Many compliance programs focus the bulk of their efforts on improving corporate compliance knowledge and redressing issues as they arise. This is, of course, a useful starting point, but if a compliance program is to be effective in the long term, a structured methodology and a clear set of priorities are required. Eversheds' approach is to address the compliance remit by way of a project management plan. We find that this is helpful in providing a framework for the process of introducing compliance into organisations and ensuring consistent application of compliance strategies.
Issues In Current Compliance Programs
Significant improvements have clearly been made over recent years in establishing intra-organisational compliance awareness and adherence. There remain, however, areas of concern.
As compliance resources are often stretched, compliance activities can tend to be reactive. Issues of immediate importance might take priority due to organisational breach or areas that have attracted a high degree of public attention. While these matters may take precedence in terms of management concern, a reactive approach runs the risk of missing other less high profile but equally important issues.
In addition, compliance programs that are not part of a coherent practice strategy may be relegated to corporate history as soon as the initial stages of training and policy development are complete. Regulators are focussing more closely on whether the compliance programs encourage a principles based approach as opposed to a "checkbox" style of compliance.
Compliance audit and training that addresses only a surface level of efficacy may not effectively penetrate the psyche of the organisation. The effect is that poor practice reasserts itself. Just as malpractice within an organisation might have become institutionalised, compliance and good practice need to become integral to all aspects of business practice.
There are also core issues that continue to present challenges in securing compliance. These include cultivating international adherence to compliance requirements, compliance by contractors and agents and generating sustained support from senior management and the board.
Against this, it is clear that compliance programs require business investment and there is a need to show a business return. In order to generate a high functioning, effective and reliable output, it is necessary to deal with the task in the same way that other initiatives within the organisations might be managed.
Eversheds LLP has taken the innovative approach of applying project management to the delivery of non-contentious and contentious legal services to ensure effective planning and communication and predictability around cost. This approach has now been extended to international compliance programs to ensure that compliance activities are developed and delivered consistently for clients across business units.
Compliance Project Management
Eversheds has designed a program for project management of compliance programs. This includes structured scoping and prioritisation of compliance initiatives following detailed advice on specific compliance obligations, a timetable and project plan and support for implementation of the compliance strategy. Audit and monitoring processes are integrated into the project and a clear reporting format is established. This strategy helps to ensure that the compliance plan dovetails with the organisation's existing policies and procedures and with broader business goals. It also supports the development of programs that minimise the cost of compliance for the organisation and which make the best use of board and management time. Project management also supports consistent compliance initiatives which can be integrated properly into business practice and key messages in different forms of compliance education.
Connected to Eversheds' compliance project management is the review of business practices to assist with identifying areas of legal risk and the establishment of strategies to prevent or reduce concerns. Eversheds also uses scenario planning and desktop exercises to test the application of corporate risk, business continuity and crisis management strategies.
The issues on which an organisational compliance program focuses should be prioritised on the basis of a risk assessment and overall project design rather than the locus of attention being reactive. The aim of the risk assessment stage in a compliance project is to identify the risks posed to an organisation by breach of its regulatory obligations.
This entails identifying the work carried out by the business and the regulatory requirements placed upon it, assessing the current level of compliance within the organisation and the attitude of the organisation to compliance generally and, using this information, estimating the probability of an event occurring and the magnitude of its effects if it does occur.
This stage considers the current level of compliance within the organisation and the attitude of the organisation to risk generally. It involves identifying both the risks and the ramifications of those risks occurring. General qualitative analysis is used to identify issues for attention. Where an area of high priority or organisational concern has been identified, greater detail can be acquired through the use of focused investigation.
The assessment of regulatory risk should be set in the context of other sources of organisational risk and uncertainty, organisational strategy and the organisation's strategic objectives. Core concerns in terms of risk analysis are present and future points of possible compliance weaknesses such as new acquisitions, decentralised and international operations, areas of compliance breach, sections where there has been high staff turnover or significant changes in key line managers, areas exhibiting generalised low morale or poor job satisfaction, units or individuals subject to financial pressures or strong perceptions of inequality in compensation arrangements.
Project Key Deliverables
It is important to ensure that there are clearly established deliverables as part of the project and stated criteria against which these deliverables will be assessed. This might include time frames, costs, subsequent incidence of breach and evaluation by business managers and employees of efficacy.
At a minimum, organisations should have compliance deliverables that relate to:
the identification of jurisdictional and, where necessary, cross jurisdictional compliance requirements;
review of organisational policies, information flows, and understanding of compliance issues;
conduct of regular compliance risk assessments;
written compliance policies and codes of conduct for employees, agents and third parties, aligned with local legal requirements and language;
establishing key compliance training for staff, contractors and agents on policies, procedures and reporting, using best practices in training delivery;
testing for multiple risk scenarios and conducting mock regulatory inspections and enforcement exercises;
compliance audit including review of internal investigations;
ensuring that learning from instances of compliance breach is conveyed to the board and providing relevant follow up training to directors and managers.
There is a need for an overarching compliance project plan which is tailored to the business needs and placed in the context of the business agenda. The project plan should cover all stages of the compliance process including educating the organisation about the regulatory obligations, post-loss control measures and plans for compliance crisis management.
In terms of the initial planning stage for compliance projects, it is helpful to identify a project steering group and hold an initial meeting to scope the project, examine key areas to address and plan the next steps. Such a group might usefully include, in addition to the compliance officer and members of the Legal Department, representation from:
key operational business units;
existing compliance functions or individuals with compliance related duties;
human resources group; and
In companies with an international reach, it is helpful to incorporate wide cross jurisdictional participation in the project team to ensure that a wide range of perspectives are integral to the design of the program.
The Project Manager
In the Eversheds compliance project approach, a project manager is appointed to act as the anchor point for information from the business and from the network and ensure the program is structured, delivers on its objectives and is continually adjusted to meet the needs of the business. The project manager is able to view the situation from a multiplicity of angles. He or she is able to respond to the issues that arise as tasks are carried out, draw on the right resources to conduct the tasks and re-focus the team as needed on the project objectives.
Compliance Project Implementation
In this phase, the regulatory risk compliance program is implemented in line with the plan and follow up procedures such as audit and monitoring are put in place. While it can be tempting to deliver a one size fits all approach to training and policies, this can significantly undermine the value of the program and the time over which messages are retained and implemented. Pivotal to effective delivery is ensuring that messages are cast in a way that is effective for the audience concerned and that follow up is adequate and appropriate.
Checks need to be put in place to ensure that compliance program delivery is in line with deliverables. It is also important for the organisation to perceive that compliance is an on-going concern and not concluded once training has been delivered. The compliance program therefore needs to integrate processes for assessment of program effectiveness and on-going monitoring and support.
Project management provides a process for ensuring delivery of compliance objectives and achieving the expected benefits while paying close attention to program effectiveness. This includes careful planning so that resources are successfully and efficiently deployed and the introduction of a project manager to ensure that the tasks identified are completed. Project management is about delivering service excellence through defined processes. This should be as much an aim of compliance programs as it is in relation to any other business initiative.
Diana Newcombe is a Senior Associate in the London office of Eversheds LLP. She specializes in regulatory compliance, the implementation of legal risk management systems and best practices in corporate governance. She also provides advice in relation to corporate criminal defence and civil proceedings relating to regulatory breaches. She is qualified as a barrister and solicitor in England and Australia and may be reached by telephone at +44(0) 845 497 0861.