Companies everywhere know that demonstrating an effective compliance program is more important today than ever before.

Where the real challenge lies is in assuring that the compliance department maintains the best structure possible as regulations change and as the business evolves.

“One of the biggest challenges for compliance programs today, particularly some of your more heavily regulated industries, is the speed and complexity of the regulatory environment and the changes that are taking place,” says Richard Girgenti, a principal with KPMG who leads the firm's forensic practice in the Americas. As a result, the nature and the way in which risk assessments are conducted have had to change as well, he says.

Once a company becomes aware of a new regulation, the question then becomes how to get visibility into the changes the compliance program must undergo; how to drive that change into the organization's policies and procedures; and then how to embed the importance of those changes into the company through education and training.

The regulatory environment, however, should not be the only driver for maintaining an effective compliance program. “It's very easy to point at the regulatory environment as the sole driver of compliance programs, but I think globalization is a vastly underestimated force,” says Robert Biskup, a director in the forensic and dispute services practice of Deloitte Financial Advisory Services. 

As more companies expand abroad, especially into developing nations, “we're seeing a lot of board-driven focus on making compliance a part of that expansion plan so that appropriate risk-management protocols are in place,” Biskup adds.

Board members increasingly want a better understanding of how developed the companies' ethics and compliance programs are, and how well those programs are resolving issues. “They're looking for more qualitative than quantitative analysis,” says Andrea Falcione, vice president of advisory services and chief ethics officer at SAI Global Compliance.

And companies are increasingly willing to invest resources for a more robust compliance program. According to a recent poll of more than 1,900 business professionals conducted by Deloitte, 57 percent said they plan to focus more time and resources on improving compliance programs.

Compliance Gaps

What parts of a compliance program create the most challenges for companies?

Achieving a holistic view of the organization's risk is a significant area of concern, says Biskup. Many business units are conducting siloed and inconsistent compliance and risk assessments simultaneously. “Where opportunity lies is in getting that consistency,” he says.  

The challenge for the organization is that any time a new regulation comes out, “if you don't have an enterprise-wide approach to your governance, risk, and compliance effort, you can easily become overwhelmed,” says Girgenti. All business units should be sharing the same focus, metrics, language, and approach.

Another area for improvement is doing a better job of integrating compliance programs with internal audit, says Colin Campbell, senior vice president of GRC Product Management at SAI Global Compliance. It's a matter of compliance departments asking: “‘What are the changes we want to make in the business? How can compliance work with audit to effect that change?’”

Many companies also need to do a better job of delineating compliance roles and responsibilities, says Biskup. “Who is responsible for what? And how?” Without adequately defined roles, “cracks will exist in the program, and things will be able to slip through,” he says.

BECOMING COMPLIANT

Questions to Assess Compliance Program Effectiveness

How do you assess the effectiveness of tone-at-the-top?

Are integrity and ethics considered in hiring for senior positions?

Are leaders evaluated on their ethical behavior?

Do managers at all levels know how to incorporate values into business decision-making?

What consequences exist for bad ethical behavior?

Does the sales team know what actions can get them, and the company, into trouble? Do they know how to avoid those actions?

In addition to measuring people's accomplishments, do you evaluate how people accomplish their goals?

In the event of an acquisition or expansion of the business into a new area, do you assess the culture of the new entity, and do you consider potential risks of unethical behavior?

As you downsize or reorganize, are you inadvertently removing needed controls?

Are you placing people in situations where they will be overwhelmed and tempted to take unethical shortcuts?

Is the ethics program a set of check-the-box activities versus a set of values that influence behavior?

Have you emphasized the values of the enterprise throughout your supply chain? Do you make certain that the participants in all the working parts understand their contribution to overall success and the protection of your brand?

Do the company's Corporate Social Responsibility actions reinforce the company's values?

Source: Deloitte.

Respondents to the Deloitte survey also cited inadequate tone at the top (14.5 percent) and excessive pressure on unrealistic sales and performance expectations (14.5 percent) as additional leading management-related challenges to their compliance programs.

While tone-at-the-top is important, many compliance professionals said they worry more about their employees' activities. When asked which group requires the biggest improvement to help the organization's compliance program, 19 percent of poll respondents said “U.S. employees outside of compliance, risk, and internal audit,” whereas 16 percent said “compliance, risk, and internal audit professionals.”  

Tied for third at 14.5 percent were “non-U.S. employees outside of compliance, risk, and internal audit” and “non-employee third parties.” Senior executive and board leaders ranked lowest at 10 percent.

The poll results highlight the value in continuously taking employees' pulse to gauge the corporate culture. “It's amazing what employees will tell you if you just ask,” says Falcione.

In addition to on-site visits and focus groups, Deloitte also recommends the following practices:

Employee cultural surveys to assess attitudes and willingness to comply and report issues;

Exit interviews to capture, categorize, and quantify potential compliance risks;

Periodic ethics and compliance awareness and education; and

Detailed auditing and testing of employee compliance training results to track pass rates, completion rates, geographical correlations, and questions with high miss rates.

Communication and training efforts are crucial to maintaining an effective compliance program, particularly on a global scale. A common best practice is using actual case studies or hypothetical examples as an educational tool, keeping in mind cultural and language differences.

Building compliance controls around third-party business partners and conducting third-party risk audits, ranking each by their level of risk, is another important measure. Biskup also recommends providing:

Surveys and certifications of joint venture partners, agents, distributors, and resellers with questions that probe business practices;

Vendor and distributor training programs in addition to certifications of compliance with company policies and regulatory requirements; and

Helpline access to non-employee third parties such as vendors, customers, and other stakeholders.

Maintaining compliance program effectiveness also means keeping up with industry and cross-industry best practices, “finding the optimal combination of internal and external sources to drive effectiveness for your company and your industry,” Biskup adds.

Barbara Kipp, a partner in PwC's Risk Assurance practice, recommends that companies periodically engage a third party to conduct an independent audit to assess how the company is faring in comparison to the body of best practices out there “in order to give that additional level of assurance and comfort that the compliance program is working,” she says. Another option is to engage a subject matter expert to perform a “health check” of a specific risk area.

Having an outsider look over your compliance program also can help with keeping track of regulatory changes, “which can be very useful in terms of continuing to monitor what is going on and figuring out what changes need to be made in your program,” says Falcione.

“Without that detailed risk assessment to stratify and prioritize where risk resides, it becomes an almost impossible task to set out deploying appropriate controls,” says Biskup. “Inevitably, you're going to do too little or too much.”

Companies have to be continuously monitoring regulatory changes so that they can change their risk profile just as quickly as new regulations arise that may affect their business or industry. “It's no longer a once-in-a-while effort; it's a continuous effort,” says Girgenti.

“Making sure that organizations harness the data they have and use all the multiple measures that are at their fingertips to ensure the effectiveness of their programs is the way to go forward,” says Kipp.

An emerging trend in the way that companies are mitigating compliance risks is through “social business intelligence,” keeping a pulse on societal indicators that may result in regulatory changes down the road, notes Kipp.

She cites the recent “pink slime” outcry as an example, in which bad publicity over the use of “lean finely textured beef” in the beef-producing market quickly catalyzed into regulatory changes for the whole food industry. “If you really want to be ahead of that stuff,” she says, “you need to be watching it and thinking about the potential impact on your business.”