An “Effective” Compliance Program is Not a Perfect One
The golden ring for every chief compliance officer is an “effective” ethics and compliance program. But if you ask a CCO if the company’s compliance program is “effective,” they will bow their heads and reluctantly admit, “No, we need to . . . [fill in the blank].”
CCOs tend to be perfectionists. It comes with the mindset and the territory. They demand perfection from others just like they do from themselves. CCOs tend not to be egotistical, self-centered or narcissistic. They always see the power of cooperation, collaboration and inspiration. It is what attracts them to the profession.
With all this in mind, CCOs need to take a deep breath and reformulate their answers to the tough questions on their ethics and compliance program.
Point Number 1 – an “effective” compliance program is not a perfect one. An “effective” program, by definition, is not one that prevents every significant code or legal violation. That is unrealistic and no one can be measured against that standard. Unfortunately, I fear that senior executives and even board members are adopting this as a measure of success or failure.
Point Number 2 – an “effective” compliance program by definition needs improvements. What do I mean by this? An effective compliance program is continuously measuring risks, the effectiveness of company controls, and the company’s culture. These variables will constantly change because of external and internal influences – the world is constantly changing, social and economic forces will inevitably impact the company and its workforce, and ethics and compliance programs need to adapt to external and internal changes. A business is always responding to market forces and its operations have to adapt. Continuous monitoring and measurement translates into continuous change.
A CCO knows that compliance is a continuous process: there never is an end, and there never is a reason to stop and rest. To the contrary, it is a continuous loop of change, reaction, proactive planning, measurement and change again.
A CCO should have a constant list of to-do items – next issue to consider, next issue to address, and a plan for implementing change. A static ethics and compliance program is an ineffective and dead program.
The best example of this is a continuous risk assessment process. Starting with a baseline risk assessment, a CCO has to build in a continuous update to the baseline assessment. Each year that can be done with a regular survey of business leaders, or roundtable meetings with business leaders, and discussions on what is occurring on the ground.
Taking this updated risk information, the constellation of risks may change slightly each year and, within 3 to 5 years, will significantly change. In response, the CCO has to administer appropriate changes to the ethics and compliance program, reallocate resources, and modify existing controls to adapt or address new or more significant risks.
Each year the process results in changes; in some years they are slight, and in other years significant changes may be required. CCOs have to educate the company stakeholders on this process, the reasons for it, and the benefits to the ethics and compliance environment. By doing so, the CCO will instill a new approach and mentality to what success looks like – not the prevention of every code and legal violation but a much more realistic picture – an ethics and compliance program that is aligned with the company’s risks, and which maximizes mitigation strategies against ever-changing constellations of risks. That is success, and that is an “effective” ethics and compliance program.