By Dave Curran, Global director of Risk and Compliance at Thomson Reuters
Highly regulated companies walk a very thin line: building the business while simultaneously meeting increasingly challenging – and constantly changing – regulatory requirements. The media has focussed much of its attention on the sabre rattling of regulators and the threat of individual liability for compliance executives.
A Thomson Reuters survey shows that more than 50 per cent of 2,000 financial services risk practitioners believe that their personal liability is increasing – leaving executives vulnerable. Sixty-four per cent of the survey respondents expect that regulatory regimes introducing individual accountability will be replicated around the world.
The reality is that there are very few indictments, let alone convictions, that target individuals at companies. Moreover, coercion, such as the threat of a notorious ‘perp walk’, coupled with the deluge of new regulations, has done little to modify bad behaviours.
When corporate bad behaviour surfaces today, it has global impact and dramatic repercussions on business. Volkswagen’s US November car sales were down 25 per cent from the previous year¹ in the aftermath of admitting that the German automaker outfitted approximately 11 million diesel vehicles worldwide with software designed to cheat nitrogen oxide emission tests. The company has set aside 6.7 billion euros ($7.1 billion)² to recall vehicles and deal with the scandal, and it plans to cut investments by one billion euros. Analysts estimate that the true cost of compliance, with fines and penalties, will surpass 10 billion euros.
Senior management, shareholders and even consumers are increasingly looking to compliance officers and the legal department to take ownership of proactive risk mitigation, especially when a company, such as Enron Corp, or a wide swath of an entire industry, such as the US banking sector, has contravened regulations. But lining up good people to manage compliance and risk is only part of the equation. And bringing in former federal prosecutors and government regulators does not immediately solve the underlying issues that lead to the high-profile hires.
What has worked for companies that stay out of the limelight is the direct linkage between mitigation and business building – moving compliance from the shadows to the front office and providing incentives for employees to do the right thing.
Challenge – do the right thing
People are coded to do the right thing, but often the culture of a company changes their chemistry. Corporate incentive programmes value short-term revenue and immediate gains more than long-term growth. A challenge for compliance officers is to put objective processes in place so there are no places to hide or cover up bad behaviour at any level in the organisation.
There is a misconception that managers and executives know what’s going on in an entire organisation and its discrete operations. But almost one-half of the participants in a Thomson Reuters personal liability survey reported that senior managers really don’t know what is going on in their business.
Noncompliant behaviour can rise to the top, but it often does not start there. With the exception of some high-profile cases, such as Enron’s, almost all enterprise corruption or scandal starts in mid-level tiers of organisations – not with top executives.
Command and control of any business operation often follows line of sight. Senior managers, executives and compliance officers need to be realistic about their ability to discharge their responsibilities. Rather than attempt to oversee everything, compliance professionals need to manage uncertainty and risk by creating attitudes of responsibility in business staff, visualising risk with business performance and creating processes to out bad behaviour.
In effect, compliance and risk mitigation strategies must be instilled in front-office workers and aligned with their business goals, such as business development, increasing profits and opening new markets. The front office must be constantly monitored for compliance and risk mitigation.
In most modern organisations, however, managing risk involves three separate lines of defence: front-office staff; policies and best practices; and audit. But like a third-rail transit system, compliance is treated as a method to keep the train on track and not as part and parcel of the conductor rail – the means of locomotion.
The three lines of defence must operate as one, turning a third-rail transit system into a monorail. The new three-in-one defence can be implemented with funding, incentives and technology (FIT).
FIT for compliance
The three-in-one defence requires sufficient funding for training and compliance programmes, proper incentives for front-office workers to do the right thing and technology to make corporate behaviour transparent to deter improper behaviour.
Funding
Compliance and risk professionals are typically not experts at getting funding. Today’s compliance executives must do more than passively interpret and apply laws and regulations. They must be business leaders, project managers and process engineers. Obtaining a deep knowledge of the business and its processes and technologies will arm compliance executives to persuade governing boards to commit resources to integrate compliance and risk mitigation programmes with lines of business as not just a best practice but also an urgent operations priority.
Compliance becomes an urgent priority when you measure its cost against the cost to the business of noncompliance. Measure the cost of an operation prevented from accomplishing its goals due to noncompliant behaviour against the soft cost of the compliance work needed to ensure proper performance. To get the necessary funding, compliance officers must harness the tools of their business counterparts – data, analytics, presentation tools, predictive modelling – so that risk mitigation is core to the business rather than simply a cost centre.
Incentives
To get employees to increase sales, develop new technologies, launch new products and the like, you create the right incentives. That same model should apply to motivating people to do the right thing – which will, in turn, strengthen business outcomes. Instead of spending on reactive posturing, after-the-fact investigations and the like, companies need to invest relatively small amounts to drive good behaviours.
When the industrial age became laden with regulations to protect workers, factory owners and managers soon realised that workplace safety reduced the cost of replacing injured workers. They adopted measures to ensure safety and promote safe behaviour. Workplaces prided themselves on the number of days without a workplace injury. Today’s front lines of business need to do the same – ‘365 days without a major government investigation’.
Workers should know not only the goals and objectives of their role in the company but also how to attain those goals and complete tasks in a manner compliant with regulatory and industry standards. Managers must rewrite performance reviews with an eye towards compliance and risk management and workers must take ownership and responsibility for assets in their purview with compliance and risk characteristics.
Like managers and executives who sign attestations for public reports and regulatory strategies, business staff should sign off on their work and take ownership of the results. This will build a chain of evidence to confirm the status of regulatory compliance from senior individuals to junior staff and support a culture that values responsibility and accountability.
With new ownership of tasks and responsibilities, front-office workers will need training. Typically, compliance functions are underfunded, people are overworked and roles suffer from high turnover rates. Spreading the risk across the front office dilutes the compliance work, but the costs remain.
The best approach for training is to infuse departments with people who are familiar with technology, data and analytics. Most compliance and legal data is dry and rote. Put the data in a dashboard and visualise it like marketing and business data and invest in technology that provides predictive models. Use technology to blend business lines and processes, legal compliance and workflow, and visualise the output.
Technology
Besides people and processes, compliance and risk professionals must be comfortable with the role that technology can play in identifying and mitigating risk in business performance. Visualise risk alongside performance, for example by measuring the soft cost of compliance in terms of the business performance it inhibits. Once these costs are uncovered and easily identified, they become visible and apparent to a data analyst. Organisations will find it more difficult to hide something in plain sight.
Cognitive data analytics will show compliance patterns in real time. Once organisations find patterns and focus on a problem, they can correct it and self-report it before the authorities find it, perhaps even before a whistle-blower does.
Organisations that self-report to regulators are treated better than ones that attempt to cover up malfeasance. Engaging and maintaining proactive compliance work in a healthy business climate will support a culture of compliance and create an environment for front-office workers to do the right thing. It will also prevent executives from contravening regulatory frameworks designed to protect the public from corporate fraud and abuse.
Most people want to do the right thing. If organisations create a business culture to surface that attitude, visualise it and build processes around it to identify bad behaviour, it will have true compliance from the front to the back office.
FIT for practice
Implementing a true compliance programme across the organisation takes time and dedicated resources. A best practice is to start small, test the proof of concept in a project, demonstrate it and make it a success. Build up a compliance programme before building it out.
For big, complex global organisations, a universal compliance programme is very likely impossible. Global companies operate in many industries and jurisdictions, all subject to a wide variety of legislation and regulation. Risk mitigation must work locally and add up to global compliance. Linear thinkers who demand perfection should look for an alternative profession. Linear, sequential thinkers may not undertake a task until every potential vulnerable point is accounted for. They are often mired in the details of the moment while the business moves on down the track. With regulators, it’s not perfection that counts – it’s making progress.
If organisations wait to roll out an uber-compliance programme until all the pieces are in place, the underlying regulatory scheme will change. The programme will be obsolete before it gets underway. It will be constantly behind the train of business.
Lawyers, managers and executives must set aside their linear, reactive thinking around risk and compliance. It’s not a good frame of mind to approach and implement a proactive and progressive compliance programme. Compliance executives need to keep up with changing business operations and moving regulatory frameworks. New regulations, or newly developed or acquired lines of business, may call for new compliant operational procedures.
Besides regulation, organisations must mitigate public reaction to potential corporate fraud and abuse. If an organisation is caught red-handed by regulators, it may call for a linear reaction. But when that news becomes public, the backlash can be exponential and detrimental to the organisation’s revenue and value in public markets.
Companies successful in complying with a regulatory framework have sound long-term business plans with integrated, focussed and compartmental compliance and risk mitigation measures. They tackle regulatory challenge and change in piecemeal fashion. A successful programme builds on the success of small projects, which can demonstrate, over and over again, that true compliance can be done.
About the Author:
Dave is Global Director Risk & Compliance with Thomson Reuters and works with our major clients to help address and mitigate systemic regulatory, compliance, risk and related challenges. Dave is a senior executive and lawyer who has deep experience at the intersection of business, law, technology, compliance and risk management, and preparedness. He has been on all sides of regulatory change – as General Counsel/Chief Compliance Officer, advisor, counselor and technology services provider – and has helped many companies navigate the complex waters of regulatory change through technology-driven process improvements.