Increased regulatory and ethical pressures are transforming the traditional role of compliance. Compliance departments are taking on broader responsibility for ethics, compliance, corporate culture, and social responsibility. With greater frequency, they are moving out from under the legal department into a direct reporting relationship to the CEO and/or Board, particularly in highly regulated industries.
Some organizations are differentiating between operational compliance and legal compliance by leaving a function within legal for monitoring and interpreting relevant laws. In some cases regulators are requiring, and at least encouraging, compliance to report outside of legal so it has greater autonomy to raise and resolve issues. The critical point: enabling compliance to report directly to the Board of Directors.
Since 1996 in the US, oversight responsibility to ensure compliance and ethics programs are in place falls squarely on the Board. This was made clear in the United States Sentencing Commission Organizational Guidelines that require Boards be knowledgeable about compliance risk, the content and operation of the compliance and ethics program, and exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program – with specific ability for the compliance function to have direct access to the Board or an appropriate subgroup of the board.
Therefore, we see that compliance is mandated to take on greater relevance as it guides the enterprise beyond traditional concepts of being the compliance “cop.” This requires an integrated role in the organization’s proactive risk management programs. Ideally, today’s compliance function will possess a solid understanding of the company’s ethical, regulatory, and cultural risks, how they relate to each other, and how they fit into broader enterprise risk strategies. Reliance on well-established risk management and governance processes will provide assurance that ethics and compliance efforts are sufficient and operate as designed.
Building Relationships Across the Business
The compliance function faces a big challenge today: encouraging executives to work together to revamp siloed, haphazard risk management systems and turn them into an integrated process that provides greater transparency, reliability and value.
It is critical that the compliance function play a key role in risk management strategy. To do so, it must first understand compliance and ethical risk facing the organization. Then focus on opportunities to control cost, improve resource utilization and create sustainable scalability and alignment with organization goals. In order to champion corporate compliance and ethics goals, compliance should be prepared to:
- Articulate to the board why having a clear and conformed view of compliance risk is critical to the organization’s culture, performance, and fiduciary responsibilities.
- Demonstrate how centralized oversight and supporting technologies for compliance risk management drives predictable behaviors and performance results.
- Communicate the benefits of including compliance risk management within business change initiatives.
- Influence key executives to support the compliance role in the achievement of business objectives.
- Collaborate with key executives in developing compliance processes that allow measurable evaluation of effectiveness, efficiency, and support business agility.
- Assist the CEO in evaluating opportunities and preventing adverse effects from regulatory compliance and ethical risks.
- Help management appreciate how integrated compliance risk management processes can improve operations while reducing redundancies that can be leveraged across assessment, training, awareness, investigations, and policy management.
- Incorporate compliance risk management and assurance across extended third-party business relationships
Understanding and Approaching Compliance Risk Management
Historically, the compliance function did not understand how to manage risk. Compliance was understood as: documenting and meeting requirements and finding and resolving issues. Modeling compliance risk to determine business impact and prioritization of resources was done on a limited basis, if at all. Non-existent was a proactive function tasked with interpreting and predicting compliance risk and developing corrective plans to mitigate damage. Most often, compliance was a reactive function trying to put out fires.
Compliance is now challenged to take a risk-based approach to compliance processes. This requires the organization to take in information from the external business and regulatory environment, understand the context of dynamic and distributed business, and model risk and present and future business impact.
The core principles of compliance risk management are:
- Understand your risk. An organization needs to have a risk-based approach to managing compliance and ethics. This includes a periodic assessment (e.g., annual) of the exposure to the organization for unethical conduct. However, the risk assessment process should also be dynamic – done each time there is a significant business change that could lead to exposure and incidents (e.g., mergers and acquisitions, new strategies and markets).
- Approach compliance in proportionality of risk. How an organization implements compliance procedures and controls is to be based on the proportionality of the risk it faces. If a certain area of the world or a business partner scores as a higher risk to corruption or ethical issues, the organization is to respond with stronger procedures and controls. Proportionality of risk also applies to the size of the business – smaller organizations are not expected to have the same measures as large enterprises.
- Monitor the risk and regulatory environment. Content and information on changes to risk and regulatory environments is critical to understanding ever-changing compliance risk. New laws, changed regulations, court rulings and amended standards change the organization’s compliance requirements. A defined process with accountability to monitor risk of changing regulatory environments is essential.
- Tone at the top. The compliance risk management program should be fully supported by the Board of Directors and C-suite. Communication to top-level management must be bidirectional. Leadership is to communicate their definition of acceptable and unacceptable risk and their support for the compliance program. To fulfill their fiduciary obligations, executives and Board members should always be informed about the effectiveness and operations of the compliance risk management program.
- Know who you do business with. Know your business relationships. This requires an established risk-monitoring framework that catalogs all third-party relationships, markets, and geographies. Strict due diligence ensures the organization is contracting with ethical partners. If there is a high degree of risk to corruption, compliance, and ethical issues, implement additional preventive and detective controls in accordance with the risk. Also, know your employees and conduct background checks to determine if they are susceptible to corruption or unethical conduct.
- Keep information current. Due diligence and risk assessment efforts are to be kept current. These are not point in time efforts that happen once; perform assessments on a regular basis or when you become aware of conditions that point to increased risk due to ethics and compliance issues.
- Compliance oversight. Make a trusted executive responsible for the oversight of compliance risk processes and activities. This includes the authority to report compliance and ethical risk to an independent monitoring body, such as the audit committee.
- Manage change. It is essential to monitor the business for changes that can impact its compliance program or introduce greater risk to corporate ethics. Document changes required to business practices as a result of observations and investigations. Implement changes to address deficiencies through a deliberate program of change management. This requires that changes be monitored by compliance to be proactive in preventing corruption.
Check Out These GRC 20/20 Compliance Management Resources . . .
- Strategy Perspective Research Paper
- Research Briefings