When prosecutors, regulators, and compliance practitioners agree on anything, I pay special attention.
Last week, Compliance Week 2016 opened with a panel of Stephen Cohen, Associate Director of the SEC Division of Enforcement and Andrew Weissmann, Chief of Fraud Section of the DOJ Criminal Division. Their topic: “Are We Defining Effectiveness Correctly?”
Cohen and Weissmann were clear about the importance of the independence of the compliance function. The issue of reporting relationships, from their perspective, wasn’t as significant as the weight of compliance being able to voice disagreement, deal with conflict, and integrating into the business.
Then they addressed the role of pay and incentives as an important component of compliance and ethics.
Cohen and Weissmann shared how they viewed incentives as an essential part of a culture of compliance, down to the “lowest level of an organization.” They said as part of their work, during investigations or voluntary disclosure, they would be going to the “source of the misconduct and looking up.”
The questions that might follow include “where was compliance,” “what was the company doing with data it received,” and what was the culture at the company that might have tipped someone to “committing a fraudulent act.”
This is a change of focus. When the Fraud Section summoned me in 2007, the questions were “tell us about your crimes, when you did them, who you did them with, and other crimes your observed.” It wasn’t a conversation about compliance, ethics, culture or tone.
The closing panel was “The Maturing of a Profession: The Rise of Compliance 2.0.” It included Keith Darcy and was moderated and led by Donna Boehme.
Donna — a champion of the Compliance 2.0 — talked about the new model of compliance that allows compliance leaders to do “to their job well, with independence, empowerment and subject matter expertise.” She also talked about the “criticality of independence.”
Keith advised attendees to learn the business, and that it’s not one size fits all. He said “understanding the business makes you a better compliance officer.”
That gets back to incentives. What better place to start examining commercial practices and challenges than with a review of growth plans, incentives, bonus packages and variable compensation?
We know that front-line teams don’t report into compliance leaders. They report to their managers who expect, at some level, to have business growth strategy executed in the field. Where those forecasts and incentives are aggressive, especially in low integrity regions, compliance can be an integral part of helping the business to manage those risks successfully, compliantly, and legally.
But that doesn’t happen by itself. It’s about recognizing that business and compliance teams need to emerge from existing organizational silos and embrace that we are all responsible for each other’s work. As Donna Boehme put it, compliance needs to have a line of sight into the business.
Richard Bistrong is a contributing editor of the FCPA Blog and CEO of Front-Line Anti-Bribery LLC. He was named one of Ethisphere’s 100 Most Influential in Business Ethics for 2015. He consults, writes and speaks about compliance issues. He can be contacted by email here and on twitter @richardbistrong. He’ll be a speaker at the FCPA Blog NYC Conference 2016.
Thank you Richard! Compliance 2.0 has indeed arrived, and I share your excitement upon seeing the principles embraced by both the SEC and DOJ! That's the last nail in the coffin of the old flawed model of Compliance as a captive arm of Legal. n its place, we see Compliance2.0 rising as a recognized,empowered Subject Matter Expert, independent from Legal with line of sight, seat at the table, and resources to do the job well. Our infographic was launched at @CW_2016 and a new website, with supporting resources, and a podcast series are all coming soon!
Richard – You have identified two specifics i.e. front line teams and low integrity regions. That is wonderful. What was Internal audit function treated as “unnecessary”, can’t afford” decades ago has gotten and became an important and “cannot do without it” function. Compliance Officers are not buskers (google who is a busker). They need a team of people to make sure the word compliance has a meaning, purpose behind it. Furthermore, software and data analytics cannot be entirely relied upon as there other are primary human factors have to be dealt with boots on the ground. Compliance is a business issue not just a legal matter.
Richard, your report back from the Compliance Week made for an interesting read.
Donna talked about the “criticality of independence.” Fully agreed, but there are several different ways to ensure this independence. Unfettered access to the Board and the chair of the Board Committee that oversees ethics and compliance is a good way for the COO to remain independent. He or she may report to the General Counsel, but can and will by-pass the GC when required. The Board should also be the authority that appoints, remunerates and fires the COO. I can assure you from experience that this type of independence is solid. And it allows the normal administrative organisation and systems of the company to operate for the COO as well (payroll, travel, office space and supplies, etc).
Keith advised attendees to learn the business, and that it’s not one size fits all. He said “understanding the business makes you a better compliance officer.” I couldn't agree more. We need a Compliance function that talks the language that the business speaks and not legalese English (you know the 49 word sentences with 9 comma's!). Being able to connect to the Business in their language (and being able to convey their questions to Compliance lawyers in the language that lawyers understand) is crucial for an effective Compliance activity.
Thank you to Donna, Subash and Frank, those are all outstanding points. Frank, I appreciate your focusing on the need for "unfettered access to the board" as being critical, even if the CCO reports to the GC. I also agree with Subash in that an over-reliance on software and data without addressing the human narrative can end up where we have a "risk-based process" missing real-world risk. Donna said it quite well, compliance needs a line of sight into the business, and that's a human line not just a "data dump." Again, thank you for sharing your perspectives.
Comments are closed for this article!