Opinion | Recommendations for implementing a compliance program in large companies

27 Dec, 2024 | Noticias-en, Opinions

Starting from the premise that a compliance program must be implemented according to the size and characteristics of the organization, we will now make some recommendations for its implementation in a large company, which, due to its focus and complexity, varies significantly from that of a small company.

Firstly, and considering that large companies usually have greater resources available, we recommend that, in addition to dedicating financial, technological and human resources, through the participation of specialized teams during its implementation, the governing body and senior management demonstrate a commitment to the culture of compliance, sufficiently visible to generate awareness at all levels of the organization, through awareness-raising, sensitization and training programs.

Likewise, considering that a large company could have a higher degree of exposure to risk, as a consequence of the volume or complexity of its operations, it is recommended that, as a starting point, and prior to the identification of the activities, operations and/or processes exposed to risk, the following methodologies be developed ad hoc for the organization:

  • Risk assessment: which takes into account the risks inherent to the organization’s activities, with criteria for determining the level of impact and probability that consider the nature of the business, its economic environment and the influence on the fulfillment of strategic objectives.
  • Control evaluation: which measures the level of control strength, considering, for example, the degree of automation (manual or automatic), the nature of the control (preventive or detective), the ability to circumvent the control (vulnerability) and the frequency of execution of the control.
  • Review of controls: to ensure an adequate control environment, through guidelines that allow the development of control monitoring plans that contain specific actions and lines of defense aimed at properly managing the supervision of previously identified controls.

As you can see, large companies will not only have a higher degree of sophistication during the implementation stage of a compliance program, but also during its operation, since, compared to a small company:

  • Risks and controls will be reviewed at shorter intervals.
  • Higher levels of reporting of the results of the different model reviews will be established.
  • More frequent and more specialized communication programs will be required.
  • Codes, policies, procedures, action guides, manuals, protocols and/or instructions will be developed for specific risk areas.
  • Increased internal controls will be implemented.
  • The use of technologies for monitoring the program and access to the reporting channel will be assessed.
  • Compliance programs will be integrated into the organization’s various processes.
  • The model will be flexible enough to grow with the organization (scalable).
  • The appointment of an internal auditor will be evaluated.
  • The governing body or senior management, as appropriate, will need to appoint a compliance program officer with autonomy, authority and independence.

In conclusion, the implementation of a compliance program in large companies must be adapted to the specific characteristics and dimensions of the organization, considering aspects such as operational volume, exposure to risks and complexity of its structure.

For this, the involvement of corporate governance is key, since it must lead and promote the implementation and supervision of the compliance program, in addition to ensuring compliance by acting in an ethical and responsible manner.

In addition, it is essential to create customized methodologies to evaluate risks and controls and to review them constantly, thus ensuring a solid control environment.

By Jorge Luis Hurtado, Deputy Manager of Legal and Regulatory Management at Redinter.
