Understand why compliance programs fail, and where you can identify failure points and vulnerabilities before they become liabilities.
What is a compliance program?
Corporate compliance programs assure that your organization complies with any laws and regulations that apply to it. They demonstrate that your policies and procedures address your organization’s risks in a practical and effective manner, and the steps within a compliance program can range from developing new training to investigating complaints.
In addition to adhering to rules and documenting your adherence to the rules, compliance programs are also about building and managing systems to assure regulatory compliance at all times.
Over time, compliance programs have assumed more duties because the risks to organizations have increased.
While many of those risks are rooted in regulatory compliance (for example, trade sanctions, data privacy labor standards, environmental regulations, and so forth), another risk is the loss of your organization’s reputation with consumers, business partners, and other stakeholders. Preserving that reputation is a high priority for boards and management.
Why are compliance programs important?
Foremost, compliance programs are important because they’re required by law. Even though the average multinational organization spends several million dollars a year on compliance (and in highly regulated industries such as financial services, much more than that), businesses continue to invest in compliance simply because they would face even greater liability should some corporate misconduct scandal happen to them without a compliance program.
Simply put, not having an ethics and compliance program is a liability too significant for any major firm to ignore. The best way for your organization to avoid penalties imposed by state, federal, or overseas regulators is to demonstrate that you are genuinely trying to obey corporate compliance laws.
Compliance programs do just that. They generate the proof, which your organization can then show to regulators or law enforcement.
What makes a compliance program effective?
An effective compliance program demonstrates that your organization is both aware of the rules and laws that apply to it, and also that you’re taking all reasonable steps to obey those rules and laws.
Ideally, an effective compliance program would prevent companies and their employees from committing various offenses. In reality, an effective compliance program will allow for the early detection of those offenses and give your organization the chance to fix them.
According to the Department of Justice (DOJ) and the Securities Exchange Commission (SEC) FCPA Resource Guide, the hallmarks of an effective compliance program include senior management support, adequate resources, clear policies, training, periodic evaluation, enforcement of policies, third-party due diligence, and internal reporting mechanisms.
Altogether, those specific steps are a reflection of one larger concept: a strong corporate culture.
An effective compliance program creates a corporate culture where management supports and engages with your organization’s compliance efforts, and employees throughout the organization are committed to those efforts as well.
Commitment and engagement come from training management, employees, and third parties in compliance with your organization’s anti-corruption policies and procedures. It also means providing a forum for feedback, regular monitoring and assessment of risk activities, and regular evaluation of your compliance program.
An effective compliance program should also establish channels that allow for anonymous reporting and guidance about prohibited conduct without fear of retaliation.
Creating a supportive corporate culture means creating an environment where employees obey the rules not just because they fear getting caught; they obey the rules because they care about the importance of acting legally and ethically in the first place.
All that said, sometimes compliance programs fail.
Why do compliance programs fail?
Because compliance programs have so many moving parts, your compliance program might fail at specific tasks. That only means your program is ineffective at certain things.
Failure of an entire compliance program is much larger, and has different causes.
Compliance program failure can be defined as persistent shortcomings across a range of tasks, despite repeated attempts to remedy those shortcomings. Even organizations spending millions of dollars annually on compliance programs can experience a “whole program” failure.
Sometimes the failure is due to lack of substance; organizations can’t design effective compliance programs without effective measurement tools.
Other times, organizations produce what the Justice Department calls “hollow facades.” For example, an organization might rely on training completion rates as an indicator of compliance — but they don’t cite training rates because that’s the proven way to measure ethical success (it isn’t); they cite training rates simply to demonstrate to regulators that they’ve accomplished the task.
Many companies can produce large binders of policies and procedures, or count the number of controls in their financial systems. What they don’t provide is evidence of having tested those policies, procedures, and controls. Similarly, they don’t count how many breaches they have experienced.
Businesses often hire more compliance managers, buy more sophisticated software, or create more policies to strengthen their compliance programs. These actions can be redundant and wasteful. They just don’t deliver results.
Ultimately, organizations continue to invest more in compliance because they don’t have the right measures to determine what works and what doesn’t.
Below, we have compiled a list of areas on which your organization should focus its compliance spending. Use it to determine in which areas you can improve.
Areas to focus your compliance spending
It would be convenient if there were a single, uniform way to measure whether your compliance program is effective. Unfortunately, simple metrics will not capture your program’s effectiveness. Instead, examine each of these areas to determine where your compliance program has room to improve:
A successful compliance program requires senior executives to emphasize that compliance is key to good business.
“Tone at the top,” or an organization’s general ethical climate as established by its senior executives, is often upheld as the most important aspect of an effective compliance program. If the board and senior management aren’t taking compliance seriously, your program is bound to fail.
“Mood in the middle” is also a key indicator of a successful anti-corruption program. If mid-level managers don’t enforce accountability for compliance or communicating the right messages, the risk of program failure is also high.
Basically, if top and middle support for compliance isn’t strong, nobody else will take your compliance function seriously either.
Assessing and understanding risk
Many organizations get caught up in the momentum of achieving goals without taking the time to assess and understand new risks. Others identify threats to their business using intuition and experience alone. Either group can miss significant risks when they don’t use a proven process to evaluate risks.
Thorough risk assessments can create awareness around business risks, which can then be managed or avoided by strengthening controls.
Monitoring the performance of your compliance program is crucial.
Routinely checking your adherence to and effectiveness of your compliance program is a key step to continual improvement. It highlights when policies, procedures, controls, and other program elements are not being followed, or when they need to be updated.
Policies and procedures
Overly complex policies written in jargon or legalese, or those that are simply assumed to be understood, can cause confusion and result in nobody following the policies at all.
Even worse are policies without procedures. To avoid the risk that policies will not be followed, organizations must explain how simple procedures can bridge the gap between policies and effective implementation.
Enforcement and corrective actions
In most cases, procedures won’t suffice to drive employees to the standards of your code of conduct. You’ll also need corrective actions and consistent enforcement for employees who violate the rules.
After all, your compliance program requires compliance from your employees. You’re asking them to do certain things, such as change their work practices, follow higher standards of conduct, report suspicions of wrongdoing, and so forth. This implies that your compliance program requires the capability to respond to employees either when they need help in those efforts, or when they break the rules.
Employees need to feel that their voices are heard.
Your organization should encourage employees to ask questions and report anomalies via a whistleblower hotline. Your employees should feel safe knowing that your organization is protecting their confidentiality in internal reports.
Likewise, include your compliance function in staff meetings; show visible support from the C-suite (see our previous points on leadership); have middle managers talk about the importance of compliance in routine settings. All of this will contribute to the success of your compliance program.
Elevating the compliance function is essential to its success. The compliance function must be recognized as an integral part of the business to be successful.
Lack of third-party oversight is a running theme in enforcement cases from the Justice Department and Securities & Exchange Commission. Improper dealings with third-party agents, suppliers, distributors, and other middlemen can have serious consequences.
Third-party management is about prodding your business partners to do something, whether that’s promising to use ethical sources in their own supply chains, implementing strong cybersecurity hygiene, or certifying their compliance to your anti-corruption standards.
If your contracts with third parties don’t include clauses allowing you to enforce compliance, you have no leverage to impose those standards. Hence it’s crucial to use your contracts to create that leverage for the future.
Priorities and incentives
In most organizations, any number of issues might compete with your regulatory compliance or anti-corruption program for employees’ attention. Executives need to assure that, for example, incentive-based compensation doesn’t send a conflicting message about the importance of ethical conduct; or that compliance is never considered when setting strategic goals.
Compliance programs can also fail when denied adequate human and financial resources. It’s crucial to make sure that your organization spends enough time and money on your compliance efforts.
Likewise, ineffective use of technological resources can lead to failure in compliance programs. Poor use of technology leads to poor visibility into corporate activity — and once your compliance program loses sight of how your business is really working, your risk assessments will start leading to wrong conclusions.
Inaccurate conclusions about risk lead to poor judgements about how to respond to risk. Using the appropriate technology can help avoid this potential failure.
How to avoid areas of failure
Effective compliance programs require a combination of creativity, testing, and careful model design to measure desired outcomes.
Compliance officers must adopt an evaluative approach to assure that the objectives set out by the compliance program are achieved. Whenever flaws or failures are detected, address them.
First, your organization should use empirical data, pulled from various compliance activities, to gauge how well your program is meeting its objectives.
Second, focus on creating models that measure the desired output while controlling or excluding other factors. You need to do more than simply track metrics independently.
The goal here is to develop a capacity to support compliance claims with better data and models. That process is only possible when the capabilities to measure a program’s performance (and measure them accurately) are in place.
Once you do develop those better measures of effectiveness, your organization can adopt more ambitious and innovative programs that work to curb improper behavior. Better measurement can also help your organization identify redundant or ineffective initiatives that can be replaced or eliminated.
Suggestions for success
Here are some basic steps you can take to create a successful compliance program:
- Start data analytics early. The sooner you start analytics, the better. Your compliance program can be more responsive to actual conditions in the company, making data analytics essential.
- Incorporate ethics into employee training. A good ethical foundation helps employees to anticipate risk. Training programs focused on ethics will assure that when employees do encounter a dilemma, they can rely on ethics to guide their decisions.
- Use your contracts with third parties. Outlining compliance expectations when you create your third-party contracts will allow you to hold your third parties accountable.
- Protect confidentiality in internal reports. You will help your employees trust that your organization takes their concerns seriously by protecting confidentiality. Anonymity and confidentiality build trust because the whistleblower gets to control when they might disclose their identity.
- Test internal controls often. Testing controls is a crucial part of compliance programs; you won’t know whether they’re strong or not until you test them. This can ultimately prevent a compliance failure, rather than just let you know that you have one.
There are also a number of governance, risk, and compliance (GRC) tools that can help your organization execute an effective compliance program.
For example, ZenGRC, a governance, risk management, and compliance solution from Reciprocity, will help your organization manage risk and compliance with confidence.
Compliance programs and ZenGRC
As we mentioned above, using the wrong technology solutions to manage your compliance program can lead to disaster.
ZenGRC covers all your risk and compliance needs by delivering a flexible, centralized solution that eliminates tedious manual processes and the time and resources associated with them.
Pre-loaded with compliance framework content supporting more than 30 standards and regulations, ZenGRC not only saves time. It also helps identify gaps and overlaps of running multiple programs at the same time.
A powerful combination of continuous monitoring and unified control management across frameworks gives you real-time control status, and pre-built compliance dashboards provide visibility into completed tasks, open items, pending deadlines, and more.
Let us help you understand what you need for a successful compliance program, with unmatched technical capabilities including automated evidence collection, compliance dashboards that provide a holistic view into your compliance program, and GRC expertise.
Sign up for a demo today to ensure your organization has the best tools for your compliance program, the Zen way.