It’s only across the past decade or so that most major companies really began to invest substantial sums into their corporate compliance and ethics programs and, possibly for that reason, these programs are often separated from normal business processes or workflows.
This divide can slow down any company. For instance, compliance requirements can delay the onboarding of third-party vendors by about 17 business days, which is guaranteed to perturb internal stakeholders (see chart 1).
This stand-alone approach, which CEB calls “bolt-on” compliance support in its research, is no longer sufficient. First, it creates extra work for employees. Second, it can cause confusion and redundancy because it is often uncoordinated with other assurance activities across the firm.
The expectations of regulators are changing as well. “Every piece of your [compliance] program needs to be tied to the actual operations of the company,” said Hui Chen, the compliance counsel at the US Department of Justice (DOJ), during a public roundtable in November 2015 (pdf; page 5).
Combine these factors with the rapidly shifting nature of risk and with the “DOJ Yates memo”, a 2015 policy shift stating that individual officers or employees should be held accountable in cases of corporate wrongdoing, and it is clear why board-level thinking has changed.
Directors want more than the compliance team’s perspective on the threats facing the company. They want compliance integrated into all enterprise risk activity.
Chart 1: How compliance slows things down (Source: CEB 2015 Third-Party Risk Diagnostic). Note: the 17 business days is the median time to bring a third party from RFP to contract.
Moving From ‘Bolt-On’ to ‘Built-In’
Corporate compliance and ethics teams may well ask how they should build compliance into the operations of their organization. Recent CEB research provides a blueprint for creating a “built-in” program that lowers the burden on the business by connecting workflows to compliance activities (see chart 2).
This blueprint has three elements:
Design of compliance activities: Move from separation to integration by helping employees through their existing processes instead of adding activities.
Coordination with other assurance functions: Ad-hoc information sharing isn’t enough. All assurance functions should systematically collaborate on achieving similar goals.
Assessment: Don’t stop at evaluating whether your program’s activities are carried out. Take a close look at measures such as how employees rate the ease of working with your team, and the degree to which activities are integrated into existing work.
Chart 3 provides a high-level view of how “bolt-on” and “built-in” approaches differ across these categories.
Chart 2: What Compliance must do to build compliance activities into business operations (Source: CEB analysis).
Chart 3: What distinguishes the ‘built-in’ from the ‘bolt-on’ approach (Source: CEB analysis).