Compliance Testing Programs for Small & Medium Firms: Part 1

Compliance Testing Programs for Small & Medium Firms: Part 1

I had the good fortune to participate in a compliance panel with esteemed adviser CCOs in which we shared our lessons learned about building and maintaining effective compliance testing programs from top to bottom. To avoid drinking from a fire hose, I will cover the nitty-gritty details in a two-part blog, one starting from the top and the other building up from the ground floor.

Culture of Compliance

Starting at the top, we agreed that the firm has to operate with a culture of compliance. Critical building blocks include getting management buy-in because compliance cannot be the role of just one person. Here are some of the tips that we discussed:

  1. Minimize concentrated risk

CCOs should demonstrate to the management team that if just one person or department is “doing the work” and “reviewing the work” of the entire firm’s compliance program, then the compliance testing risk becomes highly concentrated within the organization. The firm can suffer from key person risk and inadequate succession planning. It is better to embed functions in the business and operations and allow compliance staff to review, monitor, and test the activity of the business units. This way, accountability spans the entire firm and everyone buys into compliance.

  1. Tailor your method of communications

CCOs should customize communications by tailoring message delivery to different audiences, keeping in mind the level, type, and even the age of the firm’s various employees. People learn and absorb information differently, so a good CCO will meet employees where they best perform to enhance understanding and retention of compliance requirements. For some employees, reading a blog post may be more effective than a traditional memo, while others do better with in-person training and discussions. Active compliance (i.e., by walking around and getting to know people) is often the best way to stay plugged into the business.

  1. Use data to justify necessary resources

For example, CCOs should show how investing in compliance is a risk management tool that is less costly than paying a penalty or a third-party remediation firm. Count the number of ads reviewed to quantify the dramatic increase of work being performed by your team. Discuss the number of employees overseen by compliance personnel. Get financial and talk about compliance as a percentage of gross revenue. In other words, speak the language of your business counterparts.

Creatively Gain Resources

Focusing on the never-ending dilemma of how to secure adequate resources, with people, information, and technology, the panel identified several ways to tackle doing more with less.

  • Leveraging free resources. There are a number of free resources through the SEC website, law firm newsletters and regional compliance roundtables where you can access a wealth of information and connect with peers in the industry. If you want to learn more about regional compliance roundtables in your area, we can help you locate a group in your area. On the flip side, if you run a local Roundtable you may be interested in sharing best practices. In any event, click below to let us know.

  • Explore customizable and inexpensive technology to alleviate the burden of manual tasks so that your experts can focus on the complex issues of the day. Learn more about Joot’s own technology platform here. Investing today in technology can often save time and money tomorrow. A portal which can help you manage documents and your compliance calendar may be all that you need!

  • Be creative with hiring. Attracting interns, part-time support, or shared/rotational associates can be a dynamic way to help someone get a holistic view of the business, recognize compliance as a professional career and free up senior staff at the same time.

Build an Effective Risk Assessment

The panel then walked through how to build a risk assessment which is right-sized for your firm. While there isn’t a formula mandating the specific parameters of a risk assessment, designing a practical and sustainable one just makes good sense. The question is, how to tackle this enormous undertaking. In 2007, the SEC provided some guidance, which you can read here. In addition to that guidance, we recommend the following steps.

Jump in and start. It’s understandable that you can get paralyzed through analysis or try to bite off more than you can chew. Press pause, take a deep breath and start building a simple, one-page matrix from your compliance manual. The program needs to fit your firm, so it cannot be off the shelf. It should be thorough yet not so robust that you cannot keep up with it.

Prioritize and rotate topics. Focus on the big issues in year one and build in a longer-term plan to hit mid-level items in year two and lower risk items in year three. Your risk measurements, if identified, should be taken seriously, so spend some time talking with the business partners as you build this document.

Highlight positive activities which mitigate risk. Don’t forget to take credit for the positive, non-review/non-testing functions that you perform every day. Training counts, document it. Communication is important, capture it. Lessons learned which help prevent, detect and correct will get you far.

The next blog post in this series will highlight critical components and tips to build a successful compliance program from the ground up. Stay tuned.

Dina has over 20 years of experience in the investment management industry, including as chief compliance officer, senior executive over legal and compliance, and board member for registered investment companies. She has worked at a Fortune 100 financial services firm. Recently, Dina co-founded and is Co-CEO of Global Rhino LLC. Global Rhino is an affiliate of Joot and is a boutique firm focusing on Management Consulting Services in order to bridge the gap between managing money and managing the business of asset management. Dina also serves as the Chief Strategy Officer for Joot. For more information, see