Developing effective compliance strategies
March 2014 | ROUNDTABLE | BOARDROOM INTELLIGENCE
Financier Worldwide Magazine
All organisations face increasing ethics and compliance demands, and even the most sophisticated businesses may struggle to maintain compliance with today’s growing multitude of regulations. The risks that corporations face change frequently and sometimes with dramatic speed. The success of any compliance strategy, therefore, depends on how well it is planned and implemented, and how well it responds to new standards. While compliance is an obligation of everyone within the firm, appointing a compliance officer can ensure nothing falls through the cracks. However, company-wide training is the key to instilling company ethics and disseminating a culture of compliance.
FW: Could you provide a brief overview of the increasing regulatory challenges companies face in today’s corporate environment? How important is an effective compliance strategy to manage these challenges?
Miller: One of the key compliance issues facing companies with an international footprint is the Foreign Corrupt Practices Act (FCPA). The FCPA is a rapidly evolving area of the law, and the enforcement agencies continue to raise the bar on their expectations of what corporate compliance should look like. As a result, we are seeing a lot of companies moving to expand their compliance structures, both in terms of written policies and procedures, and in terms of personnel devoted to compliance oversight. Many companies’ compliance structures are getting more complex very quickly.
Mazur: All organisations are facing consistently increasing ethics and compliance demands and responsibilities. Only last month, Brazil published new regulations and requirements to prevent corruption. China is quickly establishing an infrastructure that will increase ethics and compliance standards, monitoring, enforcement and reporting responsibilities. An effective compliance strategy to manage these new challenges is extremely important. An organisation’s strategy must be nimble and allow for quick response to new risks. It must anticipate future regulation, given the number of recent instances – for example, the Wall Street ‘market research’ scandal – when corporations were held accountable for misconduct that, at the time, was not considered illegal.
Ritchie: The regulatory challenge is growing for all companies. In response to the global financial crisis regulators have gone into overdrive having determined that in most cases the reason for failures during the crisis was too much leeway given to corporations that was used inappropriately. For most companies this means the need to upgrade compliance programs, and for those that aren’t upgrading them it probably means some angry words from the regulator a little down the track. The key issues these organisations face in addressing the growing regulatory challenges are, first, the volume of regulatory change; second, organisational structures and commitment; and third, the role of the compliance function.
Zimiles: The most significant compliance challenges corporations face today are changes in risk and regulatory focus. The risks that corporations face change frequently and sometimes with dramatic speed. It can be difficult for a compliance program for a large or complex company to respond with the necessary agility. Also, regulators have been more aggressive in enforcement of compliance regulations, which means it is even more important to stay current on emerging issues and risks. In the wake of the financial crisis, regulators of financial institutions have been the subject of criticism by Congress and the press, making them more focused on their available enforcement tools than ever before.
Zylberberg: As a major worldwide telecom operator, we have to face many challenges regarding compliance. Eight domains have to be considered – finance, competition, human resources, fraud, personal data, safety, corporate social responsibility, and regulations, in particular telecom regulations. Among them, we choose to focus on four issues – corruption, antitrust policies, personal data protection and international sanctions. We believe that they could have a major impact upon our company. Of course, it does not mean that we ignore other topics. An effective strategy for compliance is based on tone at the top, effective governance, risk analysis, established policy and procedures, training and awareness, and controls.
Smith: Even the most sophisticated global traders struggle to maintain compliance with a multitude of regulations that take many forms and come from many agencies and jurisdictions. Perhaps the most challenging aspects of any global compliance program are communication and consistent implementation. Companies often find that disseminating compliance processes and controls to far flung locations with different languages and cultural nuances can be difficult. This is especially true when they don’t always appreciate the need to be compliant with the regulations of other jurisdictions. Further, you must have a process in place to monitor changes in the regulations. This becomes critical if you want the opportunity to submit comments that may help influence the drafting of the regulation.
Farrell: The financial services industry in many jurisdictions, but particularly in the US and the UK, faces the most challenging regulatory environment in recent memory. There are two reasons. The first is that there is increasing regulatory scrutiny with the addition of new regulatory agencies focused on consumer fairness, and with the addition of new laws and regulations that are principles-based, not technical requirements. The second reason is that there is an increase in the evolution of technology in financial services delivery, bringing with it an unchartered frontier in regulatory compliance.
Odoner: Today, companies face unprecedented scrutiny from regulators around the world, who are approaching enforcement with great vigour and new technological tools. Activist shareholders, employees, customers, NGOs and other traditional and non-traditional stakeholders also put companies under the lens, and social media enables perceptions – whether or not justified – to build almost instantly. While enforcement activities related to the financial crisis may be running their course, there are a host of new compliance issues at the eye of the storm, such as those relating to cyber security and data privacy, as well as more traditional risks that are receiving increased regulatory attention, such as insider trading, bribery, money laundering and financial reporting fraud.
FW: In your opinion, what are the key issues that firms should address as part of their compliance strategy? What essential provisions and controls should this strategy include?
Mazur: Firms’ compliance strategies should focus not only on laws and regulations but also on ethics and culture. In fact, a firm’s strategy should be a careful balance of risk management, understanding of and respect for laws and regulations, and a culture of ethical business behaviour. The strategy should not be minimalistic, opportunistic or ‘check-the-box’. Among key issues are discipline – that ethics and compliance standards should be followed consistently and regularly enforced— and incentives, such that the firm’s incentive systems should specifically and directly reward ethical behaviour. Essential provisions and controls include a well-written and well-communicated code of ethics; ethics training that spans all levels of the organisation, including the board of directors; and a direct reporting line from the chief ethics and compliance officer (CECO) to the board.
Ritchie: There are a few critical issues to be addressed in establishing a compliance strategy. The first is executive and board commitment to the strategy and the role of compliance. Without executive buy-in and support the compliance function is destined to remain somewhat ineffective. The strategy must clearly articulate the role of the compliance function for the executive and board to demonstrate their unequivocal support. Second is the appropriate number and skilled resources. The function must contain staff with appropriate skills and knowledge, and the depth of resources to support the entire businesses compliance requirements. If the function does not have enough skilled resources to cover the key areas of compliance risk they will be unable to demonstrate effectiveness of the function. The third issue is a clear understanding of the organisation’s compliance obligations and the key risks to those obligations.
Zimiles: The key issues facing any compliance organisation are people and technology. Your systems have to keep pace with the sophistication of your business, regulatory expectations and the risks that you are trying to identify and mitigate. The second and related issue is staff. You must have enough staff, at the right level of expertise and management skills to execute the program properly. A balance between technical and management expertise is crucial in this environment.
Zylberberg: It is important to differentiate two types of issues here. The first are those which could have a major financial and reputational impact for the company – we could call them defensive issues. The others are key elements to reinforce our customers’ confidence, for instance, personal data. We have many controls and provisions already in place but nothing will be better than a global and widespread awareness of all our employees regarding those issues. We know that our customers care about those issues and we try our best to respond. We provide technical tools to protect personal data but we also have to educate customers to be careful in the new technological environment where the difficulties could arise at any moment.
Smith: First and foremost is to know what regulatory exposure your company has. Some can be industry specific while others can be broader in scope. Understanding the ones that impact your business is critical and should be reviewed in a full scale regulatory risk assessment. Controls such as assessment, monitoring, reporting, training, and so on, are considered fundamental to any compliance program. But a compliance strategy should consider issues such as the company’s relationship with the federal agencies who regulate them. Building a trusting, cooperative relationship with them is vital. Engaging in the regulatory creation process is another strategic step that addresses the risk at its core. Beyond these, a solid compliance strategy should include executive or board level support.
Farrell: The most critical issue is corporate culture. With a regulatory emphasis on principles-based rules, it is essential to have a fairness-based culture. Since culture begins with the tone at the top of the house, the organisation’s compliance strategy must start with executive management and the messages that are sent purposefully as well as incidentally to the organisation as a whole. As important is the fact that the compliance leader must set a strategic and proactive tone for the compliance program. It is not enough to be reactive anymore. Some essential provisions of such a strategy include a strategic compliance plan, a proactive plan to scan the risk horizons and a commitment from the lines of business to be an effective first line of defence.
Odoner: Compliance failures are often not just ethical failures but also business failures. A key issue for firms to address as part of their compliance strategy is how to ensure that compliance is strategically important. This must begin with the board and senior management, who set both the ethical tone and business priorities for their organisation. In a world of myriad risks, it may be worthwhile to identify and prioritise those that have the greatest potential to damage the enterprise, or to keep it from reaching its potential, and to develop both the substantive compliance program and the ‘case for compliance’ around these most significant risks. An effective compliance program should, however, incorporate a continuous risk assessment process to keep the program ‘relevant’ and to ensure that the risks associated with new business activities are anticipated, to the extent possible, during and as an integral part of the business planning process.
FW: What initial steps should firms take when beginning to build an effective compliance program? What sources are available in terms of model guidance and framework templates?
Ritchie: The steps a firm should take when building a compliance program include understanding the organisation’s appetite for compliance risk. Whilst in many instances the appetite for compliance breaches is stated as ‘zero tolerance’, in reality the amount of effort and cost an organisation is willing to put in to addressing compliance is somewhat lower than that necessary to achieve zero compliance issues. The second step is establishing an appropriate mandate – through ensuring those tasked with establishing the compliance function have the support of the board and the executive. The final step is recruiting appropriately skilled and senior resources – the compliance function needs capable, intelligent and independent people who are willing to challenge the business and stand by their perspectives.
Zimiles: The best place to start evaluating your compliance program is a risk assessment and gap analysis. A risk assessment will tell you those areas that need the most compliance attention and resources. A gap analysis is a methodical measurement of the regulatory requirements measured against the controls, including systems and technology, which you have in place. Without a risk assessment and gap analysis, you will not be aware if your program is missing any elements and how important those elements are. Once these foundational understandings are in place, the program must address them appropriately.
Zylberberg: The very first step when building an effective compliance program is to secure full support from all group executives, which translates into strong tone at the top delivered at all levels of the company. The next stage is to design a simple and structured approach that everyone understands and which will be applied on all compliance programs across the organisation. Then, of course, understanding the risks for a proportionate approach and setting up the controls to ensure your program is effective are ‘must do’ in most compliance guidance. But most of all, communicate, communicate and communicate, again and again.
Smith: The first step is to conduct a thorough risk assessment of the regulations pertinent to your specific business model and industry as a whole. Next is to leverage that information to gain full support from the senior executives and board. That support should be expressed openly and in writing to the general workforce, by having it added to the code of conduct or similar governance publications. It should also include a requirement for annual senior executive compliance training. As for resources to help develop a program, sometimes the best places to start are the websites of the regulatory agencies pertinent to your business. However, the foundation should be built using the US sentencing guidelines or similar publications in other countries.
Farrell: When building a compliance program the executive team, the line of business leaderships and the leaders of the other risk disciplines – operations, technology, and so on – must be engaged. Compliance departments cannot keep the organisation in compliance. It takes the organisation as a whole. The lines of business must buy into the fact that they own compliance for their products. They must be their own monitor and not depend on an outside group to make them follow the rules. The compliance leader is a key to the success. Hiring the right person – even if he or she is not a subject matter expert – is essential. The ideal compliance leader requires outstanding leadership qualities, including persuasive skills that can get people to follow him or her, even if they don’t have to and to places they may not want to go.
Odoner: At the outset, the board and senior management should discuss, debate and reach consensus about what they want to achieve from the program and what its broad contours will be. At a minimum, the compliance program should include policies and procedures that address risks arising from the laws and regulations that apply to the particular company wherever it is doing business. Some companies may wish to go beyond this baseline and set more stringent standards that may not otherwise apply; this decision may also be influenced by the wishes of third parties such as joint venture partners or customers, or as part of remediating problems – sometimes high-profile – that have arisen in the past. Decide whether the company wants or needs to have a ‘best-in-class’ compliance program from the outset and whether that is realistically achievable, or whether to start with something more modest and make improvements over time.
Miller: It is not difficult to find model FCPA provisions, but the key to implementing an effective compliance program is tailoring it to the specific needs and business flow of your company. Trying to impose someone else’s template on a company is not likely to win converts out in the field, where your key stakeholders will be located. Those are the people you need to reach, and the people you need to be able to trust. If they sense that a generic compliance program is being layered over the top of their business practices, then they aren’t likely to follow it and it won’t result in effective implementation. It’s much better to think through how to create a compliance program that can be integrated organically into the way your business operates — especially your sales, marketing or business development functions.
Mazur: A firm should identify who in the organisation currently has responsibilities for compliance and organise everything under the CECO, to ensure consistency and effective use of resources. Second, the firm should identify the organisation’s values and, if necessary, update them as tools for establishing a culture of values-based ethical business behaviour. Third, the organisation should identify a resource – such as the ECOA – where it can ask questions of and otherwise benchmark against other organisations so as not to ‘reinvent the wheel’ or make unnecessary mistakes. And fourth, the organisation should identify ethics and compliance-related responsibilities in all jurisdictions in which it operates, to ensure nothing required is left out of the program design.
FW: What are the advantages of appointing a compliance officer and establishing a compliance committee? What are the functions of each, and how should firms determine their responsibilities?
Zimiles: While compliance is everyone’s obligation, it is important to have one person in charge of the compliance function so that nothing falls through the cracks. The compliance committee on the other hand will establish the appropriate ‘tone at the top’ that senior management takes the company’s compliance obligations seriously. A compliance committee will also make sure that the company’s business leaders understand the risks and the mitigation efforts that compliance uses to reduce the risk.
Zylberberg: Having a compliance officer at the group level shows that the tone at the top is not a phrase but an actual policy. This compliance officer must have at least two assets – a very good knowledge of the company and having the possibility to interact directly with the executive members. If there is a compliance committee, it shall not dilute the responsibility of the compliance officer.
Smith: Having a compliance officer sends a very clear message. It tells the world that regulatory compliance has a seat at the table and it establishes a level of accountability missing in many organisations. Officers should focus on maintaining consistent controls throughout the organisation and ensuring that communication, monitoring and reporting efforts are being supported. Committees inject a level of objectivity that may not be there with an officer alone, often serving as a form of checks and balances. Together they help the company to develop and maintain a cohesive compliance strategy aligned with the goals of the business. The key for both is the level of empowerment they each are given by the board and senior executives.
Farrell: Regulated financial institutions in most jurisdictions are required to appoint a compliance officer. The regulatory risks in this industry are great enough that a good leader is essential. Creating a compliance committee consisting of different stakeholders throughout the organisation can provide cohesion to the organisation’s compliance effort. This committee, acting as an advisory board, can give the compliance organisation great input as well as become informed of the compliance strategy and key issues that arise. Working with a compliance committee allows the compliance leader to get buy-in from these stakeholders for the compliance program initiatives.
Odoner: Centralising responsibility in a chief compliance officer who is a well-respected member of senior management, who has ready access to the board and appropriate board committees and who is well-armed with appropriate corporate resources – both in terms of funding and personnel – is an important key to an effective program. The chief compliance officer is generally tasked with driving the company’s efforts to translate federal, state, local and applicable foreign laws and regulatory requirements into well-articulated and communicated behavioural expectations and appropriate controls and procedures within the company. Often, the chief compliance officer sits at the head of a committee composed of representatives of the company’s legal, internal audit, technology, human resources and similar functions as well as business leaders who champion the program within their units. The committee meets frequently to direct and review the compliance program’s implementation and to assess its effectiveness.
Miller: It is absolutely key to have a single person with day-to-day responsibility for compliance oversight. If one person doesn’t do it, then nobody will do it because it will always be someone else’s responsibility. Depending on the size of the company, compliance can be one of several responsibilities in an employee’s portfolio, but for the compliance role to be effective, the officer needs to have adequate resources – including the time – to do the job right. That person should also be at a sufficient level in the company and have enough authority and independence to say no when he or she needs to say no. For most companies, this will mean setting up a direct reporting line to the audit committee or other independent committee of the board of directors, rather than having that person report solely to the general counsel or management.
Mazur: One advantage of appointing a CECO, who reports to the CEO and the board of directors, is that operating and functional units will see that ethics and compliance will be taken seriously in the organisation. Another advantage is that a single leader is best positioned to ensure consistent standards, communication, enforcement and remediation of ethics and compliance issues. A third advantage is that having a CECO will increase the likelihood of achieving the level of true independence that is necessary for the program to be effective. The function of a CECO is to lead the ethics and compliance program, to ensure it is integrated into all facets of the organisation’s business strategy and business plans, and to communicate about the program and its progress to the CEO and the board of directors. The function of an ethics and compliance committee is to help the CECO ensure that ethics and compliance issues are raised as often as necessary, and at the right times.
Ritchie: Appointing a compliance officer and establishing a committee provides a focal point and visibility for the compliance function and more widespread recognition that compliance is a real and tangible expectation. Each officer provides the ability to monitor compliance within the organisation, and generate the impetus for the wider business to acknowledge compliance requirements and be deliberate in the way they manage compliance requirements. Compliance officers also provide a mechanism for articulating and enforcing consequences, which are an important component of effective compliance.
FW: What advice can you give to companies on developing compliance training programs across their organisation? How important is it to effectively monitor and update training programs?
Zylberberg: Training is key to disseminating a compliance culture. It is also a way to get operational employees on board and avoid the traditional divide between corporate and operational functions on such matters. Monitoring and updating training is important to protect the company and show how it takes compliance seriously, and a way to keep your employees updated.
Smith: Training for compliance must include the C-suite. All too often, senior executives not well versed in their company’s regulatory risk think that it is limited to the high profile financial regulations implemented in recent years. Once, perhaps twice a year, senior executives should be required to attend compliance awareness training preferably conducted by legal counsel. A distinction should be made between ‘awareness’ training and ‘operational’ compliance training. A well designed training program will take that into consideration. Further, employee turnover presents a risk when compliance training is not part of the new hire onboarding process. It is imperative that training programs be revised as needed when the regulations change or new ones are created.
Farrell: Compliance training is essential; this fact cannot be overstated. In some cases training is required by statute. But in all cases, laws and regulations are often complex and difficult to understand. Compliance training should be tailored to the employee. Awareness training should be used broadly to allow a large group of employees to have a high level understanding of the law or regulation. Some employees need in-depth training on certain regulations that have a particular applicability to their job. For example, while all employees of a bank need to be aware of the applicable anti-money laundering laws, those employees who open accounts or handle cash need more specific in-depth AML training. Web-based training is relatively cheap and can be administered easily, but it is not the best medium for groups that need in-depth training. Live, classroom training is the best mode to convey difficult concepts or to relay deep knowledge.
Odoner: Companies should ensure that compliance training programs are tailored as appropriate to address the risks that are relevant to the audience and the issues they are most likely to encounter. Training programs should be delivered frequently, in digestible amounts and in an engaging manner. Some companies conduct key training programs on a face-to-face basis periodically, and deliver other programs via webcast. Companies should ensure that they carefully track who attends which training programs and follow up on any laggards; when conducting investigations, regulators may focus on the frequency of and attendance at trainings as an indicator of how seriously compliance is taken within an organisation. Training should be completed by personnel at all levels of the company.
Miller: The most important thing to do in training programs is to give employees practical, instead of theoretical, advice. It makes no sense to give oilfield workers, for example, a law school symposium on the legal requirements of the FCPA and then expect them to take the information and apply it to new issues that may arise in the field. Employees need to have the company explain to them exactly what types of things they need to look out for and how those issues are likely to come up in their own work. This requires thinking through exactly where the risk areas are in your own company and what sorts of issues are likely to arise. Then tell them not to try to figure it out for themselves when a real-life issue does arise — they should go to the compliance officer or general counsel and seek assistance.
Mazur: Organisations should ensure that the ethics and compliance training programs are designed to be interactive, such that, to complete the program, trainees must be engaged. Also, managers should receive special training that helps them respond to ethics and compliance issues – in a consistent way that reflects the goals of the program – from their employees as well as model the behaviour called for in the training. It is important to effectively monitor training programs to identify whether learning is occurring and behaviour is changing. Also, it’s important to identify issues where employees are answering training test questions wrong – whether or not you notice and do something about these failings, regulators or prosecutors might.
Ritchie: Compliance training programs are just like any other training program and should be developed with key learning principles in mind. Using a variety of media and techniques appeals to different learning styles and enhances the learning outcomes. Testing the contents and learning outcomes of compliance training allows an evaluation of knowledge transfer and progress. Firms should maintain records and be clear about consequences, and training should be a process not an event. The continuing changing compliance landscape and the inevitable turnover and movement in staff means that it is essential to regularly monitor and update compliance programs.
Zimiles: While every employee should receive compliance training, it is important to consider whether the training should be tailored to the audience in certain circumstances. Depending on the topic, for example, call centre employees may need to be given different training from account executives and sales staff. Similarly, you must keep the training fresh and updated if you want it to have any real impact on the employees. It is also important to track and document that the employees have taken the training and that there are consequences for employees that fail to do so.
FW: How should companies – particularly multinationals – approach the process of rolling out a compliance strategy? What challenges regularly surface at the multijurisdictional level, and what solutions may be used to overcome them?
Smith: Getting full support in a multinational, or multi-jurisdictionally, can be difficult. Problems can arise when internal stakeholders fail to understand or support the notion that firms operating in one country or jurisdiction may be held accountable for compliance with the regulations of another country or jurisdiction. A good example of this is the FCPA which is a US law that prevents a company from engaging in activities that are considered corruption in the US, but may not be considered the same in another country. Stakeholders operating in the foreign country sometimes have difficulty understanding why they must refrain from activities that are considered normal and legal in their country.
Farrell: Ideally, compliance strategies should be consistent and unified, even if adjustments need to be made for different jurisdictions. While the focus of the programs may involve different laws and regulations, the overall framework the organisation uses can be consistent. For example, if the organisation has charged the line of business – the so-called ‘first line of defence’ – with the primary responsibility for compliance, this strategy can be used across the organisation, even if the particular laws and regulations are different. Also, a proactive and strategic compliance program can be rolled out in a multinational setting even if the particulars of the program vary between jurisdictions.
Odoner: The designated board committee, compliance officer and business leaders should agree on how and when the compliance program will be rolled out. Roll-out includes how the overall initiative is to be communicated to employees and other affected parties, how and when the code of conduct and other policies and procedures will be distributed, and when training programs will commence. To avoid confusion, particular care should be taken in relation to the dissemination of any region-specific policies that may have been adopted. Depending on who will be delivering training programs, the company may need to ‘train the trainers’ using prepared training materials in advance of the roll-out. Multinationals should ensure that the code of conduct and other relevant documents – as well as the whistleblower hotline – are available in different languages where needed, so that the roll-out can be conducted on a coordinated basis across all of the company’s operations.
Miller: Rolling out a new or improved compliance program is a big deal. If you want it to work well, and you want people to accept and implement it, you need to do a lot of groundwork in advance. This calls for a diplomatic effort at all levels, from the bottom to the top, from the workers in the field to senior management and the board of directors. All these constituencies need to be brought on board before the program is rolled out. In the case of the board and senior management, you need to have a clear mandate and the backing of key members. Keep them apprised of how the program is developing and bring them into the process by seeking their input on key decision points. Get everyone to invest so when the program is finally rolled out, everyone will have a stake in its success.
Mazur: Multinationals should identify ethics and compliance requirements in all their jurisdictions. Beyond checking with enforcement authorities, they should conduct an employee assessment, with representation from all jurisdictions, to ensure the roll-out will cover all ethics and compliance-related risks they and the organisation face. A second benefit of the assessment is that it helps the new strategy earn the ‘buy-in’ of local employees. An early goal should be the creation of a code of ethics like Hewlett-Packard’s, where common standards representative of the HP Way are applied in every jurisdiction, such that every employee is held accountable to the same corporate values. This approach offers many benefits, including the ease and success of employees transferring between locations. For ethics and compliance rules or issues that are country or region specific, an addendum can be added to the code.
Ritchie: The key to successfully rolling out a multinational compliance strategy is empowering the local compliance professionals to take ownership and adapt the strategy to take account of local nuances. Extensive consultation – and listening – throughout the design phase is essential for gaining support in offshore locations and for ensuring that the global compliance strategy will be effective in managing local compliance risks. Challenges that regularly surface include designing a solution at head office and assuming it can be implemented and effective in multiple jurisdictions; not taking account of local regulatory nuances, or even differences of opinions between local regulators; inappropriate timescales – either too short or too drawn out; lack of sponsorship by senior executives; and focusing on ‘regulatory excellence’ rather than on enabling the business.
Zimiles: One of the biggest challenges for a multinational company may be harmonising the various local rules and regulations that relate to compliance. The company has to determine whether they want a compliance policy that is truly global, which may mean compliance controls in many jurisdictions may be stronger than required by local law or whether they want a more decentralised program with a number of truly local policies. There are pros and cons for each approach, but the organisation should have an enterprise-wide approach that may need local adjustments. Whichever approach is taken, education and communication is the key to implementing an effective roll out. You should take the time to obtain input from all the stakeholders – for example, compliance, technology, business and operations – and educate them about the strategy and why it is important.
Zylberberg: Every company is different, and each firm has its own culture and own history. Furthermore, each case is different and it is difficult to give global advice. I would say that you must follow at least three principles. First, always check if the global message is understood and in line with local culture. If not, you should find ways to make it understandable and endorsed at local level by local leaders of opinion. Second, be transparent when difficulties occur, as they are always more manageable at the very beginning rather than when damage has begun. Third, don’t consider compliance as a burden but as a way to accompany the changes in the way the companies does business.
FW: How important is it for companies to ensure that appropriate communication lines and protections are available to encourage internal whistleblowers? If a particular issue is formally reported by a whistleblower, how should the company respond?
Farrell: In the world of risk management today, whistleblowers must be taken seriously and be protected. In some jurisdictions whistleblowers are rewarded by the government and therefore, are incentivised to bring problems to law enforcement agencies rather than to their own institutions. In any case, any organisation should want to know the information a whistleblower brings before it is released to the public. The best way to keep the information inside the organisation is to have a robust employee reporting structure that encourages information flow. Culture plays a role here too. If whistleblowers are punished, none will come forward. The information must be treated with privacy and respect in order to continue to encourage employees to report what they know.
Odoner: Communication lines and anti-retaliation protections are essential to encouraging internal reporting of concerns. In the event that compliance concerns exist, it is preferable that they surface via internal reports – which may indicate at least some measure of compliance program effectiveness and give the company a head start in investigating and, if warranted, correcting the problem – as opposed to detection by an auditor or regulator. Encouraging internal reporting is especially critical now in light of various bounty programs that reward whistleblowers who report to a regulator such as the US Securities and Exchange Commission or the Internal Revenue Service. The company should provide a range of channels for raising questions and reporting concerns, which may include reporting to a supervisor, the audit committee or a confidential whistleblower hotline that is managed by a company ‘ombuds’ or a third-party service provider.
Miller: Dodd-Frank has changed the landscape when it comes to whistleblowers, because now there is an incentive for whistleblowers to go straight to the SEC and bypass internal reporting procedures. Companies should do whatever they can to make it easy for employees to report suspected compliance violations internally, rather than have them running directly to the government. Companies need to have hotlines that are easily accessible to all employees, with both telephonic and email channels. The hotlines need to be well-publicised throughout the company, so when an issue arises, the potential whistleblower has the information at his or her fingertips and it is a simple matter to pick up the phone.
Mazur: It is extremely important for organisations to ensure that appropriate communication lines and protections are available to encourage internal whistleblowing. To the extent that local laws allow, the lines and policies should permit anonymous reporting, as one of many means of protecting employees from retaliation. The strategy, as part of the overall goal to achieve an ethical business culture, should seek to achieve a ‘speak up’ culture, where employees are not only not punished for raising concerns but are actually rewarded for demonstrating their care for the organisation and its goals. If a particular issue is formally reported by a whistleblower, the organisation should honour pre-existing protocols, policies and procedures for handling such calls.
Ritchie: Whistleblower programs are an important tool to ensure customers or staff within an organisation have an avenue to pass on information about perceived inappropriate behaviour, actions or outcomes that they witness but are not in a position to communicate through normal organisational channels. The programs must be supported by appropriately independent investigation teams and the anonymity of the whistleblower must be protected. All credible – and the word credible needs a very broad interpretation – disclosure needs to be investigated by an independent party. This may be as simple as checking whether the alleged activity was possible, through to a thorough investigation of the broader activities and behaviours of the subject of the whistleblowing.
Zimiles: It is crucial that companies design and implement a program to encourage and protect whistleblowers. Under the new SEC rules, a whistleblower program may help you avoid liability and will enable you to identify and resolve compliance issues as soon as possible. Companies must take issues identified by whistleblowers very seriously. Internal or external counsel or a combination of each should conduct a robust investigation of the allegation and should report their findings to senior management or the board. If the allegations turn out to have merit, management can decide the appropriate action and whether the company should make a disclosure to regulators or law enforcement. One step that some companies omit is to use the results of the internal investigation to help improve the existing compliance program. If the issue has merit, you can determine whether it was a systems failure, a training failure, a rogue employee or something else that can provide ‘lessons learned’ and prevent such failures in the future. These lessons should be communicated so all relevant personnel receive the benefits.
Zylberberg: Even if whistleblowing is partly out of French or European culture, it is important to offer your employees the chance to inform the company when they see something wrong. They must have proper protection when they do it and the company should verify the facts. In the meantime, the company is not the police or the judiciary – if an official inquiry must be launched, firms should provide all the information to the relevant authorities.
Smith: It’s very important to maintain communication lines and protections. Hotlines and third party solutions do add value to a compliance program. Firms that use this type of tool often find it being used to report mismanagement as opposed to material breaches of compliance, but still, providing this option is a great way to encourage employees to speak out. A well-managed compliance program should include options for speaking directly to senior executives who reside outside of the employee’s chain of command. This was done in the form of an ‘open door’ policy at one company that allowed any employee to meet with any executive without the need to arrange it through their chain of command. Another tool is the ‘skip level’ meeting where executives are required to meet regularly with employees a level below them in the organisational structure. Whistleblowers are important to a compliance program and should be afforded every available protection against retaliation.
FW: Today’s boards face increasing pressure to offer greater transparency and compliance reporting, and to ‘own’ the compliance process. What more can boards do to position compliance as an integral and strategic element of business?
Odoner: In setting board and committee calendars at the beginning of each year, corporate secretaries, lead directors and committee chairs should ensure that agendas allocate sufficient time for focus on compliance issues. Board and committee responsibility for compliance oversight should be specified in the corporate governance guidelines and committee charters, and the effectiveness of that oversight role made an important topic during board and committee evaluations. The compliance function needs to have credibility within the organisation for it to become an integral and strategic element of the business – this requires at a minimum the allocation of sufficient resources to the compliance function and the designation of the compliance officer as a senior leader with direct access to the board or committee, and business leaders.
Miller: There are several things that a board can do to ‘own’ the compliance process. The first is for the board to be involved in developing and implementing the compliance program itself. This should include instructing management in what the board wants to see done, monitoring the process and contributing expertise where possible, and having final approval authority over the finished product. The second thing a board can and should do is to have a direct reporting line from the audit committee or other committee of independent – non-management – board members to the chief compliance officer or other individual who has primary responsibility for overseeing the compliance program. This reporting should include presentations at regularly scheduled committee meetings and ad hoc reporting at other times. The third thing a board should do is to take appropriate action when a suspected breach of internal controls has occurred.
Mazur: To successfully position ethics and compliance as an integral and strategic element of their business, boards of directors can mandate that all strategic initiatives involve the CECO in their planning and design. This will ensure that ethics and compliance issues are addressed early and will receive their due attention as key business decisions are made. Further, boards of directors can give ethics and compliance and the CECO an amount of time at each board meeting that is commensurate with other important initiatives. Additionally, directors can invite the CECO to prepare customised ethics training for the board. The training will not only inform directors of the standards to which employees are being held accountable, it can deliver actual skill-building, given the extremely serious responsibilities that directors have in making difficult ethical decisions.
Ritchie: Boards need to insist on a more significant role and budget for the compliance function. They also need to put more pressure on the existing compliance resources to grasp a stronger position within the organisation. In many instances the nature of the personnel in the compliance function limits the functions effectiveness when the organisation is asking it to step up and be counted.
Zimiles: The board should hear directly from the chief compliance officer about compliance and risk issues, regardless of whether the CCO reports directly to them. It is also a good practice to meet with the CCO in a session without senior management, so that the board can assure itself that compliance is getting the attention and resources it deserves. The board should set the tone at the top that compliance is a key to an effective business strategy.
Zylberberg: Our organisation model is based on a managerial culture of compliance and responsibility where tone from the top is key, with full delegation of implementation. This decentralised execution model includes selective reporting, comprehensive self-assessment and strict local traceability. Compliance fosters a culture of protection which supports business development. Applying a proactive, firm and structured compliance approach has become a prerequisite to winning contracts, particularly in calls to tender issued by government organisations and major multinational corporations. In this context, compliance provides the assurance of responsible and honest business management.
Smith: Regulatory compliance should be an agenda item at every board meeting. Next, when possible, directors with compliance experience should be appointed. Shifts in the regulatory environment, whether they emanate internally by activities such as mergers and acquisitions and new product development, or whether they are externally driven should be anticipated by the board and included in a firm’s strategic plan. When developing an organisation’s long term vision, the erosive effect of regulation on a company’s profit should be anticipated and mitigated where possible by deeper engagement during the regulatory creation process. Boards should also understand the synergies that evolve between a compliant culture and the ability to attract and retain a world class workforce. Ethical people want to work around other ethical people; it’s as simple as that. Transparency and reporting should be used as tools to build a comfortable place for these ethical people to work.
Farrell: The best things boards can do is to treat compliance as an essential element of the business. Pay attention to the compliance reports and encourage freedom of information in board meetings. If compliance is treated as a burden, or if only pro forma attention is paid to it, the information will become less valuable over time. Also, board members who sit on risk and compliance committees should ask lots of questions and expect management to find the answer. Board members should be vocal and insist that the company’s compliance with laws and regulations is a top priority. Compensation for executives should depend, to some degree, upon the success of the company’s compliance program.
FW: Going forward, do you expect to see further regulatory change place more pressure on corporate compliance strategies and processes? How would you rate the ability of most companies to prepare for and adapt to a heightened regulatory environment?
Miller: There is not likely to be significant legislative change in the FCPA. The changes we are likely to see will be in the area of enforcement. If current trends provide any indication, we are likely to see a continuing increase in FCPA enforcement actions and a broadening of the enforcement agencies’ interpretations of law. The JP Morgan investigation in China is a good case in point. In that case, according to news reports, the government is investigating JP Morgan not for making payments to Chinese government officials, but for allegedly giving jobs to the children of Chinese officials for the purpose of obtaining business from Chinese companies. It’s a basis for an investigation that we haven’t seen before, and we are likely to see more such novel enforcement activity in the coming years.
Mazur: As global business continues to expand, with guidelines and regulations appearing at all jurisdictional levels, CECOs and their organisations must build and maintain a smooth process for identifying and responding to new standards. I see more enforcement from jurisdictions that, regrettably, see fines as a growing means to raise public revenue. I see social media exploding the level of transparency in the corporate ethics and compliance space – where billions of citizens with nothing but a mobile phone can bring misconduct to the world’s attention in a matter of seconds. I see organisations losing years and years of positive brand capital in an instant if they don’t take ethics and compliance seriously. I rate the ability of most companies to prepare for and adapt to a heightened regulatory environment as average at best, primarily because of an outdated reliance on solely compliance rather than a values-based ethical culture.
Ritchie: The volume and nature of regulatory change is not likely to abate any time soon. This means the pressure on corporate compliance functions will continue to be high. As these functions seek to make themselves more relevant to enable them to execute against their mandate, the volume of requirements they are expected to marshal the organisation through grows. Most companies’ ability to adapt to the new regulatory environment is poor. In many instances compliance functions and the corporate culture were not well established prior to the heightened regulatory compliance activity. The increased expectations have not, to date, been met by organisations increasing their capability in the compliance space in a wholesale manner.
Zimiles: The regulatory landscape is always dynamic, and the more that business changes, the more regulation and regulators will change. Many companies have a difficult time preparing for anticipated changes in the regulatory environment. It is the cornerstone of any organisation’s culture to focus on business conduct – that is, what is the right conduct in any case, regardless of a law or regulation. As the specific rules change or enforcement of the same rules is increased, the focus on the spirit and not just the letter of the law, will serve organisations well.
Zylberberg: The next steps will not come from regulation, they will come from customers and via social networks. All companies will have to adapt and to listen to their customers’ needs.
Smith: Regulatory change will of course put more pressure on companies, and it’s the responsibility of the board and senior management to anticipate it and plan for it. But it should be seen as a two-way street where regulators should be pressured by the regulated to ensure that the fundamental purpose of a new regulation is based on a legitimate need and not some knee jerk reaction. Good corporate compliance strategies should include proactive steps to lessen the burden placed on a corporation. Preparing for and adapting to change is one of the abilities that separate the world class companies from the laggards. So, for large companies with a well-defined compliance plan, changes in the regulatory landscape will be managed as they always have, but for smaller organisations with limited resources, adaptation will not be easy and these changes could spell disaster for them.
Farrell: In the consumer-centric environment in which most financial institutions find themselves, there will continue to be more pressure on compliance departments to find strategies that work. Also, as financial services delivery becomes more technologically advanced, there will be pressures to comply with laws and regulations that do not fit the technology. Also, with profit margins becoming thinner, there will be increasing stress on budgets. Developing more efficient and effective compliance programs will be necessary.
Odoner: The regulatory environment continues to evolve in a way that exposes companies to heightened compliance risks. Some industries are currently experiencing greater scrutiny and regulatory change than others, including the financial services and healthcare-related industries. Companies with well-resourced and effective compliance programs that are subject to robust oversight and continuous risk assessment should be well-prepared to adapt to regulatory change.
Mark Miller’s practice focuses on white-collar criminal defence, corporate investigations and complex civil litigation. He has represented corporations and individuals in federal grand jury investigations, SEC enforcement actions, Justice Department investigations, and in federal prosecutions, both in trial courts and on appeal. He has conducted internal investigations, developed corporate compliance programs, conducted due diligence and provided counselling to clients on a broad range of FCPA matters.
Tim Mazur has over 26 years of experience in business ethics, compliance, and social responsibility. As leader of the ECOA, he leverages his experience as a former ethics officer at two Fortune 500 corporations to shape the association’s strategy. Prior to joining the ECOA, Mr Mazur was vice president, ethics, at Countrywide Financial Corporation. He has published numerous professional articles, and worked for the US Congress.
Mike Ritchie is the Partner In Charge of KPMG Australia’s Financial Risk Management (FRM) division, which incorporates KPMG’s Regulation and Compliance Practice. He has been a partner in the FRM team since 2005 and was appointed to the PIC role in July 2010. He specialises in operational risk, regulatory risk, enterprise risk management, and group-wide risk strategy development and implementation.
Ellen Zimiles is head of Navigant’s Global Investigations and Compliance Practice, and has more than 25 years of litigation and investigation experience. She is a leading authority on anti‐money laundering programs, corporate governance, regulatory and corporate compliance, fraud control and public corruption matters. She has worked with a multitude of financial institutions preparing for regulatory exams, developing remediation programs and assisting organisations as a regulatory liaison.
Laurent Zylberberg was appointed as CCO for Orange in 2013. Prior to this, he was CEO at Orange Vietnam. Mr Zylberberg holds a PhD in sociology and political science. He has acted as a Ministerial adviser in the Home Office and Ministry of Defence, as well as in the Prime Minister’s office. He has also taught political science and public law at the Sorbonne.
Marshall Smith is a customs manager with Starbucks Coffee Company in Seattle, Washington. He has over 30 years experience in management including over 20 years in international shipping. His career has included such diverse industries as customs compliance, importing and exporting, cargo security, oil & gas drilling, industrial sales, television retailing, customer service and real estate.
Kathlyn Farrell has worked in the field of regulatory compliance for over 30 years, advising banks of all sizes. She is a licensed attorney and has functioned as in-house counsel and compliance officer to medium and large financial institutions. She is the author of the ABA’s ‘Reference Guide to Regulatory Compliance’ and the ABA’s ‘Law and Banking’ textbook.
Ellen Odoner heads Weils’s Public Company Advisory Group, which advises US public companies and US-listed foreign private issuers on corporate governance, SEC disclosure, financial restatements and internal control matters. She is one of the leaders of the firm’s high-stakes corporate counselling team. She also specialises in merger & acquisition and securities transactions, particularly those with cross-border elements.
© Financier Worldwide
Baker Botts L.L.P.
Tim C. Mazur
Ethics & Compliance Officer Association (ECOA)
Starbucks Coffee Company
Treliant Risk Advisors, LLC
Ellen J. Odoner
Weil, Gotshal & Manges LLP