Compliance risk management starts at the top, but depends on the front line

Compliance would be easy—well, easier—if the Chief Compliance Officer controlled all of the business processes that create compliance risks for the organization.

In the real world, the decisions and actions that add up to compliance happen all over the organization. Business leaders make decisions while balancing multiple concerns and competing objectives. It isn’t a surprise to any seasoned CCO that compliance isn’t always the top priority. As a result, it’s up to the CCO to understand the business and to exert influence over those decisions that drive critical compliance risks. And if that isn’t hard enough, CCOs also need effective processes to identify and measure those risks on an ongoing, real-time basis.

At Deloitte, we focus a lot on these challenges. Our Enterprise Compliance practice represents a significant investment in the development of effective compliance risk management techniques that can work in today’s fast moving and decentralized organizations. That starts by harnessing the power of effective practices that are already in place at companies in all industries.

At the recent Cross-Industry Compliance Leadership Summit at Deloitte University, I had the chance to moderate a discussion about compliance risk management that included voices from finance, health care, entertainment, retail, consumer products, and other fields. Their different experiences were illuminating—and a number of common themes emerged.

Compliance and operations cannot be separated. Many leaders in the compliance field have already acknowledged that the compliance function within a company can’t be effective if it operates in a silo. It has become critical for the compliance people to get out “in the field” and know the business. What our summit participants made clear is that, regardless of industry, strong compliance and superior performance are highly correlated. As one seasoned participant put it: “When you see bad scores on the integrity side, you’re also seeing bad scores on the management side. They go right together.”

Compliance starts at the top, but works in the middle. Few would deny it takes leadership buy-in to develop a strong compliance program. Compliance won’t work if it doesn’t start at the top. But this was another area in which our summit conversation upped the ante. Yes, board and C-suite buy-in are critical, but it’s front-line managers who carry the daily burden of sensing risk and driving compliance.

Not everyone in the room shared the same level of enthusiasm for the “three lines of defense” structure that many regulators emphasize, especially in financial services, where the first line is risk management within the line of business, the second is compliance or risk management oversight, and the third is internal audit. Some participants were concerned that trying to create a truly “independent” second line means the important role of trusted advisor is lost: first-line managers may be less comfortable consulting with the compliance function if the lines are drawn too strictly.

“It’s not about training the tone at the top. That’s a low bid, and most have already anted up,” an executive noted. In all industries, the challenge of the day is to create robust compliance programs while keeping an open line into the business and middle management.

Lines of communication–human and digital–are vital. Is no news good news? Sometimes, silence means you aren’t hearing the things you need to hear. Making sure your organization has an open dialogue about risk takes more than just communication; it takes communication about communication. People need to know the organization not only tolerates openness, but rewards it. That speaking up won’t get you reprimanded, or worse. And that when employees speak up about potential trouble spots, it leads to positive action.

As one participant put it, “Whenever you hear about significant events, somebody knew these significant events were happening. How do you use the employees you have to be your eyes and ears on the field?”

As information flows freely among people, it must flow broadly within systems. Data and analytics are key components of a compliance risk management approach that heads off problems instead of just responding to them. Tracking and identifying traditional compliance metrics is important, but many companies focus on the past rather than attempt to predict future compliance failures.

Imagine a system that “notices” innocuous patterns and behaviors and correlates them with potential risk issues. The data is certainly available, but the challenge that remains is to understand its predictive value. “I don’t yet know which of [our available] data points are really indicative of expected misbehavior long-term, but I’d really like to get to a place where I can collect it and use analytics to start identifying predictors,” one executive said.

Building those capabilities, and developing a fuller recognition of the way operations and compliance intertwine, is a work in progress for most companies. The tools are there to carry that work forward. The willingness to make the investments that put them to use is something each company must develop.

“We understand the metrics of the business that managers use to manage on a daily basis, but we in compliance are not used to managing data that way,” a financial services company compliance chief at the summit said. “We’ve got to be as savvy as any other ‘quant team’ in the company.”

Nicole Sandford
Partner
Deloitte Advisory
Deloitte & Touche LLP
