Compliance management is a critical pillar of the industry and a consideration every program must take into account. On the one hand, compliance management is about overseeing processes and ensuring they flow through the business in a streamlined and effective manner. On the other hand, compliance management can be about the people: the talented individuals who dedicate their careers to ensuring powerful, global organizations are doing the right thing.
Let’s take a look at the most important resource a corporate ethics and compliance program has: the Chief Compliance Officer (CCO), leading the charge for effective compliance management.
I’ve long been bullish about the demand for compliance officers as the business world continues to become more globalized, more interconnected, more regulated, more transparent. Even if we don’t see huge growth in jobs with “compliance officer” in the title, we will see brisk demand for people who do what compliance officers do — building or administering programs that reduce the occurrence of regulatory violations and ethical misconduct.
So if that’s what a compliance manager is supposed to do, what are the skills or traits a person should have? We can identify four main categories.
Traits of Good Compliance Managers
Technical proficiency. A compliance officer needs to understand laws, rules, and regulations that dictate how a corporation should behave. Increasingly, he or she also needs to understand how technology can help to fulfill those obligations: which data to feed into data analytics programs, or what reports to pull from vast troves of data.
Business acumen. Even when you understand what the law requires and technology allows, you also need to understand how all those issues apply in a specific company. For example, it’s not enough to know what the Foreign Corrupt Practices Act (FCPA) prohibits; you need to know how those constraints apply to your organization, working with actual customers, resellers, business partners, and shareholders.
Leadership skills. Compliance officers generally run a team. Whole libraries have been written about how to cultivate talent, inspire direct reports, resolve conflict, and so forth. We don’t need to repeat those skills here, but we do need to acknowledge that compliance management requires them; a CCO won’t succeed otherwise.
Interpersonal skills. Beyond leading their own team, a compliance officer needs to navigate complex corporate structures: working with internal audit or HR, persuading sales to implement a new procedure, training new hires on ethics policy, and much more. That’s not leadership; it’s persuasion, which depends on an ability to build trust or rapport with others.
From Four Traits to Compliance Management
Those traits define what a skilled compliance manager does. That still doesn’t quite capture what compliance management is, and what compliance managers will need to do in years to come.
The word “management” originally descends from the Latin manus, which means “hand.” By the 1500s, the Italians had devised a related verb maneggiare, which means “to put a horse through its paces.”
That concept captures a lot of what we want to convey about compliance management. For example, horses do a few basic tasks: carry baggage, run a race, plow a field. Every horse is unique, and exactly what task a horse might do will vary endlessly. Still, if you take the basic steps of caring for the horse, demonstrating authority, and training it patiently, almost every horse could do what you need it to do.
Compliance management is a lot like that. The specific risks you face, depending on your organization’s business model, people, and processes — that can vary endlessly, too. You want to achieve several basic objectives such as better regulatory compliance or fewer lapses of ethical misconduct, but those are abstract ideas. Every compliance officer will need to identify the objectives specific to his or her own company.
Once you do that, however, achieving those objectives will depend on some mix of those four managerial traits outlined above. You’ll always need to understand the law, technology, and business operations. You’ll always need to lead subordinates and persuade peers. That’s success at compliance management.
Compliance Management Success Kit
There are many ways to define compliance management success. A declination by the US Department of Justice (DOJ) or Securities and Exchange Commission (SEC) in an investigation context is the absolute measure. In most cases, this happens only after the government’s detailed review of an organization’s compliance program, and the investigators’ conclusion that the bad act was isolated and not indicative of systemic issues. A program that survives this high level of scrutiny is a success by any measure – at least at that point in time.
Yet, if a company has not been subject to such an investigation, how can CCOs ensure that their established compliance programs are effective? How can CCOs guarantee that the company’s compliance processes can redeem corruption acts committed on its behalf? These considerations are best addressed as one takes on the CCO role, but it’s actually never too late to improve. In the author’s experience (former CCO, GC and Big 4 compliance consultant) there are certain steps that a compliance leader can take to fulfill these ends.
As the Chief Compliance Officer initially implements a compliance program, it is possible to be objectively successful: steering the organization from an initial risk assessment through the creation of related policies and protocols, conducting training and otherwise working towards putting in place the component parts of the applicable compliance standards (take for example the Foreign Corrupt Practices Act, US Sentencing Guidelines, or UK Bribery Act). However, success is harder to measure in a day-to-day context. Objective measures may be difficult to establish—either internally or through benchmarking, beyond the obvious completion of a given compliance project such as personally training all members of a high-risk group.
More holistically, given the demands of, and stress associated with, the CCO role, there is a gratifying element of success to be found in managing a dynamic, operationally oriented program that is: 1. focused on substance; and 2. not spending undue time on the “little stuff”—the more mundane aspects of program management (for example: identifying who still needs to take what training).
Compliance management success can thus be achieved by following four steps/guidelines that will give CCOs just that gratifying element to be head of a focused and dynamic program, tailored to achieve risk assessment, screening, training and reporting all at once. These steps encompass:
- Defining certain key terms and positioning the compliance role
- Collecting information outside office walls
- Preparing for foreseeable challenges
- Fostering a “Culture of Compliance”
Each step should act as a guideline for the work process of every CCO to achieve compliance management success and thus ensure that their companies stand the test of a DOJ or a SEC investigation. Now, let's look at the first step on the path of achieving compliance management success by dealing with how a CCO can ‘define key terms’ and ‘position the compliance role’.
Define Certain Key Terms, and Position the Compliance Role
The best-case scenario is you are welcomed with open arms as the compliance leader. The CEO’s introduction might sound something like: “This is Jane (or Joe) and s/he is here to keep us compliant. We want to underscore our commitment to compliance, and that will be Jane’s (or Joe’s) responsibility…” Well-intentioned? Yes, but do you and the CEO have a common understanding of what the scope of “compliance” extends to under the company’s particular facts and circumstances? What it means to be “compliant”? Or what your “responsibility” does and does not cover?
Define Key Terms
It’s critical that a common understanding exists among you, management and the Board concerning what “compliance” means in this case, and what your role is with respect to the company’s risk universe. Similarly, make sure that the organization at all levels understands that compliance is a shared responsibility, and that your obligations are to lead and manage the compliance program—but not to act as guarantor that the company is, in fact, fully compliant.
Position the Compliance Role
Parallel with appropriately educating your colleagues about the compliance side of things, broadcast early and often that you are there to support the business and to help drive good business. Change what may be the initial “cop” perception to “sales facilitator” and make sure that a cooperative rather than a hostile relationship is established between the sales and the compliance department. Go out of your way to say “yes”, if possible, and to take time out of existing processes that slow up the sales process. Valuable goodwill and acceptance can be generated by these visible signs that you understand that compliance is there to support the business, and not the other way around.
Now you have clearly defined key terms such as ‘compliance’ and made sure that the management, the sales department and other employees all take part in upholding a compliant status within the company. You have also managed to establish your role as a compliance officer, proactively contributing to a sustainable sales strategy. The next step is then to leave the office chair and get engaged with the staff and with other local stakeholders to make your risk assessments. Next week’s post will look closer at step two: namely, “Preparing for foreseeable challenges”.
The second step on the way to achieving compliance management success is all about engaging with the people who are exposed to potential risks. After having defined key terms and positioned the role, a CCO must also collect information and conduct assessments outside the walls of their office.
Get Out of the Office
The information that the CCO needs to effectively do their job is not all to be found at HQ or online. One best understands a higher risk operational scenario by spending time in that location with the company personnel involved and with other local stakeholders.
The relationships formed with company personnel through field visits “put a face” on compliance and demystify the role. Merely by offering a sympathetic ear and demonstrating HQ’s interest in a local colleague’s situation and challenges, the conversation that begins with “I wasn’t sure who to call” or “I didn’t feel comfortable using the company hotline” can result in a discussion containing significant information directly or indirectly involving compliance.
Peers met at conferences can be invaluable sources of ideas and trend data—often saving many hours of research or drafting time. Developing a network of informal sounding boards to contact from time to time on a data sharing or “let me bounce something off you” basis is especially helpful in complex situations or when trying to construct meaningful metrics.
One way to escape the office and to free up time that can be used for these higher value-add activities is to use an automated compliance management system. Software-as-a-service (SaaS)-based systems function as an automated ‘system of record’. The best of these solutions are integrated and have logical workflows that help manage key compliance tasks, including risk assessments, supplier due diligence, policy-signing and e-learning content distribution, and have built-in repositories for associated records.
The fourth and last step to achieving successful compliance management is to foster a culture of compliance.
The term ‘culture of compliance’ is now appearing with regularity in the policies from the DOJ, SEC and other enforcement vocabulary. These agencies have likely seen too many examples of companies asserting that they had an effective compliance program, but the review shows a “check the box” Band-Aid rather than a substantive program foundation.
So what does the term mean?
In the absence of an actual legal or standards-based definition, a common sense reference is that a culture of compliance exists within an organization when its shared and integrated values and attitudes place compliance with the law as an operational and strategic priority, as evidenced by the organization’s actions and practices.
As with other compliance topics that have a longer-term strategic aspect, it is important for the CCO to communicate with management about:
- What the regulatory expectation is, and what it means to the company
- How you, as CCO, intend to work towards a culture of compliance – doing what, and over what period of time
- What support from management will likely be needed – and how it is in their professional and personal best interests to emphasize and operationalize compliance going forward
If culture is defined as the attitudes and behaviours that characterize a group of people, then establishing a culture of compliance means setting the foundations of an organization in which every individual views compliance as an operational and strategic priority. Achieving this state will take many years for most companies, but it is as important to be moving forward on the path in identifiable ways as it is to actually achieve the ultimate goal.
3 Tips For Building Management Buy-In For Your Compliance Program
When chief compliance officers take a top-down approach, they are often met with resistance—it’s just part of human nature. This dynamic can be observed in politics and the workplace, families and relationships, and it’s an ongoing issue in compliance. Whether you’re putting together a new compliance program or trying to improve or update an existing system, you won’t get anywhere by trying to do it all yourself. A successful program requires management to actively participate, not just sign off.
Why Do-It-Yourself Doesn't Work
An organization’s management (as well as its board or other governing body) must take a variety of actions to demonstrate leadership and commitment to the company’s compliance management program. You need buy-in from other departments to run a successful program, and also have a duty to support them in ways that not only trigger continual improvement, but promote a corporate culture of compliance overall.
The compliance department, by nature of its functions, has to work and coordinate with the rest of the organization’s departments. Yet, this is sometimes not as straightforward as it may seem. Take, for example, rolling out a compliance training session: if you go to a manager in HR and tell them what their people are going to have to do for compliance training, they aren’t going to want to work with you, unless they themselves fully realize and accept the importance of the task. Buy-in is equally crucial when it comes to the financial team. Finance handles the financial records and manages the financial controls that are fundamental to demonstrating whether or not your compliance program is working. You need timely reports from the team, but as with HR, the finance team doesn’t work for you unless you have buy-in from the finance department.
3 Tips for Improving Participation
1. Ask for Advice
Solicit advice from all stakeholders. Remember, it’s not enough to just get other departments to sign off. They need to feel like they’re part of the process. The finance and HR departments might be a good place to start, but don’t overlook other business units.
2. Demonstrate Respect
When you sit down with other business units to discuss the compliance program, frame your questions in ways that show consideration and respect. One example might be, “I’ll need to get these reports from somebody on your team. How could we go about that in a way that’s going to be the least disruptive to your business unit?”
3. Create a Working Group
Having a working group makes it easier to include stakeholders as you develop or improve your program. Gathering these people together around a table allows you to get quick feedback and ask questions, such as, “If I wanted to change this procedure, how would it affect you?” or “How could we reach this goal without holding up your department?”
These conversations are greatly appreciated by other parts of the business, and have a big impact on the success of your compliance program.
When You Succeed in Getting Management on Board
When management is demonstrating effective buy-in to the company’s compliance program, they are ensuring the integration of the requirements of the program into the organization’s various processes. They candidly discuss the company’s reporting procedures for suspected and actual misconduct and encourage employees to make use of these. Managers emphasize the careful handling of such reports and ensure that whistleblowers will by no means suffer retaliatory action.
Effective management buy-in also means that management is committed to ensuring the independence of the compliance department and the allocation of appropriate resources to execute compliance-related operations. Management has genuine interest in the appropriate design and functioning of the compliance program of the company and ensures that it can achieve its objectives.
Management talk the talk by communicating company policies and stance on compliance both internally and externally, and walk the walk not only by conforming to the requirements of the compliance program, but also by supporting other relevant management roles to demonstrate their leadership in preventing and detecting bribery as it applies to their areas of responsibility.
It may all sound simple and tangible, but achieving a symbiotic relationship between the company’s departments is challenging. Hence the crucial element of management buy-in, also known as the tone from the top.
Leading the way on implementation and conformity to the company’s policies and procedures rubs off on employees, and as long as a company’s compliance culture is perceived as a process that every party contributes to upholding, the efficiency of your compliance program becomes indeed tangible.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.