Nobody is above the cert. Let your tech do the heavy lifting. Get five more tips on the certs process and building an effective compliance framework from the Head of Central Compliance at the London Stock Exchange Group, David Stephens
At the end of last year, your StarCompliance blogger sat down, virtually of course, with David Stephens—Head of Central Compliance at the London Stock Exchange Group—to discuss the subject of certifications. LSEG uses Star technology to support many of its employee conflicts of interest compliance functions, including personal account dealing, gifts and entertainment requirements, and attestations of compliance to its policies and code of conduct. David had run across one of our blogs on the subject of certifications. In it, we asserted that “regulators use completion rates as a rough gauge of the health of a firm's overall compliance program.” David gently but firmly took us to task on this notion, and offered to speak with us on the record about how he views the certs process, why you can’t prove compliance, and why LSEG’s compliance framework allows people to make mistakes. Following are more takeaways from this in-depth discussion. You can catch up on the first five here.
1. NOBODY IS ABOVE THE CERTIFICATION
This point ties back to one made by David in last week’s blog. That is, 100% completion means 100% completion. It doesn’t mean 99.9% rounded up to 100%. And that means the full participation of the c-suite and other members of senior management. David: “Nobody is above the cert. Tone from the top is a cliché, but it really does matter. It's part of the equation. And of course, I’m by no means exempt from certification requirements, or any other compliance requirement.” This gets at the larger idea of compliance being a trusted brand, and that to establish that brand you have to make sure each and every employee takes part.
2. GO FOR FIVE QUESTIONS IN THE CERTIFICATE
How many questions do you ask in the cert? What should they be? These are questions David himself gets asked about the certs process. “I aim for around five questions in the certificate,” he says. “Any more than a handful and you start to lose the audience. So keep them clear and concise. Simple and with a purpose. There’s no golden rule here. It's whatever fits your company. But I do think there’s a sweet spot between not asking for enough information and asking for too much. Whatever number you end up with, the main idea is to never make the cert complicated. Never make completion difficult. Questions should be binary if possible, requiring a ‘yes’ or ‘no’ response. Try to avoid open ended or ‘maybe’ type responses. Remember, certs cannot solve or answer everything. It’s just one of the vehicles to use in the compliance framework.”
3. YOU’RE ALWAYS WORKING FOR THE BUSINESS
“You need to recognize and appreciate the purpose of what you're doing, why you’re doing it, and how you're going to return value to the business. You are working for the business after all.” So offered David in last week’s blog about where he sees the compliance framework fitting into the larger framework of the firm. "Compliance exists to keep the firm on the right side of regulators," he continues, "to ensure it acts in accordance with the requirements set by laws and governing bodies. But we’re not just a police force. We also need to be partners in the business.” So how do you give value back to the business?
David: “The words are easy: by reducing risk exposure through improved controls. But the actions are harder to deliver in practice. For example, identifying or recognizing areas of low policy awareness or understanding. Understanding the quality, or lack thereof, of the data you capture. Knowing how well compliance responsibilities and obligations are being completed or adhered to, or not. And then you have to act on this information to make changes—to continually improve training, education, and awareness—to better support your workforce and therefore the business. This is where technology can help. If you use it to ask the right questions and then interpret the resulting data, it can give you direction as to what needs to change in your framework, and how the business will need to adapt to changing policy requirements and standards.”
4. ALWAYS WARM UP YOUR AUDIENCE
When planning the certs process, there’s always a need to work with your colleagues and consider compliance requirements from their perspective. “Nobody likes a task to land on their desk and be told they’ve got a week to complete it," offers David. "So you need to warm up your audience. Our approach is, about two to three weeks before the cert is due, send out a firmwide communication, giving a summary of what’s coming—what employees can expect to arrive in their in-box, what they will be asked to do, and why. We also suggest tips for reviewing their records to make sure what they enter is accurate and complete. Ultimately, you’re trying to reach a point whereby you can easily request and gather compliance data sets from your staff. But it’s important they understand why you're asking for it, why it’s important, and how it protects the company and its reputation.”
5. LET YOUR TECH DO THE HEAVY LIFTING
This, of course, is the story of automation. Whether it’s dishwashers, self-driving cars, or pre-clearance algorithms, some piece of tech we can program to do a job—which we can then physically or mentally walk away from without excessive worry—can be a game-changer. David: “Don’t do any job that technology can do for you. Take escalation, for example. Issuing reminders and managing exceptions can be very labor intensive. By programming your technology and effectively branding your communications, you can automate reminders and management reporting through the platform. Save your energy for the thinking tasks, like understanding what the results tell you. This is the kind of approach to compliance that will tell you where your areas of risk are.”
Interested in reading more about David Stephens’ philosophy on certifications and building an effective compliance framework? Get the five takeaways from part one of our two-part blog series right here.