Navigating Compliance Concerns
 

Navigating Compliance Concerns

Posted on 10-31-2017

By: Terrance Oben OBEN LEGAL                                   

THIS ARTICLE DISCUSSES PRACTICAL STEPS THAT companies can take to successfully embed a positive compliance culture and outlines a proposed approach to developing and implementing a compliance program that can be used globally, regardless of industry or the size of your company.

Understanding the Compliance Risk Framework

As a core function of corporate governance, compliance plays an integral role in achieving an organization’s primary objective— maximizing shareholder value and protecting company assets. To achieve this objective, companies must deploy sustainable internal and external long-term strategies focused on enduring operational performance, while protecting the interests of their shareholders and other stakeholders.

What Are Compliance Risks?

Every organization is unique, and so are its costs for doing business. Generally, compliance risks can be viewed as the possibility of present or future loss/damage to an organization’s integrity because of a failure (or apparent failure) to comply with laws, regulations, or other applicable business standards. Therefore, compliance risks are business risks—because they require organizations to conduct business activities within a set of prescribed ethical and/ or legal boundaries. In the context of this article, damage to an organization’s integrity includes legal or regulatory sanctions, financial loss, and damage to reputation, market share, customer base, or contracts.

What Is Compliance?

Compliance is the process of turning compliance requirements into practical operational control processes.

Where Do Compliance Requirements Come from?

Litigation – Failures in Corporate Governance

Compliance requirements have largely been driven by regulatory scrutiny targeting business conduct across the globe, particularly in the wake of several significant corporate financial scandals and the financial crises of 2000 and 2008.

For example, in the early 2000s, the Enron scandal shocked the world when it was revealed that its executives and auditors had defrauded employees and shareholders for years by falsifying financial and accounting records that concealed billions of dollars of debt and failed deals. Enron’s eventual bankruptcy, along with other corporate financial scandals (e.g., WorldCom, Qwest) revealed the need for enhanced corporate governance and ethical conduct by corporations. As a result, the Sarbanes-Oxley Act of 2002 (SOX) was enacted to improve corporate governance by requiring enhanced accountability for public companies and the adoption of a code of ethics for their executives.

The underlying message from enforcement agencies is that companies must develop and implement truly effective corporate compliance programs—ones designed to prevent violations before they occur, or at a minimum, detect and stop any violation quickly.

The U.S. Sentencing Guidelines for Organizations

Over the years, the Federal Government through the U.S. Sentencing Guidelines for Organizations (Guidelines) has attempted to influence corporate behavior by establishing a structure that assesses monetary fines for corporate misconduct based on a specific formula. In essence, the Guidelines provide a potential for fine reduction for organizations that implement and maintain an “effective compliance and ethics program.” Although the Guidelines don’t counsel companies on how to establish an effective compliance program, they do provide a list of several elements that compliance and ethics professionals should ensure that their programs include. Historically, many companies have used these elements, or some form thereof, as a foundation for their corporate compliance programs.

Targeted Legislation

In addition to the Guidelines, legislation targeting specific conduct in the United States and abroad has also had a tremendous impact on influencing organizations to establish and maintain corporate compliance programs. Examples include legislation targeting bribery and corruption, cybersecurity, financial fraud, terrorist financing, and labor conditions. These regulations have compliance mandates to which organizations must adhere, thereby creating a need for adequate compliance programs.

How Should Your Organization Effectively Manage Compliance Risks?

Managing compliance risks within your organization does not necessarily need to be complicated, but it often is. This is primarily because duties related to compliance risk management usually reside with numerous teams working together across different business units, departments, regions, and divisions. In order to successfully address this complexity, you must clearly define the essential roles and responsibilities of each participant. This will lead to a more effective and efficient compliance program. The design and approach of the compliance program will be addressed later in this article.

How Would Your Organization Benefit from Implementing a Compliance Program?

A well designed and implemented compliance program helps a company to preserve and promote its corporate health and values. More specifically, the ultimate benefits of developing an effective compliance program include:

  • Preventing violations of law and the potential consequences of violations by:
    • Reducing conflicts of interest
    • Reducing fraud risks
    • Improving accountability
  • Reducing liability for misconduct
  • Improving company operations by:
    • Implementing stronger internal controls
    • Reducing errors in financial operations
    • Improving records accuracy
  • Building stakeholder trust
  • Increasing efficiencies and consistencies

What Aspects Should Be Considered When Designing the Compliance Program?

  • Size matters. The size and complexity of your company’s business activities may require differences in the design of your compliance program:
  • Small, less complex vs. firm-wide/multi-locational approach
  • Wide range of applicable rules and standards:
    • Be mindful of potentially conflicting laws across different jurisdictions (e.g., European Union limits on how much personal information data can be transferred across borders that could impact sanctions or anti-money laundering law compliance)
  • Geography matters.
    • Domestic, regional, or global operations
    • Cultural differences
    • Language difference
  • Incentives matter. Consider various types of incentives to identify those that will be the most compelling

Before the Program: Compliance, Governance, and Oversight

Compliance with applicable laws and regulations within a company is everyone’s responsibility and should be part of the culture of the company, not just the responsibility of dedicated compliance staff (see Compliance Department section below). That said, the company’s governing bodies (i.e., board of directors or equivalent bodies) and senior management play an essential role in encouraging all employees to behave ethically and laying the foundation upon which a company builds its compliance culture.

Therefore, a commitment to a positive compliance culture begins with a strong tone at the top from the most senior levels of the company’s management. This tone at the top should be cascaded to middle and lower management levels to help ensure the tone at the top is also the tone in the middle and the tone all the way down to junior employees. This tone should be established both on paper— through policies and procedures—as well as by example, through senior management actions (e.g., verbal emphasis of company’s commitment to compliance during business meetings, organization of a compliance summit for key compliance officials, department heads, and senior management).

A corporation’s governing bodies and senior management have the primary responsibility and accountability for establishing the organization’s objectives (i.e., the reasons the organization was created). Therefore, they must be the ones to define appropriate strategies to achieve those objectives and establish governance structures and processes aligned with those objectives.

Senior management must actively support and engage in the company’s compliance efforts and demonstrate that they take compliance seriously. Employees are likely to follow the lead of their superiors. Thus, when senior management sets the right example, compliance is perceived as an integral part of the company’s business activities. Since compliance risks are ultimately business risks, a culture of compliance is simply good business.

The suggestions below for the roles and responsibilities assume a corporate governance structure comprised of a board of directors and senior management.

Responsibilities of the Board and Senior Management

The first step in establishing your compliance program is to define senior management’s responsibility for managing and overseeing compliance risks within the company. This responsibility is typically shared to varying degrees among the board, senior management, and the corporate compliance department. Jointly they are responsible for establishing and implementing a compliance risk management and oversight program designed to prevent and detect compliance issues, while promoting a strong compliance culture.

The Board of Directors

The board of directors should take on the following roles and responsibilities:

  • Establishing an appropriate culture of compliance and requiring adherence to compliance policies within the company by:
    • Ensuring that the board is familiarized with the compliance risks and challenges related to the company’s operations
    • Promoting a culture that fosters strong ethical conduct and compliance with applicable compliance laws
    • Requiring that the company and employees conduct all activities in accordance with both the letter and the spirit of applicable compliance regulations
  • Obtaining senior management commitment by ensuring:
    • Management of the compliance risks in a manner that is consistent with the board’s expectations
    • Proper ongoing communication of compliance messaging throughout the company through policies, training, and in-person forums
    • The establishment of a corporate compliance department that has a prominent status within the company
  • Exercising oversight of the program by:
    • Reviewing and approving key program elements, policies, and projects
    • Overseeing management’s timely implementation of the program and resolution of compliance issues
    • Reviewing the effectiveness of the program at least annually

Note that the board’s oversight tasks may be delegated to an appropriate board-level committee, such as an audit committee.

Senior Management

Senior management should take on the following roles and responsibilities:

  • Developing and establishing an effective compliance organization with defined responsibilities for managing compliance risks
  • Carrying out the board’s expectation of embedding a compliance culture within the company by setting a good example, such as by demonstrating an understanding and consistent application of compliance rules
  • Supervising and overseeing the implementation of boardapproved standards for the company’s compliance risk management program
  • Reporting directly to the board regarding significant compliance matters and the effectiveness of the program
  • Enforcing standards and holding staff accountable for noncompliance
  • Ensuring the business and compliance departments are provided with adequate resources to fulfill their mission

Active management support empowers employees to speak up when improper conduct is suspected or identified, so that prompt corrective action can be taken.

The Compliance Department/Function

The compliance department is a core corporate department, just like Information Technology (IT), Finance, Human Resources (HR), or Marketing. It is responsible for developing and overseeing the implementation and maintenance of the company’s compliance program. Before developing the compliance program, you should ensure that your company has an internal corporate compliance department and have a good understanding of its structure. Some common structures include:

  • The compliance department within specific operating business lines, a specific region, or locally, for companies with international operations
  • Separate units for specialized areas like anti-money laundering and terrorist financing, sanctions and embargoes, and data protection
  • The compliance department as one unit

Additionally, as there is a close relationship between compliance risk and certain aspects of operational risk, some compliance responsibilities and activities may be assigned to other departmental units such as audit, finance, IT, HR, or monitoring and testing. In these cases, to ensure proper governance and management of responsibilities, the compliance department will need to incorporate appropriate controls within its structure to account for those risks.

Notwithstanding the structure of your compliance department (i.e., stand-alone, local, or within another business unit), an effective compliance department should always include the following characteristics:

Independence. The compliance department must be appropriately independent, both in its responsibilities and reporting lines. This independence facilitates objectivity in carrying out its duties, as well as avoids conflicts of interest that may arise as a result of proximity to the company’s business lines. Some common factors contributing to independence include:

  • Formal status within the company
  • Appointment of a head of compliance (i.e., General Counsel / Chief Legal Officer or Chief Compliance Officer)
  • Governance of compliance activities (only requiring compliance staff to take on compliance-related responsibilities or adopting additional measures to avoid conflicts of interest where this is not practicable)
  • Restrictions on incentive compensation of compliance staff that is related to business performance
  • Unfettered access to any employee, information, and/or communication necessary to carry out its responsibilities

Adequate resources. In addition, the compliance department should be allocated a ring-fenced budget to carry out its responsibilities. This means that its budget is autonomous, dedicated, and protected—not subject to external diminution by business lines.

Clearly defined internal responsibilities and reporting. Roles and responsibilities within the compliance department should be clearly defined. The responsibilities for all stakeholders in the business line and other departments that perform compliance tasks should be defined as well.

Depending on the size, risks, and structure of the organization, reporting lines should be appropriately structured to minimize potential conflicts of interest. Regardless of organizational structure, all company staff should have a clear understanding of appropriate escalation protocols. Best practice is an escalation protocol requiring any employee who suspects or knows of a compliance issue or violation to report this concern to the person to whom he or see directly reports. Importantly, it should be required that the compliance department be simultaneously included in any such reporting so as to ensure that the issue is addressed appropriately. This notification could go to a designated compliance individual or to a designated generic compliance e-mail address.

Subject to periodic and independent review by internal audit. Given the critical role that the compliance department plays in the company, it is important to ensure that the department is functioning properly. This can be accomplished by the periodic review of its operations by an independent group within the company, such as the audit department.

Developing the Compliance Program

All companies, regardless of size, industry, or business, should adopt a formal document (policy, procedure, or standards) that lays out the control framework for the company’s compliance program.

The naming conventions used for the compliance program elements discussed below are not prescriptive; neither are the number of elements. Rather they reflect common terminology used in practice. Whatever elements you choose for your compliance program, together they should create an integrated framework or cycle.

Leadership and Oversight

This element of your compliance program lays out the compliance department’s governance and organizational structure. The areas covered in the section should demonstrate the robustness of the compliance organization. This includes addressing independence, resources, roles and responsibilities, and reporting lines.

Be sure to include specific statements related to the following:

  • Clearly defining roles and responsibilities of the board, senior management, compliance function (add local and regional compliance if applicable), business unit/operations staff, and internal audit
  • Defining protocols for the organization’s senior and executive management to resolve or ratify compliance risk management issues
  • Establishing documentation requirements to demonstrate adherence to protocols and oversight
  • Stating how the company creates a culture of compliance, such as:
    • Expectations for employees to adhere to policies, rules, and standards
    • Compliance embedded in executive management routines and key communications
    • Compliance responsibilities as part of staff’s day-to-day activities
  • Ensuring the compliance department has an independent position in the company with the ability to enforce compliance policies across the organization
  • Ensuring the compliance department participates in key company committees
  • Developing an independent quality assurance (QA) program to monitor and oversee effective implementation of and consistent adherence to compliance standards
  • Establishing escalation and reporting protocols to report compliance risk matters through appropriate channels:
    • Regardless of organizational structure, all company staff should have clear understanding of appropriate escalation protocols. Best practice is an escalation protocol requiring any employee who suspects or knows of a compliance issue or violation to report this concern to whom they directly report.
    • Importantly, it should be required that the compliance department be simultaneously included in any such reporting so as to ensure that the issue is addressed appropriately. This notification could go to a designated compliance individual or to a designated generic compliance e-mail address.
  • Implementing compliance management routines to establish effective oversight of compliance matters
  • Establishing a framework for the review and approval of new business initiatives
  • Establishing a process for developing annual compliance plans (corporate, business line, or regional)

Regulatory Management

This element focuses on two things: (1) how you identify new and changing laws, regulations, and standards, including the associated process of communicating the obligations to the business lines and ensuring applicable policies and processes are updated accordingly; and (2) how your company interacts with regulators and coordinates regulatory examinations and inquiries.

Regulatory development assessment, notification, and response.

Start by assessing all regulatory updates received through any means (e.g., automated e-mail notification) to determine the applicability and impact to the organization. This process may involve internal consultation with other units (e.g., legal, lines of business, senior management) or with outside parties (e.g., regulators, outside counsel, or industry groups). Incorporate input and guidance from these consultations into the overall assessment of impact resulting from the regulatory development. Draft and send out regulatory development notices to required audiences (e.g., line of business, region, senior management). A regulatory development may require that the business line conduct an existing exposure review, make changes to existing policies/procedures, conduct internal training, or take other control action as appropriate.

Interaction and coordination with regulators.

It is important to designate a company point person who will manage interactions with regulators. This person is usually a member of the legal department. If a regulator seeks to conduct an exam or inquiry, legal staff will review the regulatory requirements and create a response plan. Compliance staff should also be involved in this process. It is imperative to have a good relationship with regulators; being responsive and organized, with clear company response protocols helps to achieve this.

Your compliance policy should also address:

  • Whose role/responsibility it is to assess regulatory development and address any needed regulatory response
  • The processes for monitoring, identifying, tracking, and reporting existing laws and any subsequent developments
  • Impact analysis processes, including appropriate mitigating controls
  • Processes to manage compliance targeted regulatory events (exams) and inquiries

Risk Assessment and Reporting

Compliance risk assessment is one of the key program components by which your company’s overall compliance risks are identified, analyzed, and measured. Therefore, it is important that a consistent approach is established. The effectiveness of your entire compliance program is driven by the results of the risk assessment as it helps to:

  • Understand the impact and level of compliance risks by the business lines
  • Facilitate the reporting of compliance risks to stakeholders
  • Form the basis for prioritization of resource allocation in the business and for annual compliance plans, including risk-based training, risk-based monitoring, and testing plans

The following steps should be taken:

  • Identify key compliance risks associated with business activities and regulatory requirements
  • Identify the business line processes, systems, policies, and procedures that define the mitigating controls
  • Conduct risk assessments of business units through evaluation of inherent risk and effectiveness of the controls
  • Develop a process for consistent measurement of inherent risk and assessment of controls within a defined residual risk matrix and completion of compliance risk assessments for each business unit
  • Communicate risk assessment ratings to key business stakeholders
  • Report on the management of compliance risks, significant issues, and key risk indicators
  • Report compliance risk within established categories and reporting hierarchies

Training and Communication

Once you have identified your company’s risk exposure, you can then take steps to promote staff awareness of those risks. Effective communication and training are critical to raising awareness and building a company’s culture of compliance. This, in turn, encourages employee compliance with policies and procedures necessary to implement the controls required by a compliance program.

Compliance training should be risk-based in order for it to be relevant and effective and should involve input from business line stakeholders.

There are generally three types of compliance training that you can implement. The best approach will depend on your company’s particular circumstances:

  1. Company-wide and cross-business line compliance training
  2. Business line-specific compliance training –or–
  3. Compliance department training for compliance staff

In either instance, regardless of the selected training approach, you should:

  • Conduct a compliance training needs assessment—to identify and evaluate the compliance requirements for employees:
    • Prioritize training and awareness based on risk evaluation (i.e., impact to business and risk assessment results)
  • Develop and communicate training plans to key business stakeholders:
    • Coordinate with business stakeholders on topics, audience, and delivery methods
    • Include a training strategy and a communications plan
  • Develop training content for training topics
  • Track and report on training completion:
    • Track and report training delivery, attendance, and noncompliance
  • Periodically evaluate the effectiveness of compliance training modules and awareness efforts through course feedback

It is important to consider the factors that are unique to your audience during the development stage of your training. Factors like geography and culture can greatly influence the way the training is received. For instance, the age demographic of staff, as well as other factors, at a start-up company may lead to a certain attitude towards compliance training and a certain rate at which they consume the compliance information. This could be completely different for a more mature business line. Thus, implementing the same training to both groups would be ineffective at achieving the desired engagement. The same can be said for different business industries.

Ultimately, to achieve high participation and retention rates, you should ensure that compliance training is relevant to the business unit being trained with respect to style, content, presentation, and tone. An easy way to achieve this is by involving relevant business stakeholders from the very beginning. Think of it as building compliance training for the business, by the business.

Policies and Procedures

Your compliance department should mandate the adoption and implementation of appropriate compliance risk management controls in the form of compliance policies and procedures reasonably designed to support compliance with applicable compliance obligations, business requirements, and industry best practices. Compliance policies are also driven by the results of the risk assessment.

The following policy management factors should be incorporated into this component of the compliance program:

  • Policy life cycle definition—creation, periodic review, approval procedures, communication, recordkeeping, and archiving
  • Form and content requirements—identification of regulatory requirements, risk rationale, controls, and accountabilities
  • Ongoing maintenance process

Monitoring and Testing

Risk-based monitoring and testing are critical elements of an effective compliance program. Monitoring and testing are necessary to evaluate whether compliance risk mitigating controls work as intended, and whether deficiencies are identified and addressed to maintain an effective internal control framework. The scope and frequency of these activities will be determined by the business impact and risk assessment results.

Compliance Monitoring

Compliance monitoring is defined as independent ongoing review of data, reports, and other activities to oversee compliance with regulatory obligations. Compliance monitoring activities are one of the ways that the compliance department independently oversees processes that are implemented across the company for effective mitigation of key compliance risks.

Monitoring activities may include the following:

  • Surveillance (e.g., use of models, applications, and/or systems to review, analyze, and flag exceptions or items requiring further review on an ongoing basis)
  • Performance oversight (e.g., compliance department review of selected business line activity reports to evaluate process or performance issues on an ongoing basis)
  • Review, analysis, and trending of selected business and/or compliance scorecards (key performance or risk indicators) and supporting activities for changes or unusual trends (e.g., areas of the company identified as being higher risk should be monitored quarterly vs. annually)
  • Ongoing assessment of business activities such as completing pre-transaction or post-transaction reviews or other quality control or QA activities

Compliance Testing

Compliance testing is a risk-based, independent point-in-time review of policies and procedures, controls, or data sources used for managing compliance risk to assess the effectiveness of the compliance control environment.

In line with the annual compliance plan you established above, your company should also develop a rolling 12-month monitoring and testing plan. As monitoring and testing tasks involve business operations, input from relevant stakeholders should include business management, internal audit, and compliance staff.

In general, implementation will involve careful consideration of the following:

  • Definition of owners and governing process (i.e., what person or business unit owns which part of the implementation process for which they will be responsible for responding to questions, etc.)
  • Development of a communications strategy
  • Conducting a gap assessment (i.e., ensure that each business unit is equipped to implement the compliance program and assess current protocols vs. what the compliance program prescribes. This may require negotiating an appropriate solution—there must be agreement on the ultimate implementation plan regarding timing, responsibility, etc.)
  • Defining business change requirements (i.e., based upon the gap assessment, determine what costs, human resources, etc. are required to achieve compliance.)
  • Building and deploying the implementation plan
  • Defining and developing technology solutions (e.g., a project management tool may assist with implementation)
  • Measuring, reporting, and tracking (i.e., metrics reflecting the success of the implementation. Set clear goals for each business unit and corresponding progress reporting expectations to ensure implementation stays on track. The above technology solutions may assist with this process.)

What this looks like for your company will vary. Ideally, you want a phased approach with a pre-determined timeline. Below are highlevel aspects of an implementation guide to help you as you consider what yours should entail.

Purpose. A simple purpose statement is helpful to those stakeholders not familiar with the project. The purpose statement accomplishes three things:

  • Introduces the underlying program being implemented
  • Provides a high-level description of the underlying program
  • Explains the goal that the structured implementation guide seeks to accomplish

Scope. The guide should clearly identify the group or groups of employees or entities responsible for implementing the underlying program.

Roles and responsibilities. Because there may be numerous teams responsible for the implementation of the program, or parts of it, the guide should clearly define the roles and tasks for which each of these groups is responsible.

Communications strategy. The teams involved must carefully craft a plan for communicating both the principles of the underlying program and its implementation aspects to the rest of the company. Communication is key to keeping everyone apprised of the change process, as well as its impact and company expectations. That way, all stakeholders understand their roles, their commitments, and implications for inaction. The communication phase should be ongoing, not limited to a set period of time (e.g., weekly communications to company employees highlighting compliance risks). At a minimum, the communications strategy should consider what communications are needed, the method of such communications, and the intended audience in each case.


Terence Oben, Esq. is Managing Counsel at Oben Legal in New York, NY. His practice focusses on corporate governance, ethics, and compliance, assisting domestic and multinational organizations in a variety of industries design, develop, and implement programs and strategies that ensure decision-making, resource allocation, and business activities are aligned with appropriate ethics and compliance considerations for the organization's circumstances. Mr. Oben designs a variety of management mechanisms and tools that organizations use to operationalize legal requirements and integrate ethics into practices. www.obenlegal.com


To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Practice Notes


For an outline of a proposed approach to developing and implementing a compliance program, see

> CREATING A COMPLIANCE PROGRAM CHECKLIST

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Checklists

For an overview of the risk assessment process, see

> RISK ASSESSMENT

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Practice Notes

For a list of the documents that are needed in order to conduct the risk assessment process, see

> CHECKLIST - INFORMATION AND DOCUMENTS TO REVIEW IN A RISK ASSESSMENT

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Checklists

For a high-level listing of topic categories to review when conducting a risk assessment, see

> CHECKLIST - POTENTIAL TOPICS TO REVIEW IN A RISK ASSESSMENT

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Checklists

For a framework of the interview questions that should be asked during the risk assessment process, see

> CHECKLIST– 15 SAMPLE QUESTIONS WHEN PERFORMING A RISK ASSESSMENT

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Checklists

For an explanation of the seven core elements that must exist in order for a compliance program to be deemed effective, see

> US SENTENCING GUIDELINES – BENCHMARK FOR AN EFFECTIVE COMPLIANCE AND ETHICS PROGRAM

RESEARCH PATH: Commercial Transactions > General Commercial and Contract Boilerplate > Compliance Programs and Risk Assessment > Practice Notes