Sarbox, Dodd-Frank and Beyond

As the pace of regulatory activity is increasing, so too are the costs. And in addition to the regulations themselves, Sarbox helped usher in a whole new level of costs of compliance that needed to be accounted for.
People can argue whether the new regulations that emerged in the wake of Sarbox make sense. Either way, compliance has now become a major cost of doing business, and more importantly, one that continues to grow.

Sarbox Was Only the Beginning

Since Sarbox took hold, it”s fair to say that most businesses have managed to keep their heads largely above water when it comes to meeting compliance requirements. But while they may have weathered the storm so far, they may be less than adequately prepared for a tidal wave of additional regulations looming on the horizon.

Compliance officers can create effective compliance strategies and policies only after regulations are written and implemented. And it”s the part of the iceberg you don”t see that represents the forthcoming challenges. To cite just one major example, even as we approach the second anniversary of the passage of Dodd-Frank, less than a third of the legislation has been codified into regulations.

In addition, many of the new regulations are growing in complexity. Measures such as the UK Bribery Act or the U.S. Foreign Account Tax Compliance Act are expanding the extraterritorial reach of regulators. Compliance officers need to ensure that operations meet not only the regulatory standards within the domestic market but also those of regulators in other jurisdictions that may apply.

Better Strategy, Not More Manpower

The oncoming flood of regulations requires fresh thinking and new approaches. Managing the growing body of regulations will obviously require expanded resources. However, there are practical limits to how successfully one can manage more regulations simply by throwing more bodies at them. As the compliance environment becomes larger and more complex, new strategic overlays need to be applied. The three primary rules of compliance are still in play: Identify, Prioritize and Mitigate. But the balance in managing those three objectives is shifting.

Until recently, the emphasis has often been on mitigation. This is certainly understandable. One of the primary objectives of the compliance role is obviously to avoid sanctions and penalties being applied against the organization. In compliance, results clearly matter. But while outcomes are definitely critical, the sheer volume of regulations facing today”s businesses means that work at the front end now takes precedence.

We recently completed the “Cost of Compliance 2012 Survey,” which found that more than a third of compliance professionals spend an entire working day each week staying up-to-date with regulatory changes. With the introduction of new regulations accelerating, that level of workflow is clearly unsustainable.

So effective identification and prioritization have become essential. Compliance officers must ask themselves, “How do I tackle this enormous mass of regulations and sift through it?” Reading every word of every pertinent new regulation today is an impossibility.

So the ability to prioritize and focus on which regulations, regulators and markets are most critical to the business is key to keeping up with the regulatory deluge.

Solution = Automation + Good, Old-Fashioned Brainpower

Another factor that has changed dramatically over the past 10 years is the pace of technology. But that presents a double-edged sword. The growth of computing power, particularly mobile technologies and networks operating in “the cloud,” has contributed significantly to the explosive growth of data. Managing those mountains of ones and zeros only further complicates the task of ensuring that a business”s information is in compliance.

Thankfully, technology also offers a measure of salvation to balance the burdens that it creates. New solutions are making it easier to sort, analyze and taxonomize those enormous piles of information. Because the information is created in an electronic environment, solutions must be able to deal with that information at the same level.

Automated tools can place pieces of information into their proper workflows, ensuring that information related to anti-money-laundering, for example, goes in one direction, while securities filings go in another direction. Automation can accomplish much of the “heavy lifting” of data piles, in somewhat the same manner as early case assessment tools can winnow reams of electronically stored information for litigation into discretely coded, sorted and prioritized bundles.

But at some point, effective compliance still must rely on the human element ” the application of clear, analytical thinking and problem-solving skills. Using automation to effectively parse, taxonomize and prioritize data improves efficiency by freeing compliance officers to focus on information that is truly “mission-critical” to the business.

Investment and Commitment

In an era of tightening corporate budgets and still-jittery financial markets, securing the level of corporate resources needed to meet compliance requirements adds an additional layer of challenge. Growing requirements coupled with increasing competition for experienced talent are driving up costs. In our recent survey of more than 500 compliance professionals at companies around the globe, fully 70% expect the cost of senior compliance staff to be higher this year. At the same time, only 11% of companies expect a significant increase in their budgets for compliance this year, even as major portions of Dodd-Frank and other reforms take hold in the coming months.

Beyond the financial commitment, the compliance function also needs the proper authority and support from the board and upper management or it will not succeed. I recently participated in a panel discussion with several compliance officers who agreed that given its growing level of responsibility, the position should either report directly to, or at least have direct access to, the board and CEO. In addition, the position must have the authority to report in an executive session to either the board or the audit committee, allowing the chief ethics and compliance officer to address issues without management interference.

Chief compliance officers must be free to perform their duties in supporting the interests of the company within their organizations. Support from above and authority to act are vital in this regard. An effective chief ethics and compliance officer raises tough questions, interviews employees at all levels as well as partners and suppliers, reviews documents and more, and must be able to do so without impediment from others inside or outside of the organization.

Sarbox +10: Now What?

Sarbanes-Oxley was the dawn of a new era of regulation, and at the time, many of us were somewhat shell-shocked at the broad expanse of the new requirements. Businesses were being stretched to meet its requirements. Looking back, however, Sarbanes-Oxley merely set the bar for the wave of regulations that followed and is no longer the Mother of All Regulations it once was. And looking back at Sarbox only serves to remind us of the importance of looking forward in order to be properly prepared for what we know lies ahead.

Scott McCleskey is global head of Financial Services Regulation for Thomson Reuters Governance, Risk & Compliance. A copy of Thomson Reuters” Governance Risk & Compliance “Cost of Compliance Survey 2012″ can be downloaded at http://accelus.thomsonreuters.com/costofcompliance.

”

When Sarbanes-Oxley was passed 10 years ago, it was difficult to envision the regulatory world we live in today. Accelerating globalization of the economy, increasing complexity of financial institutions and markets, and the global financial crisis of 2008-09 have brought us to a regulatory environment that is far broader and more complex than anyone could have foreseen at the time.

Sarbanes-Oxley (“Sarbox”) was certainly a wake-up call for a lot of people. It was the beginning of a trend that accelerated following the financial crisis. It not only represented a new set of regulations, but also triggered a realization that an entirely new level of regulation, compliance and oversight was taking hold. It set the stage for new waves of regulation, including the Fair & Accurate Credit Transactions Act, the UK Bribery Act and Dodd-Frank, to name only a few.

And the pace of regulation continues to accelerate. Our analysis shows that global regulatory activity has recently been increasing by about 16% each year.

As the pace of regulatory activity is increasing, so too are the costs. And in addition to the regulations themselves, Sarbox helped usher in a whole new level of costs of compliance that needed to be accounted for.
People can argue whether the new regulations that emerged in the wake of Sarbox make sense. Either way, compliance has now become a major cost of doing business, and more importantly, one that continues to grow.

Sarbox Was Only the Beginning

Since Sarbox took hold, it”s fair to say that most businesses have managed to keep their heads largely above water when it comes to meeting compliance requirements. But while they may have weathered the storm so far, they may be less than adequately prepared for a tidal wave of additional regulations looming on the horizon.

Compliance officers can create effective compliance strategies and policies only after regulations are written and implemented. And it”s the part of the iceberg you don”t see that represents the forthcoming challenges. To cite just one major example, even as we approach the second anniversary of the passage of Dodd-Frank, less than a third of the legislation has been codified into regulations.

In addition, many of the new regulations are growing in complexity. Measures such as the UK Bribery Act or the U.S. Foreign Account Tax Compliance Act are expanding the extraterritorial reach of regulators. Compliance officers need to ensure that operations meet not only the regulatory standards within the domestic market but also those of regulators in other jurisdictions that may apply.

Better Strategy, Not More Manpower

The oncoming flood of regulations requires fresh thinking and new approaches. Managing the growing body of regulations will obviously require expanded resources. However, there are practical limits to how successfully one can manage more regulations simply by throwing more bodies at them. As the compliance environment becomes larger and more complex, new strategic overlays need to be applied. The three primary rules of compliance are still in play: Identify, Prioritize and Mitigate. But the balance in managing those three objectives is shifting.

Until recently, the emphasis has often been on mitigation. This is certainly understandable. One of the primary objectives of the compliance role is obviously to avoid sanctions and penalties being applied against the organization. In compliance, results clearly matter. But while outcomes are definitely critical, the sheer volume of regulations facing today”s businesses means that work at the front end now takes precedence.

We recently completed the “Cost of Compliance 2012 Survey,” which found that more than a third of compliance professionals spend an entire working day each week staying up-to-date with regulatory changes. With the introduction of new regulations accelerating, that level of workflow is clearly unsustainable.

So effective identification and prioritization have become essential. Compliance officers must ask themselves, “How do I tackle this enormous mass of regulations and sift through it?” Reading every word of every pertinent new regulation today is an impossibility.

So the ability to prioritize and focus on which regulations, regulators and markets are most critical to the business is key to keeping up with the regulatory deluge.

Solution = Automation + Good, Old-Fashioned Brainpower

Another factor that has changed dramatically over the past 10 years is the pace of technology. But that presents a double-edged sword. The growth of computing power, particularly mobile technologies and networks operating in “the cloud,” has contributed significantly to the explosive growth of data. Managing those mountains of ones and zeros only further complicates the task of ensuring that a business”s information is in compliance.

Thankfully, technology also offers a measure of salvation to balance the burdens that it creates. New solutions are making it easier to sort, analyze and taxonomize those enormous piles of information. Because the information is created in an electronic environment, solutions must be able to deal with that information at the same level.

Automated tools can place pieces of information into their proper workflows, ensuring that information related to anti-money-laundering, for example, goes in one direction, while securities filings go in another direction. Automation can accomplish much of the “heavy lifting” of data piles, in somewhat the same manner as early case assessment tools can winnow reams of electronically stored information for litigation into discretely coded, sorted and prioritized bundles.

But at some point, effective compliance still must rely on the human element ” the application of clear, analytical thinking and problem-solving skills. Using automation to effectively parse, taxonomize and prioritize data improves efficiency by freeing compliance officers to focus on information that is truly “mission-critical” to the business.

Investment and Commitment

In an era of tightening corporate budgets and still-jittery financial markets, securing the level of corporate resources needed to meet compliance requirements adds an additional layer of challenge. Growing requirements coupled with increasing competition for experienced talent are driving up costs. In our recent survey of more than 500 compliance professionals at companies around the globe, fully 70% expect the cost of senior compliance staff to be higher this year. At the same time, only 11% of companies expect a significant increase in their budgets for compliance this year, even as major portions of Dodd-Frank and other reforms take hold in the coming months.

Beyond the financial commitment, the compliance function also needs the proper authority and support from the board and upper management or it will not succeed. I recently participated in a panel discussion with several compliance officers who agreed that given its growing level of responsibility, the position should either report directly to, or at least have direct access to, the board and CEO. In addition, the position must have the authority to report in an executive session to either the board or the audit committee, allowing the chief ethics and compliance officer to address issues without management interference.

Chief compliance officers must be free to perform their duties in supporting the interests of the company within their organizations. Support from above and authority to act are vital in this regard. An effective chief ethics and compliance officer raises tough questions, interviews employees at all levels as well as partners and suppliers, reviews documents and more, and must be able to do so without impediment from others inside or outside of the organization.

Sarbox +10: Now What?

Sarbanes-Oxley was the dawn of a new era of regulation, and at the time, many of us were somewhat shell-shocked at the broad expanse of the new requirements. Businesses were being stretched to meet its requirements. Looking back, however, Sarbanes-Oxley merely set the bar for the wave of regulations that followed and is no longer the Mother of All Regulations it once was. And looking back at Sarbox only serves to remind us of the importance of looking forward in order to be properly prepared for what we know lies ahead.

Scott McCleskey is global head of Financial Services Regulation for Thomson Reuters Governance, Risk & Compliance. A copy of Thomson Reuters” Governance Risk & Compliance “Cost of Compliance Survey 2012″ can be downloaded at http://accelus.thomsonreuters.com/costofcompliance.

”