
Survival of the Fittest:

Compliance Program Evolution

Case Study in Assessing

Compliance program maturity 

As all compliance programs continuously evolve, how do you measure your success or plan for the next step in the development of your program? This video introduces a practical approach to assessing the current maturity of your program and processes using a compliance program maturity model. This model is designed to help you track and communicate your current state as well as pinpoint the places where your program can level up, including governance, risk, process, culture, and design.

Ann Oglanian

Ann Oglanian has more than 25 years’ experience in the investment management industry and is sought after for her practical guidance on strategic business planning, organizational and operational matters, and compliance program development and assessment. Prior to founding ReGroup in 2002, Ann served as managing director, general counsel, and chief compliance officer of Montgomery Asset Management and partner in the investment management practice of Vedder Price.

 You can download a full copy of the slides from this webinar.



Full video transcript available below 

Kind of a case study, we do a lot of these, and so, this particular one will show you how we think about it. Here's an example. This shows on the left-hand side the level 1, 2, 3, and 4 that we talked about from the maturity model. Then of course, across the axis are the pillars. We only had room for 4 of them. There would be 6 more on here. We say to ourselves, "Governance, risk and supervision, what are the indicia that we're looking for in terms of good compliance design, and what have we got?" For this particular client, we didn't have much. They just didn't have the indicia that we were looking for, and so they were kind of at the reaction stage. However, you can also see that they had amazing culture and leadership. They were absolutely at the top of the top. They had the right people talking about the right things. The messaging was repeated. It was outstanding, and they meant it. It was like everyone in the firm could repeat what I would call the ethical culture of the firm and the thoughtfulness was there, but they also weren't having the conversations about the compliance program that they should be having on some periodic basis, and they certainly had no record keeping around that because they weren't doing it. We're like, "Hm, maybe governance would be a place where you could kind of kick it up."

Policies and procedures, a little bit medium, definitely not [inaudible 00:25:22], and inside policies and procedures, again you can have very individual things that are strong and individual things that are weaknesses. You could maybe not be doing a gap analysis of your procedures, you've never done one. You didn't realize that, I don't know, the custody rules had changed several years ago, and that needs to be upgraded. You maybe have no process for updating your policies and procedures. They've been sitting on the shelf for a couple of years, you know, at a minimum we like to ask the CCO to sit down and read through the whole thing at least annually.

Then program evaluation, we were seeing somebody who really didn't have a good grip on how to evaluate their own program, how to do the testing, how to talk about it, how to understand that what you were testing should be tested against the conflicts of interest that the firm has, not a good understanding, and never had had anyone else come from the outside to ever look at their program, and so they were a little skittish. Not comfortable with program evaluation, had not had an S&C exam and probably were not prepared. This is just a way of looking at it. Now we say, what's the result of that then? Remember there'd be 6 more columns here, and we say, now we can dive in and say very specific things that can be done to kick these levels up. We can standard governance and risk. Here's an example, excuse me.

The next few slides show the questions that we asked related to each one of the pillars. This one is governance, risk and supervision. We'll go through these to give you a little bit more of an understanding about why this is about design and not about regulatory substance. Does the firm's org structure reflect its actual supervisory structure? You could have an org chart that doesn't quite match who's supervising whom. Is the governance structure clearly articulated, understood, and utilized by the firm's management? Is there one, right? Is it [inaudible 00:27:32] to include management committee, investment committee, it's called decision rights, who has the decision rights, and are they clearly understood? Is the risk assessment process designed to assist the firm in identifying and resolving issues, avoiding errors, reducing exposure to the risk of individual action, and unacceptable business or regulatory risk, or damage to the brand and reputation?

Does the firm's governance structure define expectations, grant power, and verify performance? You know, it's a trust, but verify system. Is the governance structure clear, understandable, and useful to the management of the firm, or is it just sort of this thing we have to do, we don't really see any value in it at all? Is the firm's governance structure designed to assist with regulatory compliance, meaning, do you have a compliance committee? Does the supervisory structure provide wealth clarity? We find wealth clarity, especially as your firm gets bigger, it can get really complicated. Are the firm's risk management processes transparent, designed to identify regulatory risk related to the business model, or have you borrowed somebody else's risk assessment who isn't related to you, and designed to help ensure that those risks are adequately managed? The issue with the risk management process being transparent is whether, are you doing it by yourself in a room alone, not good, right? It's a start, but it's not really how it should be done. It should be a group conversation, so can you elevate that and get other people involved in how they think about risk. They may not agree with you.

Here's an example of the processes of policies and procedures pillar design. Are the compliance procedures written? For some of you that probably sounds crazy, but we see a lot of procedures that are not in writing. Are the compliance procedures designed to clearly reflect current regulatory requirements? Are they managed through a life cycle process that's designed to ensure that they reflect regulatory and actual business practices? Are they understandable to the people who are accountable for their execution? If they're super legal legally, that's not helping anybody. We see lots of procedures written, especially by law firms, that are beautiful articles on best execution, they're beautifully written, but there's no procedure in there. Not always what we're looking for.

Here's the culture and leadership pillar of design. Is the messaging from executives robust, consistent, and reiterated throughout the firm? We can't say it once. Is the messaging supported by a commitment to hire competent employees? Is there development of a reward structure that promotes good internal controls and effective governance, and appropriate consequences for poor compliance performance? The example there is, do you have any sanctioning if things are not done well? Does anybody get their hand slapped? Does it affect their bonus at the end of the year? Is it really, are there teeth in that side of the equation? Is the tone consistent with the policies and the code of ethics? Are the executives receptive to employees' ethical concerns? Do they value ethics and integrity over short-term business goals?

Let me explain that one for a minute. For example, we actually asked people. You know, we go in and interview people and embed it in our questions, do you have, have you raised any concerns this year that management shot down and they didn't agree? There could be a reason, a really good business reason, for why they shot you down, or it could be that there was a short-term business goal, that they just wanted to go grab the golden ring and were unwilling, unreceptive to ethical issues.

Do executives require transparency? You can give them transparency. That's great, but what we want to see is a CEO that requires transparency, requires reporting, actually listens to you when you do the reporting, that's what we're looking for. Do executives respond appropriately if they become aware of misconduct, and do they support your recommendations for what should be done in dealing with wrongdoing? We want to see a lot of respect for your messaging, assuming that what you are recommending is solid, and it's good stuff.

The next, we'll just go over 2 more of these really quickly to give you a sense of what they are. Program evaluation, does the firm evaluate its compliance program in a manner designed to comply with the law, and produce actionable recommendations that are reported to management? Lots of you are sort of doing the testing off to the side, but you're not actually producing actionable recommendations. Here's 3 things we need to do better. Are recommendations acted upon? Once you make the recommendation, does anybody support what you're doing, and do you actually go do it? Is the subject matter of the testing program tied to a risk assessment process? If your risk assessment says here are these 3 areas where we are at risk, I should see some testing of those areas that's maybe more robust, more periodic. There should be a [there 00:32:57] there.

Does the firm utilize periodic external evaluations? I'm a big fan that if you have an external evaluation of your program, whether it's by the SEC or by an outside firm, every 3 years, that's my rule of thumb. Enough changes every 3 years, people, personnel, expertise, products, that you need to have somebody in every 3 years. Some people say it's more than that. I think it's a big lift. It's expensive, but I always tell CEOs, add it to your budget for every 3 years, at least. Does the evaluation process include testing and trend analysis? It's not just that you have someone come in and do this work for you, it is that whoever's doing the evaluation needs to do a really good job, and that's a whole separate conversation, how to hire a consultant.
