Editor’s Note: This is the seventh post in an ongoing series on Codes of Conduct by Jason Lunday. Follow this link to view all of Mr. Lunday’s articles in his Codes of Conduct featured column series.
While a little understood element of process management, monitoring serves as a powerful tool to ensure that ethics and compliance processes continue to work and improve.
Ethics and compliance monitoring is a clear expectation but has not been well defined, leaving many companies at a disadvantage in understanding how to effectively incorporate it into their ethics and compliance management efforts.
Unlike other recommended ethics and compliance activities, monitoring (and auditing, as well) is less of a defined, discrete activity and more a part of a management process. It needs to be designed to fit and incorporated into each activity. Without strong monitoring techniques, ethics and compliance processes are likely to fail or fall out of date as external changes antiquate a business process.
Monitoring has become a basic expectation of ethics and compliance management. The U.S. Sentencing Guidelines include ‘monitoring and auditing’ among the principal components of a recommended compliance and ethics program.
The Guidelines state: “The organization shall take reasonable steps…to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct.”
The Guidelines continue: “The organization shall take reasonable steps…to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct,” including “monitoring through regular ‘walk-arounds’ or continuous observation while managing the organization.”1
Along with the Guidelines, other ethics and compliance management frameworks include ‘monitoring’. The U.S. Department of Health and Human Services’ model compliance programs for healthcare-related companies also include monitoring. This framework encourages “the use of audits and/or other evaluation techniques to monitor compliance and assist in the reduction of identified problem area.”2
The COSO risk management model places ‘monitoring’ as a critical management activity. It lists ‘monitoring’ as one of five principal components of good risk management and control practices. COSO looks to monitoring to help ensure “that internal control continues to operate effectively.”3 While the U.S. Department of Justice’ prosecutorial guidelines for organizations do not mention ‘monitoring’ specifically, their description of what may constitute an effective compliance program appears built on an organization’s ability to identify and take action regarding non-compliance with its standards – in short, monitoring.4
Still, as addressed above, these expectations do not provide much detailed guidance as what makes for good ‘monitoring’. In fact, in the recent BAE Systems plea agreement with the U.S. Department of Justice (DOJ), ‘monitoring’ as a term is not used at all. In the agreement, what the DOJ does expect are “internal controls, policies and procedures.”, “effective review and approval,” and “periodic testing of the compliance systems, policies, and procedures designed to evaluate their effectiveness”, expectations which monitoring may address.5
Another well-known model provides a more expansive perspective on ‘monitoring’. The Open Compliance and Ethics Group’s (OCEG) “Red Book”, a framework for ethics and compliance management, uses the term “monitoring” in a broader context that includes regular review of an organization’s external and internal changes that may impact a business process, in addition to review of a process’s activities to ensure compliance with its objectives. This OCEG framework on guidance about evaluating an organization’s external and internal factors helps to ensure that a process does not become victim to outside changes, leaving it ineffective. However, with regard to monitoring as part of a discrete process, the OCEG framework does not elaborate much.6
Perhaps because of this lack of detailed guidance on ‘monitoring’, companies continue to grapple with this issue and how to effectively address it. A 2009 PricewaterhouseCoopers publication states that “few have had true success with establishing real-time, proactive monitoring programs that allow them to get ahead of issues and violations, reduce costs, and drive operational excellence to enhance compliance and create a competitive advantage.”7
One reason for this difficulty may be because the Guidelines’ include monitoring among other discrete ethics and compliance activities, such as promulgation of standards of conduct, education of employees, development of a whistleblower channel – activities that are unique processes unto themselves. But monitoring is not intended to be a discrete business process; like auditing, ‘monitoring’ is intended to be an important part of an integrated business process, whether the process addresses an ethics and compliance activity or any other business activity. As COSO addresses it, monitoring is an integral part of process management and improvement. Its purpose is to help provide the reasonable assurance that a process is effective.
Because of the confusion between monitoring and auditing, it is helpful to distinguish between the two. Monitoring tends to occur within the activity’s operational structure and closer to the underlying activity’s occurrence. It may be conducted by operational management or involve an expert outside of the operational line where the expertise does not exist within the management structure.
Auditing generally describes activities that occur further after the fact by parties more independent of the respective operational management, such as an Internal Audit staffer or external auditors. While auditing may occur far after the fact to allow for the problem to be corrected, it may do better at ensuring that operational management effectively manages the business activity. Monitoring allows for early identification and correction before a problem festers and causes the company to be in non-compliance.
Examples of Monitoring
- Pre-activity approvals
- Transaction reviews, such as travel expense reports
- Reviews of in-process quality checks and outcome data
- Review of staff-completed checklists
- Listening to or reviewing recorded customer service intake calls
- Attending sales presentations
Monitoring and auditing are essential to verify that a business activity actually works and continues to do so. A process’s design should consider both monitoring and auditing in process design and improvement to ensure the most effective overall internal control solution, while still making certain of an independent, objective audit.
So, a distinction between monitoring and auditing is important to ensure that operational management cannot improperly bias or overrule the audit of an activity; in this regard, higher leadership provides an effective check to ensure that while the audit remains independent, monitoring and auditing function in tandem efficiently and effectively.
The U.S. securities industry has developed a helpful framework that includes monitoring. FINRA, the financial regulatory authority, requires all of its member firms to maintain written supervisory procedures (WSPs) to ensure that business activities are regularly monitored for compliance with exchange rules. These WSPs are completed by supervisors, often with advanced supervisory credentials.
In addition, firms also must maintain supervisory control procedures (SCPs) that document how the WSPs will be reviewed and/or verified. This industry’s approach essentially establishes secondary and tertiary means to control manage a business activity. Slowly, other industries are building approaches similar to the securities industry that ensure that a business process is checked and double-checked to identify, assess and respond to errors and other variances that would otherwise thwart compliance with an activity’s procedures.
The following is an overall approach toward understanding what monitoring is, its value as part of a business process and how to integrate it into an activity.
Monitoring serves numerous goals. At its most basic, it helps to ensure that a business activity is taking place and actually works – that the expected outcomes are occurring. In this regard, it is an effective tool to identify, review and determine how to handle variations to the expected outcomes that may not have been initially identified. Variations will always occur, and so any good process needs a way to capture and handle them.
Monitoring also identifies intentional deviations, such as when an employee purposely seeks to stray from a defined process for his or her own benefit. In doing this, monitoring reinforce that management is watching and taking action when problems occur. Monitoring helps to improve the process’s accuracy, efficiency and effectiveness as it captures possible or actual failures. It also helps in documenting a process’s existence, operation and oversight – and in reporting on the process’s outcomes – so that the company can demonstrate the process works and is effective.
Finally, as addressed in the OCEG model, monitoring of a process’s external environment (i.e., the organization’s external and internal changes) helps to ensure that the process can adjust to these changes.
Monitoring can occur prior to, during or after a business activity takes place. Common pre-activity monitoring includes, for example, a management approval, such as for high-risk activities like offering expensive gifts to customers. After-the-event monitoring may be reserved for activities that are less risky and/or that occur frequently; while it cannot head off problems specific to a single transaction, such monitoring stresses that management is watching over the activity, especially when management regularly queries staff about how transactions were conducted.
Monitoring may occur during an activity, such as a complex set of procedures where management previews certain intended actions while it reviews just-completed ones. For instance, during a prospective consultant due diligence process, management may review the outcome of staff’s initial screening while previewing staff’s evaluation of the consultant’s response to a questionnaire. Or management may sit in on a sales presentation to ensure accuracy of presented data.
Monitoring includes some portion of an activity’s occurrences. For the most sensitive activities, monitoring may involve each transaction. Or it may act as a ‘spot check’ in looking only at randomly selected transactions. Management may determine to review process exceptions with the assumption that they pose the greatest risk. Or it may develop a more sophisticated way to evaluate higher-risk transactions, such as those that occur in certain demographies, by certain staff members or with other select parameters.
For example, management may decide to more closely monitor hotline calls from staff with a pattern of errors. A complex monitoring program may include a variety of these approaches.
While operational management needs to assume accountability for an activity’s oversight, who actually conducts the monitoring can vary, largely based on the activity’s sensitivity and staff’s requisite competence. For instance, management may delegate monitoring to staff not directly involved in an activity, who then report results back to the manager. This is more likely to occur for routine transactions with lesser risk and where staff can be appropriately trained. In the most sensitive situations, management will want to reserve monitoring for itself.
What is important is ensuring that the choice of who monitors still provides effective oversight of the activity. COSO indicates that good process management includes “an effective organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity and authority.”8
Metrics are an important part of any business process and critical to monitoring. The monitor must be able to determine whether an activity meets, comes close to or fails to meet its goals, and the responsible staff should be able to do the same. If an activity fails, the monitor needs to know the extent of the failure and, if possible, the reason why.
Also, metrics help the monitor to know whether an activity is improving when the metrics improve (or visa versa). Even results that achieve but come close to missing objectives provide value, and monitoring of these metrics ensures that management can take appropriate action with this data.
Monitoring helps management to affect changes when an activity does not meet or is at risk of not meeting its intended results. This step is pivotal in process management. Unaddressed failures or other deficiencies not only weaken a process, they also can create unexpected liability if regulators or others determine that the company did not take reasonable measures to achieve compliance.
This means that the outcome of monitoring must be more than identifying actual or potential non-compliance; it must lead to management taking actions that correct the non-compliance risks. Knowing that it will report results of monitoring its activity also encourages a company to both monitor and make appropriate changes.
A monitoring outcome also may include identifying changes to the underlying activity or external environment that may require changes to the activity to ensure continued compliance. Take the situation where the number of calls to a company’s hotline quickly decreases in a given month. This change may signal a shift in demographics, employee opinions or other issues that may require a change in the hotline communication or call intake process.
What monitoring steps should be included and how they should be designed and conducted depend on various determinants, including:
Other determinants may also be appropriate depending on the underlying activity.
Finally, monitoring should work hand in hand with auditing. It should benefit from the outcome of internal or external audits. Audit findings are intended to correct or improve a process, and part of this correction can include a process’s monitoring steps. Just as monitoring provides a valuable benefit to an activity’s correction and improvement, process audits provide the same benefits to monitoring steps.
Given all of this information, the challenge then is for management to implement monitoring steps that best meet an activity’s needs. The intent is to develop, implement, maintain and improve monitoring practices so that they provide effective oversight of an activity as efficiently as possible. For starters, a process may not need a sophisticated monitoring plan at the beginning; it likely can start with basic monitoring steps as the process gets underway. In fact, a new process may be best served by very basic but active monitoring in the early stages to ensure that the basic process steps are followed and to identify glaring variations. Management also can simplify development of monitoring steps by using standardized templates and other materials that can then be customized to a process to train employees, serve as reporting tools and invoke correction actions.
Some ways that monitoring may be modified include the following:
This is a means by which a responsible individual or group – such as operations staff – monitors and reports on its own performance. Self-monitoring seeks to create greater accountability among the responsible parties and, in turn, reduce the need for monitoring by others, like management. Auditing can be used as a check to ensure that the self-monitoring actions are performed as expected and not otherwise compromised. Still, even with self-monitoring, it is reasonable that management will want to perform some monitoring to provide greater assurance that the self-monitoring efforts are working, or for high-risk activities.
This is a means by which monitoring is made an ongoing activity versus a periodic, discrete one. According to KPMG, “Continuous monitoring (CM) is a feedback mechanism used by management to ensure that controls operate as designed and transactions are processed as prescribed. This monitoring method is the responsibility of management and can form an important component of the internal control structure.”9
Continuous monitoring is likely to employ automated technology in order to simply and mechanize it. Continuous monitoring is a concept that is perhaps most helpful to those companies that conduct only occasional process monitoring. KPMG also discussed how continuous monitoring seeks to review disparate data from multiple processes to weave together an otherwise unknown perspective on potential risk to the business activity.
Next to the existence of a regimented process itself, monitoring is perhaps the best tool to ensure that an activity meets its objectives. So, it is wise to use monitoring to a process’s strategic advantage. In this regard, it is important to adjust monitoring steps as the process evolves and apply risk-based methodology to monitoring so that it is both efficient and effective and does not lead to ‘overkill’.
In short, ensure that monitoring remains as dynamic to the process itself to get the greatest value from it.
1 Guidelines Manual, U.S. Sentencing Commission, November 2009, pp. 504, 506.
2 The Department of Health and Human Services’ Model Compliance Program is listed in the Federal Register, Vol. 63, No. 35, February, 23, 1998.
3 Guidance on Monitoring Internal Control Systems, Committee of Sponsoring Organizations of the Treadway Commission (COSO), January 2009. Identifies more detailed guides on monitoring. Also note that the ‘monitoring’ component of this model also includes auditing activities.
4 “Principles of Federal Prosecution of Business Organizations,” Title 9, Chapter 9-28.000, U.S. Department of Justice, August, 2008.
5 United States vs. BAE Systems plc, Plea Agreement, Appendix D, (letter from U.S. Department of Justice to Lawrence Bryne, Esq., Linklaters LLP, February 2, 2010)
6 GRC Capability Model “Red Book” 2.0, Open Compliance and Ethics Group (OCEG), April 2009.
7 “How pharmaceutical and life sciences companies can improve monitoring techniques to anticipate and mitigate compliance risk,” Global Pharmaceutical and Life Sciences Industry Group brochure, PricewaterhouseCoopers, 2009.
8 Guidance on Monitoring Internal Control Systems, COSO.
9 “What is Driving Continuous Auditing & Continuous Monitoring Today?,” KPMG Intl. Cooperative White Paper, 2010.
Jason Lunday is principal consultant with The Ethical ElementTM, a professional services firm based in Washington, DC.
Jason has worked in the ethics and compliance field for over twenty years, both inside companies and as a consultant to them. His work has involved supporting corporate values initiatives, developing and revising codes of conduct and related policies, conducting organizational risk, culture and program assessments, developing and delivering live training, building monitoring systems and auditing compliance systems and activities.
He has worked in or consulted with companies in a broad range of industries, including banking and insurance, manufacturing, industrial and consumer products, utilities and energy, healthcare and telecommunications.
Noteworthy experience includes:
Jason’s past experience includes director of ethics and compliance at Premier, Inc., consultant in Arthur Andersen’s Ethics and Responsible Business Practices Consulting group, compliance analyst at Goldman, Sachs & Co., senior consultant in the Ethics Resource Center’s Advisory Services group and knowledge leader at LRN Corp. In addition, he has authored/co-authored numerous articles and papers on business ethics issues.
Jason holds an MBA from the University of Virginia’s Darden Graduate Business School, with a focus in business ethics and organizational behavior, a BA also from the University of Virginia and additional business coursework at the New York Institute of Finance.
Jason can be contacted via email at: jason.lunday [at] ethicalelement [dot] com. Follow the link to view Jason’s Code of Conduct featured column on CCI.