Published On: 06.06.2020

THE RESOURCES FOR AN EFFECTIVE COMPLIANCE FUNCTION (Part 2)

Often, the compliance function is under-resourced and not supported by an adequate tone from the top and the middle management. To fix this, we must first understand and address the reasons.

Below, you can find some typical reasons, mostly arising from a lack of understanding of what the compliance function needs to be doing, what the benefits and attributes of an effective compliance and integrity management system are, and what role management and other employees play in it.

The breakdown below presents these reasons together with examples of solutions, proven in practice, described in more detail.

The cause

The solution example

The compliance function is a new function, often still unrecognised, so the various departments within the company can understand it very differently. You might also be facing an improper position or insufficient authority in the organizational structure.

  • Regularly communicate and educate, mostly using the cases that are specific and relevant for your company.
  • Be professional, but brief, concise and very concrete in your counselling; be part of a team, invest your energy in the knowledge of business objectives and plans, help find solutions, but remain principled in terms of compliance and business integrity, and you should be able to build genuine authority and reputation.
  • If your formal position within the company is not on a high enough level, this approach may help you to achieve it more easily, but don’t forget to warn your management about it at the right moment (use arguments from the principles of good governance, efficiency and independence of the compliance function, which basically protects the company and the responsible persons in it).

Poorly defined compliance function in the internal documents (classification, management policies).

  • Propose amendments to internal documents, including the definition of the role of other areas and services in the compliance system (see e.g. ISO 19600 or the EISEP template of a compliance policy, or any other resources; many are available online); present specific compliance risk areas and use concrete cases to illustrate the role of the compliance function and other departments or functions.

The lack of compliance risk assessments.

  • Use a structured and professional approach. Draw on the existing methodologies and processes for risk assessments within the company, but adjust them to the nature of the compliance risks (which should be assessed more quantitatively than qualitatively). Be inclusive: use interviews and focus groups with all areas of the company in order to truly get to know them, listen to them and finally gain a very good understanding of the compliance risks throughout the company. Build your capacity to identify compliance issues and bad practices early.

The lack of the annual plan of operation or insufficiently specified and planned activities of the compliance function.

  • Plan specific tasks and activities of the compliance function, depending on the requirements of regulations, your internal policies, international standards, etc., and put emphasis on risky areas. Always plan time for unplanned ad-hoc activities in accordance with your past experience (like dealing with controlling procedures and requirements of the regulator, unexpected changes, significant internal investigations or activities associated with the identified breaches, the new legislation, the requirements of the Supervisory Board, etc.).

The desire to shift the liability is also a common reason.

  • A combination of the rational and grounded solutions described above and below can be effective.

Central tools in communication with the management board (CEO, senior management) when presenting argumentation of the role and differentiation of the compliance function, are:

  • On various occasions, keep presenting the benefits and attributes of an effective compliance function; highlight the ethical premium (www.worldsmostethicalcompanies.com), higher evaluation by business partners, and other proven benefits for the business.
  • Systematic and regular planning of compliance tasks and activities, best if based on the compliance integrity risks assessed or at least identified specifically for the organization, with specification of reasons, results (benefits) and the required SCOPE and resources!
  • Regular, at least quarterly, management reporting by the compliance function, based on clear and comparable indicators (like the scope of advice provided to business units, necessary and achieved alignments, compliance checks and investigations, the training performed, etc.). This way, management gradually becomes more aware of what you do and of the benefits, and this also increases your professionalism and credibility.

It often happens that the compliance function is pressured to undertake additional operational tasks outside the typical scope of its primary responsibilities. The damaging consequences can be the following:

  • The compliance function starts to lose key added value for the board and the company in terms of effective internal controls and the system of defence against risks, which are important for the company’s security. This comes in exchange for small and less important operational tasks, which are not part of the internal control system and can be performed by other functions, like legal.
  • The compliance function starts to lose itself in operational tasks, harming its own systematic and strategic activities. This can also threaten the implementation of the compliance function’s regulated responsibilities, which will eventually be recognized by the regulator (or an auditor), or the risks will materialize, because the compliance function wasn’t able to help identify them, or had no opportunity to assist the company and the management to protect themselves against them. This can cause liability and losses for the company and its managers.

One practical tool, which can be used immediately to support the argument that the compliance function is overburdened, is a structured and analytical display of all existing tasks and activities and the distribution of existing resources, with an estimate of the resources needed for any additional activities. This shows whether you can take over additional activities or not, and in what scope. This is, of course, under the primary condition that there is no conflict of interest with the nature of the compliance function. In practice, we could use it like this:

  1. Make a list of all existing tasks and activities, which you already perform as a compliance function and which may be additional ones.
  2. Make a list of possible tasks and activities, which you plan to add shortly as necessary ones for implementing the tasks required from the compliance function (depending on regulations or the recommendation of the regulator, possible specific regulation or high risk detected, the request of the Supervisory Board or something else, which is not optional).
  3. Arrange your available resources among these activities, according to the FTE method. This means Full Time Equivalent = number of hours paid for full-time work in a specified period of time, for example per year; 1 FTE represents 1 full-time employee. According to the number of working days in 2019 (249 days = 1992 hours), 1 FTE is on average 229 working days (1832 hours) this year, with 20 days of annual leave included and sick leave not included. This method allows us to see how many FTEs are available in our department (this usually corresponds to the number of full-time employees; if there’s a part-time employee, we count him or her as 0.5 FTE, for example). Then, we arrange them among the activities on our list. Maybe 0.1 FTE will be given to some activities (which is an average of 183 h/year and 15 h or around 2 working days per month in 2019), or maybe 0.3 FTE (550 h/year and 45 h or around 5 to 6 working days per month). The sum shall equal the number of FTEs in the compliance department. If we exceed this number, we may not be planning well, or it means that we don’t dedicate enough effort to a certain activity, or that we need additional resources for the existing scope of required tasks. Here, one must also explore the possibilities of how to increase productivity with existing resources by reducing the FTE scope for certain tasks, on account of additional process improvements, skills and knowledge improvement, IT or other types of support.

Other approaches and arguments for improving the perception of the compliance function, which can help to acquire needed resources and get the adequate tone from the top and the middle, are:

  1. The argument of the regulated function. Derived from the EBA (European Banking Authority) guidelines on the internal governance, Basel Guidelines (Compliance and the Compliance Function in Banks), guidelines of the banking and other financial sector regulators on the internal governance and the role of the compliance function.
  2. Your company’s own internal acts – definition in the Compliance Policy, Rules on the operation of the compliance function.
  3. Annual work plan of the compliance function (you may even have the business compliance strategy) based on the defined tasks and responsibilities and on the compliance risk assessment.
  4. Allocation plan of the existing compliance staff to all required activities and tasks in the annual planning, using FTE = Full Time Equivalent (according to the max. available resources, calculated precisely according to the time; this is one way to very transparently and mathematically demonstrate the scope of work that can be managed with the existing staff).
  5. Evaluation and reporting about the suitability and sufficiency of all resources (staff, finances, IT, power of authority etc.) for performing the compliance function, given the regulatory requirements and compliance risks specific to the company. Compliance should present this to the management and offer proposals regarding potential gaps. This is also a good tool to confront the board with a necessary decision about what the priorities in your company’s compliance program should be and what compliance should or should not be doing according to them, given the limited resources (compliance should hereby clearly explain to the board what the compliance function must be doing, according to the regulations and risks).
  6. Self-assessment of the compliance programme and eventually conducting an external, independent and professional assessment of the compliance programme (delivery of the Compliance Policy and Code of Conduct). This should be presented to the board, together with proposals based on the gaps (which may include e.g. better differentiation of functions, exclusion of certain activities from the compliance function or the inclusion of some others, supplementation of available resources, new or improved policies and processes, etc.).

It is the compliance officer’s responsibility to properly manage the available resources for professional and reliable implementation of activities that are required by regulation and internal acts and focused on mitigating the most critical compliance integrity risks. The compliance officer is also responsible for presenting these activities and evaluating resources in a clear manner, so that the board can make an informed decision. This way, the issue of possible work overload or inappropriate conditions for the compliance function is clearly presented to management and documented, for the purposes of any control by the regulator, auditors, Supervisory Board etc. This matters because the senior management and the boards are primarily responsible for ensuring effective internal control systems, including compliance and integrity management, and for allocating sufficient and adequate resources.

 

Originally published in Association of Serbian Banks Magazine, June, 2020

About the author

Andrijana Bergant

Andrijana Bergant, LLB., MBA, AICA, is a seasoned expert with over 15 years of experience in business compliance and ethics across industries and international markets. She focuses on integrity leadership, strengthening ethical culture and business resilience, offering insights that deliver returns on integrity.

Copyright © 2024 Andrijana Bergant. All rights reserved.

Permission is granted to use, distribute, and reproduce this article in any medium, provided the source is properly cited and a link to the original article is included. Unauthorized use or duplication without proper citation is prohibited.