For compliance departments that need to do more with less, it’s tempting to lean into automated systems. Compliance and ethics consultant and author Vera Cherepanova warns that focusing on numbers — and not people — can cause more damage in the long run.
With compliance teams around the world dealing with cost-cutting edicts from their employers, chief compliance officers face a tough question: how to cut costs while ensuring that ethics and risk management targets are met.
Many practitioners believe that homing in on data-based decisions across the board is the solution to the challenge, but in reality, every decision must be underpinned first and foremost by a risk-based, rather than data-based, approach. By keeping risk at the forefront of decision-making, organizations see far better results while still protecting the biggest risk of all — corporate reputation.
New ethics, compliance and reputational risks appear daily with companies facing ever-increasing regulatory obligations. However, while a global recession continues to hang over our heads, every department is being forced to examine its own budget. Compliance is no exception, but the crux of the problem for CCOs is how to do more with less.
Infrastructure and process
From the outset, CCOs must ensure that they have in place both the infrastructure and the processes to ensure reliable information is constantly being passed up the chain. This gives CCOs the confidence they have an accurate view of what personnel are doing throughout the organization, which allows them to zoom in on problem areas and take action as required. Clearly, the more thinly they are stretched, the greater the chance of mistakes.
The best ethics and compliance programs are tailored to individual company needs, but one thing they all have in common is a CCO with oversight of all the compliance and reputational risks facing their board. An understanding of the risks that are most significant to individual organizations enables them to decide how to avoid, mitigate or even remedy them. Taking a broad-brush approach, the most effective CCOs have robust systems in place to catch mistakes that might otherwise slip through the net.
Chief compliance officers operate in a complex legal, regulatory, social and economic environment. They are required to respond to rapidly emerging risks while keeping an eye out for everything from bribery and corruption to money laundering and cybercrime, using a series of frameworks as outlined below:
- Due diligence: Clear policies and procedures are predefined in a straightforward, easy-to-follow system. Having robust procedures to follow when due diligence inquiries emerge gives staff the confidence they need to tackle emergent issues. Cost savings might even be achieved by going one step further: using an automated system to organize and document the company’s due diligence activities can provide an even more secure safety net.
- Third-party risks: Clear procedures to monitor and audit third parties coupled with guidance on how to elevate third-party risks so the correct compliance, legal and business managers are able to review and respond to them directly are essential. Without compromise, CCOs must have a system in place that creates a pathway for employees to alert them of potential risks.
- Testing and monitoring: Robust monitoring systems provide an early warning system, which allows compliance professionals to identify potential compliance issues as early as possible. Without testing, flaws may take months or years to emerge, which explains why testing and monitoring programs are a regulatory requirement in industries like financial services.
- Document advice: A system for recording and documenting legal advice and counsel, including both written and verbal advice tailored to specific risks, as well as actual documentation of legal directions and resulting actions taken, is strongly advised.
Risks over data
Having established procedures will not catch every potential mishap, but they are likely to limit damage or at least reduce the potential severity of risk events. Systems can also help CCOs prioritize which risks need to be most actively managed. Some may choose to focus on testing and monitoring or employee training, while others may rely on the analysis of hotline statistics, transactional records, audit findings and compliance exception reports depending on where risks lie.
It can be tempting to compile vast quantities of data for the benefit of the board, data that supports your findings, to demonstrate the hard work of your team and illustrate how many checks have been made. However, by prioritizing risk over data, it may be possible to make some of the key cost savings that are required. By tapping into new technology and investing in automated tools that analyze data to sense risks through social media monitoring or surveys, some manual labor can be reduced.
However, while these tools can help isolate some risks, they are mere weapons in the CCO’s armory rather than services that offer a catch-all for compliance and ethical risks. For that, you need human oversight as well.
Lack of personnel oversight invites vulnerability
Compliance and ethics risks are a major concern in personnel management, as they can have significant impacts on a company’s reputation, financial stability and legal standing, and yet senior managers often don’t have enough oversight of what their junior staff are doing day-to-day.
Common examples of such risks in personnel management include:
- Discrimination and harassment: Hiring, promotions and terminations should be free from discrimination and harassment based on factors such as race, gender, religion, sexual orientation and disability.
- Privacy concerns: Personnel management activities often involve collecting, storing and sharing sensitive personal information about employees. Ensuring the privacy and security of this information is critical to avoid breaches and data theft.
- Conflicts of interest: Conflicts of interest can occur when personal interests of employees or managers clash with the best interests of the company.
- Unlawful retaliation: Personnel management activities should not include retaliation against employees who raise concerns about compliance and ethics issues.
To manage these risks, companies typically need policies and procedures in place to ensure compliance with relevant laws and regulations and to provide guidance on ethical conduct. Training employees and managers on these policies and procedures to promote a culture of compliance and ethics is also crucial for success.
Prevention always better than cure
It’s worth noting that even when the best systems are in place, senior management may still have little idea how their personnel are operating on the ground day-to-day. The high-profile example of Wells Fargo, where thousands of employees opened bank accounts without customers’ knowledge so they could reach sales quotas that would count toward bonuses, illustrates the importance of the compliance and ethics department.
It was certainly a costly mistake: Wells Fargo has not only been fined $185 million, but it’s also had to set aside $5 million to compensate customers it hasn’t already paid back. The moral of the story? Prevention is always better (and cheaper) than detection and rectification.
The key to preventing such a scandal is rooted in developing a strong ethical culture throughout your company. Employees need to understand that they will not be persecuted for speaking up and will be protected if they do so. In the case of Wells Fargo, many of those who complained or reported their colleagues for opening fake accounts were fired. Had there been swift investigation and processing of those whistleblower complaints, that scandal may have been uncovered much earlier, costing the bank far less both in terms of reputation and financial penalties.
Strong ethical culture
Corporate culture is defined from the top down, which means leaders must work hard to ensure they are setting the right tone. While the CEO is the figurehead to whom employees look for vision, guidance and leadership, the CCO plays a critical role as well. The CEO’s actions guide employees on how they should behave and what they will be rewarded or punished for, but the CCO must also be beyond reproach, standing up for what they believe in while almost overcommunicating their integrity and values.
While some enterprises may view compliance officers as gatekeepers, more successful organizations treat them as partners, collaborators and strategists. By providing guidance on what is permissible, compliance teams will be sought after for their trusted counsel and their approachability, which is what is required for them to root out risks and safeguard an organization and its reputation.
Whatever costs have to be cut over the year, personnel management must not be compromised. This area holds so much risk. Human error should never be underestimated. Neither should the power of monitoring and testing for those errors. Ongoing surveillance and analysis enable organizations to uncover potential compliance violations early. The best testing programs assess personnel operating at every level of accountability, allowing them to identify weaknesses early.
Reducing risk over the long term is ultimately about building and maintaining a strong ethical culture that is woven into the fabric of the company — a culture that cuts across all departments and teams. An organization with a clearly defined moral compass is less likely to drift when decisions impacting corporate reputations and integrity need to be made.