The Three Lines of Compliance Offense Versus The Three Lines of Compliance Defense
People crave simple solutions to complex problems. No, this is not a political statement, nor do I intend to wade into politics. This statement applies across the board – to business, compliance, government, and other institutions. We all want to understand difficult issues and to gain that understanding without the hard work that is required to learn a complex issue, consider alternatives, and develop possible solutions.
In the compliance arena, we often hear about the “three lines of defense.”
The first line is the business, meaning that business actors have to take responsibility for compliance as part of their activities on the “front line” of risky business interactions. This makes sense – the business actor has the risky interaction with the foreign government official, the healthcare professional, or possibly a competitor in the same industry. To the extent the business actor owns the compliance function, he or she can protect the company by avoiding risky interactions or navigating the risks to avoid potential problems.
The second line of defense is the compliance and legal functions that operate to ensure that the company complies with the law and the company’s code of conduct. Compliance professionals promote employee reporting through hotlines and other mechanisms to learn about specific activities that may raise compliance risks. Similarly, legal officers have to analyze legal risks and provide guidance and documentation to mitigate those risks.
Finally, the third line of defense is the auditing function that carries out post hoc reviews of business conduct to make sure that internal controls are operating effectively. To the extent the internal auditor identifies weaknesses in the business’ operations, the auditor sets out remediation requirements and then enforces deadlines to implement specific solutions prescribed by the auditor.
The three lines of defense model is all well and good in explaining compliance program operations. But words matter in the compliance arena (and many other arenas as well). We cannot ignore the fact that the so-called three lines are built on defense. A compliance system, in today’s environment, is not a defense, and it should not be characterized as a defensive function.
To the contrary, ethics and compliance is an offensive strategy. If you consider that ethics and compliance is fundamental to the company’s culture and its values and principles, a compliance program is a proactive means by which to instill a set of values and behavioral norms for the board, senior executives, managers and employees.
In the same way that a company establishes its corporate structure, mission, innovative product and/or service, and overall business plan, the company’s ethics and compliance program should be designed and baked into the initial formulation of the company.
A company has to answer basic questions about its corporate culture when it is first created: What is our objective? What is our plan? What kind of company do we want to create?
These basic questions require consideration of the company’s culture, and this is where ethics and compliance can help to develop basic behavioral norms – how do we want to conduct ourselves? How will we interact with others outside the company? What is our culture and how will we implement it?
If we start with a company’s culture and what is expected, other pieces of the compliance puzzle fall into place. In this model, the compliance function will play an important role in creating and monitoring the company’s culture. The human resources function will be an important partner in this effort. A system starting with culture will quickly fall into place.
Corporate values and principles are relatively easy to translate into compliance functions. A company committed to trust and excellence, for example, would not bribe anyone for business but would compete for contracts and engagements with customers. Trust would become a selling point within the organization and to its customers, third parties and other constituents.
Taking a defensive approach and turning it into offense is an easy way to ensure that compliance is allocated a seat at the business table where it can demonstrate the competitive advantage of compliance, the importance of culture, and the translation of such principles into marketplace success.