By: Ernesto Gómez Gallardo A.
When proposing, establishing, or implementing a Compliance program, many questions arise, such as: which area should the Compliance unit be in within the organization?; who should head the division or program?; or what kind of resources should be allocated to it? All of these are valid questions and should be answered, but first I would like to raise some more general than practical ideas to keep in mind before answering those questions.
The first has to do with independence. A basic part of a Compliance program or department lies in questioning, evaluating, and challenging the ways to conduct the organization’s business or activity. Likewise, to propose measures that can mitigate unnecessary risks that may not be evident when someone is proposing profit as the sole objective. To resolve these conflicts, segregation of functions exists.
In very simple terms, the person who performs an action should not be the one who reviews it.
For example, the sales area aims to sell – it is worth the redundancy, and the finance area must take care of the revenue and expenses, but its motivation is not the sales but the efficiency of managing the organization’s resources. Similarly, Compliance must focus on doing its job of enforcing internal and external regulations, always keeping in mind that the organization meets its objectives, but never sacrificing its individual purpose. The business should not intervene in the realization of the functions of the support areas.
In many organizations, the Compliance area has evolved as to where to report to maintain this autonomy. A long time ago when the idea of Compliance began, some organizations placed it reporting towards finance, as part of a financial comptrollership. As its functions have become more regulatory and legal oriented, organizations have placed Compliance reporting within the legal department. More recently, and because of the importance given to the topic of risk mitigation (not just financial), integrity in companies and society, Compliance areas or programmes have gained the required independence by reporting directly to the general management or in some cases even to the Board of Directors.
The second idea I wanted to touch on is the empowerment of the Compliance program, be there or not a department as such. This initially depends on a decision – of the highest levels in the organization – that becomes very important and transcendent when choosing to implement a Compliance program: Do I really want to have a Compliance program in my organization, or do I want to meet the trend of including these issues only in appearance?
Currently, it is very well seen for an organization to have a Compliance program and to say that integrity issues are considered in the organizational culture. But that is not enough to get results. The message that the purpose of a Compliance program has value in the organization must come from the top, and that weight must be felt.
I believe that 5 elements* should be considered to provide sufficient empowerment to the program:
- High degree of authority in the hierarchical chart. So that someone cannot dismiss a certain recommendation because it comes from someone who “isn’t sitting at the decision table.”
- Level of “seniority” of those who have the responsibility. If an intern is not intended to handle the organization’s checkbook, why would someone with that experience should manage risk mitigation around compliance of regulations.
- Specific budget for the program. If there is no specific budget, there is no independence and if there are no resources you cannot take necessary actions or hire who is needed.
- Visibility and access to the entire organization. If Compliance is applicable only to a specific part of the organization, the way to not comply with the rules will be to perform these actions where the program does not apply, and thus have “circumvented” the controls.
- “Expertise” on the core subjects of the organization. If the compliance program staff do not know in depth what the organization does, or if you do not train its people in this regard, its usefulness will always be limited.
*Obviously these 5 elements should be evaluated and determined according to the size and complexity of the organization.
Without enough INDEPENDENCE and without EMPOWERMENT, the Compliance program can hardly be successful. We will be happy at Miranda Compliance, to help you implement the program your organization requires, or evaluate the one you have to confirm that it’s on the right track.
C O N T A C T
Miranda – Compliance
Karla Valdés Posada
Ernesto Gómez Gallardo