Management: Compliance Management Techniques

How to manage compliance is always a favorite topic with compliance managers. The ABA National Regulatory Compliance Conference offered a variety of sessions on compliance management, starting with how to set up a compliance program. Suggestions were offered for all size banks but the consensus was that any effective compliance program takes time. The experts estimated that you should expect to spend between 18 and 24 months getting a program set up.

Susan Walters, a Principal of Kraemer & Walters, LLC, presented a session on the stages of development of a compliance program and a time from conception to completion.

Walters' timeline begins with Strategic planning. This phase can take up to three months. It begins with a program assessment, determining where the institution stands at the start. This phase then includes actual program design. During this phase, the program developer considers the organization design, resource requirements, and drafts a program. Note that this creative part takes only 3 months. It is reality - the implementation - that takes longer.

Walters' next phase is selling the program - the time during which you obtain support and approval of the draft program. She estimates another 3 months needed for this phase. It is worth taking into consideration, as a reality check, that it can take at least as long to get support for the program as it does to develop it. From a techniques aspect, this is the phase where the compliance manager begins to work with and through other people.

Then comes the day when you launch the program - actual implementation. Here, too, you are working with and through other people in the organization. During this phase, the compliance manager is working with others to develop and implement policies and procedures, conduct training, take steps to raise compliance awareness, and design monitoring and reporting mechanisms. This, in short, is the guts of the program. This phase may not begin until the program development process has already been underway for 6 months. This phase, by itself, takes another 6 months, rounding out the first year.

Once launched and underway, the program should be evaluated. It may be the best design in the world, but the most important question is how effective it is in your singular organization. Once underway, you should implement and review monitoring and reporting results. This is also the time to identify areas of weakness and design fixes. In fact, this process of identifying and fixing weaknesses never actually ends. It is how the program adapts to change.

During the last six months, you can coast with fine tuning and maintenance. Like identifying weaknesses, this process never ends either. It includes tweaking the program and maintaining (and testing) ongoing communications, training, and awareness. It also involves the constant process of documentation.

In selling your program, Walters points out several important steps. First, you must have management buy-in and sponsorship. To get and keep this, you need to build a business case. Saying "because the regulation says so" won't get the kind of affirmative support you need.

Second, know who your compliance partners are and make sure you get the information and feedback from them that you need to keep the program in tune. Communication is the core of any compliance program. Finally, bring the regulators on board. It never hurts to tell them what you are up to and it usually helps. Better yet, if they know about and agree with your program up front, they are more likely to be supportive than critical when they come in to examine you.

Finally, compliance is all about change. The compliance program that is right for your organization is one that takes your organization into account (and that includes the people) and the fact that everything, including regulations and organizations, changes. So your program has to be designed to adapt to change. In other words, it's never done.

ACTION STEPS

Review the development process for your compliance program. If you didn't go through these steps, this might be a good time to do so - or to repeat the process. Privacy makes the perfect topic.
Make sure that any assigned compliance responsibilities and accountabilities are current and appropriate to the jobs.
Evaluate the different ways in which you learn about or identify the need for change or program tweaking. Consider whether you have all the necessary channels of communication open.
Now that privacy is in place, think about how effectively the process worked. Consider whether you had the appropriate support from management and other departments in the bank. If not, figure out how to get it.