You have adopted your basic compliance policies and procedures, established a reporting system and visibly rolled out your new compliance program. Your board of directors has passed a resolution decisively stating its commitment to compliance. The CEO issued a letter stating her commitment to compliance and mandating every person in the organization follow the Code of Conduct and perform their activities in a compliant manner. You may have even integrated compliance training into your initial hire and periodic training programs.
On effectiveness review, the reviewer sits down with your management team. At some point during the meeting the reviewer goes through a list of critical compliance items: policies and procedures (check); training program (check); reporting system (check); compliance budget … compliance budget?
It turns out you put a great deal of effort into establishing and operating a compliance program but have never established a separate budget line for compliance. An adequate compliance budget is a significant indicator of an effective compliance program. Without a separate budget line item, you would need to reverse engineer to determine how much you have spent on compliance. You talked the talk, but did not walk the walk. In compliance, it is important to put your money where your mouth is. But enough of the clichés.
All external compliance standards require your program to be “effective.” It is difficult to imagine a program meeting effectiveness standards if no financial resources are put behind it. Having evidence of compliance expenditures at your fingertips can save a lot of effort when it’s time to defend the effectiveness of your compliance program. Establishing a compliance budget requires focus on what is required to operate your compliance program. An adequate budget indicates organizational commitment and reinforces support from the top of the organization. It also reinforces independence of the compliance officer who otherwise is required to beg for resources from other budget areas.
Compliance budgeting is difficult. The return on investment on revenues allocated to compliance is not always evident to corporate decision makers. After all, how do you prove or quantify costs that might be avoided through the operation of a compliance program? Those of us who deal with compliance difficulties fully understand the value of investment in compliance structure and operation. Companies that go through a compliance issue, particularly one that could have been avoided by a properly funded compliance program, also tend to gain an understanding of the value of compliance.
This does not mean compliance should be immune from expectations of efficiency. It also does not mean an organization needs to allocate an unrealistic level of funds to compliance. Compliance efforts and resulting expenditures can be scaled to the size, nature, and complexity of the business. Issues related to scaling of compliance are perhaps the most difficult aspect of the compliance practice. In smaller organizations, resources should be focused on areas of greatest vulnerability. It is also critical to establish a system to identify and rank risk areas. This information can be used to establish a work plan that sets compliance priorities based on a reasonable assessment of potential risk. Compliance activities objectively determined not to create higher degrees of risk can be scheduled into the future. If an issue that arises is judged as a lower risk area, the work planning process demonstrates the issue was part of the process but not the highest priority or the area of greatest vulnerability.
Don’t ignore the need to plan compliance activities and budget based on prioritized risk. A logical and adequate budget established using a well-thought-out process is the key. A budget based on specifically identified and prioritized risk areas will be easier to communicate to business-minded individuals on your board. It is much easier to see the potential return on investment when the compliance officer presents a well-supported work plan based on specific identified risk areas.
Source: Blue Ink Blog