In the past few years, the importance of the compliance organization within corporations has grown significantly given the increased scrutiny companies have faced from regulators and the public. In past articles in our compliance series, we addressed the people, process and technology necessary to create a best-in-class compliance program ("Compliance Functions - Leadership, People, Process & Technology," The Metropolitan Corporate Counsel, September 2006), and we compiled a list of best practices from the October 2006 Compliance Readiness Seminar which we co-sponsored with Kirkpatrick & Lockhart Preston Gates Ellis LLP ("Compliance Program Best Practices," The Metropolitan Corporate Counsel, December 2006). In these articles and others we have strongly advocated a process-driven compliance function embedded deeply within the organization, making compliance a natural part of the business.
Up until this point, our articles have focused more on the domestic side of compliance programs. Now, however, we want to address the unique issues facing global compliance programs. Challenges that typically exist for global programs include such difficulties as language and communication barriers, a myriad of local country rules, regulations and customs that often vary considerably, if not totally, with domestic versions, and limited compliance resources stretched across regions in an attempt to ensure global coverage. Beyond these issues, a global compliance program must grapple with infrastructure differences across the company in key areas such as IT and HR, making it difficult to standardize processes and procedures. In this article, we will describe what we see as three important tactics for addressing these and other global compliance challenges: develop cross-functional compliance committees, take a program management approach, leverage the concept of "freedom within a framework."
A global compliance program should develop a cross-functional compliance committee in the corporate office to ensure that key stakeholders are directly engaged in the compliance program and to provide a forum for enterprise-wide discussions on compliance and risk. The compliance committee is a formalized group with representation from a cross-section of the organization. In addition to business unit leadership, this committee could include representatives from such functions as Risk Management, Human Resources, IT, Legal, Internal Audit and Corporate Affairs, to name a few. Most importantly, the compliance committee should appropriately represent the areas of the company that both create and manage compliance risk. The corporate compliance committee should meet on a regular basis to discuss the state of compliance within the company and the tasks that need to be accomplished to ensure that the company as a whole meets its compliance objectives.
In addition to a corporate level/enterprise-wide compliance committee, depending on the organization of the enterprise, business units and local markets should have their own versions of the cross-functional compliance committee. Either directly or through the corporate compliance function, the corporate compliance committee should connect with the local compliance committees, providing them with information and guidance on corporate policies and procedures and educational initiatives, and compiling feedback on risks and issues facing the business. However, the local team needs to remain distinct from the corporate team so that the local team can focus on embedding a compliant culture locally. In doing so, the local compliance committee would give the company increased flexibility in dealing with local systems and local regulations, which in the past have proved primary stumbling blocks for a global compliance program.
Beyond dealing with the day-to-day compliance issues the company faces, the compliance committees can help the corporation develop the annual compliance agenda. It is the responsibility of senior management and the board to articulate the agenda, but both the corporate and local compliance committees can provide excellent on-the-ground analysis on what is working now and what challenges the company will face in the coming year. Senior management and the board, working with the corporate compliance function, can take these considerations into account when developing the corporate compliance agenda, and they can also use the compliance committees as a sounding board for initial drafts of the agenda.
Project Management Approach
Developing a global compliance program is an exercise that never ends. There are always new aspects that must be developed and implemented, be it initiatives to manage new risks or new infrastructure to better manage the existing risk environment. Given the difficulty in implementing these kinds of programs globally, we believe it is important to cultivate a strong project management approach and discipline within the compliance function to keep the compliance agenda moving forward and on-track irrespective of the current crises of the day. To do so, we recommend the simple "hub and spoke" project management scheme, wherein there is a centralized compliance function (the "hub") and individuals responsible for compliance in each region of the business (the "spokes"). To implement this approach, of course, the company will need compliance resources who are familiar with project management.
Under this project management approach, the corporate compliance function would create a master compliance project plan with key dates, resources and deliverables highlighted. This plan would sync up with the enterprise compliance agenda and the key compliance related initiatives for the company. Beyond this master plan, local level resources with responsibilities for implementing aspects of the master plan would have their own, more detailed plans, to aid implementation. The corporate compliance function should assist the local level resources in the development of these plans, and the local level resources will use these plans as the basis for their progress updates. In many cases, the corporate compliance project manager will interface with the local cross-functional team.
Beyond work plans, good project management skills within the compliance function would benefit other aspects of the global compliance program. For example, the corporate compliance function could develop standard templates and approaches for company policies, compliance related communications, compliance monitoring, compliance risk identification and reporting, to name a few. In so doing, the company would be supporting consistency in its management of compliance, and at the same time reducing duplication of effort by providing clear guidance and expectations.
Freedom Within A Framework
The "Freedom within a Framework" tactic, borrowed from a major retailer, is an attempt to bridge the differences between a centralized and decentralized approach to compliance. There have been discussions for years about the most effective ways to manage compliance, from a strong command and control environment with a majority of compliance resources located at the corporate level, to compliance resources distributed to and dedicated only to a business unit or local market, and all points in between. At one end of the spectrum you have an enterprise view, which many times lacks the ties to the businesses to effectively implement the objectives and lacks the proximity to local markets to truly understand the risks that the businesses are facing. At the other end of the spectrum, compliance resources know how to better operate within the business that they are a part of and can better appreciate local market issues, but, this decentralized approach to compliance can be inconsistent across the company, be difficult to maximixe resources and the close business unit control can result in decision making and resourcing that is inconsistent with the best interests of the enterprise overall.
With the "Freedom within a Framework" concept, a strong central or corporate compliance function works hand-in- hand with a strong local compliance lead (either a market or business unit, depending on how the company is organized) to manage compliance risk within the company. Combining input from the local resources with input from the board and senior management, the corporate compliance function sets the compliance agenda. In addition, as noted in the project management section above, the corporate compliance function creates the tools necessary to effectively manage all aspects of an effective compliance program, from risk identification and policy development, to education and awareness, to compliance monitoring and reporting. Combined, these elements become the "Framework" that the local compliance resources use to implement the compliance program and manage compliance risk. The "Freedom" exists in that the local resources use the elements of the "Framework" to implement the compliance program and manage compliance risk, and do so by customizing and adapting to meet the needs of the local markets and the working environments of the local operations. In this way, the company is attempting to get the best of both worlds - combining a standardized approach to compliance and enterprise needs with local needs and business realities.
One important aspect of the "Freedom within a Framework" concept is communication between the corporate compliance function and the local compliance resources. If there is no communication other than templates sent back and forth, either group could lose sight of the ultimate goal: the creation of a robust, adaptive and effective global compliance program. Therefore, all members of the global compliance program must keep each other informed of any major changes to their portions of the compliance function and the rationale behind those modifications.
Global compliance is growing in importance as businesses create larger and larger global footprints, and it is critical to the eventual success of these international ventures that the company is in compliance with all local laws and regulations, particularly those regulations focused on anti-corruption, privacy, anti-trust, environmental and labor and employment. By taking a proactive approach to global compliance, many companies can avoid significant regulatory action down the road and maintain a positive reputation at home and abroad.
Published April 1, 2007.