Mistakes are common. We all make them. According to my teenage kids, I make mistakes every single day! Some mistakes are benign; no one gets hurt. But some mistakes are costly and can lead to potentially catastrophic results. Whereas some individuals may have the luxury of making the same mistake twice, for many a single mistake may cause irreparable harm. Nowhere is this more evident than in the compliance field.
Compliance officers are often a company’s last line of defense against the occurrence of very bad things. They are a myriad of things all rolled up into one: teacher and advisor; counselor and prosecutor; and above all champion of integrity, whether a popular choice or not! Like raising teenagers, it is oftentimes a misunderstood and thankless job. And despite all the pressure of getting it right all of the time, they too make mistakes. But unlike a simple inchoate mistake, mistakes in the compliance arena can have dire consequences.
I’ve formed, managed, and investigated numerous compliance programs over the years. There is one constant: no matter how big or small the size of the enterprise or the size and sophistication of the compliance program, bad things still tend to happen. When they do, light shines on every nook and crevice of the offending company and its compliance program. Most control failures are not readily evident; they tend to be insidious—that is, most every compliance program is built around the same set of principles and guidelines. And yet, breakdowns managed to occur. Why is that? Three fundamental yet seemingly innocent mistakes form the root cause of many compliance breakdowns: failure to build, failure to embed, and failure to teach.
Putting the cart before the horse: building the compliance program before understanding the business and culture
There is no ‘one size fits all’ approach to building a compliance program, yet many compliance officers approach it as such. There are scores of guidelines, articles, handbooks, and the like on how to build an effective compliance program according to the OIG 7 elements. Upon examination, most compliance programs look alike. The policies and standard operating procedures (SOPs) look similar, as do the compliance reporting and committee structure. Even the training materials look alike. But does it all work? Have you really built an effective compliance program tailored to the specific requirements and culture of your organization?
Most compliance programs are built from the top down, instead of from the bottom up. Policies are written, SOPs developed, and an audit and monitoring plan deployed. Most often, the program is developed within the corporate center, with compliance and legal personnel who reside at the corporate headquarters. Once packaged, the program is rolled out through the organization; training occurs, and employees are obligated to comply with the new compliance regime. But what about the folks on the ground in countries and markets in which arguably the greatest amount of risk to the enterprise is created? Do the new policies and SOPs translate well into the local business culture? Do they account for the way in which business is conducted in those markets? Most importantly, is the local infrastructure ready to accept, embrace, and fully implement the new compliance regime?
In order to build an effective compliance program, one must not only design the program tailored to the specific needs and inherent risks of the business, but one must also ensure that the company’s infrastructure is mature enough to absorb and embrace the compliance programmatic content. Too often, compliance professionals do not anticipate these structural issues and merely roll out the corporate program—approved at the center by HQ folks who perhaps lack the understanding of how the various components of the compliance program will be socialized in the multiplicity of divisions and geographies in the organization. A compliance program is only as effective as its comprehension at the point where transgressions occur. Understanding those touch points—and ensuring that the compliance program is built around them—will maximize the chance of success.
Problem solving versus lecturing
How many of you have been referred to as the sales prevention department, the business interruption department, etc. Funny? After a while, probably not. Being the enforcer of the rules in any aspect of life, be it parenting, law enforcement, or compliance enforcement, doesn’t win you any popularity contests. It’s tough being the bearer of bad tidings, especially to friends and colleagues. And yet, that is what a compliance officer is on occasion—and sometimes frequently—expected to do. While we operate in shades of gray, and every company’s appetite for taking risks tends to vary, there are occasions when “NO” is the only answer. But I submit to you that the issues we confront in our daily compliance lives are rarely that clear.
Compliance officers are not sales representatives, yet a little “selling” of their advice might go a long way in building trust and respect. It’s much easier to say “No” than to say “Yes.” “No” tends to be the path of least resistance. I always instruct my lawyers—especially the junior lawyers—that a mere “no” without more is unacceptable. After all, we are business partners and are equally invested in the success of the endeavor we collectively support. Our job is to help develop and sell solutions to our client’s problems. More often than not, there is a way to accomplish a client’s business objective that is compliant with law and company policy. Getting them to that point is our job. Instead of saying “No,” a phrase to the effect of “I see where you going with this, and while the option you propose may create problems xyz, I might suggest that you consider abc as an alternative.” Sounds simple, but a simple change in tone and approach can go a long way in establishing rapport and respect and building trust. Listen, don’t lecture. Teach, don’t preach. Above all, solve, don’t dissolve. Establishing yourself as a creative, supportive partner will earn you the runway of respect that you will need when, for very valid reasons, “No” might be the only answer.
Learning before Training
Lawyers (and I am one) are great at creating busy PowerPoint slide decks full of recitations of the black letter law, the litany of prosecutions, and the bad things that happen to companies when they run afoul of those laws—the “parade of horribles,” as we used to refer to them. Old Testament fire and brimstone stuff. In our rush to “educate”—and frankly scare—our clients into obeying (and hiring) us, we never actually took a step back to measure the effectiveness of our approach as a teaching tool. That is, we weren’t teaching, we were lecturing.
Training programs need to be designed to be effective at the lowest common denominator—the mechanic on the production line, the sales representative on the streets, the government contract manager, the supply operations manager. These are people on the front lines where the majority of risk is created. And yet, are training materials developed with their consultation? Do we truly measure the effectiveness of our training materials, or do we simply take the product that was created at Corporate HQ, translate into the local language, and roll it out? Effective? Informed? In most cases, no.
I once trained a group of sales representatives in Italy. I had our centrally created materials translated into Italian and retained a local translator to assist. Halfway through my presentation, I cast my eyes out into my glazed-over audience and saw that what I was doing was completely ineffective. A waste of my time and theirs. Try explaining to an Italian sales rep the meaning of FCPA and why they should care about it! Just another U.S. law that they could certainly not care less about (in their minds). It was clear to me that the moment I completed my training and left, they would simply go back to business as usual, as if I had never bothered to visit. Instead of droning on, I stopped and began to ask them questions. Did they understand our policies? What did the policies mean to them? How would the policies impact their daily business lives? And most importantly, how practical were these rules as applied to their business culture? In other words, I stopped lecturing and I listened. As a result, I developed an understanding of the issues they dealt with and tailored my message accordingly. They were therefore trained in a manner that they understood and could relate to.
I tend to view people and their motivations in a mostly positive light. My experience is that people for the most part want to do the right thing. They want to follow rules and act with high integrity and morality. But we must help them get there. We must clearly explain the rules, why they are important, and how these rules socialize with their daily business lives. We must make the rules and regulations meaningful to them. Teach. Don’t lecture.
Compliance executives face a daunting task, made all the more difficult by evolving laws, regulations, and politics. Avoiding these three simple mistakes won’t necessarily make your job easier, but it will make you a more effective compliance officer.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.