Whether you are building a compliance program or revamping an existing one, it makes good business sense to examine the models used by companies with successful track records. Five strategies stand out as common to businesses that have avoided compliance missteps and thereby minimized their risk of running afoul of regulatory authorities or, potentially worse, a vigilant plaintiffs' class action bar with a track record of filing potentially company-crippling class actions based on sometimes minor compliance mistakes.
The 5 things companies are doing right include compliance programs that are driven (and owned) by top management, clear compliance goals that exceed legal minimums, simplicity of message, hardwiring compliance into the entire organization, and designing compliance programs that can withstand challenge by proactive class action attorneys. Here are the strategies of successful companies:
Top Management Sets the Tone
The foundation for any successful compliance program is commitment from the top. Without that commitment – in resources, staff, and messaging – employees will not take a compliance mandate seriously, looking at it as just another “box to be checked.” Corners will be cut. Shortcuts will be taken. And the result, more often than not, will be noncompliance, with all its negative consequences.
Senior management must convey (through words and their own conduct) that employees who do not adhere to appropriate standards will be held liable for their failure. Impermissible actions will lead to meaningful sanctions, including loss of compensation, demotion, suspension or termination.
The board must convey this same message. The board should make it clear within the corporation and to shareholders that it is an independent body with ultimate authority over compliance success and failure. Board members must demonstrate that they are engaged, knowledgeable and available and are taking compliance issues with the utmost seriousness.
The Goal Isn’t Just Compliance, It’s Compliance Plus
What is your company’s compliance goal? Is it simply to do the bare minimum that is clearly required by the law? Or is there a way to use compliance initiatives to distinguish your company from the competition?
Successful companies are clear about their compliance goals. And they don’t just do the minimum amount required to be “compliant.” They set the bar higher. They figure that, if a regulator has gone to the trouble of enacting a new regulation or guideline, some pretty important people have decided this is a good idea. Agree or not, successful companies take the new standard and run with it.
If the regulator wants transparency in data-collection practices, the company ensures its customers receive clear disclosures and options about what information is being gathered and shared. With their own house in order, they might decide to inform others (regulators, journalists and perhaps customers) when competitors fall short.
Why do successful companies do this? Because they recognize the full magnitude of risk presented by compliance issues. Some less successful companies will attempt to skirt the edges of a new regulation, arguing that certain issues are “unclear.” Successful companies recognize these same ambiguities, but stay a safe distance from the line. They understand that unclear legal requirements are the playground of activist regulators, public interest groups and, worse yet, the plaintiff’s tort bar. Today’s “ambiguity” may be tomorrow’s multi-million dollar class action (and public relations) headache.
The Compliance Message is Clear and Simple
You may be surprised how many different answers you get if you ask any given business what compliance means. Some would point to HR. Some might point to financial reporting. Others might say corporate ethics, and still others would point to the legal department.
In truth, “compliance” encompasses all these things. Successful companies are clear about this. They understand that “compliance” means ensuring that the company is meeting (if not exceeding) all of its legal, regulatory and ethical obligations. They also are clear about who is in charge of each category of compliance.
Successful companies also focus on keeping the compliance message clear and simple. A compliance program is only as good as its implementation. If employees don’t know what is expected of them or don’t know where to turn for help, there is a huge hole.
In successful companies, employees are made aware of what is expected of them. Clear standards of conduct, policies and procedures are readily available. Standards state the rule and the basis for the rule, and provide examples of conduct that breaks the rules. Information as to where advice regarding the standards may be obtained and how violations may be reported is made clear.
Integrated Compliance, Across All Activities
Companies with successful compliance programs focus on integrating those programs into the business processes and incentive structures of the company. One example is product development. Rather than reaching the end of a product development process and having a quick “compliance review,” successful companies embed compliance professionals within the process, so potential issues are identified and resolved early, with limited expense.
Another example is compensation. You can tell a lot about a company by its executive compensation program. A company may tout its “compliance culture,” but if executives have financial incentives at odds with compliance, you have to question the company’s commitment. A great new business idea may produce immediate revenue, but if the idea creates compliance problems two or three years down the road, how is the executive compensated? Successful companies often integrate compliance considerations into the compensation system so executives have their eye on short-term gain, as well as long-term compliance.
The Biggest Risk May Not be the Regulators
Many compliance professionals are, understandably, “regulator focused.” They believe that, as long as they keep the regulators happy, they are doing their jobs.
Successful companies have a different mindset. They understand that keeping regulators happy is only the start. Regulators are all too eager to tell you how they are underfunded and understaffed. They have to pick their targets, and their battles. They often rely heavily on (and sometimes work with) the private plaintiff’s bar to manage the tension between aggressive enforcement goals and budget realities.
In many industries (the financial services and food & beverage industries are good examples), there are groups of extremely active plaintiff’s lawyers filing class action after class action, even for relatively minor technical violations. They take advantage of broad consumer protection laws like those in California, New Jersey and Florida to threaten a company with potentially massive exposure and cost, with the goal of creating sufficient pressure that a business will change its practices and settle. Smart companies are adopting compliance and risk management programs that focus not only on the regulators, but also on the plaintiff’s trial bar, which, in many cases, presents a greater risk.
Companies that “do compliance right” by following these five strategies can reduce their financial risks and regulatory exposure while firewalling their firms against outside legal challenge based on alleged noncompliance.
Rob Herrington is a mass action defense lawyer, author of the best-selling book Verdict for the Defense, a frequent speaker on the topic of corporate risk reduction strategies and a legal commentator for media outlets. The opinions and views expressed in this article are those of the author alone and should not be attributed to Greenberg Traurig LLP.