Yes, yes—companies everywhere know that having in place an effective compliance program is more important today than ever before. Regulators, boards, shareholders, and other stakeholders all are demanding it.
But how are compliance officers actually achieving that?
That was the question posed to a panel of compliance officers at Compliance Week 2016, who came together to discuss how they harmonize the pillars of their compliance programs—from training and communication to risk assessments, monitoring, testing, and more.
Fifteen years ago, directors did not have risk assessments on their radar, but that’s not the case anymore, said Stasia Kelly, co-managing partner of the Americas at law firm DLA Piper who serves on two corporate boards. “This is what keeps us up at night.”
Directors want clear communication about the company’s risks. “Don’t just give me a heat map,” Kelly said. To prevent information overload, it’s especially helpful to directors when risks are prioritized and reported on that way, she said.
Some companies may assign certain risks to the audit committee, and other risks to the governance committee. Still, other issues—such as cyber-security—may receive the attention of the full board.
Emerging risks are another area of focus for boards, Kelly added: “What is coming down the pike? What is it that we should be worrying about?” Shareholder activism, for example, is a “big deal” and will continue to be a big deal, she said. Compliance officers can add real value by thinking about what those issues mean to the business.
At multinational insurance company AIG, risk assessments are reported to the regulatory and compliance committee of the board once a year. Special attention is paid to high-risk areas, “and then we do a deep dive with the board,” said Karen Nelson, chief compliance officer at AIG.
“We have found the most success by having dedicated people who go in and test the actual controls.”
Karen Nelson, Chief Compliance Officer, AIG
With cyber-security and sanctions risks, for example, subject-matter experts come to the board meetings and explain, “‘here’s what we’re looking at. Here’s what we’re struggling with. Here’s what we’re doing about it,’” Nelson said. “That was received well by the board.
To get a better grip on its risks, AIG last year implemented a technology solution that enabled the company to input all its risks into one comprehensive GRC system. In that way, each department is able to show which risks it owns. If another department feels they own that risk as well, they can attach to it.
Those risks are then aligned to different processes. “For example, claims handling is a compliance risk, so in the spreadsheet we align it to the claims process, so that executives of the company can see all the risks associated with claims processing,” Nelson said. “Any inherent risk that was labeled as being higher elevated, that’s where we focused our risk assessment.”
Having this GRC system has allowed the company to consolidate reporting to the board “and have much more meaningful data across 76 countries to be able to say, ‘here is where we have issues. Here is where we need to tighten controls,’” Nelson said. Prior to adopting this new system, AIG used to “boil the ocean,” she said. The problem with that approach is that “you get so much data you can’t synthesize it and understand what is there.”
At hospitality company Hilton Worldwide, legal and compliance does their own departmental legal risk assessment, separate from the company’s enterprise-wide risk assessment. “The enterprise-wide risk assessment is largely focused on business risks—strategic, operational, financial, and reputational,” said Louise Nelson, assistant general counsel of compliance at Hilton Worldwide.
The legal risk assessment, in comparison, helps ensure that certain issues that may not necessarily be considered high risks to the company are still being addressed. “Then we assign a risk owner to each legal risk,” said Nelson of Hilton. “We want to make sure nothing slips through the cracks.”
Furthermore, Hilton this year changed the format for how it reports risk by comparing its risk exposure in relation to management capabilities. Employees were asked, for example, “what’s your perception on whether people, processes, and technology are capable of effectively managing this risk?”
Below are the results of a poll conducted by DLA Piper during Compliance Week 2016 in the session, “Putting Your Program Into Practice.”
How frequently are your compliance communications sent from your senior executives?
More frequently than quarterly (15%)
Not yet (15%)
Total votes: 84
Do you report the results of your risk assessment to the board?
Not applicable (10%)
Total votes: 80
How frequently do you audit or monitor compliance?
More frequently than quarterly (31%)
Not at all (10%)
Total votes: 78
Source: Putting Your Program Into Practice; Compliance Week 2016
The company then ranked its risk exposure based on any gaps between the enterprise risk assessment and management capabilities. “Our CEO loved it,” said Nelson.
For companies that don’t have $10 billion in revenue or can’t afford the luxury of a comprehensive GRC system, having a well-documented compliance program, at the very least, makes it easier for external counsel to defend the program to regulators when an issue arises, said Brett Ingerman, a partner at DLA Piper. That includes “documenting the risk assessment, documenting the remediation, documenting your follow-up,” he said.
Aside from budget, another real-world obstacle, particularly among industries with disparate workforces—like hospitality, construction, and retail—is how to then communicate risks to the workforce. Hilton Worldwide, for example, has over 175,000 employees, the majority of which don’t have access to computers or a company e-mail address.
To overcome that compliance challenge, “we really think about our communication awareness program in two different buckets,” Nelson of Hilton said. One is communicating primarily with middle management and all other corporate employees around the world, while the other is thinking about “team members who are on the ground in our hotels and aren’t technology-abled,” she said.
For the latter group, “which is really our lowest-risk audience form a compliance perspective,” she said, the company does what it calls “pre-shift training,” which essentially involves talking points created for managers to use to brief their employees in-person as shifts change, and that happens every couple of months, Nelson said.
Monitoring and testing
Nelson of AIG noted that it’s important to differentiate between monitoring and testing. “They are very different,” she said. Monitoring is the day-to-day surveillance of the business, while the actual testing of compliance controls keeps the program in check.
AIG develops its testing plan each year based on the results of its risk assessment, Nelson of AIG explained. “We have found the most success by having dedicated people who go in and test the actual controls,” which involves a dedicated team of 52 individuals, organized regionally, she said.
Testing controls enables the company to identify the root cause of issues. As issues get tracked and put into the GRC database, the company can then run a trend analysis to identify if there are issues in a particular region or area.
“The test program took us a while to build, and we went through a lot of trials and tribulations with it,” Nelson added. The plan gets adapted as issues arise; to ensure that the team does not test the same controls as audit, “we’ll figure out who should take the lead,” she said.
“People get very comfortable with the results of the risk assessments,” Nelson added. The shortcomings of a risk assessment, however, is that the findings are based on people’s opinions of how controls are working. “If you’re not going in and looking at those high risks and elevate risks in terms of controls, and testing them to make sure they’re operating correctly, that’s when you have a false sense of security.”
Although companies operate successfully through taking risks, it’s the responsibility of compliance officers to rein them in if they start to go too far, said Nelson of Hilton. “As a compliance officer, I let the business walk as far as the edge of the cliff with my arm extended, so if they start to fall over, I can grab them back.”