Building a culture of compliance that effectively mitigates risk
A good compliance program is an indication of a good culture. In the financial industry, it is critical for businesses to demonstrate a good culture of compliance to maintain their reputation and gain the trust of clients, investors and regulators.
Compliance failures can, and often do, lead to colossal consequences. From time to time, we hear about institutions that had to pay tens, if not hundreds, of millions of dollars in fines, executives who had to resign, and worst of all, tarnished reputations that take years to rebuild.
To avoid all of that, financial institutions work hard to implement an effective compliance program that leads to a good culture of compliance.
What are the components of a culture of compliance?
Every compliance organization needs to be part of the business and work within the business, so that compliance personnel can assess and understand both the business risk and the regulatory risk. After assessing and categorizing the risks, compliance needs to make sure those risks are addressed and mitigated. The way to mitigate risk is to structure processes, and policies around those processes, so that employees understand the risks and act in accordance with the compliance controls. Compliance cannot eliminate risk, but it can reduce the likelihood that violations of rules and regulations occur. A good culture of compliance requires good compliance controls, but it also requires that employees understand and follow those controls.
Let’s think of an everyday example. On the street outside, there is road repair work. The employees working on the task have identified the risk that cars would hit the manhole dug in the middle of the road. This is their identified risk. They have placed orange cones around the manhole, and by doing so, are telling drivers to go around it. This is their mitigating action to reduce the risk that a car would hit the manhole. The workers cannot eliminate the risk: they cannot remove the manhole, because it is required for the repair work. However, they can mitigate the danger the manhole poses to passing cars.
Good controls are essential but not sufficient. Without educating employees on the importance of the controls, you do not really help them figure out the best course of action when a risk materializes. Therefore, another element of a good compliance culture is ongoing training. The training sessions ensure that the policies and procedures are communicated clearly to all relevant employees.
After comprehensive training, a good compliance program needs to include testing whether the business is adhering to the policies and procedures you’ve established. In order to verify that employees understand and follow the policies, compliance teams are expected to review different business activities and ensure that those activities were done in compliance with the firm’s policies and procedures.
Mastering the testing element is probably one of the most difficult tasks in building a culture of compliance. The compliance officer needs to ensure her team is looking at areas that are high risk, and allocate enough resources to review a meaningful sample of activities (trades, email or phone communications, and so on). In most financial organizations, even those with sizable compliance budgets, the compliance staff does not evaluate more than 4-6% of the workforce. Compliance technology vendors have not yet developed a robo-compliance officer that can automatically review trades, emails and/or phone calls. The review of phone calls, for instance, is one of the most painful areas to test, since a 45-minute phone call takes a compliance officer 45 minutes to review. Therefore, compliance is very limited in its ability to review a meaningful portion of communications.
Testing is a critical component of the compliance program. The regulators take the reasonable view that good testing MUST yield violations. It is inconceivable, in the regulators’ minds, that an organization with a large number of employees (sometimes hundreds of thousands) will have no instances where employees misunderstood, forgot, or were simply not aware of the relevant compliance policies. The role of testing is to bring these cases to light and find ways to remediate the violations, whether through more education, correction of the policies, or disciplinary action.
When regulators review a compliance program and determine whether the organization has a good compliance culture, they look primarily at the testing efforts and their results. An efficient and thorough testing program is a testament to a good compliance culture. Compliance officers should always seek ways to make their compliance program more efficient and more reliable. Technology can play an important role in helping management lead the organization toward a good culture of compliance.
To learn more about how Tethr can help you create a strong culture of compliance, visit tethr.com/solutions/compliance/.