Many companies lump risk and compliance officers together. And, while compliance programs are, by their very nature, quite complex, there is a straightforward starting point that can set businesses on the path toward an effective compliance program. It all starts with a risk-based approach.
Kevin Hyams, the partner in charge of Friedman LLP’s Governance, Risk and Compliance Services Practice, works with both inside and outside counsel to create risk-based approaches to compliance, performing risk-assessments and constructing compliance programs that are effective and efficient.
Hyams has worked with a variety of companies that have dealt with compliance issues in multiple jurisdictions. One common issue he sees is that companies sometimes feel that compliance is a matter of checking boxes on a list. That strategy might work in China, for example, but it could prove disastrous in the United States.
Other common issues that Hyams sees is that companies might lack global-minded chief compliance officers (CCO) or have one that lacks direct contact with the board. Or companies might see compliance as a siloed exercise, which creates a problem, since strong compliance programs need input from all business areas.
In starting a risk assessment, Hyams and his team begin by interviewing principals and practitioners to see what policies are already in place. Creating proper policies and procedures, ones that are continuously revisited and updated, is an essential step in this process. These risk assessments and compliance programs cannot be “off-the-shelf,” Hyams explains, as those solutions won’t take unique business needs into account.
Hyams also emphasizes the importance of training and education. Employees need to understand how serious compliance matters are and have a clear comprehension of what is happening and who is accountable. In fact, some companies do not even have a CCO, which can be problematic. Hyams also believes that the CCO and the GC should be separate individuals, though this is often a function of size. When the jobs are split, the CCO can approach the GC for wisdom and vice versa.
Risk assessments are most effective, he says, when done proactively. Setting up flowcharts of existing processes and refining those processes is a good start. In many cases, it is the board itself that is driving these assessments, due to new requirements in the Dodd-Frank act. These assessments also cover extreme matters, such as what happens if a responsible party quits, which is a matter that some companies may not have considered.
These are just some of the complexities that companies must deal with when taking a closer look at their risk and compliance departments, which is why, sometimes, it takes an outside perspective to help inside counsel decide what to do and how best to do it.
For more on risk and compliance, check out the following: