According to a recent survey, the vast majority of compliance officers appear to believe that their companies are consistently underfunding the compliance function. The survey, conducted jointly by the Society for Compliance and Ethics and the Health Care Compliance Association, found that 73% of respondents felt that they did not have adequate resources. The study also found that the combination of budget pressures and other factors was leading to an unhealthy amount of stress for the typical compliance officer, with a full 60% of respondents indicating that they had considered leaving their jobs in the past year.
In my prior life as a chief compliance officer and lawyer, I used to joke that the regulators could sometimes be our friends. What I really meant was that an occasional bit of trouble with the regulators can be very effective in convincing the CEO that the amount of money and effort spent on compliance was justified.
Of course, hoping that the regulators will come calling is not the best strategy for getting an increase in your compliance budget. Perhaps you have an enlightened CEO who views compliance as the “cost of admission”. However, even the most enlightened CEO probably has a breaking point. For the rest of us, it may be time to consider some better approaches to the budgeting process. In this article, we offer some suggestions that may help you to address your budgeting challenges.
1. Be like a business
Having started my career in the eighties at a large law firm, I was introduced early on to the expression “law is the noble profession”. In those days, lawyers rarely felt it necessary to justify their fees. In fact, it was not unusual for client invoices to contain just one line: “for services rendered”. What I found when I joined compliance was that many compliance groups operate the same way.
Some of the best advice that I received during my time as a compliance officer was to look at compliance as a business. Yes, it is true that compliance does not generate revenue for the company (although I did at one time think about ways that we could turn some of our activities into money makers). However, this does not mean that compliance cannot adopt some of the good practices used by business managers. For example, a compliance function could have a strategic plan. Not merely a mission statement or some lofty ideals but an actual set of objectives and a plan for achieving those objectives. The objectives should be linked to a clear benefit for the company overall (for example, improve employee compliance training scores by 10%). Budget planning could then be aligned to the strategic plan and any requested increases linked to the achievement of a strategic objective. In this sense, the compliance budget is more like that of a line of business and better understood by the CEO.
2. Demonstrate efficiency
One legitimate concern of CEOs is that there never appear to be any economies of scale in compliance. While it is true that regulatory expectations are increasing, there never appear to be any opportunities to achieve efficiency gains.
Benchmarking your group’s resources against an industry standard could be one method of demonstrating efficiencies. Unfortunately, while some benchmarking information is available, it is always difficult to determine whether companies report their information on a consistent basis. For example, while some companies consider anti-money laundering operations to be part of compliance, others do not. Since these operations tend to be resource intensive, not including them in the compliance numbers can have a significant impact on the total reported compliance spend.
In the absence of benchmarking data, it becomes more important to find other means to periodically assess whether the compliance group is operating efficiently. For example, while it is true that compliance expectations are always evolving, is it not possible that some compliance activities are out of date and not providing the benefits that they once did? Further, does a reassessment of the risk profile of the company allow for some resources to be reallocated to higher risk activities? Also, have innovations in technology provided opportunities for efficiencies?
Efficiency gains can offer an opportunity to compensate for increased resource requirements in other areas. The ability to demonstrate efficiency gains also builds credibility and trust with the CEO at budget time.
3. Allocate costs to the first line
Under current regulatory expectations, compliance is meant to be the responsibility of the line of business, with the compliance function playing advisory and oversight roles. This is often referred to as the three lines of defense model, where the business is the first line of defense, the compliance function is the second line of defense and internal audit serves as the third line of defense.
Despite the regulatory expectation for a three-line model, many compliance groups continue to provide complete compliance services for the business. While the line of business may acknowledge that they own compliance accountability, all too often this only means that they understand that they must ultimately pay the cost of compliance. Essentially, they look to the compliance group to provide both the first and second line functions.
Confusion over accountability can have two implications for budgeting. First, the cost of the compliance function can be overstated as it is assuming costs that should be paid directly by the line of business. Second, it fails to properly distinguish between the cost of complying and the cost of compliance oversight. It is important to make these proper allocations and to have greater transparency for the CEO about the two sources of compliance costs.
While it may be appropriate to separate compliance from the business, it may have an unintended consequence for budgeting purposes. Once separated from the business, the link to the revenue generating activity that gives rise to the need for compliance programs is not as clear. Compliance can come to be viewed only as a cost and not as a cost of doing business. Clearly communicating the linkage between budget requests and developments in the business is another important exercise that can help pave the way with the CEO.
4. Measurement techniques
In our article on The New Normal, we addressed the development of meaningful risk indicators and their role in measuring compliance program effectiveness. Effectiveness measurements can also be useful tools for budget planning. Earlier, we mentioned the benefit of linking your budget to your strategic plan. Linking a budget request (the cost) to an improvement in an effectiveness measurement (the benefit) can also help to make the process more “business-like”. In turn, this makes it easier for the CEO to see how an additional investment in the compliance function will benefit the organization.
5. Risk-based exercise
My final bit of advice is to engage the CEO in establishing the compliance risk tolerance. As with any risk management exercise, compliance risk management is not an absolute science. Compliance officers attempt to assess the risk of non-compliance across the myriad of regulatory requirements based on a number of factors. Resources are then requested and allocated to compliance activities based on the assessed level of risk.
The risk-based approach to compliance is often obscured by the fact that most, if not all, companies adopt a corporate risk appetite of zero breaches for regulatory risk. Essentially, this risk appetite states the obvious, as a company cannot say that it anticipates breaching regulatory requirements. However, the reality is that there are hundreds or even thousands of employees whose actions could result in a breach of a requirement. Further, not all laws are black or white. Many breaches occur because a regulator, with the benefit of hindsight, disagrees with a best-efforts interpretation a company has made of a requirement. Therefore, the best that you can hope for in respect of a regulatory record is to stay within an acceptable level of tolerance, which will vary depending upon the size and complexity of the company and its business.
How does this relate to the budget process? While it is the accountability of the chief compliance officer to advise the CEO and the board of directors whether the company has devoted adequate resources to compliance, it is a subjective determination based on the regulatory risk tolerance of the company. Generally, additional resources will always lower the risk.
CEOs and boards of directors should actively participate in establishing or at least understand the company’s regulatory risk tolerance and how it relates to the budgeting process. It is only when the chief compliance officer is confident that this link is understood and the risk tolerance is accepted that the budgeting process can begin.
Canadian Compliance Group