Compliance Best Practices Improve The Bottom Line

Monday, May 4, 2009 - 01:00

The Editor interviews Jack Holleran, Principal, Ernst & Young.

Editor: Jack, what is your role at Ernst & Young?

Holleran: I lead Ernst & Young's Corporate Compliance Advisory Services team in the Americas. We advise clients on identifying and prioritizing compliance risks, implementing and enhancing compliance programs, assuring that compliance programs are integrated and effective and measuring their effectiveness. Prior to joining Ernst & Young, I was the chief compliance officer at Philip Morris USA. Our team includes former compliance officers, former prosecutors and other compliance professionals, and we focus on helping companies to manage their compliance risks.

Editor: What approach to compliance risk management creates the greatest risk?

Holleran: In our experience, there are two related issues that can increase a company's risk of noncompliance. The first is ineffective organizational structure, and the second is lack of clarity about roles and responsibilities. Companies that clearly identify roles and responsibilities tend to have more effective organizational structures and more effective compliance programs. Compliance risks arise at the individual employee level, which means that every employee has a role to play in managing those risks and in preventing noncompliance. As you move up the chain of command, you find progressively greater levels of responsibility.

Clarity about roles and responsibilities accomplishes two important objectives. First, it enables the company to communicate to employees what is expected of them and to hold them accountable. Second, it enables the company to design an organizational structure that effectively integrates the different components of the compliance program.

We often hear the lament that compliance is siloed, with the implication being that silos are presumptively ineffective. In our experience, silos can be effective provided that the company has a compliance program that provides the connective tissue that links the silos together.

Editor: How would an investigator go about finding the cause of a breakdown in controls?

Holleran: When controls break down, investigators seek to find out what happened and who did what. They often start at the bottom with the people closest to the controls' breakdown and work their way up.

The first area of inquiry is to determine whether controls were in place to prevent the noncompliance. If the controls were in place, the next area of inquiry is to examine their design. That is, were the controls adequately designed to prevent the noncompliance? If the controls appear to have been appropriately designed, the next question is whether they were followed or appropriately executed.

The final inquiry involves the mechanisms the company had in place to detect noncompliance. Investigators want to know whether the company had previous similar instances of noncompliance and whether the company learned from its mistakes. By parsing the controls breakdown into these areas of inquiry, the investigators will get at the root cause of the noncompliance - what happened and who did what. Companies that have strong compliance programs are more likely to prevent noncompliance from happening, thereby avoiding having investigators at their door. Companies that focus on continuous improvement are better positioned to learn from their mistakes, which is another way of reducing the possibility of noncompliance.

Editor: There seem to be fewer complaints from clients about compliance burdens.

Holleran: There seems to be a growing awareness that, rather than being a burden, compliance is good business that, when done right, can actually help give companies a competitive advantage. The Federal Sentencing Guidelines played an important role in getting companies to focus on the importance of having a compliance program for reactive, defensive purposes. My judgment, and we hear this from a lot from clients, is that when you are a chief compliance officer and you are making the business case internally for continued investment in the compliance program, the reactive, defensive rationale takes you only so far. One way to enhance your business case is to be able to demonstrate how an effective, integrated compliance program actually helps the business operate better.

There are two principal ways to do this. First, events of noncompliance cost money and tax management resources and can ruin reputations. Financial costs can include fines or penalties, outside counsel, forensic accounting firms or other experts, litigation costs and the costs of remediation. Those dollars get diverted from growing the business - R&D, sales and marketing, new systems. In addition, noncompliance requires significant management time and attention, often from very senior executives; those are hours that are diverted from growing the business. Finally, there are reputation considerations. A single major compliance failure can destroy a company's reputation and in some cases the company itself.

The second way companies can leverage compliance to make the business run better is by making sure that compliance considerations are integrated into business processes, into business decision making, and into the work getting done. This enables employees to do their work more efficiently, with fewer compliance mistakes, and to get more work done, resulting in greater throughput. Companies that think of compliance in this way see it as a business imperative that helps drive competitive advantage, not as a burden.

Editor: Looking at the whole spectrum of your clients, do you find a greater number of complaints about compliance coming from smaller clients?

Holleran: We see clients across the spectrum from large to small who struggle with making the business case for compliance internally. For larger companies in more highly regulated industries, compliance may feel more burdensome, but compliance is largely seen as part of the cost of doing business in those industries. Whether the company is small or large, it falls to the person who wears the hat of chief compliance officer to develop metrics to make the business case internally. It also falls on the chief compliance officer to demonstrate specific instances in which the compliance program or the compliance department provided value - either that potential noncompliance was prevented, that noncompliance was detected internally before it was discovered by a government agency or that a better business decision was reached because compliance was involved in making the business decision.

Editor: What are best practices in handling investigations?

Holleran: Having an effective process for handling investigations is the fundamental cornerstone of an effective compliance program. There are a number of leading practices that we work with clients to implement to make sure their investigations process is effective. First, companies should have multiple points of intake for employees to raise allegations of noncompliance. These may include a hotline or helpline, line management, supervisors, human resources, legal, and compliance and should be communicated broadly and consistently to raise employee awareness. Next, develop a way to categorize allegations to separate more serious allegations from less serious ones. All allegations should be investigated, but more serious allegations raise additional considerations. Categorizing the allegations in, for example, a two-tiered system helps make the investigations process more efficient.

Another leading practice is to develop and document your investigations process. Examples include a policy on investigating allegations of noncompliance to help clarify roles and responsibilities; a policy on nonretaliation for good faith allegations; and investigation guidelines to help assure consistency in the way investigations are conducted.

Lastly, the information that companies get from their investigations process should drive improvements in the compliance program. It is a rich data source that compliance officers and organizations can use to learn from their mistakes and from which they derive cautionary examples that can be used to demonstrate the problems generated by compliance failures - for individual employees and for the company.

Editor: What is the role of the chief compliance officer?

Holleran: Most commonly the role of the chief compliance officer is to lead the effort to design and implement a compliance program that provides that connective tissue that we talked about earlier. The chief compliance officer is the person within the corporation who is accountable for having the right answers to five basic questions:

• What are the company's most significant compliance risks?

• Who within the company owns those risks and is accountable for managing them?

• What controls do those risk owners have in place to manage those risks?

• Are the controls working?

• How do we know, that is, how do we measure the effectiveness of what we have in place and drive continuous improvement based on that information?

The chief compliance officer does not own any substantive risk area but rather serves as the architect and steward of the compliance program. He or she often serves as the champion for compliance and is its spokesperson who makes sure that employees understand the importance of driving compliance into their work, day in and day out.

Editor: What role does internal audit typically play in managing compliance risks?

Holleran: Internal audit plays an increasingly important role in making sure that the company's compliance risks are effectively managed and making sure that the compliance program is operating effectively. In their customary audit function, they may uncover compliance breakdowns, but their role is expanding.

For example, internal audit in many companies conducts an annual risk assessment, which may be combined with the chief compliance officer's annual compliance risk assessment to produce one overarching enterprise risk assessment. Also, internal audit can play a role in designing and executing auditing and monitoring programs to assess the effectiveness of controls in certain compliance risk areas.

Editor: How should a compliance program be communicated to employees?

Holleran: The compliance program should be communicated to employees consistently and often. For example, the issuance or reissuance of a code of conduct can be an important communications opportunity. Stories of compliance success or failures can play a major role in impressing on employees the importance of compliance.

Another important aspect of communications is making sure that each employee understands the company's expectations with respect to compliance. That could be done through a code of conduct, training or in communications from the functional or business unit leadership.

Many larger companies have an internal communications department; chief compliance officers in those companies should look for ways to work with internal communications to create greater awareness of the compliance program. Another leading practice is to work with HR so that compliance messages are appropriately integrated into recruiting, new employee orientation, training and management development programs.

Editor: How does Ernst & Young fit into this picture? What does it bring to the table?

Holleran: I have the privilege of leading our firm's corporate compliance advisory services practice in the Americas. We have a core team of experienced professionals who help clients manage their compliance risks.

The ethics and compliance community suffers, in my view, from the absence of a standard, adopted framework for what an integrated, effective compliance program looks like. Based on our experience with clients across industries and geographies, we built such a framework, and it consists of more than 20 components. We also built a maturity model, or "yardstick," that we use to assess the robustness of each program component on a 5-point scale, from basic to optimized. We use these tools to help our clients assess the effectiveness of their programs and to identify and prioritize opportunities for improvement. Importantly, we tailor our work to a particular client's compliance risk profile; not every client needs to have a level 5 program in every area.

We work with clients across a wide array of industries. Ernst & Young has more than 135,000 employees worldwide, including people with deep industry experience and experience with virtually every type of substantive compliance risk, including FCPA, import/export, privacy, OFAC and AML, records management and environmental health and safety. So, for every client, we're able to bring to bear our core corporate compliance team and supplement it with the right industry knowledge and the right subject matter experience to deliver premium client service.

The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP.

Please email the interviewee at jack.holleran@ey.com with questions about this interview.