We often hear the adages "compliance has to understand a company's business" and "compliance has to work well with the business side."
While I generally agree in principle with these phrases, there is a more important point here. A compliance professional has to understand a business, its specific business processes, and its operations. In other words, a compliance officer has to understand a business process step by step.
My sentiment here is fairly categorical. It is meant to underscore the importance of compliance officers learning a business down to the step-by-step events in the relevant functions, including basic manufacturing, safety, quality, packaging, and transport functions.
Apart from these basic functions for transforming inputs to finished products, there are relevant business processes governing the supply side (e.g. vendors/suppliers) and the sales distribution side (e.g. sales agents, distributors), contracting, and supply chain management. Compliance officers interact with other important functions including human resources, information technology, security and other processes.
Compliance's understanding of business processes is a critical part of understanding internal controls and a company's risk profile. Compliance officers are adept at identifying and assessing risks. In doing so, a compliance officer can spot a control weakness or a potential risk (e.g. fraud) and develop potential solutions that do not disrupt the business process. This is the key skill and training of a compliance officer. They have a keen eye and sensitivity.
For example, I have worked with compliance officers to manage invoice-to-payment processes. This is a key risk process identified by the SEC in the anti-corruption and fraud areas. Compliance officers often take the time to speak to business functions involved in this process. To understand the process, compliance officers may map the step-by-step tasks involved in the process. By doing so, compliance officers can zero in on opportunities for misconduct leading to fraud, mistakes, or even bribery. In this process, a compliance officer can establish points where segregation-of-duties conflicts can be mitigated and improvements can be built into the system.
As I have said on several occasions, compliance officers have an expertise in the design and implementation of internal controls. They are subject matter experts in this area and deserve a broader remit to apply this skill to business operations. Unfortunately, when it comes to internal financial controls, CFOs and other financial executives are reluctant to give compliance officers a seat at the table. That is a mistake.
CFOs have used the issue of SOX controls to build a pre-determined silo that excludes compliance from an important role. Compliance has the ability to understand and assess controls related to the compliance function. What the CFO fails to understand and appreciate is a CCO's ability to contribute to overall internal control functions.
CCOs understand the importance of working with the business and building relationships and loyalty. CCOs often leverage (and should leverage) these relationships with the business to create opportunities to expand monitoring, testing, and proactive business and compliance planning.
CCOs need to expand on this important relationship with the business side. A CCO is only as good as his or her relationships, cooperation and coordination with the business and critical company functions. A CCO may be able to design impressive policies, procedures and training programs, but in the end, the ability to work with the business will be a key determinant in a CCO's overall success.