
Compliance Line of Sight: Evaluating Your Program’s Structure and Oversight

Jose Tabuena | August 18, 2015

The appropriate placement and authority of the compliance function and chief compliance officer remains a hot topic. Yet the continuing occurrence of major compliance failures raises the question of whether a better-structured compliance program and a CCO with substantial clout could have made a difference.

The General Motors faulty ignition switch fiasco is a case in point. Despite an exhaustive investigation resulting in the lengthy Valukas Report examining the failure, there is no direct mention of a corporate compliance program or the involvement of a CCO. While the Recommendations section of the report mentions a Global Ethics and Compliance Center, with reference to a code of conduct and the responsibilities of a vice president of global vehicle safety (to include safety and compliance issues), it doesn’t seem that the role of a CCO itself merited any attention.

Additionally, recent settlement agreements have begun to examine compliance function reporting lines and independence, and have required companies to fix their compliance oversight structure. For instance, the 2012 Justice Department deferred-prosecution agreement with banking giant HSBC required separation of compliance from legal and a new structure for the CCO to oversee all anti-money laundering compliance activities in the field.

According to compliance authorities such as Donna Boehme, the chief compliance officer should have compliance oversight for all high-risk areas of the company: “When evaluating the effectiveness and strength of a compliance function, ‘line of sight’ is one of the first things prosecutors and regulators should look for,” she wrote recently. “It is one of the key criteria that make all the difference between a compliance program that looks good on paper and one that doesn’t work at all in practice.”

Oversight Over Compliance Risks

The Three Lines of Defense model (which I’ve written about several times) offers a realistic framework to consider and organize compliance risk activities. Following a compliance and ethics risk assessment, part of the remediation evaluation should include clarifying roles and duties to monitor and control those risks.

What isn’t explicitly or comprehensively addressed under Three Lines of Defense is how core corporate departments such as legal, compliance, finance, and human resources fit in the model. While these functions have roles in the Second Line monitoring risks for operational units, they also own their own risks in the First Line.

Coming to an understanding of compliance obligations, where those obligations sit in the organization, and how they get tracked and reported is an important step in maturing the compliance program. By understanding who manages which compliance obligations within the business, compliance officers can identify opportunities to add value enterprise wide.

Regardless of who owns which risks and obligations, the emerging practice is for a central compliance function to ensure that all compliance risks are managed effectively across the organization. For this reason, all compliance-related areas should be in the line of sight (although not necessarily the direct responsibility) of the CCO, with consolidated oversight by the compliance function. Comprehensive and integrated oversight will enable the CCO to provide the CEO and board with a view into key compliance responsibilities across the organization. It will also help ensure that exceptions and issues quickly get reported up the chain of command so they can be handled appropriately.

Once scope has been determined, CCOs can communicate expectations clearly to the compliance owners across the organization. And there must be clarity about compliance roles—who leads, who follows, and who executes. Without clarity of oversight, gaps in compliance management can emerge, and poorly executed or poorly monitored compliance activities can result in unforeseen issues.

The compliance function must then take steps so that the main compliance-related risks and activities are managed regardless of where the compliance function sits within the organization. It requires collaborating with the business, where the majority of compliance obligations are often managed. Mechanisms must be in place to facilitate collaboration of activities between the central compliance function and compliance owners within the business, and clear accountability for compliance obligations must be expected.

The Right Oversight Structure?

A variety of resources can help you document the scope of compliance, from assurance maps to compliance risk inventories and dashboards. Those tools can be good starting points for internal conversations or negotiations about who is responsible for which compliance obligations.

Recall that the biggest influence on the design of a compliance program is the U.S. Sentencing Guidelines. In addition to the Sentencing Guidelines, if the company is publicly held, it must comply with the Sarbanes-Oxley Act of 2002. And if the company is a federal government contractor or subcontractor, the Federal Acquisition Regulation comes into play. Other compliance requirements apply to other industries. Fortunately, these various guidelines and requirements tend to complement each other rather than conflict.

For example, the Office of Inspector General of the Department of Health and Human Services recently published (in collaboration with professional associations) Practical Guidance for Health Care Governing Boards on Compliance Oversight. That guidance describes that organizations “should define the interrelationship of the audit, compliance, and legal functions” and that the “structure, reporting relationships, and interaction of these and other functions (e.g., quality, risk management, and human resources) should be included as departmental roles and responsibilities are defined.”

Size Matters

Clearly, size is a relevant factor in structuring a compliance and ethics program. A large company generally should devote more formal operations and greater resources to its program than a small one. A small organization can meet the guideline requirements with less formality and fewer resources. As referenced in the U.S. Sentencing Guidelines Manual, examples of size-related informality include:

  • The governing authority in a smaller company directly managing compliance and ethics activities.
  • A smaller company training employees through informal staff meetings and monitoring through regular “walkarounds” or continuous observation during normal management.
  • A smaller company using available personnel, rather than separate staff, to carry out the compliance and ethics program. With resource constraints, individuals may wear multiple hats such as a general counsel who also serves as the chief compliance officer, or the head of audit likewise responsible for risk management.
  • Modeling a compliance program on an existing, well-regarded compliance and ethics program, and best practices of similar organizations.

Regardless of size, the company will need to assess whether it has devoted adequate resources to the operations of its compliance program, and whether the designated compliance officer has sufficient authority within the organization.

Evaluation Considerations

Here are key questions for internal audit and the company to consider when assessing the compliance oversight line of sight:

  • Does the CCO have direct access to all key-risk information in the company, or are some areas “carved out” of the compliance program? How are carved-out areas monitored and managed?
  • If compliance risks aren’t addressed by business representatives on the compliance committee, where are the risks being managed? And is the compliance function overseeing the management of those risks?
  • Are the owners of compliance risks that sit outside the CCO’s direct reporting line regularly providing the compliance function with requested information on risk monitoring and control areas?
  • Does the CCO have unfiltered access to the board, not only via periodic in-person reporting but also other significant visibility, such as the audit committee seat at the table, and mandatory escalation procedures for critical matters?
  • Ultimately, does the CCO have the independence and broad authority to require improvements in all risk-area activities, if they are not meeting the standards expected for effective, well-implemented compliance programs?

It’s impossible to know with certainty whether a more robust compliance program could have prevented significant compliance failures such as in the case of General Motors. The professional perspective of a compliance officer, however, could have made a difference. Essential features of an effective compliance program include establishing appropriate discipline and incentives, and supporting a culture of transparency and accountability. In the case of GM, it seems that performance-enhancing risks such as the pressure to meet performance criteria, not to delay a product launch, and to defend the company were critical factors in its recent debacle—which are risks a CCO is intended to address.