Setting boundaries: the three lines of defence model


15/11/2022


One of the issues we wanted to discuss is the role of auditing in relation to compliance, i.e. what are the limits of the functions of the compliance officer and internal audit? My experience is that in many companies the Compliance area arises from auditing, and in other cases it arises from legal. And there is a wide range of cases. But not all companies have separate positions for the compliance office and internal audit. In fact, this happens in the smallest companies, and in some cases I have come across very large companies in Central America that cannot afford it.

América Móvil is a multinational company and is also listed on the stock exchange. How has the structure and mission of each of these two functions been approached? Now, are the annual work plan, the objectives and the division of tasks set out jointly, or, precisely in order not to pre-condition the conduct of others, do they operate through the so-called Chinese Wall? What is the dynamic that has been implemented, without giving too many details, in América Móvil, and what is your vision on this point?

It is very interesting how Compliance is approached in a multinational. In América Móvil, the creation of the compliance office is a recent development, we are talking about an effort that is no more than three years old. This does not mean that Compliance work was not carried out in the different companies or subsidiaries of América Móvil, in the different countries, but that each Compliance or sometimes Compliance outlines were done in a somewhat intuitive way by each of the subsidiaries. And then, sometimes it was mandated by some regulatory or normative provision. Sometimes it was due to the good offices of the people who preferred to start with this type of conduct, a bit to give it ethics and moral reason for being, in accordance with certain principles that the company has. 

When we arrived, we saw that each subsidiary in each country did it differently, and so we have some very interesting points, which is why this question is very important to me: How far are the limits of an internal audit, and how far are the limits of Compliance? Because in some places, the internal auditor has taken on these functions and we are currently talking to these departments, with these parts of the companies, precisely to understand how they established these regulatory controls, and how far they are and how far we are. In this sense, what I can tell you is that our main vision to be able to see where the powers and responsibilities of each one of them lie, is established in a diagram that perhaps everyone knows, which is the issue of lines of defence.

We understand that there are three lines of defence. The first is precisely the operational areas, which are those who are in daily contact with the risks, with the operation, with what they do or with what may generate some kind of risk for the companies. Then comes the second line of defence, which is assumed precisely by the compliance officer, who has a somewhat strategic function and a long-term vision. He or she has to be in close contact with the partners, with the owners of the companies, precisely to understand the degree of risk that can be borne, and from there generate a code of ethics and policies, which are like the guidelines that will be derived from this Code of Ethics. What we lawyers call the positivity of this code of ethics, that is to say, it will be structured, it will generate the obligatory aspect derived from this internal founding norm that is this Code of Ethics, and then the other processes and procedures will follow.

And then comes a third line of defence, which is precisely internal auditing. If we are clear about what each of the lines of defence does, we will see that they are complementary and therefore, to talk about Chinese Wall, it seems to me that sometimes it could be a bit risky in terms of the implementation of due compliance, because compliance is fundamentally based on a cultural change or a cultural structure of how things are done in a company. 

That is to say, the actions that Bimbo does, the actions that América Móvil does, the actions that Coca-Cola does, the actions that smaller companies do; they have a "footprint", regardless of the brand. And that footprint is how they do things. And that way of doing things is what gives you compliance. It is "we do this the América Móvil way" and then that América Móvil way is the one that has to be based on the Code of Ethics and has to permeate horizontally in all subsidiaries. So, based on that is where we create a structure, which can be generated by policies and then those policies by some kind of audit, to be able to understand how it is being done. Or the purpose of the audit is to see how that policy is being applied and how that policy is being understood. But what internal audit does is precisely to see whether what is being done, whether the structuring of those policies is effective and whether they are efficient, and whether they are being done in the right way. In other words, what the third line of defence or internal audit does is precisely to corroborate that what is being done is being done, is being done correctly and is being done effectively. But it never says what it has to do. That part of the design corresponds precisely to the Compliance Officer.

And bringing up the issue of the different lines of defence, taking into account the role of Compliance and audit, there is a saying that the auditor is beholden to the board and the Compliance Officer is beholden to the shareholders. How correct is this statement in your view?

From a broader point of view, Compliance in any company is not established as a recipe. Each Compliance has its own way of doing it, because all companies are different, in terms of size, objectives and subject matter. Compliance must therefore be tailor-made. In other words, even if you wear glasses and I wear glasses, your glasses are not going to fit me, they have to be custom-made for me, otherwise they won't work for me. I have to make a Compliance according to my way of understanding reality, of understanding the risks and of providing a solution to those risks. 

So who does the compliance officer give the information to, and who does the internal auditor give the information to? It depends a lot on how Compliance is structured. What I can tell you is that shareholders have, as their right hand, a sense of consultation on what Compliance does, i.e. Compliance assures shareholders that what is being done is correct and in some way efficient. Because in the long run, what this will mean is that you will have a company that has a long-term horizon, if you do things right, then you will most likely do well, regardless of commercial strategies and these types of operational issues, which are also important and transcendental. 

What is important is that, in addition to the work done by the internal auditor, what Compliance does is to ensure the viability of that company over time. So, rather than worrying about who is given the importance of one or the other, what we must be clear about is that the primary purpose of both the Compliance Office and Internal Audit is to establish mechanisms to control risks, which to some extent may jeopardise the viability of the company in the medium and long term.

So, taking that into account and taking into account the relationship of responsibilities between one and the other, you can establish boundaries that will depend on your processes and what you do. And then what happens is to have conversations between internal audit and the compliance officer, and sometimes other areas that are also included in these processes, in these conversations, to delimit responsibilities and between all of them to offer precisely these plans or processes that generate continuity in the medium and long term.
