“It’s not complicated – more is better,” concludes a wonderful AT&T commercial. But for many C&E officers, it’s not that simple.
In the wake of Enron/S-Ox/the Sentencing Guidelines revisions a great many companies seemingly had bottomless appetites for implementing compliance measures. That’s no longer the case. With the exception of those employed by companies that are under investigation, playing catch-up with FCPA compliance expectations or in highly regulated industries, C&E officers seem increasingly under pressure to be not only effective but also highly efficient in their work, and to steer clear of “compliance overkill.”
Note that this focus on efficiency should not be misinterpreted to mean that the need for effective C&E programs is any less powerful now than it was during the formative age of compliance. Indeed, the costs of non-compliance have, I believe, gone up since then – as reflected in (among other things) the fact that of the ten all-time highest corporate criminal fines in the U.S. five were imposed in 2012 alone. But perhaps precisely because harsh penalties have become the new normal, C&E programs in many companies seem to command a smaller portion of senior management mindshare than they did just a few years ago – and hence the growing imperative to avoid what are seen as unnecessary efforts in this area and to achieve “Goldilocks compliance.”
There are various settings in which C&E officers should be attentive to the possibility of going overboard, including but by no means limited to the following.
- Training. While many companies do too little in this regard, some actually do too much – subjecting employees to training that is unwarranted from a risk perspective. (E.g., there are not many businesses where every single employee truly needs antitrust training.) Painting with an overly broad brush here can waste not only considerable amounts of time and money; it can also reflect poorly on the C&E program as a whole.
- Background checking of third parties. As with training, on the whole more companies need to do more – rather than less – with this essential compliance tool, but some have instituted background checking regimes that seem unmoored from any meaningful risk calculus. And – as with training – overkill here can trigger negative feelings toward C&E generally in a company.
- Technology. This is a particularly tricky area about which to speak generally, given the diversity of technology-related products and services now being developed in the C&E space, both by vendors and in-house resources. Similar to the case with training and background checks, on the whole, I think that there needs to be more done here, not less. But the devil is really in the details with this emerging part of the C&E world, and companies need to remember that cool does not necessarily mean necessary.
Note that C&E overkill is not only about doing too much – it can also be about saying too much. For instance, C&E officers need to be careful in discussing the relevance of C&E provisions in settlement agreements to their own companies. To use a medical analogy, what’s essential for a patient who has had a heart attack is not necessarily indicated for those who merely have somewhat elevated cholesterol levels.
So how do you know when you’re going from enough to too much? In some instances it is like the famous saying about obscenity: you know it when you see it. But that won’t do in all cases, and for many reasons the better approach is to base determinations of this sort on your risk assessment.
Indeed, by identifying in a risk assessment anything that’s not needed, a program can gain greater credibility among key decision makers in a company. This, in turn, can help the program focus on what is essential – and implement C&E measures that are “just right.”