Compliance programs: What separates 'good enough' from 'great'?
Explore the building blocks of a world-class program that not only protects an organization from internal and external threats, but also enhances its brand and strengthens its relationships with multiple stakeholders.
The US Federal Sentencing Guidelines [1] and, more recently, promulgations by the Organisation for Economic Co-operation and Development (OECD) Good Practice Guidance [2] have called for companies to develop effective compliance risk mitigation programs and safeguards to protect against internal and external threats of corruption and fraud. Yet, despite decades of experience in developing such practices, the results appear to remain uneven at best, which is especially concerning at a time when risks are increasing.
Consider the stunning growth of social media, mobile technologies, and big data, for example, which has ushered in a new era of transparency, exposing illegal transactions and raising profound new ethical questions about the way business is conducted. Ethics and compliance executives may have come a long way in developing sophisticated measures to prevent, detect, and mitigate
What separates a “good” ethics and compliance program from a “great” one, though? And how
Five key differentiators
While there are a number of factors that separate the “good” from the “great,” the following five are key differentiators in the highest-performing compliance programs:
Tone at the top. The starting point for any world-class ethics and compliance program is the board and senior management, and the sense of responsibility they share to protect shareholders’ reputational and financial assets. Together, the board and senior management should do more than pay lip service to ethics and compliance, however. The ethics and compliance culture must permeate the entire organization, without exception, and should evidence itself through balanced metrics considered in the performance measurement of senior management. Moreover, the board and senior management should empower and properly resource those individuals who have day-to-day responsibilities to mitigate risks and build organizational trust. Words without actions are an empty chalice.
Corporate culture. Another essential element of a “great” program is building a culture of integrity, and that is derived from the tone at the top. Culture, after all, is comprised of the underlying values, beliefs, attitudes, and expectations shared by an organization, and against which decisions are made and behaviors are formed. For this reason, a culture of integrity is central to any effective ethics and compliance program. If an organization is not managing culture, you can be sure of only one thing—that culture is managing the organization. Importantly, ethics and compliance programs that do not clearly contribute to a culture of ethical and compliant behavior may be viewed as perfunctory functions instilling controls that are impediments to driving the “value change” of the enterprise. If and when that happens, they can become nothing more than roadblocks to be circumvented.
Risk assessments. The velocity of change in today’s world is accelerating, and with it the ever-changing risk landscape. Ethics and compliance risk assessments are not just about process, but also about the results and a deep understanding of the risks that an organization faces. The risk assessment focuses the board and senior management on significant risks and the highest risk concentrations within the organization, and it provides the basis for honest consideration of the actions necessary to avoid, mitigate, or remediate those risks. It also provides a critical tool for the allocation of scarce resources.
Testing and monitoring. Critical to the success of any organization’s efforts in managing risk is a robust testing and monitoring program to help assure the control environment is effective. All the policies, practices, and procedures developed to manage risk are irrelevant if they are poorly understood and executed and, as a result, do not change the behavior of the organization. It begins with implementing appropriate controls, which should be tested and ultimately monitored and audited on a regular basis. In the spirit of ongoing testing and monitoring, it is also crucial to perform periodic cultural assessments and reinforce the desired behaviors while remediating negative ones.
The chief ethics and compliance officer. The chief ethics and compliance officer has day-to-day responsibility for overseeing the management of compliance and reputational risks, and this officer is the agent for the board’s fiduciary obligations to provide oversight and accountability of such. It requires someone with an uncommon breadth of experiences who can design the necessary risk architecture, assess business and cultural risks across a variety of businesses and geographies, develop training and communication strategies, build comprehensive databases, and assess data analytics, while conducting sometimes critical investigations. It also requires someone who can take a balanced approach to ethics and compliance and who, by his or her nature, can build partnerships with business leaders that enhance levels of trust both internally and externally with stakeholders. A skilled chief ethics and compliance officer can create a competitive edge for his or her organization. Such individuals are not always easy to find, however, and appropriate training and coaching can benefit both the individual and the organization.
By themselves, none of the above differentiating factors can protect organizations from ethics and compliance breaches. But, when they are part of a company’s fabric and way of doing business, there’s a better chance of moving from “good enough” to “great” and becoming an organization that attracts the trust and admiration of employees, customers, investors, regulators, and other stakeholders alike.
Rising risks: What categories are receiving board attention?
Increasingly, boards recognize that ethics and compliance risks are among the top threats organizations face. In response, effective boards take a comprehensive view of ethics, compliance, and reputation risks, with a goal of aggregating them so they can be vetted. Otherwise risks can fall into functional silos or get buried under multiple management levels.
What categories of risks are increasingly receiving board attention?
Digital risks. Given the rapid changes in technology, it’s challenging for fiduciaries and risk managers to know what they don’t know. At the same time, technology managers may not consider how the potential for reputation risks, for example, could affect the organization. Those are some of the reasons digital risks are the number one set of emerging risks today, including cyberthreats and the expanding use of social media and mobile technologies. To combat them, boards should also consider whether they have the appropriate experiences among the governing authority members to appropriately address these risks. If the answer is “no,” they should ask if outside advisors or other experts are needed to supplement board knowledge or if it is wiser to add a member with those specific skill sets.
Conflicts of interest. From a US perspective, once a conflict is exposed, the issue typically raises flags. In other regions, where the majority of businesses may be family-owned, conflicts of interest are often viewed differently. Doing business with family or within close-knit groups—and the embedded sense of trust—can outweigh the importance of investigations into conflicts. But as transparency takes hold globally, more conflict-of-interest issues will likely be raised, which boards may have to address.
Bribery and corruption. There have been more than 60 corporate enforcement actions for Foreign Corrupt Practices Act (FCPA) violations since 2008 [3]. Globally, the U.K. Bribery Act is more expansive than the FCPA, the G20 has an ongoing agenda item related to anticorruption collaboration among countries, and there are enforcement actions being promoted by the United Nations and OECD. While bribery and corruption will never disappear, the added scrutiny from the global community and significant new cross-border cooperation between regulators and prosecutors may refocus the attention of boards to be more vigilant.
Cultural risks. To meet a company’s legal requirements, it’s critical that boards and management establish a culture of integrity and strong ethics. In fact, the law expects organizations to take extra measures to develop and promote such a culture. This recognizes both the limitations of compliance as a check-the-box paper program and the powerful influence culture has on behavior in organizations. Increasingly, boards understand their role in recognizing culture as the foundation of an effective framework that addresses compliance, ethics, and integrity risks.
[1] “US Federal Sentencing Guidelines Manual,” US Sentencing Commission, Washington, D.C., November 2013.
[2] “Good Practice Guidance on Internal Controls, Ethics, and Compliance,” Organisation for Economic Co-operation and Development, February 2010.
[3] “SEC Enforcement Actions: FCPA Cases,” US Securities and Exchange Commission, 2014.
About Deloitte’s CFO Program
The CFO Program brings together a multidisciplinary team of Deloitte leaders and subject matter specialists to help CFOs stay ahead in the face of growing challenges and demands. The Program harnesses our organization’s broad capabilities to deliver forward thinking and fresh insights for every stage of a CFO’s career–helping CFOs manage the complexities of their roles, tackle their company’s most compelling challenges, and adapt to strategic shifts in the market.
For more information about Deloitte’s CFO Program, visit our website at: www.deloitte.com/us/thecfoprogram.