In the July 2005 issue of The Metropolitan Corporate Counsel, we described a compliance framework that a number of companies have successfully implemented. The framework defines a systematic, end-to-end approach to compliance, and can be adopted by any company irrespective of industry. Of course, in order to successfully implement this or any other compliance framework, you need resources, typically in the form of a compliance function or group. In this article, we will highlight some of the elements that we believe are key to the compliance function.
If executive leadership is not fully committed to compliance, chances for success are slim. In today's environment, you would be hard pressed to find a CEO or other leader that would not say she is committed to compliance. Saying it is the easy part - in our opinion, that is not true commitment.
Commitment is providing the monetary resources needed to create a truly effective compliance program, recognizing the compliance leader as a real leader in the organization and involving compliance in high-level company affairs.
Commitment is also regular involvement. The competition for a CEO's time is great, but because of the importance of compliance and the potentially disastrous consequences that can arise without an effective program, he or she must make time. Compliance is about people doing the right thing, which at the end of the day is about culture. Nobody is in a better position to positively impact culture than the CEO.
Finally, leadership needs to understand and embrace the fact that the result of an effective compliance program is a competitive advantage and worth the investment.
A compliance function starts with people. The number of people, their positions and their years of experience will all depend on the organization and its risk profile. Likewise, the technical legal and regulatory know-how required will be driven in large part by the company's industry and markets. There are some core skills that we believe should be well represented within a compliance function.
Knowledge of the Business - Although the mission of the company and product mix are important, it is equally important to have an understanding of how business takes place within the organization. Who are the people in the business who should be engaged in major change efforts? What communication mechanisms work best? What other priorities and messages does compliance compete with? How are people in the business incented? A highly productive compliance function will typically have one or more people who have spent a considerable amount of time working in the business.
Project Management - Much of what a compliance function does requires change, and sometimes the level of change can be significant. These types of efforts require heavy-duty resource, activity and deadline management. Moreover, the operation of the compliance function requires core project management skills: regular examination of priorities, reallocation of resources and elimination of barriers. Unfortunately, we often see these skills taking a backseat to technical, legal and/or regulatory skills. All of the members of a compliance function would benefit greatly from incorporating project management skills into their individual learning plans.
Communication - A critical job for the compliance function is translating complex, technical requirements into messages that the organization's employees can understand. It is also important for a compliance function to recognize all of the different channels that these messages can travel - statements of policy, FAQs, presentations, company bulletins, etc. A core foundation in business communication is essential.
Sales - Yes, that is right - sales. It would be ideal if whatever the compliance function said, people did. Unfortunately, that is not the way things work in business. There is constant competition for priority, resources and mind-share, as well as asking other professionals to change their entrenched practices. Compliance professionals should think about how to position the messages and requirements with their "customer base" so that they understand and embrace the benefits.
Collaboration - It is essential that compliance works with the business units and many corporate functions including legal, internal audit, and risk management, to name a few, in order to successfully develop and implement compliance initiatives. Compliance professionals need to have teamwork and interpersonal skills to be successful in a collaborative environment.
We believe that an effective compliance program is grounded in process. Compliance cannot be a reactive endeavor. It must be proactive, where policy and practices are embedded into the company as solid, repeatable processes. Below are three areas that will benefit from a process approach.
Risk Identification and Prioritization - Good risk identification and prioritization procedures start with formally noting the different sources for compliance risks. These sources can include changes in laws and regulation, calls to an ethics hotline, cases in the litigation docket, to name a few. The sources and the method for gathering the information should be documented to avoid re-inventing the wheel in the future. Once risks are gathered, it is time to prioritize them. The compliance function should evaluate each and every risk using a standard methodology. Common variables used for this type of exercise include potential exposure for the company, likelihood of occurrence, and existing controls in place.
Policy Development and Publication - One of the challenges for a compliance function is to create and publish policy that conveys the right messages, is easy to understand, and accessible by the target population. At the very least, there should be a checklist created that compliance professionals consistently follow when creating policy. The checklist would include such items as:
Key message to be conveyed
Change required of employees
Resources available for employees
Related / superseded policies
In addition, a policy template should be developed to ensure that policies have a similar look and feel and a consistent flow of content. Finally, it is considered a leading practice to use an existing or new executive level committee to formally review and adopt policy. Beyond the basic review function, this will help directly engage executive leadership in compliance, help to refine messages to best reach the target audience, and provide a channel to obtain executive leadership assistance in promoting new policy.
Monitoring - Just sitting and waiting for the phone to ring cannot be considered an appropriate level of effort to detect compliance issues. Moreover, it does nothing to examine and test the effectiveness of a compliance program. A robust compliance effort needs detailed monitoring processes for each of the compliance risks facing the organization. The rigor of these processes should be tailored to the risk and its relative priority within the organization. A monitoring plan for a given risk should contain the following types of information:
The name of the compliance risk being monitored
A description of each monitoring activity
The control being tested by each activity
The frequency of each monitoring activity
A description of how to interpret the results of the monitoring
Technology can be a great enabler to an effective compliance program, but it must be used appropriately. A compliance function should fully exploit technology tools in order to improve its efficiency of operations and expand its ability to manage and monitor the company's compliance risks. A few key areas where technology tools can be of particular benefit:
Compliance Risk Repository - One of the most basic applications for technology should be a repository for the compliance risks facing the organization and each risk's supporting details. Although there is sensitivity around storing this type of information in a system, in today's environment, most would probably agree that it would be difficult to manage the workload of the department without documenting basic information about the company's risks and programs. When we are designing these kinds of repositories, the kinds of information we incorporate typically include the following:
Description of the compliance risk
Relevant statutes or other controlling standards
Business units / function potentially impacted
Subject matter experts (inside the company or outside such as company counsel)
Core elements of the program (policy, business processes, training and awareness, etc.)
Monitoring program for the risk
Compliance Portal - A common complaint that we hear from employees is the difficulty in navigating all of the information that exists in an organization. To increase visibility into the function, all compliance-related materials can be consolidated into a single portal within an organization's intranet. Easier said than done, but the goal should be for the portal to incorporate:
Link to information about compliance training
Resources available to employees to surface compliance concerns
Regular compliance awareness campaigns
Compliance in the news, in particular news that highlights the benefits of good compliance or consequences of poor compliance practices
Business Intelligence Tools - No doubt that there is a lot of data available within an organization that could be used to help monitor compliance and detect compliance issues. The problem is that the amount of data can be overwhelming, and connecting the dots between related data elements and sources can be quite challenging. This is where Business Intelligence Tools can be of great assistance. Long a staple within Finance, these tools have evolved enough in both capability and ease of use to be more widely used within an organization, even in functions where data mining expertise is not prevalent. With these tools, a compliance function can consolidate and analyze data from disparate parts of the organization to identify deviations from the norm or outliers that could be indicators of a compliance problem.
If we can stress one point, it is the need for executive buy-in. Without it, the value of an effective compliance program will be lost and all efforts to create a program will be futile. In some cases, the impetus to garner executive buy-in can be triggered by an adverse event, in which case it is important to seize the moment.
Published September 1, 2006.