Financial institutions and heavily regulated industries have undergone increased regulatory activity in recent years that has led to substantial changes in their compliance functions. Diversified products, complex regulations, multiple regulators and profit driven incentives are a few elements that can create significant challenges to developing an effective global compliance function. It is no longer sufficient for corporate compliance departments of multinational organizations to focus on domestic compliance programs and to allow foreign operations to develop and implement local market programs unmonitored. Moreover, in the past, some corporate compliance functions would roll out global policies and expect foreign operations to comply; however, sometimes these policies did not comply with local law and customs, or the policies interfered with or prohibited doing business locally. Now, cultural sensitivity is critical for multinational organizations, and many compliance programs have responded by allowing flexibility and customization in regional and local market compliance functions.
Previous articles by Duff & Phelps described elements of a successful compliance program ("Compliance Functions - Leadership, People, Process & Technology," The Metropolitan Corporate Counsel, September 2006) and provided techniques to improve the effectiveness of global compliance programs ("Three Techniques To Improve The Effectiveness Of Global Compliance," The Metropolitan Corporate Counsel, April 2007). In this article we will discuss four techniques for developing effective regional compliance programs at multinational organizations: developing integrated compliance functions; creating regional centers of expertise; developing regional infrastructure; and socialization of the global compliance program. The techniques described below apply to multinational organizations of all sizes having global compliance operations.
Integrated Compliance Functions
There are different perspectives regarding whether global compliance is most effectively managed by a centralized or a decentralized approach. Decentralized functions typically involve a small, central corporate presence where most compliance resources reside in the business and have solid-line reporting relationships to business management. The chief compliance officer generally has little formal authority over these compliance resources. Disadvantages to decentralized functions include a lack of independence of the compliance function, an inconsistent approach to compliance and difficulties in implementing consistent best practices across the organization. Centralized functions traditionally involve a majority of compliance resources located at the corporate level, which enables an enterprise view into compliance risks and promotes consistency across the organization.However, centralized functions usually lack ties to the business to implement compliance objectives.
Many multinational organizations are adopting the freedom-within-a-framework concept whereby the corporate compliance function provides the framework and standards to drive consistency in approach to managing compliance risk across the organization. Regional compliance functions then customize and adapt the standards, policies, procedures and training to meet the needs of the region, develop regional risk mitigation plans, regionalize investigations programs and develop and implement regional best practices. Local market compliance professionals have the front-line responsibility for implementation and for embedding compliant cultures within the business.
For an integrated compliance function to be effective, regional and local market resources should be fully dedicated to the compliance function (e.g., no resource sharing with legal or the business) and local market resources should report directly to compliance managers who will make hiring, termination and compensation decisions. Maintaining dotted-line reporting relationships with business partners and allowing them to provide input into hiring decisions and performance review discussions is advisable in order to ensure that compliance professionals are supporting business strategies and goals. In many multinational organizations, compliance resources are spread thin across regions and are rarely dedicated solely to compliance. Utilizing time surveys to understand the functions to which compliance professionals are dedicated and how they allocate time between functions will provide data that will inform intelligent resource allocation decisions.
Creating Regional Centers Of Expertise
There are many options when drawing compliance regions at multinational organizations. Factors influencing the composition of a region include geographic distribution of products and services; business unit structures; the regulatory environment; country risk profiles generated from periodic risk assessments; and headcount numbers. Regardless of the regions drawn, creating regional centers of expertise will ensure that the corporate compliance framework is appropriately adapted to be compliant with local customs and laws while supporting the organization's global compliance vision.
Effective regional compliance functions promote consistent compliance visions in the local operating environments. Due to their proximity to local operating environments, regional functions have a pulse on what is happening in the field as they have access to local exception reports and are better able to analyze emerging risks and trends that surface in a region. Therefore, it is imperative that recognized risk experts are embedded within the regional function if they are not a part of the corporate compliance function.
A risk expert is a subject matter lead in a region that advises the business, develops policy and contributes to monitoring risk. Risk experts should be appropriate for the region, and regular risk assessments will ensure that risks are being surfaced and investigated by those in the best position to implement measures to mitigate and monitor the risks. In addition to risk experts, regional functions should also consist of cross-functional information technology and human resource assets that can leverage shared operational resources across regions. Creation of a risk response team is also advisable whereby dedicated compliance resources can be deployed across regions to investigate and monitor potential compliance incidents and breaches.
The creation of regional centers of expertise is not limited to large, multinational organizations. Small organizations or those with limited regional and local market compliance resources can be given access to risk experts, IT and HR resources by the corporate compliance function, or external service providers can be utilized for specific objectives. The key is providing regional and local market compliance functions with access to critical resources that will enable the corporate compliance framework to be appropriately adapted to be compliant with local laws and customs.
Developing Regional Infrastructure
A challenge that some multinational organizations encounter is when other corporate functions share a budget with compliance, which usually results in compliance having little control over its budget. For some organizations this challenge has necessitated the creation of the "ring-fenced" compliance budget, a budget dedicated solely to compliance where cost centers are created within each business unit to house the resources and associated costs of the compliance function. Corporate and regional compliance officers are included on the corporate compliance budget while local market compliance professionals are included on budgets designated by local compliance officers with local business managers. A process should be implemented whereby changes to the compliance budget must be submitted to the global chief compliance officer for approval. Creating a "ring-fenced" compliance budget will ensure that the independence of the compliance function is maintained and will empower compliance professionals. Moreover, compliance budgets will be protected during economic downturns or other challenging times when there might be a temptation to cut compliance budgets in order to control costs.
Technology plays a critical role in an organization's global compliance vision. Defined information flows between corporate, regional and local market functions are essential to creating an effective global compliance function and positioning compliance as a leader in proactive risk identification and risk management. Ideally the underlying technology is integrated, allowing compliance professionals to track and communicate issues, trends, mitigation plans and training across a region; integrated systems also connect compliance professionals and create a "compliance community" globally and within and across regions.
Effective compliance programs take a proactive approach to compliance risk management and are built upon processes that are embedded within the business. What seems to be lacking in organizations with global compliance operations is a centralized system that contains a risk repository in addition to policies, laws, risk assessments, compliance awareness campaigns, training, FAQs, and incidents and investigations related to specific risks. The system should also house action plans containing key resources, dates, milestones and deliverables to mitigate risks. Organizations are understandably hesitant to collect risk information in a centralized location, but the most effective way to manage risk is with an integrated system. Moreover, most systems allow for security groups to be established that control information that can be viewed by pre-defined user groups. While organizations without defined processes will need to spend effort on the front end creating solid, repeatable processes that can be leveraged by technology, it will be time well spent when the resulting system is able to generate global and regional reports that will inform intelligent risk management decisions and when real-time data is available from the chief compliance officer down to the local market compliance officer.
Socialization Of The Global Compliance Program
Defining and communicating the "tone at the top" view of global compliance is essential to obtaining buy-in to compliance program initiatives within business units and local markets. In our experience, centralized communications that run from corporate and regional compliance functions to business unit leads and down to the local markets are the most effective means of communicating the importance of ethical behavior and appropriate business conduct to all employees. Centralized communications ensure transparency of compliance program initiatives and goals and set clear expectations for employees.
However, socialization of the program is only the beginning. While "doing the right thing" is a concept that employees within multinational organizations can agree upon, what the concept means in the context of diverse cultures, local laws and customs is less clear. Therefore, regional functions must then "regionalize" training that communicates why compliance is relevant for local compliance professionals in their specific jobs and in their regions.
Developing effective global compliance functions at multinational organizations has never been more difficult, particularly in light of increased regulatory activity. However developing and enhancing regional structures by integrating the compliance function, creating regional centers of expertise, developing regional infrastructure and socializing the global compliance program will ensure that ethical and lawful behavior becomes embedded in the way that multinational organizations do business.
Published May 4, 2009.