GRC eBlast. Top compliance news, view, jobs & events – delivered right to your inbox once a week.
One reason for this difficulty may be because the guidelines include monitoring among other discrete ethics and compliance activities, such as promulgation of standards of conduct, education of employees, development of a whistleblower channel – activities that are unique processes unto themselves. But monitoring is not intended to be a discrete business process; like auditing, ‘monitoring’ is intended to be an important part of an integrated business process, whether the process addresses an ethics and compliance activity or any other business activity. As COSO addresses it, monitoring is an integral part of process management and improvement. Its purpose is to help provide the reasonable assurance that a process is effective.
Monitoring and Auditing
Because of the confusion between monitoring and auditing, it is helpful to distinguish between the two. Monitoring tends to occur within the activity’s operational structure and closer to the underlying activity’s occurrence. It may be conducted by operational management or involve an expert outside of the operational line where the expertise does not exist within the management structure.
Auditing generally describes activities that occur further after the fact by parties more independent of the respective operational management, such as an internal audit staffer or external auditors. While auditing may occur far after the fact to allow for the problem to be corrected, it may do better at ensuring that operational management effectively manages the business activity. Monitoring allows for early identification and correction before a problem festers and causes the company to be in non-compliance.
Examples of Monitoring
- Pre-activity approvals
- Transaction reviews, such as travel expense reports
- Reviews of in-process quality checks and outcome data
- Review of staff-completed checklists
- Listening to or reviewing recorded customer service intake calls
- Attending sales presentations
Monitoring and auditing are essential to verify that a business activity actually works and continues to do so. A process’s design should consider both monitoring and auditing in process design and improvement to ensure the most effective overall internal control solution, while still making certain of an independent, objective audit.
So, a distinction between monitoring and auditing is important to ensure that operational management cannot improperly bias or overrule the audit of an activity; in this regard, higher leadership provides an effective check to ensure that while the audit remains independent, monitoring and auditing function in tandem efficiently and effectively.
A Framework for Monitoring
The U.S. securities industry has developed a helpful framework that includes monitoring. FINRA, the financial regulatory authority, requires all of its member firms to maintain written supervisory procedures (WSPs) to ensure that business activities are regularly monitored for compliance with exchange rules. These WSPs are completed by supervisors, often with advanced supervisory credentials.
In addition, firms also must maintain supervisory control procedures (SCPs) that document how the WSPs will be reviewed and/or verified. This industry’s approach essentially establishes secondary and tertiary means to control and manage business activity. Slowly, other industries are building approaches similar to the securities industry that ensure that a business process is checked and double-checked to identify, assess and respond to errors and other variances that would otherwise thwart compliance with an activity’s procedures.
The following is an overall approach toward understanding what monitoring is, its value as part of a business process and how to integrate it into an activity.
Monitoring serves numerous goals. At its most basic, it helps to ensure that a business activity is taking place and actually works – that the expected outcomes are occurring. In this regard, it is an effective tool to identify, review and determine how to handle variations to the expected outcomes that may not have been initially identified. Variations will always occur, and so any good process needs a way to capture and handle them.
Monitoring also identifies intentional deviations, such as when an employee purposely seeks to stray from a defined process for his or her own benefit. In doing this, monitoring reinforces that management is watching and taking action when problems occur. Monitoring helps to improve the process’s accuracy, efficiency and effectiveness as it captures possible or actual failures. It also helps in documenting a process’s existence, operation and oversight – and in reporting on the process’s outcomes – so that the company can demonstrate the process works and is effective.
Finally, as addressed in the OCEG model, monitoring a process’s external environment (i.e., the organization’s external and internal changes) helps to ensure that the process can adjust to these changes.
Monitoring can occur prior to, during or after a business activity takes place. Common pre-activity monitoring includes, for example, a management approval, such as for high-risk activities like offering expensive gifts to customers. After-the-event monitoring may be reserved for activities that are less risky and/or that occur frequently. While it cannot head off problems specific to a single transaction, such monitoring stresses that management is watching over the activity, especially when management regularly queries staff about how transactions were conducted.
Monitoring may occur during an activity, such as a complex set of procedures where management previews certain intended actions while it reviews just-completed ones. For instance, during a prospective consultant due diligence process, management may review the outcome of staff’s initial screening while previewing staff’s evaluation of the consultant’s response to a questionnaire. Or management may sit in on a sales presentation to ensure the accuracy of presented data.
Monitoring includes some portion of an activity’s occurrences. For the most sensitive activities, monitoring may involve each transaction. Or it may act as a ‘spot check’ in looking only at randomly selected transactions. Management may determine to review process exceptions with the assumption that they pose the greatest risk. Or it may develop a more sophisticated way to evaluate higher-risk transactions, such as those that occur in certain demographies, by certain staff members or with other select parameters.
For example, management may decide to more closely monitor hotline calls from staff with a pattern of errors. A complex monitoring program may include a variety of these approaches.
While operational management needs to assume accountability for an activity’s oversight, who actually conducts the monitoring can vary, largely based on the activity’s sensitivity and the staff’s requisite competence. For instance, management may delegate monitoring to staff not directly involved in an activity, who then report results back to the manager. This is more likely to occur for routine transactions with lesser risk and where staff can be appropriately trained. In the most sensitive situations, management will want to reserve monitoring for itself.
What is important is ensuring that the choice of who monitors still provides effective oversight of the activity. COSO indicates (PDF download) that good process management includes “an effective organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity and authority.”
Metrics are an important part of any business process and critical to monitoring. The monitor must be able to determine whether an activity meets, comes close to or fails to meet its goals, and the responsible staff should be able to do the same. If an activity fails, the monitor needs to know the extent of the failure and, if possible, the reason why.
Also, metrics help the monitor to know whether an activity is improving when the metrics improve (or visa versa). Even results that achieve (but come close to missing) objectives still provide value. Monitoring these metrics ensures that management can take appropriate action.
Monitoring helps management to affect changes when an activity does not meet, or is at risk of not meeting, its intended results. This step is pivotal in process management. Unaddressed failures or other deficiencies not only weaken a process, they also can create unexpected liability if regulators or others determine that the company did not take reasonable measures to achieve compliance.
This means that the outcome of monitoring must be more than identifying actual or potential non-compliance; it must lead to management taking actions that correct the non-compliance risks. Knowing that it will report results of monitoring its activity also encourages a company to both monitor and make appropriate changes.
A monitoring outcome also may include identifying changes to the underlying activity or external environment, which might require changes to the activity to ensure continued compliance. Take the situation where the number of calls to a company’s hotline quickly decreases in a given month. This change may signal a shift in demographics, employee opinions or other issues that may require a change in the hotline communication or call intake process.
What monitoring steps should be included and how they should be designed and conducted depend on various determinants, including:
- The number of an activity’s transactions – Fewer transactions make monitoring activity easier and faster.
- The cost of monitoring – This applies per transaction in money, staffing and other resources.
- The ease of monitoring – For example, where management can employ technology to automate and expedite monitoring, this bodes well for the overall process.
- The risk of non-compliance – both its seriousness and likelihood. Serious consequences of non-compliance may encourage pre-transaction approval; non-compliance that is more likely to occur can suggest a need for monitoring of more transactions.
- Motives for operating staff not to comply – Where staff may benefit from non-compliance, it behooves management to consider more stringent monitoring. For example, if sales staff can earn more commission from increased product sales by bypassing important paperwork, it may be important to monitor to ensure the paperwork’s timely and accurate completion.
Other determinants may also be appropriate depending on the underlying activity.
Finally, monitoring should work hand in hand with auditing. It should benefit from the outcome of internal or external audits. Audit findings are intended to correct or improve a process, and part of this correction can include a process’s monitoring steps. Just as monitoring provides a valuable benefit to an activity’s correction and improvement, process audits provide the same benefits to monitoring steps.
Putting it All Together
Given all of this information, the challenge then is for management to implement monitoring steps that best meet an activity’s needs. The intent is to develop, implement, maintain and improve monitoring practices so that they provide effective oversight of an activity as efficiently as possible. For starters, a process may not need a sophisticated monitoring plan at the beginning; it likely can start with basic monitoring steps as the process gets underway. In fact, a new process may be best served by very basic but active monitoring in the early stages to ensure that the basic process steps are followed and to identify glaring variations. Management also can simplify development of monitoring steps by using standardized templates and other materials that can then be customized to a process to train employees, serve as reporting tools and invoke correction actions.
Other Monitoring Techniques
Some ways that monitoring may be modified include the following:
This is a means by which a responsible individual or group – such as operations staff – monitors and reports on its own performance. Self-monitoring seeks to create greater accountability among the responsible parties and, in turn, reduce the need for monitoring by others, like management. Auditing can be used as a check to ensure that the self-monitoring actions are performed as expected and not otherwise compromised. Still, even with self-monitoring, it is reasonable that management will want to perform some monitoring to provide greater assurance that the self-monitoring efforts are working, or for high-risk activities.
This is a means by which monitoring is made an ongoing activity versus a periodic, discrete one. According to KPMG (PDF download), “Continuous monitoring (CM) is a feedback mechanism used by management to ensure that controls operate as designed and transactions are processed as prescribed. This monitoring method is the responsibility of management and can form an important component of the internal control structure.”
Continuous monitoring is likely to employ automated technology in order to simplify and mechanize it. Continuous monitoring is a concept that is perhaps most helpful to those companies that conduct only occasional process monitoring. KPMG also discussed how continuous monitoring seeks to review disparate data from multiple processes to weave together an otherwise unknown perspective on potential risk to the business activity.
Next to the existence of a regimented process itself, monitoring is perhaps the best tool to ensure that an activity meets its objectives. So, it is wise to use monitoring to a process’s strategic advantage. In this regard, it is important to adjust monitoring steps as the process evolves and apply risk-based methodology to monitoring so that it is both efficient and effective and does not lead to ‘overkill.’
In short, ensure that monitoring remains as dynamic to the process itself to get the greatest value from it.
Editor’s Note: This is the seventh post in an ongoing series on Codes of Conduct by Jason Lunday. Follow this link to view all of Mr. Lunday’s articles in his Codes of Conduct featured column series.