Compliance departments have traditionally been essential on Wall Street, in banking and insurance, healthcare, and other highly regulated industries. As the burden of regulations has grown, so too has the recognition of the importance of a disciplined approach to compliance management.
According to the Baker McKenzie Global Compliance Benchmark 2016 (a compilation of the most respected studies worldwide), 83% of compliance professionals feel that compliance has become more complex and challenging in the last two years. At the same time, corporations are recognizing the need to make the CCO a standalone C-level position, with 59% of companies reporting in 2015 they have a standalone CCO, compared to just 37% in 2013.
More recently we’ve seen industries that had never viewed compliance as a core business requirement begin to change their views. Often the change is prompted by an issue their company or industry is just starting to confront. As a result, many business leaders and their boards are now looking at compliance in a new, broader light. Today’s Chief Compliance Officers often see themselves as both compliance and risk managers, and this broadened scope makes building an effective compliance team even more daunting.
Start At The Top
If your company is in the early stages of building a compliance team, consider that this needs to start with leadership. The C-suite and board should set the tone by declaring compliance and risk management a strategic imperative critical to enterprise sustainability. Here’s how they can show that they mean it:
- Create a board level committee to provide oversight on compliance planning
- Provide audience-specific messaging to set expectations
- If there’s a CCO already in place, involve him or her in strategic discussions
- Set expectations for executive involvement, and establish accountability
The tone at the top can get things started, but we all know actions speak louder than words, and a corporate culture is affected by the actions that signal commitment. Commitment can also signal to an organization that new behaviors aimed at improving transparency are expected. In the world of compliance, nothing says commitment like a formal compliance risk assessment, because of the resources involved and the effort expended to conduct it properly.
Conduct Compliance Risk Assessment
Risk assessments have become an important service offering of the global accounting and general consulting giants like Deloitte and PwC, for the obvious reason that risk assessments require the same type of disciplined dive into all aspects of business operations that internal audit requires.
That’s not to say you couldn’t do it yourself, but the experts can do it on a predictable timeline and provide you with complete confidence that the end result will be thorough and comprehensive. And when you’re talking about compliance risk, anything less than comprehensive is unacceptable.
A risk assessment will seek to identify and understand your top compliance risks. The reasons risk may occur, the likelihood of occurrence, and the expected impact to the business are all core elements of an assessment. The end deliverable will provide a view on risk prioritization and internal ownership, as well as thoughts on resource allocation to address mitigation.
Hire Chief Compliance Officer
If you don’t already have a CCO in place, now is the time to take that step. You’ll need a senior professional in place to begin building organizational expectations, practices, processes, roles, situational protocols, etc. In short, a new CCO has the mandate to create everything that’s needed to successfully establish compliance as an organizational priority.
For the process of finding and hiring a first CCO, we advise clients to make the search a board-level assignment, especially if the position will be part of the senior team and report to the board. Having the board directly involved in the search helps candidate recruitment, and also sends the right message to the organization about the impact this position is expected to have.
Because of the dynamic changes in the CCO role, both in the number of companies adding CCOs as standalone C-level positions, and in the evolution of the position to a more strategic function, the difficulty in effectively filling CCO positions has grown dramatically. That’s why we’ve seen significant growth in the number of CCO search assignments, and why we recommend always working with specialists who have access to the best candidates and the skill to find the right fit.
Compliance and Risk Management
A new CCO faces the daunting task of creating a comprehensive code of conduct that ensures an organization’s compliance with laws and regulations at all relevant levels, from local to international, as well as compliance with existing enterprise policies. Increasing regulatory pressures in the U.S. and abroad make this challenge more complex than ever.
CCOs must also contend with the emergence of new risks, such as increased cross-border enforcement of bribery and corruption laws. Cyber threats and the explosion of digital crimes force organizations to create policies and technologies to protect against these 21st-century threats.
The compliance and risk assessment becomes the best starting point to create an effective compliance management plan. In broad strokes, here’s what that plan should address:
- Corporate code of conduct
- Policies, procedures and controls addressing all compliance requirements and risk areas
- Communication tools and policies for reporting concerns and misconduct
- Defined protocols for capturing and cataloging issues, conducting investigations, and taking corrective action
- Training tools and expectations for everyone involved
- Compliance visibility and organizational engagement
- Testing, auditing, results measurement, reporting
Too many organizations and industries have treated compliance and risk management as a reaction to a crisis or short-term situation, providing emphasis when they felt pressure to address issues, but reducing the emphasis as the crisis retreated.
In the world we now live in, it seems obvious that global enterprises are realizing that great compliance management is a strategic imperative that provides sustainable protection and value to organizations. And it’s that recognition that drives the work we do, and the advice we offer on building great compliance teams.