Developing Effective Compliance Programs – and Getting It Right
By Patti McKeown
Posted: 29th July 2014 08:47
Many organisations today are either required to have a compliance program or clearly understand the need to protect the organisation and have proactively established a compliance function. The question, however, is whether the compliance program is effective.
Regardless of the industry – but particularly for those industries that are regulated – an effective compliance program is critical to protecting the organisation from constantly changing internal and external risks and events. Following the financial crisis, regulators have been criticised for their own effectiveness, and as a result, have increased their focus on compliance. In some cases, they are using their enforcement tools to levy record-setting fines and enforcement actions. Regulatory scrutiny continues to intensify, and of utmost importance to every organisation – regardless of the industry or jurisdiction – is protecting the organisation’s reputation.
Charged with anticipating, identifying and managing risks, the compliance function is an area that is often overlooked and understaffed until there is a significant event or change, be it a regulatory examination, a new regulation or another regulatory enforcement action with a record fine. In recent times, the role of the compliance function has not only changed but has become more important than ever.
Whether developing a new compliance program or enhancing the effectiveness of an existing function, the following are some of the foundational, critical components:
It Starts at the Top But Continues Through All Levels
With ultimate responsibility for compliance being held by the Board of Directors, Board members must clearly understand their role, responsibilities and accountability. The Board must set the tone at the top to ensure that compliance is a critical and respected part of the organisation’s structure and culture – and there must be an ongoing commitment to compliance. Every Board meeting should set aside sufficient time to discuss compliance issues, and the Board must receive necessary, relevant and clear information and analysis to inform its decisions and to carry out its responsibilities. The Board must also ensure that it has executive management’s buy-in, as executive management must effectively convey the message consistently and continually throughout the organisation.
Just as important, however, middle managers execute on the commitment and policies of the top. Regardless of the intentions of senior management, middle management must buy into and be properly incentivised to live the program values.
Culture, Accountability and Recognition
The power of an organisation’s culture cannot be underestimated. With the Board and executive management setting the tone from the top, compliance must be a part of the everyday life of the organisation – and a cornerstone of its culture. Compliance must be a respected business partner, and have “a seat at the table.”
The importance of compliance is conveyed in multiple ways. First, the organisation must ensure there are sufficient resources, including staffing, budget, and technology. These should be evaluated and enhanced as needed and on an ongoing basis. In addition, many organisations require their employees to annually attest to their code of conduct, which includes compliance. Compliance should also be a standard component of not only job descriptions, but the performance evaluation process.
Accountability is a topic of great discussion in the press today – particularly from a regulatory perspective. There is an expectation that organisations and their employees must be held accountable for compliance deficiencies. Employees must be held accountable for compliance, and the message of this expectation must be clearly and consistently conveyed and adhered to at all levels of the organisation. In addition to the assessment of record fines, regulators are using enforcement actions as a tool against the organisation as well as its employees.
Sometimes overlooked in the process of accountability is recognition and reward. Organisations should also have processes and procedures in place to recognise and reward those that have gone the extra mile to again reinforce the importance of compliance at all levels.
Not in a Silo!
In some organisations, compliance is seen as the responsibility of those who work in the Compliance Department. In this era of heavy regulation and record fines, however, many organisations clearly understand that compliance cannot be effectively performed in a silo. Compliance must start at the top and the message must be clear – it is everyone’s responsibility, and everyone must own it. Each employee must be engaged and clearly understand his or her role in compliance, whether the individual works in a customer-facing position or is employed in a support area such as technology, operations, human resources or training.
Finding the Right People to Manage and Support the Compliance Function
The Compliance Officer
A critical component of the compliance function is a qualified, experienced compliance professional who can lead the charge, whether it is the chief compliance officer or a compliance professional leading a specific area of compliance such as fraud, anti-bribery and corruption or anti-money laundering. This individual must have the requisite expertise and qualifications, possess excellent communication and organisational skills, and be a flexible, proactive and effective leader who can manage a program across the organisation regardless of its size, geographic location and risk profile.
Finding this individual, particularly in today’s market, is a significant challenge due to the shortage of quality and qualified compliance professionals. Organisations must be cognizant of the market and be willing to pay for the experience needed to not only attract, but retain the talent needed. In addition, the compliance officer position must be at a level that will attract and retain qualified personnel. Also, the compliance officer must be at the appropriate level of seniority within the organisation and have the authority needed to manage the program across the organisation.
Building the Team
The compliance team is not just within the compliance department. The team directly reporting to the compliance officer and within the compliance department must be clearly experienced and knowledgeable and be able to function as trusted advisors. The compliance team may also include individuals outside of the department who perform compliance functions. These individuals may be embedded into the organisation with direct reporting lines into compliance, or they may have direct reporting lines into the business and indirect reporting into the compliance function. These individuals, too, must be experienced and knowledgeable with clear-cut compliance roles and responsibilities.
Given the volatility in the market for compliance professionals, organisations must be prepared for change and ensure that there is program continuity. If the compliance officer or other key personnel leave the organisation or the position, the program must be sustainable. To achieve this, there must be succession planning for key positions and functions, with back-ups who can step in at any time with clear knowledge and understanding of current processes, procedures and controls. Back-ups must be cross-trained and have the opportunity to perform the function.
Training is a critical component of the compliance function and should include all levels of the organisation – starting at the top with the Board of Directors. Many organisations take advantage of web-based training for general compliance training. Functions and areas identified as higher risk should have focused, customised training on a more frequent basis – and in-person training where possible to engage the stakeholders and give them the opportunity to ask questions and confirm their understanding.
Given the evolving industry and regulatory environment, the importance of an effective compliance program will increase. Organisations must be prepared to proactively manage as well as have the flexibility to quickly react to a rapidly changing risk and regulatory environment. As a result, the need for an effective compliance program will become increasingly important going forward.
Patti McKeown is a Senior Director in Navigant’s Washington D.C. office. She has over 20 years’ retail banking experience, performing various management roles within two financial institutions within the United States and internationally. For the past 10 years, Patti has been providing compliance advisory services to financial institutions worldwide. Her experience includes managing large complex projects to help clients with their domestic and global regulatory compliance programs. She has assisted clients with multiple engagements including the development/enhancement of documented compliance programs, risk assessments and the development/delivery of training. She has also conducted numerous gap analyses, independent testing and remediation engagements.
© 2014 Navigant Consulting, Inc. All rights reserved. Navigant Consulting is not a certified public accounting firm and does not provide audit, attest, or public accounting services. See navigant.com/licensing for a complete listing of private investigator licenses. The opinions expressed in this article are those of the author and do not necessarily represent the views of Navigant Consulting, Inc. Neither Navigant nor the author assume responsibility for legal advice nor make any representations concerning interpretations of either the law or contracts.