How to Fix Your Marketing Risk & Compliance Process
So your company just got called out by the competition regulator and fined for breaching the rules on advertising – meaning ads went out the door with misleading information and incorrect disclosures – and your marketing risk and compliance process failed to pick it up. That’s when your competitor noticed.
It’s not the half-a-million-dollar fine for being a repeat offender that’s the problem. Although, well, it partly is: the CFO was pretty unhappy.
It’s not even the brand damage that the public shaming generated. Well, actually, it sort of is: the CEO wasn’t too happy. It may all blow over in a few months, but until then, no one wants to be the kid in the naughty corner.
Really, though, the worst part is the increased attention all your marketing activity will get over the next year or two from the regulator. So the CMO’s not happy, either.
She’s been given fair warning the regulator is going to be scrutinising all your future campaigns, and coming back to check you’ve patched the holes in your marketing risk and compliance procedures.
If only you could point the finger at legal. Unfortunately, when Mary left, so did any knowledge of why legal was or wasn’t consulted. And IT couldn’t find anything in her old emails or personal drive.
I know, right? It’s not your fault. I mean, you were perfectly happy cranking out reports for the marketing team, minding your own business, getting stuff done.
Only thing is – now your company has to be able to step the regulator through your compliance and marketing risk management program. You have to be able to demonstrate your commitment to marketing compliance, and show that all your marketing materials go through the program.
And you’ve got the job of implementing it.
So what are the essential foundations of an effective Marketing Risk and Compliance program?
1. Three Lines of Marketing Risk and Compliance defence
There are basically three lines of defence when it comes to structuring a Marketing Risk and Compliance program, and your company needs all of them.
Marketing is fully responsible for all the risks in its area and it has to ensure that effective controls are in place. Marketing, with the assistance of the second line, will develop and implement a Marketing Risk and Compliance Program. However, Marketing will own the program and must ensure that all work goes through the right checks and is formally approved before it hits the market.
The first line of defence is really the key to success.
- Line 2: Legal and Risk inform the Marketing team
The second line of defence works with and supports the first line. Legal and Risk will support the continued implementation of the program and supervise how it is applied. They also provide the advice necessary to integrate business changes into the key processes. For example, regulations change all the time. Your company’s Legal and Risk teams should track those changes and filter the most current information – and how it affects your company — down, so Marketing knows what to do. And your Legal and Risk teams need to sign off on the relevant marketing materials before they are sent out.
- Line 3: Audit keeps everyone honest
There must be an internal audit function, which operates as a check and balance on the first two lines of defence. They are responsible for the quality control of the business processes surrounding marketing and ensure that they are consistently applied to guarantee continuity of operations.The more robust your internal audit, the better the chances you’ll pass next time your official auditor — or the regulator — comes knocking.
Get your free checklist: 10 Steps to Mastering Marketing Compliance
2. Documented Marketing Compliance Process
Until you write down your marketing compliance procedure, your company won’t be able to demonstrate your commitment to achieving marketing compliance. And until you do that, you won’t get the regulator off your back.
Consult Marketing, Product, Legal, Risk, Public Relations – whoever needs to be involved – and determine the marketing compliance process that will work for you.
Depending on the industry you’re in, this could be a simple as creating a list, or as complicated as writing a detailed manual.
You may decide social campaigns can be done on the fly; but as soon as they link to a website they require sign-off from a marketing lead. Perhaps all campaigns running in three or more channels will be referred to your weekly creative approvals meeting.
Document exactly when legal sign-off is required. You should also document how much time they have to consider a campaign; an hour at the end of the day before it is due to launch isn’t going to cut it.
Whatever your Marketing Compliance process is, formalise it, make sure it has been communicated and agreed to by all stakeholder teams, keep it updated, and store it in a centralised location, accessible to all.
Create a workflow that takes marketing compliance into account so that anyone involved in creating marketing materials that require sign-off not only follows the correct procedures, but can demonstrate their intention of doing so. Either follow this manually, or you can automate the process using a tool like Simple.
3. Guide to Regulatory Obligations
Increasingly these days, staff come into marketing from other industries — technology and data, for example — and may not be aware of their regulatory requirements when it comes to privacy, comparative advertising, and so on.
On top of that, regulations change frequently and your Legal and Risk teams should be responsible for providing an up-to-date guide to the rules the marketing team must follow.
Once you have this, it must be kept updated, and stored in a centralised location, accessible to all. It’s too easy for marketing managers to print off a copy and refer to it for months, unaware that the rules have changed, and unwittingly causing a breach.
4. Disclosures Checklist
Whether you run competitions, advertise different specials in different geographic areas, or operate in a highly regulated industry such as financial services, it’s likely you’ll need to include standard disclosures for particular products, in specific geographic areas, or at particular times.
Get an up-to-date list of the actual disclosures you’ll need from Legal and Risk, and create a checklist for including disclosures by product line, campaign type or geographic area – whatever makes sense for your business.
For a financial services company, for example, the list of disclosures that would apply when you’re marketing a superannuation product will differ from those that would need to be included in marketing materials for your wealth management products.
Going through the checklist to ensure the right disclosures are included might start as a manual process. Ideally, it will be automated using a marketing operations platform such as Simple.
Whatever you choose, the list and disclosures must be kept updated and stored in a central, easily accessible location. And when you use external agencies, your marketing team will need to supply them with the correct disclosures for the campaign or product line on which they’re working.
Again, this last point can’t be emphasized enough — too often marketers intend to comply with their regulatory obligations but breach them because they’ve included out-of-date disclosures.
5. Stakeholder Approvals Matrix
Your stakeholder approvals matrix should document all the staff by name from each department that are able to sign off on particular types of marketing materials.
For example, any member of the marketing lead team might be able to approve a simple Facebook ad.
But the relevant head of product, marketing lead, CMO and member of your Legal team might need to sign off any integrated marketing campaigns.
Or the cut-off might be investment-based: when the cost of media passes $100,000 it is referred up.
If you’re used to having a dozen people have input into major campaigns, just 4 approvers might sound like a pipe dream. But the more streamlined – yet watertight — you can keep your approvals matrix, the faster and more workable your approvals process will be.
With marketing staff changing regularly, this will also need to be updated frequently – by the compliance manager – and kept in a central location, accessible to all.
6. A Record of Amendments and Approvals
It’s not enough to follow the correct procedure, or complete a checklist showing a campaign went through all the required checks and balances — you must be able to show that this has been done by recording the relevant versions, amendments and approvals.
OK, it’s not the Dark Ages anymore, but some companies still maintain a paper approvals trail by ensuring every version of their marketing materials is printed out, physically marked up, amended, printed out (again), physically marked up (again), and literally signed off when it is ready to go.
Others will create a central document or spreadsheet in a shared drive and include scanned copies of marketing materials, emailed amendments and approvals, and links to copies of approved work in there.
It might sound like a headache, but it’s necessary – and, again, you must keep it in a central, easily accessible location.
Of course, you could also use a marketing workflow management tool such as Simple that incorporates compliance, mark-up, and approvals – and that creates an audit trail by capturing every version of an asset and a record of approvers.
The final thing you need is storage. Whether you’re talking paper files, a shared drive or a digital asset manager, there is a usually a minimum amount of time records must be retained. In Australia, you’re looking at seven years.
And make sure you keep your records in a central, accessible location – which means, not in someone’s email or private drive. Failure to do so will mean an F when that person moves on – and when it comes to your internal compliance audits.
8. Internal Audit Process
Once all your other building blocks are in place, a good compliance manager will conduct their own internal assurance audits on a regular basis – perhaps monthly – before your official audit team even gets a look-in.
Generally this will mean taking a random sample of marketing activities and scrutinising them to ensure correct marketing compliance procedures have been followed, the right disclosures have been included, any legal changes made, and proper approvals and sign-off recorded and stored.
This is particularly important if you’re doing everything manually — you’ll need to check to see the processes on which you’ve worked so hard are actually being followed. It’s easier if you’re automating the process using a tool that can provide you with data on what’s happening within your marketing team workflows.
From there, it should be smooth sailing when the auditor – or the regulator — comes calling!
Simple’s Marketing Operations Cloud helps marketing teams document, streamline, automate and audit their risk and compliance processes. To find out how, book a demo.