Operationalizing compliance is a term that often gets thrown around in compliance conversations but is widely misunderstood. What exactly does it mean to operationalize compliance?
To answer this question, we brought together some of the top minds in the space at a recent Consero event in Austin, Texas, to discuss and learn from each other. The panel, led by Valerie Charles, our Chief Strategy Officer, consisted of five compliance veterans. For this discussion, we tapped Tara Shewchuk, VP & Deputy, Office of Ethics & Compliance at Medtronic; Robert Sykes, Executive Director of Compliance at Ally Financial; Joanne Rapuano, Chief Compliance Officer North America at Embraer Executive Aircraft; Joseph Henry, US Compliance Officer at Braskem; and, last but not least, George Totev, Head of Risk & Compliance at Atlassian.
What does operationalizing compliance mean?
Before we get too deep into the proverbial compliance weeds, it’s first necessary to unpack the phrase: operationalize compliance.
By definition, operationalizing means to apply a systematic approach to automating, measuring and aggregating with business priorities in mind. When you think about that in the context of the compliance and ethics function, it is really all about putting well-defined processes (think: due diligence, conflicts of interest, G&E, risk management, etc.) into working order. As compliance professionals, this is something we all know we should be doing, but the goal of our session in Austin was to highlight the real, tactical ways we can achieve this goal.
As a side note: this also touches on how to elevate your compliance program. If you want to dive deeper into this topic, I would encourage checking out our eBook A Step-By-Step Guide to Elevating Your Compliance Program.
Now, without further ado, let’s recap the panel discussion:
How do we ensure compliance officers understand the greater business?
Joe: I think it’s about participating by asking the business to apply resources and seeking knowledge from other leaders. To reinforce compliance’s seat at the table, it’s important to understand the behaviors your business is focused on driving and highlighting the role compliance plays to make that possible.
Tara: Intentionally partnering up with the business is huge. Create business partnerships for the compliance team throughout the organization. This will help build trust over time. It is also worth spending differentiated time with your higher-risk areas, such as your internal salesforce. I’ve found even things as simple as attending sales meetings can be very helpful for alignment and gaining a better appreciation of the risk on the ground.
George: Risk is very contextual. That is why our team members are actually into business units, which allows them to understand that area of the business on a deeper level. In order to properly manage risks, you have to really understand the department you are working with.
I have also found it helpful to pose compliance issues as a problem for the business. You need to be able to show them how this is bad for business and let them in on why this matters rather than just tell them it has to be done in a certain way. This way, the business units not only design solutions that will work for them but also will feel ownership and actually execute on them.
How do you add compliance controls in other parts of the business?
George: I think operational integrations can be very powerful. The tools, software, and processes you leverage should not be introducing new risks but rather help to balance the risk portfolio.
Whenever you work with other parts of the business you need to be open with your partners. Understand their objectives and limitations, and be honest about your goals and potential pitfalls. That establishes trust and helps the relationship.
What technology has helped operationalize your program?
Joanne: Portals have been essential for us rolling out new policies and procedures. Most of our policies have a portal in order to make sure there is a consistent process - portals include, for example, gifts, KYC, DD, sponsorships, etc.
George: Task management has been helpful and really just workflow and process management in general. Workflows are being leveraged everywhere and it really would be impossible to do any of these manually.
We are lucky that we were able to “drink our champagne” (Atlassian builds such tools) but I will encourage you to check what is already in place in your organization and how you could leverage it. You have to balance the Risk & Compliance desires with the rest of the organization and be realistic about it. No one wants yet another tool to enter data and create reports.
How do you fundamentally influence company culture?
Tara: Creating a sustainable infrastructure is key, and remember that “what gets measured, gets done.” For example, make sure there are required goals around ethics so everyone is held accountable, including at the time of performance reviews. Measuring everyone on ethical performance means all the way up to your top execs. Partnering with HR is critical to make this a reality, especially around developing key metrics to measure results.
Joe: We actually try to evaluate culture fit in the hiring process by asking ethical decision-making questions. We also involve ethical behavior in succession planning discussions as well. We also encourage employees to reach out directly to the E&C team before they make a hotline call.
Rob: Tone from the top should be mentioned in this conversation as well. We are fortunate because our CEO is a big ethics and compliance champion, is typically the first one to complete his training and actually went so far as to institute a financial hit to his executive leadership team if they are late on taking the training. It just goes to show that if a relatively minor compliance concept like training receives this amount of exposure, it doesn’t allow for excuses and, in fact, provides for a more cohesive company.
Joe: We actually evaluate 5-7% of employees’ bonuses based on their alignment to our compliance objectives such as completion of compliance training, their compliance with policies and procedures and how effectively they manage assigned risks. On top of that, if they are a leader, if their employee doesn’t perform, they will be impacted by their bonus.
Tara: The “mood in the middle” should not be ignored. Middle management might even be more important than the top, because these leaders have more direct interactions with those on the ground -- and are the ones who write performance reviews. The hiring process is another place to focus attention. Think about how you hold middle management accountable for hiring and promoting. They are often the group that we need to provide with training sessions and tools.
Do you publish compliance success stories or failures?
Joe: Yes, we take real cases and anonymize them and then leverage them in training. This makes the examples we use very relevant to what our employees are actually doing day-to-day.
Joanne: We run a “lessons learned” series which is where the compliance team shares examples with the communications team - whereby these examples are then broadcast on television screens through the entire corporation.
Tara: On the success side of things, we celebrate and reward good behavior with our annual and prestigious Compass Award. This is a way for us to highlight 4-5 individuals or teams with great stories, which we promote across the organization as examples of principled behavior aligned with our values.
How do you get buy-in around compliance?
Joe: I think this is where the importance of relationships really comes into play. If the compliance function is focused on delivering great customer service to the rest of the organization then that will naturally help with business partnerships because they trust you. These relationships along with providing real-life examples of misconduct can go a long way around getting buy-in.
The importance of operationalizing compliance
Hopefully, by this point, you have more clarity about what exactly operationalizing compliance means and will be able to speak with more confidence the next time it is brought up.
As we’ve learned, operationalizing compliance can mean so many things. It really is a broad term meant to encompass how compliance processes flow into the rest of the business and drive major impact within your organization. So whether the next way you will operationalize compliance is vetting new technology solutions, reviewing how you instill ethics into your company or strategizing ways to gain executive buy-in, we are excited about the impact your efforts will have.
To read more about ways automation can help boost your compliance efforts, I would highly encourage checking out A Blueprint for an Automated Compliance Program: The Second Edition. This eBook is designed to be a detailed guide to navigating the building blocks of compliance including risk management, due diligence, training, policy management, reporting, and more.