Even the best companies, with a culture that flows from the top and oozes a commitment to compliance, will make mistakes. We’ve all seen it, time and again, in the papers.
But some avoidable mistakes are made more often than others, and that is the focus of this discussion. These are the five mistakes I have seen frequently.
Considering compliance the responsibility of the chief compliance officer (CCO), then compounding that mistake by failing to give the CCO the resources necessary to do the job.
While we all know that compliance is everybody’s responsibility, especially executive and operating management’s, too many executives think that they should let managers focus on results and that compliance is only a staff function. Instead, they should instruct management that they are responsible for both results and compliance. The role of the CCO is as a mentor and coach to help them understand applicable laws and regulations and comply with them every day.
Companies compound the error by asking a busy member of the legal team to take on added responsibilities as CCO with little or no budget. While experts will differ on whether the CCO should report to the general counsel or be independent, all will agree that it should be a full-time job with the resources to work with management, help them ensure compliance, and then monitor to confirm that compliance measures are effective.
Scattering compliance activities across the organization.
In any company of size, it is likely that multiple parts of the organization will have to comply with the same laws or regulations. To optimize both the effectiveness and efficiency (i.e., cost) of compliance, it is important to coordinate common activities, share best practices, etc. But that is often not the case.
Some years ago, I was the executive responsible for internal audit at a large global corporation. We ran multiple factories in China, each of which had to comply with the same Chinese customs regulations; these are somewhat complex and require automated reporting. But, our various factories belonged to different operating units and, for whatever reason, decided to address the requirements totally independent of the others. As a result, no single factory was able to find the budget to hire a recognized expert. They relied instead on accountants who had attended a training class, and each acquired a different computer system.
The result was non-compliance, fines and business disruption at a number of locations.
When compliance activities are not coordinated, there is also a high likelihood that something will fall “in between the cracks.” The answer is not moving everything under the CCO (see point #1), but ensuring that responsibilities across the organization are understood and activities are coordinated.
Failing to communicate in the language of the business.
One of the most critical mistakes is publishing the code of corporate conduct and other important policies, standards, and procedures only in English. It is essential that people can not only read but also understand these very important policies as they establish expectations for conduct and actions.
While many may have a ”passing grade” in English comprehension, that does not mean they fully understand what it means – especially when their experiences and the culture of their youth is different. This is especially true in nations where there are different standards when it comes to bribes and other inducements.
Training also has to be in a language and form that is tailored to individuals across the world. What will work in the U.S. or Europe may not be effective in Vietnam, Japan or Libya.
Being satisfied with mediocrity.
There are some aspects of corporate compliance, such as the Sarbanes-Oxley (SOX) program, where a focus on continuing improvement after achieving effective compliance can reap significant benefits.
Most corporations have been able to report for a number of years that they have effective systems of internal control over financial reporting. But, once that was achieved, their focus on the SOX program diminished. While they may have had one or two initiatives to optimize their scope and minimize the cost, they became satisfied and complacent with its current state.
However, studies find continuing to streamline the program to be top-down and based on the risk of a material misstatement of the financial statements can trim costs in the seven figures – even in mature programs. These savings can then either flow to the bottom line or be used to enhance other (especially compliance) activities. For more on common mistakes in the SOX program, see this discussion.
Continuous improvement in compliance programs is an essential ingredient to success. Not only may conditions change, requiring adjustments to the program, but technology is improving at a tremendous pace – offering significant opportunities to enhance the effectiveness and efficiency of compliance activities. Just because it is working adequately now does not mean it can’t and shouldn’t be improved.
Failing to integrate performance, risk, and compliance.
Failing to comply with applicable laws and regulations may represent a significant risk to the company and its ability to achieve its objectives. Compliance is frequently not given sufficient consideration when it comes to establishing corporate objectives and strategies. Instead, compliance is an after-thought, leading to higher costs and a greater risk of non-compliance.
In fact, if an organization wants to optimize performance, all risks to the business and the achievement of its objectives need to be considered when establishing goals and strategies, and then executing on them to deliver optimized performance.
Unfortunately, risk management and compliance are often managed in silos. The companies who have greater success over the long term are able to combine discussions of risk and performance, and consider compliance early in the strategy and planning processes.
Compliance is never easy and even the best make mistakes on occasion. But we can learn from our own and others’ mistakes – and not repeat them.
About the Author
Norman Marks, CPA, CRMA, is vice president, governance, risk, and compliance for SAP’s Business Objects division and has been a chief audit executive of major global corporations for more than 15 years. Norman is also an OCEG Fellow and Honorary Fellow of the Institute of Risk Management.
Norman contributes to the professional field through his activities in support of the IIA and ISACA, articles in various publications, and membership of periodical review boards (including the Internal Auditor, ISACA Journal, CAE Bulletin, and EDPACS). He is also the contributing editor to Internal Auditor’s “Governance Perspectives” column.