Seven Signs of Ineffective Compliance Programs

Over the years of designing, implementing, evaluating, and improving compliance programs, I have come to recognize indicators of what I believe to be ineffective and outdated compliance programs. I define effectiveness by a company’s ability to evidence program achievements in actually detecting and preventing misconduct and reducing conduct risks in measurable terms.

Lack of Financial Discipline. In my experience, failed compliance programs have always mirrored dysfunctional financial systems: an utter lack of centralized visibility into financial transactions. These are companies with either no enterprise resource planning (ERP) tools or a multiplicity of them that are not integrated, vendor and supplier databases that are out of date, payment methods with inadequate controls, and financial ledgers that are simultaneously duplicate and incomplete. In my opinion, it is impossible for an effective compliance program to exist in a company that lacks financial discipline.

Legal Dominated Compliance. Companies that treat every compliance issue as a legal maneuver, write policies like mortgage documents, and cloak everything with attorney-client privilege tend to be less interested in whether their programs actually work and more interested in how they look as a legal defense. They are often fearful of asking questions, gathering data, analyzing root causes, sharing information, or trying new approaches, all because they are uncertain of how the findings and results might affect their legal posture. In contrast, effective compliance programs succeed at continuous improvement, often despite their legal instincts, because they are focused on behavior engineering and choice architecture rather than legal posturing.

Citing Sentencing Guidelines as the Standard. This is the organizational equivalent of asking “how good do I have to be so that, when I am caught committing a crime, I won’t have to go to jail?” Effective compliance professionals think of the Sentencing Guidelines the way honor students think of passing grades: they are way past them! Effective compliance programs do not aspire to meet minimum legal standards set for convicted felons: they aspire to prevent, detect, and remediate real risks in real time so their companies never have to encounter the Sentencing Guidelines.

Counting Training Completion Rate (and other invalid or incomplete metrics). If you are still counting training completion rates and CEOs’ pro-compliance messages to measure your compliance, you are demonstrating only the mere existence of a program. Incomplete and invalid metrics do not constitute evidence of effectiveness. I have been humbled to see compliance programs that use scores of metrics and data to assess, monitor, investigate, and measure their risks and compliance on an ongoing basis in real time. Those are the standards being set.

Focus on Due Diligence Rather Than Management. In the Evaluation of Corporate Compliance Programs document issued by the Department of Justice’s Fraud Section, the phrase “third party due diligence” is not found. Instead, there is a section on Third Party Management. Effective compliance programs recognize that real risks arise during a company’s working relationship with employees or vendors, not just when the relationship begins. These programs manage those relationships through active and continuous monitoring. A due diligence effort at onboarding tells you what the risks might be; diligent management and monitoring tells you what the risks are right now.

Single-Statute Compliance. Companies that equate compliance programs with a single statute – most frequently the Foreign Corrupt Practices Act (“FCPA”) – tend to have a more compartmentalized approach that fails to drive organizational culture and controls holistically. The more effective programs recognize the common elements that underlie ethical conduct across the board: transparency, respect, engagement, accountability, discipline, etc. There is a growing realization that an anti-corruption message is unlikely to stand alone and prevail in an organization that cheats its customers, shortchanges its suppliers, or ignores signs of financial fraud.

Disproportionate Focus on Gifts-Meals-Travel-Entertainment. This is a sibling of FCPA-focused compliance, one that demonstrates a rudimentary understanding of risks. I have never seen a company whose largest category of spending is gifts, meals, travel, or entertainment, yet I have seen many multiples of the compliance hours spent on these categories compared with million-dollar distributor discounts or hundreds of dollars in marketing funds. In immature compliance programs, the amount of time and angst sweated over these categories is disproportionate to the risk they represent.

Hui Chen was the Justice Department’s first-ever compliance counsel expert before leaving in June to start her own private compliance consulting service. Before she joined the DOJ, Hui served in global senior compliance lead positions at Microsoft, Pfizer, and Standard Chartered Bank.