The expression “never a dull moment” could have been tailor-made to describe the ethics and compliance function and how it has evolved over the past decade or so. The well-publicized scandals that started to take place on the market (concerning, e.g., anti-money laundering or privacy non-compliance) led policymakers to pass sweeping legislation that called for increased regulation, greater transparency, and more rigorous scrutiny of corporations.
Suddenly, the ethics and compliance function found itself front and center, its responsibilities greatly expanded, and its activities integral to the strategic core of organizations struggling to keep public trust.
What has become abundantly clear is that when it comes to creating ethics and compliance programs, organizations today cannot afford to settle. “Good enough” is simply not good enough. Rather, organizations should continuously strive for “great.”
What separates a “good” ethics and compliance program from a “great” one? How does an organization’s investment in compliance and reputation risk mitigation systems and processes measure up against leading practices? While there are a number of factors that separate the “good” from the “great,” in our experience, five factors are key differentiators in the highest-performing ethics and compliance programs.
Tone at the top—The starting point for any world-class ethics and compliance program is the board and senior management, and the sense of responsibility they share to protect the shareholders’ reputational and financial assets. The board and senior management should do more than pay “lip service” to ethics and compliance. They need to empower and properly resource the individuals who have day-to-day responsibilities to mitigate risks and build organizational trust.
Corporate culture—A culture of integrity is central to any effective ethics and compliance program. Initiatives that do not clearly contribute to a culture of ethical and compliant behavior may be viewed as perfunctory functions instilling controls that are impediments to driving the “value change” of the enterprise.
Risk assessments—Ethics and compliance risk assessments are not just about process—they are also about understanding the risks that an organization faces. The risk assessment focuses the board and senior management on those risks that are most significant within the organization, and provides the basis for determining the actions necessary to avoid, mitigate, or remediate those risks.
The Chief Compliance Officer (CCO)—The CCO has day-to-day responsibility for overseeing the management of compliance and reputational risks, and is the agent for the board’s fiduciary obligations in this regard. A skilled CCO can create a competitive edge for their organization.
Testing and monitoring—A robust testing and monitoring program can help ensure that the control environment is effective. The process begins with implementing appropriate controls, which should be tested and ultimately monitored and audited on a regular basis.
Each organization can determine how far it needs to evolve—whether it wishes, in effect, to have in place a reliable compliance vehicle or a top-fuel racing model. As an organization moves along the continuum, much more becomes possible.
In addition to the above-mentioned factors, innovative technology provides an opportunity for solving regulatory challenges. A modernized compliance program that combines new technologies and new approaches, keeping both in alignment with enterprise goals, helps deliver richer and faster insights, drives efficiencies in compliance processes through automation, reduces costs, and offers foresight into emerging risk issues.
Role of in-house and externalized lawyers
The primary, formidable risks handled by in-house departments today involve legal compliance and reputation, and seldom originate in the legal function. General Counsels worry that most risks arise from activities and behaviors across businesses that are outside General Counsels’ control and without management visibility. They are concerned that even their upright employees may unconsciously breach a local regulation or set up some anti-competitive process that increases exposure to the business.
New skills, roles and responsibilities are required as legal and compliance departments move from reactive management of risk to risk-avoidance. People skilled in preventative and precautionary services are needed to fill these roles.
When it comes to outsourcing, purchasing patterns for legal services in the area of compliance are changing. In-house teams are looking for tech-savvy, integrated service providers who offer more than traditional legal advice.
It is clear that compliance faces challenging times ahead, with increasing internal and external scrutiny and an expectation that the function increasingly demonstrates the value it is providing. Compliance teams that start to take action now around the key areas identified will be better prepared to respond to these challenges and build on the capabilities and value their functions provide to the business in the future. However, moving along the compliance evolution continuum and unlocking the potential to create material and strategic value is a process, and Rome was not built in a day.
By Tarja Krehic, Partner, and Ivan Zornada, Partner, Krehic & Partners in cooperation with Deloitte Legal