By Blandine CORDIER-PALASSE, Revue Internationale de la Compliance et de l'Ethique des Affaires; supplement to semaine juridique entreprise et affaires n°26
Compliance rests on three verbs: preserve, protect and perform. In today's business environment, the hallmark of successful GRC professionals is their ability to help preserve corporate integrity, protect brand and reputation, and drive organisational performance. Leadership requires clear statements of values and objectives, and a sustained commitment that leads to substantial changes in how the company does business. The risk management culture should be embedded not only in risk-monitoring and compliance systems, but also in business decision-making and incentive systems.
Compliance functions cannot, by themselves, impose a strong risk management culture on a reluctant organisation. But they can play a crucial role in helping the board monitor and evaluate how well management builds sound risk management practices throughout the company. Many attributes of a strong risk management culture are readily observable, and the board should monitor them with assistance and independent advice from the compliance and risk functions. It is critical that the board looks for these attributes in the company's culture, identifies weaknesses and ensures that management is accountable for correcting them. In these volatile times, building a strong risk management culture is a mission-critical priority for the board.
1. The origins of compliance
Given globalisation and increased competition on the one hand, and increasingly complex national and international regulations and standards on the other, together with the significant damage that failures in certain quality processes (Samsung, legionella, Mercator, etc.) can cause, non-compliance has become a major risk. A single fact or incident can damage a company's image and reputation. It can also jeopardise its strategy, its performance and even its very survival.
This increase in the risk of non-compliance has led to the emergence of a central function, whose holder has gradually become one of the key players in a group: the Compliance Officer. First developed in the United States, the function arrived in Europe a few years ago.
2. The scope of compliance
The Compliance Officer is responsible for compliance. But what is compliance? In its highly operational and cross-functional sense, compliance covers all the processes that ensure adherence to rules, standards and procedures, as well as instilling an ethical spirit in the company. Corporate compliance is the result of those processes.
In practice, different organisations use different titles: "Director of Ethics and Compliance", "Chief Compliance Officer", and so on. The one that seems to us to correspond most closely to the current cultural convergence between ethics and compliance is "Chief Ethics & Compliance Officer".
Some people view compliance in a very prescriptive way, focusing on the "process" and reporting aspects, and blame this new constraint for generating costs and holding back business. But when you look at the number of groups that have been sanctioned for failing to comply with laws and regulations, the size of the fines and the ever-increasing repercussions of these sanctions both in France and abroad, there are fewer and fewer opponents of compliance. On the contrary, more and more managers see compliance as a vector for organisational management and performance, and as a formidable lever for competitiveness in an economic environment that demands ever greater innovation and agility. For these enlightened managers, compliance risk has become a major corporate risk.
3. The essential elements of compliance
To better understand the compliance function in companies, we need to look first at the issues at stake, then at the indispensable role the Compliance Officer has come to play, and finally at how the compliance function can be set up and organised. What is the role of the Compliance Officer? Which profile(s) should be favoured? How can the change in the group's culture and organisation be supported? These are just some of the questions our clients are asking us more and more frequently, and we answer them below in several points.
A. - The main challenge of compliance: guarding against dangers
of other groups have had a major impact on the way groups are run and on their development. The consequences of this risk-taking are increasingly being felt by senior management, and also by directors, shareholders and all the company's other stakeholders. The primary objective of compliance is therefore to protect the company.
Intensification of the regulatory framework. - When we talk about risk management and compliance, we often think first of the regulatory framework. This has been strengthened by the Sapin 2 law, the GDPR, the UK Bribery Act, the FCPA, the NIS directive, anti-money-laundering (AML) rules, etc. But in addition to regulatory risks, companies also face financial, strategic, image and reputational risks, any of which can jeopardise and thwart their development.
Reporting obligations are also increasing, particularly in terms of traceability, controls, CSR and extra-financial reporting. These are all areas requiring increased vigilance and procedures.
An increase in risks due to technological transformation. - Whether in manufacturing, where robots and cobots are ever more common, or in services, where the Internet of Things, predictive analytics and cloud computing abound, the sources of risk have multiplied, relocated and become more complex. Identifying them, managing them, implementing risk reduction measures and knowing how to react if a risk materialises are typically the tasks of compliance teams.
A recent analysis shows that, according to the legal directors of major groups, the three biggest legal challenges presented by new technologies relate to personal data, cybersecurity and international compliance.
B. - The mission of compliance: preserving the reputation and sustainability of the company
Build a solid reputation. - This is where the compliance function becomes a competitive tool, as it protects and even strengthens the company's reputation. A quality brand image is the surest route to the customer you want to reach. Increasingly, a company's reputation is becoming a real sales weapon, whether in B2B or B2C, and this phenomenon can only grow with new currents of thinking that would like companies to pursue a societal purpose beyond their purely financial role. At the same time, consumers are changing: they are looking for companies that respect and apply their principles at every stage of the production and sales process. Keeping a group's brand intact, one of its most important intangible assets, is one way of creating value for shareholders.
Maintain this reputation over time. - To respect their principles, companies sometimes have to make difficult choices in the short term, such as withdrawing from certain markets or producing differently. These trade-offs, however, will enable them to prosper in the long term. Solid compliance helps to make the right choices.
C. - Participation of compliance in the company's development
Attracting and retaining talent. - Attracting and retaining the best profiles is the challenge facing human resources, which must now deal with the hyper-connected Generation Y. Corporate social responsibility (CSR), now societal responsibility, and ethics are at the heart of compliance, and this is an asset when it comes to attracting and retaining talent. Conversely, such talent is less inclined to join, and has even less incentive to stay with, a company with a "scandalous" reputation. In the prestigious Harvard Business Review, Wade Burgess even pointed out that a poor reputation or brand image becomes an additional recruitment cost, estimated at 10 %.
Gaining new market share. - When invitations to tender are issued, the selection process is increasingly geared towards companies with ethics, integrity, a clean record and a good reputation. It will be more difficult for companies that lack strong ethical values, and the ability to prove them, to grow. Companies without effective programmes, ethical charters or codes of conduct will be left by the wayside.
Similarly, companies' relationships with third parties are being assessed and called into question. Ensuring that partners are reliable, compliant and ethical is a 'must' for all groups, and not just for large ones. A company's partners play a key role in building its reputation.
D. - Protecting the company and ensuring that teams achieve the objectives set through compliance
The equation seems simple: all you have to do is identify the risks, analyse them, assess them and implement measures to reduce them. But in today's complex business world, that is not enough. Companies must have good governance throughout their ecosystem, incorporating a risk-based approach.
The legal, compliance, risk and governance functions protect the company's strategy. They must therefore be involved in all the company's activities, so that they contribute effectively to the proper deployment of the strategy and to long-term thinking and decision-making. These functions work to reduce the likelihood of accidents and make operations safer. They quantify risk-taking, ensure business continuity and preserve the company's image and reputation. Increasingly, they help the company avoid having to trade ethics against economics.
A risk governance system established by the organisation. - To respond appropriately to the various risks, the management of an organisation needs to know precisely its level of exposure to each risk and threat, translated into financial terms. These exposures are discussed and agreed within each function and are the starting point for defining risk reduction action plans. This risk governance model is an innovative approach.
E. - The role of the Board of Directors and top management in risk governance
In Europe, some boards of directors have not yet grasped the importance of compliance for the long-term survival of their company. Yet article L. 225-35 of the French Commercial Code is quite clear: "The Board [of Directors] determines the strategic direction of the company's activities and oversees its implementation. (...) it deals with all matters relating to the smooth running of the company (...)". In other words, the legislator requires the Board of Directors to immerse itself in compliance and ethics issues.
This approach must not be merely cosmetic. The will and ambition to follow values and embody them, whatever the situations and temptations, must be real, and they carry with them an obligation for the highest authorities to be exemplary in all places and in all circumstances.
4. The central element of compliance: the Compliance Officer
As we have already seen, the three key concepts associated with the compliance function are preserving, protecting and contributing to the company's performance.
A. - The position, profile and training of the Compliance Officer
Positioning. - We have found that, although Compliance Officers still often report to the General Counsel, they are becoming increasingly autonomous, reporting to the CEO with the possibility of a dual reporting line to the Chairman of the Audit Committee.
Independence. - They must be genuinely independent to ensure that the scope of their work is as exhaustive as possible, and objective in what they say when they raise an alert. A reporting line to a function other than general management or the Chairman could compromise the freedom of the person raising the alert, who must be able to intervene at the highest level on particularly sensitive subjects that may prove to be strategic.
By standing apart from the other powers in the company, they must be impartial in their judgements, uninfluenced by internal or external pressure or by their own interests.
Feedback
We believe, and we see it with our clients, that compliance is a matter of corporate governance and an essential vector in the implementation of strategy. If compliance is to report directly to senior management, it must be impartial, independent, effective, legitimate and credible.
Training. - According to a study by the Cercle Montesquieu, 71 % of Compliance Officers have a legal background, 26 % a business school background and 12 % an engineering background. In terms of professional experience, 57 % are lawyers, 19 % come from finance, audit and risk functions, 5 % are engineers and 4 % come from sales. This diversity can be explained by the fact that this is a new profession; moreover, several university courses are being set up to provide additional training.
We believe that having a diversity of profiles within our teams is an important point: it ensures that our different perspectives are complementary, that our analyses are rich and solid, and that we are able to address different exposure profiles, situations, risks and cultures.
The need for a sharp profile. - Given the evolution of their role and responsibilities, business transformations and technological impacts, Compliance Officers need to understand an increasingly broad range of subjects, which vary from group to group depending on geographical and geopolitical exposure, sector of activity, culture, the group's history, etc. These subjects cover technology as well as market risks, national and international regulations, audit, strategy, and so on.
By its very nature, compliance is cross-functional. It permeates the matrix organisation according to the most significant risks, be they financial, anti-trust, anti-corruption, money laundering, conflicts of interest, conflict minerals, cyber security and information security, personal data, environmental, fraud, trade compliance and export control, third-party, CSR, discrimination, human rights or any other type of risk.
The profile of Compliance Officers needs to be increasingly robust in order to grasp these risks: according to the 2017 Cost of Compliance report, 48 % of companies expect an increase in the personal liability of Compliance Officers in the next 12 months.
B. - The human qualities of the Compliance Officer
Leadership. - Compliance Officers must have a strong ability to motivate their teams and colleagues towards a specific objective and know how to define the means to achieve it. They need to win support at all levels of the company in order to change practices. As a figure of authority within the company, they must be able to convince others, since they are the guarantor of the company's general awareness of the benefits of compliance.
Rigour. - A keen sense of organisation helps to keep risk to a minimum, since there is no such thing as zero risk in a company, while identifying potential risks upstream.
Charisma. - They are a unifying force, with natural authority and a certain ascendancy over the people they deal with. They must have a strong voice and know how to make their ideas heard.
Integrity. - They must be exemplary in terms of the values the company embodies and which they convey.
Communicative and educational. - A good communicator and an excellent teacher, they adapt to the culture and language, technical or otherwise, of each individual to help them understand the ins and outs of a problem, or the processes to be respected or put in place.
Human and firm. - They must be able to establish a climate of trust and legitimacy, so that their decisions are legitimate and their authority is accepted. They must also know how to sanction without appearing to censor the business.
An antenna, even a business enabler. - They have a much broader view, which enables them to get to know the business and the people so that they can anticipate constraints and assess the level of risk. They help the CEO to sense what is happening inside the company and in its environment.
A watchman. - Faced with pressure, competition and the need to always be better, the desire to succeed by any means necessary can tempt some to cross the line and break the rules. Trust in the individual, in their capacity for analysis, discernment and objective judgement, encourages not only employees but also any other stakeholder in the company to consult them on a sensitive subject or issue.
C. - The Compliance Officer's main task: to ensure that the company's compliance culture is respected
The rules to be respected include national and international regulations, as well as professional and extra-professional standards. They also include the rules of ethics and good conduct defined by the company and its environment.
A 'good' Compliance Officer must be able to analyse these rules and standards from the perspective of the company, its business, its culture and its global economic, geopolitical and extra-financial environment.
Their challenge? - Raising awareness and ensuring that all employees respect the company's legal standards, values and ethics, especially as the law and certain values may seem abstract to some.
Ethics are everywhere. So are standards and rules. Spreading ethics and standards throughout the company is a real challenge. The Compliance Officer must work to harmonise common values, the aim being a system of shared values understood by all employees, in all countries and in all cultures, so that they can make them their own. They will then be able to embody them more or less naturally, but consciously, in their day-to-day duties in the service of the business, and therefore of the company's performance.
A matrix mission. - It is vertical, irrigating all levels of the Group. It is also cross-functional, working in collaboration and synergy with the other functional and operational departments.
The Compliance Officer ensures that compliance priorities are clearly communicated and understood by countries, regions and sites, and that they are assimilated and embodied by the employees concerned.
They oversee awareness-raising and training, in meetings and/or via e-learning, relating to compliance initiatives and company policy.
They must also be constantly on the lookout for potential areas of vulnerability or risk, and work in liaison with the managers and operational staff concerned to develop action plans to reduce or eliminate those risks.
The Compliance Officer must ensure that compliance issues and concerns are dealt with, assessed, investigated and resolved appropriately and, where necessary, check that corrective action has been taken.
They ensure that effective systems are in place to monitor and measure the effectiveness of ethics and compliance programmes, in order to identify their successes and future areas for improvement.
Raising awareness. - They must set up a "compliance chain". The Compliance Officer must ensure that everyone in the company feels concerned by the challenges of compliance and is committed to implementing it at all levels. They must win the support of management, staff and all the company's partners. Once they have succeeded in this mission, compliance will have become a state of mind, a philosophy, permeating all levels of the company and its partners.
Advice. - Working closely with the Legal Department and the Executive Committee (ComEx), the Compliance Officer plays a decisive role in the alert and decision-making process when faced with specific situations (mergers/acquisitions, invitations to tender, procurement, etc.). Involved at an early stage, they help to protect the company by promoting the safest strategies.
Reporting. - They provide essential feedback from their analyses in order to disseminate best practice within the company.
D. - The tasks carried out by the Compliance Officer via an effective programme
The way in which compliance is organised differs greatly from one group to another, from one business sector to another, and from one company to another, depending on its level of maturity. Consequently, we need to go back to the DNA of the company in order to deploy a compliance programme that is tailored to it. Specific to each company and adapted to the issues it faces, the programme is built around the company's challenges, markets, culture and functional, operational, image and reputational risks.
The Compliance Officer will have to prepare the company for the consequences of their recommendations on the way it operates. But the company must also be aware of the benefits of this development: identifying, understanding, assessing and reducing the risks associated with non-compliance, and gaining a competitive edge that sets it apart in the marketplace vis-à-vis all its stakeholders.
The compliance programme begins with the recruitment of the Compliance Officer and the establishment of their team. It continues with the roll-out of the programme, training, the conduct of internal investigations, and the monitoring and reporting of actions, not forgetting the contribution to changing the risk culture within the Group.
Although this function is still not highly valued, we believe that successfully transforming an organisation by integrating it is a guarantee of success.
E. - The compliance/ethics culture: a collaborative effort between the Compliance Officer and other functions
As we said earlier, it is important to put in place a solid, comprehensive programme. The aim is to "be good", not to "look good"! In this sense, the compliance programme must be real and well thought out. There is a genuine credibility issue at stake here, and the risk of an extremely strong backlash if it is not met.
Don't take responsibility away from staff. - On the contrary, the aim is to make everyone at every level of the hierarchy accountable for their role. The risk is that managers initially comply with the rules, then gradually come to assume that the rules are necessarily being applied. That is when their free will disappears: they are no longer in a position to notice what common sense would otherwise tell them, namely that a rule is not being respected.
They must therefore understand that the rules put in place are not an add-on to the business. They are the rules of the business itself, which they must consciously apply in all circumstances.
The importance of collaboration between departments. - Various functional departments (finance, audit, legal, risk, HR, information security, etc.) and operational departments will be affected, and will therefore need to interact with the Compliance Officer.
Ideally, the operational units fully integrate the compliance function, so that it is no longer isolated in a silo labelled "support function". Everyone will have embraced this culture and understood that ethics and compliance are genuine tools for competitiveness, creating value and fostering the company's development and long-term survival. The Compliance Officer will then be able to feel that they have truly transformed the company's culture.