The Common Weakness Around Compliance Programmes

During my public speaking work, I often get asked the question “What do you consider to be the greatest weakness of modern compliance departments?” I find this to be particularly difficult to answer as there are a variety of areas that I believe need improvement, so I am often cycling between a variety of different responses. Now that I have found more time for writing, I wanted to reflect upon this topic more and give it the amount of attention that it deserves, as I believe it can help compliance departments of all industries and sizes. In my opinion, one of the greatest weaknesses of modern compliance departments is poor execution or a lack of any auditing of their programme.

What is behind the mindset to not audit a compliance programme?

In my experience working with and within a broad variety of compliance departments, I find that the main reason that many departments within the industry are failing to perform audits of their compliance programme is likely fairly simple. It generally boils down to one of three issues: there is not enough time, not enough budget, or a reluctance to test the strength of the programme.

I typically find that the initial issue can be explained by the vast amount of time that building a compliance programme requires. After completing such a massive project, teams can often lose steam when it comes time for monitoring and measuring. Many fail to realise that this second half of the process is just as important, if not more so, because it indicates if the programme they built is any good. Unfortunately, this lack of realisation often means that no time is spent on it, and if an effort is made, then it is delegated down to an unqualified internal audit group. These internal audit groups also might not have an impartial viewpoint as they could have ties to other members of the compliance department. External audits solve both of these problems by reducing the amount of work that is asked of compliance teams and by being able to look at the programme through an impartial lens.

The root cause of the second issue can typically be attributed to compliance teams’ overestimation of the cost of conducting audits of a compliance programme, which tends to actually pale in comparison to that of its implementation. Based on ETHIC Intelligence’s research, performing these audits would actually equate to less than 10% of the compliance programme’s implementation cost, though they do need to be conducted annually. This estimation includes the cost of developing procedures, training of all relevant personnel, and implementing effective improvement actions.

The reason behind a reluctance to test the strength of a programme is pretty self-explanatory and can be summed up in one word: fear. Compliance teams can be afraid that after investing so much of their time and money into building a system, there will be major consequences if it is discovered that what they built is flawed or ineffective. This should not, however, be an issue, because as I always preach to our clients: “The goal of audits isn’t to catch the mistakes made by professionals or the team as a whole, but rather to present the opportunities where a programme can be improved.”

Checking, validating, and improving

Once their programme is built and operational, compliance teams are not allocating enough of their overall compliance budget and time towards continuous improvement, which includes things like monitoring, review, and audit activities. They instead choose to allocate it fully towards the actual running of the programme, which mostly revolves around operational controls. These continuous improvement procedures need to be made more of a priority, and through my experience helping organisations to more efficiently manage their compliance budgets, I find that the ideal investment for the majority of programmes is around 50% of their annual compliance budget.

By putting such a budget in place, your organisation will both be able to continue investing in operational controls and have the adequate resources to conduct annual compliance programme audits (as well as monitoring and reviews), which identify and address any shortcomings. This will stress to the organisation and its stakeholders the importance of reducing risk through a continuously improving compliance programme.

No matter your compliance team's reason for not performing them in the past, the risks presented by an ineffective or partially effective compliance programme make the need for conducting compliance programme audits unavoidable.

by Scott Lane

President, ETHIC Intelligence®