One of the most interesting tag lines I heard at Compliance Week 2016 was the following, if you want to work in my compliance department; you need to learn how to read a balance sheet. I thought that single line encapsulated the change in the compliance function over the past few years more than any other. Why, because it speaks to the change of compliance from being centered in the legal department, run by lawyers as a rules based program, to fully understanding that compliance is a business process that needs to centered in its own discipline. For if you cannot read a balance sheet you cannot bring a positive value to a business unit.
Several different speakers emphasized this point during the conference, each coming at it from different angles. From the regulatory angle, Andrew Weissmann, Chief of the Department of Justice (DOJ) Criminal Division’s Fraud Section, spoke in terms of the operationalization of compliance as a key metric the DOJ will use to evaluate a compliance program under its new Pilot Program. Weissmann said the DOJ wants to know if the if business unit of a company is responsible for at least a part of compliance. Weissmann had an interesting angle on the real problem for a Chief Compliance Officer (CCO) stating that if compliance is not embedded into the business, that problem is that the CCO simply becomes a policeman, telling the business unit what it cannot do. Or as I would say, being Dr. No from the Land of No.
Speaking on the same panel, Stephen L. Cohen, Associate Director of Enforcement, Securities and Exchange Commission (SEC) came at it from the angle of CCO involvement in the overall strategy and budgeting process of an organization. Cohen had several questions he would ask to determine the level of CCO independence within an organization. First and foremost, is the CCO a part of the senior management or the C-Suite? Is the CCO part of regular meetings of this group? He also would want to specifically know if the CCO was a part of overall strategy and company budgetary meetings?
In addition to the foregoing, Cohen had some additional questions he would consider. The first was who could over-rule the decision by a CCO within an organization? He would also inquire into who is making the decisions around salary and compensation for the CCO? Is it the CEO, the GC, the Audit Committee of the Board or some other person or group?
These views are an extension of what the DOJ Compliance Counsel Hui Chen spoke about when she began publicly speaking in her new role, particularly last fall at the New York University Program on Corporate Compliance and Enforcement public forum. At the forum, Chen stated there should be some significant thought put into a company’s compliance program. She expounded that stakeholders need to be a part of your compliance program design process and have input into the compliance internal controls.
Chen also made clear that your compliance program should be tied to the functional unit of a company. This means that Human Resources (HR), Payment, Audit, Vendor Management, IT, Supply Chain and all traditional indirect cost functions need to be involved in the operation of your compliance program in their respective areas of influence. Tied with the operationalization is the evidence that you, as the CCO or compliance practitioner, got out of your office and met with the stakeholders of your compliance program. This is more than simply in your compliance program design, it includes the compliance program implementation. She suggested evidence to show more than compliance simply had a seat at the table but that compliance was actively involved with operational decision-making.
Chen also noted compliance needs to be a part of the discussions around how compensation systems are designed and particularly around discretionary bonus systems. She admitted that compliance’s views on compensation are not always sought but in her mind it is one area that, if utilized, would demonstrate a commitment to compliance by the organization.
Operationalizing compliance requires providing resources to the compliance function. This mean more than monetary resources or even head count. In her remarks, Chen specified the twin resources of attention and commitment. This means how often do you meet personally with your Chief Executive Officer (CEO), Audit Committee of the Board and the full Board of Directors? Chen said that she would inquire into the details of these briefings, so, for instance, are the briefings based on employee surveys, quantitative data or is it simply anecdotal information? She said that it is important that compliance have a real dialogue with the C-Suite and not a rote briefing.
Interestingly another conference session featured three compliance professionals who have had the experience of making presentations to the DOJ where the new Compliance Counsel was present. All three spoke about Chen testing whether the compliance program was “real”, meaning had they been able to operationalize it into the organization. This step of operationalizing your compliance program entails moving far beyond being Dr. No from the Land of No. You have to move your compliance initiatives down into the business functions that oversee each step of the process. This means working with HR, IT, Internal Audit, Finance, Sales, Marketing, Business Development, Supply Chain and all the other corporate functions.
If you want to get into a compliance function, you are going to have to know more than simply the Foreign Corrupt Practices Act (FCPA), other laws, rules and regulations. You have to be seen as a part of the business that actually gets things done. Looking and playing lawyer is not going to get it done because the role of in-house counsel is to protect the company, sometimes from outside forces and sometimes from inside the organization. Operationalizing compliance means embedding the processes of compliance into each unit within the organization. Can anyone consider HR not being a compliance risk after the BNY Mellon and Qualcomm FCPA enforcement actions? Putting anti-corruption compliance processes into HR is mandatory now but if you do not understand how HR works, you will not be able to advise them how to do so.
This is the same with every other functional organization in a company. If you cannot read a balance sheet, you cannot perform the most basic function in a business. So if you want to get into the compliance profession… learn how to read a balance sheet.
The operationalization of compliance will require the compliance practitioner to understand the business.Click to tweet
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2016