SMAART comes from Federal Sentencing Guidelines
The United States Sentencing Guidelines for Organizations (“USSGO”) set forth the following minimum criteria for an effective compliance program:
1) Compliance standards and procedures must be established to deter crime.
2) High-level personnel must be involved in oversight.
3) Substantial discretionary authority must be carefully delegated.
4) Compliance standards and procedures must be communicated to employees.
5) Steps must be taken to achieve compliance in establishment of monitoring and auditing systems and of reporting systems with protective safeguards.
6) Standards must be consistently enforced.
7) Any violations require appropriate responses, which may include modification of compliance standards and procedures and other preventive measures.
Despite their years of usage in the literature, the guidelines do not come trippingly off the tongue. Yet, reaching diverse audiences in the corporate world is necessary to convert the goals of the USSGO into real compliance accomplishments. Working SMAART: Systems, Monitoring, Assessment, Accountability, Response and Training spells out compliance risk management in an acronym—at the same time unique and familiar—that facilitates an internalization of the compliance mantra. As with the “New Math,” the new spelling of compliance is more about conveying fundamental material using a different lesson plan than it is a change in basic principles. However, revising the medium at the same time as enhancing the message elevates the Working SMAART framework to a more accessible approach to compliance management than pursuing USSGO standards alone.
As with the USSGO, SMAART provides a framework that affords an institution necessary flexibility to develop a compliance program tailored to its business strategy, organizational complexity, market circumstances, risk profile and resource constraints.
The essential components of a comprehensive compliance management program are:
Systems
Compliance Systems embody the task-specific procedures and controls that ensure business operations are conducted and recorded in a manner that satisfies your legal obligations and fulfills your other compliance core values. Procedures describe the methodology for conducting an activity in accordance with your compliance policy goals and integrating it into the daily functions performed by staff in the course of their business responsibilities. In SMAART, “systems” encompasses the first USSGO criterion that mandates establishing standards and procedures to deter crime.
“Systems” is also where SMAART extends beyond mere law abidance. This component incorporates not only the processes that ensure regulatory compliance, but also directs how staff will go about realizing customer service goals, fulfilling work place quality principles, attaining market peer leadership expectations, and observing corporate ethical standards. Compliance systems must reach all operating facets of the organization and be represented in the initiation of corporate policy at the highest levels of the institution.
Monitoring
Essentially, Monitoring is workflow supervision integrated into daily activities of each department or business unit to assure real-time execution of compliance responsibilities in accordance with program standards. As opposed to system controls that direct line staff actions, monitoring is a form of control used to supervise operational performance. “Monitoring” in the SMAART lexicon corresponds to USSGO criteria 5 and 6 dealing with monitoring/auditing/reporting and consistent enforcement, respectively, except that the notion of auditing is broken out of “M” and given special prominence as its own factor.
As distinguished from auditing, monitoring puts the onus on day-to-day or week-to-week supervisory activity that manages people and processes to assure that they work consistently. This is where your investment in the development of management skills has the greatest return for the organization. Monitoring goes hand-in-hand with Managing. Likewise when you substitute third-party outsourcing for managing your own operations, monitoring is the component of your compliance program that is responsible for conducting due diligence of contractor capabilities and performance.
Assessment
Assessments are periodic reviews of system records or operations to identify regulatory violations and program deficiencies. Regular self-assessments or self-evaluations based on a risk-sensitive schedule of institution operations afford management an opportunity to step back from day-to-day operations and evaluate them against institution policy goals and objectives. The first “A” in SMAART can be roughly equated to the audit requirement of USSGO criteria 5 raised to new significance.
However, SMAART does not restrict its Assessment factor to the formal strictures of either internal or external audit. Rather, it connotes the full range of quality reviews that an institution enlists to provide regular checks that systems and monitoring are functioning at expected levels. Independence of judgment is an important part of such reviews, but even where resource constraints limit the ability of an institution to conduct periodic oversight independently, management and the board can benefit significantly from self-evaluation efforts as long as any inherent bias is acknowledged.
Accountability
Accountability comprises the arrangement of responsibility, authority and reporting that provides direction to staff for implementing compliance policy and apprises senior management and the directors about compliance program performance. The second “A” of SMAART combines USSGO criteria 2 and 3 requiring high-level oversight and carefully delegated discretion.
As part of the Accountability arrangement of most institutions with successful compliance programs is the designation of a management official as compliance officer. Whether institution size or simplicity permits these duties to be performed as part of a larger job description, someone generally must be identified as the compliance officer who serves as the link between board policy goals and staff execution of the program. As vital as the respective roles of directors, management, counsel, accountants, auditors and staff are to effective compliance risk management, the compliance officer serves as the hub around which the spokes of the SMAART program rotate.
Response
Response is the process of addressing consumer complaints, remedying regulatory violations, amending procedures and controls, correcting internal oversight deficiencies, and implementing policy revisions or updates. No amount of monitoring, self-assessment or independent testing is beneficial unless followed by prompt, effective corrective action to eliminate program deficiencies. Response correlates to Rectify in a functioning program, because the ultimate goal is to have a self-identifying and self-correcting compliance process. “Response” reflects the same concepts in SMAART as contained in the 7th criterion of the USSGO.
Nevertheless, Response encompasses more than just remedying the problems arising from lax performance or erroneous behavior. This factor also captures the organization’s ability to React to changes in the risk profile of the institution due to operational or environmental changes. As the corporate entity pursues its business plan and core values, it must be prepared to adjust its course as business opportunities occur and societal constraints demand. Being responsive to these evolutionary pressures without sacrificing your corporate identity or values is an integral part of Working SMAART.
Training
Training covers not only the communication of institution policies, procedures, directives and goals called for by USSGO criteria 4, but also the development and the maintenance of staff compliance expertise. In addition, “Training” in the SMAART framework includes educating senior managers and directors to a broader appreciation for the consequences of emerging compliance issues and the compliance ramifications of operational and strategic business choices.
Training maintains organizational expertise in compliance topics so that managers, professional staff and employees perform at their requisite levels of competence and can identify changing obligations and evolving best practices. Your curriculum and supporting materials must keep up with developments in your compliance systems. Training perpetuates the value-based performance standards that you want to become second nature to employees and emblematic of your compliance culture.
As illustrated above, Working SMAART traces its pedigree to the lineage of the Federal Sentencing Guidelines.