Editor: What is the key to successful compliance programs?
Varges:Recognizing it's a new kind of challenge. At its core, compliance is primarily a strategic, leadership, and operational task. It's about setting specific goals, motivating, and executing, not just advising.
The tone from the top is critical but insufficient without the right supporting compliance infrastructure to execute and work on all levels of the culture. Employee credibility can be lost if the right tone is not accompanied by evidence of robust structures and initiatives. In these efforts it's important to get senior management support for the compliance program but to do so in a way that avoids the impression that it comes from a current management team only. Good governance has longer-term sustainability when it is perceived as an institutional and intergenerational commitment - like a constitutional foundation to which all generations of managers and employees become subject.
Editor: Doesn't this then place even greater responsibility on the chief compliance officer?
Varges:Yes, and on those in other key functions who work on different pieces of the puzzle. A head of compliance contributes most by helping keep governance, good values and attention to regulation on the front burner daily and by moving the implementation agenda ahead, even when there may be other legitimate corporate priorities. In this context, a key ingredient is the right degree of independence, both issue independence and functional independence. Issue independence is being able to point to problems and report them up the ladder. But a successful compliance program also requires sufficient functional independence. This is the ability to develop a strategy, marshal resources, provide day-to-day leadership and implement initiatives preventively, even where others may not readily see a risk. These tasks are harder and require greater skill than reporting individual issues as they arise. In this regard, it's quite helpful for the compliance function to have a distinct budget and to otherwise operate to meet emerging compliance management principles, including those implied in the revised U.S. Sentencing Guidelines regarding adequate resources.
Editor: Please give our readers some examples of hot compliance issues from a global perspective.
Varges: The big explosion in Europe in the last two years was Parmalat, the equivalent of Enron's downfall. One lesson for U.S. companies is not to underestimate the non-U.S. compliance risk. Even though fines in Europe may be lower, when the press picks up ethical issues, the impact on share price and on confidence in the company could be as great.
As in the U.S., D&O premiums in Europe - a barometer of governance and litigation risks perceived by the market - have increased considerably. Another large European development is the expansion of the concept of corporate criminal liability.
A more global trend is the growing recognition of the supervisory duty of the board of directors for compliance - not just for violations but for strategies and performance against those strategies. Given all these trends, one conclusion is that if a company does business across borders, its compliance program cannot be based solely on its home country's laws or compliance practices.
Editor: What is the cornerstone of an effective compliance program that works well in multiple jurisdictions that have different environments and different management teams?
Wexton: Start with who owns compliance. The 210 people who report to me do not own compliance. One of the messages that I give to everyone from the CEO to the front-line manager is that compliance is their job. Risks are imbedded in each of the functions performed by every employee. I am here to help them reduce those risks and make them manageable, but they own them.
Varges: That's absolutely right. And for a cross-border compliance team to be helpful to managers and employees in this regard, it's essential it has the right mix of skills - jurisdictional, business, cultural, linguistic, etc.Being a technician is not enough. The greater need is for internal change agents, with the right substantive command, who can relate well with others and get them to do what has to be done. Worth mentioning here is the need for the compliance function to be at the right level. There is a growing trend of companies upgrading the compliance function, such as by placing its head at the same level as other key senior officers. Hence one is seeing compliance or ethics EVPs at places like MCI and others. Not only does this help meet the Sentencing Guidelines expectation of "high level personnel," but it can clearly contribute to effectiveness. It also sends a powerful signal internally and externally about the seriousness of the company's compliance commitment.
Editor: How do you monitor whether your compliance program is achieving its intended results? How do you encourage the right behaviors?
Wexton: Everyone takes a compliance test annually. By grading the tests, we know the areas in which each business unit needs to work.
We have universal e-training supported with classroom training. Our toolkits are replicable for use whenever we acquire a new business. For example, we have a checklist for acquisitions due diligence. As well as questions to be asked, it has a sheet to be filled out of what was there and what needs to be fixed if we complete the deal.
I have a set of measures, called the Bangkok 13, used across the businesses. One is the number of suspicious activity reports that have been filed per country compared with the number of transactions. If a unit with 10 million customers has filed only one suspicious transaction report, I know the process is broken.
We deal with intermediaries in our mortgage business. The only way to keep track of these third-party brokers is through scorecards. Are any the subject of too many complaints? If we see brokers who need attention, we retrain them. If they still have problems, we discontinue the relationship.
I insist that every business have a compliance review board chaired by the CEO of that business. It meets monthly with certain items on the agenda each month to ensure that there is a commonality of what gets discussed in all jurisdictions. I want to know what went wrong, who is taking ownership of it and what progress is being made.
Varges: One helpful, though complex, lever for encouraging the right behaviors is the reward system. In this context, the effort is not only to withhold rewards from those who fail to meet some minimum on behaviors, but also to reward those who excel in their positive contribution to the corporate culture and the compliance efforts. This may include evidence of consistently giving high priority to compliance issues when they arise, or of providing extraordinary support to employees when they raise issues, or of taking the initiative to get additional personal compliance training. These are all behaviors that should be recognized and that serve as positive models for employees.