The Three Keys to Compliance Programs: Structure, Processes and Results
I often use sarcasm to make the point that compliance solutions are just a profound grasp of the obvious. It is a little simplistic.
On the other hand, compliance can become a little too complex. People like to come up with “sophisticated” techniques and phraseology to demonstrate they are “compliance thinkers.” Compliance professionals who wrap themselves in complexity are usually hiding from their own personal failings.
I approach the issue from a different angle – I measure a person’s intelligence by his or her ability to explain complex issues in simple terms, or to come up with effective solutions that are relatively simple. Not because I have a “simple” mind but because I know that the easier to understand an idea, the greater the chance that it will be adopted and implemented.
Everyone has their favorite recipes (for good food) and compliance. I tend to focus on three important compliance principles as my guiding lights for compliance programs. They are relatively straight-forward: (1) Structure; (2) Processes; and (3) Results.
Structure: A compliance program has to have an effective structure. For example a chief compliance officer cannot be exiled to the basement office while reporting to the legal officer. To the contrary, an effective structure starts with the board and the specific committee responsible for overseeing the compliance program. Senior management then has to play an important role in the management and support of the compliance program.
The chief compliance officer and his or her staff need to establish basic reporting lines to the board and to the CEO. In the absence of these structural basics, in many cases, the compliance program will be sub-optimal.
The Federal Sentencing Guidelines established basic structural rules for an “effective” compliance program, including a direct reporting relationship between the chief compliance officer and the board committee responsible for compliance. Of course, this is not always the case depending on the size and nature of the company, as well as its specific risks and operations. For the most part, the structural rules are best practices and should be applied unless there are significant countervailing considerations.
Processes: An appropriate compliance structure is meaningless if there are inadequate (or non-existent) processes to identify risks, develop compliance policies and procedures and conduct business while minimizing those risks. In the anti-corruption context, a risk assessment and tailored policies and procedures to conduct due diligence of third parties or acquisition targets or provide gifts or meals to foreign officials are important examples of compliance processes.
Results: Finally, a compliance program must be measured and “results” must be captured to evaluate the performance of the compliance program, changes in risks, and possible modifications to the compliance program to improve the performance of the program.
The FCPA Guidance suggested that a compliance program should continuously improve through monitoring, measurement and modification. This all makes sense. The trick is how and what to measure to identify meaningful results. It is always hard to measure the performance of anything by the absence of an event or the absence of a violation of company policy or the law. These issues can be solved and compliance professionals are creative when it comes to measuring the performance of their compliance programs.