OpenPages: The High Cost of Non-Compliance: Reaping the Rewards of an Effective Compliance Program


8/10/2019 OpenPages: The High Cost of Non-Compliance: Reaping the Rewards of an Effective Compliance Program

IBM Software, Business Analytics, Financial Services

The high cost of non-compliance: Reaping the rewards of an effective compliance program

Executive summary

Companies are finding legal and regulatory compliance costs soaring while effectiveness declines, giving rise to huge fines, penalties, awards and settlements, often in the billions of dollars. Policies and procedures build with each new law and regulation but are disparate, duplicative, and fail to comprise an effective compliance program.

Some companies not only have made their programs effective and efficient, but also gained tremendous business benefit. Understanding the rationale for ever-expanding legal and regulatory requirements, they recognize the underlying marketplace drivers and align strategic initiatives to gain market share, profit and return.

By aligning business objectives and building compliance programs into existing management and business processes, responsibility and accountability are put where they work best, increasing effectiveness, reducing cost, and providing senior management and the board with the information they need.

What's the state of your company's compliance program? Is it truly effective, and are you satisfied with its costs and benefits? Have senior executives in your organization said things like:

"We're fine, because we've never had a major compliance problem."

"The kinds of problems our peers suffered couldn't happen here; we're better and smarter than that."

"We already have a code of conduct, whistle-blower channel, and other elements of what's required for compliance."

"Our general counsel has responsibility for ensuring we're fully compliant with all laws and regulations, so we're covered."

If you're an experienced compliance professional reading this, you're probably cringing at these positive expressions of satisfaction. But whatever your corporate responsibilities, if you're concerned about the cost and effectiveness of your company's compliance program, please read on.

Contents:

1 Executive summary
2 The back-breaking costs
2 Beyond the direct costs
3 How we got here
3 Keys to getting it right
6 Making it happen
7 The rewards
7 About the author
7 About IBM Business Analytics


The back-breaking costs

Leaving program effectiveness for a bit later, let's take a look at the tremendous costs of dealing with compliance, which can be viewed similarly to those automobile motor oil ads of long ago: "you can pay me now, or pay me later", a few dollars now, or thousands later, although here the later numbers are much larger.

Cost information varies based on any number of surveys, but they provide at least directional insight. One survey of several years ago shows that for every $1 billion in revenue, the cost of compliance programs comes close to $6 million.[1] Another shows the cost of Sarbanes-Oxley compliance alone averaging $4 million for companies with $5 billion revenue, and $10 million for companies with $10 billion and more in revenue. More telling is that for companies with more than $1 billion revenue, compliance costs equaled 190 full-time-equivalent employees.[2]

And when we consider one of the highly regulated industries, the U.S. securities industry, compliance costs for each firm averaged a whopping 13 percent of revenues.[3] And this is of course before the near financial system meltdown and the legislative and regulatory reaction now under way.

When looking at the cost of a compliance failure, the numbers take on even greater significance. The later study found that $1 billion revenue companies having just one compliance failure incurred $81 million in costs, consisting of settlement fees of $64 million, lost business of $14 million, and fine, remediation and business interruption of $3 million.[4]

Unfortunately, those numbers pale in comparison to compliance failures suffered by many companies, each running in the billions of dollars. Looking at just a handful of those companies, media reports show the following payouts:

American Home Products, diet product: $3.75 billion
Bank of Credit and Commerce, fraud: $17 billion
BAT Industries, tobacco settlement: $73 billion
Cinergy, pollution: $1.4 billion
IBM, age discrimination: $6 billion
Johns Manville, asbestos: $3 billion
Philip Morris, tobacco settlement: $9 billion
Prudential Insurance, sales practices: $4 billion
Texaco, interfering in merger: $3 billion
Time Warner, accounting practices: $3.5 billion
Visa, anti-competitive business practices: $2.25 billion

Loss of market capitalization often is dramatic, with examples including Merck's Vioxx product liability cutting $40 billion in market cap and Marsh's bid rigging causing a reduction of over $10 billion.[5]

So, while the cost of implementing a compliance program may seem high, it's clear that not putting an effective compliance program in place can be significantly more expensive.

The already high and growing cost of complying with laws and regulations to which companies are subject has gotten the attention of senior management and the board of directors. Drawing significant focus is the reality that while costs continue to rise, the effectiveness of compliance programs doesn't necessarily keep up and may in fact deteriorate. So, with costs becoming virtually unsustainable in the context of other business pressures, senior management teams and boards are looking at ways to make compliance programs both more efficient and effective.

Beyond the direct costs

We should make no mistake: compliance is up there with strategy and risk management in boardroom discussions today. As noted, it's not just the significant costs, but program effectiveness that has captured attention, for good reason. Directors are well aware of the myriad laws and regulations to which their companies are subject. As a brief sampling, these include broadly applicable requirements related to product safety, employment, workplace health and safety, employee benefits, pensions, securities laws; those cutting across a number of industries dealing with information privacy, anti-money laundering, and appropriateness of product to customer profile; and industry-specific mandates for government contractors, pharmaceuticals, and health care, tobacco and telecom companies.

Just as eye-catching are enforcement and related regulatory actions for non-compliance. These include ongoing and renewed activity by the Securities and Exchange Commission and Department of Justice, each of which is known to take a carrot-and-stick approach, being more lenient where a compliance program is strong, and tougher in enforcement when it is not. Then there are the Delaware Chancery and Supreme Court cases which underscore board responsibilities for ensuring effective compliance programs. Also having gained critical notice are the federal sentencing guidelines, which deal with criminal misconduct and a company's programs for assessing and reducing the related risks.


Experienced directors know well that a major compliance failure can not only cost billions of dollars in direct costs, but also bring a company to its knees. At a minimum, it steals time and energy of top management, detracting from day-to-day running of the company and new initiatives to grow the business. And damage to a company's reputation, which takes years to develop and can be destroyed overnight, affects relationships with customers, suppliers, alliance partners, bankers, and investors, as well as retention of key human resources and ultimately long-term success.

How we got here

To see the best way forward, it's worth taking a quick look at some of the factors that caused companies to get to the untenable position many are now in.

Companies typically have in place a number of policies and procedures directed at legal and regulatory compliance,[6] including a code of conduct, whistle-blower channel, educational programs, and annual employee sign-offs. In large companies, sometimes depending on the industry, there is a designated chief compliance officer and staff, whereas in others the general counsel or other corporate lawyer serves in the role. But too often these are disparate elements that fail to function effectively as a true compliance program.

Also typical is a build-up over time of layer upon layer of policy and procedure, each dealing with various aspects of legal and regulatory requirements. For each new law or regulation, new internal procedures are designed to deal with specifics of the rule. Unfortunately, often each is free-standing, without considering existing protocols in the organization that may already address the new requirements.

Responsibility for compliance rests with one senior manager. From the perspective of a company's chief executive, it's desirable to be able to look to one individual with the authority and accountability to achieve desired performance. This of course holds for business operations, as well as for such areas as finance, technology, human resources, and so forth. Responsibility for compliance is placed with the company's general counsel or chief compliance officer, where this individual is charged with ensuring the organization adheres to all legal and regulatory requirements to which the company is subject. This approach also is embraced by boards of directors that see benefit in such central assignment of responsibility. While in some respects appealing, reality is that this approach places responsibility for effecting compliance in the wrong place.

Another factor is viewing compliance as a necessary evil, and a costly one at that. Certainly, the thought goes, it's a drain on resources that could otherwise be used to grow the business and enhance profitability. This philosophy, however, can be counter-productive from a business perspective.

Keys to getting it right

Some companies have avoided these pitfalls and succeeded not only in reducing compliance costs, but also enhancing efficiency and gaining real business benefit. Let's look at how they've succeeded in getting this right.

Strategic perspective. Moving from seeing compliance as a costly but necessary evil, forward-looking management teams see the bigger picture, beginning with the realization that new laws and regulations arise from corporate actions that caused damage to consumers, employees, investors or the community. Each legislative or regulatory reaction raises the performance bar in such areas as product safety, human resource discrimination, information privacy and security, the environment, sales practices, and financial reporting. These insightful corporate leaders recognize that despite raising of the bar, the marketplace sees these new standards as a minimum, with consumers looking for those products and services that meet their higher expectations.

Successful managers get it, and their companies reap the benefits in terms of market share, profitability and return. One can look to the auto manufacturer that has long been a leader in gaining better mileage performance, or another that has been a leader in vehicle safety. Companies that recognized the demand for healthier food products, both retail and restaurant based, have gained market share. And an airline instituting a passenger bill of rights continues to achieve high customer satisfaction ratings, gain market share and lead competitors in profitability. Companies with fair and forward-looking HR programs attract and retain the best personnel, and those with reliable and transparent financial reporting are viewed by the investor community as lower risk, resulting in lower cost of capital. These companies recognize that legal and regulatory requirements indicate a demand for better performance, and have met the challenge by exceeding minimum requirements.


Built into business processes. Recognizing the underlying motivations behind legal and regulatory requirements and related marketplace expectations, forward-looking companies align their compliance process with the company's business goals and objectives, and build it into their existing business processes. As such, responsibility for compliance rests not with a compliance officer, but rather with each and every line and staff manager in their spheres of responsibility.

Yes, a chief compliance officer is critical to ensuring a compliance program is well designed and provides the necessary support to the management structure for its implementation. This responsibility includes ensuring what often are disparate elements are crafted into a cohesive compliance program. More on this in a moment.

The take-away point here is that administrative costs soar if compliance is superimposed on top of existing procedures. When built into the management process, compliance is both more effective and efficient. Looking at one simple example, a broker-dealer seeking to comply with requirements for use of current marketing materials for customer proposals added costly monitoring procedures from an independent compliance group. Another, however, placed responsibility with local sales managers who are closest to the action and know well what materials are being used by local sales personnel. Not only is compliance more effective, better ensuring use of current materials and meeting clients' expectations for quality service, it is also more efficient, even when accompanied by ancillary monitoring on a test basis by compliance or internal audit personnel.

A program founded on ethics and integrity. To be truly effective, the compliance program must be grounded in a culture based on integrity and strong ethical values. A company's culture is based first and foremost on the actions (more so than, but including, the words) of top management as well as managers cascading throughout the organization.

Without integrity, a compliance program will have form but not substance, and over time will fail to do what it's designed to do.

Central to an effective compliance program is an ethics policy designed to meet the activities and culture of the company. The policy needs to be sufficiently comprehensive, but also organized and written to be understandable, and readily accessible as needed to deal with day-to-day real-life issues. The same holds for all policies, which need to have a business owner and be kept current and responsive to changing conditions. A recipe for disaster is having policy material that is too long, written in legalese, outdated and hard to locate, such that non-compliance is virtually assured.

With integrity as a hallmark, a compliance program must engage the company's employees. They need to understand the reasons behind the rules, for the benefit of the company, its personnel, customers, and others. Reality is that employees who don't know why they're supposed to do something will go through the motions with a checklist mentality, if at all. So, educational programs should be in place not just upon hiring, but ongoing, coupled with on-the-job reinforcement by unit leaders. With whistle-blower channels in place dealing with any potential wrong-doing, not just what's required by Sarbanes-Oxley, personnel need to know that using those channels is fundamental to a culture of integrity and ethical values, and is in the company's best interest and their own. The channel needs to be truly user-friendly, such that there is no uncertainty in reporting any concern, with an ombudsman or other support personnel ready to answer questions and facilitate communication. And of course, appropriate follow-up action, with no possibility or concern of reprisal, is a key.

A risk-based approach and clarity around responsibilities. Companies sometimes set a zero-tolerance approach to compliance, which indeed makes sense from a mind-set perspective. Ignoring small wrongdoings can send an unintended message that compliance isn't really important. With that said, reality is that some rules carry more significance than others, and resources always have limitations.


Accordingly, risks need to be identified as to where and how non-compliance can occur, and the likelihood of occurrence and impact on the company if it does. And with needs targeted, resources need to be placed where they will do the most good, bringing the risks down to acceptable levels.

As noted, responsibility for compliance is best placed with line and staff managers who run operating business and staff functions. This involves more than simply assigning responsibility. It also distinguishes design, execution and monitoring activities, including interfaces between operating and support units and the compliance and central monitoring functions, and clear handoffs with overlaps avoided. With roles understood and built into HR processes, accountability can be established and performance measured over time.

Technology. For mid-size and large organizations, central to an effective compliance process is sound use of technology. Done well, IT facilitates such matters as ensuring the code of conduct and other relevant policies are readily accessible, supporting the ongoing education process, facilitating employee certifications, and providing a user-friendly means of providing information or addressing concerns regarding potential non-compliance.

Recognizing that the regulatory environment continues to increase in complexity, leading organizations have moved away from manual-based methods for compliance, deploying technology to centralize and manage the full range of compliance activities. As a critical enabler, technology supports established compliance management process and methodology, but does not define them. Among the benefits are:

• Providing real-time data management and decision support to ensure that senior management and the board of directors receive accurate information on causes, financial impact, and mitigating actions to control risk of compliance failures
• Enabling policy lifecycle management to create, approve, maintain, store, monitor, and automate tasks based on company policy requirements
• Delivering policy training and awareness, surveys, and related testing feedback
• Establishing automated workflows to establish employee accountability
• Automating and streamlining processes and information retrieval, including control testing, surveys, certification and regulatory reporting
• Supporting measurement and reporting through a central repository of policies, procedures, risks, and controls

These capabilities are used to fix responsibilities for required actions by managers or monitors, and to track activities and enable inquiry from and to senior personnel. Real-time messaging and reporting capabilities provide the necessary information for use throughout the managerial ranks and the compliance function, with tailored dashboards and drill-down capability to home in on matters of particular interest.

Strong compliance office. As noted, critical to effective compliance is a designated chief compliance officer, who, depending on the company's industry and size, can be a part-time position or full-time with dedicated staff. This individual must ensure all the necessary pieces are in place and brought together to be truly effective.

For instance, managers in the organization must receive information on existing and new laws and regulations relevant to their operational responsibilities. They all have day jobs and can't be expected to know what's required, unless the legal or compliance function provides them with needed information in a form that's easily implemented. Importantly, the compliance officer needs to be sure any new requirements are considered in the context of existing procedures, to avoid adding unnecessary layers. In many instances, existing protocols may already address new rules, or require only minor tweaks to get them where they need to be. Overreaction can be as debilitating as under-reacting, as scarce resources are wasted on unnecessary procedures.

The compliance officer must ensure close coordination between the various activities that drive compliance, including monitoring of program effectiveness with the internal audit function, and interface with legal counsel (if separate from the compliance office) and top management.


The rewards

Change is never easy. For most companies, however, continuing along the same compliance path is not a viable option. Costs are soaring, instances of non-compliance are rising, and the risk of a devastating failure is all too real.

Getting to a truly effective and efficient compliance process is attainable. Some companies have already gotten there, realizing the tremendous associated business benefits in understanding that the marketplace (consumer, work force, investor and societal) sees legal and regulatory requirements as a minimum standard, which when exceeded significantly enhances market share, profitability and return.

When one considers the current costs and lack of effectiveness, together with the upside potential, a decision to get this right becomes evident. Those companies that do get it right position themselves to reap the associated rewards.

About the author

Rick Steinberg is CEO of Steinberg Governance Advisors, Inc. in Westport, Conn., where he advises boards of directors and senior executives of major multinationals as well as large and middle-market companies on board responsibilities, governance best practices, and compliance and risk issues.

Steinberg previously was a senior partner at PricewaterhouseCoopers, where he served as the firm's corporate governance practice leader. He also was a founder of the firm's risk management and control consulting practice, and served as its global leader.

A sought-after speaker, Steinberg has authored numerous highly acclaimed reports, including Corporate Governance and the Board: What Works Best and its companion, Audit Committee Effectiveness: What Works Best. He also served as the lead project partner in developing the COSO Internal Control: Integrated Framework, now recognized as a landmark representing the standard of internal control, and played a similar role in COSO's Enterprise Risk Management: Integrated Framework.

Steinberg is frequently quoted in the financial press and featured on national TV financial news programs, and has guest lectured at leading business schools. He has served as a member of the Conference Board's Global Corporate Governance Research Center Advisory Board, he is a member of the Open Compliance and Ethics Group Executive Advisory Panel, and is a member of corporate advisory boards. He is also co-founder of the Directors College, presented by PricewaterhouseCoopers and the University of Delaware Center for Corporate Governance.

About IBM Business Analytics

IBM Business Analytics software delivers complete, consistent and accurate information that decision-makers trust to improve business performance. A comprehensive portfolio of business intelligence, predictive analytics, financial performance and strategy management, and analytic applications provides clear, immediate and actionable insights into current performance and the ability to predict future outcomes. Combined with rich industry solutions, proven practices and professional services, organizations of every size can drive the highest productivity, confidently automate decisions and deliver better results.


    YTW03140-USEN-01

    Copyright IBM Corporation 2011

IBM Corporation, Route 100, Somers, NY 10589

US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

    Produced in the United States of America May 2011

All Rights Reserved

IBM, the IBM logo, ibm.com, WebSphere, InfoSphere, Clarity, OpenPages and Cognos are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Other company, product or service names may be trademarks or service marks of others.

[1] OCEG 2005 Benchmarking Study
[2] META Group research conducted on behalf of PricewaterhouseCoopers
[3] Securities Industry Association Compliance Report, 2006
[4] META Group research conducted on behalf of PricewaterhouseCoopers
[5] Holland & Knight, 2006
[6] Many companies also consider adherence to internal policies within the scope of compliance.