Compliance Program Evolution and Proactive Strategies (Part III of III)
Sometimes what folks label a “new idea” is not so much of a new idea as the application of an old solution to a new discipline. I do not mean to be cryptic, but I am going to explain my point by referring to an area where I have had lots of experience – criminal law enforcement.
In the wake of the terrible tragedy of 9-11, law enforcement (and in particular the FBI) had to recalibrate to a new mission: investigate and infiltrate terrorist organizations and develop proactive strategies to intervene and prevent another terrorist attack. This was a fundamental change in the FBI’s mission.
Traditionally, law enforcement operated in a “reactive” mode. In response to a crime, the FBI investigated the crime and prosecutors sought to convict and punish the criminal. Of course, part of this mission was to prevent a criminal from committing more crimes and the FBI acted to “prevent” future crimes.
But the change in the FBI’s mission was two-fold – it required the organization to merge together its intelligence and investigative functions to develop proactive strategies. While the FBI uses traditional tools (e.g. search warrants, wiretaps, FISA surveillance), its mission is to intervene prior to a terrorist attack and prevent the crime from occurring in the first instance.
In an analogous context, compliance is undergoing a change from reactive to proactive strategies. In response to misconduct, companies aggressively investigate the conduct and seek government leniency for its efforts. companies continue to rely on “historical” conduct by testing and auditing employee compliance with internal rules and controls (e.g. third-party on-boarding, gifts and hospitality). Audits and reviews are designed to identify past failures to adhere to compliance and financial controls.
New compliance technologies, data analytics and real-time (or close in time) monitoring is quickly transforming the monitoring function to permit earlier identification of potential misconduct and intervention to remediate. Usually, this does not mean catching a bad actor before he or she steals money, but it can result in earlier identification of an ongoing scheme. Just as important, however, compliance monitoring, if implemented properly, may be able to identify poor employee moral or other conditions that might result in higher risks of misconduct.
The future of compliance, therefore, is premised on proactive solutions that do not depend on reactive investigations and findings of misconduct. A traditional historical look at rule and control compliance is one thing but imagine if a compliance officer and auditor is able to sift through data to identify potential problems, i.e. anomalies, before they ripen into a more costly problem.
The same principles apply with even greater force when measuring and monitoring a company’s culture. As new strategies develop to monitor and “remediate” deficiencies in a company’s culture, whether it is in a business office or division, or specific operation, a company’s ability to monitor and measure its culture can provide important leads on remediation strategies to improve a company’s culture and thereby reduce the risk of misconduct.
These proactive strategies also have to incorporate new ideas in behavioral sciences and individual motivations. It is too simplistic to characterize these efforts as analyzing what makes people tick – instead, behavioral science provides important insights into using incentives and deterrence to improve overall corporate behavior.
This does not mean that compliance rules and financial controls are not important. To the contrary, proactive strategies are an effective way to prevent serious misconduct and harm to the organization. Compliance programs have the capability to develop new data monitoring strategies – the trick is to develop reliable indicators of compliance program performance, apply monitoring strategies, gain business acceptance and understanding of the importance of data and monitoring activities, and fully commit to a proactive compliance program strategy.
Some basic procedures have to be established.
First, a company has to identify and agree on a set of performance indicators.
Second, it has to commit to measure these performance indicators to develop trend analysis. A baseline measurement has to be conducted so that future measurements can be compared.
Third, a company has to commit to addressing potential gaps in performance, meaning indications that the compliance program performance is falling according to performance indicators.
Fourth, companies have to hold managers and employees accountable for performance.