Are your compliance programs long on policing and short on effectiveness?

This post was originally shared in the ACC Docket and is republished here with permission from the author.

As those of us who lived through it know, airport security in the U.S. in the early 2000s – post-9/11 – was a world apart from what it was previously. The American citizenry was traumatized and frightened of another attack. The U.S. government responded by implementing draconian rules significantly restricting the items that could be carried onto commercial aircraft.

Many of these new restrictions were quite sensible and overdue. For example, prior to 9/11 you could carry through security a half-gallon jug of liquid with no procedures to test whether it was water or nitroglycerin. But other restrictions clearly overshot the mark. Do you remember the days when TSA agents confiscated nail clippers, fingernail files and small pocket knives? Even the silverware in the first class cabin needed to be plastic.

These practices not only irritated the traveling public, they also reduced airline safety. At first blush, this result may seem counter-intuitive. After all, how could preventing passengers from bringing potential weapons on aircraft make flying less safe? This was exactly the question posed to the head of the TSA when he testified several years ago in front of a congressional transportation safety committee requesting support for his agency’s proposal to loosen airport screening standards.

The TSA head explained that his agents were spending an inordinate amount of time searching for and confiscating items that had little to no impact on improving airline safety. He stated that, in addition to slowing down the lines at security check points, this focus on looking for large nail clippers was distracting TSA agents from the far more important task of detecting items – like bombs – that could take aircraft down. He further explained that given the hardened cabin doors, enhanced training of airline staff and the post-9/11 response by passengers – who by then had a history of restraining anyone in the cabin who presented a threat to the aircraft – it was no longer possible to take over an airplane with a small pocket knife. Thankfully, the U.S. Congress saw the logic in these observations and allowed TSA to promulgate less restrictive regulations.

The Problem with Draconian Controls

I think the same dynamic often comes into play in corporations that experience the trauma of a government investigation or prosecution for wrong-doing. The fear and anxiety such events cause to Boards of Directors and company executives sometimes manifests itself in the implementation of new policies, procedures and internal controls that overshoot the mark.

A typical example of this might be a company that is subject to prosecution for an employee violating anti-corruption laws. In response, many companies require all employees – regardless of their role in the company – to endure lengthy live and online anti-corruption training sessions. They may supplement this with annual attestations to comply with the company code, a large collection of new policies, procedures and controls and expensive due diligence and training of all third parties who purchase and distribute their products. In addition, auditing and compliance staffs balloon in size and busy themselves by launching dozens of compliance initiatives aimed at reducing compliance risks.

The problem with this understandable response to a compliance crisis is that corporations that develop overblown compliance programs may end up becoming less rather than more able to manage their legal and ethical risks. By imposing draconian controls on businesses, thousands of employees are often required to endure training sessions on topics completely unrelated to their jobs. Others may ultimately “click through” online training classes just to tick the box and get it done – without any real learning going on. The company may place false confidence in a third-party due diligence process that checks all the boxes, but fails to alter behavior or detect corrupt business practices. Overblown compliance programs also run the risk of causing employees to avoid rather than seek out compliance professionals and creating negative attitudes toward the compliance program in general.

Needless to say, engaging in activities that cause such a response is not the optimal means of building and sustaining a strong ethical culture. To the contrary, it breeds cynicism and creates a large cadre of scofflaws who seek to avoid key compliance program elements instead of embracing them.


To avoid this fate, you might consider the following three strategies:

  1. Look for opportunities to eliminate pointless compliance-related activities. These might include such simple steps as limiting the applicability of policies and procedures to only those individuals who really need to know them and reconsidering the wisdom of your annual code of conduct training and associated attestations for all employees.
  2. Hold yourself and your compliance program accountable for being able to demonstrate a reasonable return on investment for every program element. In so doing, always be mindful of the fact that every time you think up a great new idea that might make you look good in front of senior management and the Board, you might be costing the company hundreds of thousands, if not millions of dollars by imposing it on your colleagues.
  3. Seek the voice of the customer and listen – really listen. Ask your colleagues whether the various elements of your compliance program are achieving the desired results or having the opposite effect. When you receive negative feedback, don’t get defensive; get curious. Explore with them what is working, what is not working and why. And have the courage to change course – even if it means gutting one of your pet projects.

It is true that sometimes you need to hold the patient down to administer the medicine they need to heal. But, this approach only works in the short term and should only be used in the direst circumstances. Over the long term, strive to find a flavor the patient can swallow without spitting it up. And if you really listen to what they have to say, you may find a prescription that they actually like.

Jim Nortz

Jim NortzJim Nortz is a nationally recognized expert and thought leader in the field of business ethics and compliance.

Jim spent the first 17 years of his career as a litigator trying both criminal and civil cases before becoming Crompton Corporation’s first Vice President, Business Ethics and Compliance in 2003.

Since then, Jim has served as a compliance officer at Crompton and for four other multinational corporations, as well as Corporate Compliance Director at Sutherland Global Services.  Currently he serves as Chief Compliance Officer for Carestream Health.

Mr. Nortz is a frequent guest lecturer at the University of Rochester’s Simon School of Business, RIT’s Saunders School of Business, St. John Fisher College and Nazareth College.

Jim writes the monthly business ethics columns for the Association of Corporate Counsel Docket magazine and the Rochester Business Journal and is a contributing writer for Corporate Compliance Insights and The Business Journals.

Jim served on the Board of Directors for the Ethics and Compliance Officers Association (“ECOA”) for eight years. He currently serves on the Board of the Rochester Area Business Ethics Foundation and is a member of the Rochester chapter of Conscious Capitalism.

Contact info:
[email protected]

Related Post

Got Compliance News?

We do!  Sign up for CCI’s free weekly eBlast to get GRC news, views, jobs & events delivered to your inbox once a week.  Cancel anytime.

Click to Subscribe.