Five Compliance Best Practices for … Conducting a Compliance Gap Analysis
As an accompaniment to our biweekly series on What Every Multinational Should Know About various international trade, enforcement, and compliance topics, below is an update to our series on compliance checks that every multinational company should consider. Give us two minutes, and we will give you five suggested compliance best practices that will benefit your international regulatory compliance program.
Conducting a compliance gap analysis is essential for identifying areas where an organization’s compliance program may fall short of regulatory requirements or industry standards. A good way to think of the compliance gap analysis is that it completes the process started by the organization’s risk assessment; the risk assessment identifies the risk, and the compliance gap analysis then considers whether the organization’s compliance policies and internal controls address those identified risks.
If your organization has not conducted a compliance gap analysis in the last two years (hopefully alongside a new or updated risk assessment), then it should strongly consider doing so. Here are some best practices for most multinational companies when conducting a compliance gap analysis:
- Establish the Scope of the Compliance Gap Analysis: Determine the scope of the gap analysis, including the specific regulations, standards, or requirements to be assessed as well as the business processes, functions, or locations to be included. At a minimum, any multinational organization should be assessing items relating to its core compliance policies and high-risk areas such as anticorruption, economic sanctions, supply chain risks, and other areas that have been identified as special compliance concerns at your organization.
- Gather Relevant Documentation: Collect and review relevant documentation related to the organization’s ethics statements, compliance program, policies, procedures, internal controls, compliance training materials, and previous compliance audit findings. You should pay attention to local compliance policies as well, to evaluate whether your organization’s various compliance dictates form a coherent whole.
- Evaluate Compliance Policies and Internal Controls Against Likely Core Policies: Once you have gathered the universe of in-force compliance policies and internal controls/SOPs, you should evaluate them against a list of core and suggested compliance policies (which Foley can provide at no charge, upon request), as a starting point for determining whether your multinational company is addressing areas that most regulators would consider minimum standards for a multinational organization.
- Engage Stakeholders: Involve key stakeholders from across the organization in the gap analysis process, including compliance officers, legal counsel, internal auditors, business unit leaders, and subject-matter experts. Interview relevant personnel and stakeholders to gather insights into the effectiveness of the compliance program, identify potential gaps or weaknesses, identify problematic compliance areas, and solicit feedback on areas for improvement.
- Compare Current State to Desired State: You should compare the organization’s current compliance practices, controls, and procedures to the desired state defined by regulatory requirements, industry standards, and the risk profile of the organization. Once compliance gaps are identified, you should develop an action plan to address those gaps and deficiencies. The action plan should define specific tasks, timelines, responsible parties, and resource requirements for implementing corrective actions.
By taking these five steps, your organization will be able to identify compliance gaps and implement corrective actions to close those gaps and strengthen the organization’s compliance program.
If you have questions or concerns about this article, please feel free to reach out to any of the authors or your Foley & Lardner attorney.