Due to the interest in my article on the “Seven Signs of Ineffective Compliance Programs”, I have done a slightly expanded version upon request.
= = = = = =
Over the years of designing, implementing, evaluating, and improving compliance programs, I have come to recognize indicators of what I believe to be ineffective and outdated compliance programs. I define effectiveness by a company’s ability to evidence program achievements in actually detecting and preventing misconduct and reducing conduct risks in measurable terms.
Lack of Financial and Organizational Discipline. In my experience, failed compliance programs have always mirrored dysfunctional organizations, particularly in the area of finance. These are companies that have either no enterprise resource planning (ERP) tools or a multiplicity of them that are not integrated; they have no centralized visibility into their financial transactions; their supplier databases are out of date; their payment methods have inadequate controls, and their ledgers are both duplicative and incomplete. In my opinion, it is impossible for an effective compliance program to exist in a company that lacks these basic organizational and financial disciplines.
In contrast, companies that have effective compliance programs tend to be well-organized and disciplined. They have clear processes with embedded controls, integrated ERP systems and databases that enable centralized visibility into the enterprise’s activities, routinely updated system data, and established decision-making matrices. The best processes are designed to minimize the burden on employees while ensuring accuracy. For example, an expense system that enables tracking of gifts and entertainment expenditures as they are incurred would eliminate the need for a separate system to register these expenditures: this saves the expense of building another system, and is more reliable because it does not depend on self-reporting.
Legal Dominated Compliance. Companies that treat every compliance issue as a legal maneuver, write policies like mortgage documents, and cloak everything with attorney-client privilege tend to be less interested in whether their programs actually work and more interested in how they look as a legal defense. They are often fearful of asking questions, gathering data, analyzing root causes, sharing information, or trying new approaches, all because they are uncertain of how the findings and results might affect their legal posture.
Effective compliance programs, on the other hand, are more focused on behavior than on laws and regulations. Instead of watching every word and action that comes from the enforcers and regulators, these programs watch the words and actions of their own employees and stakeholders. They continuously ask why and how, genuinely wanting to know what is going on in their enterprises. If I were to build a compliance department today, I would hire behavioral scientists, forensic auditors, and data scientists instead of lawyers: they would bring the disciplines that could help in analyzing trends and changing behavior.
Citing Sentencing Guidelines as the Standard. This is the organizational equivalent of asking “how good do I have to be so that, when I am caught committing a crime, I won’t have to go to jail?” People seem to forget that Sentencing Guidelines are written for convicted felons. The actual text of the United States Sentencing Guidelines’ section on “Effective Compliance and Ethics Program” begins: “To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (b)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall…” (U.S.S.G. §8B2.1(a)) [Emphasis added]. In other words, “effectiveness” in this context is specific to considerations of punishment.
Effective compliance professionals have a different understanding of “effectiveness”: it is not to reduce punishment after criminal conduct, but to prevent criminal conduct. They think of the Sentencing Guidelines the way honor students think of passing grades: they are way past them! Effective compliance programs do not aspire to meet minimum legal standards set for convicted felons: they aspire to prevent, detect and remediate real risks in real time so their companies never have to encounter the Sentencing Guidelines.
Counting Training Completion Rate (and other invalid or incomplete metrics). This is the topic of the article I recently co-authored in the Harvard Business Review. If you are still counting training completion rates and pro-compliance messages from CEOs to measure your compliance program, you are demonstrating only the mere existence of a program. Training completion rate provides no indication of whether people learned anything from the training or changed their behavior as a result of it: it is not a valid metric of effectiveness. Counting pro-compliance messages by themselves is as incomplete as counting calories only when you eat vegetables: messages must be measured in the context of all messages.
The compliance programs that have impressed me the most are those that use multiple metrics and data sources to assess, monitor, investigate, and measure their risks and compliance on an ongoing basis in real time. They track everything, including financial data, sales goals, growth rates, high-risk activities, cultural indicators, communications content, and comparisons with publicly available market data.
We cannot measure our physical health by what we eat and how often we go to the gym: those are indicators of our efforts to improve our health. The actual measures of health are metrics such as blood pressure, heart rate, respiratory rate, temperature, body-mass index, etc. Counting efforts is only the first step: measuring the results is what matters.
Focus on Due Diligence Rather Than Management. In the Evaluation of Corporate Compliance Programs document issued by the Department of Justice’s Fraud Section, the phrase “third party due diligence” is not found. Instead, there is a section on Third Party Management. This is recognition of the fact that knowing your third party’s history at the beginning of the relationship is only meant to be a risk predictor: the actual risks lie in the activities that your third parties will be conducting on your behalf on an ongoing basis. Companies that focus on initial due diligence instead of ongoing management fail to recognize that due diligence is the beginning, not the end, of a continuous process.
Effective compliance programs recognize that real risks arise during a company’s working relationship with employees or vendors, not just when the relationship begins. These programs manage those relationships through active and continuous monitoring. A due diligence effort at onboarding tells you what the risks might be: diligent management and monitoring tells you what the risks are right now.
Single-Statute Compliance. Companies that equate compliance programs with a single statute – most frequently the Foreign Corrupt Practices Act (“FCPA”) – tend to have a more compartmentalized approach that fails to drive organizational culture and controls holistically. They overwhelm their employees with separate messages and processes, without ever integrating basic behavioral values into the daily lives and tasks of the employees. This is the kind of organization where employees say: “I know I can’t bribe foreign officials, but no one ever told me I can’t lie to customers.” This is the attitude that results in serious compliance failures.
The more effective programs recognize the common elements that underlie ethical conduct across the board: transparency, respect, engagement, accountability, discipline, etc. There is a growing realization that an anti-corruption message cannot stand alone and prevail in an organization that cheats its customers, shortchanges its suppliers, or ignores signs of financial fraud. Compliance programs that integrate messages and processes across these common elements are more likely to be effective because of the consistency with which they shape behavior.
Disproportionate Focus on Gifts-Meals-Travel-Entertainment. This is a sibling of FCPA-focused compliance, one that demonstrates a rudimentary understanding of risk. I have never seen a company whose largest spending categories are these, yet I have seen many multiples of the compliance hours spent on them than on million-dollar distributor discounts or hundreds of dollars in marketing funds. In immature compliance programs, the amount of time and angst sweated over these categories is disproportionate to the risk they represent.
On the other hand, risk-driven compliance programs make resource investments proportionate to risks. They begin by understanding the business model, activity types and patterns, and compensation incentives, and focus their efforts on the improper motives and opportunities presented by that risk profile.