1. Awareness
Training to be provided and received
Rotation and secondment across the business
Access (all areas) to corporate plans, strategy, “deals”, products, inside and other sensitive information
Trusted adviser
Culture Role
Priority access to skills and knowledge development such as:
• IT-(systems development, reports, investigative tools, machine learning)
• Leadership/management
• Communication/influencing etc.
2. Authority
Clear mandate:
• Role/responsibilities formalised in compliance framework reviewed annually/regularly reported
• Agreed and regularly updated compliance universe with great clarity on what is in and what is out – highlighting underlap or overlap with other control functions or Board expectations
• Reporting to Board/board committee/management to continually highlight known unknowns/relevant and related matters not covered by Compliance mandate but of critical importance
Independence:
• Function should not have operational responsibility (outside of running the Compliance function) and should have an appropriate reporting line
• To be reflected in fair budget and resource arrangements and any concerns here must be expressed, highlighted, and addressed by management/Board to CO’s/HoC’s satisfaction
• In many larger institutions it is best practice that the HoC makes an annual declaration to the Board that she/he is satisfied that the Compliance function has the independence to carry out its functions and is not constrained in that regard
Compliance function should be part of the work programme of other control functions – e.g .internal audit and risk (and vice versa) – and also be externally reviewed every few years.
Expectation to speak freely (and of course responsibly) Senior status – including relativities in salary/ remuneration, grade structures and reporting lines internally as well as vis-à-vis market levels.
High senior profile as reflected also in inclusion in communication, engagement, meetings, membership/ attendance at briefings/project and programme groups.
Reflected in positioning of Compliance role by CEO/ senior management with Board, regulators, auditors, other management, external parties etc.
3. Access
To be guaranteed to all Board and committee members Regular scheduled meetings (frequency to be agreed) and also by request but not dependent on an invitation:
• With CEO
• With Board
• With relevant Committee chair
Must be on circulation list as of right – not at its REQUEST - for all board/board committee papers and Executive management team papers (applicable to the Compliance function’s part of its own corporate structure and areas of responsibility).
4. Alignment
• With sibling control functions – risk, internal audit, Data Protection/Cyber/Financial Crime, ESG, authorisations, legal, and compliance colleagues in other group jurisdictions
• Develop (in)formal networks
• Schedule frequent formal meetings with these as required with agendas and action points • Share annual plans and updates
• Share own/other internal/external findings of reviews/investigations/reports
• Share concerns and areas requiring common attention/shared knowledge
• Together ensure alignment with e.g. Legal and HR, especially in relation to SEAR/IAF, F&P, MCC, PRISM issues/developments/responsibility/ regulatory relevance with the business
• Know the business – the products and processes
• Be involved/included in product development processes
• Be involved in customer care/engagement/ change/ communication processes
• Have input to policy, plans, culture and strategy issues
• Know the people and understand their objectives, goals, expectations, fears, pressures
• Understand their drivers and key and real performance metrics and targets – their areas of attention (remuneration, reward and recognition incentives and disincentives)
• Respond to what conflicts of interest these may cause
In the hybrid model face to face meetings help the eye-balling necessary as well as trust building, more openness (i.e. truth, “nowhere to run, nowhere to hide”) and better opportunities to show empathy or challenge (as required).
5. Accountability
• While it is the responsibility for all to be compliant
• Specified individuals are accountable and should be clearly identified as such
• Both across the business in those designated business processes to ensure business is carried out in a compliant manner such as in routine first line business checking, implementation, review;
• As well as in Compliance, providing briefing, training, supporting implementation, monitoring, reporting, remediation, etc.
• SEAR/IAF alignment of roles and responsibilities, agreed priorities, delivery, shared and allocated accountability is CRITICAL
• Responsibility for the management, communication, reporting and control of conflicts of interest must be properly allocated and undertaken and accountability properly understood, acknowledged and reported upon
• Experience shows (while onerous) having an annual director compliance statement process (DCS - even if not a regulatory requirement) can be very beneficial to an organisation.
• This would formally require the organisation to undertake and report upon standard (or specific) review processes carried out and signed off by the accountable owners
•Gives comfort to directors that it is in order to sign a DCS
• Balances accountability and responsibility across the organisation (the three lines of defence) and between board, management and staff
• Would greatly assist a post-SEAR/IAF world