The delegation of risk and compliance responsibilities to nominated officers in legal firms is designed to ensure appropriate organizational focus on regulatory compliance and to enhance accountability for the reasonable and specific discharge of all relevant risk and compliance deliverables. However, whilst the system of delegation was not designed to dilute senior leadership’s ownership of risk and compliance outcomes, it appears that, in some firms, an unintended consequence is that senior leaders abdicate their responsibility for risk and compliance.
A key challenge with regard to the abdication of the responsibility for risk and compliance is that it is not usually easily evident before a major failure arises from such behavior. Furthermore, the false comfort that arises from delegating a non-revenue activity to others obscures some of the warning signs that may indicate that the leadership of risk and compliance is inadequate.
Some of the warning signs to consider include the following:
1. Absence from agendas
The absence of risk and compliance as a regular agenda item at meetings of the senior leadership team and/or board is a sign of its relative unimportance in a firm. In addition to providing regular and structured updates on performance in this area, such meetings should also be a useful forum to receive briefings on key strategic updates from regulators. Imagine the profile of risk and compliance in a firm if the level of awareness of key risk updates from relevant regulators at senior leadership and/or board level were comparable to the awareness of competitor activity and lateral hires in their market segments.
2. No budget
The absence of a dedicated budget for risk and compliance activities could be an indicator of its relative unimportance. Specified budget lines tend to indicate those aspects of expenditure to which senior leadership wish to pay close attention. If risk and compliance expenditure is hidden under another budget line, then it may suggest that an overspend in this area is not a major concern, either because it is very unlikely or because the allocated expenditure is negligible.
3. Weak performance management
The common phrase ‘you can only manage what you measure’ is relevant to risk and compliance. The absence of a robust performance review process for risk and compliance activities is a sign that senior leadership is not that bothered about performance in this area. Another common phrase, ‘measure what matters’, may also be relevant, as the management information pack of performance indicators considered by senior leadership highlights the relative importance of risk and compliance. It is recognized that developing KPIs (Key Performance Indicators) for risk and compliance can be challenging, but the effort deployed to iteratively develop them indicates that senior leadership takes it seriously.
4. Selective enforcement
Persistent non-compliance with risk and compliance policies by staff that generate the most fees is largely overlooked by senior leadership, whilst others are expected to address any non-compliance swiftly. Such selective enforcement of risk and compliance policies is a strong sign that senior leadership are not proactively shaping the right culture and that compliance is discretionary for some.
5. Lone ranger
The role of compliance officers can be both lonely and confusing, and the absence of appropriate supervisory arrangements to provide them with support and to recognize their contribution is a warning sign that risk and compliance is not that important. Being an ethical monitor and/or critical friend within a firm may on occasion give rise to internal conflict. Furthermore, effective compliance officers should constantly be horizon scanning and identifying opportunities to improve performance in alignment with the firm’s strategic ambitions, even before the ‘burning platform’ necessitates change within the firm. The absence of appropriate supervisory arrangements may adversely impact the performance and morale of risk and compliance officers.
Do you recognize any of these signs in your firm?