Infinit-O’s Compliance Program is necessary because it:
Identifies and prevents risks and issues;
Assists in adhering to regulatory requirements and IO's Policies and Procedures;
Maintains and promotes high-quality service; and
Strives to promote the use of best practices in management and board governance.
Infinit-O’s Compliance Program applies to
Vendors
Contractors
Consultants
All staff (Job Grade 1-4)
Board of Directors
What must employees do:
Act efficiently;
Act as a team;
Identify ways to do things better in a department/project and take action; and
Report problems immediately to your supervisor, directly to the Compliance Director or the Chief Compliance Officer, or take advantage of our anonymous compliance channels.
Objective:
The goal of the Organization’s compliance program is to establish a structure for achieving effective compliance within the organization.
The organization's compliance efforts are aimed at the prevention, detection, and resolution of risks, non-conformities, and challenges.
Align members of the organization with the company's compliance requirements and expectations.
Maintain or exceed a compliance score of 90%.
Scope:
It shall cover the compliance requirements revolving around the organization's quality management system, which includes adherence to IO's Policies and Procedures. It shall in turn place the following personnel under its coverage:
Employees
Leaders
Vendors/Clients
Rationale:
Drawing on the best practices that different organizations use to ensure compliance within their own companies, the following elements of an effective compliance program were identified:
Written policies and procedures
Designation of a Compliance Officer/Committee
Training and education programs
Open lines of communication to the responsible compliance position
Disciplinary policies that encourage good-faith participation
A system for routine identification of compliance risk areas
A system for responding to compliance issues
Key Roles and Responsibilities:
The Organization's compliance program starts with its board of directors, who must ensure that the Organization operates in compliance with applicable national and local laws and regulations. The board of directors provides direction to our CEO, who sets the tone for the Organization's compliance activities.
Relevant department heads work to ensure the Organization has the appropriate policies, procedures, and processes in place to minimize its risk and further the Organization's mission to provide quality service to its interested parties.
Compliance Lead and Quality and Information Security Coordinator shall conduct the necessary planning, implementation, and review of the compliance program.
How do the industry's key compliance steps map to IO's compliance activities?
Provisions:
WRITTEN POLICIES AND PROCEDURES
The written compliance policies and procedures provide a clear explanation of the Organization’s compliance and quality goals and provide clear and understandable mechanisms and procedures designed to achieve those goals in compliance with national, local, and other program requirements and standards.
The Organization has specific, individual policies for an array of matters. In addition, the Organization’s policies and procedures are available online at the IO MyHR site.
ANNUAL WORK PLAN
Every year, the Compliance lead and QIS Coordinator will prepare a Work Plan after reviewing the latest internal and external audit findings and any hot topics that generate additional scrutiny. Additionally, the Quality lead will obtain input from the VP-Admin, the staff of the Compliance department, and the various departments. The Work Plan will include the top five risk areas of concern.
Additionally, the Work Plan includes a list of areas that the Compliance Department will audit and monitor. The Compliance Department may add additional monitoring audits to its duties in response to new and emerging risks.
The Compliance Department and the audited departments will review the audit findings and develop audit responses to address them. The parties will develop remediation plans and associated timelines, and the Compliance Department will follow up on remediation activities. Additionally, the Compliance Department will provide assistance with external audits by national, local, and other regulatory bodies.
CONDUCTING EFFECTIVE TRAINING AND EDUCATION
An effective Compliance Program is rooted in an active and adaptive education and training program. Active education and training are designed to teach each person how to carry out their responsibilities effectively, efficiently, and in compliance with statutory and regulatory compliance requirements. Adaptive education and training are designed to be responsive to the educational needs of the Organization’s workforce identified through internal and/or external reviews, audits, or compliance assessments or by government notices, alerts, and/or other advisory statements.
Inadequate training significantly increases the risks of compliance issues and possible violations of the applicable statutes and regulations. The Organization requires leaders to attend specific training upon hire and on an annual and as-needed basis thereafter. This will include training in program requirements. The training emphasizes the Organization’s commitment to compliance with these legal requirements and policies.
The Compliance lead or other designated staff member will document the attendees, the subjects covered, and any materials distributed at the training sessions.
Basic training will include:
Overview of the Organization’s regulatory environment
Recent enforcement activities
The Organization’s compliance structure
The key elements of compliance
Where to find the compliance plan and policies and procedures
Compliance Communication Channels
DEVELOPING EFFECTIVE AND OPEN LINES OF COMMUNICATION
Open lines of communication encourage everyone to express their compliance, quality, and other concerns and/or suggestions for improvement without fear of retaliation. Open communication is essential to maintaining an effective Compliance Program: it enables the Organization to learn about issues as they arise, generating faster responses and quicker fixes, and it allows the Organization to address small problems before they become big ones.
Any potential problem or questionable practice that is, or is reasonably likely to be, in violation of or inconsistent with the Organization's rules or policies relating to the delivery of its services, and any associated documentation requirements, must be reported to the Compliance lead or QIS Coordinator.
Any person who has reason to believe that a potential problem exists or may exist should report the circumstances through the QISMS or inquire with the Compliance lead or QIS Coordinator. Such reports may be made verbally or in writing, and may be made anonymously.
AUDITING AND MONITORING
The Compliance Officer will conduct ongoing evaluations of compliance processes involving thorough monitoring and regular reporting to the officers of the Organization.
The QIS Coordinator will develop an annual audit plan that is designed to address the Organization’s key compliance risks, policies, and procedures. Audits should also reflect areas of concern that are specific to the Organization. The following audit activities shall be planned and executed:
Risk Assessment review
Internal Audit
External Audit
Special/Ad hoc Audit
The Quality lead and/or QIS Coordinator should watch for patterns and trends in the deviations identified by audits, as these may indicate a systemic problem.
RELEVANT METRICS/MEASUREMENT
The organization's compliance score shall be determined using the Compliance Evaluation Scoring tool (Annex 1), which enables objective measurement of the organization's and each team's compliance.
REPORTING FINDINGS:
The findings from the audit activities are essential to the organization's continual improvement; hence, the results of compliance and audit activities shall be made available for viewing and perusal through channels such as:
QISMS
Data Studio
Quicksight
Powerpoint
Google slides
The reporting frequency shall follow the reporting requirements set out in the reference documentation for each activity.
RESPONDING TO DETECTED OFFENSES AND DEVELOPING CORRECTIVE ACTION INITIATIVES
The QISMMS was developed to enable the organization and its leaders to report, document, and record non-conformities, improvement opportunities, and compliance issues.
Frequency:
Annually
As per need
Reference Document:
UM-ISO-0001_QISMMS_Users Manual_V5.pdf
ISO 9001:2015
ISO 27001:2013
IO Policies and Procedures
Annex A
The ratings below apply to generic activities of both departments and projects and may not entirely cover the full requirements of ISO 9001 and 27001.
Process Compliance - Refers to the documented information used and retained by the organization. This can be IO policies and procedures, internal documents created or approved by the organization, or documents provided externally by the client for compliance.
Project Compliance - A project is defined as "a specific, finite activity that produces an observable and measurable result under certain preset requirements". Introduction of new software is also considered a project.
Risk Assessment Compliance - Refers to the risk assessment conducted at least annually. This ensures that projects and departments within the organization are aware of and ready for any challenges that may present themselves during the program run.
Metrics/KPI Compliance - Refers to the metrics/Key Performance Indicators required by IO's Performance Management system. This ensures that all team members are objectively evaluated based on their performance.
Performance Review/Coaching Compliance - Refers to the performance reviews and regular coaching conducted with team members, ensuring that team members are achieving the requirements and expectations set by the organization.
Documentation Compliance - Refers to the requirements set forth for creating documentation and records.