The Profile of a Successful Compliance Department
This is an Insight article, written by a selected partner as part of Latin Lawyer's co-published content.
Although there are various ways to measure success, one could say that the success of every human organisation is, in general, based on the achievement of its main purpose. When trying to achieve this purpose, organisations often aim to be as efficient and cost-effective as possible in producing the best result achievable. That premise is followed likewise by in-house departments, including compliance departments.
An appropriate compliance programme is built upon a prior risk assessment of the business activities and the various operations conducted by any given company. The functioning of a compliance department depends significantly on the compliance programme that a company designs and ultimately implements.
An appropriate risk analysis should cover all aspects of a company, including factors such as, but not limited to, the products and services the company offers, the business model that sustains those products and services, the markets in which the company competes, whether the company conducts business with governments, the company’s relationships with third parties, and the company’s culture.
There is no one formula that ensures the success of a compliance department. Rather, it depends on many factors, both internal and external, including unexpected situations such as those the world is currently experiencing with regard to the covid-19 pandemic and the restrictions imposed on certain foreign countries. These situations undoubtedly have caused disruptions at all levels in many organisations, both private and public.
Considering the above, once a company has defined its compliance programme, the following steps are presented as suggestions that could facilitate organisations when establishing their compliance departments.
A successful compliance department is based on strong fundamentals that serve as pillars to drive all subsequent efforts. From these fundamentals, more specific actions can be developed that will deliver the purpose of each pillar more effectively. The following suggested pillars can provide the basis of compliance initiatives.
Tone at the top and budget definition
Nothing is more effective than leading by example. Overall, no company initiative will be successful, particularly in the long term, without the proper support of the company’s leaders and management. No compliance programme can be managed effectively without this fundamental element.
There is no question that, in the current economic climate, no business organisation can maintain its success unless it has strong ethical foundations and a commitment to comply with all applicable laws and regulations. This helps to avoid situations that could adversely affect a company’s reputation in the market.
The leaders of the organisation must champion the need to run the business in an ethical manner, so that everyone within the organisation follows that spirit at all levels, not least because their support will be needed whenever the company faces ethical dilemmas.
There is a big difference when all employees know that their leaders promote all sorts of compliance activities, from incentivising ethical behaviour to taking appropriate action whenever it is needed.
Compliance departments should encourage leaders to take advantage of any opportunity to spread this message, whether in a summit, an all-hands meeting or other internal communications. This type of support will certainly set the tone across the organisation and enable a compliance department to achieve its goals successfully.
Once the proper support has been received from upper management, it is also important to establish a budget. An adequate compliance budget is a significant indicator of an effective programme; otherwise, organisations will need to reverse engineer to determine how much they are spending and that may create some friction internally. No corporate programme can be effective without planning and appropriate financial resources supporting it. In compliance, it is important to make sure money is well spent on critical initiatives and processes so companies are prepared whenever disruptions come into play, such as the covid-19 pandemic, the imposition of controls and sanctions and other unexpected circumstances affecting supply chains and related revenue challenges.
Establishing a budget requires focus on what is needed to operate the programme, and it also reinforces the independence of the compliance professionals, who would otherwise be required to obtain resources from other areas. But how does one quantify costs and allocate resources? Like any other corporate activity, organisations will need to prioritise, so that more resources are allocated to activities that carry a higher level of risk (e.g., doing business in a risky territory, doing business with governments or entering into business models where there may be a greater use of third parties). For purposes of constructing a budget, it is fundamental that the compliance department provides useful information, with examples of compliance problems that other companies are experiencing, industry reputational impacts and new regulations that must be observed. Further, it is always good practice to identify potential suppliers and vendors in advance, such as law firms, compliance risk providers and consulting firms, so as to be able to negotiate quotes and discuss the scope of services.
The above does not mean that organisations need to allocate an unrealistic level of resources. Compliance efforts and resulting expenditures can be scaled to the size, nature and complexity of the business. In smaller companies, resources should be focused on areas of greatest vulnerability. It is also critical to establish a system to identify and rank identified risk areas. This information can be used to establish a work plan with compliance priorities based on a proper assessment of potential risks. Going forward, it is also important to take into consideration contingencies that may affect budgets and keep open the door to make adjustments and renegotiate with vendors whenever situations out of the parties’ control arise.
Code of conduct and ethics
Today, many companies have implemented the practice of having a code of conduct and ethics. This type of document outlines the moral fibre of the company and addresses issues such as honesty, integrity, reporting procedures and corporate social responsibility.
It is indeed fundamental that an organisation should have its own code of conduct and ethics, so that its position on ethical behaviour is clear to both the members of the organisation and the market. This is also a good way to send a strong message that will inspire trust in customers and employees.
Nonetheless, simply having a code of conduct and ethics is not sufficient. It must be a living document and should be constantly reviewed and updated to properly address the changes in the various laws that may apply to the company and its business. Successful compliance departments must lead this effort and find ways to make sure the spirit of the code is followed by all members of the organisation, who should always conduct themselves in an ethical manner in all aspects of the company’s business and promote compliance.
In many ways, a compliance department is the guardian of the code of conduct and ethics. For that reason, the leaders of the organisation must maintain close contact and coordination with the department.
A successful compliance department should also be responsible for measuring the effectiveness of its code of conduct and ethics and in implementing initiatives to preserve the company’s ethical commitment.
Ownership and management of policies and programmes
In general, compliance programmes are based on three main objectives: prevention, detection and remediation. Further, effective compliance programmes are those that have the following characteristics:
- require conduct that complies with laws and regulations;
- promote and create a culture of honesty and integrity;
- protect the company’s reputation;
- prevent illegal behaviour;
- detect compliance issues at an early stage;
- have mechanisms to correct action and remediate; and
- build employee trust and confidence.
The policies and programmes that form a compliance programme should be owned by the compliance department. These policies should be carefully designed to make sure that they deal with the most relevant risks. A successful department should have the ability to identify issues and develop appropriate mitigation plans and strategies, including the use of effective language that can be incorporated into applicable contracts so as to mitigate the organisation’s exposure to identified risks.
For instance, in-house compliance professionals should analyse and vet business opportunities with government entities in advance. This is not only to identify potential corruption or the violation of procurement laws, but also to evaluate more broadly whether a particular opportunity with a government entity is consistent with the company’s business models.
As an example, assume that a company is working on a business opportunity to sell specific information technologies to a government customer. That transaction may be legally viable and possible for many companies without contravening applicable laws. However, compliance professionals should assess more thoroughly whether the transaction is appropriate and whether the company has the ability to deliver, for instance without the need to use subcontractors, and thus avoid circumstances that could have legal consequences or damage the company’s reputation. If the company is not in the business of selling information technology, it is reasonable to consider that certain mechanisms (e.g., subcontracting) might affect procurement laws by increasing the cost to the government. This type of transaction could also expose the company to other risks that may affect its reputation, even if no wrongdoing is found, and, of course, the company’s reputation is one of its most valuable assets. Companies should stay away even from situations that could create the appearance of wrongdoing, since that may trigger not only reputational but also legal consequences.
Furthermore, compliance departments will need to ensure that other internal departments participate in the drafting and monitoring of particular compliance policies and aspects of compliance programmes. This is especially so when a potential issue directly affects another department (e.g., reimbursement of corporate expenses). A compliance department will need to liaise with other internal departments to properly achieve its mission, whether for purposes of putting together policy terms, drawing up training materials or conducting an investigation.
Typically, the most common policies that reside within a compliance department are those that relate to anti-corruption, money laundering prevention, data privacy protection, export controls, conflicts of interest and other regulated areas; however, a compliance department should be able to assist other internal departments on other matters that may affect the ethical fibre of a company, such as general harassment.
Team of professionals
The human element is extremely relevant when building a group of professionals to manage an in-house department. They are a key asset, as they are the people who will ultimately determine its success or failure.
The skills of those professionals who will be supporting the compliance department should be aligned to what the company needs to execute its compliance programme. For instance, banking institutions will most likely require professionals with experience in specific banking regulations (e.g., anti-money laundering), although it is also helpful to retain professionals with general experience on other matters so as to have a diverse group.
It is also a good idea to have people from different backgrounds in the department, to the extent possible, who are not necessarily only lawyers but also professionals of other types. The greater diversity of opinions a team can have, the better.
However, just having talented professionals who are skilled in the various matters that the compliance department manages may not be enough. Companies should also focus on retaining people who possess the highest level of ethics, are trustworthy and have the ability to support the various activities that the compliance department performs. For instance, whoever is responsible for preparing and delivering training to the workforce should have the ability to communicate clearly and, ideally, inspire people. Those who are in charge of conducting internal investigations should have experience in conducting interviews, drafting reports and communicating within the organisation, including to the board of directors, auditors and others.
Internal communications and continued training
Compliance departments cannot do everything. Therefore, companies should aim to have employees who see themselves as functional ‘compliance professionals’. In other words, everyone within the organisation must follow the internal policies, seeking guidance if needed and reporting anything irregular. They therefore need to be fully aware of the company’s activities, its business initiatives and the types of transactions being performed, so that they will notice if the company is doing business without proper contracts or if unusual payments are being made. As a former colleague, Eric Diaz, once said, compliance starts with the people, and so does the detection of potential issues and, therefore, the prevention of those issues.
On the one hand, in addition to having leaders promoting integrity and supporting compliance initiatives, employees should also be constantly reminded about the company’s moral fibre and be given training on the various policies. This is especially so when policies are supplemented or modified over time, as a result of changes in legislation or when new policies are created (e.g., when the company launches new business models). In this way, the spirit of compliance can be felt by everyone.
Communicating frequently with the workforce on ethical matters is a task that can be led either by senior management or by the compliance department. Communications can be made through emails, posters displayed within the premises or on the company’s internal website. Some compliance departments have implemented the practice of conducting specific activities throughout the year to remind everyone that compliance is just as important as any other activity or function within the company.
On the other hand, training is not merely a means of transmitting knowledge, but also making sure companies can show the authorities or auditors, whenever necessary, that they have acted responsibly and have done their part in training their workforce.
Successful compliance departments use meaningful and business-oriented training. This is not the usual 30 to 45 slides that have been on file for years. Training must be constantly updated and, more importantly, should be designed in a format and have content that is impactful – real-life situations, videos, interactive questions, whatever works. Furthermore, those materials should be crafted in a way that can be effectively understood by people from various cultures and based in different locations.
Resources and tools
Successful compliance departments should wisely select tools that will assist them in achieving their goals. They should incentivise and promote the use of technology, not only because that could assist the company to expedite business, but more importantly, because that has proven to be an effective way to maintain records and files, which are fundamental to supporting compliance investigations and authorisations.
The cost and effectiveness of tools are critical. Compliance departments should be able to understand what tools and functions are required to properly mitigate risks and ensure business continuity. For instance, many companies license screening tools to identify whether a particular third party who interacts with the business has been sanctioned by a state, meaning that doing business with that third party could constitute a problem to the company. However, vendors that license these technologies usually manage their fees based on the number of lists that are screened whenever a customer runs a search. Since there are many lists published worldwide, compliance departments need to understand what lists are required in order to manage fees.
Although the use of technological tools is highly recommended, there are other resources that can also be critical in assisting compliance departments in their function. One such resource is the use of external counsel support. This can be essential when a company is facing sensitive issues, such as government audits or when new regulations that affect the company’s operations have taken effect. In this case, as often occurs, in addition to engaging external counsel, compliance departments will need to work with other critical allies within the company’s organisation, such as the legal, finance or operations departments.
Implement an efficient mechanism to monitor regulations
In a global economy, companies are subject to local and international regulations such as anti-corruption and bribery and export controls, even when they operate predominantly in local markets.
The world has seen situations disrupting supply distribution chains due to sanctions imposed on certain governments by other governments or international organisations. There is no question that today international political conflicts affect the operations of companies everywhere.
Appropriate mechanisms, in some cases with the support of outside counsel, must be implemented to monitor these regulations so companies can be ready whenever a sanction or a restriction is imposed on a particular country, company, individual or technology, since that circumstance may affect supply chains and consequently the entire business ecosystem.
Appropriate prevention and monitoring mechanisms will help organisations avoid incurring excessive costs, customer satisfaction issues and contractual breaches due to these situations. Therefore, it is important that compliance departments play an important role in the decision-making process of the company at all times. In that way, they can advise on what type of controls should be implemented in the company’s operations, or provide advice whenever contracts are being drafted so that these incorporate provisions allowing the company to mitigate any negative effects, such as the right to terminate the contract if a regulatory situation impacts performance, or the right to obtain further certifications or representations to avoid or mitigate any potential liability.
Trusted adviser and a business partner
Compliance is a business function and a successful compliance department should be able to work that way. Compliance is designed to maintain the company’s profitability, among other important objectives.
Successful departments should act in a way that shows they are no different from any other department, for instance, when finance creates a budget to avoid having to incur unanticipated expenses or when procurement selects the most efficient and cost-effective vendor alternative. All departments must consider the financial health of the company.
A compliance department should participate in all sorts of business meetings and in the design of plans to anticipate issues, create acceptable mitigation plans and deal with issues as early as possible. Successful compliance departments should be able to demonstrate their value to the company and their role in finding the most appropriate ways to secure profitable transactions creatively, thus generating revenue and value for the company. For instance, one way is by assisting the company in obtaining specific compliance certifications, such as ISO 37001 on Anti-Bribery Management Systems. Potentially, this can increase the value of the company and could even be used in sales proposals when pursuing business opportunities.
Today’s competitive environment has compelled companies to grow internationally. Setting up a business overseas usually becomes a challenge when maintaining consistency in a compliance programme. This is for various reasons, but primarily the variety of laws and cultural behaviours that exist worldwide.
On this issue, for instance, a successful compliance programme should incorporate comprehensive programmes for mergers and acquisitions and the ability to implement business models, policies and procedures everywhere.
With the support of other areas, such as finance, human resources and legal, the compliance department should analyse the international operations of the company to determine whether the market in which operations will be implemented is new to the company or constitutes the opening of a new division or line of business in a country where the corporation has previously been established. In either case, comprehensive due diligence must be conducted to establish the risks and challenges, implement mitigation strategies and develop an appropriate integration plan.
It is critical that important issues are evaluated, such as ownership, governance, whether public investments are required (which is the case in certain sectors of some countries, such as oil or telecommunications), the need for specific permits and licences or even certain authorisations when it comes to specific industries, such as banking or pharmaceuticals.
For instance, in M&A transactions (see also Chapter 12 on Assessing and Mitigating Compliance Risks in the Transactional Context), due diligence must include the following:
- preparation of comprehensive questionnaires to be evaluated by the compliance department, and any other internal areas;
- review of internal policies and procedures or local laws;
- evaluation of business models and programmes to determine whether they fit with corporate policy;
- interviews with stakeholders; and
- development of background check reports (either internally or with the support of external agencies).
Finally, if the deal goes through, the company will need to have an appropriate integration plan, one that resolves issues and risks that have been identified, implements mitigation strategies (e.g., a spin-off of a particular division, procedures to address potential conflicts of interest, renegotiation or termination of certain contractual relationships or a workforce restructuring) and that appropriately rolls out all corporate policies and programmes.
It will also be important to implement an appropriate local training programme, satisfying the local needs of the business and with the right cultural approach. For instance, there are certain places where face-to-face training will be more effective than training that is provided remotely or online.
When disruptive situations take place, such as the current pandemic, and particularly when conducting operations overseas in high-risk territories, a higher level of scrutiny must be maintained within organisations. One example is when bribes are inappropriately classified as facilitating payments to expedite permits and authorisations. The US Department of Justice has said, ‘Labelling a bribe as a “facilitating payment” in a company’s books and records does not make it one’.
International organisations are also taking a stand in ensuring that the fight against corruption and bribery remains a high priority. The OECD recently issued a statement indicating:
As countries around the world work to combat the outbreak, the OECD Working Group on Bribery, which unites all 44 Parties to the Anti-Bribery Convention, is firmly committed to upholding its obligations to fight transnational bribery in all its forms and across sectors.
It also calls on all countries around the globe to respect the rule of law, ensure integrity in public procurement, transparency, the effective protection of whistle-blowers, and press freedom to fight all forms of corruption, especially corruption that could undermine the response to the pandemic.
Facilitating payments are an exemption to the FCPA, not an affirmative defence. This means that the accused company can claim an alleged bribe was a facilitating payment and the burden of proof is on the government to prove otherwise.
Maintaining close contact with the workforce
Building a culture in which employees can identify issues on their own and freely deal with those issues is critical to close the loop and to ensure the compliance department can track metrics that properly evidence the reality of the business they serve. This is possible by implementing mechanisms and initiatives that, among other things:
- allow the compliance department to reach out to employees regarding their day-to-day activities; and
- establish a compliance champions programme that allows individuals from various areas to become part of a group that will serve as liaison between employees and the compliance department, so as to understand the needs of the business and its day-to-day realities more effectively, and to cascade compliance initiatives and programmes down to the workforce.
Crisis management and remediation
Many articles have been written suggesting that compliance programmes are tested not only by the problems avoided, but also by whether crises can be overcome. This is also applicable to compliance departments, since crises can happen in any company; large, profitable and successful companies are not immune. Those that overcome these situations and maintain their position in the market are the ones that have the right processes and procedures in place, with the right people to manage them.
A successful compliance department should have appropriate internal mechanisms to deal with compliance and ethics crises and must always be involved whenever they arise. Compliance departments become a great asset in those situations, primarily because crises do not suddenly emerge but rather evolve from an issue that was not well handled, or from situations not remediated on time. For this reason, early engagement is critical.
In addition to working with other critical areas, such as legal and finance, a compliance department should also advise the company about when to engage external counsel and which areas should recuse themselves (including compliance itself), to avoid situations that could cause eventual harm to the company, even in appearance. In larger organisations, this type of situation is usually handled by multidisciplinary teams specifically created to manage a crisis.
Transparency is always needed, of course; however, that does not mean openly publishing everything that is being reported or learned. Compliance departments should understand how to manage the flow of information and how to properly activate certain mechanisms, such as legal privilege, whenever it is convenient and wherever it is possible. They also need to understand and appropriately manage privacy and confidentiality. Therefore, compliance departments should push to have appropriate incident response procedures and incorporate these into compliance programmes.
Consistency is also needed. Successful compliance departments should be able to take appropriate action in a timely manner and in alignment with the company’s ethical stand, as reflected in its code of conduct and ethics. That is the best way to send the right message out to the market and within the organisation, and to ensure the company survives in the long term, especially given that whenever these situations arise, a company should expect scrutiny not only from authorities but also from the market.
Once a crisis has passed, compliance departments are key to implementing whatever remediation measures have been adopted. These may include more training or the creation of new processes and procedures, the termination of contracts or disciplinary action. Compliance departments should lead, monitor and follow up on remedial actions until they are satisfactorily concluded.
Being ethical and ensuring compliance with all applicable laws and regulations is simply the right way to do business and the best way to protect stakeholders’ interests. To facilitate this goal, companies must have an appropriate compliance programme in place and a reliable compliance department to run it. There are many challenges in daily activities that require compliance departments to step in and act effectively to prevent issues and rectify whatever has gone wrong.
The scope of this chapter does not permit detailed discussion of each of the outlined pillars, but these can be explored in more detail with the support of compliance specialists and external counsel. (See also Chapter 11, for example.) No successful compliance department can emerge from improvisation; a road map should always be established for better results. A successful company is likely to have a strong, effective compliance department. Companies should, therefore, take their time and be careful when developing and nurturing their compliance departments.
Designing a contingency plan and returning to normal
One of the lessons recently learned by organisations around the world is that companies must be prepared to deal with the unexpected. Compliance programmes today must include processes and procedures that ensure they can continue delivering their function at acceptable levels, following a disruptive incident. Those incidents may come not only from situations inside the organisations, but also from events caused by external factors such as the covid-19 pandemic.
The design of such a plan must be risk-based. The basic elements such plan should consider are:
- re-evaluation of risks, since the company’s activities may have changed, followed by a new assessment of compliance priorities;
- resource allocation that identifies the alternatives available to the company (e.g., whenever a vendor or a system becomes unavailable);
- redefinition of roles and activities in case some roles are eliminated or put on furlough, and liaison with other areas, such as HR, to properly support the workforce as needed;
- review of processes to define whether some of those should be adjusted while the emergency conditions last, and preparation for post-crisis stages by ensuring that important compliance activities (such as recordkeeping) are not stopped or diminished;
- activation of other alternatives to run internal processes, in case the existing ones cannot be sustained or become unavailable (e.g., e-signatures or remote interviews). For instance, owing to covid-19, it will be important to redefine IT security measures to cover cybersecurity and data privacy protection risks, particularly with the increase in the use of IT tools and in personnel working remotely; and
- constant communication within the organisation so everybody understands how the compliance programme will be run while the contingency lasts and that internal resources remain available.
This last element is very important, because more than ever before it is key for everyone in the company to understand that the programme is fully operational and that more than ever before they need to engage compliance personnel early.
A post-contingency plan should be designed for purposes of returning to normal in an orderly fashion, and the compliance department should be prepared to lead the organisation on compliance matters when ‘returning to normal’.
Reynaldo Manzanarez Radilla is the legal affairs and compliance director and head of legal at Incode Technologies and a member of the company’s global senior leadership team.
See Chapter 10, ‘Embracing Technology’.
ISO 37001:2016 – Anti-bribery management systems – Requirements with guidance for use, International Organization for Standardization, https://www.iso.org/standard/65034.html.
A Resource Guide to the U.S. Foreign Corrupt Practices Act (Second Edition), by the Criminal Division of the US Department of Justice and the Enforcement Division of the US Securities and Exchange Commission, p. 26.