Lions and Tigers and Bears – Certifications, Checklists and Standards
The compliance profession continues to rise in importance. Companies are paying more attention to corporate culture and devoting resources to enhance existing compliance operations. This approach is reinforced with each week as new enforcement actions are announced.
Just like every other success story, the rise of compliance brings out dangerous “innovations,” which are promoted as the magic solution to compliance technology needs. Compliance professionals have to be skeptical of those offering quick and easy solutions to complex problems.
Technology can be a helpful solution, allowing CCOs to leverage resources, collect data and create a documented record of compliance efforts.
Anyone who tells you they have the magic bullet for a compliance program is leading you down a dangerous road. The design of an effective compliance program is by definition dependent on the individual risk profile of a company. There are too many variables and they cannot be standardized into some formula or recipe for success.
People always look for shortcuts as a weak replacement for efficiency. My concern is that compliance practitioners, vendors, standard setting organizations, and non-profit organizations are offering a range of tools that divert important attention and resources from more important compliance priorities. Here is my quick review of the dangers of each:
Certifications: In the due diligence space, companies are offering certifications of third-party agents and distributors. Companies that rely on certifications as part of their due diligence process do so at their own peril.
There are numerous dangers from relying on such certifications. Prosecutors will never embrace certification as a substitute for real and meaningful due diligence. That may sound like a controversial statement but if a company relies on such certifications it is blindly going forward in the face of a potential risk.
A company’s due diligence program has to look behind any certification to verify the information and the process. All too often, I have seen occasions when due diligence certification organizations have blessed a third-party in the face of obvious red flags that were inadequately addressed. Sometimes the due diligence red flags are resolved with only a follow-up inquiry of the third-party without seeking corroborating evidence. All of these practices create risk for a company relying on a certification.
The certifying non-profit represents itself as providing an objective certification. However, the important question is who certifies the certifying company? What standards are they applying? How do we know that they are being done appropriately and consistent with the company’s risk appetite?
These are basic questions and reflect my continuing concern with certifying companies.
Checklists: Companies look for checklists as quick guides to navigate difficult issues. A checklist, as one part of an overall process, can be valuable. On the other hand, if a CCO relies on a checklist alone to analyze an issue or complete a process, the CCO is asking for trouble. Checklists are not a panacea but can help to structure the CCO’s tasks.
A checklist is like a task list – there are many related questions and subjects that have to be addressed, prioritized and reviewed. If used in this fashion, a checklist can be very helpful.
Standards: Compliance work cannot be standardized. No matter how often people and professionals attempt to standardize compliance program requirements, there is no way standards can take into account all of the possible variables. International ISO standard setting organizations are barking up the wrong tree by advocating for adoption of ISO standards in the compliance field.
Aside from this obvious and significant problem, standards can have a negative impact on compliance performance by creating lowest common denominator requirements or ineffective safe harbors. In the end, compliance is a function that will always have subjective aspects to performance and measurement.
Contrary to these dangerous “solutions,” compliance professionals should focus on best practices and benchmarking. Both of these sources provide important guides and practical suggestions for compliance professionals. A CCO can use best practices and benchmarking to learn how other professionals have approached certain issues, and then adapt those solutions to reflect the CCO’s unique situation.
In particular, best practices are mere suggestions and not requirements nor the basis for a certification. Compliance is a function that involves educated risk mitigation strategies and cost minimization. Best practices and benchmarking can provide quick insights and reality checks for a CCO.