
Best practices: organizational structure that supports compliance

Traditional organizational structure is crumbling under the weight of ever-increasing regulations that drive greater accountability and transparency. Smart companies are on the forefront of building new and improved structures that support and enhance this new compliance environment, and best practices are emerging.


Regulatory changes have caused a tectonic shifting of the organizational landscape in companies around the world. Traditional working relationships that define who is responsible for what have also shifted. New mandates--such as the Sarbanes-Oxley Act, Canada's Bill 198, Basel II, the Health Insurance Portability and Accountability Act (HIPAA) and the European Union's Data Protection Directive, to name but a few--require companies to integrate compliance into their organizational structures in an effort to increase transparency, accountability and responsiveness to key stakeholders.

Sarbanes-Oxley, more than any other regulation, has created this upheaval. Publicly traded companies that must comply with the sweeping U.S. law continue to review their organizational structures to determine the best framework for supporting ongoing compliance efforts. Even some private businesses, while technically unaffected by such regulations, are revisiting their organizational design to comply with the changing regulatory scene.

This strategic activity helps them develop more clearly defined compliance policies, procedures and roles; more timely compliance, resulting in fewer financial penalties; greater understanding among employees of expected compliance roles and behavior, as well as the consequences of noncompliance, and better communication about compliance risks and mitigation tactics.

While some companies--particularly non-accelerated filers still working toward first-year compliance with Sarbanes-Oxley Section 404--may still be considering how they will structure the compliance function going forward, others have already made changes, and some successful models for compliance are emerging.

To truly be considered a "best practice," a practice would need to have a great deal of history and consensus from many users that a particular idea or initiative supports the pattern of change needed to improve a business process. While still quite early in the process, some patterns for effective structures are emerging.

What follows are several best practices that some companies have found to be beneficial in adapting to the new regulatory environment. These are in the areas of: centralizing or decentralizing the compliance function; accountability structure; compliance-related roles and responsibilities; ethics and compliance training.

Determine the degree to which the compliance function will be centralized or decentralized

Many companies grappling with the first year of Sarbanes-Oxley 404 compliance simply did what they believed they had to do to meet the requirements. For most companies, the process was neither orderly nor ideal. Now, these organizations have stepped back, evaluated what worked and what didn't and are focusing on how they can institutionalize and sustain their compliance programs. This transitional stage may be described as moving from "project to process."

To establish a truly sustainable compliance model, not just for 404 but for the range of compliance challenges facing organizations today, companies must decide on the optimal organizational structure to support the work flow, risk controls and communication necessary for effective governance. A well-defined compliance program allows companies to appropriately prioritize activities and ensures that executive-level management has the resources needed to meet requirements.

A fundamental decision in designing a framework that bolsters compliance is whether to adopt a centralized or decentralized model. A company's size, industry, geographic dispersion and business complexity determine which model--or combination of models--is best suited to the organization's needs. No matter what approach is chosen, all effective plans have a formalized structure that is designed and managed so that compliance activities can be carried out with a significant measure of objectivity and independence.

A centralized compliance function is typically composed of:

* The board of directors that takes an active role in ensuring that the company's executives are managing compliance effectively and are devoting the necessary resources to strengthen compliance functions.

* The compliance office, which is led by a chief compliance officer (CCO) or other senior manager, monitors performance, oversees training and communication and serves as a trusted liaison with the board.

* Business units which assure that controls and governance, risk and compliance (GRC) activities are effective, that employees adhere to policies and regulations and that key suppliers are in conformance.

Conversely, a decentralized compliance function usually has the following features:

* A board of directors that ensures that: the company's charter is in place; that the company has communicated that charter to all employees; that all employees are receiving new and ongoing compliance training; and that executive leadership is monitoring the company's overall compliance performance.

* Compliance management that functions at the senior-management level, coordinates compliance activities and reporting from business units, develops tools and templates for customization at the business-unit level and ensures allocation of proper resources.

* Business units that appoint a chief compliance manager, gather and report compliance information to senior management, customize compliance work flow to meet industry and unit requirements and ensure that employees understand and carry out their roles.

A centralized model allows for a standardization of compliance and reporting activities across the organization, which results in efficiencies in training, cross-functionality, communication and resources.

In a decentralized model, business units can tailor compliance systems to best meet the demands of their markets, locations, and industries. This enables managers to monitor compliance activities more closely and involve employees more in the process.

For example, a banking subsidiary of a regional financial services corporation selected a decentralized approach to managing compliance. The bank appointed its manager of consumer compliance to serve as chief compliance officer. This individual then directed each business unit manager to designate a department compliance officer whose responsibility was to have a detailed understanding of specific regulations that applied to that unit. To manage and coordinate the compliance process, business unit compliance officers communicate frequently with the chief compliance officer and meet regularly with each other to share ideas and explore opportunities for process efficiencies.

In either a centralized or decentralized model, internal audit, general counsel and human resources oversee regulatory responsibilities to help their organizations build a strong compliance structure.

The internal audit department evaluates the effectiveness of internal controls, including automated controls for risk and compliance work flow; ensures that GRC data flow is timely, accurate and comprehensive; and alerts senior management to best practices in GRC-related processes.

Some of the responsibilities of the general counsel include representing the company in GRC legal matters, interpreting regulatory and legal requirements, establishing relationships with regulators and agencies and alerting senior management to new or changing legislative and regulatory developments.

The human resources (HR) function helps administer GRC-related training programs, establishes GRC-related performance guidelines for employee evaluations, discusses the company's commitment to ethical values in recruiting and hiring processes and alerts senior management to HR-related developments in GRC issues.

Create an accountability structure

Companies working to develop responsible, cost-efficient and effective compliance processes also need to establish an accountability structure that ensures that a proper level of oversight and process ownership exists and that an appropriate ethical attitude pervades the organization.

An accountability structure establishes who maintains ownership of the design and operation of controls within the organization and provides mechanisms for regulating individuals to ensure they act ethically and in the company's best interests. In this way, a robust accountability structure ultimately becomes a strong defense against corporate malfeasance because it provides guidance for making sound decisions and ensures that needed information is available in a timely manner. It also promotes an appropriate "tone at the top."

To clearly define lines of accountability, many companies have redesigned their organizational structures to include compliance as part of the wider risk function or have remodeled the function and renamed it, for example, "regulatory risk management." Responsibilities of other executives, such as the ethics officer (EO) or chief privacy officer (CPO), have also been clarified to strengthen accountability in response to Sarbanes-Oxley and other governance regulations.

Many large public companies that have opted to name a CCO find that it enables them to assign clear accountability for compliance to someone, as required by Sarbanes-Oxley. The law does not specify the use of a CCO by name, but rather an executive-level individual to oversee the compliance process. Having a single point of contact helps companies ensure a consistent approach to compliance-related issues. A 2005 survey by the Ethics Officer Association found that a majority of those who assume ethics or compliance officer roles are experienced professionals who have earned either law or advanced business degrees.

When it appointed a chief compliance officer, an international investment management firm integrated its compliance function into its risk management function. The company's CCO reports to the chief risk officer, who has a direct reporting line to the president of the executive board. In addition, all of the intangible risks associated with compliance functions are funneled from every department to the risk management office, where the chief compliance officer works proactively with senior management to assess major proposals from a compliance-risk perspective.

Ethics officers and CPOs are not usually charged with compliance oversight per se, but with helping companies establish a culture that supports compliance, in the case of EOs, or--in the case of CPOs--strengthening privacy practices in response to regulations in that area.

Although certain compliance-related titles and functions are becoming increasingly common in today's business environment, companies are not necessarily assigning responsibilities or reporting relationships in uniform ways. This is largely attributable to the rapidly changing landscape of governance regulations and companies' still evolving quest for more sustainable compliance models than those they might have used to meet first-year deadlines.

For instance, although governance experts believe a best-practice approach is for the CCO to report directly to the board of directors, at many companies this individual may report to other individuals, such as the head risk officer, CEO, CFO, CIO or legal department.

Identify compliance-related roles and responsibilities

Not surprisingly, new governance laws are impacting the roles and responsibilities of all employees. Companies realize that in today's stringent regulatory environment, compliance cannot be an isolated responsibility within an organization. Rather, it has become a duty shared by all employees.

Because compliance can have such an enormous impact on a company's business strategy and overall reputation, forward-thinking companies are identifying direct and indirect responsibilities for employees at all levels, helping them to understand their role in compliance management and oversight.

The process of identifying compliance roles and responsibilities is built on understanding and capturing the discrete tasks performed by employees. This activity can bring to light the relationship between what is specified by compliance requirements and how individuals carry out their daily tasks. Such knowledge is essential for companies to possess so that they can ensure that employees act in accordance with regulatory requirements. Equally important, the identification process can help companies recognize when employees are not following standards.

Many companies now have explicit policies that outline employees' roles in accepting responsibility for compliance-related data they are gathering or submitting. For instance, employees may be asked to sign off on financial data at each stage in the reporting process so that there is essentially a chain of custody that can be tracked.

Compliance roles and responsibilities will, of course, vary from one company to another because of differing organizational structures and local regulatory environments. Most companies can identify fundamental compliance expectations for employees, however.

Once defined, companies need to regularly update organizational roles and responsibilities to keep pace with changes in their business and in the regulatory environment. Many are also including compliance responsibilities in their codes of conduct. Some are even creating compliance mission statements, which every employee is expected to champion.

Another approach is to integrate reporting roles and responsibilities into policies and procedures, including employee job descriptions. Having clearly defined roles and responsibilities has the effect of reducing companies' exposure to risk and lessening the likelihood of employees becoming involved in malfeasance.

Provide ethics and compliance training to support the compliance role

To enhance employees' ability to understand and adhere to external regulations and internal expectations, companies should provide business ethics and corporate compliance training programs to all employees.

New staff members would typically receive this training during an orientation process, while existing employees would undergo ethics and compliance training on a regular basis, usually once a year.

Employees in high-risk job functions--such as business development, marketing and finance--may be required to participate in more frequent and comprehensive training. Accounts payable personnel with access to key financial systems and information, for example, might require special training that explains appropriate behavior and offers pointers on how to detect fraudulent or erroneous financial transactions.

Board members and senior management might also require additional ethics training about issues related to their fiduciary duties, such as conflicts of interest or insider trading.

In large companies, responsibility for ethics and compliance training might rest with an ethics or compliance officer, while the HR or training department might assume this responsibility in smaller organizations.

As companies continue to move beyond reactive compliance efforts toward more sustainable models, the organizational structures they apply will continue to evolve. As programs mature, the ability to not just react but to anticipate changing regulatory demands will improve, resulting in a shift of focus from the structural and tactical aspects of compliance activities toward a more integrated and cost-effective, sustainable compliance organization.

And while certain structural features and roles--such as compliance departments, chief compliance officers and ethics officers--will gain even more widespread acceptance, more distinctive variations on some of the successful practices that have already emerged should begin to evolve.

Joe Atkinson (joseph.atkinson@us.pwc.com) is a Principal in PricewaterhouseCoopers' Philadelphia office and serves as the U.S. Operations Leader of PwC's Governance, Risk & Compliance practice. Susan Leandri (susan.j.leandri@us.pwc.com) is the Managing Director of the Global Best Practices operating unit at PricewaterhouseCoopers and is based in Chicago. Global Best Practices, an online knowledge resource, can be accessed at www.globalbestpractices.com.

RELATED ARTICLE: takeaways

* The plethora of recent regulatory changes is causing organizations to rethink traditional structures and working relationships and focus on compliance.

* Sarbanes-Oxley primarily has created the upheaval as public companies review structures to determine the best framework. Many private companies are also reviewing organizational design to comply with changes.

* Best practices are emerging. These include: determining the necessary degree of centralization/decentralization; creating an accountability structure; identifying compliance-related roles and responsibilities; and providing ethics and compliance training.
COPYRIGHT 2005 Financial Executives International
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author:Leandri, Susan
Publication:Financial Executive
Geographic Code:1USA
Date:Dec 1, 2005
Words:2339