The Article below written by Philip Brennan, Founder & Managing Director Raiseaconcern.com will be published as part of the title “Yearbook of Global Ethics, Compliance & Integrity” published by the German publisher “Deutscher Fachverlag – dfv” in October 2018.
The Article is a summary of an address given by him to the 4th Viadrina Compliance Congress in 2016, hosted by Europa University, Frankfurt (Oder) and organised by the Viadrina Compliance Centre and the Compliance Academy.
The Editor asked me to summarise my presentation to the 4th Viadrina Compliance Congress on 6th July 2016, hosted by the Europa University, Frankfurt (Oder) and organised by the Viadrina Compliance Centre and the Compliance Academy.
It was a privilege to be invited to speak in the company of such distinguished fellow speakers and attendees. The congress was an unquestionable success.
Culture of Compliance
Let me start by sharing some introductory views on creating an appropriate compliance culture. These are personal views, based on my experience.
When I refer to compliance, I mean not just regulatory compliance, but also business ethics.
Tone from the top
Let me start with ‘tone from the top’. There is no question in my mind that the predominant recipe for successfully implementing a strong compliance culture is having clear, frequently expressed and unequivocal support for compliance from the board and senior management team of the parent organisation. This must permeate to boards and senior management of subsidiaries, particularly in countries and cultures different to the parent. If employees do not detect this endorsement (and employees do detect these things) no Compliance function, no matter how good it is, will successfully inculcate a strong compliance culture.
Words, however, are not enough. Directors and senior management must not only speak positively about the importance of a strong regulatory compliance culture, they must also act, and be seen to act, as they speak (e.g. by refusing to sell products unsuitable to a customer’s needs). They must ‘walk the talk’, so to speak.
During the discussion after my presentation, a conference attendee made the point that middle as well as top management must also set the right tone. I could not agree more. To junior staff, their line of sight often does not go beyond middle management.
Recruitment
Personal values must be a key attribute of staff recruited at all levels in the organisation, from board members, to management, to front line staff. Behaving appropriately and doing the right thing must run in the genes of everyone in the organisation.
Spirit vs. letter of the law
The Corporate Code of Ethics, the Code of Behaviour and all the Policies should focus not just on the letter of the law or regulation, but also on the spirit. Culturally, some countries struggle with this. Regulation cannot cover everything. If a product or practice does not ‘feel’ right, the corporate ethos should discourage employees from engaging in it. More and more stakeholders expect organisations to act responsibly as well as legally.
It doesn’t matter what competitors are doing
Boards and senior management should adopt a maxim that, where the actions of competitors offend their own compliance culture, those actions should not be replicated. There is often a strong temptation to set corporate standards by reference to what the competition is doing. This strategy is short-term and can result in a race to the bottom. Explaining that you were following the norm or the competition is not a defence when things go wrong.
Systems and processes
Regulation in financial services and indeed in many other industries is complex, extensive and ever-increasing. It is no longer possible to rely on human nature or human intervention to ensure that the organisation acts compliantly. A culture of compliance must be underpinned by systems and processes which automate, to the maximum possible extent, legal and regulatory responsibilities. So many of the compliance failures that arise are due not to deliberate action or inaction by people but to inadequate systems or, where human intervention is required, to human error.
Training and competency development
To embed a culture of compliance, organisations must strongly invest in training and competency development. This ranges from training on conduct and behaviour to technical training where employees need to know why and how to follow regulation.
The Chief Compliance Officer
I will speak more about this under the heading of governance. Suffice to say at this stage that the technical competence, ability to influence and independence of mind of the Chief Compliance Officer (“CCO”) are critical factors in developing and maintaining a strong compliance culture. The CCO should be interviewed by a board member and the board, not management, should ratify the appointment. He or she should be the ‘minder’ of the board and senior management on regulatory compliance matters.
Governance
Let me turn now to the second subject matter we are considering - that of an appropriate governance structure to ensure that an organisation maintains a strong compliance culture. Again, based on experience, I am going to identify what I regard as the key elements of such a structure:
Ownership of the responsibility to comply
Establishing ownership and the role, scope and accountability of all parties relating to regulatory compliance is really important. It should be clear to everyone across the organisation that the ownership of compliance rests, not with the CCO or the Compliance function, but with the board which bears ultimate responsibility and which, in turn, delegates this to senior management.
So the board must hold management accountable for acting compliantly, and the governance structure should position the Compliance function to act ‘schizophrenically’, as it were: on the one hand, advising and assisting management on how to act compliantly and, on the other, independently monitoring the standards of compliance being operated by management and reporting to the board/audit committee on this.
COSO framework
My preferred governance structure for oversight of compliance, for those of you familiar with it, is the COSO framework, or at least an adaptation of it, combined with the ‘three lines of defence’ model (usually attributed to the Institute of Internal Auditors). This involves three lines of defence – management in the first line (being primarily responsible for compliance), the Compliance function in the second line (advising on and independently monitoring and reporting to the board on standards of compliance) and Internal Audit in the third line (overseeing and reporting independently to the board on the effectiveness of operation of the first and second lines).
Positioning, composition and independence of the Compliance function
The positioning, composition and independence of the Compliance function are, in my view, a really important part of the governance structure of any organisation. Let me share a few thoughts on this:
· The CCO should be a member of the executive management team. He/she needs to be in a position of influence among senior management and should have unfettered rights to monitor and review what he/she considers necessary. The CCO should have a power of veto on certain regulatory matters.
· The CCO should report functionally to the Chief Executive Officer and independently and directly to the chairperson of the board audit committee. The board is ultimately responsible for compliance. Given that they have no role in the operation of the company, they must rely on management to assure them that the organisation and its employees are acting compliantly. However, they also need someone who understands the subject matter to validate management’s assurance. This should be evidence based and independent. This is the role of the CCO and the Compliance function.
· Staff of the Compliance function should have a firm knowledge, not just of regulation but also of the operation of the business – one is just as important as the other.
· The Compliance function should be proactive and solution-minded rather than acting as police officers.
· The CCO should be accountable for the Compliance function in all jurisdictions. Local compliance officers should not report to local management but to the enterprise CCO.
· The CCO should manage the relationship with all regulators.
Monitoring
Compliance should be regularly and independently monitored. Monitoring should be based on a risk assessment compiled independently by the Compliance function with input from management. Compliance officers should maximise the use of technology to identify areas of high risk.
Reward
A long time ago, I remember reading an article by Steven Kerr entitled “On the folly of rewarding A while hoping for B”. It sums up for me the importance of building compliance into the reward structure. Reward should be based, not just on financial performance, but on a balanced scorecard involving numerous measures, an important one of which should be adherence to compliance standards. Compliance should be a qualifier: in other words, if a manager or employee fails to meet the appropriate standard, or worse still, is found to have breached regulatory compliance or ethical standards they should, in my view, be disqualified from receiving any discretionary remuneration that year.
Employee Disclosure
The final key tool in the compliance governance toolkit that I want to cover is the whole area of employee disclosure.
Ensuring an organisation remains compliant is not an easy job for anyone, at board, management, Compliance, Internal Audit or regulatory level. Monitoring compliance is labour-intensive. No matter how good risk assessments are, tail-risks can pop up from nowhere. Problems can be latent in systems. Wrongdoing deliberately perpetrated by individuals can be difficult to predict and detect.
Employees are the ones who are most likely to know where “the skeletons are buried” so to speak – where the latent problems reside, where things are likely to “blow up”. Organisations, through their boards and senior management, should actively encourage employees to disclose concerns about wrongdoing and ensure that staff are regarded in a positive rather than a negative light for doing so. If a culture of employee disclosure is fostered, it can bring about a situation where every employee becomes a compliance officer, every employee engages in the monitoring of regulatory compliance and business ethics.
Creating the right culture here is of paramount importance. The identity of employees who make disclosures should, as far as possible, be kept confidential. Ensuring they are not penalised, even if their reasonable suspicion proves to be wrong, is equally important (save of course where the disclosure is known to be false and is made with malicious or malevolent intent). Following up on and addressing the issues raised, and giving feedback to the disclosers, are all part of the recipe for success.
Employees should be facilitated to disclose their concerns both inside and outside the organisation to a trusted recipient. The employer should focus on the concern disclosed, not on the discloser.
Ideally, employers will want employees to raise their concerns with local business management. However, this is not always practical or possible. For this reason, there should be a trusted internal confidential recipient for employee disclosures. This should, in my view, be the CCO in the home country.
Equally, there should be a trusted external confidential recipient employed by the firm to receive employee disclosures, to independently advise employees and to protect their identity.
If an organisation’s culture encourages and looks positively on employee disclosure, and if its governance structure facilitates it, it is an all-embracing, focused and cost-effective manner of monitoring standards of regulatory compliance – a key part of the governance toolkit in protecting the reputation of the firm, irrespective of the business involved.
Philip Brennan is founder and Managing Director of Raiseaconcern.com, a body which works with employers in the prevention, detection, investigation and remediation of workplace wrongdoing. He was formerly Group General Manager, Regulation & Compliance in AIB Group, Head of Group Taxation in AIB Group, Chairman of the Association of Compliance Officers in Ireland and President of the Irish Tax Institute.
Philip holds an MSc in Business Administration from Trinity College Dublin and a Professional Diploma in Compliance from University College Dublin. He is a fellow of the Irish Tax Institute, the Association of Compliance Officers in Ireland and the Institute of Banking.