CEB Blogs


Corporate Compliance Programs Must Move to be Native

The need for quicker operations and the demand for greater rigor from corporate regulators means compliance departments must do more to integrate their processes into business operations

It’s only across the past decade or so that most major companies really began to invest substantial sums into their corporate compliance and ethics programs and, possibly for that reason, these programs are often separated from normal business processes or workflows.

This divide can slow down any company. For instance, compliance requirements can delay the onboarding of third-party vendors by about 17 business days, which is guaranteed to perturb internal stakeholders (see chart 1).

This stand-alone approach, which CEB calls “bolt-on” compliance support in its research, is no longer sufficient. First, it creates extra work for employees. Second, it can cause confusion and redundancy because it is often uncoordinated with other assurance activities across the firm.

The expectations of regulators are changing as well. “Every piece of your [compliance] program needs to be tied to the actual operations of the company,” said Hui Chen, the compliance counsel at the US Department of Justice (DOJ), during a public roundtable in November 2015 (pdf; page 5).

Combine these factors with the rapidly shifting nature of risk and with the “DOJ Yates memo”, a 2015 policy shift stating that individual officers or employees should be accountable in cases of corporate wrongdoing, and it’s clear why board-level thinking has changed.

Directors want more than the compliance team’s perspective on the threats facing the company. They want compliance integrated into all enterprise risk activity.

Chart 1: How compliance slows things down. Source: CEB 2015 Third-Party Risk Diagnostic.

Note: The 17 business days is the median time to bring a third party from RFP to contract.

Moving From ‘Bolt-On’ to ‘Built-In’

Corporate compliance and ethics teams may well ask how they should build compliance into the operations of their organization. Recent CEB research provides a blueprint for creating a “built-in” program that lowers the burden on the business by connecting workflows to compliance activities (see chart 2).

This blueprint has three elements:

  1. Design of compliance activities: Move from separation to integration by helping employees through their existing processes instead of adding activities.

  2. Coordination with other assurance functions: Ad-hoc information sharing isn’t enough. All assurance functions should systematically collaborate on achieving similar goals.

  3. Assessment: Don’t stop at evaluating whether your program’s activities are carried out. Take a close look at measures such as how employees rate the ease of working with your team and the degree to which activities are integrated into existing work.

Chart 3 provides a high-level view of how “bolt-on” and “built-in” approaches differ across these categories.

Chart 2: What compliance must do to build compliance activities into business operations. Source: CEB analysis.

Chart 3: What distinguishes the ‘built-in’ from the ‘bolt-on’ approach. Source: CEB analysis.
