Building the Bridge(s) Between Compliance and Business
The success of a compliance program depends on a number of factors. Perhaps one of the most important factors is the strength of the relationship between compliance professionals and business. Compliance depends on business employees to share information, coordinate in compliance procedures, and ensure overall compliance.
As one business manager candidly told me during a risk assessment interview, “if business does not take responsibility for compliance, then compliance will not get done.” Those were prescient words. A Chief Compliance Officer’s initial challenge is to work with business so that business “owns” compliance responsibilities. This makes sense and appears obvious. But the question is how should a CCO and business work together to accomplish this objective?
When starting on this effort, CCOs can always benefit from looking at the issue from the perspective of business. A compliance program is critical for an entire organization. Business has to be treated as a key (if not the key) to the success of the program. Compliance has to be in the interest of a business.
CCOs should approach this challenge in two ways – (1) demonstrate to business that a successful culture and compliance program provides the company with a competitive edge that will increase overall success and revenues of the business; and (2) work closely with the business to ensure that compliance requirements do not become an obstacle to business operations.
In other words, CCOs have to coordinate with business to establish compliance protocols that do not frustrate business operations without any identifiable purpose or benefit. Compliance procedures have to be effective but should be tailored to be efficient and focused on a specific risk. In this context, compliance cannot be an inflexible barrier to business operations.
Even in this framework, however, CCOs should look for opportunities to assist business objectives. CCOs have access to a large amount of information and data. Third-party risk management is an important example. When conducting onboarding and monitoring procedures, compliance often obtains valuable market information that may be helpful to the business. This can be regularly shared with business representatives.
Further, when designing a third-party risk management program, CCOs start from master lists of vendors, suppliers, agents and distributors. A business rarely looks at such information, and when given a copy, business employees can quickly go through the list and identify certain third parties that are no longer used. Procurement and the business will then use this information to update their data on third parties. That is an example of what we call a “win-win.” These small victories help to build a relationship between compliance and the business.
A strong relationship between business and compliance is critical in monitoring the activities of high-risk third parties. A company can usually identify a small number of third parties that pose the greatest risk to the organization. To monitor the activities of these third parties, compliance should establish a regular meeting or consultation between the business person responsible for the relationship and compliance to review the third party’s activities.
This high-risk monitoring program is a new and innovative approach to supplement established third-party risk monitoring activities. The business person who interacts with the third party can provide important insights on the third party’s conduct, whether anything unusual has occurred, or whether there are any important upcoming activities, e.g. a bidding tender. In this respect, compliance needs the insights and support from the business. Such a meeting or consultation can be used by compliance as an opportunity to provide the business employee with updated information about the third party.
Assuming that compliance has a seat at the C-Suite table, CCOs gain access to business strategy and planning. As a participant, CCOs can ensure that compliance requirements are built into any strategy plans and can look for opportunities to support and promote business planning with access to information, research that may be helpful, training programs and other compliance measures that promote the efficient success of a new business strategy, such as a new product launch, an acquisition or expansion into a new country or region.
CCOs have to be flexible to work with the business side of an organization. With a creative approach, CCOs can build and strengthen bridges between compliance and business operations.
You are quite right that a Compliance Officer needs to build bridges. Compliance risk is in the business and seldom in the Board Room. As a non-lawyer, I worked as a Compliance Officer for four years. Based on the feedback I got from both sides it was effective because I understood the business (whence I came) and could translate legal language into stuff the Business understood. It also allowed me to be involved in brainstorming and decision-taking at the early stages, rather than come in at the end and tell them that their plans were not legally sound. Successful compliance work means acceptance by the business (and the legal community), speaking their language and coming up with alternatives that would achieve their business objectives and maintain the legal and ethical framework.