- A policy management system to ensure that everyone knows the rules they need to abide by;
- A location for disseminating training and communications about the policy;
- A system to require managers to certify that they have trained their teams and will comply with the policies;
- A register for gifts and entertainment, which will allow approvals to be given and reporting to show where issues may lie;
- A system to manage the screening and monitoring of third parties, which are often the conduit of indirect bribes.
It is often the case that you will be looking for a solution to whatever issue is currently most pressing. When selecting a technology solution, however, it is wise to consider the functions you may need in the future as well as those you need today, either in terms of new compliance programs or building out the current program. The worst solution is to have a number of independent systems managing different aspects of what should be a single compliance program.
It is rare that a full suite of compliance tools will run without any interaction with your existing systems. Regardless of where the system is hosted, you should consider whether you could benefit from integration with:
- Human resources systems to ensure new users are added and old ones removed;
- Authentication systems which allows for a single sign-on to simplify the log-on process for users;
- Enterprise resource planning (ERP) systems to ensure new partners are effectively screened;
- Travel and expense systems to support gifts and entertainment tools;
- Learning management systems (LMS) to support central recording of training.
Once you have determined the type of data to integrate you should then consider the level of integration which can often have a significant cost implication. Types of integration include:
- Manual uploads using a defined template;
- Manual or automated file transfers using a secure protocol over the internet;
- Fully automated transfers on demand via an application programming interface (API)
Decisions on the automation and level of integration require a cost-benefit type review to weigh the time and resources of a manual process versus the cost of building and maintaining an automated process. Vendors should be reviewed not only on the integration options they provide, but also on their flexibility in allowing integration to grow as you better understand your processes.
So how do you actually go about implementing software to support your compliance program? The first step is to gain commitment. This includes commitment from executive management as well as those who will be involved in the process. To achieve this you must be clear about the risks and obligations that the system is being designed to manage and focus on how the system will support the strategic goals of the organization. Having issues such as those surrounding GSK and Sinopharm fresh in the minds of your senior managers can help.
Additionally, there also needs to be a consideration of the question of whether to build or buy. You will need to think about your company culture, budget, size and geographic locations, and whether you have the necessary resources to complete an internal build project. If you are able to build internally, you will need to ensure that there is a plan to meet the challenges of supporting and maintaining software once the initial budget has been exhausted. Should you decide to purchase a system, test the market and select a vendor who understands the goals of compliance and has built a flexible system that allows you to fit their software around your processes.
The next stage is to implement your system. This entails more than the basic parts of designing the processes, purchasing or building the system then implementing and testing the processes. The key element, which is often overlooked, is communication, since a major risk for any system is that people won’t use it. A clear strategy for communications is required, and it must include a detailed training program (either in the classroom or online) that covers the reasons for the system (e.g., corruption or health and safety) and when the system will be available as well as how to use it.
The final stage of the system implementation is to ensure that the technology is actually being used. This can be achieved in a number of ways, such as monitoring access to the system after the rollout, reviewing the information entered into the system and asking users for their feedback. Where issues are found, a review will need to be conducted to understand the root cause – whether the processes were not well designed, the communications were ineffective or the technology was not suited to the needs. In each case remedial action should be taken on each of the causes so that the system and programs do not fail or be seen as failing.
The last review that needs to be carried out is to establish whether the overall system meets the goals set out in the planning phase. This might consider things such as whether the budget was sufficient, whether the technology choice was appropriate and whether the risks and obligations have been managed.
It is clear then that software systems can, and should, be an integral part of solving compliance challenges. The key to making them work, however, is ensuring that the software is selected and configured to fit the program rather than the other way around, and not ignoring the soft skills of management buy-in, communications and training.