How to Define Compliance Success
How do you define and measure compliance success? We spend so much time defining what can go wrong, what has gone wrong, and what may go wrong – we lose sight of some of the positive impacts of a fresh compliance strategy.
It is too simplistic to just say that if you are not caught, you are in compliance. I would suggest a broader definition. Compliance defines a new equilibrium for a company – the program is designed, implemented and working “effectively.” That does not mean that every aspect of the company’s operations is in full compliance. Instead, the company’s compliance controls are working properly, identifying issues for review and resolution, and protecting the company from undisclosed issues.
If a compliance department does not raise and resolve difficult issues, that is the sign that the program is not working. The goal of a compliance program is to work as closely as possible with the business units, plan for compliance as part of the overall business strategy, and ensure compliance from the beginning. In the process, there may be difficult legal and compliance issues which need to be resolved. Risks have to be identified and weighed against business considerations.
How the line is drawn among the competing consideration of business and risk is a continuing process. The company’s risk appetite will help to define where the proper boundaries are drawn.
For example, the business elements may want to engage a third party agent. The due diligence process conducted by the compliance staff has identified some red flags including prior corruption allegations and family connections to some government officials. The business wants to go forward with the agent; the legal and compliance staff urges caution, and proposes some remedial measures to reduce the risk – representations and warranties which protect the company, as well as a detailed monitoring plan over the third-party agent’s activities. The issues are joined and raised to senior management. At this point, the company’s risk sensitivity will come into play and senior management decides whether the benefits outweigh the risks.
The fact that the company has to decide these issues underscores the operation of its compliance program. Even if decides not to go forward with the third party agent, the compliance program is working. The issues were raised, analyzed and considered by senior management – it may end up being the wrong call, and if the third party agent runs into trouble, that does not mean the company’s compliance program did not work.
Perfection is a short-sighted and unrealistic goal. Compliance programs manage risk and are designed to do so consistently with the company’s overall business plan and priorities. If a compliance officer is working effectively, that means he or she is involved in these risk judgment calls and providing objective advice for the company to weigh. If the advice is fair and accurate, and the company weighs it properly against the potential business benefits, then the compliance program has been successful.