As seen in Bloomberg Law
For compliance leaders, navigating today’s regulatory landscape might seem like playing a game with constantly shifting goal lines. And these changes will likely continue as the current U.S. administration pursues its plans to pull back various regulations on businesses.
While meeting new compliance requirements will be a short-run challenge that will require greater agility, compliance leaders will also need to focus on the future, working to continuously improve their compliance programs and foster greater alignment with their business strategy.
At the same time, stakeholders across the organization are seeking to increase the effectiveness and efficiency of their compliance activities while cutting their cost, to further compete in an expanding digital and automated world.
What follows are the top five areas where compliance leaders need to focus to meet the challenges this year and beyond. Investment in these areas will allow organizations to identify and respond early to shifts and trends, enabling business, risk, legal, technology, and internal audit leaders to move beyond compliance to create value.
Culture is the foundation of compliance, and it is jumping to the forefront of Board and executive agendas across all industries, prompting evaluations of their culture and a commitment to refinement enterprise-wide.
Senior leadership, in conjunction with compliance and human resource (HR) personnel and line-of-business executives, must establish and drive culture into all facets of the organization. This includes everyone from the highest-level employee to entry-level staff. Subcultures that do not align to the desired compliance culture must be weeded out.
Even in this current environment where organizations are automating more and more compliance processes, and further integrating their efforts, culture remains the number one preventive control. To be effective, including in an increasingly technological world, compliance leaders must bring compliance to life for their employees, encourage a speak-up mentality, and enhance employees’ accountability for compliance.
To achieve this, collaboration with HR should take place to identify practical ways to build compliance responsibilities into the employee performance evaluation process and to address any potential barriers. By incorporating compliance into the employee performance process, including the awarding of bonuses and pay raises to those employees who are ambassadors of the compliance message, organizations reinforce the message that compliance counts, and that employee actions must align to the organization’s culture and values. But compliance must also be woven into disciplinary protocols, requiring actions, such as warning letters, pay cuts, or even termination, for those who fail to act in accordance with compliance requirements and the culture.
In this area, it seems there is still work to do. According to a KPMG survey of chief compliance officers (CCOs), 39 percent said that they do not factor, or do not know whether they factor, employee compliance with policies and procedures into performance and compensation evaluations.
But instilling the importance of compliance into the rank and file is only part of the compliance culture equation. It’s also critical that disciplinary and incentive standards be consistently applied to high-level employees and leadership. Failure to do so sends the undesirable message that seniority and success can exempt you from following the rules, and undermines the culture of compliance.
Imparting a stronger sense of accountability among employees can also mean the organization will have to make some tough decisions to reinforce the compliance culture. Here are a few examples:
Regulators are increasingly spotlighting the need for operational integration within a compliance risk-management program. “Operational integration” means incorporating compliance into the business processes and into people’s daily performance of their job duties.
Integrating compliance into the business operations improves the likelihood of an organization detecting a broad range of issues—from fraud, sanctions, theft, or asset misappropriation to cybercrimes and corruption. This is because integration positions organizations to access and aggregate data enterprise-wide, thereby enabling a more holistic evaluation of compliance risks, which may stem from the organizational culture, specific jurisdictions or business units, or other parties (such as employees, vendors, and suppliers).
Operational integration facilitates a more tailored, concerted and consistent approach to risk management. In addition, integration can result in:
For integration to work, however, it needs to involve functions from across the entire enterprise, including HR, finance, legal, technology, procurement, and marketing. While many of these functions may not have traditional compliance roles and responsibilities, their position within the organization allows them to observe and offer information regarding gaps, weaknesses, or strengths in the organization’s compliance program.
Some organizations find that a more centralized governance approach or a hybrid approach to managing compliance is best. This involves centralizing key compliance activities and processes at the enterprise-wide level. In this way, silos are broken down and information can flow more freely, greater consistency in controls and processes across business units can be realized, and a more cohesive approach to compliance can be implemented.
Intelligent automation is increasingly being used by organizations to automate routine tasks, increasing efficiencies and lowering costs. As technological advances occur, organizations are starting to pivot from initial automation efforts in operational processes to compliance ones.
Automation helps compliance leaders respond to growing regulatory expectations, while reducing compliance costs, increasing enterprise-wide coordination, and contributing to more agile business strategies. It can be applied to cybersecurity, monitoring and surveillance, regulatory change management, regulatory reporting, third-party risk management, and importantly, the development of predictive analytics.
When looking to automate processes, it’s essential to have an overall plan and determine which processes are best to automate and in what order. Here are some important considerations when identifying compliance activities to automate:
Despite offering many benefits, new technology also has its own risks—such as algorithmic bias and insufficiently robust data. To have a successful implementation and rollout, organizations should embed their risk and compliance frameworks up front in the design phase of their automation technology implementation, and then revisit their effectiveness continuously throughout the lifecycle of their transformation and thereafter.
As stated at the beginning, the compliance landscape continues to change. Therefore, regular compliance risk assessments, that not only ensure that regulations and internal requirements are being met, but which also survey the regulatory landscape proactively for future changes, are critical. Unfortunately, many CCOs are unaware of the effectiveness of their current state risk-assessment process, much less monitoring and tracking potential changes that could be quite impactful down the line. KPMG’s 2017 survey of CCOs found that 24 percent of respondents either said that their organization’s risk assessment processes didn’t consider whether internal controls are designed appropriately and operate effectively or that they didn’t know.
The critical role of sound risk assessments in compliance risk management was reinforced last year when the Fraud Division of the U.S. Department of Justice released a guidance document, “Evaluation of Corporate Compliance Programs,” containing specific questions that organizations can use to evaluate their efforts. Among the questions are: does the organization have a “risk assessment”; what methodology is used; what kinds of information and analysis are used in the process; and how does the risk assessment capture “manifest” risks.
As regulations continue to change and compliance expectations increase, organizations will need to develop ever more sophisticated risk assessments to understand and assess how they are mitigating their existing compliance risks, to further evaluate risk trends, and to anticipate compliance risk that may arise in the future.
To bolster the value of an annual risk assessment process, compliance leaders should consider implementing the following:
Effective risk assessments that uncover compliance gaps and weaknesses are only part of the process needed to maintain an effective compliance program today and into the future. Organizations must also continuously improve their compliance efforts to ensure their control environment remains firm in the face of shifting goal lines (regulatory expectations and requirements and emerging risks) and is responsive to risk trends. Monitoring, testing, auditing, and investigations play a significant role in the compliance program life cycle and aid compliance leaders in identifying ways to further minimize misconduct and continuously improve. Moreover, regulators expect organizations to have a robust testing program and, in turn, for those results to be used in the continuous improvement of the program.
Compliance leaders ought to continuously assess their efforts, including their: