Moving compliance beyond policies and procedures
This is a common experience across Asia, where the majority of people working in compliance have typically been employed by financial institutions or insurance companies. While this has been changing over the last few years as regional corporate compliance officers have been appointed for large United States and United Kingdom companies, it is very much the trend that compliance officers are typically financial-focused. In many cases, these financial-focused compliance officers concentrate on building policies and procedures that address changes to local regulatory rules. They then build controls around this to ensure that their processes are aligned with these rules, for example, that bank accounts are opened in accordance with local regulations.
When working in compliance in a bank or in another highly regulated industry, the standard motive around compliance is to do what is required under the law. However, in many areas that are non-financial, the law doesn’t actually specify what exactly is required. For example, corruption laws essentially say, “don’t pay a bribe” and to have “adequate procedures” in place so bribery doesn’t occur, but the law does not actually specify what needs to be done or what the “adequate procedures” are. This means that many companies struggle to determine exactly what they must do to comply with the law. The solution is often a mixture of best practices, being in line with industry peers and creating a programme that is within their company’s risk profile.
In addition to the challenge of working in unregulated industries, compliance as a profession now extends significantly beyond simply building policies and procedures and conducting audit checks on the internal controls set out in policies, as well as, more recently, providing advice to the business. Companies need to embrace this and give their compliance officers the skills to implement compliance effectively.
We recently spoke with some compliance officers from an insurance company at a training course in Hong Kong. It was clear from the discussions that their roles primarily focused on money laundering compliance. At the training, these individuals had their eyes opened to the other opportunities where they (as compliance officers) could add value to their organisations. In fact, these compliance officers had never considered their roles as ones with the potential to add value to the business and had never considered that they may be able to actually help their companies do business in a way that drove revenue or reduced cost. Unfortunately, they always saw their role as reducing risk (such as the risk of someone opening an account with the wrong information and therefore breaching regulatory rules). They were, in effect, acting as “compliance police”.
These compliance officers had never considered that they may be able to readjust policies and procedures to make things faster or easier, more efficient, or more business focused. They had never considered the role that they were playing in the overall business or that they could make their account opening procedures a competitive advantage to their organisation. Who has decided to leave their bank because they were “a nightmare to deal with”? Certainly, if the bank had improved their policies and procedures, the issues could have been solved, and they could have retained my business.
Intensive compliance programmes require trainees to look at a compliance programme in its totality. This includes building the commitment for compliance and having the programme endorsed by both management and the board. They push the attendees to consider not only policies, procedures and audits in the implementation of their programmes, but also the behavioural change that is necessary in order to make programmes effective. Simply having policies and procedures and a set of internal controls is not compliance; compliance is a far more significant operation that involves developing a programme that manages risk – the risk of failure to meet compliance obligations. These obligations come from internal policies, industry codes and standards, and the company’s value system – not just strict rules and regulations.
Too many compliance officers who work for financial institutions and banks (particularly those in Asia-Pacific) simply focus on compliance as it applies to policies, procedures and audits. They need to consider all aspects of compliance and think more broadly to include corporate compliance, corruption, conflicts of interest and other standard matters of integrity which are now commonplace. Almost every day there is another failure of a bank or financial institution when it comes to insider trading failures, conflicts of interest, disclosure issues, or organisations paying significant amounts of money in salaries and bonuses without respecting the basic principles of corporate governance and shareholder values. Every single one of these companies has a compliance department, has a set of policies and procedures, and, no doubt, an audit department.
Compliance, when run correctly, can add significant value to the business. It is more than policies and procedures, and the sooner people realise this, the better.