Compliance Management: The 12-Month Compliance Challenge Episode 5: Compliance Processes – Establishing the Framework

Published: 22 Nov 2021

In episode 4 of this series, we saw that guidelines – often called "policies" – are the backbone of a CMS.

What exactly are “processes”?

If guidelines provide necessary structure and mark the expectation horizon, processes transform business operations into a defined sequence of steps.

In general, a distinction is made in business processes between leadership or management processes, the value-creating core processes directly related to the company's products or services, and supporting processes. The last category includes risk analysis processes and, therefore, compliance processes. Regardless of how detailed the process descriptions are, they should depict processes and tasks within the company as clearly as possible, and specify that they are binding.

Ideally, business processes – and thus compliance processes – should be described so that the reader understands how processes and tasks within the company are currently running ("existing processes") and how they should run ("target processes").

Describing Processes

Charts can often be useful in depicting processes. There are software programs (such as Visio or Lucidchart) that can help visualize processes, but for less complex processes PowerPoint shapes do the job, too.

In any case, well-known and reliable systems should be used to create the visual. For years now, the Object Management Group Inc. ("OMG") has been defining and standardizing the basic elements of process description and the procedure for process modelling (see

Standard Operating Procedures (SOPs) are a common way of implementing processes. SOPs generally describe the following: (1) the aim and purpose of the process, (2) its application, (3) the process itself, (4) who is responsible for it, (5) how the process is documented, and (6) steps for monitoring the process, if applicable.

Typical Regulations

Descriptions of compliance processes typically define roles and responsibilities which can be used to better manage and control especially critical (i.e., risky) activities.

The implementation of compliance processes can be illustrated by the example of interactions between the pharmaceutical industry and healthcare professionals. During such activities (training events, speaking or consultancy contracts, sponsoring, donations, etc.) compliance must be ensured with all requirements of competition and anti-corruption laws and rules of industry codes. A compliance officer will therefore carefully consider how he or she should approach this task (aside from standard approaches such as training and the preparation of contract templates) and pay particular attention to the following issues:

  • Description of roles and responsibilities (who is responsible for preparing the necessary paperwork, including a complete and accurate description of the cooperation arrangements and the need for them)
  • Regulation of the "double check principle" and approval by the Compliance Officer
  • Implementation of the separation between medical/scientific functions and marketing/sales
  • Evaluation of how services are provided
  • Prerequisites for invoicing and payment as well as integration into order and payment processes
  • Documentation requirements
  • Implementation of control and review measures ("monitoring")

An important reminder: Involve stakeholders early on!

When establishing processes, it is, as always, vital to involve as many relevant departments and players in the development as possible, for example in workshops using the brown paper method (processes are drawn on (originally brown) paper stuck to the wall).

Training and Communication

As with guidelines, systematic communication and training are essential to the implementation of compliance processes. In addition, make sure that you regularly adapt your processes and keep careful track of versions (V 1.0, V 1.1, etc.), so that you always understand the big picture!

What's Next

The next episode continues with the topic "Management’s Commitment and Obligations".

If you are unsure how to set up and run your compliance project successfully, please feel free to contact me.



Stephanie Trossbach

Firm: Catus Law + Compliance
Country: Germany

Practice Area: Compliance

  • Thurn-und-Taxis-Platz 6 (Nextower)
    Frankfurt am Main
