What is a Compliance Center of Excellence?
While there is no definition of a CCoE, there are several definitions of a Center of Excellence (COE), which I have drawn from for this article.
In a OneSpan article, entitled “Centers of Excellence (Why Create One)”, Jodi Schechter interviewed Mark Kafka, who defined a Center of Excellence as “a discipline within an organization. The concept of a Center of Excellence is to build out key processes and expertise across the enterprise. It is typically based on a technology, a critical process or an application – to help the organization adopt that process and become efficient at it.”
From this, you can see it is a team that promotes compliance collaboration within an organization. It utilizes best practices around compliance to drive greater business efficiencies, more profitability and customer-valued results. Drawing from Mark Vaughn’s Navint white paper, entitled “Financial Services: Compliance Center of Excellence”, another way to consider a CCoE is that it is a coordinated team with resources that have a range of interrelated skills and responsibilities, in a collaborative working forum, designed to share knowledge, promote best compliance practices and drive successful business results.
A CCoE should have areas, which the Horizon Group identified in its blog post “What is a Center of Excellence”. First it should offer support to the compliance function’s customer, company employees, third parties and other impacted by the corporate compliance function. It should provide support for those impacted by compliance in an organization by being a subject matter expert (SME) in the compliance arena. There should be guidance from the CCoE in compliance standards, methodologies and the CCoE should act as a compliance knowledge repository. A CCoE should provide shared learning, including compliance training and certifications, skill assessments, team building and formalized roles which are all ways to encourage shared learning. A CCoE should provide measurements, which demonstrate it is delivering the valued results that justified their creation through the use of output metrics. Finally, in the area of governance, a CCoE should allocate limited resources across all their possible uses, ensuring organizations invest in the most valuable projects and create economies of scale for their service offerings.
From this general description, I see two overarching themes for a CCoE. It should obviously begin with a regulatory backbone, through compliance SMEs supporting the company. It must also deliver demonstrable and tangible results to the business. It would have a clear mission focused on the business and the compliance requirements that must be addressed for each organization.
However, this should then morph into a more business process approach, as a CCoE would become a team of specialists who work together to develop and promote compliance best practices. While initially it may be focused on providing compliance guidance to a company, it would then move to deliver business services, or operationalize compliance throughout an organization. Vaughn notes this could include, “areas such as human capital management, project management, quality assurance, regulatory compliance, business analysis, continuous process improvement, and enterprise performance management."
A successful CCoE will aid a company to “understand and set priorities, create a roadmap, standardize approaches and support processes that improve the underlying structures of compliance over time.”
Whichever form it takes, the CCoE model should include SMEs, together with other resources that become an integral part of the compliance function, supporting the business in an advisory capacity and delivering discrete services. A successful CCoE will aid a company to “understand and set priorities, create a roadmap, standardize approaches and support processes that improve the underlying structures of compliance over time.” Indeed Kafka was quoted that a CCoE “establishes a best in class operation AND it’s a scalable and repeatable process. It becomes the organizational standard. In doing so, intel from channels of operation that have already adopted practices reduces the learning curve for those new to the organization. Documented processes can be easily rolled out to new channels.”
As with the compliance function in total, it should work with the business unit to design, create and implement a compliance solution that can be pushed out to more fully operationalize compliance. Vaughn noted that the CCoE team would “work to develop a roadmap based on careful planning and analysis, including understanding how, through scenario planning efforts, the organization will pivot one direction or another, to initially address regulatory compliance and improve it over time.”
It would allow compliance to be more integrated in planning and strategy discussions to stay tuned to the ever-changing risk profile of a company. Moreover, through this interdisciplinary approach, it would bring compliance knowhow to help the business folks understand that compliance is, in reality, a business process and as a business process, it can easily be incorporated into business unit operating procedures going forward.
A CCoE can become a very powerful tool for the compliance function in an organization. Compliance is properly seen as business process. If you integrate the compliance framework of controls, incentives, continuous information and its feedback into your company’s business process, it will not only make your organization more efficient but at the end of the day more profitable.
Design of a Compliance Centers of Excellence
Next, I want to expand out into how a Chief Compliance Officer (CCO) or compliance practitioner would design a CCoE) for compliance and then conclude with how you might fit it into your organization.
About the best representation of a CCoE comes from Mark Vaughn, author of the Navint white paper, entitled “Financial Services: Compliance Center of Excellence”.
Through this diagram, Vaughn lays out a way for you to think through your CCoE. He believes a CCoE will be successful, in large part, because of the personnel you assign to it in a variety of areas. These areas include advanced levels of compliance knowledge and compliance competencies and would include training and certifications. Moreover, your CCoE staff must be “capable of working in a consensus-based organization and committed to knowledge sharing, developing and leveraging various standards and methodologies and be able to communicate new approaches and leading practices to the organization.”
This circle clearly represents many concepts that every CCO and compliance practitioner will be quite familiar with from their own experience. Under Risk and Controls environment, it would include the three steps of the risk management process and then add on remediation management. It would also include risk data information, data protection and data privacy components that you would need to test. Finally, if there was a breach, it would facilitate both investigation and root cause analysis.
Policy and Process moves beyond simply compliance policies and procedures to include compliance as a business process; delineating roles and responsibilities. There would be a focus on both reporting requirements and governance. Further, the CCoE would develop metrics and independent testing for verification and feedback.
For Solution Design, there would be focus on the overall compliance regime requirements to provide a functional solution design. This area would provide the support architecture needed to create the infrastructure and roadmap for compliance moving forward. After deployment of new solutions, this area would also provide continued support.
Under Go-Live Support, there is roll out, deployment and ongoing support activities from the CCoE to the business units. This helps to facilitate knowledge transfer and further the operationalization of compliance down to the business unit level. This area would also include certifications, examination and audit support. Finally, it would also facilitate ongoing compliance communication.
In the Requirement Analysis quadrant, there would be a group focusing on your internal control and rule-making lifecycle. It could provide legal analysis of anti-bribery and anti-corruption requirements across the globe; providing consistent definitions which would assist the employee base. You could also include industry bench-marking in this group. Lastly, the Training and Education grouping would help to develop the compliance training materials for both internal stakeholders and external business relationships such as agents, distributors, vendor, joint venture partners or others similarly situated. This group could also work with your corporate Human Resources (HR) function to communicate company expectations around ethics and compliance throughout the lifecycle of the employment process. It would use social media for ongoing communications on compliance and develop best practices in this area as well.
What would success for a CCoE look like? Here Vaughn has some criteria. A successful CCoE would help to build a tighter and frictionless alignment between the business and infrastructure units -- especially compliance, risk, reporting and technology. It could move more quickly and more forcefully to improve the adoption of and adherence to compliance requirements from a wide variety of regulators literally across the globe. It could then pair this with end user solutions supporting compliance reporting with better design, planning, training and fit to purpose tools.
A CCoE would take the lead in developing the strategies and business priorities to meet regulatory compliance initiatives and would work to achieve overall business agility by increasing the success of processes and technology through ongoing improvements. Next it would increase the success of designing and deploying the compliance solutions and technology required to meet compliance requirements; thereby delivering more value, less cost and less time.
Vaughn ends by noting that in developing and delivering the compliance needs of any global, multinational organization requires an integrated approach, which requires an interconnected organization aligned to support a common set of goals and objectives; most directly to more fully operationalize your compliance regime. Deploying a CCoE requires the broad participation of the company and the commitment of senior leadership to drive the organizational transformation. This transformation requires a clear vision of the people, process and technology required, properly aligned to support policy, strategy and governance. Applying the principles of a CCoE will provide organizations with the strategic platform they need to more fully operationalize compliance across the ever-widening scope of anti-corruption requirements across the globe.
