top of page
  • Ethena Team

Guide to Compliance Management Systems: 4 Parts of a CMS


Guide to Compliance Management Systems: 4 Parts of a CMS: two superheroes fist bump over their cubicles
Illustration by Sarah Rebar - IG: @heysarahrebar, Twitter: @heyitsarahreebs, www.sarahrebar.com

In this article

What is a compliance management system?

Who is responsible for the CMS?

4 components of a compliance management system


At its core, compliance is about following a set of rules. While the concept of abiding by the rules may be basic, it can be quite complex in practice — especially when there is a dizzying array of rules to follow.


Today’s businesses are expected to both comply with the law — which includes everything from consumer protection laws to international data privacy laws to federal, state, and local employment laws — and to set high standards for ethical behavior in the workplace. Doing so not only mitigates risk, but it also supports healthy corporate culture and helps win favor with your customers. Remember: Your customers and your employees want you to be compliant, because it means you’re following the laws that exist to protect them.


Some industries — like financial services — are subject to additional regulation, meant to protect consumers. A compliance management system is what helps companies, especially in regulated industries, well, manage all the moving pieces involved in compliance.


What is a compliance management system?

A compliance management system (CMS) is a multifaceted system that ensures a company, business, or institution is in compliance with their sector’s laws, regulations, and industry standards, as well as a company’s Code of Conduct. CMS platforms are often associated with the financial industry, as the Federal Deposit Insurance Corporation (FDIC) explicitly recommends that FDIC-supervised companies have compliance management systems.


However, when their purpose is considered more broadly, compliance management systems are relevant to other sectors as well, including manufacturing, hospitality, and civil engineering.


The specifications of a CMS will vary business to business, depending on the industry, size of company, location, and workload scope and complexity. However, some basics are consistent. All must have:

  • A designated individual or group to oversee it

  • A compliance program, including documented policies, training, and process for responding to complaints

  • A process for independent review (audits)

A successful CMS incorporates legal regulatory compliance requirements, as well as company policies, into the fabric of the business processes. The system’s tools work best when integrated into all parts of a business’s operations, from hiring to marketing to production and manufacturing. A successful CMS also includes compliance training that educates and engages employees about compliance requirements in a way that creates lasting change.


Looking for effective, easy-to-manage compliance training? Let's talk: An illustration of two superheroes fist-bumping

Who is responsible for the CMS?

In the financial sector, the board of directors is responsible for developing and administering the CMS. The board of directors typically works with senior management to communicate their compliance expectations to all employees, as well as notifying third-party service providers.

Depending on the size and scope of a business, senior management may take a more active role in the CMS, conducting in-person symposiums or smaller group discussions, to ensure all employees are not only adequately trained in the compliance processes, but also comfortable communicating with colleagues and leadership about compliance issues.


Often a chief compliance officer, compliance officer, or compliance manager position is created to oversee the compliance responsibilities of day-to-day operations. New industries like cryptocurrency, among other sectors, have complex and even conflicting laws and regulations that might require a compliance team rather than an individual, to manage.


4 components of a compliance management system

There is not a one-size-fits-all CMS system, but there are compliance issues that transcend industries and the particulars of a business. Here are five key components that comprise a working compliance management system.


1. Direction, oversight, and communication

Compliance starts at the top, and a CMS needs strong leadership and oversight to be effective. To this end, the FDIC places responsibility for compliance management systems with the boards of directors of financial services companies and institutions. While the board is expected to oversee the CMS, they may appoint a compliance officer to lead implementation. That officer is tasked with communicating compliance expectations to employees across the company, and taking action if ever needed.


In non-financial companies, direction, oversight, and communication responsibilities may rest with senior leadership and/or HR.


2. A source document

The most basic element of a CMS is a written document that outlines the specifics of a company’s compliance program. This is a single-point-of-truth that typically includes policies, procedures, rules, and regulations, which employees can consult for guidance. This CMS document is continually updated with new compliance regulations instituted by federal or local laws, or company policy; compliance is never static for long. The document might also include internal policies and the company’s code of conduct.


3. Compliance training

Compliance is complex, with many moving pieces — making training an essential component of any CMS (because you can’t expect employees to abide by rules they aren’t familiar with or don’t understand).


What’s the key to successful compliance training? Several aspects include:

  • Automatic enrollment

  • Automated reminders for employees about CMS training and/or actual updated policies.

  • Lessons delivered incrementally over time rather than in a single chunk once a year.

  • Easy access to training — no login required

  • Real life, non-cringe scenarios that fit the modern work environment

And how do you measure success? Metrics include not only participation and completion rates, but also qualitative measures like satisfaction with the training material.


4. Periodic audits

Compliance management isn’t one-and-done. The FDIC requires independent audits, and savvy HR professionals in all industries know that any compliance program needs to be evaluated regularly. Non-regulated businesses can conduct audits themselves, but financial services companies need to use a third party to augment their internal efforts.

These CMS components work together to ensure a business or financial institution is in compliance with the industry regulations.


Compliance management systems don’t have to be tricky. At Ethena, we excel at helping companies (and their employees) navigate tricky situations. From compliance to harassment prevention, we’ve helped compliance officers at companies like Netflix, Pinterest, and Carta to name a few – and we look forward to the opportunity to work with you as well!


Ethena is a modern compliance training platform that delivers current, cringe-free content that employees actually enjoy. Request a sample course to see for yourself! If you’re ready to bring complex issues to life through thoughtful real-world examples, dynamic multimedia, and actionable next steps, let’s talk to see if Ethena is right for your company.


Save time on paperwork so you can focus on people work: illustration of four coworkers chatting at their desks, with a "Lets talk" button

Stats to prove it.

Latham & Watkins wrote about our unique and effective approach to harassment prevention. It’s less boring than it sounds!

“ (1).png

A company using Ethena could reasonably expect to face fewer enforcement actions and to be less vulnerable to liability for sexual harassment."

1280px-Latham_&_Watkins_Logo.png
bottom of page