Under the Evaluation of Corporate Compliance Programs, Prong 2, it states:

2. Senior and Middle Management

Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates?

This requirement is more than simply the ubiquitous ‘tone-at-the-top’ as it focuses on the conduct of senior management. The Justice Department wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has through their words and concrete actions brought the right message of doing business ethically and in compliance to a company. How does senior management model its behavior on a company’s values and finally how is such conduct monitored in an organization?

How can senior management operationalize compliance going forward? One of the best places to start is the article from the Harvard Business Review by Professor Lynn Paine entitled, “Managing for Organizational Integrity”. Five factors, derived from the article, can be used guideposts to not only to set the right tone from senior management on doing business ethically and in compliance but also lay the ground for senior management to model appropriate behavior and then have it monitored by the company going forward.

1. The guiding values of a company must make sense and be clearly communicated by senior management in a variety of settings, to the entire company workforce.
2. The company’s leader must be personally committed and willing to take action on the values. This means that management must not simply ‘overlook’ the transgressions of top producers.
3. A company’s systems and structures must support its guiding principles and these internal systems and structures cannot be over-ridden by senior management without both justification and Board approval.
4. A company’s values must be integrated into normal channels of management decision-making and reflected in the company’s critical decisions. Sometime a company must turn down business if there are too many red flags present or by engaging in such behavior the company’s value and ethics will be violated.
5. Managers must be empowered to make ethically sound decisions on a day-to-day basis. This means senior management must fully support and back-up such decisions.

David Lawler, in his book, Frequently Asked Questions in Anti-Bribery and Corruption boiled it down as follows “Whatever the size, structure or market of a commercial organization, top-level management’s commitment to bribery prevention is likely to include communication of the organization’s anti-bribery stance and appropriate degree of involvement in developing bribery prevention procedures.” Lawler went on to provide a short list of points that he suggests senior management engage in to communicate the type of tone to follow an anti-corruption regime.” I had a CEO of a client, who after I described his role in operationalizing his company’s compliance program observed the following, “You want me to be the ambassador for compliance.” I immediately averred in the affirmative. The following is a list of things that a CEO can do as an ‘Ambassador of Compliance’ to fully model the conduct that senior management must show.

• Reject a ‘do as I say, not as I do’ mentality;
• Not just ‘talk-the-talk’ but ‘walk-the-walk’ of compliance;
• Oversee creation of a written statement of a zero tolerance towards bribery and corruption;
• Appoint and fully resource, with money and headcount, a Chief Compliance Officer;
• Oversee the development of a Code of Conduct and written compliance program implementing it;
• Ensure there are compliance metrics on all key business reports;
• Provide leadership to middle managers to facilitate filtering of the zero-tolerance message down throughout the organization;
• Not only have a whistleblowing, reporting or speak up channel but celebrate it;
• Keep talking about doing the right thing;
• Make sure that you are seen providing your Chief Compliance Officer with access to yourself and the Board of Directors.

Coming at it from a different perspective, author Martin Biegelman provides some concrete examples in his book entitled, “Building a World Class Compliance Program – Best Practices and Strategies for Success”. Biegelman begins the chapter discussed in this posting with the statement “The road to compliance starts at the top.” There is probably no dispute that a company takes on the tone of its top management. Inspired by a list from Joe Murphy of actions that a CEO can demonstrate to set the requisite tone from the Captain’s Chair of any business, you can do some of the following.

1. Keep a copy of the Code on your Desk. Have a dog-eared copy of your company’s Code of Conduct on your desktop and be seen using it.
2. Give Your CCO Real Authority. Make sure your compliance department has authority, influence and budget within the company. Have your Chief Compliance Officer (CCO) report directly to the Board of Directors.
3. Hold them Accountable. At Senior Executive meetings, have each participant report on what they have done to further the compliance function in their business unit.
4. Reward and Punish. Have both sanctions for violation of company compliance policies and incentives for doing business in a compliant manner.
5. Walk the Walk. Turn down an expensive dinner or trip offered by a vendor. Pass on a gift that you may have received. Turn down a transaction based upon ethical considerations.
6. Be a Compliance Student. Be seen at intra-company compliance training. Take a one or two-day course or attend a compliance conference outside your organization.
7. Recognize Compliance at Your Company. You should recognize outstanding compliance efforts with companywide announcements and awards.
8. Enshrine Compliance at the Board. Recruit a nationally known compliance expert to sit on your company’s Board and chair the compliance committee.
9. Independent Review. Obtain an independent, outside review of your company’s compliance program and report the results to the Board’s Compliance Committee.
10. Push Compliance into Your Supply Chain. Mandate that all vendors in your Supply Chain embrace compliance and ethics as a business model. If not, pass on doing business with them.
11. Create an Executive Network for Compliance. Talk to other CEOs and senior executives in your industry on how to improve your company’s compliance efforts.

Another area a CEO can forcefully engage an entire company through is a powerful video message about doing business the right way and in compliance. A great example was a CenterPoint Energy video put out in 2015 after the Volkswagen (VW) emissions-testing scandal become public. The video featured Scott Prochazka, CenterPoint Energy President and Chief Executive Officer (CEO). He used the VW scandal to proactively address culture and values at the company and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with a with an additional resource, entitled “Manager’s Toolkit – “What does Integrity mean to you?””, which managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. Finally, as noted by Amy Lilly, Director, Corporate Ethics and Compliance at CenterPoint Energy, the cost for the video was quite reasonable as it was produced internally.

Three Key Takeaways

1. Senior management must actually do compliance; walk-the-walk, not simply talk-the-talk.
2. Use your CEO to talk about current events and how those ethical failures are lessons to be learned for your organization.
3. CEO as Compliance Ambassador.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is an important, key step as it will allow you to have full visibility of your compliance risks through a longer life cycle. Forecasting allows you to consider your business strategy and wed the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor both the compliance risks you know about detect those you do not know, on an ongoing basis. 

I think there are several key lessons to be considered by any Chief Compliance Officer (CCO) or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment as it is articulated as Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program. From the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” In addition to this business case, the 2012 FCPA Guidance also specified the enforcement reasons for performing a risk assessment, “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not pre­vent an infraction in a low risk area because greater atten­tion and resources had been devoted to a higher risk area.” The DOJ Evaluation of Corporate Compliance Programs builds on this. 

Yet as compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not as simply a legal prophylactic, but as a business process. Seen in this light, it is clear the risk management process should begin with forecasting as it attempts to estimate future aspects of your business. Compliance professionals should be able to say with some degree of authority, what will happen in the next three months, six months, twelve months, twenty-four months. This can facilitate resources deployment where they think is appropriate in order to meet these future demands. 

By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict for or issues which the forecasting model raised as a potential outcome which warranted a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks. Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling, are continuously refined based on incoming data. 

All of these three tools tie back into process management and process improvement. There is a balance between what is actually important for your business or for proper execution; versus the practical aspects of the whole process. Ben Locwin stated, “If you are not measuring at a high enough resolution, then you are not capturing a lot of the environmental, market forces and  external factors that probably are of high leverage to your operations in business that you simply do not know about.” 

For example, if there is a one-in-three chance of a compliance failure occurring, which a company knew that in advance; the executive committee probably almost stop the activity before there was a compliance failure and possible legal violation. This is how the risk management process can work to fulfill the three prongs of a compliance program, prevent, detect and remediate. You are using your risk forecast and you have a contingency in place, which you execute upon. In other words, it comes down to execution. This means you have to use the risk management tools available to you and when a situation arises, you remediate when required. This is not only where the rubber hits the road but the information and data you garner in the execution phase should be fed back into a process loop. From this, you will develop continuous feedback and continuous improvement. 

I have gone through this in some detail to emphasize the business process nature that compliance has evolved into as a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate how compliance adds to the bottom line and is not simply a cost center.

Three Key Takeaways

1. The risk management process is an important backbone of operationalizing compliance.
2. You should be able monitor and measure both known and unknown risks.
3. All of these steps help a business to run more efficiently and more profitably. 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

In this episode, I visit with SCCE incoming President Gerry Zack about his new role with the organization. Some of our topics include: his new role with the SCCE, why he took on the challenge of running the world’s largest compliance professionals’ organization; some of his initial observations of SCCE; where the organization will be headed in 2018 and ways for a compliance professional to become involved in SCCE going forward.