I believe everyone in the organization is responsible for compliance. However, everyone in the organization cannot be accountable for the organization’s compliance program. Everyone being responsible for compliance is how it worked (or rather, didn’t work) in the past. Now we have compliance officers and compliance programs, and we must be sure that accountability for compliance is clearly defined, coordinated, and centralized. I keep hearing that compliance is a part of Audit, or compliance is a part of Risk, or compliance is a part of the Legal department. Is compliance a part of all those areas, or are they a part of compliance? I get concerned when authority, accountability, and responsibility for a single process reside in multiple places. Things tend to fall through the cracks, and when they fall through the cracks in compliance, the consequences can be very negative.
I am concerned that if compliance is not structured correctly, it will become an afterthought of a department that has other priorities, as it had in the past. Non-compliance with regulations has become a problem that has resulted in the birth of the compliance profession.
A compliance program is not a complex concept. All the elements are quite simple concepts that everyone can understand (e.g. hotline, auditing, monitoring, education, etc.). What is difficult is making sure all elements of a compliance program are working at all times. The tough part of compliance is the coordination of multiple compliance efforts and filling the gaps. When compliance fails, it often fails because a piece of compliance was not handled properly. It might have been a simple piece, but nonetheless a critical one. Everyone wants responsibility for compliance, because they have a piece of compliance and they believe theirs is the most important. If you have ever watched the congressional hearings on Enron, WorldCom, or Tyco, you will have seen a parade of people from Audit, Legal and the Board saying, “I had my piece covered. What failed was not my responsibility, and I was as surprised as you that it failed.”
Education prevents problems, Risk prioritizes problems, Audit proves problems exist, etc. However, it’s the coordination of all these pieces that fixes problems. Someone needs to coordinate the whole process. For compliance to be successful, all of these simple pieces have to be implemented and coordinated successfully. When compliance fails, it is often because all of the elements of a compliance program were not coordinated by a single individual (the compliance officer). What concerns me about people who say they have compliance covered is that they are usually looking at it from a 1/7th perspective. They have Audit covered, or they have Education covered, or they have Risk covered, etc. When a failure occurs, they inevitably say someone else had the piece that failed.
We need to stop referring to compliance as a part of some existing department. We need to encourage the participation of those departments, but they must be centrally coordinated. Simply put, compliance succeeds if one person says, “I’ve got it and the buck stops here.” That can’t happen if Risk, Legal, Audit, and HR all think they have responsibility for the coordination of compliance; they have responsibility for a piece of compliance. It’s great to have their interest in our profession and commitment to compliance, but that has not been enough. If it were enough, we would not be in the position we are in today with the compliance profession as one of the hottest jobs in the country. The graph below depicts the idea that the compliance officer and the compliance program are the hub of compliance. I don’t see this discussed enough. We need to help people understand that there is a big difference between having a piece of compliance and overall responsibility.
Covering 1/7 of compliance or even 6/7 of compliance is not enough. The whole system must be monitored and managed by a single individual. I have a theory that if everybody thinks “I’ve got it,” then nobody has it. That is what has caused so many of our regulatory problems. Nobody would think of having four or five departments responsible for legal matters. No one would think of having four or five departments responsible for auditing. Compliance should be managed the same way.