Breaking Down Compliance

The keys to creating a successful compliance program—as told through the letters of COMPLIANCE

Because compliance is still a young role and profession, many people are working to define what makes a successful compliance professional and program, and what can help them improve. After traveling the country for the past few months at conferences, roundtables and other compliance events, a few key things come to mind.

So, let’s break down compliance (literally) and take a look at compliance program traits that, when embraced, will help programs get to the next level.


The compliance industry is a close-knit group. Not just within the same company, but with compliance executives at other companies…even competitors. Compliance executives like to learn from each other and have no problem opening up and discussing challenges they are facing, mistakes they once made and most importantly, what they are doing to ensure a compliant organization.

This is more unique than you might think. For example, in departments like sales, it wouldn’t be as likely for a group of sales directors to sit around the table and share with a competitor how they improved sales by 50% last year.

Many of the CCOs I talk to say they spend hours of their day reading and researching to learn what is going on in their community. Since this profession is still evolving and a key goal of all programs is continuous improvement, it’s not surprising that compliance executives have formed a sense of community—and that openness doesn’t look like it’s going away any time soon. By working together, programs only become stronger and more effective!

Other Departments

To understand what is going on throughout your entire organization, you need to be able to easily pull information from other departments to really enable data-driven decisions. A decision made with only some of the company’s data (i.e. just the data from the compliance department) is still a relatively uninformed decision.

It is key that other departments embrace a culture of compliance and have an awareness of compliance initiatives, such as the hotline, submitting a disclosure, etc. If compliance processes are not being followed in one department, the overall culture and compliance health is affected.

The key is working with other departments, not just mandating rules. The most effective organizations see the compliance department as a team member that will help, not as the “bad cop” who is looking to get people in trouble. It is helpful to build relationships with other departments by attending meetings and working with managers, while still being respectful of others’ time and needs.

“I try very hard not to waste anyone’s time,” said Amy Much, Director of Global Compliance at Under Armour, when discussing her approach to working with other departments. “I try to respect that if I have something that’s important to me and you need to be a part of that you’ll understand that I’m only utilizing your time because it’s important. Really basic ABCs of human interaction—be human, understand people, respect people.”


Good compliance professionals recognize that front line managers in every department are their best friends in creating a culture of compliance and keeping the company on track. They’re the ones who interact with employees and key risks every day, and they set the tone for their department.

It’s critical to train and work closely with the managers of each department so that everyone is on the same page and issues are being handled consistently throughout the organization.

According to CEB’s State of Compliance and Ethics Function 2014 report, 66% of employees choose to report concerns directly to their managers. With this in mind, it’s critical to have a tool or technology in place for managers to easily and consistently document cases, conversations and reports. Some programs also make configurable compliance solution dashboards available to managers. This insight adds value for them and increases personal buy-in in keeping their team (and the company) compliant.

The more managers are involved and following correct processes, the more that mindset will trickle down.

Predictive Data

Simple metric reporting doesn’t cut it anymore. Teams need access to structured and unstructured data that enables them to identify trends and dig deeper when needed. Only this level of analysis will help programs be more predictive and prevent potential risk areas or mitigate hotspots before they present problems.

The biggest challenge right now is getting that data, which is why many compliance professionals are reevaluating the technology they use. Most historical technology (much of which is sadly still in place) makes it difficult to collect and holistically analyze information from your entire program. Currently, since data is separated in different silos, many compliance teams spend weeks finding specific answers to the questions they are being asked by the executive team or board of directors.

However, as compliance technology advances, modern solutions are emerging that enable you to take all of your compliance data—like case management, disclosures, hotline metrics, attestation rates, etc.—and bring it together with data from HR, ERP systems, etc. Having all this information in one place paints a much more complete picture and helps teams really dig into issues (and enables those levels of reporting!), leading to better data-driven decisions.

Levels of Reporting

I cover this a bit under “Predictive Data” and I’ll go into it a bit more when we get to the letters I, N, C and E, but having multiple ways to look at your program data is incredibly helpful and insightful … and is quickly becoming a must-have. Looking at data the same way over and over again won’t reveal any new trends or key insights, and you could be missing out on big areas of risk or program weakness just because of the way you’re reporting.

You need the ability to surface information easily and in real time; customizable reporting dashboards that let you see exactly the type of information you want in an easy-to-consume way; and access to raw program data that will let you pull information in different ways to get a 360° view of your program. Together, these multiple layers of reporting help you react immediately and in the long run.


I alluded to this one already under “Other Departments,” “Levels of Reporting” and “Predictive Data” but it’s so important it’s worth mentioning again. The more information a CCO has, the better equipped they are to make data-driven decisions. The best programs are even beginning to gather enough information in one place to move toward predictive, proactive measures and program improvements based on data.

In fact, the No. 1 thing I hear from CCOs is that they want better access to more complete information. They feel this is the key to making leaps in program effectiveness and ultimately being able to tie compliance to larger business objectives.

Information isn’t limited to just internal organization data. Even if your team does connect to data from other departments, it’s also important to consider external information (such as industry trends, peer benchmarks and public opinion) and information on current and pending laws and regulations along with enforcement trends.

Taken together, all this information allows CCOs to start making connections and correlations about different aspects of their program and company culture.


Since compliance practitioners have so many different things going on, push alerts are incredibly helpful. They call attention to things that need to be handled immediately without the need to constantly be checking in on every aspect of your program. This is also extremely helpful if you delegate parts of your program management to different teammates—including those outside the compliance department.

For example, conflicts of interest are common but how often you receive a new disclosure might not be consistent. Instead of making it a daily task to check the system for new disclosures or risk the possibility of letting a disclosure sit unattended for days, an automatic alert every time a disclosure is filed makes sure the correct person is notified right away. For companies that put COI disclosure management in the hands of front line managers, these alerts are even more important since managing compliance isn’t their number one task and might not be top of mind.

Or if you have a team of investigators handling your case management, alerts can immediately call it to their attention if they’ve been assigned a new case or a new piece of information was added to an existing case.

Alerts let team members focus on their work while making sure nothing new slips through the cracks.

No Waiting

Things move too fast these days to have to wait for information. And while your compliance program might not move as fast as Twitter, being able to follow information, trends and happenings in real time is critical to staying ahead.

Real-time dashboards give compliance professionals an immediate view into the health of their program and individual initiatives, as well as an immediate warning if something needs extra attention or is at risk of going off track.

With the current risk landscape, you can’t afford to wait until the end of the quarter to discover a new risk area has developed or your old measures are no longer doing enough to mitigate a certain risk—by then the damage may well be done and you’ll be forced into cleanup mode, which can be costly, difficult, time consuming and shake the company’s trust in your compliance team.

By having access to real-time information on demand, teams don’t have to wait to assess their program and can immediately address issues as they arise—before they cause real problems.


With so much data, it would be very helpful if it was categorized by department, country, individual, initiative, etc. This ties into the need for deep data and the ability to slice and dice information in useful ways to surface meaningful insights.

By being able to categorize different sub-sets of your organization, you can see if the sales department has a lower than average rate of conflict of interest disclosures; if a particular location has high reporting rates or more cases of a particular nature; if an individual has a history of attesting to policies late; if training scores fell after you released the newest version of a long-standing policy; or other key information that can help you focus your efforts or identify a key risk.

Being able to categorize by just one category won’t give you the breadth or depth of insight that modern programs really benefit from. Remember, it’s when you’re able to look at your data in multiple ways that trends will emerge.

Employee Reports

Being able to pull reports by individual employees can give you a lot of valuable information. There are a lot of parts and pieces involved in compliance programs and it’s extremely helpful to be able to look at the record for an individual employee and see their entire compliance history. In one spot you should be able to see:

  • Which policies they attested to and what version those were
  • Training scores
  • Communication history
  • Any cases they’ve been a part of (including their role in that case, the outcome and any sanctions filed against them)
  • Conflict of interest disclosures
  • Gift and entertainment disclosures

Having this information in one place not only makes reporting and analysis easier, but can also come in handy if the employee comes under investigation by the SEC or DOJ. One of the most famous examples of this is from when an employee of Morgan Stanley was investigated for FCPA violations. Morgan Stanley was not fined in the case because it could prove a history of policy reminders and training about FCPA compliance delivered to that particular employee.

Taking the extra step to connect your employee compliance reports to their ID number in an HR system helps keep all information about that individual neatly tied together.