The Five Fundamentals of Compliance
Becoming a Trusted Business Partner for Your Firm
Compliance officers often have the perception of being the “no” police. And yet, there is so much more to our work than simply telling organizations what they can and can’t do.
This is why it’s crucial to cultivate trust within your organization, so that both parties can maximize the true value of your role.
I had the pleasure of chatting with Jim Downing, the current chair-elect of the NSCP Board of Directors and current Chief Compliance Officer for Morningstar, about his insight into building trust as a compliance officer. Here are two key takeaways:
Establish a Culture of Compliance within your Firm
In order to become a trusted business partner for your firm or organization, you must set the tone for your role within the company. However, your first step shouldn’t be to walk in, establish your authority, and start telling the executive team what they should and shouldn’t be doing.
Your very first action within any organization needs to be seeking to understand the organization. As Jim mentions, you need to “check your ego at the door” and take the time to understand the unique ins and outs of the firm, from how each department functions to the overall mission and vision of the organization.
Jim shared a few of his first steps in establishing a culture of compliance within the firms he works with:
Meet with the executive team and get an idea of how the firm operates. Ask about the firm's goals, mission and vision, and business strategy.
Sit down with each department, from sales to operations. Meet them where they are and take the time to understand what their day-to-day looks like.
Consume content from your firm/organization. Seek to get a pulse on the business and how its strategy is being executed.
Aim to be a problem-solving partner, rather than the “no” police.
By going out of your way to collaborate and understand the different functions of the organization, you’ll build the necessary trust and knowledge to inform your future advice.
Always Use Data to Support Your Counsel
This may seem like common sense, but we’ve all found ourselves in a situation where someone asks for our opinion or advice and our gut response is to “shoot from the hip”. When we establish a clear system of gathering data across the organization, we can ensure that every recommendation we make is built on thoughtful analysis.
Here are Five Fundamentals of Compliance that Jim shared in our discussion:
(1) Start with a Risk Assessment
A risk assessment sets the table so that your compliance team and organization are speaking the same language.
Through this assessment, your primary goal is to understand the regulatory requirements of the organization, and identify any controls and risks that are out there.
This can be accomplished by asking the following:
What are the firm’s inherent risks?
What controls are in place?
What is the residual risk?
(2) Conduct Policies and Procedures Training
Focusing your compliance training on policies and procedures can have a major impact on your firm.
Using information from your risk assessment, you can start to identify who is doing what, what the controls are, and what actions employees need to take.
This process is a great opportunity to collaborate with the organization on next steps.
(3) Monitor and Test Controls
It can often feel overwhelming when you look at ALL of the monitoring and testing that you could do within an organization, and the problem is that your time and resources are limited.
This is why it can be extremely helpful to use a risk-based framework to inform how you spend your time. After identifying the higher-risk areas within the firm, you can allocate your time accordingly. For example, Jim shared that he typically focuses about 75% of his time on high-risk areas, 10-15% on medium-risk areas, and 5-10% on low-risk areas.
From here, it’s important to put together guidelines on how to monitor controls. This ensures that your results are “normalized” and that you get an accurate assessment of how your controls are working.
(4) Identify Issues and Conduct Examinations
In addition to helping our colleagues set up and facilitate examinations, we also want to report on any issues that showed up through monitoring and testing. Provide advice and solutions for how the firm can overcome these issues, and prioritize following up to see how these changes are being implemented.
(5) Create a Report
Finally, gather metrics from the previous four fundamentals. This data can give the organization a clear picture of what has improved and what still needs to be addressed.
This data will ultimately inform a new risk assessment, where you will repeat each of the five fundamentals. See an example of what this cycle looks like here.
Any advice you provide your organization should be drawn from information you obtain through implementing these five fundamentals.
By establishing a culture of compliance within your firm and utilizing the right data, you’ll become a trusted business partner and resource as you look to inform on future decisions.