I took over the Group Chief Compliance Officer (CCO) role of the Allianz Group in spring 2020, with the mandate to transform the compliance function across the Group and to define its reorientation. I quickly defined 3 objectives for a Compliance Reorientation (CoRe):
· Culture: contribute to a strong Compliance culture across the Group,
· Prevention: rebalance the compliance functions across the Group with a higher focus on the prevention of compliance failures (more ex-ante, less ex-post activities),
· Risks and controls: reinforce the activities of Group Compliance (GC) in the assessment of compliance risks and of the effectiveness of controls in the companies of the Group.
The CoRe plan entailed many activities. One of them was the re-organization of the compliance function. This is a very important step in the definition of a Corporate Compliance Program (CCP), as defined for example by the US Department of Justice.
A choice between two organizational models
I decided to design the function around its activities, with a value chain of 3 components plus one separate team:
· Prevention & Advisory, the “input” or “Design” team, focused on existing and upcoming laws and regulations, and their translation into internal standards and rules,
· Risks & Controls, the “output” or “Effectiveness” team, monitoring the effective implementation of standards and rules, the assessment of risks, the resolution of failures, and investigations,
· Governance & Oversight, the “support” team, the equivalent of a COO function for the Compliance function: IT solutions, people, and budgets (see my article on the Internal Audit COO),
· A separate team dedicated to the holding company Allianz SE, treated as a “solo” entity, an important expectation of the insurance regulator (BaFin).
An alternative set-up, which I have seen in banks for example, is an organization by area, the “Compliance families”. For example, for Anti Money Laundering and Counter Terrorism Financing (AML-CTF), one team would cover the entire value chain, from prevention and rule setting to risk assessment, on-site checks and issue management, as well as the dedicated AML-CTF IT solutions and tools. This set-up, with enough resources, allows a high degree of specialization per area. I went the other way, for two main reasons:
– The talent profiles are not the same. Many good legal minds are involved in prevention and rule setting, while risk and controls activities are well suited for former auditors, risk specialists and business process experts.
– I like segregation of duties. I prefer to have two separate teams for Design and Effectiveness testing.
The main tasks of the Prevention & Advisory Team (for an Insurance Group)
· Tracking of new Regulatory developments (laws, regulations, circulars)
· Definition and update of the Code of Conduct, the Group Compliance Policy, Internal Standards, Functional Rules
· Advice and Prevention, with the involvement of the Compliance function in new legal structures, in the approval process for new products, new markets or new countries, in specific transactions (distribution agreements, M&A transactions), and in business projects. Attendance at the M&A Committee, Reputation Risk Committee and ESG Committee
· Big cases and product bans: review of possible infringements by competitors (“big cases”) and of products banned by authorities and regulators
· Regulatory Compliance: liaison with other departments bearing a compliance responsibility. The Compliance function owns 3 areas: Anti Financial Crime (AFC), Customer Protection (CP) and Market Integrity (MI). The Solvency II key control functions (Risk, Actuarial, Audit) own their own compliance obligations, as do other functions (Legal and Accounting, Tax, HR, IT).
The tasks of the Risks & Controls Team
· Compliance risk assessment for all compliance areas
· Definition, development and maintenance of a methodology for the risk management of the compliance areas: inherent risk (driven by research on fines, penalties and sanctions), mitigating controls (primarily driven by reported deficiencies), residual risk
· Steering of risk exposure at entity and Group levels: responsibilities and accountabilities across entities per risk category, qualitative statements, and quantitative thresholds per risk category
· Liaison with the Risk function
· Monitoring of results from regulatory inspections, internal and external audits, major complaints, and fraud cases. Issue tracking (remediation and escalation)
· Monitoring of local entities' Compliance policies
– Implementation follow-up and tracking of Standards and rules at holding and local entity levels, monitoring of deviations, remediation and, where needed, escalation
– Evaluation of guidance and training needs for employees and local entities
– Steering of local entities' training activities
– Management of bonus gates (in case of Compliance failures, training targets not met, etc.)
· Definition and maintenance of a Catalogue of Group Controls (2nd level)
· Compliance Reviews (Quality Assurance)
· Whistleblowing and Investigations (Speak up)
The activities of the Governance & Oversight Team
· Oversight of local Compliance functions
– Communication, internal meetings and events, and key Compliance community meetings
– Steering & Monitoring of local Compliance budgets
– Liaison with other 2nd LOD
· HR management, planning and development
– Recruitment of key compliance executives (including CCO vetting) and Talent Management
– Performance management of key CCOs (targets and performance reviews, in coordination with local CEOs)
· Overall Reporting: Annual Report and Quarterly Report to the Board of Management
· Resourcing: Compliance Plan and Budget
· Compliance tools and projects: IT, digital initiatives and projects, benchmarking against competitors
This new organisation rapidly brought the overall Compliance function to a higher level of excellence, and proved very effective in managing a crisis situation.