Warning: Keeping Compliance Simple
If you can’t explain it to a six-year-old, you don’t understand it yourself. — Albert Einstein
Compliance professionals are in a heady state these days. Their stock is rising; they are gaining influence and authority, and even some additional resources. When given the time, compliance professionals can come up with new and innovative strategies for compliance programs.
But I see a danger lurking on the horizon (how is that for a picture?). CCOs have to avoid something that comes with influence and authority – making compliance programs too complex. Why do I worry about this?
Compliance depends on simplicity and accessibility. It does not depend on self-actualizing theories and designs of wordy compliance concepts. Take one example – (and I apologize to advocates of this) the so-called “three-lines of defense” (“TLOD”) or other compliance program acronyms and theories.
This is a perfect example of what I mean – we do not need complex ideas, acronyms and other obfuscations or organizing principles around basic compliance ideas. CCOs who advocate such programs are doing the profession a disservice. We need to continue to educate our audience in the company and we need to tell a consistent and clear story. Coming up with fancy names, complex diagrams and other theories will only defeat the basic requirement for compliance – simplicity.
I am concerned that the compliance profession is going down a well-worn path traversed by other professionals, including accountants, lawyers, economists and many others. The art of compliance requires simple drawings and basic principles not colored stacks of basic corporate functions divided up into functional areas with complex groupings.
The mark of an effective compliance program is how it is embedded in a company’s business. If the ideas become too complex, valuable supporters will find the program inaccessible and wonder why they are assigned certain tasks.
Life for a CCO is already hard enough as they navigate internal controls, the new COSO framework, build relationships with valuable partners, dodge enforcement agencies and threats, and put out fires along the way. There is no need to adopt complex compliance strategies when the message should be clear – the company has an important commitment to ethical values and compliance with the code and applicable laws. The way forward is to keep the company’s eye on the ball on this important objective and avoid the traps of complexity.
To those who want to defend TLOD and other compliance strategies, I would suggest that they answer a couple of important questions – why is this organizing principle needed? How does it further the company’s compliance program that depends on acceptance and accountability?
CCOs do not need another “unifying” theme for their important tasks. They already have one and there is no one way for them to accomplish their objectives. Of course, there are probably good ideas in every compliance theory but complexity is antithetical to effective ethics and compliance programs.
CCOs have to be confident. The mark of a confident person is sticking to important values when performing their jobs. A CCO does not need to inflate their own importance by creating new and elaborate theories to justify their rise to the C-Suite. It reflects their own insecurities and need to pat themselves on the back.
A CCO who knows and understands their role and place in an organization is a valuable asset. They fulfill a critical function in a company. They do not need gimmicks. Instead, they need to stick to hard work and simple messaging.