Compliance Management
Episode 4: Compliance Guidelines – Defining the Framework

Solid guidelines – often also called “policies” – are the basis for a Compliance Management System (CMS) which builds binding commitments.

Guidelines as the backbone of a CMS

As mentioned in the previous post, many compliance officers start immediately by creating and promulgating guidelines they consider necessary. This creates a sense of security, since you now have progress to show “on paper”.

True is: A concise, comprehensible set of guidelines adapted to company-specific risks provides necessary structure and establishes the expectation horizon. Once a thorough risk assessment has fostered understanding of a company’s sensitive, risk-prone areas, guidelines provide a framework for addressing these risks at the regulatory level. They represent a lasting standard against which the Compliance Program and the behavior of the employees will be measured.

But what exactly are guidelines? Put simply, guidelines are intended to translate “external” laws into the corporation’s language. This “language” should reflect the reality of the company and – of course – should be comprehensible. This may seem obvious, but experience shows this expectation is not always fulfilled.

The following “Dos & Don’ts” should be particularly highlighted:

Do:

  • Clear structure and language
  • Where possible: visuals
  • Definition of central terms
  • Reference to and consistency with other guidelines

Don’t:

  • Long texts
  • Copy chunks of legal text
  • Unclear legal terms and wording
  • Absence of company-related examples

There is rarely a strong emphasis on formal criteria, at least in the case of guidelines in the compliance area. Compliance officers within companies are therefore usually free to decide on the content and the formulation of specific rules, as long as the rules serve to successfully organize collective behavior in the company. It is important to note here that there are different “rule types” [1], for example:

  • “Boundary rules”, which explain which behavior is unacceptable
  • “Priority rules”, which prescribe a solution in case of conflict
  • “Implementation rules”, which explain how a certain guideline should be “lived” within the company
  • “Communication rules” indicating which departments/persons need be informed about certain actions or decisions

It is not necessary to use every rule type; the selection of types depends largely on the individual case. However, one thing is clear: Simple Rules increase the overall likelihood that addressees will adhere to them.

Important: Involve stakeholders early on!

 Paper, as we know, is patient. Even a guideline crafted with all possible care may not necessarily meet with approval. Therefore, make sure that all important departments are included and involved in the policy. “Involved” here definitely means inviting an active contribution.

Training and Communication

It is not enough to create a guideline only to bury it somewhere in the depths of the corporate intranet. The “roll-out” – that is, the systematic communication, training and implementation of the new rules – is equally important. The success of the policy depends on its being anchored in the company’s DNA. Creating a set of frequently asked questions and answers (“Q&A”) explaining guidelines is often particularly useful. The most important aspects can be explained again in the questions and answers. Add questions employees ask you about the policy. Answer these questions clearly and accurately. This exercise will also help you, as a compliance officer, carefully consider the scope and consequences of the regulations. The best part is: You can continue to update and improve the Q&A over time, which simultaneously creates a record of your consulting activities.

[1] Donald Sull/Kathleen M. Eisenhardt, Simple Rules: How to Thrive in a Complex World.

What’s Next:

In the next episode, we’ll address compliance procedures.

If you are unsure how to set up and run your compliance project successfully, please feel free to contact me.