As risk management intensifies and Washington considers all manner of new regulatory requirements, the wisdom behind establishing and operating a compliance committee continues to get stronger.

For many companies—typically larger organizations or those in highly regulated industries—the compliance committee is alive and well, overseeing traditional, existing compliance obligations. “The question is how well equipped those committees are to deal with the increasing volume of compliance obligations,” says Miles Everson, a partner with PricewaterhouseCoopers. “We’re entering an era where compliance is going to get ratcheted up even more.”

For plenty of businesses, however, the compliance committee still doesn’t exist. In a recent poll conducted by the Open Compliance & Ethics Group, 46 percent of nearly 700 respondents said their organization does not have a compliance committee assigned to manage or oversee compliance activities.

The responses came from a wide range of organizations; a little less than half were public companies. Of those that reported having no compliance committee, 22 percent said there are plans to create one soon.

Erin Lewis, a former federal prosecutor now with the law firm Baker & Daniels, says companies have plenty of reasons to establish a compliance committee, sooner rather than later. “You’re seeing more and more indicators from the government that it’s a good way to ensure compliance in your company is well-thought out, well-monitored and well-documented, not something that’s just dumped on a compliance officer,” she says.

In the health care sector, for example, where Lewis focuses much of her work, the Justice Department is striking an increasing number of deferred prosecution agreements, and the terms typically call for establishing a compliance committee. The agreements usually promise to forgo eventual criminal actions if the entities clean house and put into place a strong compliance plan, Lewis said.

Getting Started

Whether establishing a new committee or fortifying an existing one for the rugged days ahead, compliance experts offer a number of best practices to assure the committee works effectively. First, organizations must decide, based on their culture and their objectives, exactly what a compliance committee should be empowered to do.

“Does the compliance committee have decision-making authority or a mandate to recommend how compliance should be approached?” Everson says. The structure must assure that the decision-making authority resides with whomever has the power to allocate staff and funding to get the job done, he explains. “If you don’t have the ability to direct and deploy resources, you will run into challenges.”

STRONG COMPLIANCE?

Does your company have a management-level compliance committee or “council” to help monitor and manage risks?

Answer: Percentage
Yes: 53.89%
No: 46.11%

Source: Results of OCEG’s Compliance Committee Poll (2009).

The compliance committee must also exist at the highest levels of the organization. “It needs to come down from the top,” Lewis says. “If the edict is from the top, the board of directors, saying compliance is important to us, it speaks volumes to the lower-level employees.”

The committee should be cross-disciplinary, with representatives from all essential functions of the business, says Steve Barth, a partner with law firm Foley & Lardner who focuses on corporate governance. “Having all financial or legal people doesn’t do the trick,” he says. “You have to have people in sales, marketing, human resources, and operations.”

Everson says the composition of the committee should reflect the company’s business model. “However the business model is constructed to respond to changes in the environment, those people ought to have a seat at the table in helping determine what the response is going to be,” he says.

Dan Simon, managing director at Cognito Financial Communications, says the committee should also include someone from the company’s communications function. “Communications is a management function. It has to take a seat at the big table when it comes to corporate decision making,” he says.

According to Barth, the compliance committee should strike a balance between reflecting a diversity of viewpoints and being nimble. (Just think of how quickly financial risks exploded as a concern for the banking industry last fall—and they were the ones who supposedly managed risks the best.) “You can’t make it so unwieldy that it can’t meet and react quickly,” Barth says.

Reporting

Establishing a reporting structure for a compliance committee is an important consideration, says Gordon Kaiser, a partner with the law firm Squire Sanders. He recommends that the committee should answer to the board of directors or a committee of the board, but also to senior management in some respect.

COMMITTEE MAKEUP

Of those who answered “yes” in the above chart, what executives sit on that council or committee?

Title: Percentage
Compliance Officer: 66%
Other Compliance (e.g., director of compliance): 31%
General Counsel: 54%
Other Legal (e.g., associate general counsel): 23%
CFO: 53%
Other Financial (e.g., controller): 25%
VP Internal Audit: 38%
Other Internal Audit (e.g., director of internal): 23%
Business Unit CEO(s): 30%
Other Business Unit Executive(s): 34%
Risk Officer: 31%
Other Risk Executive (e.g., director of …): 16%
Chief Operating Officer: 26%
Other Operations Executive: 18%
Chief Information Officer: 23%
Other IT Executive (e.g., security, privacy): 16%

Source: Results of OCEG’s Compliance Committee Poll (2009).

“Most of the time, reporting to the CEO or another senior member of management is probably adequate, but you want to plan for the situation where that isn’t working,” he says. “The board should know that the compliance officer or the compliance committee has the ability to get to them if they feel they really need to.”

Barth says CEO involvement with the compliance committee is essential to demonstrate the corporate commitment to compliance. Still, he says, “you need a dotted line to the governance chair or board chair. You need that particularly if there are senior-level executives who may be subject to complaint about their compliance.”

Kaiser says committees should focus their resources and energies on compliance issues according to a “reverse triangle analysis” of priorities. “Make sure the most important areas, or the highest-risk areas, are covered for sure, and give less and less emphasis as the materiality or importance goes down,” he says.

While current best practice in compliance suggests companies should have an actual committee, Barth says the nuts and bolts of the compliance program are more important than the existence of a committee per se. A committee will gather in more expertise and likely lead to more buy-in throughout the organization, certainly, but a well-run program without a committee can still be successful, he says.

“If you have a very effective program, implemented from the top with great training, broad buy-in, and a lot of input from various departments, but it’s run by one person who has the ear of the CEO and the board, I’m not sure I care a lot,” Barth says. But the most successful compliance programs are governed by a committee, he adds. “The more resources dedicated to the program, the more it indicates management’s, the CEO’s, and the board’s view on the importance of having an effective program.”