Before you read through this article it’s important to set out a few markers. Firstly, if you are on the Board of a business, or a senior leader in a business, and you are not finding compliance hard, your business is probably not compliant and you might want to start asking some searching questions. Harsh, but experience suggests fair. Secondly, if you are finding it hard and are struggling to get good information and support from your often overwhelmed compliance team, you are not alone.
Over the past two years TCF has worked with many firms who are wrestling with compliance and regulation and who, as a result, are engaging in programmes of change to alter everything from their products, their governance, their technology, their business systems, their operational processes, their sales and marketing practices and their compliance and risk arrangements to ensure they can meet regulatory standards of compliance. They are most definitely not doing this for fun – they are often doing it in response to direct demands from the regulators or pre-emptively, having spotted a problem, to head off such demands.
So what’s happened in the world of regulation and why is compliance seemingly harder than ever? This article provides a few thoughts on the whys and wherefores and hopefully a few useful tips on what to do about it.
Without doubt the last few years have seen the regulators extend their powers and broaden their reach whilst governments have increased their regulatory expectations, but that is only a part of the story and plenty of other things have changed too.
Regulators are no longer simply accepting that firms have done the right things. They are now deeply engaged in not only the what, but the how and even more importantly the customer outcome generated. This is about the regulators not just accepting a “box ticking” approach from firms. Regulators are demanding Boards and leaders apply judgment and create “compliant cultures” within their firms so that all staff might apply effective judgment. This is made harder as the regulators, whilst providing some principles for guidance, are not providing many specifics as to what a compliant culture actually looks like. Indeed, while they have talked about what ‘bad culture’ is, they have tended to avoid articulating what a ‘good culture’ looks like. At the same time, regulators also demand evidence and want to see effective monitoring processes completed. So while they require judgment to be applied, they also still want their boxes ticked.
Regulators are also expecting compliance functions to be strong, well resourced and capable of challenging the Board and leadership and raising concerns on a regular basis. This means that for many businesses greater investment in resources and training is required. For compliance functions, this means being pulled in many directions, both strategic and tactical.
The last 10 years have also seen a massive change in how customers, suppliers, employees, regulators and the media interact with businesses. Opaque firms are being regularly challenged and transparency is the order of the day. An action thought insignificant in one part of the business can have a massive impact across the whole of the business if it is captured and goes “viral”. Think United Airlines. This is the new normal and is not going to go away. Firms in multiple industries have to rethink their focus on treating customers fairly and delivering compliant, customer-centric cultures. Firms need to be prepared to respond to breaking news, in both mainstream and social media, and manage their reputations whilst putting in place the procedures to ensure it doesn’t happen again. Compliance has moved out of the back office and is now providing critical support to Boards and business leaders.
To complicate matters further, exerting the necessary level of control over today’s businesses to ensure compliance is not simple. The days of direct command and control are long gone as today’s businesses have complex and long supply chains. Algorithms in business-critical systems and software may well originate from a couple of contractors working for a third-party supplier based overseas. Firms are now having to work extra hard to ensure they have a clear line of sight and appropriate controls throughout the supply chain. They have to ensure that everyone who contributes to the business is aware of and delivering to the necessary compliance standards.
So yes, compliance is hard and it’s not going to get any easier.
However, the firms that are managing compliance well seem to be doing so by following a few simple guidelines.
Here are the top five things that we at TCF think make the difference for those firms and Boards who are doing OK at compliance:
To do all these things requires line of sight to the Board and leadership and strong management, both programme and ongoing. That is a huge task, but at TCF we would remember the 80/20 rule and recommend that a business leader is better off making a start on one or two of these than being daunted by the prospect of doing the lot and not starting at all.