A Unified Approach to GRC

I participated in a webinar by Carole Stern Switzer of OCEG and Sumner Blount of CA, Inc. on Unified Governance, Risk and Compliance.

Governance – the culture, policies, processes, laws and institutions that define the structure by which companies are directed and managed.

Risk – the effect of uncertainty on business objectives.

Compliance – The act of adhering to and demonstrating adherence to the external regulations and standards as well as corporate policies.

GRC is the coordination of these three areas to increase efficiency and produce more complete information for better decision-making.

After all, bad information leads to bad decision-making.

The evolution to GRC came from one-off controls and testing added as each new regulation came into place. The starting point was generally Sarbanes-Oxley. In the early days the internal audit and general counsel functions operated separately from the operations group, and operations are run through the internal IT systems. As more compliance groups grew up, they sent more and more audit and information requests to the operations groups. The goal is to unify and simplify the risk and compliance functions.

The siloed information makes it hard to determine the status of compliance and difficult to map controls to regulations. Sumner proposes a global repository of audits, risks, tests and test results, cross-referenced to unite the silos of information: a single source of truth for compliance, risk and governance.

The unified approach should give you visibility into the state of operations and risks. This could allow you to remediate problems before they become critical.

The policy lifecycle starts with (1) identifying the requirements, (2) setting policies to meet the requirements, (3) creating controls to enforce the policies and then (4) monitoring and remediating the controls. This lifecycle should have feedback loops so that policies and controls stay up to date and functional.

Sumner sees five management tools: regulatory content, risk management, policy management, controls management and project management.

For policy management you need support for the creation, review, self-assessment and update of policy documents. You need a workflow to track approvals. You also need to track which people have attested that they have read the policy, comply with it and will continue to comply with it.

With regulatory content, it is difficult to develop the expertise, keep the information up to date and translate it into control objectives. It is also valuable to harmonize the controls across regulations, so that you are not creating redundant or even conflicting controls.

For controls management you want a centralized repository of controls mapped to the associated policies, regulations, risks and resources. You also want to store test results and the assignment of actions to be taken.

For project management, you want to track project status, with support for an audit trail and for reporting.

The key is to reduce costs, reduce disruptions, improve risk management and use the program to drive operational improvement and competitive advantage.

Ethics as a Business Process

Adam Turteltaub wrote Ethics as a Business Process for the fall 2005 edition of GRC 360.

Forward-looking companies are seeking to evolve business from soft art to hard science as a means to win in the marketplace, improve competitive advantage, achieve higher market valuations, ensure employee retention, foster fruitful partnerships and strengthen customer satisfaction.

. . .

There are three key areas to consider when examining the creation of business processes around ethics:

People: An organization must examine and manage the extent to which ethical conduct is embedded into the fabric of business thinking and fully understand the ethical risks employees face.
Process: An organization must set forth an effective business framework that integrates all ethics and compliance-related activities within the enterprise.
Technology: An organization must leverage tools that automate the process to achieve greater efficiency and provide management with the data it needs to assess the health of the effort and respond quickly to problems.

Compliance at The Nature Conservancy

Back in 2004, The Nature Conservancy created the job of Chief Compliance Officer and formalized its compliance and governance policies.

There is an interview with Karen Berky, the Chief Compliance Officer, in The Nature Conservancy’s 2004 Annual Report: Conservation That Works.

Ms. Berky talks about the Conflict of Interest Policy and the Conflict of Interest Standard Operating Procedure.

The Nature Conservancy also has a Whistleblower Policy, for reporting suspected violations of law or policy.

Evaluation of the Chief Compliance Officer

Thompson Hine put together a paper: Evaluation of the Chief Compliance Officer:

While Rule 38a-1 under the Investment Company Act requires a Board of Directors to approve the appointment, removal and compensation of a fund’s Chief Compliance Officer (“CCO”), the rule is silent as to any requirement to annually review the performance of the CCO. However, Rule 38a-1 does require that a fund annually review the adequacy and effectiveness of its written compliance policies and procedures (“Compliance Program”), as well as the Compliance Program of each investment adviser, principal underwriter, administrator and transfer agent of the fund (“Fund Service Providers”). Because the CCO is an integral part of any Compliance Program, it is reasonable to expect a board to evaluate the effectiveness of a CCO as part of, or in connection with, the annual review of the Compliance Programs.

The following statement by the Securities and Exchange Commission (“SEC”) serves as a useful starting point for evaluating the effectiveness of a CCO:

“A fund’s chief compliance officer should be competent and knowledgeable regarding the federal securities laws and empowered with full responsibility and authority to develop and enforce appropriate policies and procedures for the fund.”

Although this is a relatively vague standard, the SEC staff has informally articulated a number of specific qualities and capabilities that it believes a CCO should possess. In addition to analyzing these qualities and capabilities, a CCO’s effectiveness can be evaluated by reviewing the duties and functions actually performed by the CCO. This review should take into consideration the size, resources and business activities of the fund complex.

An Effective Compliance Program under the U.S. Sentencing Commission Guidelines

Section 8B2.1 of the 2007 version of the United States Sentencing Commission Guidelines defines an “effective compliance and ethics program” for purposes of subsection (f) of § 8C2.5 (Culpability Score) and subsection (c)(1) of § 8D1.4 (Recommended Conditions of Probation – Organizations):

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:

(1) The organization shall establish standards and procedures to prevent and detect criminal conduct.

(2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

(C) Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

(3) The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

(B) The individuals referred to in subdivision (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

(5) The organization shall take reasonable steps—

(A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;

(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and

(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

(6) The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

(7) After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.

(c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.

The blog begins … as a continuation

If you’ve come to this post, you are probably wondering how long I have been blogging and what I’m all about.

I first started blogging in February of 2007 with my blog on Knowledge Management: KM Space. It started as an exploration of how blogging and other web 2.0 tools could be used inside a law firm. I quickly discovered that the consumer space was far ahead of enterprise space.

I also published Real Estate Space. That focused on the substance of legal practice, with less navel gazing than KM Space.

I abandoned those two blogs because of this blog. I published 614 posts on KM Space and 144 posts on Real Estate Space before I abandoned them in March 2009. I switched careers to compliance in 2008. Those blogs were distracting me from focusing on compliance. They were like crying kids in the background asking to be fed.

I use this blog as a tool to help me with the learning and knowledge I need as a compliance professional. You can read more in Why I Blog.

I consider the first day of this blog to be February 12, 2009, when it first went public: This Site is Live.

(I hope it’s obvious that the date of this blog post does not reflect the date it was written.)