Best practices: organizational structure that supports compliance
Traditional organizational structure is crumbling under the weight of ever-increasing regulations that drive greater accountability and transparency. Smart companies are on the forefront of building new and improved structures that support and enhance this new compliance environment, and best practices are emerging.
Sarbanes-Oxley, more than any other regulation, has created this upheaval. Publicly traded companies that must comply with the sweeping U.S. law continue to review their organizational structures to determine the best framework for supporting ongoing compliance efforts. Even some private businesses, while technically unaffected by such regulations, are revisiting their organizational design to comply with the changing regulatory scene.
This strategic activity helps them develop more clearly defined compliance policies, procedures and roles; more timely compliance, resulting in fewer financial penalties; greater understanding among employees of expected compliance roles and behavior, as well as the consequences of noncompliance, and better communication about compliance risks and mitigation tactics.
While some companies--particularly non-accelerated filers still working toward first-year compliance with Sarbanes-Oxley Section 404--may still be considering how they will structure the compliance function going forward, others have already made changes, and some successful models for compliance are emerging.
To truly be considered a "best practice," a practice would need to have a great deal of history and consensus from many users that a particular idea or initiative supports the pattern of change needed to improve a business process. While still quite early in the process, some patterns for effective structures are emerging.
What follows are several best practices that some companies have found to be beneficial in adapting to the new regulatory environment. These are in the areas of: centralizing or decentralizing the compliance function; accountability structure; compliance-related roles and responsibilities; and ethics and compliance training.
Determine the degree to which the compliance function will be centralized or decentralized
Many companies grappling with the first year of Sarbanes-Oxley 404 compliance simply did what they believed they had to do to meet the requirements. For most companies, the process was neither orderly nor ideal. Now, these organizations have stepped back, evaluated what worked and what didn't and are focusing on how they can institutionalize and sustain their compliance programs. This transitional stage may be described as moving from "project to process."
To establish a truly sustainable compliance model, not just for 404 but for the range of compliance challenges facing organizations today, companies must decide on the optimal organizational structure to support the work flow, risk controls and communication necessary for effective governance. A well-defined compliance program allows companies to appropriately prioritize activities and ensures that executive-level management has the resources needed to meet requirements.
A fundamental decision in designing a framework that bolsters compliance is whether to adopt a centralized or decentralized model. A company's size, industry, geographic dispersion and business complexity determine which model--or combination of models--is best suited to the organization's needs. No matter what approach is chosen, all effective plans have a formalized structure that is designed and managed so that compliance activities can be carried out with a significant measure of objectivity and independence.
A centralized compliance function is typically composed of:
* The board of directors that takes an active role in ensuring that the company's executives are managing compliance effectively and are devoting the necessary resources to strengthen compliance functions.
* The compliance office, which is led by a chief compliance officer (CCO) or other senior manager, monitors performance, oversees training and communication and serves as a trusted liaison with the board.
* Business units that ensure that controls and governance, risk and compliance (GRC) activities are effective, that employees adhere to policies and regulations and that key suppliers are in conformance.
Conversely, a decentralized compliance function usually has the following features:
* A board of directors that ensures that the company's charter is in place; that the company has communicated that charter to all employees; that all employees are receiving new and ongoing compliance training; and that executive leadership is monitoring the company's overall compliance performance.
* Compliance management that functions at the senior-management level, coordinates compliance activities and reporting from business units, develops tools and templates for customization at the business-unit level and ensures allocation of proper resources.
* Business units that appoint a chief compliance manager, gather and report compliance information to senior management, customize compliance work flow to meet industry and unit requirements and ensure that employees understand and carry out their roles.
A centralized model allows for a standardization of compliance and reporting activities across the organization, which results in efficiencies in training, cross-functionality, communication and resources.
In a decentralized model, business units can tailor compliance systems to best meet the demands of their markets, locations, and industries. This enables managers to monitor compliance activities more closely and involve employees more in the process.
For example, a banking subsidiary of a regional financial services corporation selected a decentralized approach to managing compliance. The bank appointed its manager of consumer compliance to serve as chief compliance officer. This individual then directed each business unit manager to designate a department compliance officer whose responsibility was to have a detailed understanding of specific regulations that applied to that unit. To manage and coordinate the compliance process, business unit compliance officers communicate frequently with the chief compliance officer and meet regularly with each other to share ideas and explore opportunities for process efficiencies.
In either a centralized or decentralized model, internal audit, general counsel and human resources oversee regulatory responsibilities to help their organizations build a strong compliance structure.
The internal audit department evaluates the effectiveness of internal controls, including automated controls for risk and compliance work flow; ensures that GRC data flow is timely, accurate and comprehensive; and alerts senior management to best practices in GRC-related processes.
Some of the responsibilities of the general counsel include representing the company in GRC legal matters, interpreting regulatory and legal requirements, establishing relationships with regulators and agencies and alerting senior management to new or changing legislative and regulatory developments.
The human resources (HR) function helps administer GRC-related training programs, establishes GRC-related performance guidelines for employee evaluations, discusses the company's commitment to ethical values in recruiting and hiring processes and alerts senior management to HR-related developments in GRC issues.
Create an accountability structure
Companies working to develop responsible, cost-efficient and effective compliance processes also need to establish an accountability structure that ensures that a proper level of oversight and process ownership exists and that an appropriate ethical attitude pervades the organization.
An accountability structure establishes who maintains ownership of the design and operation of controls within the organization and provides mechanisms for regulating individuals to ensure they act ethically and in the company's best interests. In this way, a robust accountability structure ultimately becomes a strong defense against corporate malfeasance because it provides guidance for making sound decisions and ensures that needed information is available in a timely manner. It also promotes an appropriate "tone at the top."
To clearly define lines of accountability, many companies have redesigned their organizational structures to include compliance as part of the wider risk function or have remodeled the function and renamed it, for example, "regulatory risk management." Responsibilities of other executives, such as the ethics officer (EO) or chief privacy officer (CPO), have also been clarified to strengthen accountability in response to Sarbanes-Oxley and other governance regulations.
Many large public companies that have opted to name a CCO find that it enables them to assign clear accountability for compliance to someone, as required by Sarbanes-Oxley. The law does not specify the use of a CCO by name, but rather an executive-level individual to oversee the compliance process. Having a single point of contact helps companies ensure a consistent approach to compliance-related issues. A 2005 survey by the Ethics Officer Association found that a majority of those who assume ethics or compliance officer roles are experienced professionals who have earned either law or advanced business degrees.
When it appointed a chief compliance officer, an international investment management firm integrated its compliance function into its risk management function. The company's CCO reports to the chief risk officer, who has a direct reporting line to the president of the executive board. In addition, all of the intangible risks associated with compliance functions are funneled from every department to the risk management office, where the chief compliance officer works proactively with senior management to assess major proposals from a compliance-risk perspective.
Ethics officers and CPOs are not usually charged with compliance oversight per se, but with helping companies establish a culture that supports compliance, in the case of EOs, or--in the case of CPOs--strengthening privacy practices in response to regulations in that area.
Although certain compliance-related titles and functions are becoming increasingly common in today's business environment, companies are not necessarily assigning responsibilities or reporting relationships in uniform ways. This is largely attributable to the rapidly changing landscape of governance regulations and companies' still evolving quest for more sustainable compliance models than those they might have used to meet first-year deadlines.
For instance, although governance experts believe a best-practice approach is for the CCO to report directly to the board of directors, at many companies this individual may report to other individuals, such as the head risk officer, CEO, CFO, CIO or legal department.
Identify compliance-related roles and responsibilities
Not surprisingly, new governance laws are impacting the roles and responsibilities of all employees. Companies realize that in today's stringent regulatory environment, compliance cannot be an isolated responsibility within an organization. Rather, it has become a duty shared by all employees.
Because compliance can have such an enormous impact on a company's business strategy and overall reputation, forward-thinking companies are identifying direct and indirect responsibilities for employees at all levels, helping them to understand their role in compliance management and oversight.
The process of identifying compliance roles and responsibilities is built on understanding and capturing the discrete tasks performed by employees. This activity can bring to light the relationship between what is specified by compliance requirements and how individuals carry out their daily tasks. Such knowledge is essential for companies to possess so that they can ensure that employees act in accordance with regulatory requirements. Equally important, the identification process can help companies recognize when employees are not following standards.
Many companies now have explicit policies that outline employees' roles in accepting responsibility for compliance-related data they are gathering or submitting. For instance, employees may be asked to sign off on financial data at each stage in the reporting process so that there is essentially a chain of custody that can be tracked.
Compliance roles and responsibilities will, of course, vary from one company to another because of differing organizational structures and local regulatory environments. Most companies can identify fundamental compliance expectations for employees, however.
Once organizational roles and responsibilities are defined, companies need to update them regularly to keep pace with changes in their business and in the regulatory environment. Many are also including compliance responsibilities in their codes of conduct. Some are even creating compliance mission statements, which every employee is expected to champion.
Another approach is to integrate reporting roles and responsibilities into policies and procedures, including employee job descriptions. Having clearly defined roles and responsibilities has the effect of reducing companies' exposure to risk and lessening the likelihood of employees becoming involved in malfeasance.
Provide ethics and compliance training to support the compliance role
To enhance employees' ability to understand and adhere to external regulations and internal expectations, companies should provide business ethics and corporate compliance training programs to all employees.
New staff members would typically receive this training during an orientation process, while existing employees would undergo ethics and compliance training on a regular basis, usually once a year.
Employees in high-risk job functions--such as business development, marketing and finance--may be required to participate in more frequent and comprehensive training. Accounts payable personnel with access to key financial systems and information, for example, might require special training that explains appropriate behavior and offers pointers on how to detect fraudulent or erroneous financial transactions.
Board members and senior management might also require additional ethics training about issues related to their fiduciary duties, such as conflicts of interest or insider trading.
In large companies, responsibility for ethics and compliance training might rest with an ethics or compliance officer, while the HR or training department might assume this responsibility in smaller organizations.
As companies continue to move beyond reactive compliance efforts toward more sustainable models, the organizational structures they apply will continue to evolve. As programs mature, the ability to not just react but to anticipate changing regulatory demands will improve, resulting in a shift of focus from the structural and tactical aspects of compliance activities toward a more integrated and cost-effective, sustainable compliance organization.
And while certain structural features and roles--such as compliance departments, chief compliance officers and ethics officers--will gain even more widespread acceptance, more distinctive variations on some of the successful practices that have already emerged should begin to evolve.
Joe Atkinson is a Principal in PricewaterhouseCoopers' Philadelphia office and serves as the U.S. Operations Leader of PwC's Governance, Risk & Compliance practice. Susan Leandri is the Managing Director of the Global Best Practices operating unit at PricewaterhouseCoopers and is based in Chicago. Global Best Practices, an online knowledge resource, can be accessed at www.globalbestpractices.com.
RELATED ARTICLE: takeaways
* The plethora of recent regulatory changes is causing organizations to rethink traditional structures and working relationships and focus on compliance.
* Sarbanes-Oxley primarily has created the upheaval as public companies review structures to determine the best framework. Many private companies are also reviewing organizational design to comply with changes.
* Best practices are emerging. These include: determining the necessary degree of centralization/decentralization; creating an accountability structure; identifying compliance-related roles and responsibilities; and providing ethics and compliance training.
Date: Dec 1, 2005