Taking Control of Internal Compliance
Who “owns” compliance at your firm?
It’s a fair question – and one that too many companies can’t fully answer.
Technically, any compliance officer or risk manager may take the title – and responsibility – for company risk management obligations.
Yet that’s not entirely fair or accurate given the lower-level priority companies often give to compliance functions.
According to KPMG Advisory’s 2019 Compliance Officer Survey, compliance decision makers say they don’t have enough help in dealing with key issues like maintaining regulatory obligations and capturing regulatory change in time to stay ahead of potential “red flag” issues.
Part of the problem is money – a majority of compliance officers say there is “room for additional investment” to better manage their company’s risk and compliance obligations.
A larger issue for compliance professionals is the lack of a cohesive corporate structure that funds, manages and prioritizes compliance in the workplace.
While compliance officers may officially be in charge of risk and regulatory issues in the workplace, the real question for compliance managers is this – how can I “own” compliance, when I’m not getting enough top-tier support?
Who Really Owns Compliance?
Companies that do the best work on risk and compliance ownership obligations take a team approach to the issue.
That doesn’t mean that the team isn’t led by a compliance manager – it usually is.
The larger point is that the entire team takes on the mantle of responsibility for company compliance, even though the compliance officer may be the point person. By spreading the work and the responsibility around to a dedicated compliance team, corporate decision makers are signaling that it’s the company, and not only the compliance officer, that owns the responsibility for proper risk and regulatory policies.
What (or who) comprises the ideal compliance team? That answer largely depends on the company’s unique compliance needs. Still, there are some commonalities instilled by the best compliance teams that can serve as a blueprint for C-level executives who want to figure out who owns company compliance.
Who should comprise the compliance team? Ideally, team members should come from every corner of the company.
That means getting expertise in key compliance areas like legal, tax and finance accounting, communications, human resources, and technology.
Either working internally or as partners to a third-party compliance provider, a collection of individual talent from different parts of the firm can help cover all potential areas of risk within the company. That strategy also reinforces the theme that it’s the entire company – and not just a compliance officer – who owns compliance.
Inserting compliance into the corporate culture. A formidable compliance team should be able to sell the importance of good risk and regulation management throughout the entire company.
By spreading the word that everyone at the firm has a stake in ensuring complete compliance with all government regulations and building a company-wide culture that promotes a solid ethical standing, the compliance team can further shine a spotlight on total company ownership of compliance, one staffer at a time.
The team shares a single compliance communications policy. A good compliance team knows how to spread the word throughout the company that everyone in the firm has a stake in compliance ownership.
That process starts with the creation and approval of a company-wide compliance policy that establishes a general rule of conduct for everyone – from the accounting intern to the chief executive officer.
This policy should cover specific issues that may become everyday occurrences if ignored (things like hiding information unfavorable to the firm or potentially unethical actions against business partners and competitors).
Cementing Company-Wide Compliance Ownership
Once the documented policy is set in place, the team can then establish points of contact for reporting unethical or illegal actions and set out the penalties that will apply if a company manager or employee commits a serious infringement on the job that could threaten the entire company.
“By being transparent and open in communicating a compliance policy owned by everyone in the company, the compliance team can set the company-wide ownership standard needed to stand firm on corporate compliance,” said John McCarthy, BSA/OFAC Officer at Bank of Hope.
If that sounds like an “all hands on deck” approach to company compliance conformity, then you’re on the right track.
Done right, compliance team building really does mean that ownership has its privileges.