Conference report: the three Ps of compliance

Chris Hamblin, Editor, London, 18 November 2019

At MetricStream's Governance, Risk and Compliance conference in London today, a panel of experts discussed the rising complexity of markets and its effect on the job of the chief compliance officer.

The panel agreed that there were four key things for the average CCO to consider:

  • regular regulatory change;
  • an increasing workload of monitoring and reporting;
  • technological disruptions; and
  • an increasing emphasis on compliance culture.

Chairman Hrishik Bose of MetricStream elaborated on the fourth point: "It's making sure that everyone understands the relevance of compliance and it's not just part of something that's come from the top."

He asked the panel of compliance people how they managed these tasks in an increasingly changing world full of competition and everyday changes. Fiona Hipkiss, the managing director of compliance at the investment management firm of Hines Europe, started off.

"We manage it to the best extent we can. I'm going to talk about the 'three Ps' and the first, driving one for me is principles. We are governed by the Financial Conduct Authority here in the UK which is a principles-based regulator but I try to marry those back up with the values and the principles by which we at Hines want to run our businesses by. The only way that [high-net-worth] people will give us money to invest on their behalf is in a spirit of trust.

"Principles lead to good outcomes. Those of us who work in the UK...we're grateful for the FCA. If you've ever had to work for other regulators, either the [US] Securities and Exchange Commission's world or, God forbid, if you are working in Seoul, which (trust me) is a different place entirely, it's very very rules-based. So you have to jump through lots of hoops, lots of tick-boxes, to prove to the regulator that you're doing the right thing. It's very irritating. So, yes, we take the best practices, but then we have to delegate and allow the local businesses to get very much more granular if they have to, to be that local rules-based.

"The second P is that as a company, you want to know what your peers are doing. Do you want to be ahead of your peers, because you think that that's a good opportunity to get somewhere in the market? Or are you OK with just adopting what everybody else is doing? This is to do with this ethereal concept of your risk appetite - I hate that word, by the way. Somebody gave me an anecdote the other day, saying 'our board has approved our risk appetite - it's moderate.' What does that mean? What does it mean to your people on the ground? What are they supposed to do with that?

"That brings me to the third P - the people. I have implemented two pieces of compliance software (and I'm into my third one) just this year and I like to think of the compliance and the control functions doing a lot of the paddling of the ducks and the business is just seeing it really serene. It's really easy to operate on the front end. Yes, they have to do something but it's seamless and it's integrated into their business processes. It's mobile, it's easy and it's just really accessible."

Another participant warmed to the theme of principles: "It's not about building super-rigid, grandiose frameworks. It's about empowering the people, making them understand about the guiding stars of the company's values."

A man from KPMG said that a risk officer at a Baltic firm that his firm was serving had told him: "We are working with millennials [people who came of age after 2000 AD] in the business world and they're not going to take instructions, believe me. If something comes top-down and they don't agree to it, they're not going to follow. Gone are those days. They need to make sure that the instructions that are coming top-down are in line with their business objectives.

"It's also that the business feels that it is actually helping them in their goals and their core expertise. That's really the cultural change that organisations are trying to manage and it's great to hear that you are agreeing to that."

Fiona Hipkiss ended this odd reverie by saying: "We all talk about millennials. I'm right on the cusp. I think that we can't let the millennial tail wag the dog just yet. We've got a lot of tech dinosaurs out there and we've got to be responsive to them and help them get up the learning curve as well and not leave them behind." This drew murmurs of approval from all over the hall.

The chairman then asked the panel how they managed compliance 'programmes' (by which he presumably meant plans of action) that they were running with enough resources and the right balance of technology to keep those programmes agile. One panellist said that the key lay in striking a balance between super-centralisation and decentralisation across jurisdictions.

Fiona Hipkiss thought that this comment hit the nail on the head.

"To give a Hines potted history, we're a family business that started in Texas and the way that we grew our business was that Mr Hines had some really good mates and he said 'go and open up Germany or China' and gave them total discretion to do whatever they wanted. We're now just having our third generation and it's saying OK, Dad and Granddad, for us to last for another 60 years we've got to change how we operate. We're in siloes, we're not cross-selling, we're not taking the benefits of efficiency, we are not going to survive the next decades.

"So for us, we are coming from a decentralised model and making it more corporate and centralised and that has been totally across the business. We have a chief transformation officer and we have reorganised the way the real-estate part of the business works with the financial part of the business [the investments specialise in real estate], the investment management versus the people on the ground doing the real estate.

"In compliance we felt really privileged because in compliance we've never siloed. We've always looked across jurisdictions. We've never been...OK, are you investment management or are you the person on the ground? We've always all been pulling in the same direction. And so actually some of the business is pulling best practices from compliance, so we've organised more in themes and in topic areas and expertise as opposed to this business versus that business. We try to look for those commonalities. We are looking for technology and the compliance technology has always been across the whole business. There's no point for me to get one solution in one place that doesn't work somewhere else. Bringing that all together is too difficult."

She added that the biggest piece of work that she had done that had brought together a vast array of her company's people and functions was the European Union's General Data Protection Regulation.

"With the GDPR, we have really understood what it is for us all to work together. It crosses out into all the different parts of our business. I needed people from our Hines aviation group, I didn't even know that we had one, to IT people and legal people and people running websites. Everything we do now has this data lens. The most complicated aspect is the inconsistency of the law, which then goes back to best practices. If you've decided that the GDPR is your standard, actually from a compliance perspective it's easier for me to push that globally than to cut the cake.

"It has helped everybody realise that they have to be involved in compliance. 'Compliance is the brake' is no longer a conception for us. It's more this understanding that all the control functions and the central functions, be that HR or insurance, we all have to come together and it's been a wonderful opportunity. It's been a horrible headache but it's been a great opportunity."
