Best Practice and Delivering Value – The Future for Compliance
Optimal structure and reporting lines
One of the questions most often asked of the authors of this paper is:
“Is Compliance an essential ingredient of management or another oversight control?”
We have seen Compliance Departments operate in both capacities – mostly at the oversight control end of the spectrum. However, the most effective Compliance Departments that we have observed act in both capacities simultaneously, and do so in a dynamic fashion, recognising the changing demands of the business and the regulatory environment. This dual role is required both to effect the change that is so necessary and to act as the required counterbalance, ensuring that the change is effective from a Compliance monitoring perspective.
Such “best practice” Compliance Departments usually have another interesting characteristic: they have not only addressed with clarity their own internal organisation, structure and reporting lines, together with those between the business and Compliance, but have also clearly understood and established the basis of working between themselves, internal audit and risk – which are two of the primary oversight controls – together with senior management, within a modern 21st century financial services organisation.
In many organisations’ Compliance Departments this is so often the missing ingredient: internal audit, Compliance and risk operate in isolation – perhaps at best displaying a “joins where it touches” approach – and by so doing fail to truly grasp not only their own role within the organisation but also the contribution that they can bring to other areas of the business.
Elsewhere, reporting lines need to be clear and appropriate to the business needs. Local Compliance Directors will normally report directly to the CEO of that business unit, whilst reporting indirectly to either or both the local Risk Director and the Group Compliance Director. This multifaceted reporting will usually be replicated in turn in the direct reporting line of the Local Compliance Director. Rarely have we seen effective Compliance Departments where reporting has been in one but not both directions.
Whatever the structure and reporting lines, communication should be two-way, and in addition to providing management and the regulators with the information and assurances they need, Compliance should always be willing to solicit views and respond to the changing agenda.