There’s at least one thing your bank, federal and state regulators, and board of directors agree on: better compliance does not equal more compliance. With that in mind, here are 4 essentials of compliance oversight.
It can be easy to forget that the people making your life busy are very likely incredibly busy themselves. Whether meeting their own legal requirements or ensuring others are meeting theirs, decision makers on all sides of the workforce compliance equation have a lot of work to do. That means there’s at least one thing your bank, federal and state regulators, and board of directors agree on:
Better compliance ≠ more compliance.
In our recent webinar, Executive Oversight: What regulators say, and what your execs want to know, attorney Michael Semanie and Compli board member Kirby Dyess showed us precisely what better compliance looks like to an organization’s board of directors, management team, or owner(s).
According to Michael, these executive oversight teams create the tone at the top, “because they’re really the ones who are setting the policy and the direction for the company.” He told our audience that from 30,000 feet up, executive oversight teams need to consider fundamental compliance questions, such as…
- Is the board addressing compliance matters in its meetings? Is that reflected in the minutes?
- Are the compliance oversight responsibilities delegated appropriately and are committees meeting to discuss compliance issues?
- Is the oversight team reviewing policies for addressing risks and for clarity, comprehensiveness, and currency?
- Are resources being delegated to compliance management and oversight?
- Does the Compliance Management Officer have appropriate authority?
- What is the process for identifying new or changing regulatory requirements and other compliance issues?
- What is the compliance review process for marketing materials?
- What is the reporting process for compliance issues and is it being utilized?
- Are compliance audits being conducted?
Sounds like a lot to think about, huh? Think of it as inspecting what is expected, and having a framework for those expectations. Let’s follow the principles of “better, not more” and break it down further into 4 essentials of compliance oversight:
In other words, your culture of compliance can be traced back to a leadership philosophy that clearly articulates intolerance for misconduct. “‘Culture of compliance’ can be a very aspirational statement,” said Michael. “It’s something that people will sometimes say without knowing what it means in practice.” He told us that, in practice, creating a culture of compliance means setting the foundation for individual behavior across the organization, and that the purpose of it is to embed compliance in everyday workflow.
Kirby added to Michael’s guidance:
“At the end of the day, you want to be able to say that your actions are in line with your compliance statements—with your tone at the top. If people are moving away from what you need to have happened, there should be visible consequences within the organization.”
In addition to portraying the negative consequences of non-compliance, it’s also important to define compliance as an affirmative choice. To instruct a workforce on what to do, Kirby recommended that organizations use vignettes: exercises that ask, “In this situation, what would you do?” and offer several answers.
“The thing that’s great about that is that your compliance statements will tell you the right thing to do,” said Kirby, who shared the fact that, as a board member, she has also had to complete these sorts of activities—just like every employee.
Organizations need to think about not only their internal message, but their external one. Michael said that companies should set the tone for third parties, such as a company’s vendors and business partners—and for more than the obvious legal reasons:
“It’s not just important for defending or preventing a lawsuit; it is good for business. If you think about having a choice of doing business with two separate businesses and they’re both identical in every way, but one has a really strong culture of compliance, and one is lax in that area, I think everyone would choose to do business with the one with a strong culture of compliance.”
As with all things policy-related, that may be easier said than done.
“I get asked a lot of questions about policies,” said Michael. “‘What do we do with policies?’ ‘How do we make the policies?’ ‘We have a culture of compliance—now how do we make the policies to show that?’ One of the top things to do is start with a mission statement or vision statement for the company. All compliance actions should be in line with that statement.”
According to Michael, a mission statement gives context for why a policy is in place. Indeed, context is key for communicating why any policy is important: employees should understand not only what they’re being asked to do, but the reasoning behind it. Michael explained why organizations need to go beyond “because I said so”:
“What I tend to have clients do is not just say, ‘this is what the law says, and this is what we do, so here’s how we have to comply with that.’ I like to have them start with, ‘What’s the purpose of the law?’ Let’s talk about who the law was intended to protect. What are the risks that can happen to these people? What are we protecting them from?”
Michael doesn’t give this advice to simply encourage legal education. The Consumer Financial Protection Bureau, state attorneys general, and other regulators—as well as plaintiffs’ attorneys—look at both technical definitions and the intent of regulations when going after companies.
Kirby concurred. She told us that her husband, an attorney, often says, “laws don’t just exist; they exist for a reason.” She then told us that employees should understand the real-world, indirect impact of lawbreaking as well:
“If your organization ends up breaking the law, the implications for that are a whole lot more than a fine, or that somebody goes to jail. The implications of that are reputational as much as anything else. We live in a very open world from an evaluation standpoint, and how you are evaluated by potential customers is a big deal. You can lose that evaluation very, very quickly because of the visibility of anyone engaging in misconduct. I can’t emphasize it enough: you just don’t want to be in a situation where you are inadvertently doing something that breaks that law because you didn’t understand the intent of the law and you really didn’t understand the intent of what was going to happen reputationally.”
Continuing on the topic of policy creation, Michael said that the ideal process starts at the top with a mission statement, and is then developed down to a narrower, boots-on-the-ground approach: “That includes even saying who’s responsible for each of these areas. It goes back to having an org chart, and getting very specific about how all these policies are going to be implemented.”
He then explained the role of a compliance management system in reviewing and updating policies over time:
“There are always new things happening: new technologies, new changes in the way laws are interpreted, change in the laws themselves. Congress outlawed unfair, deceptive, and abusive acts and practices in 1938, and if anyone has a policy on their shelf from 1938 that hasn’t been updated, we have a problem. So, it’s something that has to be updated regularly. It has to be reviewed. And that’s part of this whole compliance management system process. The policies themselves have to be adopted and they have to be changed when conditions warrant it.”
“You have these programs and policies that you’re implementing: Do they work or do they not work? Part of finding that out is through the audit process, because it does you no good to have a policy that doesn’t effectively address the issues it’s meant to address. If you have a policy implemented that maybe 3 times out of 10 actually catches the issue, that’s something that you need to find out. And part of the way you find that out is through auditing.”
As you might imagine, audits are highly useful for boards, as an audit provides insight into day-to-day operations board members typically don’t observe in person (they’re busy, remember?). In fact, according to Kirby, many boards actually like audits and will be the ones to initiate them in advance of the discovery of any known risk:
“After a scandal makes the news, most boards immediately commence some sort of an audit program to look for similar issues within their organization. It sets up a situation for a discussion: ‘Have we really covered the risks this company has? Have we missed anything in our general audit that would be a risk that we need to include in our audits going forward?’ This becomes a very important discussion to have because the board is responsible for making sure that there are no risks to the company. They do not want to be in a situation where something comes up that is detrimental to the company—and their shareholders or their owners—in a way that comes out of left field.”
Michael added that when new laws or interpretations of laws present possible liabilities, an audit is the quickest and most effective way to determine whether a CMS can handle the issue:
“It addresses effectiveness. It addresses what you need to do to change those programs to make them more effective. And then, it fills in any gaps that you may have in policies themselves, and that can be reported back then to the board so that something can be done about it. But it all stems from doing audits.”
What does Kirby, as a board member, like to see from audits?
“Obviously, I like to see the triggers to the audit—and triggers from my standpoint are, ‘What are the regulations, the court cases, the reputational examples?’ What are the things that we are just automatically looking at as a part of that audit? What’s our approach? What are the data telling us? Is there something that we’re not covering? And then, ‘What’s the follow-up?’ Should we follow up on that? Is there something that we’re covering but it came out a little in the gray area, and we need to be careful about that?”
“Reporting back to the board really closes the loop on that cyclical system,” said Michael. “From a board perspective, and from my perspective as a lawyer, I want to see everything that is documented as much as I can. I want to see the whole process documented in the system, so that when we know what has happened—what the organization has done to be able to get that information back to the board—the board can make a decision.”
Organizations must determine reporting metrics and frequency. “Work with your board to define which information about your compliance program they need to review, and how often,” said Kirby. “Deliver what they need—no more, no less—on time.”
What information should the compliance team report? Although the answer varies from organization to organization, Michael told us that boards should be wary of reports that show nothing but positive outcomes:
“I would caution anyone on a board to take a completely positive report with a grain of salt. That may be a reason for you to look a little bit deeper. It would be very unusual to have all positive results from either an audit or from any kind of feedback that gets back to a board from reporting.”
If results come back negative—as they sometimes should—the team ought to propose an action plan to remedy the situation.
“Take initiative to reduce the time and energy your board spends brainstorming solutions,” said Michael. “It’s a good idea to collect input from employees with different roles to get various perspectives on the issues and what may impede any proposed action plan. Once you have adopted a new action plan to remedy the situation, stress test it to determine whether it should be further revised—it’s not good enough to implement and let it sit.”
The reporting team should also provide context for changes in results. Kirby advised our audience that when results differ from one report to the next, “don’t leave it entirely to your board to interpret why.”
“Give them the tools they need to make high-level decisions. In other words, if the results go down, the results go up—and they will—why? What’s changing? Often the changes will be a result of a strategy change, for instance. Sometimes those changes will be a result of management changes, or a significant hiring influx, or a downsizing situation. There are all kinds of reasons. And, as Michael said, boards get real nervous when everything looks real good, because often that just says that the company is not in a change-ready mode. And most companies always need to be in a change mode.”
Change-readiness is particularly important in today’s regulatory environment. As regulations change, your CMS should change, too. Michael told us that automation makes it easy to stay on top of new laws and industry practices, as most organizations do not have the resources to continually, manually monitor new laws, new interpretations of existing laws, developing industry practices, and rising threats.
Finally, the compliance team should educate your board on any new programs implemented.
“The best way to educate your board is to involve them,” said Kirby. “In other words, if you’ve implemented something, let the board try it, let the owners try it, let them see what you’re doing. You can’t do anything more impressive than that.”
Looking for more ways to impress your board? For additional guidance on board of director oversight from Kirby and Michael—and from Compli Sales Director Brian Larson, who moderated the conversation—make sure to check out the on-demand webinar, Executive Oversight: What regulators say, and what your execs want to know.