Originally Published June 7, 2013, 12:01 AM ET
Eight Ways to Move Toward a Culture of Compliance
More than just a set of policies and procedures, effective compliance risk management at the enterprise level can be viewed as a cultural ethic that should function like any other business asset that reaches across an organization. An effective way to get there is through a risk intelligent framework that brings compliance into the open, running throughout all business processes, with responsibility shared among all employees.
“A risk intelligent framework can be a radical shift from the way most companies see compliance today,” says Donna Epps, a partner and U.S. co-leader of Governance and Risk Management at Deloitte Financial Advisory Services LLP. “To move a company in that direction, the chief compliance officer will need to gain the backing and support of stakeholders from across the organization, including executive peers, business-unit and functional leaders, and the board of directors.”
Following are eight initiatives a Chief Compliance Officer (CCO), working with the CFO, can lead to help bring about a more holistic program of compliance risk management through a risk intelligent approach and elevate awareness at the enterprise level.
1. Get the Top Brass on Board
The road to holistic risk compliance can be much smoother if the CEO, CRO and the board of directors understand what the CCO is trying to do and why they should want to help. Risk intelligent compliance requires clear channels of communication between the compliance risk management program and the enterprise risk management (ERM) program, and the CRO’s engagement is critical. Luckily, the CRO’s shared interest in improving risk management effectiveness can make risk intelligent compliance a relatively easy sell.
The CEO’s role in supporting risk compliance is to empower the CCO with the authority needed to drive meaningful change, as well as to provide the necessary investment, political support, and, if needed, enforcement. Gaining the CEO’s support can require the CCO to make clear the risk management benefits of robust compliance processes, as well as collateral benefits of cost reduction and revenue enhancement. Any up-front investments must also be addressed early, such as the purchase of more effective technology to replace spreadsheet-based tracking and reporting.
The board of directors can play a role in holding management accountable for results of the enhanced programs. “The CCO’s task is to set expectations, develop metrics and establish milestones that are both substantive and realistic, as well as establish a multiyear master plan,” says Scott Baret, partner, Governance, Regulatory and Risk Strategies, Deloitte & Touche LLP, who also serves as global leader, Financial Services Enterprise Risk Services. “Many boards prefer to spend time on risk management rather than on compliance, so CCOs may want to consider framing board discussions in the context of ERM.”
2. Take the Company’s Bearings
Like any transformation, the pursuit of risk intelligent compliance begins with understanding the current state. Important questions include:
What are the company’s current compliance obligations and risks?
Who owns each risk?
What controls are in place against them?
How does the organization respond to control failures?
How are remediation priorities set?
What supporting technologies are used?
3. Develop the ERM-aligned Compliance Risk Management Program
Coordinating compliance risk management with ERM provides CCOs the operational basis for establishing, strengthening and validating the link between compliance and enterprise value. How a CCO accomplishes this at any particular company will depend greatly on internal organizational dynamics. “For insights on how to maintain effective cross-communication with ERM, the CCO may want to look at the way the internal audit function interacts with ERM to evaluate company risks,” says Mr. Baret.
4. Align the Compliance Function
The process of aligning compliance activities and investments with business priorities starts with the compliance function itself. The CCO should allocate the compliance function’s activities across the company’s compliance risks according to the relative importance of each compliance risk to enterprise value. In some cases, this may mean deploying people and infrastructure to countries, programs and/or activities where greater investment seems counterintuitive. In others, it may mean scaling back on one or more “sacred cows.” In either case, the CCO should be able to back up his or her decisions with reasons that tie solidly back to ERM priorities.
The corollary is that CCOs themselves should prioritize requests for investments in the compliance function based on their expected risk management benefit. Barring obvious infrastructural or resource gaps, the choice of what to ask for first may sometimes come down to a frank judgment call.
5. Lobby Hard for Effective Technology
The “right” technology and data architecture, both within and outside the compliance function, can go a long way toward improving compliance efficiency and effectiveness. Automating controls, for instance, can help lower costs and increase reliability, especially if the controls are first rationalized to reduce duplication. Companies can also avail themselves of a growing array of tools to support the compliance risk management process, some stand-alone, some sold as part of larger “enterprise governance, risk and compliance” solutions.
Some of the newer compliance tools feature: automated monitoring of regulatory releases; workflow capabilities to facilitate compliance process execution and tracking; and integrated “front end” interfaces that allow users to execute, document and track compliance activities in multiple areas from a single point of access.
6. Piggyback on Each Other’s Work
Looking for ways to reduce duplication of effort with other internal groups can help a CCO stretch the compliance function’s limited budget and resources. In particular, the CCO should enlist internal audit in supporting compliance oversight by testing and auditing compliance-related internal controls and business processes. Compliance personnel can advise internal audit on what tests would be most useful to the compliance function, as well as on what tests might be better left to the compliance function’s specialists to perform.
7. Foster a Culture of Compliance
Changing corporate culture can take years. CCOs should expect to work with the office of the CEO—as well as human resources, legal and communications—to supervise the change initiative and supply compliance-specific guidance as needed. Important areas to address include:
Performance management and compensation
8. Participate in Strategic Planning
The risk intelligent CCO should help leaders set a strategy that takes compliance into appropriate account by bringing relevant compliance perspectives to the strategic planning process. For instance, the CCO should explain what compliance obligations are associated with each of the strategic options being considered, help evaluate the likely compliance risk associated with each option and describe the nature and extent of the investments that may be needed to maintain compliance risk exposures within acceptable tolerances under a variety of conditions. “Once the strategy is set, the CCO should help the company understand and prepare to address compliance obligations that are expected to arise in execution,” adds Ms. Epps.
This publication contains general information only and Deloitte LLP and its subsidiaries (“Deloitte”) are not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication. Copyright © 2013 Deloitte Development LLC.