Reality Check on Compliance
No one will ever call the last twenty years of television the “golden age of television.” I have always turned off “reality” television for one reason – it is boring. For some reason, American television viewers have become less interested in entertainment and more interested in watching so-called “reality” shows which are far from realistic and have no lasting artistic value.
While “reality” does not work when it comes to television, businesses need to stick to “reality” when designing and implementing a compliance program.
What do I mean by “reality”? When it comes to compliance, “reality” starts with an accurate assessment of “risk” of a violation of law and/or company policy.
Not all violations are created equal. Some violations of the law may be more “technical” in nature (“technical” violation of a regulation) and some are egregious violations (e.g. bribery). The same goes for company policies – not all violations of company policies are equal.
I am not suggesting that “technical” or “minor” violations should be ignored. Indeed, a culture which allows such minor violations without any response undermines any culture of compliance and will inevitably lead to more significant violations.
The FCPA Guidance reiterated the importance of prioritizing risks and responding to those risks. As an example of a lack of focus, the FCPA Guidance cited an example where a company spent time focusing on review of individual expense requests while ignoring due diligence of risk transaction between the company and a foreign government.
A compliance program must maintain focus on the “reality” of relative risks. A $500 gift creates less risk than a $5 million contract with a foreign government secured with the assistance of a third party.
This example is instructive. A company must prioritize risks and should allocate resources in response to those risks. Too often compliance programs are bogged down in the details of expense reports and the review of such expenditures. This reflects a failure to realize the reality of risks.
Ranking risks leads to efficient use of compliance resources. This ranking must be regularly updated as more information is learned through monitoring of a compliance program. While this sounds fine in theory, the reality of many compliance programs is that monitoring is at best a spot check program because of a lack of resources.
Compliance officers have to monitor their compliance program and update their risks. The reality of compliance is that priorities have to be set and specific risks addressed.
Compliance officers have to secure the resources needed to carry out their mission. That requires leadership and a willingness to advocate for compliance and adequate resources.
There has never been a better time for compliance officers to advocate for resources. Companies are on edge and aggressive prosecutors are targeting businesses for enforcement. Senior management is starting to understand the importance of compliance. The reality of enforcement risks is fast becoming the reality of compliance.