Compliance independence - avoiding conflicts of interest
The recently published Generally Accepted Compliance Practice Framework (GACPF) stresses that in order for the compliance function to be effective it must be independent of other business activities, so it can discharge its duties objectively, both to the company and to the relevant regulator. This can sometimes be difficult in practice, and avoiding conflicts of interest needs to be handled carefully.
Having a good relationship with the business is vital to the success of the compliance function, particularly when it comes to assessing the compliance risk of the business. An adversarial relationship should be avoided and the compliance officer should not be seen as a barrier to conducting normal business. Companies with a mature compliance culture tend to think of the compliance function as a vital element of business operations and no decisions on, for example, new business ventures or business services would be taken without the involvement of the compliance function.
Segregation of duties is one of the strongest controls in any system of internal control, and the Framework advises that, at the very least, the head of compliance shouldn’t have any other responsibilities. Risk management is a possible exception, as compliance is part of a broader risk management framework. Internal audit responsibilities are definitely not appropriate, as the compliance function should itself be subject to periodic review.
Remuneration policies could also lead to conflicts, particularly if compliance staff are remunerated based on the performance of the business units for which they have compliance responsibilities. Compliance staff, particularly the head of compliance, should never be put in a position where they need to achieve business targets on the one hand while trying to embed ethical standards and a culture of compliance in the organisation on the other. Remuneration linked to the performance of the business as a whole is less likely to cause conflict. Ideally, remuneration policies and, certainly, performance appraisals should take into account the compliance and ethical standards expected of all members of staff.
Reporting lines for a head of compliance should also be designed to enhance independence, and the GACPF recommends that the head of compliance have both functional and operational reporting lines. While the operational reporting line (i.e. the person who approves leave, pays his or her salary, etc.) should be to a member of top management, the functional reporting line (i.e. the reporting line for the status of compliance of the business) should be to the CEO, the risk committee, the board audit committee, or top management collectively, depending on the governance structures of the company. What is crucial is that the head of compliance has direct access to the CEO to ensure he or she can escalate any matters of grave concern.
Of course, it can be harder to avoid conflicts of interest in smaller organisations, which should segregate responsibilities to the best of their ability. If the desired segregation is not achievable, joint decisions should be taken, and the reasons for those decisions documented and lodged at the appropriate governance forums for noting.
Ultimately, independence is more a state of mind and professionalism than a state of internal policies and controls. Organisations should ensure that they employ people who will be able to fulfil the role in an independent manner and align with the ethical standards of the organisation.