The Delusion of a Barebones Compliance Program
Instead of wrestling over the definition of an “effective” ethics and compliance program, let’s take a step back and define what we all agree is an “ineffective” compliance program. Unfortunately, when you work in the real world, some Chief Compliance Officers, along with senior management and the members of the board of directors, are supervising and administering compliance programs that fall far short of the “effectiveness” objective.
Again, if you give everyone truth serum, they will admit that their compliance program falls way short of effectiveness. In other cases, the failure to recognize deficiencies in an ethics and compliance program reflects a lack of understanding or education, especially among the CEO, senior executives, and board members. In most cases, they have no clue what an effective compliance program should look like. The responsibility for this lack of education sometimes rests with the CCO who is unwilling or unable to educate and train the board and senior executives.
So what does an “ineffective” compliance program look like and why are important stakeholders deluded into thinking that their compliance program is effective?
CEOs, senior executives, and board members believe that the company’s compliance program consists of certain minimum elements – a code of conduct, a letter from the CEO supporting the code of conduct, a hotline to report employee concerns, a video statement from the CEO, which may be updated annually, an annual training program and certification of compliance with the code of conduct, and a library of policies and procedures that cover the basic risk factors, including anti-corruption, trade compliance, antitrust and other basic risks.
Now, let’s notice what is missing from this skeleton program:
- Evidence of ethical communications or conduct by a board of directors, CEO and senior management;
- A risk and compliance program assessment or continuous process to update assessments and update the ethics and compliance program;
- An automated due diligence program to screen, monitor and audit third parties, including vendors and suppliers;
- Robust training program beyond the basic code of conduct that is tailored to identified risks;
- Evidence that the compliance program has been operationalized through coordination with legal, human resources, internal audit, finance, and security;
- Operational justice through timely resolution of employee concerns, and even-handed punishment and discipline for offending officers, managers and employees;
- Regular CCO reporting to senior management and board committee; and
- Mature audit and monitoring of compliance program, including detailed data collection, analysis and continuous assessment.
Many companies are lacking in many of these basic requirements for an effective compliance program. Companies that have been investigated by the government often respond and implement compliance programs. Unfortunately, reactive ethics and compliance programs are often created for the wrong purpose – as a defense against another government investigation. Companies that embrace the value of ethics and compliance programs for long-term sustainable growth are on the right path.
Board members, CEOs and CCOs have a responsibility to avoid complacency and to challenge the status quo when a company’s compliance program is deficient. To the extent the board, the CEO and senior executives are deluded in their belief that the company’s ethics and compliance program is adequate, the CCO has a responsibility to inform, educate and notify company and board officials that the company’s ethics and compliance program should be remediated. A CCO who keeps silent to get along with key leaders will eventually come to the point where he/she will question his/her own integrity. In some cases, the CCO will have to make a choice – if he/she cannot bring about change, the CCO may have to leave the company rather than continue to aid the company’s inadequate ethics and compliance program.