Voluntary Boundaries of Compliance: How to Draw the Line
(This article was contributed to Corporate Compliance Insights by Mr. David Childers, the CEO and President of EthicsPoint as well as a charter member of the Open Compliance and Ethics Group (OCEG). David Childers can be contacted by email at the following address: dchilders[at}ethicspoint{dot]com).
——————–
In the almost seven years since the passage of Sarbanes-Oxley, compliance and risk professionals have worked diligently to be in compliance with the law and sustain an ethical culture. You would think more than two-thirds of a decade would be sufficient time to get it right, but that assumes Sarbanes was all they had to contend with. Unfortunately, during this period more than 18,000 additional laws and regulations have been passed in the United States alone. Each requires either a cursory review or the direct attention of CEOs, Boards, or compliance professionals.
Recognizing that compliance is a moving target, organizations must determine their long-range compliance strategy. Will they study and define a minimum set of standards to achieve compliance, or seek to fund and refine a very broad set of initiatives to ensure minimal out-of-compliance risk, or something in between?
Having worked closely with compliance professionals for many years, I know they will admit three things are true. First, compliance and regulatory pressures continue to grow. (If in doubt, all one needs to do is look at the most recent wave of new requirements attached to the Stimulus Act, because many of these have a rippling effect that is staggering). Second, they are currently faced with a difficult economic landscape; organizations are looking to mitigate risk while optimizing their compliance expenditures – in other words they are challenged to do more or the same with less. Finally, an organization that only develops and adheres to a minimum set of initiatives – what the Open Compliance and Ethics Group calls a “mandatory boundary” for their compliance spectrum – will find that once they realize they are approaching that mandatory boundary they are generally already out of compliance.
In order to determine the optimal compliance boundary for your organization, it’s useful to consider the complexities by following the framework outlined below. There is a direct correlation between the amount of knowledge you have access to and the unknown risk potential you face.
Organizations should start their risk boundary analysis by studying their compliance risks from both the perspective of their organization and the general industry in which they operate. These two factors frame a mandatory compliance boundary, and begin to outline the people, process, and technology initiatives necessary to gather risk feedback.
Organizational Complexity deals with operational size, scope and your existing compliance strategy. For example, what geographies do you serve? How many organizational entities do you have? Total headcount? Union or non-union? Weak culture or strong culture? And, what history does your organization have when it comes to regulatory compliance?
Observation and study of your industry forces you to consider the important fraud and risk components associated with the industry vertical(s) in which you operate. There are a number of great studies that can provide insight into the governance, risk and compliance (GRC) challenges each industry vertical faces. But we all recognize that a retail operation faces a dramatically different set of fraud risks than does a petro-chemical company.
Organizational and vertical risk is fairly well understood, but it’s the “voluntary boundary” I want to focus on now. What you decide here (how much risk you are willing to take, what additional controls you’ll implement, how many people you’ll devote to management, and so on) all adds complexity and depends on a number of different variables. Since I don’t know a single compliance officer with an unlimited budget, understanding the return on investment a voluntary boundary or “risk” buffer contributes is an important concept to integrate into your GRC strategy. Once you have a good sense of the relative importance these issues play within your risk profile, you can turn your attention to creating your Voluntary Buffer.
You will want to take a hard look at the data points within your organizational complexity model and then either approximate or work from your history to estimate your potential for successful risk mitigation. You also need to consider the pace of regulatory change your organization faces. For example, the banking and finance industry, healthcare providers and assisted living centers, energy and utilities, organizations operating multinationally and others have seen a constant flow of new regulations for the past 24 months. Most recently, for example, is the myriad of new regulatory mandates around Whistleblower protection associated with TARP or ARRA payouts.
In today’s fast-paced, over-exposed multimedia world, you must also consider your social responsibility goals and how important these goals are to your brand value. Don’t overlook this step. Not only does the new Standard & Poor’s rating consider your social responsibility risk, but a recent Harvard Business Review article also showed that an organizational misstep involving a social responsibility issue was 7-10 times more negatively impactful to share value than a traditional fraud-based incident.
There are other prevalent risks, for example the DOJ’s renewed interest in the Foreign Corrupt Practices Act. If you work or have agents working multinationally, the penalty associated with an FCPA infraction that historically drew a fine of $1 million to $4 million has grown 10-fold in the past 12-14 months. If your business is energy related, you know that the Federal Energy Regulatory Commission (FERC) has made it very clear they are now an “enforcement agency” and their fines start at $1 million a day per infraction. Every organization has its own set of risks such as these that need to be considered within this framework.
Finally, you must evaluate your organization’s risk tolerance. This is a combination of a number of factors, not the least of which is the monetary significance and potential loss of marketplace momentum associated with the fines and penalties assessed for failure to be in compliance. Other factors include your M&A activities, regulatory history and board/investor make-up.
Once you have tackled these questions, successfully navigating a GRC boundary structure requires your organization to address two primary challenges.
The first challenge is the lack of information transparency. In most organizations, the information gathering process is inefficient, or the data is stored locally with limited access by those who might benefit from it. This information deficit is a result of organizations addressing compliance post-Sarbanes without a formal strategy. In fact, based on my observations, most organizations subscribe to a “whack-a-mole” approach, attacking each compliance or regulatory requirement with whatever resources are available.
Scott Mitchell, the CEO of the Open Compliance and Ethics Group, reported in 2008 that this approach has created anywhere from 4 to 15 compliance silos within an organization. These silos are fraught with inconsistencies, functional overlap, and protectionism. Finding a way to inspire synergy and transparency between these silos is an important step toward success.
The other challenge to success is transforming your organization from strictly tactical compliance policies to a strategy of principle-based compliance guidelines and thinking. Why? Consider these three words:
- Sub-Prime
- Madoff
- Siemens
Related to these debacles were lots of rules, no rules, or no way to build and communicate enough rules to keep the fraud or misconduct in check. My prediction for the immediate future is for even more rules. In fact, I recently attended the Ethics and Compliance Officers (ECOA) Sponsor’s Forum and found that the majority of the compliance professionals I spoke with are preparing for a tidal wave of new regulations. At the pace new regulations are likely to be promulgated after our recent economic meltdown, there is a genuine risk and high probability that you will never have all the necessary processes and policies in place within your organization to be fully compliant at all times.
That is why a strategy and code of conduct based on simple principles and guidelines is essential. A principle-based approach goes beyond simply imposing a core set of rules and seeks to embed appropriate core principles within the organization’s thinking or reasoning. Developing and training to a core set of values or principles allows a decision to be made that is integrity-based rather than simply rule-based.
In this case I am talking about moving your compliance program to more than just a “Ten Commandments” guideline, because you will never have all the rules written, disseminated and trained to.
Frankly, that’s why I joined the Episcopal Church, the home of “four commandments and six suggestions.” Principle-based ethics and compliance programs, just like the Episcopal Church, expect your team and stakeholders to think about the situation and govern their actions based on the integrity of their decisions or actions. Simple value-based questions are often the norm in a principled approach: “How would you explain this to your mother?” “If this were on the cover of the morning paper (even below the fold), how would you feel?” It is also based on an expectation that decisions made on behalf of the organization are grounded in integrity, honesty and respect.
Working from principle-based guidelines also makes it easier to adjust to or address new regulations. In most cases you will want a specific rule, but 95% of the time your established principles will suffice until you put a new policy or control in place. Training your team to act based on a set of core principles strengthens and extends an organization’s voluntary boundary and allows a compliance program to become a sustainable process. Perhaps as important, it will significantly reduce the likelihood of criminal charges being levied against your organization and the amount of penalties incurred should you be found in violation of some regulation.
The pace at which our world runs is not slowing, nor is the number of requirements we must follow to operate and capitalize on opportunities. Organizations that seek to manage their operational fraud and compliance risks by solely imposing rule after rule will never keep pace with change, and their workforce will never think for themselves. Only after we inspire our organizations, employees, and supply chain to reason through a lens of integrity, self-govern their personal actions, and influence the actions of their peers will we ever be able to achieve compliance with the law and maintain an ethical culture. By establishing an ideal risk profile and learning to live comfortably within the voluntary boundary that you construct, your organization can create a culture for sustainability and long-term business success.
Tags: Compliance, David Childers, OCEG