Five dysfunctions of compliance
There are five main reasons as to why a compliance team may not be highly respected by the business or is generally regarded as dysfunctional. Addressing these will go a long way to making sure that compliance is seen as a useful and value-adding business team.
1. Lack of alignment
Compliance teams are there to help businesses. Charities and non-government organisations aside, businesses are there to make a profit. The role of management teams is to execute the strategy of their board and generate shareholder value. That shareholder value is not about the value of the brand, nor is it about how the company looks across the industry – it is solely about how much the company’s shares are worth. The compliance team’s needs and those of the shareholders are aligned as compliance’s role is to increase the value of the business’s shares.
There are a number of reasons for shares changing in value that are beyond the control of a compliance team (for example, macroeconomic changes or stock market changes); however, most increases in share prices come down to something that a compliance team can control: assets and liabilities, or profit. At the end of the day, profit generates share value and increasing profits will in turn increase the value of shares (assuming that the market is reasonably stable). That being said, the compliance team – as part of management – needs to think about how it contributes to profits (that is, increasing revenue and decreasing costs).
Alignment between the compliance team and the business is essential. When the two are not aligned the business loses trust in compliance’s value and the team is seen as dysfunctional. Compliance must get aligned by mapping its goals directly against the business’s goals.
2. Lack of metrics on value
Every part of the business world works off numbers: speaking in terms of growth and in percentages, graphs, pie charts and red or amber or green lights, and talking about changes over time and the causes for certain abnormalities. If the compliance team doesn’t share that view and cannot produce metrics about compliance at the push of a button and, more importantly, show how they are aligned to the business, then the compliance department is dysfunctional.
If your compliance metrics are not up to scratch you need to invest in some tools to get them there. However, tools will not do the entire job for you – you must re-engineer the compliance programme itself to allow for it to be measured in the first place. Many compliance programmes simply don’t have any measurement attached to them or the measurement is totally obvious and therefore useless (such as keeping training records). More effective metrics are those where you can see the direct impact of the compliance programme on the business, such as measuring the number of people trained versus the number of violations or issues identified over time and the increase in revenue.
3. Lack of knowledge
Working in compliance is challenging: a compliance team needs to understand compliance and the law, but, more importantly, it must understand the business. There is nothing more dysfunctional than a compliance team that focuses inwards, learning about compliance but not enough about business.
Everyone in the compliance team needs to know the facts about the business: its drivers, its numbers, where the risks are and the identity of all of its stakeholders. If you do not have a business mind you are in the wrong job.
Knowledge must also extend to how compliance can add value to the business. You need to be ready with great examples and real facts to demonstrate how compliance adds value. Use your metrics for this purpose.
4. Lack of communication
A compliance team is dysfunctional if it does not communicate. Too many compliance teams spend all their time on training and not enough on communication.
Communication should not only include emails regarding recent cases or competitors getting into trouble, but also encompass several different forms of delivery. It should address all of the stakeholders that are relevant to compliance – both internal and external.
A dysfunctional compliance team is one that hides away from the business, fights to get any airtime or simply doesn’t appear at the front of the minds of those within the business.
5. Lack of trust
All of the above dysfunctions contribute to the potential lack of trust that the business has in compliance. If there is a lack of respect and/or trust, then the compliance function is always going to be seen as an audit function.
It takes a great deal of work to build a business’s trust in its compliance team. To do this, a compliance team must listen to, communicate with, align to and engage the business. This means understanding the business, allowing the business teams to be heard, and aligning the objectives of compliance back to their business objectives.
[Case study] How to make compliance a core element of your company’s culture – it’s not just self-assessments and audits
The company has a global compliance function as part of their legal department. This group is responsible for, among other things, creating anti-corruption programmes. The team is based in the company’s United States headquarters and does not have any international or regional headquarter resources aligned with the sales units. They have been around for a long time and have a solid programme in place at a corporate level (policies, procedures, self-assessment and e-learning). They have all the necessary pieces of the programme, and even tour the conference circuit speaking about how well the company manages compliance.
What are the challenges?
Spread around the world is a ‘Compliance & Controls’ team of more than 40 people. They report directly to the finance officers in the countries in which they operate, and they dotted-line report to multiple places – some to internal audit and some to a worldwide Compliance & Controls manager in headquarters’ finance group. None report to the legal function – either at corporate or local level – and they certainly do not report to the general counsel or the chief compliance officer (CCO) (and only ever meet with the CCO as a group for an annual meeting, which lasts for one hour).
This Compliance & Controls team did manage to get a meeting with the head of anti-corruption. In the meeting it was made clear that the anti-corruption team took the view that the Compliance & Controls managers were responsible for compliance in each country in which they operate, and that they could reach out to the head of anti-corruption if they had any questions. They never had the chance to speak to any other functional compliance people, nor did they get the chance to speak to the CCO.
What is happening
The Compliance & Controls team is made up entirely of finance people hired into the local finance teams. They are accountants and have backgrounds in finance, controls and internal audit. They predominantly spend their time on audits and business reviews, which are essentially some self-assessment dashboards for which they are required to maintain a 90 to 95 percent achievement. The actual audits themselves are focused on all aspects of spend management, but mainly cover channel payments, discount approvals and processes around pricing. It is acknowledged that some of this may have something to do with the global compliance programmes run by corporate, but realistically the Compliance & Controls team does not see any connection. The audits are entirely reactive and focus on historical issues; they do not in any way address predictive risks or risks that are emerging at a country level.
The team just focuses on its deliverables and business reviews and never really sees the strategic effect of its role and how it connects into the global compliance programme. At the end of the day, the team is simply made up of execution-based tactical-driven control officers focusing on spend management.
After meeting with several of the people in the Compliance & Controls team, the message was very clear and consistent in that the team:
- wants to be true ‘compliance’ people
- wants to be proactive rather than reactive
- wants to fix issues rather than audit them
- wants to be a globally consistent team yet feels that, since it was hired locally and reports locally, it has no true job family, no common job descriptions or levels, and very different skills across the team
- feels that there are massive gaps in the global compliance programme in countries and that it is perfectly positioned to address them
- wants a common set of priorities or goals across the team
- does not have the respect of the business teams in some countries because members are not senior enough and are seen as finance managers
- feels that, despite being seen as responsible for ‘compliance’ in their country by corporate, it does not have any real responsibility.
There are a number of clear issues in this company and in the way that it handles compliance. There are some great things that the company is doing. It has the resources and the budget, it is in a growing market, it has a great brand for compliance, and, most importantly, it has great people that is desperate to do more.
The challenge for this company is that allowing the Compliance & Controls team to function better means evolving its structure, releasing some stronghold on the staff and taking a different approach.
Key areas to address
Almost any variation of reporting lines is workable, whether ‘solid’ or ‘dotted’. It comes down to personal preference and the type of company as to whether or not the local compliance team solid-line reports locally or to headquarters; however, ideally it will solid-line report to the global compliance head and dotted-line report to local management. It will, of course, be a business partner to the local teams at all times, irrespective of where it reports. This reaches a balance and gives the independence that is often required by compliance while supporting the business ‘owning’ compliance and helping it with implementation.
While both options are possible and certainly workable, one thing is fairly clear: having a compliance team report to the local finance team is a mistake. Reporting to finance often means that the team looks solely at financial compliance (whereas if it reports to the business or to legal it tends to have a broader scope). Reporting to legal often helps in the claim of privilege over certain parts of the team’s role if that privilege is to be invoked, while reporting to the business gives the team the level and seniority that it needs to be effective as a valid business partner. Due to the way that a finance department is built and the various layers within the hierarchy of finance (which are much more pronounced and consistent globally than in a legal team), even someone at a manager level is seen as fairly junior (because finance people often hire from the Big 4, even director titles are not that senior in financial circles). Therefore, if a Compliance & Controls manager is reporting to finance they will not be seen as senior enough to be given the necessary respect.
Understanding the role of the compliance function versus auditing and self-assessments
It seems that there is a misunderstanding across the company about what the Compliance & Controls team actually does. Members of the worldwide compliance team think that members of the Compliance & Controls team are the people around the globe who work on compliance. The Compliance & Controls team also strongly supports and locally manages the activities of internal audit, which places it in an even more challenging position because it means that it is focused on auditing and conducting business reviews. This means that the team ends up doing audits and chasing down gaps in financial reporting, and is responsible for the internal audit dashboard and making things look positive.
Clearly this is a fallacy: they are focused on spend management and self-assessments, not building and implementing a compliance programme in local markets. Even across the Compliance & Controls team itself, there is a difference of opinion of the roles. This is certainly complicated by the fact that there is no common agreement and structure in which to manage the roles.
A sure way to upset other people within the business is to focus on audits and self-assessments as they are typically negatively received and seen as adding little value to a compliance programme. There is certainly a role for self-assessments, but they are just a small piece of a large puzzle around compliance. Too much focus on self-assessments and auditing will lead to a tick-the-box mentality. Focus should instead be on:
- building a simple programme
- process excellence
- behaviour change
- process implementation and change management
- integrity discussions
- reviews and forums to assess integrity buy-in
- monitoring solutions to make sure compliance is adding value.
Group and position naming
Just the name of the team – ‘Compliance & Controls’ – is a real problem. If the model is going to stay the way that it is (with the team reporting to finance and dotted-line reporting to internal audit but ‘working with the CCO’), then the name of the team should be changed to something such as ‘Business Process Excellence’ or just ‘Business Excellence’. This focuses on the positives rather than the negative elements of ‘compliance’ and ‘controls’.
If the company restructures the group entirely, then the solid lines should change to compliance at a corporate level and dotted lines locally to the business. In these cases, the position titles should be changed to ‘Head of Compliance’ or ‘Director of Compliance’ for each particular country or region.
Certainly one of the biggest challenges in gaining a great business partner in compliance is the name itself. In some cases, it is better to take the roles even further to consider governance, risk and compliance (GRC) in each country. This will support the business to look at its overall governance model (including local directors and subsidiaries), the risks that are facing that local company (either as advised by a global worldwide risk group or defined locally through a local risk assessment), and, of course, the compliance of key local legal and regulatory issues, corporate codes of conduct, policies and global compliance programmes.
Global implementations and focus
The issue with a structure such as that of this company is that the consistency of global implementations is at risk. There is no common implementation model because the things being implemented are likely to be different. In fact, the Compliance & Controls team is not implementing the headquarters’ compliance programme, which is a problem in itself. Certainly, when hiring for these roles locally (especially into finance), it is going to be tough to get a globally consistent style and approach. It will also be hard to get similar levels across the globe and even similar job descriptions. To really get value out of a global team you need to have very clear goals and objectives. The goals need to be prioritised and pushed down to each person individually; while the goals may be the same, the prioritisation in each country may be different.
The Compliance & Controls team often lacks a consistent set of priorities as there is no central leadership (i.e. from the CCO) to set the goals and priorities of the team. If these priorities are being set, they are limited to reviews, assessments, policies and auditing. If the plan is to continue to report locally, then there needs to be a common bridge so every person in the team is aligned. It is certainly preferred that this is led by the global compliance office, not by the internal audit or ‘controls’ group. Compliance is much more than reviews and audits, and not focusing on that is certainly causing a gap. The Compliance & Controls team would much prefer to be proactive than reactive.
Business partnering is a key aspect for any person involved in a function that supports the business. It will be very hard for someone in Compliance & Controls to really influence change – the name of the role is a problem, reporting to finance is a problem, lack of seniority is a problem and the work that is being done (primarily auditing) is a problem. All of these problems can be overcome if you have an extraordinarily talented Compliance & Controls person, or a person that simply bucks the position and focuses on what they should be doing instead of what they are structured to do. The business needs business partners locally to help with compliance and to educate, train, communicate, change behaviours as well as implement fixtures to counsel, coach and assist in making compliance a competitive advantage. It is hard to be a business partner when you are auditing and placing controls on people and actions.
There are a number of things that need to evolve in this company to capture the fantastic skillset that it has locally. The company has a really talented group of people that, if instructed appropriately and leveraged, could be a fantastic asset to the CCO and internal audit and finance teams.
To get the most out of the team, the executives who control this function (all of them in various capacities) should:
- change the reporting lines to the CCO, or, as a second option, a worldwide excellence team reporting to the business (preferably to the sales function)
- change the focus of the group to GRC, with an emphasis on implementing and controlling the global risk and compliance programmes, as instructed by headquarters’ risk and compliance office
- make self-assessment and spend management a responsibility of the finance team (as they should be anyway)
- make internal audits the responsibility of the audits team (as they should be anyway)
- leverage the Compliance & Controls team to do more with less and focus on broader compliance issues – not just spend management
- re-level some of the people in the Compliance & Controls team and bring in consistent job descriptions, titles, roles and reporting lines
- manage compliance with a great, new and focused team.