Everyone knows the old saying about how tough cases make bad law. What we’ve also discovered in recent years is that daunting business conditions make for desperate—and ultimately ineffective—compliance. The problem that continues to plague U.S. and global companies is that we have essentially swung from one perilous extreme to another.
We began during the early part of this century in a business environment where compliance programs were often window dressing. There was little if any effort to actually educate key business operatives as to what was required of them to ensure that a culture of compliance would prevail. No one much cared, really, until, to paraphrase Warren Buffet, “the tide went out, so we found out who was swimming naked.” Compliance was often the missing swimsuit. At the turn of this century, some public companies did not even have compliance programs.
Then came incessant corporate scandals that would rock the marketplace. Many companies rushed toward instituting some sort of compliance program as a quick fix to hopefully placate regulators and presumably indemnify themselves from the actions of a “few bad apples.” But some important elements were missing. In many ways, the compliance framework was created, but there was no one minding the store to make sure that the protocols were actually implemented and followed on a daily basis.
Happily, the compliance mindset is changing and it now seems as if more companies are finding ways to tailor their compliance programs to their own risk cultures. Consider a few of the forces transforming the compliance landscape.
First and foremost, the chief compliance officer (CCO) has emerged, not as a titled bureaucrat but as a true strategic advisor to C-suites and boards. CCOs are participating in business conversations with an eye toward implementing, not just articulating, compliance mandates. They are raising issues and asking questions before problems arise and, because they are doing so, compliance considerations now get taken into account early in the business decision-making process, at a point when solutions and alternatives are more readily available.
Far from boilerplate, risk-based training is now sensitively keyed to the corporate risk culture. Today’s training includes live, person-to-person interaction as well as subject-matter specific tailored programs. Delicate, troubling questions from employees are encouraged, as is training feedback. Independent hotlines are administered, and every complaint is addressed.
Third-party due diligence has skyrocketed. A few years ago, no one was doing due diligence on perhaps all but its most important trading partners, and much of that due diligence was financial in nature, to make sure the investment or partnership would be economically sound. Now, due diligence has taken on an altogether different meaning. Companies are now looking to see whether their partners and subcontractors are compliant with laws and regulations, both with U.S. as well as local law.
For all the progress that has been made to sail a safe course between the twin devils of “no compliance” and “boilerplate compliance,” challenges remain, particularly because the compliance department is still often perceived as a burden to business. The solution is in the numbers themselves. It has been proven that businesses that lack a strong compliance framework tend to be less profitable than ones with a strong compliance backbone. In addition, CCOs can point to litigation avoidance as well as their role in preventing the increasingly astronomical fines levied by regulators on other companies as evidence of incalculable bottom-line benefits. But the cost-benefit of compliance is not limited to just deterrence; indeed, more awareness can be generated out of the compliance department’s contribution to business opportunities.
After all, business by nature comes with an inevitable amount of risk. In order to be successful, a company must be willing to take on new endeavors and challenges. But, as companies have come to learn, risk is also something that has to be resolutely managed. And compliance must be at the forefront of managing that risk.