The Three Keys to Compliance Programs: Structure, Processes and Results

aml20I often use sarcasm to make the point that compliance solutions are just a profound grasp of the obvious.  It is a little simplistic.

On the other hand, compliance can become a little too complex.  People like to come up with “sophisticated” techniques and phraseology to demonstrate they are “compliance thinkers.”  Compliance professionals who wrap themselves in complexity are usually hiding from their own personal failings.

I approach the issue from a different angle – I measure a person’s intelligence by his or her ability to explain complex issues in simple terms, or to come up with effective solutions that are relatively simple.  Not because I have a “simple” mind but because I know that the easier to understand an idea, the greater the chance that it will be adopted and implemented.

Everyone has their favorite recipes (for good food) and compliance.  I tend to focus on three important compliance principles as my guiding lights for compliance programs.  They are relatively straight-forward: (1) Structure; (2) Processes; and (3) Results.

Structure: A compliance program has to have an effective structure.  For example a chief compliance officer cannot be exiled to the basement office while reporting to the legal officer.  To the contrary, an effective structure starts with the board and the specific committee responsible for overseeing the compliance program.  Senior management then has to play an important role in the management and support of the compliance program.

The chief compliance officer and his or her staff need to establish basic reporting lines to the board and to the CEO.  In the absence of these structural basics, in many cases, the compliance program will be sub-optimal.doctor5

The Federal Sentencing Guidelines established basic structural rules for an “effective” compliance program, including a direct reporting relationship between the chief compliance officer and the board committee responsible for compliance.  Of course, this is not always the case depending on the size and nature of the company, as well as its specific risks and operations.  For the most part, the structural rules are best practices and should be applied unless there are significant countervailing considerations.

Processes: An appropriate compliance structure is meaningless if there are inadequate (or non-existent) processes to identify risks, develop compliance policies and procedures and conduct business while minimizing those risks.  In the anti-corruption context, a risk assessment and tailored policies and procedures to conduct due diligence of third parties or acquisition targets or provide gifts or meals to foreign officials are important examples of compliance processes.

gcsccosResults:  Finally, a compliance program must be measured and “results” must be captured to evaluate the performance of the compliance program, changes in risks, and possible modifications to the compliance program to improve the performance of the program.

The FCPA Guidance suggested that a compliance program should continuously improve through monitoring, measurement and modification.  This all makes sense.  The trick is how and what to measure to identify meaningful results.  It is always hard to measure the performance of anything by the absence of an event or the absence of a violation of company policy or the law.  These issues can be solved and compliance professionals are creative when it comes to measuring the performance of their compliance programs.

You may also like...

2 Responses

  1. Michael,

    Could not agree more. Keep it simple and measure by results. This means of course knowing what results you are measuring against and therefore being willing to compare yourself to those outside your organization who – just possibly – do it better. This is no place for egos.

    Anthony

  2. Monitoring the results as recommended in the new DOJ guidance can be a powerful concept.

    It all comes back to the management maxim of “you get what you measure”. Take the Hawthrone Effect – a form of reactivity where subjects improve or modify an aspect of their behavior being experimentally measured simply in response to the fact that they know they are being studied, not in response to any particular experimental manipulation.

    Obviously identifying the material “stop everything we’ve got a problem” type transaction drives value but those finds are hopefully few and far between. Where we’ve seen this be particularly powerful is by using the monitoring to generate “compliance reminders” that point out how a specific T&E expense could be questionable from an FCPA standpoint. To do this your monitoring efforts need to be integrated with the other elements of the FCPA program – such as training, policy and communications, among other factors.

    – Patrick Taylor, CEO, http://www.oversightsystems.com