3-to-1: The Golden Ratio of Sustainable Governance

To protect your information or your money, you don’t just rely on one source. Instead, most of us use multiple tiers of security for the job, such as personal/private computers and software, keys, passwords, banks and law enforcement if needed. Likewise, as both corporate officers seek to protect their businesses’ reputation and compliance officers seek to effect lasting change, they must prioritize and engage multiple lines of defense.

Many businesses take a short-sighted approach to preventing ethics violations and external investigations by designating compliance and risk officers as the primarily accountable first line of defense. This perspective effectively silos compliance away from other areas and reduces its role to inadequate, reactive firefighting. Rather, a business using Sustainable Governance as a means to increase social and financial capital assigns three lines of defense towards maintaining an ethically efficient workplace. This 3:1 ratio of three defense layers to your company’s unified anti-fraud/ethics obligations will deliver an ROI on compliance resources that minimizes fire-fighting and maximizes business efficiency.

First Line/The Business Itself: All departments in your organization should participate in compliance. Compliance officers may not be the first to witness errors, unethical behavior or faulty product designs (consider the recent SEC enforcement actions on Wealthfront and Hedgable’s non-compliant “robo-advisors”), so everyone across a company should be empowered to act.  This first line of defense should be prepared to engage with compliance; effective training and information is key to that preparation. Training materials should emphasize the personal edge earned when business leaders adopt ethically responsible business practices. Because of this, the primary motivation for employees to perform this defensive mandate will rest mainly on their own self-interest, should the training prove successful. Compliance officers should measure the value and ROI of their efforts and share them with the business leaders they serve. Particularly at this time of year, they should also share annual compliance reports throughout the organization.

Second Line/The Management Tier: Management personnel is the second line of defense. From facilitating cooperation with compliance to self-reporting regulatory gaps and setting behavioral expectations for their departments, they set the tone of enforcement. They should also be trained to perform as deputized compliance officers. My recent podcast with Tom Hardin details how fudge-factor thinking that nomalizes disregard for ethics and compliance can corrupt departments. Managers can counter that with strong incentives when the 3:1 ratio empowers them to do so.

Third Line/The Compliance Tier: This tier includes compliance officers and the internal audit team. With a Sustainable Governance framework, they utilize technical tools and resources to perform their duties, regularly report on the ROI of the compliance program and interface symbiotically with their colleagues in the first and second lines. Once a compliance issue reaches their attention, they can take appropriate action. Compliance take the lead on readjusting the workflow, systems and policies of the first and second lines within this framework. Finally, they can implement engaged training which instructs on defensive procedures that also foster smart innovation and growth.

Beth Haddock is author of Triple Bottom-Line Compliance – How to Deliver Protection, Productivity and Impact, and advocates delivering sustainable compliance that increases brand protection, risk mitigation, productivity, and employee engagement.

To receive a concise snapshot of how your current compliance program is serving you, take Beth’s complimentary assessment.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes:

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>