Yesterday I introduced, with the help of the Red Baron, the topic of a Compliance Center of Excellence (CCoE). Today I want to expand out into how a Chief Compliance Officer (CCO) or compliance practitioner would design a Center of Excellence (COE) for compliance.
About the best representation of a CCoE comes from Mark Vaughn, author of the Navint white paper, entitled “Financial Services: Compliance Center of Excellence”.
Through this diagram, Vaughn lays out a way for you to think through your CCoE. He believes a CCoE will be successful, in large part, because of the personnel you assign to it in a variety of areas. These areas include advanced levels of compliance knowledge and compliance competencies and would include training and certifications. Moreover, your CCoE staff must be “capable of working in a consensus-based organization and committed to knowledge sharing, developing and leveraging various standards and methodologies and be able to communicate new approaches and leading practices to the organization.”
This circle clearly represents many concepts that every CCO and compliance practitioner will be quite familiar with from their own experience. Under Risk and Controls environment, it would include the three steps of the risk management process and then add on remediation management. It would also include risk data information, data protection and data privacy components that you would need to test. Finally, if there was a breach, it would facilitate both investigation and root cause analysis.
Policy and Process moves beyond simply compliance policies and procedures to include compliance as a business process, delineating roles and responsibilities. There would be a focus on both reporting requirements and governance. Further, the CCoE would develop metrics and independent testing for verification and feedback.
For Solution Design, there would be focus on the overall compliance regime requirements to provide a functional solution design. This area would provide the support architecture needed to create the infrastructure and roadmap for compliance moving forward. After deployment of new solutions, this area would also provide continued support.
Under Go-Live Support, there is roll out, deployment and ongoing support activities from the CCoE to the business units. This helps to facilitate knowledge transfer and further the operationalization of compliance down to the business unit level. This area would also include certifications, examination and audit support. Finally, it would also facilitate ongoing compliance communication.
In the Requirement Analysis quadrant, there would be a group focusing on your internal control and rule-making lifecycle. It could provide legal analysis of anti-bribery and anti-corruption requirements across the globe, providing consistent definitions which would assist the employee base. You could also include industry benchmarking in this group.
Lastly, the Training and Education grouping would help to develop the compliance training materials for both internal stakeholders and external business relationships such as agents, distributors, vendors, joint venture partners or others similarly situated. This group could also work with your corporate Human Resources (HR) function to communicate company expectations around ethics and compliance throughout the lifecycle of the employment process. It would use social media for ongoing communications on compliance and develop best practices in this area as well.
What would success for a CCoE look like? Here Vaughn has some criteria. A successful CCoE would help to build a tighter and frictionless alignment between the business and infrastructure units — especially compliance, risk, reporting and technology. It could move more quickly and more forcefully to improve the adoption of and adherence to compliance requirements from a wide variety of regulators literally across the globe. It could then pair this with end user solutions supporting compliance reporting with better design, planning, training and fit to purpose tools.
A CCoE would take the lead in developing the strategies and business priorities to meet regulatory compliance initiatives and would work to achieve overall business agility by increasing the success of processes and technology through ongoing improvements. Next it would increase the success of designing and deploying the compliance solutions and technology required to meet compliance requirements; thereby delivering more value, less cost and less time.
Vaughn ends by noting that developing and delivering the compliance needs of any global, multinational organization requires an integrated approach, which in turn requires an interconnected organization aligned to support a common set of goals and objectives, most directly to more fully operationalize your compliance regime. Deploying a CCoE requires the broad participation of the company and the commitment of senior leadership to drive the organizational transformation. This transformation requires a clear vision of the people, process and technology required, properly aligned to support policy, strategy and governance. Applying the principles of a CCoE will provide organizations with the strategic platform they need to more fully operationalize compliance across the ever-widening scope of anti-corruption requirements across the globe.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2018