As compliance continues to evolve from a list of necessary evils to a strategic initiative, Deloitte is offering senior business leaders and board members some insight into how leading organizations are taking their compliance efforts to the next level.

Deloitte has published a new booklet, Enterprise compliance: The Risk Intelligent approach, to explain the key components of enterprise compliance and serve as a practical guide to address some tough questions that boards and senior executives should be asking. As government regulations continue to deepen around the world, and indeed overlap for companies operating in multiple jurisdictions, the role of compliance only continues to grow as well, the firm says. The most progressive compliance functions are evolving beyond rudimentary activities and evolving to more integrated, strategic operations within organizations, says Robert Biskup, director at Deloitte Financial Advisory Services, who is presenting this week at the Compliance Week 2013 conference.

“You could almost think of it as a third generation of compliance programs,” says Biskup. The first generation involved some basic codes of conduct and hotlines following Enron and Sarbanes-Oxley, he says, and the second generation can be seen as a continued building on basic structures, with compliance departments, dedicated resources, and increased board oversight and governance. “In this third generation, we are seeing from Washington and the states that there needs to be more integration. The tactics are good, but it needs to be more at a strategic level. Companies should be thinking about compliance broadly across their business operations."

Deloitte's booklet offers some of the questions boards and senior managers should be thinking about to aspire to such a compliance approach, such as how they should identify, monitor, and adjust for emerging compliance risks and requirements, and how to assure employees understand their responsibilities as it pertains to compliance. It also addresses how boards can determine whether resources devoted to compliance programs are adequate and aligned with the organization's risk appetite, and how to look for ways to reduce compliance costs while also increasing their value.

The “third generation” compliance process would be built around a governance concept that there would be a person in charge of compliance who has authority and respect within the organization and who would report directly to the board of directors, says Donna Epps, a partner with Deloitte Financial Advisory Services who also is presenting at the Compliance Week conference. “The concept of risk assessment is really important,” she says. “Where do you put your time, your personnel resources, your money, your investment in data capture or data analytics?” Then companies need to determine what kind of organizational structure makes the most sense for their particular circumstances, she says.

Obstacles to such an approach can vary, but the challenge is to figure out a way to operationalize it, says Epps. “There is no one black-and-white answer,” she says. “It has to be based on what works in that organizations and what addresses the particular compliance risks of that organization. It can be overwhelming.”