It’s important to start by explaining what the Product Compliance department does. The Product Compliance department oversees and ensures that the business makes sound operating decisions while always complying with the regulations imposed by each jurisdiction in which it operates. This department is responsible for knowing and understanding which regulations and technical requirements apply to the product, and for determining the best way to ensure compliance with those requirements. Given the complexity of the current regulatory environment, a good Product Compliance department must have in-depth knowledge of laws and regulations. On the other hand, it must also be the expert in defining and implementing Compliance plans, and in using methodologies and tools that facilitate and streamline product development and certification.
BASIC ASPECTS AND TOOLS FOR AN EFFECTIVE PRODUCT COMPLIANCE DEPARTMENT
The Product Compliance department must ensure that the company complies with current legislation and prevent any regulatory infringement from being committed, thus safeguarding both its continuity in the market and its reputation. But what exactly does it need to do?
1. Define the objectives
When defining a compliance plan, the first thing to do is to establish the objectives. The UNE-ISO 19600:2015 Standard (the Spanish adoption of ISO 19600:2014, since superseded by ISO 37301:2021) is an international reference applicable to any company that offers guidelines for implementing, evaluating, maintaining, and improving a compliance management system. Product Compliance professionals shall communicate that Compliance encompasses the entire organization, and shall demonstrate the organization’s commitment to comply with regulations, including legal requirements, industry codes and standards. This is especially true for organizations operating in regulated areas such as banking, electronics, or gaming. For any for-profit organization, Compliance is the backbone of building the right image, brand, and business value.
The evolutionary cycle in Compliance is outlined in the following graph:
2. Creating metrics and dashboards
To know whether the compliance objectives are being met, metrics shall be used, and that means defining a series of indicators. The purpose is to be able to assess whether the defined control measures are effective or not. Some example indicators are time to market, the number and/or severity of quality concerns or issues identified, on-time deployment, and budget adherence. These indicators give a very quick view of the control environment for each process, which in turn makes it possible to know the status of the compliance plan in real time. This allows the Compliance department to know the current risk status, communicate it to the business stakeholders, and design an improvement plan if necessary. The Product Compliance team must also instruct and guide the business regarding the various regulations, technical requirements, and specific controls that the products must undergo. Thus, when management has doubts about whether a certain action or functionality is in accordance with a specific regulation, the Compliance team shall provide clear guidance to resolve the question.
3. Use risk and management analysis methods
There are various qualitative and quantitative methodologies for analyzing and assessing risks according to their impact and probability. To this day, many companies continue to rely mainly on qualitative techniques, assessing risks through ratings supplied by the people responsible for each process. The problem with these techniques is that the result of the assessment is subjective: each person in charge indicates, according to their own criteria, the impact and probability of occurrence of each identified risk. The most difficult part of analyzing these risks is prioritizing them and deciding which ones should be addressed first. In addition to identifying risks, the Compliance department must anticipate the regulations that the product will be subject to, or that are about to be implemented, in the targeted jurisdictions. Along with this, preventive work must be done, which involves establishing controls to protect the business from the risks that these regulations may pose in the future. For example, if the product is going to be launched in a new market, the legislation applicable to each type of product in that market will have to be identified and fully evaluated in advance. This ensures that the product can be adapted to the new market with little friction.
4. Collect and evaluate evidence
In the event of an issue identified in the field, a good compliance program must be designed in such a way that it can demonstrate that controls existed to prevent it. At the end of the day, Compliance is an internal detective with the capacity to conduct a thorough investigation, report the outcome, and provide suggestions on how to prevent a recurrence where possible. After the investigation is completed, the Compliance department must be able to report the issue externally, clearly and concisely and as required, including any solutions or suggestions for moving forward. Another function of the Compliance area of an organization is to monitor and report on the effectiveness of the controls put in place to limit the company’s exposure to non-compliance risk. That is, it must analyze whether the controls that have been implemented are actually working. Maintaining a bug tracking system is a highly effective way to preserve evidence of the work performed and the resources used during development and SQA, so that the trail of decisions and verifications can be reconstructed later.
5. Independence and segregation of duties
To prevent a single person or department from carrying out tasks that could lead to non-conformities, it is advisable to segregate duties within the organization. One quick and easy way to do this is through a matrix of departments and tasks in which incompatible combinations are defined. For example, the person in charge of developing the software should not also be the one verifying its quality in the SQA process, nor the one defining the methods used for independent verification in the field. What must be avoided is one person or department holding overlapping roles within the same process flow, because when this happens it is easier to skip important steps and compromise the final product. Segregation of duties ensures that there is no conflict of interest.
For the exclusive function of Product Compliance to be carried out effectively, three fundamental units must be involved:
1. Supervision: This is where internal audits come in. Its main function is to oversee all the independent units, including Compliance itself.
2. Control Unit: This is where Product Compliance sits. It is the unit that evaluates the risk controls and their effective application to the business, checking that the risks assumed stay within the limits defined by the stakeholders.
3. Base: This is nothing more than the business itself. It is the operational unit responsible for carrying out the development of the products.
Some of the potential outcomes of the Compliance risks are:
a. Financial fines and sanctions due to administrative or technical failures.
b. Loss of reputation. One of the greatest assets of a company is its brand and reputation, which is built on trust. A compliance scandal may be publicly disseminated and, consequently, cause incalculable damage to the image of the company.
c. Financial losses that go beyond the payment of penalties to include lost profits. Bad commercial practices can lead to compensation payments to clients and, very often, to losing their business altogether.
What we have summarized here are the main methods and tools that a Product Compliance department needs. There are many more, and we could write hundreds of pages on them. However, there is one aspect I must mention, as it is my favorite part of a Product Compliance department: ‘Always look at the big picture, because the devil will be in the details.’