By Ibrahim YEKU, LLB, BL, LLM, CCEP-I, CAMS
Compliance firewalls remind me of the familiar saying, ‘Don’t let your guard down,’ a warning not to relax your vigilance lest something unexpected or disastrous happen to you. In 2023, the United States Securities and Exchange Commission imposed cumulative fines of over $1 billion on nine companies for violating the Exchange Act and the Foreign Corrupt Practices Act (FCPA). The violations included bribery, insider trading, and fraudulent accounting practices. Yet these companies had compliance programs and policies, compliance officers, and audit departments in place as measures to ensure compliance with their legal obligations. Despite those measures, the sanctioned companies could not prevent the violations that led to the fines. The question on every compliance practitioner’s mind is: what went wrong? Why should companies with compliance programs bear the unpleasant consequences and burdens of sanctions?
This article does not aim to conduct a postmortem analysis of the companies but to highlight measures to help organisations build effective compliance firewalls against compliance violations.
What are compliance firewalls?
Compliance firewalls, in the context of this article, are not literal barriers but metaphorical shields embedded in compliance programs. They help organisations proactively guard against any infraction or violation of the external legal obligations the company owes, and against violations of its internal policies by the company itself or by other stakeholders. In simpler terms, compliance firewalls are safeguards that help organisations avoid compliance violations and sanctions. They are tools that shape an organisation’s culture and help establish corporate best practice.
How to Build Compliance Firewalls
At its core, establishing compliance firewalls requires a robust compliance program with clearly defined policies and procedures. The program’s objectives should be transparent and understandable to all business stakeholders. Each business unit, department, and critical associate should understand its role within the compliance program and what the business expects of it. A comprehensive compliance program should set out the company’s value proposition, the impact and contribution of the compliance program to corporate objectives, the methodology of its implementation, and the expected outcome for the business in terms of value added and value erosion prevented. It should feature standards, policies and procedures, training and communication, monitoring and assessment, leadership structure and oversight, reporting and response, and risk assessment.
Risk identification and corporate risk appetite
Identifying the various risk domains that may negatively affect an organisation’s business is crucial to developing an effective compliance policy and the measures that guard against those risks. Compliance policies and procedures must be designed with an understanding of the types of risk the business may be exposed to. A critical component of a compliance program is therefore the identification of the compliance risks a company faces: a risk that exists but is unknown or unseen by the business is itself a risk. It is generally recommended that organisations maintain a risk register in which foreseeable compliance risks are listed, their severity to the business is measured, and their likelihood of occurrence is assessed.
Indeed, compliance policy failure is unavoidable when the policy fails to identify the compliance risks associated with the business. It means the compliance program has a design defect and is bound to fail by design. A clear example of a defective compliance policy is one under which a bribe or inducement is treated as a business development incentive or as part of business facilitation. Such a policy has failed to recognise the payment of bribes as a prohibited act, and the organisation is exposed to compliance risk as a result.
Compliance risk identification starts with the risks that may arise from failure to comply with legal and regulatory obligations. This is about knowing what the law expects of the business. Every compliance policy and procedure must follow the law, because a compliance policy cannot approve what the law prohibits. Once the risks are correctly identified, the next step is to determine the organisation’s ability to withstand or bear them. This ability is often referred to as ‘risk appetite’: the level of risk an organisation is willing to accept in pursuit of its objectives. Where an organisation can bear the financial, reputational, and stakeholder consequences of a given risk, it may allow some tolerance. It is worth stating, however, that an organisation’s risk appetite is determined not by its compliance officers but by its management, and it is not chosen arbitrarily but on the basis of careful consideration of business impact. The organisation’s risk appetite largely determines the measures it implements to avoid violations: fewer compliance firewalls for risks the organisation is willing and able to tolerate, and more safeguards for those categorised as high risk. Where risks are not correctly identified, there will be no firewalls to guard against the resulting violations.
Staffing and administration of compliance program
A good compliance program must be administered by persons with demonstrated competence and knowledge of the compliance subject. Having the right people as chief compliance officer and in the various compliance units is necessary to build a formidable compliance firewall. Administering a compliance program is not the work of the chief compliance officer alone; the other units within the compliance department must be staffed by persons with the requisite skills and knowledge for the area in which they function. A due diligence officer must be adequately trained to conduct due diligence across the foreseeable risk domains, while an investigation officer must be trained in investigation. It is appropriate for people with sound business knowledge to occupy roles within the compliance function, but such persons must be adequately trained to acquire the knowledge and skills the task demands.
A good compliance program administered by incompetent persons is no better than a bad one. A compliance firewall can only be effective when the persons administering the program are fit and competent to discharge their obligations. There are instances in which persons who do not understand the organisation’s compliance policy objectives are made compliance officers. In some organisations, the error is to appoint persons of questionable moral and ethical disposition to the compliance team, only for the program to be compromised. Over-ambitious officers often discharge compliance functions in a manner that advances their own career objectives: they either overplay or underplay the role of the compliance officer, administering the program to make themselves, rather than the organisation, look good. They seek to indict all business conduct in order to appear efficient, which kills trust in the compliance program. Such officers dance to the whims and caprices of the powers within the organisation.
Training and retraining of employees and other stakeholders
The importance of implementing a compliance training program cannot be overstated. Training as a tool for equipping and reskilling members of the compliance team, and training as a means of educating employees and stakeholders about the company’s compliance obligations and their own role in helping the company meet them, are both essential to effective compliance firewalls. The compliance risk owners, that is, the units or departments that are the closest touch points to a compliance risk, must be trained in what is expected of them and how to respond to the risk. Training people to know and identify the risks, and to avoid violations, is essential. Employees are the first line of defence, so companies must pay attention to the training and retraining of employees and business associates.
Monitoring and evaluation in the regulatory landscape
Constant monitoring and evaluation of the compliance program has proven to be one of the most practical compliance firewalls against violations. Monitoring and evaluation provide an opportunity to assess the effectiveness of the controls and mitigation measures put in place to prevent violations. The health of the program can be evaluated through a compliance program audit, which provides an opportunity to take proactive action to correct any perceived or observed anomaly in its administration. There is no better way to show commitment to the compliance program than to evaluate it periodically to ensure that it is working as intended and that the purpose for which it was set up is being achieved. Because the regulatory compliance landscape is dynamic and evolving, monitoring the internal and external factors that may affect the program’s administration is crucial. Monitoring helps organisations identify new and emerging risks and positions them to act proactively by implementing appropriate mitigation measures.
The tone at the top
The tone at the top is what top management knows about the organisation’s compliance obligations and what they say about them amongst themselves. It is how compliance influences the actions and decisions of top management. The tone from the top is the communication and expression of the company’s commitment to compliance program implementation and administration to employees, business partners, and other stakeholders. Top management’s commitment to the compliance program must be loud and clear. The tone, frequency, and manner of that communication must be consistent, so that no one is in any doubt about top management’s position on compliance-related issues. The best promoters of policy within an organisation are its top management. Therefore, top management must continue to reinforce the compliance message and devote sufficient resources to the program’s implementation and administration.
In conclusion, compliance firewalls must be fortified and reinforced regularly to sustain the vigilance of the compliance program. One way to achieve this is by committing to the continuous improvement of business processes and aligning business objectives with corporate compliance objectives.
Key Takeaways
- The objectives of the compliance program should be presented in a manner that is easy for all business stakeholders to understand.
- A compliance program should address the company’s value proposition, impact and contributions to corporate objectives, implementation methodology, and expected business outcomes in terms of value addition and preservation.
- A critical component of a compliance program is identifying the compliance risks the business faces. A risk that exists but is unknown to the business is itself a risk.
- Over-ambitious officers often discharge compliance functions to advance their own career objectives at the expense of stakeholders’ perception of the compliance program. They either overplay or underplay the role of the compliance officer.
- A compliance firewall can only be effective when the persons administering compliance programs are fit and competent to discharge their obligations.