Ensuring Compliance: Tools for the EH&S Toolbox

The number of various federal laws and regulations makes it imperative for an institution to maintain some sort of compliance calendar or other tool to organize and manage the process.

• By D. C. Breeding
• Jul 01, 2013

In the Environmental Health and Safety (EH&S) disciplines, as in many other corporate, business, and institutional functions, the management of regulatory compliance is a chronic concern.

Compliance Defined
In general, compliance means conformance to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the plans that corporations, businesses, and/or institutions aspire to achieve in their efforts to ensure personnel are aware of and take steps to comply with relevant laws and regulations.

In my copy of Webster's Dictionary, compliance is defined as the act or process of complying with a desire, demand, proposal, or regimen or even response to coercion. It also refers to conformity in fulfilling official requirements. Due to the increasing number of regulations and need for operational transparency, organizations are increasingly adopting the use of consolidated and harmonized sets of compliance controls. This approach is used to ensure that all necessary governance requirements can be met without the unnecessary duplication of effort and activity from resources. Compliance may also mean the ability of an object to yield elastically when a force is applied, or the ability or process of yielding to changes in pressure without disruption of structure or function. Compliance can even be seen as the process of complying with an established regimen of reporting, action, or medical treatment.

Regulatory Compliance
Regulatory compliance is the term typically used to describe the policies and processes businesses and organizations have in place to ensure they follow the many, many laws, rules, and regulations put in place by the bodies that control financial activity in a given jurisdiction. Those rules and regulations are designed to ensure that such financial activity in the markets is fair, transparent, and robust, both between the financial institutions themselves (the so-called professional market) and, probably more importantly, when the financial institutions are selling financial services, such as shares, insurance products, or other financial products, to private individuals.

Regulatory compliance also describes the goal that corporations or public agencies aspire to in their efforts to ensure personnel are complying with relevant laws and regulations. This will include retaining data or records useful for the purpose of implementing or validating compliance. It also refers to the set of all data relevant to a governance officer or to a court of law for the purposes of validating consistency, completeness, or compliance.

A key component of regulatory compliance is the variety of policies and processes firms are required to have in place to meet legislation and regulation designed to prevent the use of the financial system for the purposes of financial crime, in particular money laundering. There is probably nothing more damaging to the reputation of a financial institution nor leaving it more exposed to serious regulatory sanction and fines than the suggestion it has been used as a conduit to provide funds used to finance money laundering or, even worse, a terrorist act. Even if the institution is an innocent participant, the very link of its name to death and carnage can be damaging. So the institution needs as much help as possible to identify and exclude known terrorists from its business but also to stand some chance of identifying the criminals who are already inside.

Money laundering is the use by criminals of the financial system to hide the source of their funds gained from illegal activity, such as drug trafficking, bribery, extortion, embezzlement, theft, or other criminal activity, as the criminals try to make their ill-gotten gains appear genuine.

Anti-money laundering is the term used by banks and other financial institutions to describe the various measures they have to combat this illegal activity and to prevent criminals from using individual banks and the financial system in general as the conduit for their proceeds of crime. In all major jurisdictions around the world, criminal legislation and regulation make it mandatory for banks and financial institutions to have arrangements to combat money laundering, with harsh criminal penalties for non-compliance.

Key elements of a sound anti-money laundering and counter-terrorist financing program, many of them required by law and key aspects of regulatory compliance, include:

• Minimum standards and policies, approved by senior management, that clearly set out your philosophy on crime prevention and business requirements.
• Strong "Know Your Customer" checks at customer take-on to identify and exclude known criminals, but also to be sure you know the real identity of the customers you do take on.
• Robust training programs for all staff.
• Processes (very often automated) to monitor the activities on customer accounts to identify suspicious activity and to check incoming and outgoing payments for unauthorized transactions and to enable reports to be made to relevant authorities.
• Retention of customer files and records of transactions for required statutory periods.

Compliance is either a state of being in accordance with established guidelines, specifications, or legislation, or the process of becoming so. Software, for example, may be developed in compliance with specifications created by some standards body, such as the Institute of Electrical and Electronics Engineers (IEEE), and may be distributed in compliance with the vendor's licensing agreement. In the legal arena, compliance usually refers to behavior in accordance with legislation, such as EPA, OSHA, the Sarbanes-Oxley Act (SOX) of 2002, HIPPA (the Health Insurance Portability and Accountability Act of 1996), and a wide variety of other assorted internal and external requirements.

In the financial sector, SOX was enacted in response to the high-profile Enron and WorldCom financial scandals to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise. In the health care sector, HIPAA Title II includes an administrative simplification section that mandates standardization of health care-related information systems.

As compliance has increasingly become a concern of corporate management, corporations and institutions are turning to specialized software, consultancies, and even a new job title, the chief compliance officer (CCO), who is charged with monitoring and documenting company and organization-wide compliance.

Goals, Elements, Structures, Strategies
The goal of business and institutional administrators should be to create a culture of compliance centered on a strong program that addresses and coordinates all requirements with which the institution must comply, pursuant to law, regulation, as well as internal and external institutional policy. Successful models often include:

• Clearly developed institutional policies and codes of conduct
• Effective communication and training procedures
• A formal compliance office
• A program to monitor compliance
• Sanctions or remedial measures for non-compliance

The precise structures and strategies will vary by location, but the resources discussed below can be helpful in this process.

Conducting Organizational Risk Assessments
A comprehensive risk assessment, allowing a business or institution to understand the nature of the risks it faces, is a critical foundation for any effective compliance program. Such a process can help to assess the effectiveness of current compliance controls and identify areas where new or more-effective controls might be necessary. Risk assessments should be performed periodically in order to ensure ongoing compliance with laws, regulations, and policies and to identify new or emerging risks.

So, what is the overworked, under-staffed, and underpaid EH&S professional to do in ensuring complete and timely compliance with the many, many rules and requirements in the EH&S arena? Let's look at one straightforward, simple, and effective tool: the compliance calendar.

The Compliance Calendar
The number of various federal laws and regulations, each with its own reporting dates and requirements, makes it imperative for an institution to maintain some sort of compliance calendar or other tool to organize and manage the compliance process. These calendars and tools will vary by business and institution, depending on many factors such as organizational culture and the difference in state laws.

Compliance calendars are a useful way to track federal and state notice, disclosure, and reporting requirements that arise on a regular basis. It is quite straightforward for the EH&S staff to develop calendars for each individual department and a “master” calendar that reflects such compliance activities across the entire location. The first step in developing these schedules is to reference the detailed compliance calendars available online, then eliminate particular items that are not applicable to your specific situation. Then, research and brainstorm into the regulatory requirements on both the state and federal levels. With this information, you can develop draft calendars and then work with compliance liaisons in each department to fill in any missing element.

Examples of Compliance Calendars:

• Catholic University: http://counsel.cua.edu/thebasics/compliance.cfm
• Washington and Lee University: http://counsel.wlu.edu/tutorial/ComplianceCalendars/ComplianceCalendars.html
• Texas A&M University: https://www.tamus.edu/assets/files/legal/pdf/Compliance%20Calendar.pdf
• North Carolina State University: http://www.ncsu.edu/general_counsel/legal_topics/compliance/documents/NCSTATECOMPLIANCEREPORTINGCALENDAR_003.pdf

How to Construct a Compliance Calendar
Constructing your compliance calendar can be as simple as writing it down by year and month on paper, readily constructing a column and row matrix in a spreadsheet, or as complex as purchasing proprietary software applications from commercial vendors or using programmers to develop a custom application for your business or institution. Your compliance calendar can be a strictly comprehensive or it can simply highlight the major reporting deadlines and schedules for your business or institution.

Whichever alternative you select, it is critical to be thorough in gathering together the details of your compliance requirements and their reporting deadlines and compiling them in a brief, organized manner into the calendar format. Monitor the compliance deadlines closely to ensure that appropriate reporting actions are prepared and submitted accordingly, and voila -- you, too, can achieve reasonable compliance.

This article originally appeared in the July 2013 OHS issue of Occupational Health & Safety.