Enforcing Corporate Compliance Policies and Controls
The government has emphasized the dangers of a paper compliance program, meaning a compliance program that is written down but not implemented. We all have seen programs that fit this bill, and they are discouraging. They are exhilarating when written out because they are usually comprehensive and ambitious. But such positive feelings can quickly turn negative when you start to kick the tires and find nothing under the hood.
A paper program, however, is an extreme situation. Today, I want to focus on something short of a paper program – a paper policy (or even multiple policies).
What happens when a company has a written policy, has controls embedded in the company that are designed to implement the policy, and employees nonetheless ignore the policy?
This is an interesting situation, especially when managers and even senior staff note that the policy is not being followed, nor is it being enforced. Despite the government’s perception, no set of compliance controls is perfect. If employees want to avoid a policy, there are situations where they can avoid (or circumvent) the policy. I often hear about this issue when it comes to gifts, meals, hospitality and expense/credit card reimbursement.
This is where you will often hear the phrase “slippery slope.” A compliance officer has to prioritize his or her work and when a compliance policy or procedure is not being followed, the compliance professional has to decide when to intervene or address the issue.
The danger here is fairly obvious. If employees perceive that a compliance policy or procedure is neither followed nor enforced, there is likely to be an impact on the company’s culture and its commitment to ethics and compliance. A compliance officer is unable, by definition, to put out every fire in a company, so there has to be a consideration of whether to address a particular issue, when to address it and how to address it.
A compliance officer loses an important trait when he or she ignores this kind of problem — organizational credibility. A CCO should never seek to encourage a perception of himself or herself as the company’s “sheriff.” To the contrary, a CCO’s primary appeal is to the company’s “better angels,” meaning to inspire and reward ethical behaviors.
However, there comes a time when the CCO has to be the enforcer. The CCO has to ensure that policies are not just for policies’ sake, but for ensuring conduct and preventing misconduct. In this respect, the CCO has to communicate within the organization that the company expects employees to follow the rules and comply with its procedures.
Please do not misunderstand my point – a CCO has to prosecute those cases using intelligence, compassion and discretion. An inflexible policy one way or the other is guaranteed to fail. But organizational credibility requires consistency and commitment. Avoiding issues because they are difficult or may be unpopular is not a way to instill organizational credibility.
A company has to have policies and procedures that are developed through consensus, supported by leadership, embedded in the business, and enforced appropriately when violated or ignored. Of course, a CCO has to pick and choose his or her battles in the corporate governance world, but this process requires CCOs to ensure that the message is clear – senior leadership, managers and employees have to follow the rules.