Hybrid Responsibilities in Risk and Compliance – Who Owns What?
Traditionally, managing risks to a business was thought to be the responsibility of a company’s legal team. Nowadays, that isn’t always the case.
While 29% of survey respondents in our 2022 Risk and Compliance Benchmark Report stated that compliance responsibilities upheld this historical norm, the overall findings showed there isn’t yet a concrete standard for managing risk and compliance.
Responsibilities depend on whether we mean compliance in a regulatory, ethical or practical sense.
Regulatory responsibilities
Legal teams often hold critical responsibilities in keeping a company compliant. Regulatory compliance hinges on understanding how laws, rules and regulations dictate business values and expectations.
To this end, there is a definite requirement for resources with legal expertise to oversee regulatory concerns such as security standards, privacy policies, licenses, governance, contractual obligations and audits. Furthermore, as a reactive function, this expertise is necessary to update policies in line with regional and national legislative and regulatory changes.
But is a legal team the be-all and end-all of a compliance program? Our survey yielded interesting insights into how organizations delegate authority over this function. More than 20% of respondents indicated that compliance responsibilities were split across multiple departments, driven by expertise over different areas of the R&C program rather than one unified function. Meanwhile, almost half of our survey’s respondents (44%) had responsibilities beyond compliance, meaning there is no certainty that even legal teams are managing risk and compliance as the focus of their role.
While this is an effective way of balancing areas of compliance with the staff most familiar with a particular field – for example, whistleblowing or money laundering – it has a significant dependency: effective, frequent communication between functions to ensure separate contributions still form a cohesive program that employees understand. Without this, even the most rigorous policies around risk, compliance and ethics will not be successful.
Practical responsibilities
Here’s the catch: though legal considerations are crucial for a company to avoid reputational damage and penalties from regulatory bodies, the legal team has limited practical reach as an internal advocate of risk and compliance initiatives. In other words, responsibility for compliance in the regulatory sense does not necessarily equate to responsibility for how the business communicates this to its employees. There is only so much influence legal teams directly have on the actions of workers in upholding regulatory requirements.
In reality, every employee has a practical responsibility to uphold the values of a compliance program. If employees are unable to, unsure how to, or afraid to uphold requirements, companies will have difficulty communicating expected behaviors to their employees. This is why frequent training, plentiful speak-up awareness resources, and a clear and regularly promoted code of conduct are essential in conveying precisely what employees must practice, and why, in the larger scope of the organization maintaining regulatory compliance.
This must also be communicated with clear, consistent messages accessible to the company’s workforce in all relevant languages. A clear code of conduct and related resources are a great asset to a business – but initiatives will not be successful if those materials are only available in English for an internationally spread workforce. There is a practical responsibility to make sure these resources are available to everyone, which may involve HR, marketing or localization teams, as well as designated risk and compliance personnel.
Additional practical responsibilities lie in positions outside the immediate management of a program. Resolved business cases involving risk and compliance should be communicated transparently by senior leadership to ensure every employee feels they are an important part of upholding a holistic program.
Ethical responsibilities
Doing the right thing doesn’t always come under written policies around risk and compliance, meaning ethical conundrums may sometimes be more likely to enter the realm of HR than fall into the lap of a legal expert. But while regulatory and ethical functions are not opposed in interest, they serve different purposes within the business.
While regulatory compliance protects business interests, ethical concerns often protect an organization’s culture. Regulatory requirements don’t always impact ethical policies – but they do align with doing the right thing and preserving the business’ reputation, both externally and internally.
How ethical an organization is in practice also directly impacts employees’ investment in the risk and compliance program. As ethical responsibilities involve personal principles and decisions, they often make up a significant part of an employee’s decision to continue with a company. Compared to regulatory responsibilities, which react to legal changes, ethical responsibilities must be proactive: a preventative measure for avoiding conflict and a vital part of an attractive company culture for recruitment and retention.
The remit of these responsibilities can be spread across roles from the ethics and compliance officer to HR members – but its reach is felt across the business.
As with practical responsibilities, to effectively deliver on an organization’s ethical obligations, management from mid-to-senior level must be consistent in their messages. Expected behaviors should be common knowledge and not conflict with company policies or formal training. For example, if a code of conduct has a firm anti-corruption and bribery policy around accepting gifts, but certain departments are quietly expected to encourage deals to close with expensive gifts to clients, it creates a fundamental ethical conflict that can alienate workers. Furthermore, having unclear or conflicting messages around ethics can be just as damaging to a business as having none at all.
Final words
In this year’s benchmark report, 8% of respondents indicated that no one within the organization was responsible for a risk integration strategy. This is a dangerous situation for any company as it becomes easy to miss regulatory, ethical or practical issues in maintaining a risk and compliance program. In comparison, the trend of multiple functions holding responsibilities for deliverables is not a bad approach – but it does require discipline.
While larger organizations might benefit from more clearly defined roles in ethics and compliance, expertise is a good start for an organization looking to build a robust risk and compliance program. The primary consideration for hybrid roles in risk and compliance is scoping each function’s capacity and responsibilities across regulatory, practical and ethical requirements. And most importantly, frequent communication and alignment between those responsible are also necessary.
As the economic and political climate creates challenges for managing and updating compliance programs, there are critical questions business leaders should be asking:
- Do we have the right resources and expertise to manage our compliance program?
- Are we making commitments and requirements clear to all staff?
- Are there any obstacles to our employees and stakeholders understanding or participating in compliance?
For more information on opportunities and obstacles around risk and compliance, download our 2022 Risk & Compliance Benchmark Report.