When the Board Comes Calling About Compliance: A Risk-Intelligent Approach

When it comes to compliance risk, board members know the drill all too well. Every six months or so, they receive a new report indicating that everything is mostly under control.  So it’s no wonder they’re surprised when a compliance issue blows up – and it’s no wonder they’re asking tougher questions of compliance executives with every passing quarter.

As regulatory oversight continues to grow, the challenge of dealing with compliance risk will only become more pressing.  It’s not just an item on the agenda – compliance is its own agenda these days.  Given the pace and scale of change, both compliance executives and boards are increasingly concerned that old, reactive ways of managing compliance may cause them to fall behind the competition — or leave them exposed to new regulatory and reputational risks.

If your organization is looking to increase its Risk Intelligence quotient through full-spectrum compliance, three broad areas will command your attention:  Environment, execution, and evaluation.

Environment: Bring out the magnifying glass.

In general, industry, geography and emerging issues are the most important areas for assessment when it comes to compliance risk.

Industry.  Companies in the same industry, of roughly the same size, may be facing very similar compliance challenges at any given moment. But when you’re looking to lead the pack, sharing the same strategies as your competitors won’t do. How can business leaders and board members establish a compliance strategy rooted in industry, without taking the exact same approach as close competitors?

Start with a measuring stick: What are our peers doing? How do we match up across key benchmarks? Then zero in on what the organization is doing differently (good or bad) today and what it should be doing differently tomorrow.

Geography.  Compliance issues extend as far as your products or services are offered and throughout the entire supply chain.  Adding to the challenge, different cultures have different ideas about what constitutes adherence and corruption. Also remember that this complexity does not stop at the country level. In the U.S., for example, different states enforce different regulatory guidelines, and cities and counties will often add more layers to suit their own requirements.

Emerging issues. It’s often those issues that no one anticipated which present the biggest challenges. But just because no one saw it coming doesn’t mean someone couldn’t have. Too often, compliance efforts are focused on the steady state of the business. Board members have a special responsibility to make sure their organizations are preparing for emerging issues as well.

Execution: Without it, nothing else matters.

Roles.  Ownership of compliance tends to disappear only a few layers deep into the organizational chart. As a result, employees in business and functional operating units may be performing compliance-related activities every day without knowing the potential consequences of not executing them properly.

Integration.  The benefits of a consistent framework and tight integration with the business can be significant in compliance risk management. But it’s not just about a smoother, less expensive approach. It’s about delivering more value to the business. Establishing enterprise-level management and communications standards can go a long way toward driving efficiency, control, and knowledge.

Growth.  Compliance fears should never override the pursuit of growth. But they must inform that pursuit at every turn:  when developing the business case, driving risk analysis, conducting due diligence, managing expectations, and contributing to decisions and strategies along the way.

Education.  Compliance executives and boards must understand how leadership is communicating expectations and values when it comes to compliance. It often takes a wide range of activities for communications to break through to the front lines.

Transparency.  Increased transparency about compliance — even about failures — can improve the trust that stakeholders have in the organization and its leadership. And it’s not just about avoiding fines and penalties. If everyone understands and shares the board’s vision for compliance, they’ll be more likely to make it happen.

Board oversight.  The rules of engagement must be clear, drawing a bright line between the roles of board members in providing oversight and those of the executives responsible for driving compliance activities. To monitor compliance effectively, the board should have open access to the Chief Compliance Officer.

Remediation.  Many regulators (not to mention the Federal Sentencing Guidelines) recommend or require proactive measures. It’s the right thing to do – and it’s often the law.

Evaluation: What gets measured gets done.

Risk assessments, ROI analysis, and monitoring are the three primary levers executives can use to help determine that the right level of effort is going into evaluation initiatives.  Each covers a different dimension of evaluation.  Taken together, they provide a full-spectrum view of program effectiveness.

Risk assessment.  How can board members be confident they’re getting reliable answers to tough questions about compliance risk assessments?  Ask to see your company’s risk register. This catalog of existing and potential compliance risks specific to the organization can ultimately serve as a framework for prioritizing risk at every level.

ROI analysis. To determine ROI, boards must first understand how much has been invested and what is being gained. While it may not be realistic to achieve a perfect view of your organization’s compliance activities, establishing the scope of compliance is a good place to start. Next, gain agreement on the KPIs and KRIs you should have in place.

Monitoring.  Monitoring can help uncover instances where compliance has gone awry. But just as important, it can be used to examine compliance processes as part of a continuous improvement effort. It’s also the smart way to stay ahead of emerging issues.

What should you do?

It may be tempting to focus on individual elements presented here, but don’t lose sight of the big picture.  Having that “full spectrum” view of compliance is the most effective way to serve as a catalyst for cultural change.

Another thing you can do is underscore the competitive power of excellence in compliance. Companies that master compliance risk management are often better positioned to break away from the pack. And in the final analysis, that’s what every compliance executive should be focused on.

For more insights on the key components of enterprise compliance, download Deloitte’s new book, Enterprise Compliance: The Risk Intelligent Approach.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

About the Author

Donna Epps

Donna Epps, DeloitteAbout the Author
Donna Epps is a partner in the Forensic & Dispute Services practice of Deloitte Financial Advisory Services LLP, the national leader of the Anti-Fraud Consulting group, and co-leader of Deloitte’s Governance and Risk Management practice.

Donna brings a wide range of client service experience to her insights on governance and risk management issues, including 20 years of auditing public and private companies, carrying out regulatory filings with the SEC, and leading regulatory compliance examinations at the state and federal level. In addition, she has worked with the senior management teams of multinational clients in several industries including telecommunications, manufacturing, and oil and gas in conducting complex, multi-year restatements of financial statements, leading Sarbanes-Oxley preparation projects, and providing merger and acquisition related services.

Her current focus is in proactive risk services and enterprise risk management. She works with companies to become risk intelligent with a focus on value protection and value creation.

Donna received her Bachelor of Business Administration degree from Texas A&M University.

Donna can be contacted via email at depps@deloitte.com.

Donna contributes to the regular column Your Risk Intelligent Enterprise™ for CCI with Henry Ristuccia and Rob Biskup.

As used in this document, ‘Deloitte’ means Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, and Deloitte Tax LLP, which are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.