Compliance is Not “Rocket Science”
In the compliance arena, like in many others in life, we value simplicity. I have repeatedly stressed the importance of compliance initiatives that are relatively simple. Too often, lawyers and compliance professionals confuse complexity with efficacy.
We can all spin together complex compliance controls that address every possible permutation of events, contingencies and possibilities. That is not the challenge. Compliance is a delicate balance between controls and risks. Not every conceivable risk needs to be addressed by a detailed control.
The delicate balance in compliance focuses on effective strategies to mitigate risk. The effectiveness of a strategy depends on acceptance by managers and employees and their follow through on specific control requirements.
Two significant themes have to co-exist in an ethical compliance culture.
First, a company has to commit to adhere to specific values and principles – trust and integrity. Assuming that the company commits to conduct itself and promote such values, the foundation exists for building effective controls to reinforce the company’s culture.
Second, a company has to commit itself to creating, implementing and enforcing a set of compliance controls as part of its overall set of internal controls. These controls have to be clear, communicated throughout the company, and understood by everyone. As part of this overall framework, the company has to enforce these controls, adhere to them in its operational activities and make sure they are operating effectively.
I often hear from compliance professional that compliance is not “rocket science.” In a way, this is an ambiguous statement – what precisely does it mean?
My first reaction is to agree – yes, compliance is not rocket science, meaning it is not hard to figure out how to design and implement an effective compliance program. But there is more to the design of effective controls, or how to address a specific risk.
I have a different perspective on this issue. A CCO has to possess a number of important talents to bring about an effective compliance program, including creativity, intelligence, inter-personal skills, and leadership. Effective compliance, however, does not depend on the actions of one person, even the CEO. Effective compliance turns on an organization’s commitment that reflects the actions of key stakeholders and a consistent demonstration of such commitment.
While effective compliance programs do not require “rocket science,” they do require inter-dependent functions to coordinate and cooperate with each other. The inter-dependency of compliance functions is perhaps the most important aspect of a compliance program that needs to be viewed and understood from a macro-level all the way down to a micro-level understanding of specific controls and how they coexist.
While I may have garbled the last idea, my point is that compliance is a delicate operation requiring careful balances within an organization. Each culture and organizational framework is different. Once the landscape is understood, it is not so difficult (i.e. not “rocket science”) to envision an effective ethics and compliance program from this perspective.
In the end, compliance may be more difficult “in the doing” than it is in the “designing.” Common sense, inter-personal skills and leadership qualities are not something that appear out of thin air – compliance professionals have to possess those skills but more importantly understand how to use them to support and important organizational goal – effective compliance.