Compliance Program Best Practices

Note from Duff & Phelps: We are happy to announce that last month's Compliance Readiness Seminar, co-sponsored by Duff & Phelps and Kirkpatrick & Lockhart Nicholson Graham LLP, was a great success. The sold-out event attracted compliance professionals from all over the Northeast, and one of the highlights of the Seminar was the breakout sessions that followed the key-note speakers and panelists.

Many participants felt that, while there are many Compliance seminars offering a wide variety of speakers and topics, rarely is there a chance for Compliance professionals to share best practices and learn from what their colleagues are doing in other organizations. We identified facilitators for each of the small groups, and the facilitators included General Counsels, Chief Compliance Officers, and other key Compliance professionals. The breakout sessions focused on three key topics: risk identification, assessment and prioritization; Compliance programs; and Compliance policies and procedures. Some of the best practices shared during the groups are compiled below.

Risk Identification, Assessment and Prioritization (Group 1)

(Facilitator: Marina Adams, Compliance Officer, FRBNY)

• As a first step in identifying risk, the Compliance Department should work very closely with the Audit Department; however, the Compliance Department should not always rely on Audit to conduct Compliance assessments.

• Interpret self-identified risks with caution - there is often reluctance for business areas to accurately 'own up' to legal and regulatory risks.

• Include representatives from Audit, Legal, Accounting and Business Management in risk assessment committees. Holding mock risk identification and mitigation scenarios (from both real experiences and those in the news) is an excellent way to gauge your company's response.

• Prioritize risks by using a scoring method that weighs (i) the gravity/severity of the risk, (ii) the likelihood of the risk, and (iii) the 'controllability' (mitigating procedures) of the risk.

• Report monthly to Senior Management on key risks. The report should consist of activities to mitigate and handle infractions. Either the business unit or the compliance function should have this responsibility.

Risk Identification, Assessment and Prioritization (Group 2)

(Facilitator: Ed Forman, General Counsel, Duff & Phelps)

• Adopt formal procedures on risk identification and management. There is not a single source for risk identification and evaluation - which means that it is very important to include representatives from the business and support functions in the identification exercise. Risks can be identified through interviews, assessments or facilitations.

• Be sure these procedures include a detailed plan on how these risks are reported to Senior Management.

• Regardless of a company's size, formal procedures should be in place. Just because a company is smaller does not mean it can do without a plan for risk identification and prioritization.

• If your company allows identified risks to be managed by business leaders, be sure both Legal and Compliance representatives play a role in prioritizing and monitoring.

Compliance Programs (Group 1)

(Facilitator: Alberto Mora, Chief Counsel, International Division, Wal-Mart)

• For those organizations in the Financial Services industry, apply the same management discipline to other compliance risks that your company practices with anti-money laundering programs. Compliance programs within the Financial Services industry tend to be more mature as they have tackled anti-money laundering programs in recent years. Financial Services companies tend to approach compliance with more rigor than other industries and for the most part are leaders in all areas of Compliance.

• Excluding counsel from routine corporate affairs or significant matters could be a sign of a current problem or problems up ahead (e.g., WorldCom and Enron).

• For reporting structures, having the Chief Compliance Officer (CCO) report to the General Counsel, Audit Committee or the CEO is the most common structure, but in all cases, the CCO should be closely tied to legal.

• 'Tone at the Top' is extremely important and a successful program will have the attention of the executive team. Through messaging and investment, the executive team can demonstrate their support of the program. Communication in general is important too.

Compliance Programs (Group 2)

(Facilitator: Jonathan Perlstein, Chief Compliance Officer, CIGNA Corporation)

• Including a Compliance/Ethics element in performance evaluations is a powerful force for raising employee awareness and interest.

• Financial services companies generally have well developed programs and a high level of management interest. Compliance programs in industries that have not been the subject of significant regulatory scrutiny may have substantially more difficulty in getting management attention to, or interest in, Compliance programs. If this is the case, be sure to review communication procedures and approach. A consistent flow of information to senior management about the travails of other companies in industries that have some similar traits might spur management to take more interest in Compliance issues.

• Even those companies whose Compliance Departments appeared to have strong training and strong reporting systems still didn't seem to have much visibility into the 'so what' of their reporting. Addressing the individual event or error seemed to be the responsibility of the Compliance folks; the 'root cause' and systemic remedial actions appeared to be the responsibility of others.

• While finding effective ways to engage the broad employee population in Compliance programs can be very challenging, formal training programs can help get the word out. The more specific the training (i.e., training that resonates because it is tailored to closely link to the employees' day-to-day job activities), the more effective it is in raising awareness and affecting conduct. Some smaller companies have no formal training, and must rely on ad hoc communications to raise awareness.

Compliance Policies and Procedures

(Facilitator: Paul Shay, Chief Compliance Officer, Popular Financial Holdings)

• No matter the size of the organization, Compliance policies are a must; have the Compliance Department or Human Resources act as the conduit to the business on these policies to ensure effective communication. Compliance policies should include a reference to the law or regulation, express the risk and provide detailed instructions in layman's terms that can be easily translated into educational and testing programs.

• Training programs on Compliance policies and procedures should be focused on three issues: method, content and efficacy.

1. Method: either in-person or on-line. Larger organizations tend to use Internet-based resources, while the smaller companies tend to use in-person training for new employees and high risk topics (e.g. harassment).

2. Content:

• Many organizations take the 'build your own' platform approach, but most use larger vendors to build their content. When designing content, be sure to take into account refreshing content. If information is 'hard coded' into the system, it can be very difficult and expensive to update the material. More sophisticated vendors will tailor to suit and refresh content on their own.

• Approach to content can be training up-front or customizing syllabuses for each job category. No matter the approach, regulators/judiciary do not tend to give 'bonus' points for irrelevant training, so keep hours spent off the factory or sales floor to a minimum.

3. Efficacy: While in-class training may be preferable, the cost and difficulty in scheduling classroom training, especially for large organizations, outweighs the benefit. However, be aware of the limitations of Internet-based services as well.

Questions or comments regarding the content included in this article should be directed to Jerry Kral at or Jim Ewing at

Published December 1, 2006.