Reactive Compliance: An Oxymoron?
People make bad decisions. Companies make bad decisions. In fairness, sometimes a bad decision is the result of a failure to act, or a failure to prioritize.
We are surrounded by oxymorons in our world. I enjoy identifying them. We all know the classics – compassionate conservatism, military intelligence, etc.
In the compliance world, my favorite oxymoron is – reactive compliance. What happened to proactive compliance? Proactive thinking is at the core of compliance – risk assessments are forward-looking in purpose; risk management systems are proactive and internal controls are designed to control future behavior.
CEOs can be odd characters. At the heart of their job is the ability to multi-task, balance simultaneous tasks and provide a broad vision to lead the company. In the end, the CEO acts like a compliance officer by weighing relative costs and benefits to decide what he or she needs to do.
CEOs can either attend to compliance and ethics in a proactive way or they can ignore compliance and ethics, and put them off for another day after a violation occurs (which may or may not result in a government enforcement action). A number of CEOs, if not a majority, choose the latter course and decide to embrace reactive compliance.
When they make this “decision,” CEOs delude themselves and justify a failure to act based on higher risks, higher priorities or too much cost. A narrow view of compliance, by definition, precludes recognition of bottom-line benefits from compliance and ethics, and instead focuses on the increased costs of the compliance and ethics program. CEOs are able to rationalize to themselves that, given the relative threats and tasks facing a company, reactive compliance is the most efficient choice for the company.
A reactive compliance program is just that – reactive. The DOJ/SEC Guidance described a related concept – a paper compliance program. I can understand why DOJ and SEC attorneys are tired of seeing companies which have violated the FCPA, and which rely on their paper compliance program as demonstrating their commitment to compliance.
A paper compliance program has all the right trappings. It consists of all the right words and all the right policies. It looks good when you first read it and you feel warm and fuzzy. But once you lift the hood, a different picture appears. The company’s compliance program has a very small footprint. Ethics and compliance is not a part of the culture. A risk assessment is not conducted. On occasion, business managers follow due diligence requirements. There is very little monitoring, and the tone at the top is non-existent, except for a few statements around the company about the importance of compliance and ethics. Every paper program devotes time and attention to gifts, meals and entertainment expenses because the issue can be easily defined and addressed.
At bottom, the CEO is responsible for a reactive compliance program. If the company suffers an enforcement action, the board and corporate shareholders will ask the CEO why the violations occurred and why the compliance program did not work. The CEO will be held accountable. In many cases, the CEO’s tenure may end as a result of the company’s calculated compliance decision.