Editor’s Note: This article was originally published on November 30th, 2009.
We are living in an era of increased regulation and renewed enforcement efforts, especially for public companies and for private companies in the industries associated with the 2008 meltdown. Governmental regulation and enforcement are typically reactionary in nature rather than proactive.
Could you imagine where we would be today if the mortgage origination industry and mortgage-backed securities had been regulated this decade?
Obviously there are costs associated with regulatory compliance and I am not suggesting that everything needs to be regulated to a high degree. What I am suggesting is that it is in every organization’s best interest to take seriously the need for a robust corporate compliance program.
The benefits of a strong program go well beyond regulatory and legal compliance to include operational benefits. A well-balanced corporate compliance program helps ensure that a company’s organizational structure, people, processes and technology work in harmony to manage risks, keep customers happy, grow the business, oversee vendors, and achieve numerous other goals. Perhaps many of the recent company disasters could have been averted with a robust program. It is always easier to look back on history and play “arm-chair quarterback”, but the beauty of a strong program is that it works proactively to avert failures and realize success.
This article identifies several elements of successful corporate compliance programs, but first let’s define a program and look at compliance within the realm of the bigger governance, risk and compliance (GRC) picture.
What is a Corporate Compliance Program?
A corporate compliance program is generally defined as a formal program specifying an organization’s policies, procedures, and actions within a process to help prevent and detect violations of laws and regulations. It goes beyond a corporate code-of-conduct since it is an operational program, not simply a code of expected ethical behavior. Clearly, a code-of-conduct is an important component of a compliance program and ethics remains the heart and soul of all corporate compliance programs. However, a comprehensive program goes further by applying the code to the specific risks of an organization and integrating measures to address those risks.
Some companies think of a corporate compliance program as strictly addressing external regulatory considerations. A more integrated approach also focuses on legal and internal compliance to mitigate the risk of fraud, and to reach strategic, operational, and financial reporting objectives. Think of a corporate compliance program as a magnet that brings all of a company’s compliance efforts together. It is essentially a codification of applicable regulatory and internal compliance requirements, as well as a roadmap to action. A comprehensive program helps position a company to avert disasters, meet objectives, and grow shareholder value.
Many organizations have components of a program in place. However, the question that must be asked is: are the components collectively maximizing organizational value, or wasting resources through duplicative efforts?
A company with bits and pieces of a program scattered across the organization, and operating in a complex environment, is greatly challenged from a cost-efficiency and effectiveness standpoint. Oftentimes regulatory processes are siloed, leading to a host of inefficiencies. While enterprise software can go a long way toward addressing these inefficiencies, it often comes down to organizational and cultural considerations to ensure an effective program across all significant risk areas.
For example, companies that have walked down the Sarbanes-Oxley (SOX) road may have extensive policies, procedures, and testing to assess the effectiveness of entity-level controls; however, are these efforts properly integrated with those for the FCPA, labor laws, PCI, etc.? Oftentimes, the same documentation and testing efforts can serve multiple legal requirements and company objectives, especially in the areas of entity-level and general IT controls.
Keep it Focused and Simple to Help Ensure Adherence
The more complex a corporate compliance program is, the more difficult it is to communicate to employees and stakeholder groups. Consultants and professional trade organizations have a field day with all sorts of approaches, frameworks, and models for compliance programs. This occurs because of semantics, multiple variables, and the inter-related disciplines of compliance. Compliance goes hand in hand with governance and risk management, otherwise known as GRC. It is very difficult to successfully isolate one without considering the other two.
For purposes of this article, let’s focus on the “C” in GRC, but, as you will read, this is not entirely possible since all three areas are highly interwoven in concept and practice. This occurs because each element of governance, risk and compliance encompasses organizational factors, people, processes and technologies that cannot, and should not, be viewed separately. With this in mind, let’s proceed knowing that governance and risk management are deeply embedded in any effective corporate compliance program.
10 Considerations to Help Ensure Effectiveness
There are certainly many ingredients and aspects to an effective corporate compliance program. One excellent source of information is Chapter 8, Part B, entitled Remedying Harm from Criminal Conduct, and Effective Compliance and Ethics Program, of the Guidelines Manual from the United States Sentencing Commission. These Federal Sentencing Guidelines set forth a minimum set of requirements for the development of an effective program to prevent and detect violations of law.
Here are some aspects that go into the making of an effective corporate compliance program. This list of ten considerations can be used as a checklist to see where your organization stands:
Each and every one of the above considerations should be built into the corporate compliance program. If your answer was not affirmative for any of these items, chances are you have plenty of opportunity to make your compliance program more efficient and effective. A lapse in any one of the above ten areas could spell “doom” for your compliance efforts. Don’t think of compliance as simply a regulatory necessity, but rather as a means of protecting your number one asset – your company’s reputation.
This is an article reprint from the Governance Issues™ Newsletter, Volume 2009, Number 4, published on August 5, 2009.
Ron Kral (CPA, CMA, CDMA) is the Managing Partner of Candela Solutions LLC, a public accounting firm with a national focus on governance, risk and controls. He has been an external auditor responsible for signing audit opinions and a divisional financial executive for a multibillion-dollar NYSE firm. Ron is an educator, advisor, and internal auditor. He has worked with over 200 clients as a Public Accountant, many through Big-4 firms.
Prior to forming Candela Solutions, he was a Principal Consultant with PricewaterhouseCoopers, leading performance auditing, internal controls and governance projects. Ron began his public accounting and consulting career with a California CPA firm as a Financial and Compliance Auditor, where he eventually led audit engagements as the Managing Director of a Southern California office and signed audit opinions.
Ron teaches professional education courses on accounting matters, governance, regulatory compliance, risks, SEC disclosures, auditing standards, and ethics. He believes in practical methods anchored in professional and regulatory standards, with a keen focus on growing shareholder value. Ron co-authored The Board of Directors and Audit Committee Guide to Fiduciary Responsibilities. He is a member of the AICPA, FEI, IIA and IMA. He served on FEI’s working group for the development of COSO’s 2013 Framework and currently serves on FEI’s working group for the development of COSO’s revised ERM Framework. Ron holds an MBA from Arizona State University and a BBA from the University of Wisconsin, Madison.