Compliance Administration – Workshop 1 (Compliance Essentials)
The Appleton Greene Corporate Training Program (CTP) for Compliance Administration is provided by Mr. Nelson Certified Learning Provider (CLP). Program Specifications: Monthly cost USD$2,500.00; Monthly Workshops 6 hours; Monthly Support 4 hours; Program Duration 12 months; Program orders subject to ongoing availability.
Learning Provider Profile
Mr. Nelson is a Certified Learning Provider (CLP) at Appleton Greene. He has executive leadership and management experience in Operation Workflow, Financial Services, Regulatory Compliance and Consulting. His academic achievements include a Bachelor of Business Administration from the University of Miami and a Master of Business Administration from Nova Southeastern University. He is a Certified Compliance Professional, dedicated to developing and implementing operational processes and workflows, integrating automated and Artificial Intelligence technology to effectively administer and manage compliance programs. Mr. Nelson maintains active membership in professional associations such as the National Society of Compliance Professionals (NSCP) and the American Society of Administrative Professionals (ASAP).
MOST Analysis
Mission Statement
Before an organization starts creating a compliance program, the first thing that it needs to know is the essential elements for the compliance program. The organization has to do some diligent research on the applicable laws and regulations. But simply communicating these regulations and standards to employees will not make them comply from day one. The company has to appoint a dedicated compliance administration team that will take care of all related activities. The team has to design and implement all the administrative processes to ensure compliance with organizational policies. They will also be responsible for updating the policies and monitoring compliance on a regular basis.
The organization will need a strong strategy for the implementation of the compliance program. The strategy has to define whether the organization will take a rigid or flexible approach to compliance, or switch between the two based on circumstances.
Training of employees to educate them about the laws, standards, and codes of conduct is essential. Without periodic training, employees cannot be expected to commit to compliance or understand its importance. Along with periodic training, monitoring and audits are equally important. Monitoring with established protocols and controls allows the organization to identify gaps in the compliance program and remediate them in time. Audits and reporting help prevent non-compliance and associated penalties.
It is also important to document and report any exceptions to compliance that may have been made. Untracked or undocumented exceptions may be treated as non-compliance during external audits and may land the organization in trouble.
Objectives
01. Culture: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
02. Incentives & Rewards: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
03. Enforcement & Discipline: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
04. Accountability: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
05. Risk Assessment: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
06. Compliance Officers: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
07. Policies & Procedures: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
08. Communication & Training: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
09. Monitoring & Auditing: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
10. Issues Management: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
11. Metrics: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
12. Technology: departmental SWOT analysis; strategy research & development. Time Allocated: 1 Month
Strategies
01. Culture: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
02. Incentives & Rewards: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
03. Enforcement & Discipline: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
04. Accountability: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
05. Risk Assessment: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
06. Compliance Officers: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
07. Policies & Procedures: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
08. Communication & Training: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
09. Monitoring & Auditing: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
10. Issues Management: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
11. Metrics: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
12. Technology: Each individual department head to undertake departmental SWOT analysis; strategy research & development.
Tasks
01. Create a task on your calendar, to be completed within the next month, to analyze Culture.
02. Create a task on your calendar, to be completed within the next month, to analyze Incentives & Rewards.
03. Create a task on your calendar, to be completed within the next month, to analyze Enforcement & Discipline.
04. Create a task on your calendar, to be completed within the next month, to analyze Accountability.
05. Create a task on your calendar, to be completed within the next month, to analyze Risk Assessment.
06. Create a task on your calendar, to be completed within the next month, to analyze Compliance Officers.
07. Create a task on your calendar, to be completed within the next month, to analyze Policies & Procedures.
08. Create a task on your calendar, to be completed within the next month, to analyze Communication & Training.
09. Create a task on your calendar, to be completed within the next month, to analyze Monitoring & Auditing.
10. Create a task on your calendar, to be completed within the next month, to analyze Issues Management.
11. Create a task on your calendar, to be completed within the next month, to analyze Metrics.
12. Create a task on your calendar, to be completed within the next month, to analyze Technology.
Introduction
Legal and regulatory compliance failures have caused major reputational and financial damage to businesses across industries. Most had what they thought were appropriate compliance procedures in place, but they didn’t seem to function. Compliance is receiving an increasing amount of corporate resources, as well as more attention in the C-suite and board room, yet anxiety remains—and rightly so. While keeping a watch on regulatory actions, legal and compliance professionals have attempted to merge their compliance processes from fragmented parts into a cohesive whole. However, we are seeing a significant shift in what important regulators are looking at and using to determine whether or not to pursue enforcement proceedings. With that backdrop in mind, and taking into account what recent experience has shown to work in the “real world,” businesses may now build extremely effective and efficient compliance procedures. In this article, an excerpt from his recently published white paper sponsored by IBM OpenPages, Richard M. (Rick) Steinberg outlines these game-changers and provides a roadmap with 10 essential elements to get programs where management and boards need and want them to be in achieving compliance objectives.
Introduction
If you’re a CEO, director, general counsel, compliance officer, risk officer, or someone else in charge of your company’s legal and regulatory compliance, you’re undoubtedly concerned, if not alarmed. When it comes to supply chain, product liability, marketing, antitrust, mergers and acquisitions, and alliance partners (such as resellers, distributors, agents, or joint venture partners), the list appears to go on and on. You have a feeling that people in your organization are aware of wrongdoing but aren’t reporting it. You’re spending more money on your compliance program and trying harder to track results, but you’re still not convinced it’s working.
Regulatory compliance enforcement efforts have brought corporations across industries to their knees in recent years. Indeed, legal and regulatory compliance has risen to the top of the C-suite’s and boardroom’s priority list, outshining strategy, operational execution, risk management, and CEO compensation. Too much time is taken away from “running the business,” and even as compliance costs continue to grow, many organizations’ compliance strategies fall short.
Officials from the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) have spoken about their “carrot and stick” strategy, with the SEC and DOJ being more lenient when a compliance program is good and harder enforcers when it is not. Directors are cognizant of Delaware Chancery and Supreme Court decisions that highlight the board’s role in maintaining effective compliance programs. In addition, the modified federal sentencing guidelines for criminal wrongdoing, as well as company initiatives for analyzing and eliminating related risks, are discussed.
With over 2,000 pages of new regulations introduced just last year, split over six laws, financial services is bearing the brunt of additional regulation. The Dodd-Frank Act alone is likely to grow to 5,000 pages over time. Though it is becoming increasingly challenging, the financial industry is working hard to design incoming laws so that they do not excessively hinder company opportunities and the industry’s future health. However, there’s no denying that legal and regulatory compliance affects every industry, and keeping up has become more difficult.
A New Direction For Regulation
For years, the SEC and DOJ have stressed how they give corporations “credit” for having an effective compliance program in investigations and enforcement actions. Many general counsels, chief compliance officers, and others have recognized this as one of several grounds for bolstering internal processes. However, there was little direct proof until recently that the regulators’ message was backed up by action. Indeed, it appears that the emphasis was on encouraging a corporation to build an effective compliance program after a failure rather than praising them for having one before the loss. Furthermore, businesses have complained about inconsistent regulatory enforcement techniques and have urged for more transparency and uniformity. Now we’ve got a game changer, and it’s definitely worth paying attention to.
Case Study
The case involves Morgan Stanley, where compliance issues arose after Garth Peterson, a managing director, allegedly persuaded the firm to sell a real estate interest to a Chinese state-owned company; however, the company turned out to be a shell company in which Peterson had a direct interest, with cash payments to Chinese officials and himself. Peterson pleaded guilty and could face a six-figure fine and five years in prison if he is found guilty. But the true story here is what happened to Morgan Stanley, or rather what didn’t. The Department of Justice and the Securities and Exchange Commission decided not to pursue any enforcement action against the corporation. Morgan Stanley already has a robust compliance framework in place, complete with essential internal controls. It provided thorough training to its personnel, compliance reminders, annual confirmations by personnel, and constant monitoring, as well as frequently updating systems to reflect risks of misconduct. And, when evidence of wrongdoing appeared, the firm launched and completed a thorough inquiry right away.
Morgan Stanley’s reputation is actually boosted by its obvious presentation of good compliance and operational practices. The message has never been more obvious. Cover up the situation and deal with irate regulators and shareholders. If you have a good compliance system in place and do the right thing, the regulators and others will look favorably on your organization.
What Does “Effective” Mean?
Compliance officers have been bombarded with information on what makes a good compliance process and how to create and manage one. In a series of memoranda from the Justice Department, regulators have outlined what are considered as five “must haves” for an effective system, including the McNulty Memo. The Federal Sentencing Guidelines also provide guidance.
Maintaining a compliance process that follows regulators’ rules is certainly a good idea, but having a truly effective process is even more crucial. That is, organizations with successful compliance processes that avoid substantial instances of non-compliance will often evade regulators’ notice in the first place. Beyond regulatory inquiries and enforcement actions, there are corporate incentives to avoiding compliance failures.
But what if the demands of regulators were truly in line with what actually works? That would be an excellent model to follow. One regulator, the SEC’s Office of Compliance Inspections and Examinations (OCIE), appears to have gotten it right.
OCIE of SEC
If you work in the financial services business, you’re aware that the OCIE’s mandate is broad, encompassing compliance, fraud prevention, and risk management. When it comes to fraud, for example, its examiners look for signs of insider trading, market manipulation, and Ponzi schemes and cooperate with the SEC’s Enforcement Division to prosecute them. When it comes to organizations subject to examination, the OCIE casts a wide net, including not only broker-dealers, transfer agents, investment advisers, and investment companies (and now, thanks to the Dodd-Frank Act, private equity and hedge funds), but also stock exchanges, clearing agencies, credit rating agencies, the Financial Industry Regulatory Authority, and the Public Company Accounting Oversight Board, among others. But, more crucially, its director, Carlo di Florio, has defined effective compliance procedures in a way that cuts across industries.
Di Florio shares essential details on how he and his team carry out the OCIE’s comprehensive goal.
What Makes Effective Compliance Processes?
Di Florio identifies eleven components that, when combined, result in effective compliance programs (and which also, by the way, reflect the U.S. Federal Sentencing Guidelines). Here, we start with each of the parts and build on them to add knowledge gathered from years of experience witnessing organizations’ compliance programs progress from rudimentary to holistic, establishing a roadmap to achieving truly successful and efficient corporate compliance programs.
Governance
Despite the claims of certain so-called experts, compliance is the responsibility of management, not the board of directors. That said, the board has a critical role to play in overseeing compliance measures and ensuring that management has built an effective procedure. To that purpose, the board must receive regular briefings from the CEO, Chief Compliance Officer, and others on the process’ design and operation, as well as data demonstrating its efficacy (see “metrics” below). However, we’ve seen compliance programs built with the primary goal of producing reports for the board of directors, and they don’t perform very well. Effective compliance management should naturally lead to reporting, with the primary focus on assuring the mindsets and activities that drive effective compliance.
Accountability, Culture, and Values
Perhaps nothing is more vital to effective compliance than an organization’s culture, which includes the tone set at the top and is founded on ethical ideals and unambiguous accountability. The actions of top management, which must be consistent with their statements, and supported by managers and supervisory workers across the organization, form the foundation of a company’s culture. A compliance program without integrity will have form but no substance, and will eventually fail to achieve its goals. Organizations that behave with integrity and ethical ideals, without a doubt, attract the best employees, customers, suppliers, alliance partners, and so on. While it’s difficult to link a positive corporate culture to financial performance, there are signs that it exists. According to the 2011 Edelman Trust Barometer, 85 percent of global respondents said they bought items or services from firms they trusted, while 73 percent said they refused to buy from organizations they didn’t trust. Another company, the Ethisphere Institute, discovered a link, finding that highly ethical businesses beat competitors by seven to eight percent annually.
Motivators and Rewards
Having genuine incentives for ethical behavior, as well as associated rewards and corrective actions, is closely tied to responsibility. Many organizations have leaders that talk a good game but fail to incorporate compliance into their HR practices. Objective-setting, performance appraisal, and related promotion and compensation-adjustment processes must all include compliance duties. As a result, compliance is essentially the duty of each and every line and staff management in their domains of responsibility, rather than a compliance officer. Building compliance into company operations requires this strategy, which makes compliance not only more effective, but also more efficient.
Management of Risk
To manage potential exposure, business processes must reflect relevant compliance-related risks, with policies and protocols developed inside the business process. Risks must be defined in terms of where and how noncompliance can occur, the possibility of it occurring, and the impact on the company if it does, as well as the speed with which such an event can occur. When risks and needs are determined, resources can be directed to where they will be most effective, lowering risks to tolerable levels.
Procedures and Policies
Written policies are the foundation of what defines appropriate activities and behavior, so policy administration has become an art unto itself. We’ve seen policies written in legalese with a jumble of elements and formats, all of which are in various stages of completion or modification and are difficult to find when needed. As a result, employees find it difficult, if not impossible, to recognize what acts are and are not appropriate in everyday situations. Policies should follow a consistent framework, be risk-based, relevant, transparent, and easy to understand and access, and be trusted so that employees know they have been approved and can be trusted. The policy lifecycle should be maintained, with libraries based on the most recent legislation and regulations, version control, and modifications tracked, reviewed, and approved, as well as links to specific business operations and amended duties.
Training and Communication
Each employee in a company must understand what is required of them and why doing so is in their best interests as well as the organization’s. Employees must comprehend the rationale behind the regulations in order to benefit the company, its employees, customers, and others. Employees who don’t understand why they’re required to accomplish something will, at best, go through the motions with a checklist mentality. Clear communication from the top of the organization is required, proving that senior management is in charge of compliance programs. Classroom and computer-based educational programs, as well as on-the-job reinforcement by unit leaders, should be in place not just upon hire, but on a continuous basis. We understand the value of having open, accessible, and successful internal or outsourced whistleblower channels, and we also recognize that valuable information can be gleaned through social networking sites, exit interviews, and internal audit findings.
Reporting and Monitoring
These aspects are critical and should be incorporated into the business and management operations. When supervisory and management staff closest to the action are aware of actions and monitor them in the usual course of business, compliance is most successful. Upstream reporting is crucial, but it should not be the foundation of fundamental compliance process design, as previously stated. Rather, reporting should be integrated with information flows inside management processes, with a compliance office monitoring to ensure timely and effective communication of important information. Additionally, in the normal course of running a business unit, hands-on managers can test processes and information flows, with extra, focused testing performed by the internal audit function in cooperation with the compliance office and business unit leadership.
Discipline, Investigation, and Escalation
Employees must feel at ease and understand the necessity of reporting problems in a private and anonymous manner if requested. Employees are usually comfortable reporting potential misbehavior through their customary reporting procedures, which can be beneficial in firms with the correct culture and ethical norms. Simultaneously, it’s vital to have an alternate channel in place—a hot line or whistleblower channel—that can be relied on and used when necessary. Such confidence entails a firm belief that not only will there be no reprisal, but that those who report would be praised. Employees being informed of actions made as a result of their reports is a make-or-break issue, according to experience.
Management of Problems
When a compliance issue arises, action must be taken to determine what happened, the severity and consequences of the occurrence, and the repair steps required. Internal reporting should be escalated up the management ranks and, if warranted, to the board, with external reporting given due consideration. If the matter is sufficiently serious, an investigation should be conducted, with the assistance of outside legal or other consultants as needed. Understanding why the compliance process enabled the incident to happen, reassessing the associated risks, and identifying what systemic corrective action, such as improving processes, procedures, controls, or other components of the compliance process, may be required are also crucial.
An Ongoing Process of Improvement
Circumstances and practices evolve, much like other aspects of the business process, and management should stay on top of new developments. New rules and regulations, as well as pertinent legal cases, emerge, technology progresses, and experience shapes leading practices. The legal counsel should be in charge of tracking new mandates and requirements and alerting the relevant business units and compliance office of their ramifications, according to experience. Legal and compliance departments work with business units to decide what enhancements to policies that apply to everyone. Typically, business units are most qualified to assess what modifications to procedures and standards in business processes should be made, with compliance office approval.
Additional Thoughts
In addition to the ten criteria listed above, there are several other factors to consider when developing a successful compliance program.
Metrics
Compliance departments have long tried to assess the efficacy of the company’s compliance program, whether motivated by a desire to demonstrate and improve performance, or by CEOs, boards, regulators, or business partners. Many have looked at metrics like the number and type of non-compliance issues, as well as the number of calls to the company’s hotline or whistleblower channel, for years. Over time, it became clear that such measurements did not adequately address the inherent dangers or the company’s people’s mindset. Few cases of misconduct did not imply that the risks were minimal, and few calls to the hotline did not signal that there were few issues—in fact, a lack of calls could simply indicate that individuals do not trust the system. Some businesses have accumulated statistics on ethics and compliance training, as well as staff certificates for knowledge and adherence to the code of conduct, but these efforts have been deemed insufficient.
Compliance measurements have gotten more insightful in recent years. Some businesses use a simple metric to determine which areas of their online code of conduct are receiving traffic, indicating where problems may arise. Some organizations keep track of the quantity and types of reports received via standard management channels versus the hotline. Others are concerned with the nature and types of complaints presented, internal sources, and whether calls are anonymous or caller-identified. Some companies follow up with people who file reports to see how comfortable they are with the process. Real-time dashboards show where dangers or occurrences require immediate attention, with metrics connected to key performance indicators and critical risk indicators. And a growing number of businesses are monitoring social media sites for signs of wrongdoing and seeking out and following up on reports of potential wrongdoing from third parties with whom they do business. Internal compliance audits can also reveal more about wrongdoing and related concerns.
Internal surveys, often known as culture surveys or risk culture surveys, are one of the most critical indicators any firm can have. When done effectively, they can reveal a lot about an organization’s ethics and integrity, communication efficacy, observations of misconduct, and other things. People’s main worries are whether or not they trust their coworkers and managers, as well as how comfortable they are with peer and management behavior and reporting signs of wrongdoing upstream. The surveys are usually conducted twice a year or once a year, and while the raw data are valuable, especially when evaluated by business unit or other category, trend lines over time are even more relevant.
Technology
Companies have access to and employ a wide range of technology solutions to assist compliance program objectives. However, research shows that many firms’ tools are simple and stand-alone, resulting in a “siloed” strategy that impedes cross-organizational collaboration and effectiveness. According to one study, the majority of compliance function operations employ basic desktop tools, while integrated IT solutions provided by major software manufacturers are used by a minority of respondents. “A fragmented approach to GRC—the dreaded ‘silos’ of data and compliance activities, which can stymie compliance executives trying to acquire a holistic perspective of corporate risk,” according to the survey.
Information, communication, reporting, and monitoring are all more efficiently achieved across the company when companies use more sophisticated technology tools. Compliance risks are recognized, and procedures, controls, and accountability are established, resulting in an integrated compliance process. As a result, policy lifecycle management may generate, approve, maintain, save, monitor, and automate tasks using these technologies. They provide policy training and awareness, as well as surveys and test feedback. They provide automatic workflows and allow for the assignment of tasks for required actions by managers or monitors, as well as the tracking of activities and the ability to query senior officials. Control testing, surveys, certification, and regulatory reporting are among the procedures and information retrieval that they automate. They assist with issue remediation, incident tracking, key performance indicators, and regulatory engagements. They enable real-time messaging and reporting to disseminate information to all levels of management and the compliance function, as well as customized dashboards and drill-down capabilities to zero in on specific issues. They also present information to senior management and the board of directors on topics like the reasons for compliance failures, the financial effect, and mitigating actions.
A Comprehensive Approach
We’ve mentioned it before, but it bears repeating. When compliance programs are made up of separate parts, they rarely work successfully. That’s the truth. They must have all of the right pieces woven together to make an integrated, well-coordinated whole to be genuinely effective. This is a basic principle that is difficult to implement in the reality of a large, complex, global business.
We know that good compliance systems are built on cultures of integrity and ethical ideals, guided by the chief executive’s words and deeds and overseen by the board of directors. All of the other essential elements flow from there.
The Benefits
Compliance costs are rising, non-compliance incidents are increasing, and the possibility of a catastrophic failure is all too real for most businesses. It is possible to have a really effective and efficient compliance process. Some businesses have already arrived, recognizing the accompanying commercial benefits and focusing on process and people to achieve corporate success. It requires focus and attention, but it is possible.
Executive Summary
Chapter 1: Culture
Why Is It Important To Create A Compliance Culture, And How Can You Accomplish It?
The variety of compliance difficulties encountered by organizations and employees today is vast, ranging from internal policies to regulatory obligations to criminal law requirements. It is critical to have rules and procedures in place to meet those difficulties, yet it is frequently insufficient. Compliance is most easily achieved when it is ingrained in a company’s culture.
Compliance is crucial to every employee of a company, from the top to the bottom. A compliance culture means that every one of those employees is aware of the regulations and is committed to ensuring that they are followed.
A breach of export rules, for example, can occur in the post room just as easily as it can in the boardroom. Employees who understand the rules and are committed to enforcing them can also stop a breach of export restrictions that started in the boardroom in its tracks in the post room.
Why Should Businesses Be Concerned About Their Culture And Compliance?
Before looking at how to create a compliance culture, it’s worth contemplating why compliance, and a company’s culture in general, is so important.
The possibility of regulatory and legal fines is perhaps the most evident motivation for businesses to take compliance seriously. The reputational damage that compliance failures can cause to an organization or an individual is often just as costly. Investors are becoming more aware of a company’s environmental, social, and governance characteristics, making companies that can demonstrate that they take their compliance require