Recent news that the Securities and Exchange Commission (SEC) will be pursuing an aggressive plan to seek admissions of wrongdoing before settling civil enforcement actions marks a radical change of SEC policy direction.
In an effort to arrest the deterioration of public trust in the Commission and restore it, the SEC’s Enforcement Division Director, Gurbir Grewal, wants to reverse the “no admit, no deny” practice that previously gave companies the choice to settle an SEC investigation without admitting wrongdoing.
Should the SEC succeed in dramatically dialing up accountability for companies and their senior management, the onus will be on organizations to review and refine their existing compliance programs. Future admissions of wrongdoing will carry not only SEC fines but also significant reputational damage, and potentially a series of further ramifications, including criminal investigations by the Department of Justice and private litigation initiated by investors and other affected parties.
Genuine support from leadership and a well-thought-out compliance program
All of this means that a robust compliance program is more critical than ever to assure senior management that risks are sufficiently assessed, managed, and monitored.
An effective compliance program relies on strong leadership support that sets the tone from the top and puts money where its mouth is. However, a thoughtfully designed compliance organization and set of processes are equally important to the success of the program. Among others, below are some key factors I consider relevant when building a compliance program:
1. Set the right expectations
A compliance program is not set up to eradicate all compliance and misconduct risks and incidents. Instead, it provides a mechanism for an organization to identify early signs of misconduct and address them before they grow into "egregious misconduct". A thorough investigation process will identify the root causes of an incident so that the remedial measures can address the underlying problem rather than its symptoms.
2. Management information, not countless risk metrics
Organizations are usually overloaded with risk metrics. Yet truly relevant management information and robust incident reporting mechanisms will significantly enhance the effective governance of the program. They empower risk officers to hold focused conversations with management that help it understand how risks affect the business.
3. Compliance risk is a business risk
Compliance functions are often charged with control responsibilities, reviewing and approving day-to-day business dealings. The result is that compliance officers are overwhelmed by the volume of work, pending approvals sit in a backlog, and business processes slow down. The traditional conclusion is that the compliance program needs more investment, but that the cost is too high. In fact, the front-line business should be empowered to manage compliance risk itself (with the business process properly redesigned), while the compliance function focuses on partnering with the business to manage risks and challenges more strategically. Managing risk better starts with thinking about how to manage it more efficiently.