We recently had a meeting with the FBI. They were two years into setting up their compliance program and a few industry experts were commenting on what they might do next. Some great little nuggets of advice came out of the meeting. I fear that some of this will be “the blinding statement of the obvious” however, it sometimes helps to get back to the basics to be successful in anything you do.
Tone at the middle
Although he was not at the meeting, this came from Jeff Kaplan. What he is referring to is middle management’s role in compliance and ethics. I think he has a great point in emphasizing this. We talk so much about tone at the top, but middle management has much greater contact, and often greater influence, with most employees. Compliance and ethics professionals should do what ever they can to help middle management understand their role and the impact they have on compliance and ethics.
Active vs. passive compliance
I shared my concern about the number of compliance and ethics professionals who spend too much time in their offices. Too many people write policies, do risk assessments, and audit, rather than getting out to investigate, discipline, educate, and talk to people about their concerns. The Congressional hearings of Enron, Tyco, HealthSouth and others showed that those companies all had legal, audit, and risk functions pointing to problems, but few had people willing to step up and stop fraud. Talking, writing, and analyzing can all be attractive alternatives to the sometimes difficult job of stopping wrongdoing. Be active not passive.
A company’s real code of conduct is its budget
Molly Painter Moreland, an ethicist from and professor at , believes the tremendous focus on a code of conduct can be misleading. If a company does not back up its words with action, it is difficult for them to be effective. She believes that although a code of conduct is almost always the first thing someone talks about, it may not be as important as the resources you put behind your compliance and ethics effort.
Compliance professionals are not responsible for compliance in their organization
Marjorie Doyle brought this up, and it has been emphasized by Dan Roach in the past. Compliance and ethics is the responsibility of everyone in the organization, not the compliance and ethics officer. We help people implement compliance and ethics in their departments, and they are accountable for it. Anyone who tries to take on the compliance and ethics for an entire organization is accepting an impossible task.
Compliance is not just “the Department of No”
Mike Horowitz pointed out that Compliance should get into the details and help any department that has been told they have to fix something. In other words, we should not just say, “You are not doing it right” and walk out. We should roll up our sleeves and help them find a way to do what they want, but do it in a legal and ethical manner. This would involve trying to find out what the department’s objectives are and trying to help them continue to meet those objectives while being ethical and compliant.
Most people won’t lie
Many will not share unless they are asked, and most people, if asked, will tell you the truth. You can not get a real perspective of your culture or issues by just talking to those who will complain or comment every chance they get. You may not get a good handle on the real culture or issues by talking to those who always believe it’s great. A large group of people won’t complain or call the hotline, but if you ask, they will tell you about the culture and the issues.
Compliance is not about filling out forms
Compliance is a difficult concept for many people to understand. Many people relate compliance to filling out forms. We should be careful to use the word “compliance” in context. Make an effort to say “compliance program” or “compliance officer.” The word “compliance” alone has too many definitions to be helpful.
Theories vs. experience
Marjorie Doyle made a point about how there are many people who have an opinion about what compliance programs and compliance and ethics officers are all about. But few people have suffered through the implementation of a compliance program as a compliance and ethics officer. It’s easy to pontificate about how it should be. Anyone who has ever been involved in the law, risk, audit, or any other related field seems to think they know what it is all about. Many people who have a great deal of experience in academia feel they know how things should be. However, only those who have been through it really understand what works and what is practical.
Rewards and punishment
There was a discussion about the need to celebrate efforts of employees who identify and fix regulatory problems. It is as important to discipline those who knowingly break the rules. Some do what you expect, others do what you inspect, and the rest do what you enforce. Employees become disenfranchised when there are no rewards for good behavior and penalties for inappropriate behavior.
Why people don’t report compliance issues
Some fear retaliation. Some don’t know how to report an issue. Many don’t report because they think, “Why should I stick my neck out when nothing will be done anyway.” Some believe people fear of retaliation is the biggest issue, but the real culprit is often a lack of confidence in leadership’s willingness to do something about the problem. Some believe that the lack of a commitment to correct a problem or discipline is what really deters people from bringing problems to your attention. Organizations that step up and address problems seem to get better information about where the problems are.
Why people do the wrong thing
Pressure to perform can often result in inappropriate behavior. Some people just rationalize their inappropriate behavior. Then there is always the lack of adequate controls. Controls are essentially real–time feedback for people who want to catch their mistakes as they happen. Dan Roach once said, “Trust is not an adequate control.” No matter how well intentioned an individual is, it is difficult for them to perform effectively without controls.
One of the biggest risks is change
Joe Murphy shared with the group that if you want to find problems, look for change. Many changes that look innocent have unexpected negative side effects or unintended consequences. It is generally a good practice to focus some of your compliance resources on areas of recent or upcoming change.
Accountability, authority, and responsibility
Matt Tormey shared his belief that one of the most important things a compliance and ethics professional can work on is accountability, responsibility, and authority. He believes that it is difficult to work on any of the other elements of a compliance and ethics program without it. It is something that does not come without effort, and something that should be worked on constantly.