Compliance has yet to adopt a proper management system to substantiate the critical role it plays. SEI’s Kevin Byrne discusses how, rather than continuing to raise compliance issues as they occur, CCOs should graduate to consistent, ongoing management-level reporting.
Compliance programs today are at an interesting crossroads. In 2004, the SEC adopted rule 206(4)-7, requiring all registered investment companies and investment advisers to adopt and implement written policies and procedures reasonably designed to prevent violation of the federal securities laws. Firms learned they had to review those policies and procedures annually for their adequacy and the effectiveness of their implementation and to designate a chief compliance officer (CCO) to administer the policies and procedures. Thus, the compliance program as we know it today was born.
Firms hired CCOs and tasked them with creating programs to protect investors and comply with federal securities laws. CCOs built their programs with the tools of the time – principally Microsoft Office – and while there is more experience to draw from, they largely continue to manage their programs the same way today. Policies and procedures are maintained in MS Word. Risk assessments are maintained in Excel. Communications are stored in Outlook. Documentation is maintained on shared drives or in SharePoint.
While other areas of the business have adapted to more advanced and/or integrated technology solutions, compliance has barely evolved. The trading function went from manual tickets, phone calls and paper blotters to order management systems (OMS) that capture all trading activity and allow for a consolidated view of all activity. The front office historically relied on each salesperson separately maintaining their own prospect information, preventing a consolidated view into the organization’s efforts. Customer relationship management (CRM) systems were developed to consolidate information across the front office, providing management with the reporting they need. Imagine today trying to assess a firm’s sales pipeline without a management tool such as a CRM or attempting to reconcile multiple paper blotters on a daily basis.
Adopting a Compliance Management System
In order for the C-suite to effectively oversee the compliance function and the activities of the CCO and not just meet for quarterly updates or when an issue arises, the industry must develop a new technology platform to manage the activities of the compliance program. Similar to an OMS or a CRM, compliance needs a compliance management system (CMS). This platform will integrate the various parts of the program – policies and procedures, risk assessments, testing, attestations, vendor due diligence, etc. – and include robust dashboards and reporting so management can at any point in time assess the health of their compliance program and their CCO’s performance. Without the appropriate management oversight, the risk of noncompliance could cause irreparable damage to the firm’s reputation and brand, not to mention possibly incur significant financial penalties from regulators.
In addition to overseeing the CCO, the C-suite should be demanding a CMS for two additional reasons:
- A CMS will make the compliance program more effective. A centralized system of all requirements, deadlines and activities with improved reporting will help compliance better connect the dots and spot areas of weakness.
- The C-suite needs to mitigate the key person risk of the CCO leaving or being incapacitated. Without a holistic management system, the documentation and evidence of the compliance program could be widely distributed with no shared or centralized knowledge of where everything resides. Clearly, transitions are more difficult when there is no central repository of all the elements of the compliance program.
It’s Time for a Compliance Revolution
In recent years, governance, risk and compliance (GRC) systems have been developed to help address this gap in management’s compliance oversight. By and large, however, those systems were born out of the internal audit functions at large corporations. While better than the MS Office versions of old, adapting those systems to investment adviser/investment company compliance has been a challenge. Compliance needs a system that is built from the ground up to address the intricacies of a compliance program, one that has connective tissue linking the various components of the program together.
It is time for the compliance program to evolve beyond its beginnings 15 years ago. The days of shared drives and manually creating reporting should be gone forever. Just because it isn’t a front-office, revenue-generating function doesn’t mean that compliance shouldn’t have the kind of management reporting system that has evolved in other departments across the organization. Management should be demanding such a system to allow them to appropriately oversee the CCO, and the CCO should be demanding such a system to make their compliance program more effective and efficient. It is time for a revolution.