For years, executives in many corporations thought of compliance as a back-office function, and those responsible for compliance reported up to the legal or finance function. Compliance was typically viewed as a routine, periodic safety checkup, conducted much in the same spirit as people periodically changing the batteries in their smoke detectors: it is extremely important, but the chances of significant danger seem minimal. Thus, minimal effort was typically exerted to address compliance issues.
In the past decade or so there has been a significant shift in corporate thinking about compliance, however, and it has become a key consideration for a risk-intelligent enterprise. The growing importance of compliance can be attributed to a variety of factors: overlapping and sometimes conflicting regulatory jurisdictions, heightened attention to environmental and social issues, the impact of globalization and a growing public demand for greater corporate transparency.
Boards of directors have also heightened their attention to compliance programs. Landmark legal cases, regulatory guidance and the Federal Sentencing Guidelines have each set new standards for board involvement in the oversight of corporate compliance risk. As a result, boards are becoming increasingly attentive to risk assessment and program design and execution, often through the audit committee.
As principal liaisons to the audit committee, chief financial officers are seeing this trend firsthand.
As stewards of the company's financial resources, financial executives are also more interested in compliance matters. From a monetary perspective, here are a few facts or cases to consider:
* In its 2012 report, the Association of Certified Fraud Examiners (ACFE) estimated that the typical organization loses 5 percent of its revenues to fraud each year. The median loss caused by an occupational fraud case was $140,000, but more than one-fifth of such cases caused losses of $1 million or more.
* In the area of data privacy and protection, a report by the Ponemon Institute estimated that noncompliance costs 2.65 times what compliance costs: the average cost of data privacy compliance was $3.5 million per organization, whereas the average cost of noncompliance-related problems was $9.4 million.
* In 2012, a former executive of a global financial services firm was charged by the U.S. Securities and Exchange Commission (SEC) with violating the Foreign Corrupt Practices Act (FCPA) on a number of counts. Because the firm was able to show that it had taken FCPA compliance seriously for many years, the firm itself was not charged, although the executive was fined and punished.
* Sometimes the cost of noncompliance is indirect. For example, when a manufacturer has to remove a product from the market, it can lose significant market share in the time it takes to design and introduce a new, compliant product.
Given the complexities of corporate operations in a global environment, compliance should be part and parcel of a broad risk management...