All businesses are subject to regulations, some more than others. In healthcare, financial services, energy, defense, and high-tech sectors, regulatory demands are onerous and complex, and more so if the business is global.

Business leaders are compelled to respond. Apart from penalties and fines, violations or even lack of effective compliance programs can result in loss of customers, markets, investors, and at times, the ability to get financing and required licenses to stay in business.

And, if a violation becomes public (easy in today’s information environment), the negative effect on the brand and reputation can be especially harmful, diluting trust in the business and its offerings for years to come.

Of even greater concern is the possibility of individual prosecutions (civil and criminal) for even deliberate disregard or negligence in responding to regulatory mandates. The US Department of Justice continues to focus on prosecuting individuals (particularly those in authority) as a better deterrent.

This article advises business leaders on how to respond to regulatory demands in a strategic way to satisfy their obligations and to establish a maximally effective compliance function.

Leadership response

Active leadership involvement is considered by regulatory authorities as instrumental to any company’s compliance effort.

Per the US Department of Justice, (among factors impacting compliance) “… the most important is the role and conduct of management”. And, per the US Department of Treasury, “… for a compliance program to be effective, it should have the demonstrable support of leadership”.

Obviously, regulators understand that without a modicum of direct and committed leadership, compliance is prone to weakness or failure.

Even so, the impetus to respond to regulatory exposure varies. At one extreme, regulatory risk is overlooked, underestimated, or sacrificed in pursuit of other priorities. Consequently, compliance gets peripheral attention, only scrutinized event by event or, worse, ignored altogether.

At the other extreme, there are outright demands for compliance by customers, the company board, regulators, key partners and vendors, or by risk assessors and auditors. Leadership is then compelled to respond.

Ideally, compliance risks ought to be well understood and assumed upfront as integral to the organization’s overall risk posture. This should be followed by focused and competent response by the company leadership and the board.

Taking Action

So what should business leadership do? The usual advice is to cultivate “tone at the top”, pursue a “culture of compliance”, and “walk the walk”. These do help but are inadequate. Same applies to the singular emphasis on integrity and ethics. It helps but it is insufficient.

What is needed is a deliberate approach to assimilate compliance in the actual workings of the organization. To put it another way, compliance must be designed-in so that it is intrinsic to how the organization routinely conducts itself.

Too often compliance staff is sporadically added or the compliance team positioned as an appendage in the organizational architecture. This is akin to managing talent without an integrated HR function or ensuring accurate financial reporting without a standards-based accounting function. No wonder compliance is often a struggle and potential violations (of at least related policies and directives) a persistent source of angst.

The solution is to establish a strategically positioned compliance function within the formal organizational hierarchy with sufficient reach and competence to become a participant in company decisions, direction, and relationships.

The US Department of Justice expects compliance programs to be well designed, in good faith and work in practice. This means compliance is not simply a patchwork of policies, mandates, processes and alerts. And, it is certainly not an occasional distraction or after-thought.

A practical checklist for company leaders

Taking the range of regulatory guidance and expert advice into account, the following twenty questions can serve as a checklist, assessment tool, and action plan for company leadership to ensure effective compliance.

Have you …

1. Issued clear and unequivocal statements committing your company to regulatory compliance, including your approach to achieving it? (In a code of conduct, mission or values statement, corporate policy, and similar documents).

2. Formed a board committee (or assigned an existing one) with sufficient expertise to regularly engage, understand, assess, oversee and respond to compliance concerns and challenges?

3. Established a high-level risk and compliance committee consisting of operational and functional leaders to be informed, and to deliberate, resolve, and support the compliance function with mandates, direction and oversight?

4. Appointed a chief compliance officer (CCO) and support staff, as needed, with sufficient stature, autonomy and direct access to company leadership and the board?

5. Structured the compliance function for autonomy and independence from business operations and other departments, such as, marketing and sales, to ensure its objectivity and avoid conflicts of interest?

6. Positioned the compliance department to have status comparable to other necessary functions, e.g., HR, finance, tax, sales, security, etc.?

7. Delegated frontline compliance responsibility within operations and relevant functions, such as, through the three lines of defense COSO protocol, to ensure transactional oversight and control?

8. Established compliance accountability (including disciplinary actions) and incentives (including promotions and bonuses) for the organization’s leaders and managers regardless of their assigned operational or functional responsibility?

9. Added conflict of interest screening, compliance or policy violations, and overall commitment to compliance in your hiring, assignment, and promotion decisions?

10. Ensured that all strategic decisions, including new business pursuits, product or service offerings, client and vendor agreements, partner and JV arrangements, and acquisitions or mergers are subject to review and input from the compliance function at the outset?

11. Implemented regulatory due diligence processes to evaluate all third party relationships, including vendors, contractors, partners, and new hires prior to executing applicable agreements and onboarding?

12. Implemented a third party qualification and control program to screen, evaluate, monitor, assess, support, train, integrate and commit third parties to meet company compliance standards?

13. Positioned and empowered the compliance function to access relevant operational data and information to enable comprehensive regulatory oversight?

14. Included compliance in company-wide risk assessments and mitigation efforts using specialized regulatory subject matter expertise?

15. Directed the audit function to develop or acquire specific subject-matter capability, especially for high-risk compliance exposures, and empowered it to investigate and report critical findings to company leadership/board?

16. Implemented a hotline, comment mailboxes, trip wires and other red flag reporting mechanisms (with protection from intimidation and retaliation for whistleblowers) to alert you to policy and regulatory violations, unwanted compliance events, and enforcement actions?

17. Implemented a central company-wide program for tracking violations and remediation, supplemented by secure processes for self-reporting and voluntary disclosures?

18. Ensured that costs of compliance are fully incorporated in the feasibility of any business expansion, project or venture?

19. Regularly reviewed the compliance budget allocation to ensure that there is sufficient latitude for it to successfully execute its charter, including the cost of expertise and talent, training and development, legal resources, professional association memberships, travel, investigations, and technology?

20. Mandated that business unit P&L’s incorporate compliance costs (objectively determined or verified by the compliance and accounting functions) as integral to their overhead? Note: Carrying compliance costs solely at the corporate level fails to truly assign compliance responsibility and account for the true cost of the operation or business pursuit.

Many of the actions implied by the above questions are commonly prescribed. Others are suggested only in specific circumstances. But to achieve full impact, all are necessary to establish a compliance function that has legitimacy, authority, reach, resources, and feedback to effectively pursue its mission. And, for any compliance program to be truly effective.

And, while rogue events can never be entirely prevented, diligently addressing each of the above questions will minimize such events and demonstrate that the leadership has done its part.

Some caveats

In the effort to enhance compliance, the following presumptions are essential:

a. Execution of compliance initiatives and programs must be assigned to compliance professionals (not just a good manager or a smart lawyer — unless trained and experienced in compliance). Compliance is an established and specialized endeavor.

b. Compliance critically depends on the effectiveness of other functions. For example, if accounting lacks adequate processes and standards, the compliance function will have difficulty implementing controls to prevent money laundering or bribery; if procurement is lax in vendor onboarding and monitoring, the compliance function will have difficulty screening for sanctions and imposing compliance protocols; if logistics is unable to control the supply chain, the compliance function will have difficulty preventing prohibited transactions, e.g., exports to embargoed destinations, and so on.

c. The use of consultants may be helpful, but it is often a distraction. Only fully imbedded consultants will have sufficient knowledge of the company and its organization to define and execute compliance initiatives. There is no substitute for intimate familiarity with the people, operations, direction, challenges, and structural characteristics of the enterprise in the design and conduct of compliance.

Final word

None of the leadership involvements suggested in this article should result in additional outlays over and above what is already budgeted for compliance. If they do happen to materially increase compliance costs, it will be fair to assume that compliance is not adequately resourced. This in itself is a matter for leadership deliberation.

On the other hand, positive actions resulting from the questions above could significantly reduce compliance costs, not just from preventing violations but because of the enhanced efficiency and effectiveness of the compliance program and function.

And finally, it must be said that lack of direct and sincere leadership engagement in compliance is not only untenable but potentially a dereliction of regulatory responsibility. The guidance in this article is a practical way for company leadership to do its part to achieve effective compliance and to avoid being complicit in its weakness or failure.