Compliance Skills Archives - Compliance Chief 360
https://compliancechief360.com/tag/compliance-skills/
The independent knowledge source for Compliance Officers

How to Conduct an Ethics Investigation from Beginning to End
https://compliancechief360.com/how-to-conduct-an-ethics-investigation-from-beginning-to-end/
Wed, 23 Aug 2023 17:25:22 +0000

Ethics investigations can be challenging for just about any organization. If done right, an ethics investigation can help you identify wrongdoing and unethical behavior and put a stop to it before your organization pays the price for not maintaining a conducive and compliant work environment.

A poorly executed ethics investigation, however, can become a full-blown legal case, with the organization risking reputational and financial damages.

Customers and shareholders prefer engaging with a business that’s known to be highly ethical. This means your business has proper systems for reporting, investigating, and implementing recommendations to improve ethics within the company and its workforce.

But how can you conduct a successful ethics investigation to ensure the least possible legal and reputational trouble for your business? Here’s a look into the process.

What Would Warrant an Ethics Investigation?

A workplace ethics investigation is typically conducted when there’s credible information about significant misconduct, wrongdoing, or ethical lapses within the organization. These include office theft or fraud, health and safety violations, misconduct such as harassment and workplace violence, and time theft, such as altering time sheets for greater earnings.

An ethics investigation can also be warranted if there have been allegations against other employees to exclude the possibility of wrongdoing within the company. For instance, employee whistleblowers expose fraud in an organization 43 percent of the time compared to professional internal auditors, who only successfully uncover it 19 percent of the time, according to a study conducted by the National Whistleblower Center.

An ethics investigation aims to protect the company’s and its shareholders’ interests. It detects and prevents violations and misconduct, identifies areas where the business can improve its internal operations, and ensures the company’s activities comply with applicable laws and regulations.

An ethics investigation will unearth whether suspected misconduct did or did not take place, the circumstances leading to the misconduct, the involved parties, and whether the law or company policy was violated. An ethics investigation must be perceived to be independent, thorough, and analytical.

Who Should Be First Informed of an Ethical Issue?

Typically, employees should be able to report potential ethical issues to their manager or supervisor. If this option is impractical or the manager or supervisor can’t resolve the issue, they should be able to speak up to people in higher positions and get the audience they need. This may include making a complaint through the company’s compliance hotline or corporate ethics office, where their reports can be heard and determined impartially and with maximum confidentiality.

Ensuring employees have a clear channel for making complaints and addressing them is crucial to avoiding lawsuits related to ethical issues and compliance and saving your organization expensive legal fees. 89 percent of employees who sue their employers do not receive a satisfactory resolution to their issues internally.

What is the Process of an Ethics Investigation?

An ethics investigation can take various stages depending on the industry or organization and its ethics investigation process. However, most investigations take the following steps.

1. Taking the Initial Complaint
An ethics investigation begins when you’re alerted to unethical behavior by someone within the company. The employee will file the complaint through the necessary channel or people. They will be responsible for documenting as much information as possible about the alleged misconduct.

The information filed from the complaint should include who is being accused of misconduct, what information has been given about their behavior, where the misconduct allegedly happened, how it happened, and when it occurred.

This information should be forwarded to your HR team and the department most affected by the ethical incident.

2. Ensure Confidentiality
Every aspect of an ethics investigation must be kept confidential. Maintaining confidentiality is crucial to the investigation’s integrity. If the investigation is not kept confidential, you risk consequences such as:

  • Undermining the success of the investigation since others know of it
  • Reputational damage to the accused if others learn about the allegations
  • A compromised ability of the company to defend against any legal action associated with the investigation
  • Liability and negative publicity for the company
  • Retaliatory action from the accused
  • Attempts to cover up the misconduct by the accused

Confidentiality begins immediately after the complaint is received. No other party should know that an investigation is underway, who its subject is, what evidence and materials have been gathered, what processes were followed, or what the investigation’s results are until the final report is ready.

3. Give Interim Protection
Protecting the accuser or alleged victim should be one of the top considerations immediately after receiving the complaint. Separating the accused from the alleged victim may be necessary to avoid continued harassment or retaliation.

Some protective measures include providing a leave of absence, transfer, or schedule change. However, the complainant must be willing to take these measures. Otherwise, they can view your actions as retaliatory and file a retaliation suit.

4. Select an Investigator
A competent investigator must handle an ethics investigation. Typically, the investigator should possess the following traits:

  • The ability to investigate objectively and without bias
  • No stake in the outcome, no personal relationship with the parties involved, and no position in the organization that would be affected by the outcome
  • Previous investigative knowledge and working knowledge of labor and employment laws
  • Strong interpersonal skills to build a positive rapport with the involved parties and appear neutral and fair
  • The right temperament to conduct interviews
  • Attention to detail

5. Conduct Investigations
Once you’ve selected the investigator, you should start the investigations immediately, working quickly to identify and stop the unethical behavior before it spirals into bigger organizational issues.

While conducting investigations, the investigator should be thorough in finding the truth and reassuring employees that their submissions are confidential and non-retaliatory. This will ensure they’re more honest, contributing positively to the process.

6. Provide Guidance and Recommendations and Document the Report
Once you’ve completed the investigations, the investigator should present all gathered information and provide a recommendation for the company moving forward. This may involve recommending disciplinary action against the accused employee and effecting policy changes to ensure such incidents don’t reoccur.

After completing this process, you should write a detailed and comprehensive investigation report to provide a reference for future investigations and clear evidence that the investigation was conducted according to procedure.

Having a written investigation report will also help your legal team mount a defense if the accused employee disputes the disciplinary action in court.

7. Talk to a Compliance Expert
An ethics investigation is a crucial process that your organization must handle properly. An effective ethics investigation process will help your organization remain compliant and avoid damaging lawsuits that can hurt its reputation and finances.

We can hope that we will never have to conduct an ethics investigation, but at most organizations of any size, the time will likely come at some point where we must. Following these steps should ensure a sound and productive ethics investigation. Done right, a proper investigation can get to the bottom of wrongdoing, put an end to the bad behavior, and hold those responsible to account.


Jocelyn King is the co-founder and CEO of VirgilHR, a Software as a Service (SaaS) solution that empowers HR professionals to make smart, compliant employment decisions in real time.

Compliance Metrics that Matter
https://compliancechief360.com/compliance-metrics-that-matter/
Wed, 28 Jun 2023 18:13:02 +0000

Data is one of the most important driving forces of a great compliance program. Compliance leaders often rely on data-driven metrics to find and correct any flaws within their organization’s compliance processes.

With so many possibilities, though, what metrics should you include in your compliance report? Which ones offer the most insight to you and to management? Which metrics will best help the company manage risks?

The goal of compliance is for the organization to adhere to the rules and regulations within its industry and avoid expensive fines and enforcement actions that can also damage the company’s reputation. A compliance program must follow a multitude of processes and procedures to keep the organization fully compliant. Compliance metrics are indicators that help determine the effectiveness of these processes and procedures.

Packed heavily with data, these compliance metrics provide detailed information on your compliance program’s effectiveness and efficiency. This data can then be used to extract insights that can help fix any flaws within your existing processes.

From identifying the root causes behind violations and misconduct within the workplace to tracking your team’s response time to an issue, here are the compliance metrics to consider when reporting to the management.

Total Violations

Every industry is governed by specific laws and regulations that are meant to protect customers and employees. Failing to comply with these laws and regulations can prove catastrophic for an organization.

By keeping track of this compliance metric, you ensure the management is fully aware of any instances of noncompliance with these regulations. It also helps them understand the severity of the repercussions that may follow. Finally, by helping the organization abide by compliance laws, this metric helps fix the organization’s standing within the industry.

Complaints About Misconduct

An organization can become vulnerable to serious reputational and financial damages if misconduct of any kind goes unnoticed. For this reason, it’s important to keep track of complaints of misconduct alongside understanding their nature. When measuring complaints, focus on the type of allegation. This could include fraud, harassment, discrimination, illegal activities, and so on. To gather the right data, answer questions such as:

  • How many complaints did your team receive?
  • How did you receive the complaint? Was it through direct contact with the supervisor or through an anonymous hotline?
  • What were your employees alleging?

Cost Per Incident

Your compliance budget incurs an expense for each incident your organization deals with. The cost per incident metric can help understand why certain incidents may cost more than others to resolve. As a result, you can determine solutions that would be more efficient.

For instance, if you’re spending large sums on due diligence, you might want to consider investing in automation. Or, if you’re spending a fortune on investigating workplace harassment issues, you might want to invest in quality training to prevent those issues from occurring in the first place.

Key Risk Indicators (KRIs)

Risks are a part of running just about any business. Successful organizations are often armed with the capacity to determine which risks are “worth it” and how they can shield their business should something go wrong. Your final compliance report must inform the management of any KRIs or key risk indicators that could affect their decision-making.

For instance, if your organization operates in the banking sector, it might include clients with high-risk accounts. These accounts would then be considered a major KRI. If the management is informed by financial compliance software of the risks associated with these accounts, they will most likely lower the number of similar accounts that can be opened per quarter. This, in turn, can prevent the organization from taking a risk it might not be prepared for.

Mean Time to Issue Discovery (MTTD)

As with everything in the world, time is of the essence in business. For instance, the speed of your response often determines whether a compliance issue can be fixed without any losses and before it transforms into a full-blown corporate scandal. The mean time to issue discovery metric unveils how quickly your team can detect a compliance hiccup. It also helps you understand if you have efficient monitoring capabilities in place to spot issues. Determining MTTD includes:

  • Finding out when the incident first started
  • Finding when the team discovered it

Mean Time to Issue Resolution (MTTR)

The mean time to issue resolution (MTTR) metric reveals how swiftly your team resolves an issue they discover. But what makes this metric so important?

Simply put, MTTR indicates cracks such as a lack of technology, resource shortages, or a lack of automation that may be crippling your compliance program. Determining MTTR involves:

  • Adding the total time for all incidents to be resolved
  • Dividing this figure by the total number of incidents

Remember to track this metric for each type of incident instead of merging all incidents into a single MTTR metric.

Compliance Investigations and Audits

Any significant audits, investigations, and QA findings performed to measure your compliance process’s efficiency must be recorded and reported. Moreover, any valuable elements such as specific findings and follow-ups must also enter the record.

Once this data is placed in a single place, your compliance team and management can establish better risk management processes. Most regulators also expect companies to maintain and produce these records when necessary.

You Can’t Manage what You Don’t Measure

Carefully measured compliance metrics not only reveal where your compliance program stands but also allow your compliance team and management to strengthen your processes.

Determining and analyzing these metrics, however, is not a one-and-done process. The management can have a clearer picture of an organization’s compliance landscape only when they’re presented with detailed and insightful metrics compared over time.

To handle evolving compliance risks, stay up to date with compliance regulations, and consistently strengthen your compliance culture, it is critical to focus on these metrics periodically.


Giovanni Gallo is the Co-CEO of Ethico, where his team strives to make the world a better workplace with ethics hotline services, sanction and license monitoring, and workforce eLearning software and services.

Compliance Officer Pay Jumped Significantly Last Year
https://compliancechief360.com/compliance-officer-pay-jumped-significantly-last-year/
Wed, 31 May 2023 19:58:21 +0000

A new report shows that chief compliance officers and other compliance professionals got a nice bump in pay in 2022, as demand for compliance talent hit record highs. According to the report, by executive search firm BarkerGilmore, chief compliance officers received an average raise in base pay of 12 percent and the average annual base salary increase for all compliance positions across industries was 10 percent.

“The demand for compliance professionals, especially Chief Compliance Officers, is as strong as it has ever been,” says BarkerGilmore Managing Partner John Gilmore. “The need for business-minded leaders, an environment of increasing regulations, and the heightened awareness of the risks associated with lack of compliance have created a competitive landscape for compliance professionals.”

According to the report, the average total compensation for all CCOs was $346,000, with males earning slightly more than females by just $2,000. Interestingly, female CCOs earn slightly more on average in base pay—$250,000 compared to $245,000 for men—while males earn higher bonuses—$86,000 for men versus $70,000 for women.

Compliance Talent In High Demand

“As the government increases regulations and expectations, companies have responded by scaling up their compliance teams,” the report’s authors write. “During a year when their in-house counsel counterparts saw an overall compensation decrease of 3 percent, overall compliance compensation increased 8 percent. The demand for talent has allowed the most talented and experienced compliance professionals to seek competitive compensation packages.”

The average pay for all compliance officers was $258,000, with women out-earning men by an average of $6,000. Not surprisingly, public-company compliance officers far out-earned their private-company counterparts, with the average public-company compliance professional taking home $347,000 in annual total compensation, compared to $242,000 for private company compliance officers.

Energy Sector CCOs Fare Best

Compliance professionals at publicly traded energy and public utility companies earned the most, with CCOs in those industries earning an average total compensation of $638,000 and other compliance officers earning an average of $572,000. Those in the financial services sector had the lowest total compensation packages. CCOs at public financial firms earned an average total compensation of $387,000 and other compliance professionals at public financial firms earned average total pay of $261,000.

Other key findings of the report include:

1) Compensation Changes by Position: The average annual base salary increase for all positions across industries was 10 percent. Total compensation increased by 8 percent. CCOs’ total compensation rose 10 percent, with a significant increase in long-term incentive pay (14 percent) and a 12 percent increase in base compensation. Total compensation for Compliance Officers and Counsel increased by 6 percent, with the only change occurring in base salary.

2) Chief Compliance Officers: On average, CCOs received 100 percent of their target bonuses in 2022. Chief Compliance Officers with a J.D. have a significantly higher salary than their non-J.D. counterparts. Total compensation for CCOs with a J.D. was 69 percent higher than those without a J.D. The difference in compensation was observed at all levels—base, bonus, and LTI. Chief Compliance Officers with experience working at Am 100 law firms earn significantly higher total compensation than those without law firm experience and those that worked at small or boutique law firms. Total compensation packages for female Chief Compliance Officers were 1 percent lower than their male counterparts. Thirty-seven percent of Chief Compliance Officers expect to make a compensation-related job move within the next year, down 3 percent from last year.

3) Compliance Officers: On average, Compliance Officers received 100 percent of their target bonuses in 2022. The overall gap in total compensation between Compliance Officers with J.D.s and without J.D.s is 15 percent; however, the gap widens significantly based on the law school ranking of the Compliance Officer. Compliance Officers who graduated from a Top 50 law school made 56 percent more in total compensation than Compliance Officers without a J.D. Similarly, Compliance Officers with law firm experience have increased total compensation by 25 percent compared to those without law firm experience. The gap grows to 62 percent if that law firm experience was with an Am Top 50 firm. Female Compliance Officers made 2 percent more in total compensation than their male counterparts. Forty-three percent of Compliance Officers expect to make a compensation-motivated job move in the next year.

4) Direct Reports: The number of direct reports a Chief Compliance Officer or Compliance Officer has correlates with their total compensation. Chief Compliance Officers with 20 or more reports made 133 percent more than those without reports ($665,000 compared to $285,000). Compliance Officers with 20 or more direct reports made 97 percent more in total compensation than those without reports ($463,000 compared to $235,000).

5) Sign-on Bonuses: Twenty-five percent of Chief Compliance Officers in new positions received sign-on bonuses. The median value of the sign-on bonus was $40,000. Similarly, 25 percent of Compliance Officers in new positions received sign-on bonuses. The median value of Compliance Officer sign-on bonus was $17,000.

The data was collected from a random sample of compliance professionals throughout the United States through an online survey administered in March 2023. More than 500 compliance professionals of various levels of seniority within different-sized public and private organizations responded to the survey.


Joseph McCafferty is editor & publisher of Compliance Chief 360°

The Corporate Compliance Fall Reading List
https://compliancechief360.com/the-corporate-compliance-fall-reading-list/
Mon, 20 Sep 2021 19:03:17 +0000

It won’t be long before the leaves are falling, pumpkin spice everything is here, and a crisp autumn breeze is in the air. For many, the start of fall is a time for back to school, back to work, and a refocusing of our efforts on our professional development. Summer vacations are in the rear-view, the warmer clothes are coming on, and many of us are undergoing a change in the books that sit on the night stand or that are loaded onto our favorite reading device. We are putting down the romance novels and detective thrillers in favor of professional development books and those that may help us in our jobs as compliance officers. Well, as you curl up by a firepit or enjoy the fall views from the swing on the back porch, take some time to check out these compliance-related reads from the recent past.

Sending the Elevator Back Down: What We’ve Learned from Great Women in Compliance (CCI Press, 2020)
With the explosion of podcasts in the last few years, it may not surprise you that some of the authors on this list would hail from that corner of the media. Lisa Fine and Mary Shirley, two compliance leaders and the co-hosts of the Great Women in Compliance Podcast, share their insights from speaking to tons of other experts in the field, particularly women who are breaking glass ceilings and paving the way for others in the compliance world. In Sending the Elevator Back Down, the stories are relatable and the lessons are universal, for either the young upstart or the corporate compliance veteran, with the women they spoke to hailing from all corners of the ethics and compliance globe.

In the introduction, the authors state that they wanted to create something “different from a typical book on compliance focused on regulations, case analysis, and the substantive and serious ‘hard skills’ that benefit this profession. Instead, we envisaged women all over the world coming together to share triumphs and truths about facing cross-cultural challenges and adversity.” And that is exactly what Sending the Elevator Back Down is.

“Implicit in the idea of sending the elevator back down is that of raising someone else up,” Shirley writes in a recent article related to the book. “Yet there are people in the workplace and community who seek to bring others down. … Sending the elevator back down rails against such toxic thinking and encourages space for everyone.”

Cybersecurity for Executives in the Age of the Cloud (Independently Published, 2020)
Just about every list of top risks at companies, regardless of who is being surveyed, includes cybersecurity at or near the top. Cybersecurity has gone from one of those concerns that the IT folks down in the server room need to care about to one that touches and worries just about everyone in the organization. And with regulators pushing harder for companies to increase cyber-defenses and disclose more about cybersecurity, compliance officers are spending much more time on the complex topic.

With technological revolution after technological revolution hitting the web, data breaches will be forever on the rise, and compliance professionals and executives need at minimum a basic arsenal of cybersecurity skills in their toolkits. Top executives may not be making the day-to-day technical decisions related to cybersecurity, but that doesn’t mean that they can’t hone these skills to help foster a top-down security mindset throughout the organization.

In Cybersecurity for Executives in the Age of the Cloud, author Teri Radichel gets to the root cause of many well-known cyber-attacks of today, which she says often stem from underlying, fundamental security problems, rather than crafty malware attacks. She also covers many of the technology areas that executives should be more versed on, including cybersecurity essentials such as encryption, networking, data breaches, cyber-attacks, malware, viruses, incident handling, governance, risk management, security automation, vendor assessments, and cloud security.

While the book imparts lots of cybersecurity knowledge, it’s also a surprisingly fun and interesting read with lots of examples and lessons for executives.

Empire of Pain: The Secret History of the Sackler Dynasty (Doubleday, 2021)
The opioid crisis, and particularly the missteps and lack of responsibility by the corporate pharmaceutical companies that participated in it, has many lessons for compliance professionals. It’s a great example of how poor corporate cultures can lead to bad decision-making at the top with devastating consequences. It also reminds us that satisfying the letter of the law with regulators isn’t always enough to stay on the right side of history.

Empire of Pain chronicles these and other mistakes made by members of the Sackler family and their tragic effects, from the many lives destroyed, to the crumbling of the Sackler fortune and philanthropic work. The Sackler name has never been more synonymous with unethical activity and longstanding corruption as the world finds out about the family’s work to downplay the safety risks of OxyContin, a major driver of today’s opioid epidemic.

In Empire of Pain, author Patrick Radden Keefe explores the decades-long history of ethics violations and legal loopholes the Sackler family has exploited in order to evade any sort of responsibility. The dynasty’s existence is rife with drama—pompous personal lives, disputes over property, the use of financial power to attempt to make any and all problems go away. A heavier read on the build-up to the opioid crisis, Empire of Pain serves as a reminder of the stakes of ethics and compliance work, where catching violations could mean the difference between life and death.

The Glass Hotel (Knopf, 2020)
We didn’t want to include just nonfiction in our list and there are, of course, some novels with good compliance-related topics and lessons. A welcome addition to this small, but growing list is The Glass Hotel, by Emily St. John Mandel. The Glass Hotel follows an exhilarating narrative set at the strange intersection of two shocking events—a massive Ponzi scheme collapse in a Manhattan high rise and the mysterious loss of a woman from a ship at sea. Antagonist Jonathan Alkaitis (think Bernie Madoff) runs a massive financial empire, moving imaginary sums of money through clients’ accounts. When it all goes downhill, the collapse ruins lives and obliterates the fortunes of many. Years later, a victim of the fraud takes the lead on the investigation into the disappearance of a woman at sea.

Exploring the intersection of the themes of hubris and greed with mystery and loss, the award-winning Emily St. John Mandel takes the audience through a unique tale of love and loss, guilt and redemption, beauty and pain. Readers won’t be able to avert their eyes from the pages of the instant classic, even if the compliance professionals among us won’t be able to stop rolling their eyes at some of Alkaitis’s moves.

Billion Dollar Whale: The Man Who Fooled Wall Street, Hollywood, and the World (2018)
Now, back to nonfiction: Known now as one of the world’s greatest fraudsters-turned-international fugitives, Jho Low was once a mild-mannered graduate from the Wharton School of Business at the University of Pennsylvania. Called a Best Book of 2018 by the Financial Times and Fortune, this nonfiction thriller follows Low’s whole character arc, from his time as a young social climber in Malaysia to his rise as one of the U.S. Justice Department’s greatest cases. Billion Dollar Whale is a few years old now—are we already in September, 2021—but the narrative is as gripping as it was the first time we heard of it. And if you’re not familiar with the case, business lessons and compliance failures abound.

In the decade following his graduation, Low funneled billions of dollars from an investment fund under the nose of global financial industry watchdogs, using the money to influence elections, purchase luxury real estate, and fund his lavish lifestyle. Following Low’s heist from beginning to end, Tom Wright’s work is a harrowing yet needed lesson of the hubris and greed in the financial world.

Bonus pick: How to Pay a Bribe: Thinking Like a Criminal to Thwart Bribery Schemes (Independently Published, 2016)
OK, this one is actually an older book than the others on this list, but it’s so good we thought we’d include it anyway. Fish this one out of the bookshelf you positioned behind you during Zoom meetings and give it another read. And if you haven’t read it, this is a great example of literature that can bring your work life into sharp relief and may remind you of the importance of the work that compliance professionals do.

In How to Pay a Bribe, author Alexandra Wrage explains the backdoor dealings of bribery and corruption throughout the corporate world. Her work encapsulates words from investigative reporters, former prosecutors, and compliance experts from around the globe. Wrage takes the audience into the mind of people going to extreme lengths to get exactly what they want—to best defeat bribery, you have to understand the inner workings of the corrupt, scheming world of under-the-table bribery and theft and this book takes us there.

That concludes our list. So, put down the rake, grab a pumpkin latte, pull on your favorite comfy sweater, and get down to turning some pages that will not only thrill and entertain you, but will bring you many compliance lessons, examples, and situations that you can learn from and may just be able to apply in your own work. Happy reading!  


Danny Flynn is assistant editor at Compliance Chief 360°

The post The Corporate Compliance Fall Reading List appeared first on Compliance Chief 360.

Can Chief Compliance Officers Wear Multiple Hats?
https://compliancechief360.com/can-chief-compliance-officers-wear-multiple-hats/
Mon, 19 Jul 2021 16:47:31 +0000

Look over any list of big-company chief compliance officers, and you will see several that also have the title of chief audit executive, head of risk management, and other roles. With so much responsibility already residing with those who oversee compliance, it’s a wonder they have time for anything else. Yet many will tell you that their other responsibilities are a natural fit and make the job easier. We set out to talk to CCOs and CAEs who also serve in other roles to ask how the combined responsibilities work, as well as to find out what experts thought of combining audit with compliance and other jobs.

Is it possible to combine the roles of chief audit executive and head of corporate compliance, or other jobs, without sacrificing the independence that’s a cornerstone of the audit function? Opinions are divided. “For internal audit to provide an objective view, they have to be independent of the functions they’re auditing,” says Peter Brady, national leader, business risk consulting with RSM US LLP, a global audit, tax, and consulting firm.

Others say that while compliance helps establish policies and procedures, it doesn’t implement them. Instead, execution is the responsibility of the operating units. As a result, internal audit wouldn’t be auditing itself, even if it and compliance report to the same individual.

“The concept of where compliance lands within the organizational chart is a hot topic,” says Brian Christensen, executive vice president, global internal audit and financial advisory practice at consulting firm Protiviti. Historically, compliance and internal audit were separate functions. More recently, as organizations have established chief risk officer (CRO) roles, some have placed multiple areas related to risk under the CRO’s direction, including compliance and internal audit, says Christensen.

At the same time, “there comes a point where it’s a bridge too far, especially in highly regulated environments,” Christensen says.

Why Combine Roles?
Organizations that combine internal audit and compliance typically point to several drivers behind their decision. One is simply the fact that internal audit typically reviews and must remain abreast of many compliance activities anyway. “An internal audit function that’s not somehow discussing regulatory and compliance risk runs the risk of not being relevant,” Christensen says.

This is especially pronounced within many large financial services companies, where managers must work with myriad overseers, both internal, like corporate compliance, and external regulators. The groups may ask similar questions, but use different frameworks, Brady says. Having separate groups respond to multiple sets of similar questions not only introduces duplication, it increases the risk that some information “falls through the cracks,” he adds.

Scott McAdams is senior vice president and chief audit, compliance and risk officer with Blue Cross and Blue Shield (BCBS) of Kansas City. His six direct reports oversee about 100 employees in audit, compliance and privacy, government relations, information security, and several other functions.

McAdams is charged with establishing an internal control framework that’s aligned with the organization’s code of conduct, as well as the many regulations that govern health plans. These are under one umbrella to ensure the controls reflect all risks to which the organization is exposed. “If you’re doing it independently, you’re losing the value of an integrated response in your mitigating controls,” he says.

By taking an integrated risk management approach, BCBS of Kansas City is able to conduct a single, comprehensive risk assessment. “You want a full vision to all the risks of the company,” McAdams says. At the same time, each area has its own leader and maintains its own list of agenda items that it reports to the audit committee. The internal audit team also independently questions the risk assessment plan. “It’s about maintaining three lines of defense,” McAdams says.

Leveraging Resources
Both internal audit and compliance often use the same frameworks, tools, and personnel resources. Combining them can be a way to more effectively leverage these resources. Darcy Morowitz is vice president, internal audit and chief compliance officer with Navistar International Corp., a manufacturer of commercial trucks, school buses, and other products. She oversees a couple dozen employees working in internal audit, enterprise risk management, compliance and several other functions.

Navistar combined internal audit and compliance several years ago to better leverage its resources. In addition, some thought leadership has theorized that having compliance report to legal could create a conflict of interest, as legal would be the activity owners and defenders in case of an issue.

“Since the reorganization, we’ve made better use of resources,” Morowitz says. She and her team conduct more training on, for instance, the Foreign Corrupt Practices Act (FCPA) and anti-corruption initiatives. They work more with executives on developing the “tone at the top.” They also host a compliance week in which all employees across the company compete in games and competitions designed to further their knowledge of compliance, the code of conduct, and other topics. They’re also leveraging data analytics to a greater extent.

To maintain some independence, the organization incorporates a matrix reporting structure. The compliance employees who are located within operating areas—for instance, emission compliance within engineering—report up through those organizations. They also have dotted line reporting responsibilities to Morowitz’s group, and use a framework developed by her group that covers policies, training, and other functions.

Maintaining Independence
As the examples of Morowitz and McAdams show, organizations that combine internal audit and compliance often put in place safeguards that help internal audit maintain its independence.

Jeff Pigott is vice president of compliance and internal audit at Lee Health in Florida.

While he oversees both functions, each has its own work plans and prepares its own report for the governance board.

The compliance group reports to the chief executive officer, with a dotted line relationship to the board of directors. Should the CEO take some action that the board should be aware of, Pigott can initiate a conversation to address it. At the same time, he and his employees also have access to the CEO. “We have the ability to move the needle, whether it’s on internal audit or compliance issues,” he says.

Like Morowitz, Pigott also plans to engage an independent third party to assess the organization’s compliance function. “It’s inherent in the nature of the beast to bring in independent auditors when you combine internal audit and compliance,” he says.

Mitigating the Risks of Combined Roles
Organizations that place internal audit and compliance within the same department should maintain a direct reporting relationship between internal audit and the board of directors, says Mark Ruppert, chief audit executive at Northern Arizona University. “That helps ensure the functional role of internal audit remains.”

“Clear, objective boundaries are critical,” says Eric Lustig, law professor and director of the Center for Business Law at New England Law School. For instance, when an internal auditor tests the compliance function, his or her career shouldn’t be affected by the results.

When an independent firm is engaged to audit the compliance function, it should report to the board or chief executive officer—whichever has responsibility for governance, says Rob Farling, national anti-money laundering and regulatory compliance leader, also with RSM.

If the firm instead reports to audit, its objectivity will be suspect. “You’ll still have the contract with audit, which oversees compliance,” Christensen says.

Risks Remain
Some say these safeguards aren’t enough to justify combining internal audit and compliance. Brady notes that many aspects of a regulatory compliance role are executive in nature, such as implementing changes in policies and regulations. Keeping internal audit and compliance separate allows internal audit to “provide an overview from an objective standpoint,” he adds.

At many financial institutions, independence is required by regulation. For instance, the pillars of an effective compliance program within a financial institution, which were developed by the U.S. Financial Crimes Enforcement Network (FinCEN), include a section on independent testing of the organization’s compliance with the Bank Secrecy Act, anti-money laundering laws, and other regulations.

Achieving Effectiveness Without Combining Roles
While the risk of creating siloes around internal audit and compliance is real, it’s possible to keep each department independent and yet have them work effectively together and provide a comprehensive view of risk. One way to guard against siloes is through better communication and reporting, Lustig says.

To leverage always-tight budgets, the departments also can share some resources, such as an issue-tracking platform or database, Brady says.

To be sure, maintaining strong relationships between any two departments takes commitment and energy. Yet more organizations are seeing the benefits of taking a holistic, collaborative approach to risk management, Farling says. For instance, a financial institution that’s entering a new market is likely to bring internal audit and compliance into their early discussions, along with legal, IT, and other areas. “With a more holistic approach and more open dialogue, you’re better able to identify risks ahead of time,” he says. 


Karen Kroll is a freelance writer based in Minneapolis, Minn. who specializes in writing on business, technology, and finance.
