Compliance officers often struggle to develop the right working relationship between themselves and executives in the business operations — executives who, as best practices have told us for years, are supposed to “own the risk.”
What does that phrase mean in practice? If the business operations people are responsible for managing the risk, what does compliance do? How should compliance officers monitor and guide that risk management happening in the operations?
Compliance officers seldom talk about those questions; we’re busy pondering core compliance function duties such as internal hotlines, policy management, or automation of due diligence.
Those tasks are important to an effective compliance program, certainly — but effective compliance across the whole enterprise must also address how compliance collaborates with business operating units. Both groups need to support each other’s work to succeed at that larger objective, but how does a company create that environment?
Thankfully, regulators (particularly in the banking sector) have had a lot to say over the years about defining compliance and risk management duties smartly. When we distill those statements into several basic operating principles, compliance professionals from any sector can put those lessons to use.
What Should the “First Line of Defense” Do?
When we say “the business unit should own the risk,” that phrase can translate into several actions each business unit should take.
First, the unit should implement a risk self-assessment framework that connects its operations to risks the business faces and the controls meant to reduce those risks. Specifically, that self-assessment should answer the following:
- What is the scope of operations?
- What are the significant risks with those operations?
- What controls exist for each risk?
- How well are those controls working, so that operations stay within stated risk appetite?
For example, a global sales team should define the products it sells and to what types of customers. Working with the compliance or audit functions (or both), that sales team can then document the significant risks: bribery, money laundering, privacy. It can document the controls that exist for each risk, and certify how well those controls do or don’t work (again, perhaps with the help of audit).
Beyond that risk self-assessment, the business unit should also document responsibility and accountability for compliance and risk management: Who within the unit does what, and what happens if that person doesn’t do it? Writing down that responsibility (and then having the relevant executives certify their awareness of it) is crucial to getting business units to take compliance seriously.
Lastly, business units should have processes in place to measure, monitor, aggregate, limit, and control risks within the unit, according to whatever limits were established by the board or a risk appetite statement. This is where compliance or reporting technology can be a big help, and also where compliance and audit teams can assist so the business unit has effective processes in place.
What the Compliance Function Should Do
The compliance function has two roles. One is to manage those core compliance duties we mentioned earlier, such as the internal hotline or compliance-related training. Another, however, is to act as guide and overseer for those business units in the First Line of Defense. (Otherwise the business units would take those steps we just outlined above by themselves, and lord knows what might happen.)
So for example, compliance officers can help business units to define the risks they should include in their risk self-assessment. You can also help business units implement policies, procedures, or controls that make sense for their operations. The business unit owns the risk, but the steps it takes to control that risk are ones the business unit devised with the advice and consent of the compliance team — that’s the ideal arrangement you’re trying to achieve.
Meanwhile, the compliance function also needs to monitor the compliance work happening among the business units. In that case, you need monitoring and reporting tools that let you review all that work in the First Line of Defense: tools that let you see due diligence completed by operating units, or spending requests reviewed and approved in a timely manner, or consent obtained before collecting consumers’ personal data, or whatever.
Two other capabilities compliance officers need are strong policy management, to update enterprise-wide policies in a timely manner, and comprehensive reporting, where compliance can pull together information from the business units to give senior management and the board a complete, independent sense of compliance activity — including compliance challenges that aren’t being solved by the business units.
And all of this is predicated on clear lines of authority and responsibility for the compliance function, ideally endorsed by the board. That imprimatur is what lets the compliance function fill those dual roles as guide and overseer for the business operating units.
Then the compliance officer is in a much stronger position to help business units in the First Line of Defense. They own the risk, but you help them to manage that risk effectively — and to act as a backstop when they don’t.