5 Myths About Compliance Programs (Myth #3) – My Compliance Team is “Terrific”, So No One Else Needs to be Involved
The leaders of compliance functions strive for excellence. It is proper that corporate leaders place an enormous amount of trust in these leaders. These functions can and should advise on the components of the compliance programs and program improvements over time. It is proper that compliance teams provide guidance, experience and expertise.
No matter how excellent an organization’s compliance teams are, they are NOT as intimate with the processes as line management and their teams, nor do they have the same direct responsibility for achieving objectives. It is the line management who must fully understand and embrace the organization’s objectives to ensure success. Ongoing or periodic monitoring is critical to consistent execution and proper management, but monitoring is not “doing”. By definition, the compliance functions’ roles are to monitor internal and/or external developments that affect the firm, assess/audit/test firm activities to ensure consistency with the intent of management and the Board, and identify issues and advise on the actions recommended to ensure consistent execution to achieve objectives. A “terrific” compliance team is necessary but not sufficient for organizational success.
The compliance/risk management teams at Washington Mutual Bank (WaMu) knew and had warned management that the bank was taking unsustainable positions. Indeed, in the complaint brought against the CEO, COO and Home Loans President, the FDIC states that these officers “led WaMu on this lending spree knowing that the real estate market was in a “bubble” that could not support such a risky strategy over the long term, that WaMu did not have the technology to adequately manage and evaluate the higher risks associated with the portfolio, and in the face of continuing warnings from WaMu’s internal risk managers.” (p.4). Even more troubling, the complaint notes, “A February 14, 2006, memorandum from the Chief Enterprise Risk Officer reported that “[a] major concern” of the internal WaMu Fraud Steering Committee “is the inadequacy of WaMu’s fraud tools compared to the industry.” Fraud management was placed in the business lines, and there was no Board-approved fraud risk management policy that established the framework and delegated responsibility and authority for the development and oversight of this area to a particular group.” (p.46) (http://online.wsj.com/public/resources/documents/WamuSuit.pdf) This reckless activity, which led to significant short-term financial gain for these three officers amongst others, persisted, leading to the biggest bank failure in US history. Did the risk managers “do their job” in this case? Certainly, they identified and warned very high levels of management about the problems. Obviously, this was not adequate. This organization demonstrates significant flaws in the overall internal control structure that allowed known issues to remain unaddressed, leading to failure of the organization. It’s very important to note that no members of the Finance organization are identified in the complaint, but it is difficult to argue that they were “doing their job”.
This bank failure is but one recent reminder that compliance must be pervasive throughout the enterprise to ensure success.
Given the importance of compliance, everyone needs to be involved. There are many aspects of compliance, especially those activities dictated by the mission or beliefs of the company and its leadership, which directly affect the success of the company. How successful are you if you lost your soul along the way? Perhaps a good question for the leaders at Union Carbide (toxic gas release at Bhopal, India in 1984 that killed more than 3,700 local residents), Foxconn Technology Group (18 employee attempted suicides/14 deaths at their facilities in 2010) or Kathie Lee Gifford/Wal-Mart (use of sweatshop & child labor to sew clothing in the Kathie Lee Wal-Mart line during the 1990s). These are just a few examples. We all know many others. It’s easy to say “I didn’t know”, but hard to admit “I should have known”. Unless you make a huge, and really not justified, investment in compliance teams that can, in effect, know most of what everyone knows, you cannot expect to be successful without educating all involved. It is essential to direct a culture that supports and, indeed, celebrates those taking action to ensure compliance with the directives. Compliance is everyone’s responsibility.
We must lead our organizations, partners and clients to success in an increasingly competitive and complicated world. We need to leverage technology to better communicate not only the expectations, but the “Why” behind those expectations, including how the activity-level objectives demanded of the line employees roll up to the overall objectives of the organization. We need to leverage this technology not only to communicate but also to foster transparency and accountability. Regardless of how “terrific” your compliance teams are, EVERYONE needs to be involved. That is the path to leverage compliance.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/, follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/