The Danger of Compliance Overkill
Government prosecutors spend time promoting enforcement programs and encouraging companies to design and implement effective ethics and compliance programs. The blogosphere is filled with articles, surveys, studies, warnings, and marketing efforts all directed to encourage companies to increase compliance programs and resources.
Companies have responded by increasing attention and resources to ethics and compliance programs. In particular, regulated industries are spending vast sums to enhance, improve, expand, and out-perform their competitors when it comes to compliance programs and technologies.
All of these trends are positive, except for one big question:
Are compliance programs and procedures effectively tailored to the nature of the risk? Or to put it another way, are compliance requirements adequately proportionate to the nature of the underlying risk?
When reviewing individual functions of a compliance program, it is important to ask the following questions:
- What is the purpose of this requirement?
- What is the nature of the underlying risk?
- Are the requirements tailored to the underlying risk?
This may sound overly theoretical but it is an important inquiry. For example, in reviewing a company’s third-party due diligence program, a company may require a site visit for every third-party agent , irrespective of the specific risk profile. Does that make sense? Is it a good expenditure of resources?
Another area where these questions may be relevant is oversight of gifts and hospitality. For example, should an employee be required to obtain prior approval for an expenditure exceeding $100? What is the surrounding risk to gifts and hospitality expenditures and requiring pre-approval for every item that exceeds $100?
There is a counter-balance to tailoring every procedure to the underlying risk – it is the cost of designing and enforcing policies and procedures that vary across an organization depending on the region, the nature of the business and the extent of a risk. In some cases, the design of a control has to be tailored to the overall risk – in some areas, it could be overkill, and in others it could be deficient in responding to a risk. These are normal tradeoffs in a compliance program – efficiency and accuracy are always balanced when it comes to administrative costs and burdens.
CCOs have to be open-minded to tinker with compliance program requirements where feasible to address underlying risks. A compliance program is ineffective, by definition, if it is not adequately tailored to company risks, especially in geographic areas or in specific lines of business.
Sometimes it is feasible to “cut back” on compliance program requirements, make intelligent risk-based cuts, and reallocate those resources to higher risk activities. A CCO has to document this reallocation, the reasons for it, and the good faith determination underlying the discounting of certain risks and the refocus on higher risk activities.
Frankly, I consider this an essential aspect of a “continuous” improvement function; a way to demonstrate that a CCO is monitoring a compliance program, taking into account such information and then modifying the compliance program to account for new information and concerns.
CCOs have to be willing to upset the apple cart, make changes, and acknowledge the need for improvements. These actions reflect an underlying confidence and ability to address changing circumstances.