19 June 2015
Companies are creating dedicated roles to ensure compliance
It is common to find companies appointing a chief compliance officer (CCO) in response to the growing importance of compliance and the potential impact of non-compliance. This started in the US and was driven by the Federal Sentencing Guidelines and the Sarbanes-Oxley Act of 2002 (Sox).
The Federal Sentencing Guidelines in 1991 introduced provisions under which organisations with an effective compliance and ethics program can reduce their potential federal criminal fines by up to 95%. The Sox requirements on internal control over financial reporting prompted most US listed companies to write a plethora of procedures, which raised the need for an officer to ensure or oversee compliance.
As one would expect, organisations in highly regulated sectors such as financial services, healthcare, and oil and gas are most likely to have a CCO. According to a 2014 PwC report on US healthcare providers, 86% of survey respondents had a designated CCO reporting directly to either the board of directors or the CEO. The Association of Insurance Compliance Professionals (AICP) claims 41% of corporations in the US had designated a CCO in 2010.
The trend seems to be continuing in the UK. In some sectors, regulation is confined to standard setting via censure and sanctions, but in others, powers extend to removal of operating licence and significant fines. The impact of the Financial Conduct Authority (FCA) in the financial services sector has prompted a new report from Deloitte entitled ‘The Changing role of Compliance’, which sets out some good questions.
The first question, ‘what is the role of compliance?’, is worth considering as it has traditionally been shared around functional heads within a company. It is now worthy of a role in itself in response to increasingly intrusive regulation, and so has evolved into a question of: ‘compliance with what and why?’ Should people comply because they must or because it is the right and good thing to do? The company secretary role traditionally embraces compliance with UK company law and other legislation, the Corporate Governance Code, submissions to HMRC and Companies House, the Disclosure and Transparency Rules (DTR), and the whole corporate accountability calendar of meetings and reports. The CCO will be focused on compliance with the requirements of designated regulations such as the FCA’s conduct regulations: the new Senior Managers Regime (SMR), which is designed to improve individual accountability.
Whether this applies to companies operating in other sectors depends on the nature of regulation, but the FCA is providing a template for other sectors to follow. It also offers some clues as to where this is going. For example, law firms are regulated by the Solicitors Regulation Authority (SRA), which is closely following the financial services sector in focusing on conduct issues and behaviour – also known as ‘the way we do things round here’ or more broadly ‘culture’. It is common for law firms to employ a Compliance Officer for Legal Practice (COLP) with a specific remit to ensure compliance with the SRA. This is an indication of how compliance is demanding a dedicated role outside of the much-scrutinised world of financial services.
A more challenging question arising from the Deloitte report is: ‘must compliance always be reactive to regulator demands?’ and here the answer should be ‘no’. Regulators try to channel behaviour to achieve desired outcomes in the marketplace – this might be fairness of competition or affordability for customers, or it may simply be the promotion of ethical and non-corrupting practices. In most cases it should be clear to operators in regulated markets what a government expects to achieve through regulation, and they can then create a culture to achieve it. Regulators may also put in place specific metrics to measure progress. In some cases this will be what ought to be done – best practice guidelines and codes of conduct – and in others this will be what must be done – legal enforcement powers such as the Bribery Act.
One advantage of a dedicated CCO could be the removal of doubt about responsibility. We all know the old story about four characters called Everybody, Somebody, Nobody and Anybody, which concludes with the line: ‘Everybody blamed Somebody when Nobody did what Anybody could have done’. This point is addressed by the Deloitte paper’s critique of the arguably over-rated ‘three lines of defence’: operational (first line), supervisory (second line), and audit (third line). The CCO could cover any of these, but should certainly be supervisory and probably operational too. Creating a CCO function should remove rather than add doubt about where compliance sits in an organisation and avoid a blame game prompted by a non-compliance fine.
It may be possible that much compliance, although well intentioned, is barking up the wrong tree. When anything goes wrong, in an organisation or in a sector, the two inevitable responses are to ask who was to blame and what rules and procedures are needed to ensure it will not happen again. Ultimately, this approach is likely to be self-defeating. We are all human. We are creative and will find new ways to err. More rules create opportunity to find ways round them: they can stifle growth, erode trust, hamper innovation and reduce job satisfaction. Many procedures resulting from Sox have not improved control.
Sox listed the Committee of Sponsoring Organisations (COSO 1992) framework of internal control as one of three acceptable internal control frameworks, along with the UK Turnbull Guidance and the Canadian Criteria for Control (known as CoCo). COSO makes it clear that the control environment is the foundation of control, a key part of which is culture: COSO says that official policy specifies what should happen but culture determines what actually happens. Consequently, rules and procedures will not in themselves correct behaviour unless the culture in an organisation supports it.
This situation is illustrated by the question: ‘How many electricians does it take to change a light bulb?’ The answer is: ‘None, but the light bulb must really want to change’. Rules will not change behaviour in the desired way unless the culture supports this. In the UK, particularly in financial services, there is a cynicism about the word compliance. The European Commission is also aware that new regulations will not fully address the governance issues raised by the financial crisis.
Americans, surprisingly perhaps, seem to take a more positive view of compliance. They recognise the importance of complying with the spirit of requirements, not just the word. The Federal Sentencing Guidelines have a carrot and stick approach to encouraging an ethical culture. In the US, the job title for the compliance officer will often also include the word ethics – chief ethics and compliance officer. When it comes to compliance there will always be a few people who will try to sail as close to the wind as possible. The aim of boards should be to make it clear that such an approach is unwelcome and to encourage a more mature attitude.
More attention should be placed on getting the values right in an organisation. This is no easy task but should be attempted. Corporate behaviours are driven by corporate values and beliefs and personal behaviours. Regulations and codes focus on the corporate behaviours or outputs. They take little account of human nature or personal values, which are significant inputs. More attention should be paid to personal behaviour, especially the values and beliefs of the board.
In UK financial services, the PRA and FCA place importance on judgement-based supervision. This seems to be the right direction to take if it focuses on whether things ‘should’ be done rather than just whether an interpretation of a rule says it can be done. However, it does raise a degree of uncertainty about how supervision will take place, which could be uncomfortable for people who want absolute certainty in whether a particular action is permitted.
For the company secretary, the role of CCO presents new challenges, but does offer an opportunity for their organisation to demonstrate it takes industry regulation, and by implication non-compliance, much more seriously. Like audit and risk, compliance needs a dedicated role, especially where a regulator expects dual reporting. Some compliance officers are expected to report not only internally to their board, but externally to the regulator and this can throw up some difficult, career defining decisions. It can pose a ‘disclosure risk’ for the organisation, necessitating careful management of regulator expectations, but also requires that the organisation allow the CCO a degree of independence from executive management. Here lies an opportunity for the company secretary to ensure that the CCO role is properly defined in a way that preserves that independence and works both for the company and in terms of industry regulatory requirements, with the CCO reporting to the company secretary who should, in turn, report to the chairman.
Garry Honey is the founder of Chiron Risk and Paul Moxey is Visiting Professor of Corporate Governance at ISBU and Chairman of the CRSA forum