"The main job of the compliance officer is to put him or herself in the shoes of employees and understand what their jobs and their lives are like, to have their radar tuned for changes in the company and in the world,” says Ted Banks, founder and partner at Scharf Banks Marmor LLC.
Banks knows that compliance officers must answer to multiple constituencies—shareholders, the board, company employees and the government among them. And these days, they must be increasingly concerned with a wide array of different issues, all of which jostle to take top priority. From social media policies to the risks of bring-your-own-device programs, from the potential pitfalls of corruption when doing business overseas to issues of privacy and data security, compliance officers who are trying to stay ahead of trends (because being on top of trends means being behind) are thinking ahead to 2016 and beyond. They’re noting the trends and concerns that will cover their plates in the years to come, issues such as data privacy and security, auditing and monitoring, interfacing with the board and more.
Cybersecurity and privacy
While all companies need to be concerned with the security of their private data, those that deal directly with consumers should be even more vigilant. “Compliance officers need to work with the departments within the company that have access to employee and customer information, particularly if those customers are consumers,” says Banks. “They need to make sure there is proper security on that information and find out how easy it is to get access to online repositories of data. Consider using strategies like two-part verification to get onto a site instead of just a password. This also means limiting access of third parties.”
A proper data security strategy touches on so many aspects of the business that it requires cooperation among many disparate groups within an organization. “Compliance, legal and information technology need to be involved, while the board needs to be part of the conversation, though not involved in day-to-day operations,” explains Darlene Quashie Henry, vice president and associate general counsel, corporate & compliance, of Office Depot. “Legal needs to understand the rules and regulations around data security, how to assess the situation. They are not going to know that from the tops of their heads because of all the differences in the state laws surrounding privacy issues, so they need to know where to go to get the information. Compliance should be involved in training, putting strong programs and policies in place.”
Quashie Henry points out that data security plans need to have multiple prongs, with an information security (infosec) component and a response component. “Have a plan in place from the infosec side that monitors on a day-to-day basis what is happening in the security environment, and understand if there is an anomaly,” she describes. “One you have the IT portion in place, come up with a plan of who will notify the board and who from the executive team needs to be involved in the event of a data breach, including knowledge of who will speak to the media on behalf of the company.” She recommends running mock breaches to engage all players who would be involved in responding to a real incident to give them each insight as to what their roles would be.
One of the major regulatory concerns in this area is the fact that there is no federal data breach law, but rather a patchwork of 47 state laws plus sectorial laws. This decentralization is an issue for large companies, and matters are further complicated when companies conduct business outside of the United States. “International regulations are difficult to monitor and are changing and evolving just as quickly as in the United States,” says Quashie Henry.
Banks agrees, saying, “Many countries have limits on data transfer, the European Union being one of the best known. Something a company might do, like transferring an employee from Berlin to New York and moving his or her personnel file, may be a problem under EU privacy regulations.” Companies who do business overseas need to ensure compliance with local laws and keep abreast of any changes.
Auditing and monitoring
With risks that are constantly mutating and evolving, like the risk associated with data breaches, compliance departments find themselves squeezed. Chief compliance officers know that they need to ensure that their programs are agile and constantly evolving, but they face pressures to do more with fewer resources. Still, the need for auditing and monitoring compliance programs will remain a top priority moving into 2016 and beyond.
Of course, with those budgetary restraints come questions, such as the issue of how often a business should look at its compliance program. According to Kathleen Edmond, former chief ethics officer at Best Buy and now a partner at Robins Kaplan LLP, the answer to that question is “constantly.”
“Things are always changing in the business world,” Edmond says. “There are changes in regulation and legislation, mergers, acquisitions and more. Every time there is a change in your particular business operation or in your industry, you need to take a step back and make sure you have the proper processes and controls in place.”
This involves both monitoring and auditing, says Edmond. Auditing is more of a retrospective review, while monitoring is an ongoing, real-time assessment. She recommends an outside audit of the entire program every three to five years. It is a big undertaking and not cheap, but an independent review of various elements of the compliance program is crucial.
Lisa Beth Lentini, vice president, global compliance at Carlson Wagonlit Travel, says that you should view the health of your compliance program the same way you’d treat your own personal health. “On a daily basis, you check to make sure you don't have a fever, you check your weight, etc. You don't go to the doctor every single day,” she says. “Monitoring is like self-care, and auditing is having that third party come in—like a doctor —to tell you what your gaps are. Every day you do things to make sure you are healthy, but you don't have a full diagnostic every day. You have your well visits periodically, and the third party tells you what you need to do in order to get stronger and healthier.
Lentini points out that having a healthy compliance program goes a long way toward creating a compelling business story. She sees this as a growing trend, one that will increase in prominence in the future. “We are finally getting to a critical tipping point with compliance programs. For so long, it has been about playing defense, trying to catch up with regulatory compliance. There's still some of that, as regulations change so often, but compliance programs can be more proactive and innovative, making a lot of difference for businesses in a positive way. The compliance profession continues to progress and can be a differentiator in the long term. Programs can lend themselves to helping the business be better than ever rather than just meeting regulatory requirements.”
Compliance and the board
These matters are all top priorities for compliance departments and CCOs, but in this day and age, compliance concerns go all the way to the top. “The buck stops with the board. It's responsible for what is happening at the company and, from a compliance standpoint, it needs to be educated and informed,” explains Steve Blonder, principal at Much Shelist P.C. “The board can't do everything itself. You need to have expertise and people surrounding the board, perhaps even consultants reporting to the board, to ensure that you are fully compliant.”
This last matter is a big issue as compliance obligations become more complex and technical than ever, and boards may not have the specialized expertise needed to fully comprehend the intricacies of, say, cybersecurity. But, given access to the right expertise, it's paramount that boards be active and engaged. They are responsible for managing risk, after all, so they need to be properly informed in order to do so.
Though the board's duty is to manage risk to the best of its ability, it's always a bit of a, well, risky proposition. “One can never assess every risk; that's why it's called ‘risk,’” says Blonder. “If there was no risk, there would be no need for insurance. Boards need to figure out what risks are foreseeable and what the company can do to mitigate those risks. You can't eliminate risk entirely, so you have to decide what steps can be taken to protect the company if something does happen.” In this case, the board would work closely with the compliance department to develop that plan and implement it when necessary.
That interaction with the compliance department is something that all companies must look to strengthen in the near future. In some companies, the compliance and ethics departments are intermingled, and of course the board is closely involved in company culture. “The board needs to ensure that the company is following the letter of the law and doing what is required. But in some way, that is a minimum standard,” Blonder says. Boards need to maximize shareholder value, and ethical behavior is a part of that. “You want to be a company that people want to do business with, so your values and ethics are part of your brand, and you need to overlay them on top of compliance. Compliance is a baseline, and ethics is a higher standard, aspirational in some circumstances but something to strive for. Good business is good ethics, generally speaking, and good ethics can help maximize shareholder value.”
That ethical behavior does not spring fully formed out of the ether. The board plays a big role in this, and it exemplifies one of the key business trends of 2016 and beyond: tone from the top. “Leadership comes from the top. There's a reason that the kids’ game is called ‘follow the leader,’” explains Blonder. “When there is a problem, there is often flawed leadership at the top or circumstances that are not positive. Good leadership and messages are not communicated down, so there are problems with rogue employees or the misunderstanding of these messages. There needs to be clear communication from the leadership down so everyone understands what is expected.”
Stay on target
With so many hats to wear, so many regulations to follow and so many threats to fend off, compliance officers could feel themselves overwhelmed as they approach 2016. Banks has some advice for them: “The key principle is to keep your target audience in mind, who you are talking to. They are not lawyers; you are not trying to reteach law school. You are addressing employees, so you have to do things in terms they understand. … You are also out there talking to the government, making sure you can show that you met all requirements of federal guidelines and that you have effective programs. To a lesser extent, your compliance program is speaking to shareholders, interest groups, etc. Lawyers make the mistake of writing what makes them feel good, down to the footnotes, but all of that is not appropriate in a compliance program.”
So, if compliance officers are looking for a New Year's resolution for 2016, perhaps it could be to remember your audience. Take that as a first step, and you’re on your way do the other 999 steps in your journey.