Last week, we made a trip to Zurich, Switzerland for client work and after finishing a day early made a side trip to Stuttgart, Germany to tour the Porsche factory. Our friends at Porsche North Houston suggested we make the trip and showed us how to set it up. The trip got us thinking about our work in compliance.
Stuttgart is where Porsche builds its fabled 911 model car. There are 20 different versions of the car. The factory tour is a testament to Porsche's quality standards. We watched as 911 body shells painted in guards red, Miami blue, racing yellow, carrera white, jet black, and chalk danced along the assembly line while nimble Porsche technicians carefully attached parts to the cars. Because each 911 is different (potentially a different dashboard leather, instrument dials, interior options, engine and braking components), each part is barcoded to a particular car. Little robots move the parts to different stations where the technicians meticulously attach them to whichever car those parts belong to. Santa likely uses the Porsche factory as his benchmark. They also make the entry-level Boxter model on the same line, making the work even more complicated. At the end of the tour, a stack of merchandise at the gift shop reminds you that Porsche has won the world's greatest endurance race in Le Mans (set to begin later this month) 18 times. After the tour, the wins made perfect sense.
We were in Europe for compliance work. And as we drove back to Zurich on the Autobahn (as fast as our Fiat rental car would take us), we were reminded of the importance of defined processes and monitoring in effective compliance programs. We also learned that "ausfahrt" means exit, but that's a different column.
Modern compliance programs excel at managing data and performance. For instance, if you set up a program designed to address the e-commerce risk of consumer protection. After understanding how the organization runs and performs a particular type of activity, the program should include the right organization, a process to evaluate the risk environment the business faces in this area, policies and procedures that are mapped to different risks (for example, a policy to address the risk of access and/or sale of restricted products), training and awareness for employees who manage different aspects of this business, and a process for monitoring and auditing this program to follow up on potential compliance failures through internal investigations. This is compliance 101.
What makes the work of compliance professionals more challenging is that these processes have to fit the business—a sort of "design thinking" focused on the end-business user. And the program has to have a way to measure effectiveness and success. For our consumer protection example, this could include marketplace seller performance monitoring—evaluations of the sale of restricted products to ensure that the company is complying with its policy addressing the risk of access or sale of restricted products. This does not work if the key elements such as policies, procedures, and structure are not in place. Simplicity and efficiency are, of course, key tenets of these basic building blocks. But mature programs focus on indicators of effectiveness—ways to know the program is working. If you go back to the Porsche factory, the car parts all contain different barcodes that trace the parts to a specific car. If Porsche discovers an issue with a specific part, they can quickly identify which car has that part and trace it from the factory all the way to Porsche North Houston and the end-user customer.
And they understand their customers. Porsche is one of few auto makers to offer manual transmissions on their top-end sports cars like the new 991.2 GT3—purely because they understand this is something their customers want. Compliance programs have to understand their customers too. Porsche customers don't need to see the Porsche factory to understand that the company gets its customers. You walk into a dealer and immediately get that sense. Porsche sells 20 different model 911s to appeal to a span of different customers—from the customer who wants a track-focused GT3 to the customer who wants a convertible to drive down the Pacific Coast Highway. Customers do not need to think about different models of the same car that serve different markets, they just need to know that the company provides what works for them. Compliance programs should offer businesses the same sort of bespoke simplicity. You hear at conferences the cliché that there is no "one size fits all" compliance program. But that's obvious to anyone who has built a successful program because every business is different.
The final lesson we took from the Porsche factory is an obsession with quality improvement. The Porsche factory is obsessed with trying to make processes simpler and more robust. The factory tour guide impressed our group with the evolution of the factory and maximization of resources available on the small footprint of the Stuttgart factory. Compliance programs have the same challenge to continually evolve and mature, including finding new ways to evaluate the program through audits and data analysis. As the business changes, so should the compliance program. For our consumer protection example, this may mean analyzing data to identify restricted products and prevent them from posting on the marketplace. And adopting the monitoring process to new products and market risks.
The ultimate goal is a program that works with the business. At the end of the Porsche assembly line, the chassis (e.g., engine, brakes, and drive train) drops seamlessly onto the body and interior of the car. A compliance program should fit together with the business just as well.
Ryan McConnell and Stephanie Bustamante are lawyers at R. McConnell Group—a compliance boutique law firm in Houston, Texas with Fortune 500 clients across the globe. McConnell is a former assistant U.S. Attorney in Houston who has taught criminal procedure and corporate compliance at the University of Houston Law Center. Bustamante's work at the firm focuses on risk and compliance issues in addition to assisting clients with responding to compliance failures. Send column ideas to email@example.com. Follow the firm on Twitter @RMcConnellGroup.