Today is the penultimate day of my 30 days to a better compliance program. Just as compliance programs sprang up, grew and began to evolve and mature in the middle of the last decade; the sophistication of the regulators has also increased. We most clearly see this in the appointment of the Department of Justice (DOJ) Compliance Counsel, Hui Chen.
With her initial public remarks, Chen provided insight into how she would consider the effectiveness of a compliance program. Her key point was companies should operationalize their compliance program by tying it to functional disciplines within your company. This means that Human Resources (HR), Payment, Audit, Vendor Management and similar corporate disciplines should be involved in the operation of your compliance program in their respective areas of influence. Then in April 2016 under the remediation prong, with the initiation of the DOJ Pilot Program around FCPA enforcement, the DOJ once again emphasized the operationalization of a company’s compliance program as a key metric in determining benefits under the program. You must actually be doing compliance going forward.
This evolution in the DOJ’s thinking and its sophistication of compliance program analysis is in clear response to how the market initially responded to the requirement to have a compliance program back in the 2004-time frame. More recently, each Deferred Prosecution Agreement (DPA), in Schedule C under the details of a best practices compliance program, has required the company to take “into account relevant developments in the field and evolving international and industry standards” in upgrading their compliance program. This requirement has led companies to keep abreast of best practices and continually evolve their compliance program forward. The DOJ in turn, has upped its game and now requires companies to operationalize compliance.
Compliance is a service within your organization, yet under the operationalized model, compliance is a profit generator for a business. Just as law departments generate business by doing transactions, compliance can be viewed as delivering services not only to the business unit but also third parties with whom the company does business. This means not only traditional transaction partners such as sales agents, representatives and distributors but also joint venture (JV) partners, teaming partners and others. Compliance can deliver compliance related services to these third parties as a profit center.
Doing compliance means doing business. There are multiple types of risks in a business; operational, regulatory and reputational, just to name a few. The effort to measure and then manage each of these risks can be led by the compliance function. The more efficiently these risks are measured (i.e. assessed) the more easily and efficiently these risks can be managed. This means that the business is not faced with a binary 1/0 or Go/No Go decision on risk but if compliance moved into measuring and the managing risk through the operationalization of compliance into the business unit; the process would help you to do business more efficiently and with greater profitability.
Compliance is a platform to make your company not only a better run organization but can also demonstrate the thoughtfulness and effectiveness of your compliance program should a regulator ever come knocking. This is because if you operationalize compliance into the fabric of your organization, compliance internal controls will touch every aspect of the employment experience in a way that is not obtrusive and will not slow down what you are trying to achieve.
Take compliance as a platform in HR. At every point in talent management, HR can insert compliance into the cycle. Those points include the pre-employment interview and screening, the interview process with progressively higher senior management, the initial on-boarding process, the quarterly, semi-annual or annual performance review, annual bonus review, assessment and award, promotions and even exiting of an employee. The platform of compliance can record each of these touch points and you now have an internal control burned into HR which is a compliance internal control. Further, if there is any attempt to circumvent or over-ride one of these HR internal controls involving the hiring of a son or daughter of a foreign governmental official, a red flag can be raised and sent to the compliance function for further review.
Compliance is a marketing platform. Some attention has been paid to the use of compliance as a recruiting and hiring tool for millennials. One of the facts of their generation is they want to work at companies which are seen to be doing business ethically, all the while making money. Moreover, as Ethisphere demonstrates annually with its World’s Most Ethical Company awards, businesses which win those awards, on average, exceed the New York Stock Exchange (NYSE) blue chip average for profitability. It will be interesting to see the results of ISO 37001 certification on financial profitability.
Compliance embraces public advocacy. The Volkswagen (VW) emissions-testing scandal is one of the largest corporate scandals of the past few years. One thing that makes the VW scandal so unique is that it is one of the few scandals where a company’s actions were so transgressive they damaged the reputations of its competitors. As a response to the VW scandal, Ulrich Grillo, President of the German industry association BDI, recognized that compliance is the answer. He urged companies to check their management processes, including compliance and control systems. He suggested one of the key questions to ask should be “Are we doing everything right?” When you have the President of a national industrial association saying compliance is the answer, you need to sit up and take notice.
Three Key Takeaways
For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.