As many compliance officers know, being a compliance department of one, even with some administrative support, is difficult enough. What if you're an organization's first-ever compliance officer? How do you go about building a program from scratch?

The initial and most important step is ensuring that the program is correctly positioned, says Donna Boehme, principal with Compliance Strategists. “The correct selection, positioning and structuring of the compliance officer and compliance function within the company—getting this step right can make the difference between good self-governance and becoming the next Wall Street Journal headline.”

That means that the chief compliance officer needs enough autonomy from management that he or she can speak independently, yet be confident of being heard, Boehme says. Increasingly, strong compliance programs have their compliance officers report to the organization's chief executive officer, rather than the general counsel. The officers also enjoy direct access to the board of directors.

In addition, a strong ethical culture in an organization is an essential component of any effective ethics and compliance program, and management plays a central role in promoting it. “Leaders and managers at all levels in an organization have a special responsibility to lead by example, promote the values of the organization, and ‘walk the talk,’” says Greg Triguba, owner and principal of Compliance Integrity Solutions, LLC.

In 2005, John Hairston began building a centralized compliance program based on several decentralized initiatives at $3 billion Bonneville Power Administration (BPA), a federal non-profit marketer of electric power based in Portland, Oregon. “We wanted to design a program that would centrally address the reliability standards and other components (of compliance), like Sarbanes-Oxley,” says Hairston. As a power company, BPA is governed by a number of regulations, including those that govern financial reporting, as well as standards issued by the North American Electric Reliability Corporation (NERC); these define the reliability requirements for planning and operating the bulk power system in use across North America.

Previously, the compliance function was distributed across different areas of the organization, Hairston says. Not only were responsibilities decentralized, but “it was at the time the classic ‘fox guarding the henhouse,’” he says. The same business unit employees who performed the work then verified that it was in compliance. BPA management and Hairston wanted to develop a more traditional approach to compliance, in which an independent group would evaluate activities in the business units to determine whether they were in compliance. In addition, BPA wanted to create a group that could maintain an active, ongoing conversation with the regulatory bodies most relevant to the organization.

For instance, as a power company, BPA is required to keep trees and other vegetation a certain distance from transmission towers and lines; this reduces the risk of a blackout when storms uproot them. While employees in BPA's transmission area are responsible for ensuring the trees are properly placed or cut back, compliance employees either conduct spot audits or review photos that demonstrate compliance.

Throughout this process, Hairston has been able to communicate readily with senior management. He reports to BPA's deputy administrator, and his team brings potential compliance issues to monthly meetings of the audit and internal controls management committee, where they are discussed with BPA's chief operating officers and vice presidents, along with the deputy administrator. “I have a direct line of communication to managers, with ongoing input and interaction,” he says.

At the same time, Hairston says his ability to develop relationships with BPA's roughly 3,000 employees has also been key to the program's success. To help in that regard, Hairston and his team work with about 400 subject matter experts (SMEs) across the company. These individuals sit within the business units but are each assigned different elements of the relevant regulations. So, SMEs within vegetation management would be responsible for ensuring that the applicable rules are followed. “It's an important distinction, because we (in compliance) can't perform the actual work. The transmission business does, so they have to understand the regulations,” Hairston says. His group then audits and verifies that the work was done correctly.


“Building strong relationships and partnerships across an organization is an important step in leading and managing an effective ethics and compliance program,” Triguba says. As an example, partnering with functional areas such as human resources, internal audit, communications, corporate security, and IT is invaluable to effectively integrating ethics and compliance programs, standards, and principles into the business. “These are some of the key partnerships in the organization needed to help you carry the torch and serve as a positive force, helping you advance the success of your ethics and compliance efforts and initiatives,” Triguba adds.

Taking the time to build relationships and to promote the ethics and compliance organization as a helpful, supportive resource rather than a legalistic “watchdog” is an important objective as well. “It makes the ethics and compliance office more approachable, so employees and others feel comfortable coming to you with questions and concerns,” Triguba says.

Working with other areas also helps convey the message that everyone in the organization must take responsibility for compliance. “The biggest misconception we still see today is the idea that the compliance officer ‘does' compliance,” Boehme says. Of course, the compliance officer is an expert resource and coach. However, “he who creates the risk must manage it,” Boehme adds. After all, business managers should be the most knowledgeable about the risks their areas face and the ways to mitigate them.

At BPA, training and communication have been critical in helping employees understand their role in the compliance function, Hairston says. His group makes information on ethics and compliance available on an ongoing basis and through a variety of tools, including Web-based and in-person training, as well as an annual “Compliance Week,” with presentations by different parts of the company and information tables in the cafeteria.

Administration

Along with the steps Hairston and his team took that focused on change management and corporate culture came a number of administrative activities. At the outset, they reviewed and assessed the compliance initiatives already in place. Were written procedures available? If so, were they well understood? The compliance group also evaluated the monitoring and audit functions, looking for any areas that could be improved.

Early on, Hairston also reviewed information on other compliance programs, gaining a sense of what BPA's peers were doing. It became apparent that many were incorporating information from the U.S. Federal Sentencing Guidelines on effective compliance and ethics programs. BPA decided to incorporate the same elements—oversight, chain of command, documenting processes and procedures, reporting, investigation, enforcement, risk assessment—within its program, as well. “We looked at what the Federal government considers effective compliance programs,” Hairston says.

In addition, Hairston encouraged (although he didn't mandate) his managers to gain certification through the Society of Corporate Compliance and Ethics. The training helped ensure that everyone is working from the same base of knowledge.

BPA's internal risk-management experts also completed risk assessments for each element in the program. The assessments covered three levels of risk: agency, compliance, and functional. Hairston provides examples: a risk at the agency level is changing regulations. At the compliance level, a risk would be failing to document all systems and procedures. And a risk at the functional level, such as internal controls, could be an employee's lack of knowledge about the policies on accepting gifts.

“The highest risk areas aren't always obvious,” Boehme points out. For instance, a manufacturing company may focus on compliance with plant safety rules. While that's necessary, of course, management may overlook risks inherent in data privacy regulations.

Hairston also needed to determine what types of systems and processes would be needed to collect compliance data and communicate it to the appropriate regulatory agencies when required. In 2009, BPA implemented a compliance software tool. Data from the reports produced by the company's compliance experts can be entered into the system, which streamlines the process of reviewing, compiling, and submitting the information to the appropriate authorities.

Along with his employees, Hairston continually looks for ways to take BPA's compliance program to the next level. Among other initiatives, they develop new methods to assess and demonstrate the value of compliance, Hairston says. Working to strengthen the compliance culture also is an ongoing endeavor, he adds.

As Hairston's comment indicates, a compliance program is never truly finished. “The job is never done, and if you think it is, then it is a matter of time before the company is in the headlines,” Boehme says.