4 Phases of a Compliance Management System (CMS)

by Sarah Harvey / July 23rd, 2015

According to the CFPB, a “robust and effective compliance management system” is a critical component of the structure of an organization. Best practices define a Compliance Management System (CMS) as a set of interrelated or interacting elements that organizations use to direct and control how compliance policies are implemented and compliance objectives are achieved.

Since the CMS is essentially the foundation of your organization, let’s start from the bottom and talk about how to build and maintain your CMS. What does a “robust and effective CMS” look like? How does the flow of this management system work?

The CFPB defines a CMS as having four interdependent control components: board and management oversight, compliance program, response to consumer complaints, and compliance audit.


Phase 1: Plan

This is where you establish the system’s intent and goals.

  • What do we intend to accomplish here?
      • Compliance with consumer laws?
  • What does success look like?
      • When there’s a systematic process in place?
      • When does clear and effective communication happen?
      • When do all employees understand their roles and responsibilities with regard to compliance?
      • When continuous improvement is happening?
  • Take the time to define your resources. Who will audit? What technical resources are needed?

The Planning phase is where we assess our risks, ranked from the greatest to least. Written policies and procedures should be developed here that are directly tied to any identified risks from your Risk Assessment. Board and Management involvement is critical during the planning phase, to help establish the “tone of compliance” and to be involved throughout the entirety of the process.

Phase 2: Do

The implementation and operation of a Compliance Management System take place during the “Do” phase. Most people think this phase is the CMS; however, it takes all of the phases working together to maintain an effective CMS. During this phase, Management should provide clear support throughout the process.

All employees should be trained on the policies and procedures that you have developed, and documentation of these policies and procedures should be easily accessible to all employees. The Complaint Resolution Program is also developed and implemented during this time and should be included in the policy and procedure documentation.

Phase 3: Check

Monitoring and reviewing what we are doing to maintain compliance within our organization should be a regular and integral part of ensuring that we are doing what we say we are doing. An Internal Audit is a great way to determine this by looking at what our policies and procedures say we are supposed to be doing versus what we are actually doing.

Are there any gaps? Are there any areas of our CMS that need to be improved upon? Are we meeting our pre-established compliance goals? After the internal audit has taken place, Management should review the audit, identify where any action is needed, and provide direction when necessary.

Phase 4: Act

The fourth and final phase of implementing and maintaining a “robust and effective CMS” is all about improving upon what we’re doing and taking any corrective and preventative action that is deemed necessary throughout the process. Be sure to document any areas of non-compliance. Don’t be discouraged by findings! A good CMS WILL find areas of non-compliance, but this is to be considered a good “quality test” and will only further strengthen your CMS. Next, develop an action plan. Write down any preventative and corrective actions that need to take place. Be sure to document in your follow-up that these actions have been completed.

Maintaining a “robust and effective CMS” is an ongoing process. It’s a constant cycle of reviewing and implementing to better strengthen the compliance at your organization.

Are you in need of some assistance in developing your CMS? Are you lacking policy and procedure development?

We can help! Contact us today for help with custom policy and procedure development as well as help assessing your CMS.
