3. The Profile of a Successful Compliance Department

Although there are various ways to measure success, one could say that the success of every human organisation is, in general, based on the achievement of its main purpose. When trying to achieve this purpose, organisations often aim to be as efficient and cost-effective as possible in producing the best result achievable. That premise is followed likewise by in-house departments, including compliance.

An appropriate compliance programme is built upon a prior risk assessment of the business activities and the various operations conducted by any given company. Thus, to properly determine the purpose of a compliance department, there must first be an effective compliance programme in place.

An appropriate risk analysis should cover all aspects of a company, including factors such as, but not limited to, the products and services the company offers, the systems that sustain those products and services, the targeted markets in which the company competes, whether the company conducts business with the government, the company’s relationships with third parties and the company’s culture.

There is no one formula that ensures the success of a compliance department. Rather, it depends on many factors, both internal and external. Once a company has defined its compliance programme, however, following certain steps will help to facilitate the achievement of that goal. A successful compliance department is based on strong fundamentals that serve as pillars to drive all subsequent efforts. From these fundamentals, more specific actions can be developed that will deliver the purpose of each pillar more effectively. The following are the pillars that can provide the basis of all compliance initiatives.

Tone at the top

Nothing is more effective than leading by example. Overall, no company initiative will be successful, particularly in the long term, without the proper support of the company’s leaders and management. No compliance programme can be managed effectively without this fundamental element.

There is no question that in the current economic climate, no business organisation can maintain its success in the long term unless it has strong ethical foundations and a commitment to comply with all applicable laws and regulations. This helps to avoid situations that could adversely affect a company’s reputation in the market.

The leaders of the organisation must champion the need to run the business in an ethical manner, so that everyone within the organisation follows that spirit at all levels, not least because their support will be needed whenever the company faces ethical dilemmas.

There is a big difference when all employees know that their leaders promote all sorts of compliance activities, from incentivising ethical behaviour to taking appropriate action whenever it is needed.

Compliance departments should encourage leaders to take advantage of any opportunity to spread this message, whether in a summit, an all-hands meeting or other internal communications. This type of support will enable a compliance department to achieve its goals successfully.

Code of conduct and ethics

Based on the foregoing, many companies have adopted the practice of having a code of conduct and ethics. This type of document should essentially outline the moral fibre of the company and address issues such as honesty, integrity, reporting procedures and corporate social responsibility.

It is indeed fundamental that an organisation should have its own code of conduct and ethics, so that its position on ethical behaviour is clear to both the members of the organisation and the market. This is also a good way to send a strong message that will inspire trust in customers and employees.

Nonetheless, simply having a code of conduct and ethics is not sufficient. It must be a living document and should be constantly reviewed and updated to properly address the changes in the various laws that may apply to the company and its business. Successful compliance departments must lead this effort and find ways to make sure the spirit of the code is followed by all members of the organisation, who should always conduct themselves in an ethical manner in all aspects of the company’s business and promote compliance.

In many ways, a compliance department is the guardian of the code of conduct and ethics. For that reason, the leaders of the organisation must maintain close contact and coordination with the department.

A successful compliance department should also be responsible for measuring the effectiveness of its code of conduct and ethics and in implementing initiatives to preserve the company’s ethical commitment.

Ownership and management of policies and programmes

In general, compliance programmes are based on three main objectives: (1) prevention; (2) detection; and (3) remediation. Further, effective compliance programmes are those that have the following characteristics:

  • operate according to applicable laws and regulations;
  • promote and create a culture of honesty and integrity;
  • protect the company’s reputation;
  • prevent illegal behaviour;
  • detect compliance issues at an early stage;
  • have mechanisms to correct action and remediate; and
  • build employee trust and confidence.

The policies and programmes that form a compliance programme should be owned by the compliance department. These policies should be carefully designed to make sure that they deal with the most relevant risks. A successful department should have the ability to identify issues and develop appropriate mitigation plans and strategies, including the use of effective language that can be incorporated into applicable contracts so as to mitigate the organisations’ exposure to identified risks.

For instance, in-house compliance professionals should analyse and vet business opportunities with government entities in advance. This is not only to identify potential corruption or the violation of procurement laws, but also to evaluate more broadly whether a particular opportunity with a government entity is consistent with the company’s existing business models.

As an example, assume that a company is working on a business opportunity to sell specific information technologies to a government customer. That transaction may be legally viable and possible to many companies, without contravening applicable laws. However, compliance professionals should assess more thoroughly whether a trans­action is appropriate, and whether the company has the ability to deliver, for instance without the need to use subcontractors, and thus avoid circumstances that could have legal consequences or damage the company’s reputation. If the company is not in the business of selling information technology, it is reasonable to consider certain mechanisms (e.g., subcontracting) that might affect procurement laws by increasing the cost to the government.[2] This type of transaction could also expose the company to other risks that may affect its reputation, even if no wrong­doing is found and, of course, the company’s reputation is one of its most valuable assets.

Furthermore, compliance departments will need to ensure that other internal departments participate in the drafting and monitoring of particular compliance policies and aspects of compliance programmes. This is especially so when a potential issue directly affects another department (e.g., reimbursement of corporate expenses). A compliance department will need to liaise with other internal departments to properly achieve its mission, whether for purposes of putting together policy terms, drawing up training materials or conducting an investigation.

Typically, the most common policies that reside within a compliance department are those that relate to anti-corruption, money laundering prevention, data privacy protection, export controls, conflicts of interest and other regulated areas; however, a compliance department should be able to assist other internal departments on other matters that may affect the ethical fibre of a company, such as general harassment.

Team of professionals

The human element is extremely relevant when building a group of professionals to manage an in-house department. They are a key asset, as they are the people who will ultimately determine its success or failure.

The skills of those professionals who will be supporting the compliance department should be aligned to what the company needs to execute its compliance programme. For instance, banking institutions will most likely require professionals with experience in specific banking regulations (e.g., anti-money laundering), although it is also helpful to retain professionals with general experience on other matters so as to have a diverse group.

It is also a good idea to have people from different backgrounds in the department, to the extent possible, who are not necessarily only lawyers but also executives of other types. The greater diversity of opinions a team can have, the better.

However, just having talented professionals who are skilled in the various matters that the compliance department manages may not be enough. Companies should also focus on retaining people who can reach out to everyone in the company; people with the highest level of ethics, who are trustworthy and have the ability to perform their roles in a manner consistent with the various activities that the compliance department performs. For instance, whomever is responsible for preparing and delivering training to the workforce should have the ability to communicate clearly and, ideally, inspire people. Those who are in charge of conducting internal investigations should have experience in knowing how to conduct interviews, draft reports and communicate within the organisation, including to the board of directors, auditors and others.

Internal communications and continued training

Compliance departments cannot do everything. Therefore, companies should aim to have employees who see themselves as functional ‘compliance officers’. In other words, everyone within the organisation must follow the internal policies, seeking guidance if needed and reporting anything irregular. They therefore need to be fully aware of the company’s activities, its business initiatives and the types of transactions being performed, so that they will notice if the company is doing business without proper contracts or if unusual payments are being made. As a colleague recently said, compliance starts with the people and so does the detection of potential issues and, therefore, prevention.

On the one hand, in addition to having leaders promoting integrity and supporting compliance initiatives, employees should also be constantly reminded about the company’s moral fibre and be given training on the various policies. This is especially so when policies are supplemented or modified over time, as a result of changes in legislation or when new policies are created (e.g., when the company launches new business models). In this way, the spirit of compliance can be felt by everyone.

Communicating frequently with the workforce on ethical matters is a task that can be led either by senior management or the compliance department. Communications can be made through emails, posters displayed within the premises or on the company’s internal website. Some compliance departments have implemented the practice of conducting specific activities throughout the year to remind everyone that compliance is just as important as any other activity or function within the company.

On the other hand, training is not merely a means of transmitting knowledge, but also making sure companies can show the authorities or auditors, whenever necessary, that they have acted responsibly and have done their part in training their workforce.

Successful compliance departments use meaningful and business-oriented training. This is not the usual 30 to 45 slides that have been on file for years. Training must be constantly updated and, more importantly, should be designed in a format and have content that is attractive to people – real-life situations, videos, interactive questions, whatever works. Furthermore, those materials should be crafted in a way that can be effectively understood by people from various cultures and based in different locations.

Resources and tools

Successful compliance departments should wisely select tools that will assist them in achieving their goals. They should incentivise and promote the use of technology, not only because that could assist the company to expedite business, but more importantly, because that has proven to be an effective way to maintain records and files, which are fundamental to supporting compliance investigations and authorisations.

The cost and effectiveness of tools are critical. Compliance departments should be able to understand what tools and functions are required to properly mitigate risks and ensure business continuity. For instance, many companies license screening tools to identify whether a particular third party who interacts with the business has been sanctioned by a state, meaning that doing business with that third party could constitute a problem to the company. However, vendors that license these technologies usually manage their fees based on the number of lists that are screened whenever a customer runs a search. Since there are many lists published worldwide, compliance departments need to understand what lists are required in order to manage fees.

Although the use of technological tools is highly recommended, there are other resources that can also be critical in assisting compliance departments in their function. One such resource is the use of external counsel support. This can be essential when a company is facing sensitive issues, such as government audits or when new regulations that affect the company’s operations have taken effect. In this case, as often occurs, in addition to engaging external counsel, compliance departments will need to work with other critical allies within the company’s organisation, such as the legal, finance or operations departments.

Trusted adviser and a business partner

Compliance is a business function and a successful compliance department should be able to work that way. Compliance is designed to maintain the company’s profitability.

Successful departments should act in a way that shows they are no different from any other department, for instance, when finance creates a budget to avoid having to incur unanticipated expenses or when procurement selects the most efficient and cost-effective vendor alternative. All departments must consider the financial health of the company.

Having said that, a compliance department should be able to participate in all sorts of business meetings and in the design of plans to anticipate issues, create acceptable mitigation plans and deal with issues as early as possible. Successful compliance departments should be able to demonstrate their value to the company and their role in finding the most appropriate ways to secure profitable transactions creatively, thus generating revenue and value for the company. For instance, one way is by assisting the company in obtaining specific compliance certifications, such as ISO 37001 on Anti-Bribery Management Systems.[3] Potentially, this can increase the value of the company and could even be used in sales proposals when pursuing business opportunities.

International operations

Today’s competitive environment has compelled companies to grow internationally. Setting up a business overseas usually becomes a challenge when maintaining consistency in a compliance programme. This is for various reasons, but primarily the variety of laws and cultural behaviours that exist worldwide.

For instance, on this issue, a successful compliance programme should incorporate comprehensive programmes for mergers and acquisitions and the ability to implement business models, policies and procedures everywhere.

With the support of other areas, such as finance, human resources and legal, the compliance department should analyse the international operations of the company to determine whether the market in which operations will be implemented is new to the company or constitutes the opening of a new division or line of business in a country where the corporation has previously been established. In either case, comprehensive due diligence must be conducted to establish the risks and challenges, implement mitigation strategies and develop an appropriate integration plan.

It is critical that important issues are evaluated, such as ownership, governance, whether public investments are required (which is the case in certain sectors of some countries, such as oil or telecommunications), the need for specific permits and licences or even certain authorisations when it comes to specific industries, such as banking or pharmaceuticals.

For instance, in M&A transactions (see also Chapter 11 on Assessing and Mitigating Compliance Risks in the Transactional Context), due diligence must include the following:

  • preparation of comprehensive questionnaires to be evaluated by the compliance department, and any other internal areas;
  • review of internal policies and procedures or local laws;
  • evaluation of business models and programmes to determine whether they fit with corporate policy;
  • interviews with stakeholders; and
  • development of background check reports (either internally or with the support of external agencies).

Finally, if the deal goes through, the company will need to have an appropriate integration plan; one that resolves issues and risks that have been identified, implements mitigation strategies (e.g., a spin-off of a particular division, conflicts of interest, renegotiation or termination of certain contractual relationships or a workforce restructuring) and that appropriately rolls out all corporate policies and programmes.

It will also be important to implement an appropriate local training programme, satisfying the local needs of the business and with the right cultural approach. For instance, there are certain places where a face-to-face form of training will be more effective than one that is provided remotely or online.

Maintaining close contact with the workforce

Building a culture in which employees can identify issues on their own and freely deal with those issues is critical to close the loop and to ensure the compliance department can deliver metrics that properly evidence the reality of the business they serve. This is possible by implementing mechanisms and initiatives that, among other things:

  • allow the compliance department to reach out to employees regarding their day-to-day activities; and
  • having a compliance champions programme that allows individuals from various areas to become part of a group that will serve as liaison between employees and the compliance department, to more effectively understand the needs of the business, the day-to-day realities and to cascade compliance initiatives and programmes down to the workforce.

Crisis management and remediation

Many articles have been written suggesting that compliance programmes are tested not only by the problems avoided, but also by whether crises can be overcome. This is also applicable to compliance departments, since crises can happen in any company; large, profitable and successful companies are not immune. Those that overcome these situations and maintain their position in the market are the ones that have the right processes and procedures in place, with the right people to manage them.

A successful compliance department should have appropriate internal mechanisms to deal with compliance and ethics crises and must always be involved whenever they arise. Compliance departments become a great asset in those situations, primarily because crises do not suddenly emerge from day one, but rather they evolve from an issue that was not well handled or from situations not remediated on time. For this reason, early engagement is critical.

In addition to working with other critical areas, such as legal and finance, a compliance department should also advise the company about when to engage external counsel and which areas should recuse themselves (including compliance itself), to avoid situations that could cause eventual harm to the company, even in appearance. In larger organisations, this type of situation is usually handled by multidisciplinary teams specifically created to manage a crisis.

Transparency is always needed, of course; however, that does not mean openly publishing everything that is being reported or learned. Compliance departments should be able to understand how to manage the flow of information and how to properly activate certain mechanisms whenever is convenient and wherever is possible, such as legal privilege. Also, they need to understand and appropriately manage privacy and confidentiality. Therefore, compliance departments should push to have appropriate incident response procedures and incorporate these into compliance programmes.

Consistency is also needed. Successful compliance departments should be able to take appropriate action in a timely manner and in alignment with the company’s ethical stand, as reflected in its code of conduct and ethics. That is the best way to send the right message out to the market and within the organisation, and to ensure the company survives in the long term, especially given that whenever these situations arise, a company should expect scrutiny not only from authorities but also from the market.

Once a crisis has passed, compliance departments are key to implementing whatever remediation measures have been adopted. These may include more training or the creation of new processes and procedures, the termination of contracts or disciplinary action. Compliance departments should lead, monitor and follow up on remedial actions until they are satisfactorily concluded.

Being ethical and ensuring compliance with all applicable laws and regulations is simply the right way to do business and the best way to protect the stakeholders’ interests. To facilitate this goal, companies must have an appropriate compliance programme in place and a reliable compliance department to run it. There are many challenges in daily activities that require compliance departments to step in and act effectively to prevent issues and rectify whatever has gone wrong.

The scope of this chapter does not permit detailed discussion of each of the outlined pillars, but these can be explored in more detail with the support of compliance specialists and external counsel. (See also Chapter 12, for example.) No successful compliance department can emerge from improvisation and a road map should always be established for better results. A successful company is likely to have a strong, effective compliance department. Companies should therefore take their time and be careful when developing and nurturing their compliance departments.

[1] Reynaldo Manzanarez Radilla is a senior director of ethics and compliance at Brightstar Corp and a member of the legal department.

[2] In principle, no contracts should be awarded by the government to a company that will need to use subcontractors to deliver, as this can open the door to corruption, particularly in jurisdictions with high corruption levels. Government contracts should be awarded to the most effective and cheapest option; it might therefore be questionable why a ‘middle man’ is needed. Furthermore, the reputational impact and the associated costs could be substantial to a company that is the subject of subsequent government investigations.

[3] ISO 37001:2016 – Anti-bribery management systems – Requirements with guidance for use, International Organization for Standardization < https://www.iso.org/standard/65034.html>.

Get unlimited access to all Latin Lawyer content