How to build a crack compliance team

By Hala Bou Alwan

Compliance departments operate in a rapidly evolving environment that has fundamentally changed not only the way compliance teams need to operate, but also the tools and skills they need to be effective. The focus has shifted from tick-box compliance to a role that is far harder to define, with expectations increasing along with the need to monitor and evaluate more qualitative factors such as conduct risk, risk culture and tone from the top.

As the pressure to do more on a tighter budget continues to rise, scrutiny from regulators continues to tighten on corporate culture and how directors and executives influence this. Regulators and shareholders are unlikely to tolerate an approach to compliance that demonstrates anything less than best practice.

Our Expert Talk, 'How to Build a Crack Compliance Team', explains the ten characteristics the top compliance teams share.

Chapter One

From C team to A team

With the rapid change in legislation and regulatory guidelines, the compliance function has had to evolve to keep pace. Earlier incarnations of compliance no longer match the requirements of behavioral regulations with their more qualitative approach through the concepts of conduct risk and risk culture. There is no shortage of understanding of what needs to be complied with – it is the how of compliance that is now far less clear. This evolution beyond tick-box compliance requires a far stronger compliance team – one with the skills and experience to address a less well defined compliance environment.

Regulators are tightening their focus on the ‘tone at the top’ and how what the top executives in the company say – and more importantly, do – entrenches an ethical culture in the company. While the cost of building a strong compliance team continues to rise, executives have little choice but to invest appropriately in the compliance function. Any other choice risks regulators and shareholders questioning whether the board and executives are truly committed to embedding best practice compliance in the company.

‘… our focus is increasingly not about telling people in detail what you can do or how to stay within the rules. Instead, our focus is on how we, and you, ensure that your firm does the right thing – if not every time then almost every time – not because the rules say you should but because that is ‘the way things get done around here’. It is about firms getting the basics right – understanding their customers, the risks they pose, and managing those risks proportionately and sensibly.’ Tracey McDermott, director of enforcement and financial crime at the UK’s Financial Conduct Authority

Chapter Two

The crack compliance team checklist

There are many common characteristics of good compliance teams across industries. The ten points that follow – in no particular order – represent those factors that make the biggest difference between an adequate compliance function and a crack compliance team.

A strong compliance team requires a good balance of skills, experience and future potential to entrench best practice compliance in the company. The compliance function needs adequate budget and the necessary tools and technologies required to support efficient functioning. While it may be hard to demonstrate a return on investment, the rapid increase in financial penalties and the reputational damage from enforcement actions demonstrate that the cost of non-compliance far outweighs the cost of compliance.

Ensuring that the compliance team has the expertise and resources they need to perform their function effectively is a reflection of how serious a company is about compliance and, ultimately, the culture of the organization.

While compliance now requires a far more qualitative approach than in the past, relying on hard compliance metrics – both quantitative and qualitative – brings a number of benefits. This approach talks to the rest of the business in a language they can understand and compliance metrics should be embedded alongside other performance metrics. Sales managers, for example, could be ranked on their compliance performance as well as their ability to drive sales volumes. Metrics also allow compliance performance within a business unit to be monitored and regularly reported back to the unit as well as to executive management.

Compliance performance as measured by these metrics should have consequences through being part of performance reviews and linking to incentives. Compliance failures need to be followed up and appropriate disciplinary action should be taken where necessary.

The use of metrics also enables a compliance team to track their own performance and benchmark their programs against peers within the group, within their industry and across industries.

With the rapidly increasing volume of compliance requirements, compliance and controls need to focus on the areas of highest risk in the business to ensure that compliance resources are allocated to the correct areas of the business. Effective compliance focuses on the underlying risks facing the company rather than on the controls in place to mitigate these risks. As the underlying risks evolve, the focus of compliance shifts to assessing whether the controls are still managing these effectively. This process starts with a comprehensive risk assessment, which is regularly repeated to monitor risks as they develop and manage control and compliance effectiveness.

Ernst & Young’s (EY) 2014 Global Fraud Survey highlights that this could be an area of concern for business leaders if the approach to managing bribery risk is any indication. While 7% of the more than 2,700 executives surveyed had been asked to pay a bribe in a business situation, less than half had attended anti-bribery and corruption (ABC) training. In the Middle East, India and Africa, the percentage asked to pay a bribe increased to 16%, while only one third of executives had attended ABC training. Despite the incidence of bribery and the global regulatory focus on eradicating bribery and corruption, nearly 20% of companies surveyed did not even have an ABC policy in place.

Technology is a crucial enabler for effective compliance and an important tool in a risk based approach. Today’s compliance officer needs to have the ability to quickly become conversant with appropriate software.

By increasing efficiency, effective technology solutions can help compliance teams to deal with their increasing workload while managing the pressure on budgets. They can also improve communication and extend the reach of compliance in an organization, especially where it operates in multiple locations and regulatory jurisdictions. Software solutions can assist in risk identification through such aspects as customer screening technologies.

Other useful tools include GRC workflow solutions, compliance training management databases and online culture surveys, all of which support compliance teams in managing and reporting on their work. Forensic data analytics tools help to improve compliance and investigation outcomes as well as providing valuable feedback for the compliance team, management and the board.

Effective compliance now requires regulatory changes, policies and related controls to flow through to risk management and overall business strategy. This makes it essential that senior compliance staff are able to command respect and demonstrate the experience and gravitas to engage effectively with executive management and the Board. Compliance needs to be taken seriously at a high level and the opinion of the Chief Compliance Officer (CCO) should be an important input in key business decisions.

The CCO should be included in key meetings as a matter of course and report at a high level. Regulators increasingly want to see that compliance is viewed as partners in the business rather than as a necessary evil.

‘When legal and compliance departments are not treated as full partners in the business, regulatory problems are inevitable. On the other hand, when the culture of the firm weaves the legal and compliance functions into the business and maintains an open dialogue with them about the risks the firm faces, and when legal and compliance are at the table and consulted on important business decisions, those views are heard and typically heeded.’
Andrew Ceresney, Enforcement Director, United States Securities and Exchange Commission.

As compliance has moved away from the tick-box approach, so the range of skills required from compliance professionals has broadened. The increased expectation of compliance and expanded scope of responsibility have added to the long list of roles that are required to be played. These include the softer skills of good communication, reporting and the creativity to find innovative ways of ensuring compliance is efficient and cost effective.

Companies can build the skills available in their compliance function by taking an approach that includes both attracting external skills into the company and investing in the long-term development of current staff.

A good compliance system runs across an organization. Compliance relies to an increasing degree on information, methodology, processes and technology shared with the governance and risk functions. The compliance team needs to work closely with the audit, legal, risk management and financial reporting departments to remove a silo mentality which can contribute to duplicated processes, redundant processes and overlooked risks. These engagements facilitate a broader team approach within the organization, help to embed compliance into business strategy, processes and functions, and leverage existing internal controls.

A recent survey of global compliance practices suggests that this is an area compliance teams could spend more time on. Around two thirds of compliance teams surveyed spend three hours or less a week consulting with their colleagues in the legal, internal audit and risk functions.

Compliance teams need to be able to communicate well with other functions, the executive and the board. A strong compliance team can add value to corporate strategy and its execution through proactive insights and by supplying the board and executive with current and actionable information.

The ability of the compliance team to engage constructively with regulators is another important consideration. There is a much higher expectation regarding company culture, conduct risk and tone from the top, which is reflected in an organization’s skill at identifying material compliance risks, measuring progress on managing these risks and reporting both internally and externally.

The increased volume and complexity of information that compliance departments have to handle and the rising expectations of the compliance role require ongoing training to ensure continuous development of the necessary understanding and expertise. Training should cover not only the regulatory changes that impact the organization but also the best practices that can improve compliance systems and case studies to highlight potential risks to avoid.

Training is also an important tool to influence compliance in the rest of the organization. The policies and codes of conduct that drive an ethical corporate culture are only effectively entrenched in the organization through training supported by regular congruent communication from senior management.

Given the role that compliance plays in policing the rest of the organization, it is critical that the compliance team is – and is seen to be – independent. This is especially true for the CCO. The board and senior management should ensure clear lines of communication so that the CCO can easily report concerns no matter at what level in the organization these arise. This should be supported by an independent anonymous whistleblowing facility to ensure employees, suppliers and other third parties can communicate concerns without fear of reprisal.

Independence is further entrenched when the CCO and compliance team can only be removed for legitimate reasons – not simply because they are making life uncomfortable for any entrenched interests in the company.

Chapter Three


The evolving and expanding role the compliance department is expected to play requires the Board and executive management to ensure that best practice compliance policies and procedures are in place and implemented, supported and monitored by a top quality compliance team.

Regulators increasingly expect compliance officers to engage at a high level and to have influence not only at a strategic level, but also to be able to drive the right culture and behavior down to a departmental and individual employee level. A strong compliance team helps shift the compliance focus away from helping a company stay out of trouble to understanding how an ethical culture and strategic approach that embeds compliance into the strategy and operations can add value to a business.

Thomson Reuters Risk Management Solutions
