We hear a lot about the challenges of compliance in today's business environment. In articles and speeches every day, experts talk about voluminous requirements, complex and conflicting obligations, fast-paced change, and lack of information—and we nod our heads in agreement and commiserate with each other about how hard our jobs are. We've been dancing to this tune for years now.

We are spending lots of money on compliance, but we still have lots of gaps in coverage, lots of high risks for noncompliance (many that we don't see), lots of self-created complexity, and lots of wasted resources. We don't have enough consistency, enough insight, or, most importantly, anywhere near enough confidence that we know what our compliance obligations are and that we are addressing them correctly, let alone cost effectively. Even though we know it's out of tune, we still just hum along to this song called “The Disheveled State of Compliance” and sway in place.

Students of music know that each composition has a structure: an intentional design that describes the arrangement of different notes in each line of music, with a defined beginning, middle, and end. Each style of music, be it opera, blues, or rap, has its own identifiable structure, and when the songwriter doesn't follow the right style the piece just doesn't sound right and goes nowhere.

Songs that are well structured and make the best coordinated and creative use of key elements such as lyrics, melody, and harmony are the ones that flow from one part to the next almost seamlessly. They are the ones we can't stop singing. They are the ones that make us feel good. And the very best of them become anthems for our time.

To write a harmonious tune, or to orchestrate a symphony, the composer not only has to be able to identify what is wrong with each successive draft; he or she also needs to know what structure to put in place and how to coordinate the key elements that will fix it, to retune it if you will. The same is true for fixing a discordant approach to the management of compliance obligations.

Just like a musical composition, a well-designed approach to managing compliance obligations has many moving and interrelated parts built on a specific structure, and each piece must work in harmony with the others. Just as the structure of a song includes many parts—the verse, the chorus, the bridge, the hook, and so on—the structure of an effective approach to compliance must be equally well developed and designed.

Key parts of the structure include: a system to identify and track changes in the obligations (both the mandated requirements and the voluntary commitments that each organization faces); management actions and controls that respond to each obligation; identification and reporting of issues and of potential failures to conform; methods for auditing and improving; and, overall, an integrated workflow that enables quick exchange of relevant information across and throughout the structure.

Most often, though, both the business and the compliance capability of an organization have built up over time, with the latter developing in a reactive and haphazard manner. The result is an unstructured and disjointed approach that makes more noise than music. The need to step back and listen, identifying all of the parts and then determining which work well and which do not, is clear.

Putting policies and procedures in place is not enough, nor is randomly applying technology. Think about the former as the notes, and the latter as the instruments on which they are played. What is missing? It is the skilled musician, the person who brings these two essential elements together.

When I was in college, I had a friend who was a harpist studying under the foremost harp teacher in the world. On her wall was a quote from her teacher that read: “Focus on technique. The notes will follow.” What does this mean in the context of compliance management? It means developing the skill to design, structure, and operate a compliance capability that uses the right technology, operated to its best advantage.

Just as the success of a piece of music is highly dependent on the synergistic skills of the composer and the group of musicians who work together to perform it, the compliance management process is dependent on coordination of skillful people, well-designed processes and high-performing technology that make it sing. Without structure, skill, and synergy, our compliance efforts will remain badly out of tune.

Managing Compliance Obligations: An OCEG Roundtable

Switzer: When we talk about managing compliance obligations, what are we talking about exactly?

Liebman: At its simplest, we are talking about creating an effective and sustainable process for identifying, prioritizing, and addressing the human behaviors to be encouraged or discouraged so that the organization can achieve its strategic objectives without negative outcomes.

Roney: The term compliance has evolved to encompass more than simply meeting regulatory requirements. The success of an organization is dependent upon not only compliance with legal standards but also internal controls and standards that support broader organizational objectives, including reducing risk in a variety of areas and satisfying customer requirements. Managing compliance obligations requires consideration of the risks of the organization and assigning responsibilities to cover those risks adequately.

Childers: The risks and obligations organizations must undertake to do business in a dynamic, global marketplace have grown exponentially in the last 5 years. The risk impact from data breach, third-party bribery, reputation damage from failing to live up to social responsibility claims, and conflicting international mandates have compounded the historical perspective of compliance obligation management (COM). If we can agree that the essence of compliance is demonstrating the activities and efforts an organization undertakes to ensure that they are meeting the expectations or obligations required of them, then the compliance professional is charged with designing, implementing, and monitoring a myriad of activities to ensure that this growing list of compliance obligations is cared for. This is where the term “compliance obligation management” (COM) came from.

Switzer: Is COM the same for every organization?

Childers: No. Size, operating environment, industry standards and risk appetite all affect the establishment of COM. In fact, small or medium businesses looking to service larger corporations or government have an increased duty of care to demonstrate that they are a trusted business partner. COM extends beyond the pure regulatory interests of an organization and really becomes the extension of the organization's growth and sustainability goals.

Liebman: Each organization should act based on its own unique geographical and operational risks and the management capabilities and preferences of its leadership. Some may concentrate their efforts on addressing regulatory requirements while others may focus on legal as well as regulatory requirements. Still others may incorporate non-legal/non-regulatory ethics in the form of institutional mission and values. I like the OCEG “big picture” model which speaks of mandatory (i.e., externally-driven) and voluntary (internally-driven) boundaries which can be adapted to any organization.

Roney: That's right; the scope of COM has to connect with the risk profile of the organization. For organizations that are highly dependent on government contracts, legal/regulatory compliance is critical and COM may focus on that. For companies in the supply chain for brand name companies, a focus on responsible production practices may be the focus. Bottom-line: COM must be shaped by the critical risks of the organization.

Switzer: It would seem that larger, more mature organizations might be able to establish a formal compliance program and management process more easily, since they have more resources, more available technology, and so on. Is this just too challenging for smaller organizations?

Roney: Smaller organizations often do COM without realizing that is what they are doing. Small firms still have compliance requirements, both external requirements (regulatory or customer imposed) and internal. The Sentencing Guidelines recognize that the formality and scope of a compliance program will depend on the size and complexity of the company. That doesn't mean that smaller companies don't need to, or can't, manage compliance. It is not difficult to be systematic at managing compliance and documenting those processes, and small organizations need to do that.

Childers: Obviously a company with more resources and a mature process will move quicker to a COM posture but the process is not difficult. In fact, most organizations have a very clear understanding of their obligations but have not understood or embraced a process that allows them to manage these obligations consistently and effectively. In some cases, organizations that are larger and more “siloed” find it more difficult than a smaller organization to achieve an effective COM posture because of the lack of cross-functional data analysis and reporting. Effective COM, philosophically, is a balance of allowing organizations to function normally and operate efficiently at a departmental level while providing for the data exchange necessary to audit, report, and observe the overall COM compliance.

Liebman: Small and large organizations each have their positives and negatives. Smaller organizations are able to efficiently identify and prioritize risks and then quickly get consensus around a handful of appropriate mitigation activities. Done correctly, they are often able, or maybe are forced, to focus on the few behaviors that create the real risk, albeit their scope is much narrower. Large organizations can often think more tactically about behavior and apply layers of resources over time to address a wider scope of risk but they face all sorts of challenges in the implementation phase due to disparate and decentralized leadership and matrixed and often-conflicting management capabilities.

Switzer: What are some of the challenges that you see many companies struggling with? Are some parts of this more difficult to get right than others?

OCEG ROUNDTABLE PANELISTS

Carole Switzer, Moderator: President, OCEG

David Childers: CEO, Compli

Paul Liebman: Chief Compliance Officer, University of Texas at Austin

Scott Roney: Special Counsel, CSLG

Source: OCEG.

Liebman: I think the biggest challenge companies face is prioritizing the ever-growing body of compliance-related requirements in a time of diminishing resources. A somewhat connected concern is proving the relevance and ROI of the compliance department's activities to those in business and functional leadership roles. Both of these challenges are difficult but not impossible to get right.

Childers: Most organizations struggle with where to start in the process of achieving an effective COM posture. The path to COM illustration demonstrates the importance of risk and obligation review, activity planning, and the flagging of mitigation activities to ensure that as the risk environment evolves, the COM activities can be categorized and modified to create a steady state of operational compliance. Historically, organizations often believe that they can achieve this type of cross-functional data interchange and auditability through internal processes and spreadsheet-type information consolidation. Because most organizations employ a number of point solutions like HRIS, ERM, CRM, computer-based training, records management, etc., developing an internal tool to consolidate and track the diversity of COM data is very difficult.

Roney: In addition to prioritizing risks and allocating resources, a big challenge is to determine whether the needle is moving—are the resources you are putting into risk reduction actually having the desired impact. Compliance officers tend to measure processes, like training, code certifications, etc., but connecting those processes to substantive risk reduction is a leap. That ties into the challenge of showing an ROI on compliance department activities. If you can't show the data and how compliance management is adding value, then executives are reluctant to continue to make the investment.

Switzer: Can you really effectively manage compliance these days without using technology to your advantage?

Childers: No, and that is what the COM pathway is all about. Effective COM is not about having one system but rather deploying the technology to synergize the variety of systems and tools likely already deployed or needed. The key tools required for effective COM are automated workflow, conditional alerts and routing, policy and document management, and cross-functional reporting.

Liebman: Technology can be an important tool to effectively manage large amounts of disparate and decentralized information but there is no substitute for the person-to-person aspect of the compliance leader's job. Technology is an enabler of previously-existing good practices; it cannot create good practices from thin air. So much of a compliance leader's success is based on the trust between himself and other leaders at the company, and that trust can only be built up over time through multiple very-human interactions.

Roney: In most organizations, technology is critical to compliance management. There are just too many transactions and data points day-to-day to track and monitor without technology. Automated alerts, reports on aggregation of data, triggers for authorization, and other such controls are critical to achieving a comfort level that activities are within established parameters. Possibly some small organizations can get by with little in the way of automated controls and technology, but I would say a firm of any substantial size has to look at technology to support its compliance program.