Compliance officers might be a bit dispirited by a new study of policy-management efforts in Corporate America, which shows that companies are making some improvements at the task but still struggling to achieve the mythical “effective” compliance program amid increasing regulation and tough budgets.

The survey, conducted by consulting firm Duff & Phelps, polled 380 compliance, risk, and audit executives in the public, private, non-profit, and government sectors. The result was a mixed picture of some progress (82 percent of respondents now document all policies formally) but also of bad habits (50 percent don’t use a standard template when doing so) that companies haven’t yet stopped.

Robert Kirtley, managing director at Duff & Phelps, notes two other worrying signals from the study. First, the pressure to “do more with less” is straining compliance programs. “Most compliance departments are not funded at the level that most chief compliance officers would like,” he says. With limited resources comes the inability to investigate fully every issue that raises concerns, he warns, and that often results in compliance failures that go undiscovered until a company is hit with a lawsuit or regulatory probe.

Second, 80 percent of respondents said they still “silo” the creation and management of specific corporate policies, based on different regulations, risks, locations, or business units. That’s bad, Kirtley says. “If you don’t have an overarching view of compliance, you might not have any one person that sees that there are a series of small issues that, viewed in combination, add up to a big red flag, indicating a serious problem.”

For multinational corporations, in particular, not taking an enterprise-level approach runs the risk of having “divergent, country-based compliance activities,” Kirtley says. A centralized policy-management program will (ideally) bring a coordinated view of policy management to the organization and the board, the study said.

Deon Minnaar, a partner in the risk and compliance advisory practice at KPMG, says compliance officers should also break the silo mentality for a more prosaic reason: It can spare the compliance department some costs. Given the limited resources in most budgets today, he says, forging partnerships with other departments can help to embed company policies in the minds of the workforce more effectively. “It's very tough to achieve that in a siloed approach,” he says.

A siloed approach to generating and managing policies also raises the risk of conflicting or outdated policies, Minnaar warns, and the Duff & Phelps survey echoed that concern.

“Often, casting the net too wide simply results in the accumulation of numerous overlapping, redundant, and out-of-date policies,” the study said. “Many times the lack of a centralized policy management function lies at the center of these issues.”

One bit of good news: A plurality of respondents (19.2 percent) said the compliance department has primary responsibility for policy management at their business. “It's vital that compliance has a seat at the table in the development of corporate policies and corporate values,” Kirtley says. “If the compliance department doesn’t play a key role, or is inadequately funded, employees will infer that the company really doesn’t value compliance.”

Policy Management

The study also indicated that companies deploy a wide range of efforts to manage policies effectively. A large majority of respondents (79 percent) said they disseminate new policies via a company intranet. Kirtley, however, says that while distribution by intranet is absolutely necessary, it cannot be the sole channel of communication.

[Chart: Policy Management by Function. In heavily regulated industries, Compliance and Legal many times oversee the policy governance process as CLOs/CCOs usually have responsibility in the event of an infraction, yet the survey results suggest the opposite. Source: Duff & Phelps (December 2009)]

“Just notifying people or making information available doesn’t necessarily guarantee people are actually going to read the information,” he says. Indeed, the study found that while policy distribution via intranet is most common, distribution by channels such as e-mails, newsletters, or bulletins sent directly to employees is still considered more effective. The most effective tool, survey respondents said, was required training and follow-up employee certification or testing.

“You have to keep reinforcing the message,” Kirtley says. “If you just put it out there and hope people read it, that’s not going to be enough.”

Global corporations with thousands of employees across many countries have the additional problem that even with centralized policy management, centralized policies themselves (that apply to everyone, everywhere) are rarely practical. Laws, regulations, or even internal operations at various locations may mean that some policies don’t apply or won’t work as originally drafted by corporate headquarters.

“Eventually these companies need to distribute the policies to the individuals within the organization, and within their supply chain,” says Gary Fingerhut, senior vice president of software provider Axentis, a part of Wolters Kluwer’s Financial and Compliance Services division. “You can’t inundate your employees with things that are not applicable to their job. These business rules can get pretty finite.”

[Chart: Effective Policy Management. How do the companies in the Duff & Phelps survey ensure effective policy management? Source: Duff & Phelps (December 2009)]

That raises the idea of using a software tool to draft template policies, which can then be vetted for specific locations or functions as necessary. Not surprisingly, Fingerhut (whose company sells such software) is a proponent of such an approach. Ideally, he says, such a compliance system could even track failures or non-compliance with policy.

From there, compliance departments should also verify that employees internalize what they’re supposed to be doing, says Kirtley. Internal audits are one way to achieve this, yet fewer than half of respondents (48 percent) report using them.

Companies not tracking employee performance against policy are taking a big risk, Kirtley says: They are creating policy and tracking regulatory changes, “but not actually looking at outcomes, and whether training was effective, whether behavior has changed … they are not validating that they’re doing what they need to do in order to achieve compliance.”

That can come back to haunt a company once regulators start investigating some infraction and come to believe the company was not serious about its compliance efforts—which can lead to harsher penalties, more onerous structural reforms, or even appointment of a compliance monitor. Creating a corporate culture where compliance is measured and monitored constantly is essential, Kirtley says. “It can’t just be a one-shot deal,” he says. “You need to be able to identify what’s working and what’s not so you can make the compliance program better.”