THE Ethics & Com-pliance Initiative’s (ECI) Monitor Benchmarking Group recently released the latest best practices papers designed to provide ethics and compliance professionals insight on important topics. This new report indicates that the use of monitors, by public- and private-sector organizations, is on the rise as a preferred risk-assessment tool.
This guide, authored by leading consultants and chief ethics and compliance officers from a variety of industries, includes information related to selecting a monitor, contracting for monitoring services and completing a monitoring engagement. Simply stated, the report is a practical guide into working with voluntary or in-house monitors. The report provides valuable tips for managing the monitoring engagement in a way that establishes and sustains trust between parties, maximizing value and addressing issues related to the monitorship.
In their findings, the authors recognize that a weak ethical culture can undermine even the most sophisticated system and that culture-based assessment from monitors can help provide a means for addressing risk not considered by traditional ERM or auditing techniques. By hiring a monitor, a company can help ensure the effectiveness of its compliance risk-management efforts and help enhance an organization’s overall ethical culture. Hiring one on a part-time basis may be more cost-effective than employing one on a full-time basis.
In what areas are compliance professionals needed?
• HR—labor law compliance
• Data privacy/data integrity technical department/manufacturing—Quality management/product safety
• Sales/marketing/purchasing/logistics—Ethics throughout the business process/no bribing of private and public sectors—Supply-chain management
Just to highlight the need for the new tribe, let’s look at the new rules imposed by the National
Privacy Commission (NPC) on the private sector:
The NPC issued NPC Advisory 2017-01 to guide personal information controllers and any
natural or judicial person or other body engaged in the processing of personal data, in their designation of data-protection officers or compliance officers. Under the advisory, the data-protection officer (DPO), who must me independent in the performance of his or her functions, shall be accountable for ensuring compliance by personal data controllers or processors with privacy and data-protection laws and regulations. Where a private entity has branches, suboffices, or any other component units, it may appoint a compliance officer for privacy (COP) for each component unit.
And here comes the catch: the advisory also emphasizes that the DPO and the COP must be a full-time or organic employee and should ideally be holding a regular or permanent position. Furthermore, while the functions of a DPO or COP may be outsourced or subcontracted, to the extent possible, the DPO or COP must oversee the performance of his or her functions by the third-party service provider or providers.
I feel that more training and interaction with the NPC are necessary to find solutions that are not overburdening, especially smaller companies. In general, I believe that the tribe called compliance officers with a wide area of responsibilities is needed in organizations. The functions should cover the areas I listed above. In the Integrity Initiative we are
discussing these issues at the moment and will have to link up with organizations like…to find acceptable solutions, including the training of the new “tribal” people.