Yes, yes—corporations everywhere know that demonstrating an effective compliance program is more important today than ever before. Regulators, boards, shareholders, and other groups all are clamoring for proof that your efforts to achieve good conduct are successful.
THE PANELISTS
The following executives participated in the April 26 roundtable on measuring and demonstrating the effectiveness of compliance programs.
Paul Barringer,
VP, Compliance,
Unitedhealth Group
Thomas Bishop,
SVP, Compliance Officer & General Counsel,
Georgia Power
Jill Edmondson,
Manager, Corporate Compliance,
The Home Depot
Steve McGraw,
President & CEO, Compliance 360
Scarlett May,
VP, General Counsel & Secretary,
Ruby Tuesday
Ronald Lepionka,
VP, Chief Auditor,
Internal Audit,
AGL Resources
Bob Miromonti,
VP, Ethics & Compliance,
Centene Corp.
Peter Stanos,
VP, Compliance,
IASIS Healthcare
Randy Stephens,
Division Counsel, Compliance & Records Management,
Family Dollar Stores, Inc.
John Todd,
Deputy Chief Compliance Officer,
Aetna
Tim Tripp,
VP, Internal Audit/SOX,
Newell Rubbermaid, Inc.
For More Information on Compliance Week Roundtables
Compliance360 Survey on Effective Compliance
So how do you actually do it?
That was the question that occupied nearly a dozen compliance and audit executives at Compliance Week's most recent editorial roundtable, hosted with software firm Compliance 360 in Atlanta. All agreed that regulators have been more forthcoming in specifying exactly what they want a compliance program to do. But many questions remain: What are the best reporting structures? What technology and infrastructure should be used? How are policies best communicated, and what types of training programs should be used?
“Across industries, we are seeing boards of directors and regulators beginning to look beyond the mere existence of compliance programs; looking for evidence that the programs are actually working,” said Steve McGraw, president and CEO of Compliance 360. “Their focus is on the ability to demonstrate that compliance programs are proactive and preventative in nature.”
The prime example of that trend is the increasing demand from regulators to see data on their compliance practices. Indeed, many roundtable participants said they don't worry so much about whether their companies are actually in regulatory compliance, as much as they worry about whether the data they provide to regulators proves that point.
Most companies have “fairly robust compliance programs, so we're comfortable that we're doing the right thing,” explained Ronald Lepionka, chief audit executive at AGL Resources, a natural gas distributor in Atlanta. However, effectively capturing the detailed information to report compliance to regulators is a much more difficult exercise.
The question many companies struggle with, in particular, is what kind of data should be tracked that gives regulators the ability to say “yes, you are doing the right thing, and this data demonstrates you have an effective compliance program,” McGraw said. “That data varies industry by industry.”
“We are going to have to rethink what our products look like, what regulators we deal with, and how we develop relationships with them,” said John Todd, deputy chief compliance officer for the $34 billion health insurer Aetna.
The challenge is that regulators often ask for different data, or sometimes for the same data in different ways, Todd said. For example, healthcare reform requires insurers to report annually their medical-loss ratio—the amount of premium revenue they spend on medical care and services. But state and federal regulators don't have uniform definitions regarding administrative costs, or what constitutes quality improvement activities. “Asking us to maintain that data is presenting huge challenges for us,” Todd said.
Regulators are also doing validation audits to ensure the data supplied to them is correct. Many attendees doubted, however, that regulators even understand what all the data means, much less what to do with it once they have it. Regardless, roundtable participants agreed that one sign of an effective compliance program is the ability to provide reliable data quickly, whether for use internally or to satisfy a regulatory request.
Got Compliance? Prove It
Companies in highly regulated industries, such as healthcare and financial services, have the most at stake, as regulators continue to ratchet up enforcement activity in these sectors. Some roundtable participants from the healthcare industry expressed the concerns that rising regulatory pressure has even led to the government becoming more involved in what those compliance efforts should entail.
“This has been heightened by the passage of healthcare reform,” said Paul Barringer, vice president of compliance for the public programs businesses at Unitedhealth Group. Under the healthcare reform laws passed last year, companies are now required to implement certain compliance plans, where before they were voluntary.
“The pace of this shift varies by industry,” McGraw added. “The most highly regulated industries, including healthcare and financial services, seem to be moving rapidly compared to others.”
According to a survey of 846 compliance professionals in the healthcare sector conducted by Compliance 360, 84 percent of insurers and 79 percent of healthcare providers ranked “demonstrating compliance effectiveness” as one of their top priorities. Health plans cited pressure from Centers for Medicare & Medicaid Services, which administers those programs, (83 percent) and other regulatory pressures (48 percent) as their top two drivers for demonstrating compliance effectiveness. “Health plans need to ensure that they are crossing t's and dotting i's appropriately,” Barringer said.
Family Dollar Stores Division Counsel, Compliance, Randy Stephens shares some insights (left), while Paul Barringer, VP, compliance at Unitedhealth Group, looks on.
“The pace of this shift varies by industry,” said Steve McGraw, president and CEO of Compliance 360. “The most highly regulated industries, including healthcare and financial services, seem to be moving rapidly compared to others.”
Banks and other financial services firms are also feeling the pressure to prove they have robust systems in place to keep themselves on the staight and narrow. According to a separate Compliance 360 survey, 71 percent of banks and 84 percent of other financial services firms ranked “demonstrating compliance effectiveness” as one of their top priorities. The banks cited “increasing regulatory focus from the Dodd-Frank Act” as their top driver. Across other industries, the need to demonstrate compliance effectiveness was noted as a top priority by at least three out of four of the survey participants.
Another party pressuring compliance officers on demonstrating effectiveness: their bosses in the boardrooms. Numerous roundtable participants said board directors increasingly want to understand how mature their companies' ethics and compliance programs are, and how well those programs have resolved any past issues.
Boards want to know, “What are we doing to ensure that we don't make the front page of the paper?” stated Bob Miromonti, vice president of ethics and compliance at Centene Corp.
Throughout the Compliance 360 surveys, pressure from the board ranked as one of the top four drivers for demonstrating compliance effectiveness, across all the industries surveyed. Roundtable participants agreed that good compliance programs should provide plenty of feedback to the board, and include reporting structures that emphasize accountability to the board.
Cultural Concerns
Attendees also discussed communication and training efforts, so that employees know how to put compliance programs to good use. Whistleblower hotlines came up as one tool where training is critical, since almost all public companies have hotlines but not all of them are put to full use. “The key for us is making sure people know about it, how to use it, and more importantly, that the employees understand what their obligations are in that light,” said Tim Tripp, vice president of internal audit at Newell Rubbermaid.
Likewise, compliance programs should also focus on encouraging those who know about misconduct to step forward and report it—because, as Todd said, “there is always someone in the company who knows what's going wrong. The issue is not so much discovering it as much as it is making sure those who know communicate it to those who need to know.”
Peter Stanos, VP, compliance at IASIS Healthcare joins the discussion. At left is Jill Edmondson, manager, corporate compliance, for The Home Depot.
Encouraging that freedom to speak up really gets to questions of corporate culture. Miromonti said Centene tackles that issue via an employee survey, and the CEO then focusing his attention on the small portion of employees who don't feel comfortable speaking up—wanting to know why that is, Miromonti said, and how to tell that group that they can.
Still, while such tone at the top is laudable, roundtable participants said they worry just as much about tone at the middle. Assuming employees are comfortable enough to report problems to managers, the question then becomes how well are managers being trained to address those complaints. “If the practices put into action in the middle are broken, the tone at the top can't really make a difference,” McGraw said.
At Centene, rather than simply talk about compliance requirements during training, the company tries to engage employees via case studies, linking real compliance issues to their day-to-day jobs, Miromonti said. “We've been having a lot of success with that,” he said.
Roundtable participants all agreed that regulators are likely to keep pressuring them on the systems they use to ensure compliance, which will compel companies to pay more attention to measuring and demonstrating the effectiveness of their programs. “The data will vary by industry but the compilation of key compliance program data will be imperative in managing board and regulatory expectations,” McGraw said.
To that extent, tracking and maintaining the data needed to demonstrate evidence of compliance is becoming critical. Moreover, providing full visibility to the board and developing relationships that facilitate trust with regulators are important as well.
“We can't just be reactive,” Barringer said. “We have to be proactive—not just meeting the expectations of regulators, but exceeding them.”
No comments yet