Essential to Recognize Traditional and Non-traditional Regulations
Volume and Velocity of Regulations: A Challenge
The two largest challenges for compliance today are the volume and velocity of regulations that impact companies. By that I mean the volume of regulations is growing exponentially, and regulations are being promulgated faster and faster.
As is always the case, the first step in compliance is recognizing which regulations apply. Although I work in an industry that has been highly regulated for decades, new regulations are created constantly. These regulations come from both traditional and non-traditional arenas. The NERC reliability standards are a good example of traditional regulation: NERC has been around since 1968, but in 2005 FERC was given authority to essentially turn what were previously voluntary standards that evolved over decades into mandatory requirements that change annually. In fact, since 2008, when NERC’s Critical Infrastructure Protection (“CIP”) regulations were initially implemented, NERC has approved its 5th version of CIP and is currently working on versions 6 and 7.
A good example of a non-traditional regulation is the recent Conflict Minerals legislation. On its face, electric utilities like ours would not seem to be impacted because it is about raw minerals from certain countries in Africa, but when you get into the details, they could be. Addressing this potential compliance issue required first that we know the legislation existed, second that we analyze the legislation to understand it well enough, and third that we analyze its potential impact on our company. The fourth step would be seeking compliance relief for our entity through exclusion if appropriate. All of this takes time and energy from both compliance staff and our subject matter experts.
Healthy Line of Communication
There are three things a compliance officer must be prepared to do every day.
a. Maintain awareness of your regulatory exposure,
b. Develop and foster relationships both inside your company and out,
c. Be prepared to take a stand even if it puts your job at risk.
Although no compliance officer can know the details of every regulation that could impact their company, they can develop a set of tools to reduce the risk of missing something. Chief among those tools is relationships inside your company and within your industry. Maintaining relationships with your subject matter experts in your company is the first step in the process. There must be a healthy line of communication going both ways with your subject matter experts. The next step is developing relationships with your regulators so that you can know how they view your company. Last but not least are your contemporaries in other companies in your industry. They are in the best position to know what you are going through and can provide sage advice on dealing with your regulators, a heads-up for new issues, a safe place to explore ideas, and a shoulder to cry on.
The most important tool, though, is the willingness and ability to take a stand. You owe it to your company and yourself to hold the Company accountable to do the right thing for the right reason, every employee, every day.
Advice to Fellow Compliance Officers
Every Compliance Officer I have ever met has had the awkward elevator conversation with their CEO that goes something like this.
CEO to CO “Are we in compliance today?”
CO – [Awkward Pause] “Yes” [thinking] “I sure hope so”
CEO – [Awkward Pause] “Good” [thinking] “Why do I pay a Compliance Officer”
What a good compliance officer knows is that during that brief exchange a new regulation could have become enforceable that the CO knows nothing about, while at the same time someone in the company could be making a decision causing the company to be out of compliance. A good CEO wants to be supportive and receive assurance that the CO has it covered. So the first thing to do is to prepare in advance an elevator speech that is both true and relevant. A better answer for the CEO could be, “We have effective compliance governance policies and procedures in place to recognize the company’s compliance obligations, an accountability structure in place to ensure those obligations are being met, and a compliance assurance function reviewing evidence of compliance to make sure the company can prove its compliance. We are leveraging our cost-effective Compliance Management Tool to tie everything together. I appreciate your commitment to our company’s compliance and for setting the tone for everyone.” When you can truthfully make this speech every time you see your CEO, you will both be much happier.