There’s no perfect solution. 100% completion means 100%. Get all five tips on the certs process and building an effective compliance framework from the Head of Central Compliance at the London Stock Exchange Group, David Stephens
In this blog space, we’ve been consistent in asserting the importance of hitting the 100% completion point for certifications. In numerous resources, we’ve laid out best practices for getting there. The notion has merit. One of the metrics regulators look at in determining whether a firm has an on-the-ball compliance program is the rate of certs completion. The thinking being, if a firm is persistent and organized enough to get sign-off from every last employee—a known challenge—then it’s likely persistent and organized enough to be running the rest of its compliance program well, too.
The danger here is thinking that’s all there is to it, i.e., hitting 100%. In that spirit, today we offer five takeaways from a recent chat with David Stephens—Head of Central Compliance at the London Stock Exchange Group—about making sure your firm’s approach to compliance doesn’t fall into the trap of simply ticking the box.
1. 100% CERTS COMPLETION MEANS JUST THAT
For a blog that’s supposed to be about NOT focusing on the certs completion rate, this may seem a strange initial takeaway from our subject matter expert. But just because David wants to make it clear there’s more to certs than the completion rate, doesn’t mean he can’t appreciate the value of hitting that magic number. On the contrary, he’s positively emphatic about hitting it. David: “At LSEG, we always aim for 100%. And when we say 100%, we mean 100%. Not 99.9% rounded up. All of our colleagues are requested to certify, so we certainly pay attention to completion rates, but we use it as a starting—not an end—point. Then we ask: ‘What does this data tell us? How does it inform our thinking and our processes? What do we need to do?’ Critical insights will emerge from observing and analyzing the seemingly simple process of issuing certificates.”
2. YOU CAN’T PROVE COMPLIANCE
David has been in risk and compliance for more than two decades, the last seven years of which has been spent with LSEG. LSEG has been using Star technology for the last five years or so. While David recognizes the comfort that may be derived from having certain tech or processes in place—or certain numbers at hand—to provide assurance that a firm’s policy compliance program is fit for purpose, he cannot ignore the following, inescapable fact. David: “It's impossible to prove 100 % compliance because we’re talking about human beings, and as we know human beings make mistakes. So my approach is to look beyond certifications, to use the technology to help identify any areas where awareness or understanding could be enhanced, and to use that information to improve our controls. That helps us to demonstrate both that our compliance framework is strong, and that it continues to evolve to support our colleagues, and therefore our business, in being compliant.”
3. BUILD A FRAMEWORK THAT WORKS WITH EMPLOYEES
Given that any firm is reliant on its employees to act in compliance with the requirements set out in its policies, the design of a clear framework which assists employees in meeting their obligations is clearly advantageous. David: “I want a set of compliance policies that articulate requirements clearly, and can be easily understood. I want my compliance technology to work in tandem with those policies and support processes that enable both employee compliance and the demonstration of that compliance. I also want my policies to inform mandatory and other training and awareness processes and communications—to ensure that the individuals working in our organization are aware of firmwide policies, understand those policies, and know inside-and-out the processes and the technology that have been developed to support their declarations of compliance within the system.”
4. BUILD A FRAMEWORK THAT ENABLES LEARNING FROM MISTAKES
If all of your compliance metrics—like certification completion rates—are coming back in at 100% each and every time, is that cause for celebration? Does that automatically mean you have a strong compliance framework? In the mind of David Stephens, the answer to these questions is a firm “no.” Rather, it simply means your processes are being followed: that the proper boxes have been ticked. His solution? Build a policy framework that captures mistakes and enables the firm to learn from them.
“We can only know whether things are truly understood and working if we can identify when they aren’t," says David, "and some of this knowledge comes from assessing the quality and completion of records within our systems. What I'm saying is, while we've developed our tech—in partnership with Star—around the terms set out in our policies, and built our training and guidance to support the procedures and steps required for compliance, we’ve retained flexibility. We haven’t built a system that mandates every step for record completion. Records can be entered at any time, in some cases retrospectively, and the sequence of input isn't prescribed. And making the system easier to use and navigate improves adoption and data capture. Alongside this flexible approach, we’ve put in place the mechanisms to identify errors, so that we can work with our colleagues to better understand reasons for mistakes. This all enables us to better understand and improve the technology and the underlying policy requirement, which allows us to better assess and manage our compliance risks.”
5. THERE’S NO PERFECT SOLUTION AND THERE NEVER WILL BE
The only constant is change. How often have we heard some variation of this statement? Compliance is certainly not immune to this universal principle of unending evolution and David is quick to acknowledge it as a guiding ethos for how he approaches policy compliance. David: “There's no perfect solution. It doesn't matter how long you've been in compliance or how well you think you know it. There's no perfect solution because regulation, legislation, and risk appetites are always evolving, and businesses and people are constantly changing: adapting to new environments or ways of working. As such, compliance needs to be equally flexible—to be able to evolve and adapt—to meet the changing needs of the business and to effectively communicate that change and train our colleagues on it. We’ve spent the last two years working with Star to tweak the platform. It's been changed very subtly. It’s still the base STAR system, but we've adapted the rules and workflows within it to accommodate this flexibility, and to allow us to identify and manage the instructive errors that people make.”
“Coming back around to certs, where our discussion began, go back to the start and ask yourself: ‘Do I have a compliance technology that’s hard-coded with mandatory, policy-enforced rules and controls and prohibitions? A system that restricts and controls data workflow? A system that doesn’t allow for flexibility? If so, the certificate will go out, and you may well tick the 100% completion box, and you may appear to be perfectly policy compliant. But this approach leaves little room to learn, improve, or adapt. I know every process has to have ticks-in-boxes, don't get me wrong, but this shouldn’t be the end goal. We return real value to the business by continually improving what we in compliance do.”
Interested in more of David Stephens’ views on certifications and building an effective compliance framework? So are we, so look for five more takeaways from our recent, in-depth StarBlog chat with the LSE’s Head of Central Compliance next week in this same space.