Post By: Duncan Milne, Risk & Compliance Director, Bupa, Miami, Florida
With the sheer breadth of most compliance programs in large international organizations and the number of policies, reports and KRIs to follow, it can be easy to lose focus of the bigger picture and to default towards just keeping the machine running. Generating this content can become an industry in itself and with a desire to demonstrate productivity, compliance officers can fall into the trap of measuring the input – how many reports or spreadsheets did I issue, how many training sessions did I run – rather than the output and whether it is actually having any positive impact on the business.
This approach significantly reduces the impact of the compliance program – senior management and the wider business can then view the compliance function as one of form over substance and a purely administrative cost center – something they are required to have rather than something they actually need. Or worse still, something that actually impedes business performance rather than enhancing it. It can be demotivating to compliance teams, generating endless content that nobody ends up reading, with any valuable insights getting lost in the trees.
This input-led approach is also at odds with modern regulator expectations. The Department of Justice emphasize the need for the compliance program to “work in practice” and many regulators both domestically and internationally are moving towards more principles-based regulation, where they are concerned less with prescriptive rules, but more about what the impacts or outcomes are on end consumers.
What are the signs that the process might be outweighing the outcome?
There are a number of warning signs which might indicate this is an issue in any organization, for example:
- An over-emphasis on reporting – with lack of clarity over who actually reads or acts on those reports
- Overly prescriptive and detailed compliance frameworks
- Too much focus on drafting policies, rather than actually engaging with how they work in practice
- The time required to complete compliance-related processes exceeds the value they add
- Equal focus on all compliance risks, irrespective of materiality (ie not taking a risk-based approach)
- No clear direction or measurable progress of the compliance program – who is holding the compliance program to account?
What steps can be taken to create a more impactful and outcomes-focused approach?
As with many things, the key is finding the right balance, and compliance leaders should regularly take stock of the amount of time being spent by their teams on purely repackaging and redistributing information. All good organizations clearly require prompt escalation, but where compliance teams can add value in that process is to not merely be a mailbox, but to interpret, bring clarity and digest issues in a way that facilitates decisions and solutions. Using the compliance teams’ experience to be part of those solutions rather than just highlighting issues, creates much more value and true partnership with other areas of the business and leads to a more engaged and motivated team.
It is a good idea to also spend time ‘in the field’ to really understand how the Code of Conduct and other frameworks are landing with front line staff. Are they clear and do staff understand the why just as much as the what and the how? How can frontline staff themselves become influencers and champions to the ultimate goals you are looking to achieve? Being able to demonstrate how compliance forms part of the value chain and is aligned with the company strategy is key and requires first class communication skills to bring those connections to life.
Simplicity can sometimes be best when it comes to certain areas and to avoid becoming too prescriptive with policies. In global businesses in particular, there may be many different means of getting to the same outcome and a degree of flexibility in the journey, while still being clear on the desired outcome, can be much a more effective way of staying on track.
Finally, the target outcomes of the compliance program should be specific and measurable and regularly reviewed with the Board. There may be a number of reasons why outcomes are not always achieved, and this may or may not be attributable to the compliance team, but in any event the team should be held to account in the same way as any other area of the organization when plans are not met.