Businesses are rarely simple or linear anymore. Compliance officers face a multitude of regulations, layered atop unique business units with varying risk profiles that are, figuratively and literally, all over the map.
Managing that risk exposure requires a framework that unifies decentralized compliance activities; the goal is to streamline monitoring, testing, and reporting. The challenge, for a large organization, is maintaining the same compliance objectives, testing, and controls across all units without the costly need of starting from scratch and trying to replicate those processes anew for each segment.
That sounds difficult in theory and, well, it’s just as difficult in practice, according to a trio of experts speaking at the recent Compliance Week 2015 conference. The solution, they said, is equal parts personality and process.
“You can show your teeth, but you need to do it with a smile,” said Bruce Strothers, managing counsel for Coca-Cola. He stressed the diplomatic balancing act needed as compliance interacts with business units. His message: those units need to work with him, and be partners with him, to be successful and profitable.
“To be fully effective, you need to be collaborative,” said Stephen Naughton, chief compliance and ethics officer at Kimberly-Clark. The broad task at hand is “integrating all the functions and reducing all the silos,” including compliance, legal, finance, human resources, and internal audit. “They have to be brought together so that the company knows when something is going wrong.”
Culture goes hand in hand with this collaboration, Naughton added. Employees and managers alike must be comfortable raising concerns, either through a helpline or direct contact with a superior. His approach during personal visits is to ask, “What’s the open secret in the room?”
“There almost always is one,” he said. “Everybody knows of something that is happening, but nobody really talks about it. Get out, get out of your office, and try to develop communication lines.”
Strothers, Coca-Cola’s compliance lead for its Minute Maid business based in Houston, stressed the importance of seeking out trouble, not just waiting for it to happen. Greater-than-expected profits in a quarter could be a red flag, for example, so he investigates to ensure that the financial success wasn’t achieved by cutting corners “and painting ourselves into a corner that we can’t get out of.”
At Kimberly-Clark, every month Naughton consults with legal, internal audit, global security, and human resources to review all major cases, investigations, and problems. “If HR knows of something, legal should know about it; if legal knows about something, then compliance should know about it,” he said. “One of my standing rules is that if there is an internal investigation in the company, I should know about it.”
Handshakes, meetings, and phone calls can only advance integration efforts so far; there are also regulatory pressures to consider. Strothers knows that all too well from his work at Coca-Cola, a company with hundreds of product lines in virtually every country in the world. The most recent challenge dropped at his doorstep was the launch of a milk brand—a first for the company—simultaneously in 46 states, each with its own regulatory regime in addition to federal rules. The business imperative was clear: even the slightest violation would mean empty shelves and a flopped launch.
“Being business unit counsel means that you are forced to make decisions without subject matter experts at your beck and call,” he said. “I can’t just go down the hall and ask for our trademark counsel or operations counsel like I can in Atlanta. I have to make snap decisions because the business unit is moving forward and I have to tell my business colleagues that if we don’t comply with these regulations there is a business detriment.”
Don’t be afraid to work with your company’s marketing or public relations team to craft messaging that effectively communicates the regulatory environment to everyone from sales teams to external partners, Strothers said. He also relies on a slate of self-help tools, including charts, maps, and e-books, to explain important requirements and controls companywide.
“If I can give them a visual of what the requirements are, they have something they can sink their teeth into and it’s a very effective way for me to communicate what the regulations are,” he said. “We can’t do business unless we are in compliance with these various regulations. My business colleagues have to come to me to keep the product on the shelf.”
At KPMG, Amy Matsuo, a principal in the firm’s regulatory risk service, advocates the Three Lines of Defense model for risk oversight: business units in the first line, compliance in the second, internal auditors in the third. “When I think of integration, I think of it from that perspective,” she said. “Whether you call it alignment or collaboration, it is important to maintain independence.”
Especially in the financial services sector, regulators are driving (or at least trying to drive) integration efforts. “They are pushing to have what they are calling a ‘centralized obligations inventory,’” Matsuo said. “That sounds simple in principle—that you should have all of your obligations in one place—but financial services fall under state, federal, and global regulations. Putting all of that in one place, in a repository that is plain English rather than just the citations, is no small feat.”
The benefits could be substantial over time. “If the first, second, and third lines are all going to use that same repository, that will be great,” Matsuo said. “If you can link up to the business controls as you map out your business processes and identify key compliance controls—mapping those to what obligations you are testing and what the results are—you can see linkages and integration coming together.”
“What the regulators are pushing for is independence of testing in the second line, essentially taking those compliance testers and putting them into one centralized compliance testing unit that still reports to the chief compliance officer, but it is separate from the advisory function,” she added. “The feeling among regulators is that you cannot truly be independent if you are both advising and testing on what you advise on. There is a restructuring going on in a lot of the testing functions in compliance right now in terms of getting that to come together and be more consistent across the entities.”
Companies, especially those in highly regulated sectors, can advance integration efforts by ensuring that those efforts tie to regulatory change monitoring and management. “You want to identify regulatory changes then map them, through that centralized obligations inventory, to your policies and procedures—so that if, or when, one of those obligations changes you know which business units, channels, or policies and procedures are affected,” Matsuo said. “You know who is responsible for all of these because you’ve got that roadmap for when a change happens where you go and who you go to.”
Expect efforts to consolidate regulatory requirements, centralize testing, and better predict future risks using data analytics to continue for the next several years, she added.