
Risk Angles

Five questions on enterprise compliance

An interview with Donna Epps, partner, Deloitte Financial Advisory Services LLP and a closer look by Nicole Sandford, partner, Deloitte & Touche LLP.

If you’ve noticed that the issue of compliance risk is taking more of your organization’s time and resources lately, you’re not alone. As globalization continues apace, the regulatory environment is tightening and becoming more complex around the world. As a result, leaders that have been able to “make do” with a fragmented approach to compliance are rethinking their compliance strategies as they weigh the possibility of a heightened exposure to compliance risk.

“Enterprise compliance” — a coordinated approach to compliance spanning multiple businesses, organizational units, and geographies — is moving to the top of the compliance agenda for many executives. For a term that was scarcely heard of only a few years ago, this growing interest in enterprise compliance may come as a surprise. It doesn’t help that there has yet to be a clear, shared understanding of how enterprise compliance actually works.

In this issue of Risk Angles, Donna Epps offers some thoughts on questions executives ask her most frequently about enterprise compliance. Then, Nicole Sandford takes a closer look at the pros and cons of a centralized versus decentralized enterprise compliance program.

Question Donna’s take

We’re already investing plenty on compliance issues. How is enterprise compliance any different?

The leaders I talk to every day already know they’re directing considerable resources to compliance issues. But when you take a closer look at how they’re investing in this area, what seems like a strategy from a distance actually appears to be muddled with overlapping goals and investments. Not only is this inefficient from a cost standpoint, but it may result in a critical lack of transparency and an inability to move quickly. That’s exactly where enterprise compliance can help.

Enterprise compliance may work well in a business with a fairly limited scope. But how could it actually work in a large, global organization engaged in a wide variety of very different businesses?

Granted, you have to know your limits when implementing an enterprise compliance strategy for a large, complex global organization. At the same time, that’s exactly the environment in which an enterprise-level approach could potentially have the biggest impact. You don’t need all your businesses to follow the same approach. But you do need them to be operating with the same framework, goals and values. Set the parameters and allow for some flexibility along the way.

Who has primary responsibility for leading an enterprise compliance approach?

It’s easy to say “everybody,” and it is definitely true that everyone has some responsibility in an enterprise compliance approach. That said, some people have more responsibility than others. In our view, it’s the board and C-Suite that lead the charge.

Doesn’t it make more sense to focus on compliance culture, rather than enterprise compliance?

Compliance culture should be the goal. Enterprise compliance and enterprise culture aren’t mutually exclusive. In fact, it’s our view that enterprise compliance offers the most direct, effective path to cultivating a compliance culture. Those who can master the compliance aspect of their business strategy and give their people ample incentive to do the right thing may be better positioned to break away from the pack.


Why would we take on the challenge of enterprise compliance if we haven’t encountered any big compliance problems to date?

When’s the last time you read a newspaper or magazine article investigating the fallout after a major compliance failure? If you’ve read one of these accounts recently, you’ll recognize a pattern: Nobody seems to have seen it coming. The truth is that we’re all operating in a more constrained regulatory environment, and we should expect that it’s going to create some unexpected headaches for some companies that may have encountered little or no compliance-related challenges. Plus, the penalties and impact on brand can be significant. Compliance just isn’t an issue where you can take a wait-and-see approach.

A closer look: Is enterprise compliance always centralized?

Nicole Sandford

For many, “enterprise compliance” is synonymous with “centralized compliance.” But in reality, that’s not the case at all. An enterprise compliance program can take the form of either a centralized or a decentralized function. The right approach depends on the organization, its goals, and the market context. It goes without saying that there are risks and benefits to both approaches. If you’re weighing which option is right for your organization, here are some important considerations.

One risk to a centralized approach to enterprise compliance is cultural. Once you carve out a dedicated, centralized function focused on compliance, people may begin to view compliance risk as someone else’s problem — namely, the compliance function’s. Compliance can essentially become a back-office function.

Line employees may begin to view those in the compliance function as adversaries — enforcers that must be tolerated — rather than business partners that can accelerate success. This is not an insurmountable challenge, but those leading a centralized compliance function should acknowledge this risk and plan to address it through consistent and ongoing communication. It is critical that centralized compliance personnel get “out in the field” to build and deepen relationships within the business units.

Meanwhile, a decentralized approach can make it difficult for executive and board leadership to look across the organization and understand how compliance risks are evolving. Just as important, it can result in the inconsistent application of compliance policies — different regions or business units are more likely to take their own approach. That’s one reason why even a decentralized strategy should include a unifying thread — a technology, or a person, or even a limited set of processes designed to confirm that risks are accounted for and being addressed. This “hybrid” approach — where certain compliance activities are pushed out to the business units but are connected through a centralized “nervous system” — can be an effective way to foster an enterprise compliance approach.

In the end, enterprise compliance is about taking a centralized view of compliance — regardless of whether processes or functional units are executed centrally.

Even in a decentralized environment, there needs to be a way for leaders to look across their compliance infrastructure to understand, monitor and address developments. The winning model for enterprise compliance is the one that can deliver that view in a consistent and efficient way.

For more information, please contact:

Donna Epps
Partner
Deloitte Financial Advisory Services LLP
+1 214 840 7363
depps@deloitte.com

Nicole Sandford
Partner
Deloitte & Touche LLP
+1 203 708 4845
nsandford@deloitte.com

Henry Ristuccia
Global Leader, Governance, Risk and Compliance
Deloitte & Touche LLP
+1 212 436 4244
hristuccia@deloitte.com

This document contains general information only and Deloitte is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. In addition, this document contains the results of a survey conducted in part by Deloitte. The information obtained during the survey was taken “as is” and was not validated or confirmed by Deloitte. Deloitte shall not be responsible for any loss sustained by any person who relies on this document.

Copyright © 2013 Deloitte Development LLC. All rights reserved.

Member of Deloitte Touche Tohmatsu Limited
