Corporate compliance and enterprise risk management are two closely inter-related spheres. A company’s risk management program would be incomplete without covering compliance risks and without using compliance tools to mitigate risks. On the other hand, compliance management is a critical component of risk management. This is recognized in COSO’s integrated Enterprise Risk Management framework, which specifically includes compliance objectives – ensuring that integrity and regulatory compliance are achieved – alongside strategic, operations and reporting objectives as the key pillars of a corporate risk management program.
How a problem is approached determines how it will be solved. As such, looking at compliance as an integral part of risk management, and at risk management as an integral part of compliance, helps companies to address a number of things they tend to do wrong in compliance. Here are five:
1. Not focusing on what matters most
Compliance resources are limited, while requirements often seem endless. To put their limited resources to best use, companies need to focus on what matters most. This can be achieved by adopting a risk management approach: (1) map out the legal and statutory requirements with which the company needs to comply across its activities and businesses; and (2) assess the risk of non-compliance for each one. What is the probability of a breach of compliance occurring and what would be the effect on the company’s reputation or legal standing if it occurs? Each company faces a different set of risks depending on its business model, industry, and geographic footprint. Assessing the relative risks of non-compliance will allow a company to prioritize its attention and resources to those areas which pose the greatest potential exposure to the company. This should be done explicitly across all of its business functions, and involve the risk owners within each functional area and business unit. This should be an on-going exercise, and periodic updates are required to address any changes in compliance requirements and the overall risk environment. A risk management approach will also provide comfort to those who will ultimately have to answer for any important failure in compliance.
2. Not integrating compliance into the company’s risk management program and business operations
The flipside is that risk managers should incorporate compliance risk into their risk assessments and risk management program. Non-compliance can often represent a significant risk to the business. The management of this risk needs to be integrated into the business functions. It is the compliance team’s job to help the business functions to incorporate risk management, but it is the business functions that ensure compliance via their day-to-day operational activities. Making the risk of non-compliance clear to everyone in the business, and particularly to risk owners, keeps it in front of those best positioned to manage that risk. This can be reinforced by including compliance measures in performance management and remuneration.
3. Not providing a sufficient degree of independence
In many companies, the compliance role is subordinated to one of the functional areas, typically legal, finance, internal audit or human resources. This subordination distorts the compliance team’s ability to look across functions, and can subvert the team’s ability to objectively assess compliance within the respective business function. The discussion as to who the compliance officer should report to is a lively one and compliance may more naturally sit within legal than in other functional areas. That said, the compliance officer needs a strong degree of independence from those involved in the day-to-day running of the business and have a direct relationship with the Board. Additionally, it should have its own resources to apply to its duties.
4. Not seeking independent validation of compliance effectiveness
A compliance program can easily become stale and ineffective. A key component of compliance is continuous monitoring and review of business practices to ensure that the program is meeting its objectives. While it is the compliance team’s role to do this for the business functions, it is also important that the compliance program itself, along with the processes and team, are assessed periodically. This should be done by an independent party (ideally chosen by the Board) with input from the business and risk owners with whom the compliance team works. It should be done with reference to best practices for the industries and countries in which the company operates so that the program remains effective and addresses the most relevant current and emerging risks.
5. Treating compliance as a box-ticking exercise
Failure to set the right tone at the top regarding the purpose of a compliance program and to ensure that employees across the organization treat compliance as a critical component of a company’s risk management program as opposed to a pro-forma box-ticking exercise to satisfy the compliance office is one of the most common errors – and practices – in companies. Compliance for compliance’s sake creates a false sense of assurance. From a risk management point of view, a box-ticking mentality towards compliance increases the company’s vulnerability to the very risks a compliance program is designed to manage and ultimately puts it in a worse situation than not having a program at all.
Brian Weihs is Associate Director, Corporate investigations for Control Risks, based in Sao Paulo. He leads a team of consultants and researchers in providing both preventative and reactive investigation services, including reputational and integrity due diligence investigations; fraud and corruption investigations and preventative services; FCPA, anti-money laundering and other compliance services; business intelligence; litigation support and asset tracing investigations in Brazil and the southern cone of South America. Brian’s role includes regional development and delivery of fraud and compliance services across Latin America.