I have seen many fads in my life. One that to this day still amazes me for its creative marketing and success: the Pet Rock. Think about it; someone took a rock and a small piece of cloth to serve as a blanket, put them in a box and marketed the result as a pet. Hundreds of thousands of parents bought the Pet Rock for their children. Many probably hoped that it would curtail their child’s lobbying for a dog or some other animal requiring a far greater commitment—with the parent bearing the burden in the long run.
Maintaining an effective compliance program has become faddish for too many companies—much like investing in and playing with a Pet Rock. Compliance officers are tasked with designing, implementing and managing compliance programs, with the board and senior management needing to ensure their resiliency and sustainability in the longer term through funding, oversight and other supports. However, boards and senior management can tire of the fad for any number of reasons, relegating the compliance program to the back, like the Pet Rock, and shifting focus and priority to something else.
When it comes to compliance programs, history and enforcement actions have demonstrated that few companies are immune to this fad risk. But these programs must be viewed as permanent, long-term, deep commitments in order to be sustained at the level required to continuously and effectively mitigate legal and regulatory compliance risk. No effective compliance program survives on short-term fixes and support.
Sustained focus, controls and culture
Sustainability is the secret to success. Short-term memory is a major factor in compliance-program failures. Too many companies that have had past issues end up with repeat or similar issues five to ten years later, with several seeing repeat enforcement actions. Depending on the board and executive leadership at any given time, the commitment to an effective compliance program can come and go, with often devastating effects on the company.
No system of internal controls is worthwhile if it is not sustainable. Designing and implementing an effective compliance program is not enough. It won’t run on autopilot. In the end, the maintenance of the program determines its success. It’s also critical that everyone throughout the company buys into and fully supports the program, particularly middle management and first-line management. Finally, compliance programs need to be resilient since challenges and issues continuously change—again, autopilot doesn’t work. Several factors impact sustainability, as discussed below:
- Oversight: Boards and senior management need to fully understand their roles and responsibilities in overseeing the compliance program. While each has a duty to support compliance officers and their programs, they also have somewhat different roles and responsibilities. They have to work closely together and have a transparent relationship, but boards need to be knowledgeable enough to challenge senior executives on compliance-risk management. Setting the tone at the top to drive a compliance culture is also extremely important, since buy-in and adherence throughout the company are key to a successful and sustainable compliance program. Senior management needs to support compliance officers in ensuring buy-in and adherence to compliance programs.
- Knowledge: To support the compliance program, both boards and senior management must understand the risks to the company and the corresponding compliance-program framework and needs. Boards must also have a reasonable understanding of compliance-risk management. To do so, depending on the company’s complexity, it may not be a bad idea to have someone on the board who is well versed in the area. Compliance officers must present clear support for their needs, such as justifying the budget necessary to maintain an effective compliance program. Boards and senior management should check and challenge compliance officers, leveraging information and metrics to do so. They should work with compliance officers to ensure they receive the reporting they require, since too little or too much information can impact how well the board and senior management conduct oversight. When senior managers ask compliance officers for budget reductions in times of budget constraints, it is up to compliance officers to educate boards and senior management on the requirements to maintain an effective and sustainable compliance program.
- Funding: Compliance-risk management is not inexpensive, and it is often viewed solely as a function that severely impacts earnings due to the high staffing levels and complex technologies required to be effective. This becomes even more complicated and expensive for anti-money laundering/counter-terrorist financing, sanctions, sales surveillance and other programs that are heavily reliant on technology and staff support. However, sound compliance-risk management actually mitigates regulatory actions that impact revenue, and, with some creativity, compliance data and reputation may even be leveraged for business purposes. Funding shortfalls represent recurring root causes of compliance-program failures. Of course, every function must look internally to ensure it is operating effectively and efficiently. Compliance functions should not become money pits. However, boards and senior management must fully support the reasonable funding needs of their compliance officers.
- Compliance management: Boards and senior management need to appoint qualified compliance officers and then provide them with full access. The compliance officers’ many strengths should include: relationship management, to cascade the compliance program throughout the company; confidence in checking and challenging first- and second-line management, as well as the board and senior management; understanding of what it means to ensure their compliance program is sustainable; and ability to balance the company’s cost considerations with the needs of the compliance function. Finally, compliance officers cannot be used as pawns for irreparable compliance-program cutbacks. They must stand their ground in tough times—and may even, at some point, need to make the difficult decision of whether it is worth the personal risks and reputational threats to remain with their companies. It is up to the board and senior management to never put compliance officers in such a difficult position.
- Independent audit: Similar to the support required for compliance programs, boards and senior management must fully support and understand the workings of the third line through appropriate funding, vetting of the chief audit executive and senior staff, and reports and metrics. Auditors must understand the compliance risks within the company to be effective in their assurance work. If any part or all of the audit function is outsourced, appropriate vendor due diligence needs to be conducted to ensure the third party is qualified and effective in its audit coverage.
Designing and implementing an effective and sustainable compliance program requires long-term commitment from boards and senior management. While a costly undertaking both in time and money, an effective and sustainable compliance program mitigates business-interruption risk and ultimately can save companies millions of dollars in fines, penalties and lost revenue.