
Corporate Compliance Programs: Everything You Need to Know

In this guide, we will be discussing:

  1. What is the Purpose of a Corporate Compliance Program?
  2. Why Have a Corporate Compliance Program?
  3. The Expansion of Corporate Compliance Programs
  4. How to Monitor the Effectiveness of Your Compliance Program?
  5. What Should a Compliance Monitoring Plan Look Like?
  6. Hallmarks of an Effective Compliance Program
  7. Running an Effective Compliance Program
  8. Building an Effective Compliance Program
  9. Reasons Why Compliance Programs Fail (Plus How to Avoid Them!)
  10. 4 Things to Prioritize If You Want a Robust Compliance Program
  11. 5 Ways To Give Your Compliance Program An Advantage
  12. 3 Ways Elevating A Compliance Program Can Go Wrong
  13. How to Have a Successful Compliance Program?

Let's dive right in:

A corporate compliance program exists to ensure that an organization complies with any laws or regulations that apply to it.

Corporate ethics and compliance is a complex field to master, and we can all benefit from a refresher crash course from time to time. For this reason, my next several blog posts will revisit some basics about the importance of corporate compliance, starting with the most fundamental question of all:

What is the Purpose of a Corporate Compliance Program?

The simplest definition is almost self-evident: The purpose of corporate compliance programs is to ensure that an organization complies with any laws or regulations that apply to it.

Once upon a time, that mostly meant dealing with regulatory reporting. The organization would need to file certain reports with the government from time to time — quarterly financial statements, health and safety alerts, annual billing reports for government grants or contracts, other types of reports; the list is endless — and compliance departments existed to confirm that the right data was recorded on the right forms, which were then filed with the proper agencies at the proper times.

Those basic concepts of adhering to rules, and documenting that adherence to the rules, still apply. Today, however, a corporate compliance program is much more about building and managing systems to ensure regulatory compliance all the time.


Why Have a Corporate Compliance Program?

Mostly because state, federal, and overseas prosecutors have stepped up their enforcement against corporate misconduct, including large monetary penalties. The best way for a company to avoid those penalties is to demonstrate that it genuinely was trying to obey the law, but a few scofflaws (either employees or other third parties working on your company’s behalf) violated the law anyway. Compliance programs generate that proof, which the company can then show prosecutors.

For example, if you train employees that bribing foreign government officials violates the Foreign Corrupt Practices Act (FCPA), and you can prove to the government: “Here are all our training records. You can see Bob took the training 12 times in 10 years. Here are our email records of him conspiring to violate the FCPA anyway” — if you can provide documentation like that, prosecutors are much more likely to pursue Bob personally, rather than sanction the company.

Failure to implement an effective compliance program would be equivalent to telling prosecutors, “Bob did what? He bribed who? Oh, uh — we had no idea. Our bad.” Suffice to say, that response rarely helps a company avoid penalties.

An effective corporate compliance program demonstrates that your organization is aware of the rules and laws that apply to it, and takes reasonable, sincere steps to stay on the right side of those rules and laws. That’s it, really.


The Expansion of Corporate Compliance Programs

In practice, corporate compliance programs have assumed many more duties over the last decade or so, because the risks to organizations have expanded. Many of those risks are still rooted in some regulatory compliance issue: trade sanctions, data privacy, labor standards, environmental, and so forth. But those risks also now spill over into threatening a company’s reputation with consumers, business partners, and other stakeholders — and preserving reputation with those groups is a high priority for boards and CEOs.

For example, the company might have several mid-level or senior managers who sexually harass entry-level employees. The risk of regulatory investigation into that misconduct exists, but it’s relatively small compared to litigation risk (employees filing lawsuits), reputation risk (consumers scorching the company on social media), or operational risk (firing executives who might have been eyed for more senior roles).

Hence companies have policies and procedures to address harassment, data privacy, onboarding for customers or third parties, and so many other issues. The compliance program exists to ensure that those policies and procedures address the company’s risks in a practical, effective manner. That could mean anything from developing new training to investigating complaints to studying data about how thousands of employees are (or are not) following policy.

You don’t just need a policy that says, “Don’t harass.” You need a system to ensure the company is trying to prevent harassment. Or bribery. Or data leaks, or trade violations, or innumerable other risks.

It’s a fascinating line of work when you think about all its challenges. And all those challenges are here to stay.


How to Monitor the Effectiveness of Your Compliance Program

The details of what makes up an effective compliance program have already been discussed and dissected tirelessly in the compliance community. But once the effective compliance program has been established, what’s next?

You have probably spent a lot of time designing and establishing systems, devising the right policies, figuring out the perfect due diligence, training, and whistleblowing program, selecting the right vendor and more. However, running the program is just as critical as designing it. Just as much thought and effort must be put into the monitoring and review process.

Not only does a business evolve over time, e.g. by engaging new third parties, starting operations in new markets, etc., but so do the regulations and laws that govern your industry and your business operations, which can render initial risk assessments obsolete. Risks constantly change and evolve, and so should your compliance monitoring process. All guidance released by enforcement authorities emphasizes the same point: A stale program is a failed program, no matter how well your compliance monitoring processes were designed in the first place.

The UK Bribery Act, France’s Sapin II and the FCPA equally emphasize monitoring and review to ensure that as risks change your controls adapt accordingly. Compliance officers must adopt an evaluative approach and ensure that the objectives set out by the compliance program are achieved, and, whenever flaws or failures are detected, proactively addressed.

According to the FCPA compliance guide from 2012 “[The] DOJ and SEC evaluate whether companies regularly review and improve their compliance programs … [The] DOJ and SEC will give meaningful credit to thoughtful efforts … undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.” The same goes for the UK Bribery Act, under which ‘adequate procedures’ can only be a defense if they were in place before a breach happens.

Likewise, among the guiding questions the DOJ includes in its 2017 release on how to evaluate the effectiveness of compliance programs, several address continuous evaluation and improvement. This may take several forms, including but not limited to internal audits, testing of relevant controls, collection and analysis of relevant data, and evolving updates, which mainly concern updating risk assessments and reviewing internal controls. Remediation and follow-up should guide you in improving your compliance program.


What Should a Compliance Monitoring Plan Look Like?

Here are a few practical guidelines on how to monitor compliance with policies and procedures:

1. Plan

Put a plan in place and follow up on it. Set one-, two- or three-year goals and make sure to measure results. Whether it is to rewrite your code of conduct or provide more and better workforce training, make sure you track the progress of your initiative to figure out whether or not your compliance program is evolving and keeping up with best practices.

2. Capture Data

Collect as much data on your compliance activity as possible and consolidate that information in accurate and useful ways.

3. Be Proactive

Groom and aggregate your data. Analyze and track trends in compliance activity and report it to the right executives. One example could be tracking trends in exception request submissions: If you have a greater number of exception requests, it could attest to your success at making people understand the policy and the process, or maybe it’s a sign that you have a bigger problem.

4. Escalate

Create a clear and appropriate escalation system, so that the right managers or risk owners can quickly and adequately respond to any identified red flags or breaches.

5. Remediate

When flaws and failures are identified in the system, they should be addressed through the development of internal controls that match and mitigate those risks.

6. Train

Train your employees. Remember, building a human firewall is one of the most effective defenses against compliance breaches. When employees recognize a reportable event when they see it and know how to report it, then you have managed to install a sound corporate compliance culture. You can even measure that engagement through survey results.

7. Document

Getting documentation in place must not be secondary. Document all your efforts and keep auditable records that prove all your compliance activities. A strong reporting system will always allow you to be prepared for any inquiry in case authorities come knocking at your door.

8. Automate

Moving from manual to automated reporting and monitoring processes will allow the flow of data to be constant and human intervention minimal, leaving less room for human error.


Hallmarks of an Effective Compliance Program

The year 2016 set the record for FCPA enforcement; 27 companies paid about USD 2.48 billion to resolve FCPA cases. Indeed, prosecutors rely on large criminal fines for companies and jail time for executives to deter corruption offenses. These direct costs, together with indirect damage to the company’s reputation and lost business opportunities, make compliance the more attractive alternative to lengthy investigations and possible criminal prosecution.

In effect, putting in place an effective compliance program would, ideally, prevent companies and their employees from committing corruption offenses. Realistically, a well-established and efficient compliance program should allow for the early detection of offenses and, in turn, allow companies to take remedial action.

But what components should chief compliance officers focus their compliance programs on?

According to the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) FCPA Resource Guide, senior management support, adequate resources, clear policies, training, periodic evaluation, enforcement of policies, third party due diligence and sensitization are hallmarks of an effective compliance program.

Ultimately, though, this boils down to one factor: corporate culture. A culture where management supports and engages the company’s compliance efforts, and where employees from the entire organization are committed to these efforts.

Commitment and engagement manifest in educating and training management, employees and third parties in compliance with the company’s anti-corruption policies and procedures. Establishing a culture of compliance also means providing a forum for feedback, regular monitoring and assessment of risk activities, and regular evaluation of the compliance program. Last but not least, it means establishing channels that allow for anonymous reporting and guidance about prohibited conduct without fear of retaliation.

Corporate culture typically applies (albeit quietly in most cases) to a variety of different company activities – from the benign to those decisions directly affecting the conduct of present and future business, e.g., everything from community-building social events (Friday trivia quizzes over email and employee birthday celebrations, for example) to significant commercial strategic considerations (e.g., financial and non-financial priorities when entering a new market, including the critical element of risk tolerance).

It is important to note, however, that creating a supportive corporate culture means sustaining an environment in which employees care not just about the risk of getting caught, but, even more importantly, about the importance of acting legally and ethically in the first place. Hence, establishing and sustaining a corporate culture of compliance equals endorsing all the values and beliefs that relate to the term.


Running an Effective Compliance Program: 3 Simple Upgrades

We all want an effective compliance program in our organization. As you design, implement, and operate your compliance programs, I would suggest first that our goal is to build a program around Ethics, Compliance, and Risk. I suspect this is obvious to most readers, but in a future blog post, I will explore why I think Compliance without Ethics or Risk does not make sense.

For now, I want to discuss how to improve your program, particularly in light of the April 30, 2019 US Department of Justice guidance regarding Corporate Compliance programs. I am sure we are all well aware of the DOJ guidance. For clarity of reading, I will reiterate the key principle here. The US DOJ challenges us all to answer three simple questions:

  1. Is the program well designed?
  2. Is the program effectively implemented?
  3. Does the compliance program actually work in practice?

The first two points, while important, are not the focus of this post. Designing a program is important, and as the leader of GAN Integrity, I am passionate about effectively implemented programs. But for now, let’s focus on the third question: Does the compliance program actually work in practice?


Building an Effective Compliance Program

As you look to craft the best possible Ethics and Compliance program that actually works in practice, it is vital to keep in mind the need to go beyond simply putting the right policies in place and urging senior leadership to lead from the top. Take a thoughtful approach to ensure that your compliance program is effective.

Are the elements of your program having the positive effect you intended? Are the concepts you are discussing with your stakeholders actually being understood? Is behavior changing? If so, how do you know?

Traditional A/B testing methodologies are not generally available in these circumstances, and at this stage, contextually meaningful benchmarks are similarly not available or of limited use. On top of that, many Compliance and Ethics programs lack robust dashboards, long-term trend analysis, regression analysis, and longitudinal studies.

While these tactics might be routine exercises for other departments in your organization, they should not be foreign to the compliance team. Let’s explore a few simple steps you can take to implement a feedback process that ensures you can assess, understand, and continuously improve the effectiveness of your Ethics and Compliance program.

Step 1: Deploy a Compliance Customer Satisfaction Survey

At the heart of every effective compliance program is stakeholder engagement. Compliance can be enforced with a heavy hand: rigorous, well-designed workflows, thoughtful checklists, mandatory progressive training, and rigorous enforcement.

All of these steps are important, but I would put forward that to take a program to the next level requires engagement. What if you thought of the Ethics and Compliance function as something everyone wanted to engage with, enjoyed engaging with, and even looked forward to?

The first step in building an effective program is embracing this attitude and seeking to learn from every interaction with your stakeholders to continuously improve the experience. I suggest that a great place to start is with a Compliance Customer Satisfaction Survey that is administered after every engagement with the compliance function: after each e-learning session, every policy affirmation, each request to approve a 3rd party supplier, and each request to clear a conflict of interest. A few questions, embedded in an email, can vet the experience of the end-user and give the compliance team something it can use to continuously improve the program.

After each of these interactions, the stakeholder should receive a simple survey to collect insights into program effectiveness and engagement. This creates a continuous stream of insights that can be used to tweak and adjust the program to ensure that it is constantly getting better. We all need to make sure that our respective compliance programs are easy to work with, understandable, and engaging; in short, that they are effective.

I would contend that, as in other parts of our business (like marketing or sales), the pulse check on improving engagement with a process, program, product, or offering is to survey the “customers”. In this case, the customers are our stakeholders: employees, suppliers, partners, and distributors. They should all provide feedback on improving the program. Armed with that input, we are well-positioned to continuously make the right changes and exceed expectations.

With simple survey data, regression analysis can show you which populations within your stakeholder base you are successfully engaging with, and where you may need to make changes. Is low engagement correlated with a particular plant or region? With a set of roles? Management vs. individual contributors? Is engagement gender-biased? Better programs are grounded in data and with better understanding, you can iterate and improve!

Step 2: Ensure Stakeholder Understanding

The next element of program effectiveness centers on understanding; ensuring that stakeholders across your enterprise understand the key concepts and principles of your policies.

Everyone takes the e-learning and reads the policy, but are they gaining an understanding of the policies? Or are they paging through your training, or running the video on their laptop while scrolling through Instagram on their phones? My suggestion here is simple. At the 3, 6, and 9-month marks following the deployment of a new policy (and the taking of the accompanying e-learning) randomly administer an anonymous short quiz to stakeholders.

The goal is not to assess an individual’s knowledge, but to assess the effectiveness of the program and how well the organization in general understands the principles of your policies. A short five-question quiz, administered via email to a randomly selected, statistically significant cross-section of stakeholders, not only gives you a snapshot but will also give you tangible and actionable feedback to improve your policy deployment and accompanying e-learning. Armed with this valuable information, you can effect real behavioral change across the organization.

Step 3: Ask a Simple Question

As the final step, I propose that each month a small but statistically significant, randomly selected set of stakeholders should be asked a simple question: “Are you aware of any violation of any company policy, regulation, or law?” A simple email with an in-email question allows you to proactively check the compliance pulse of the organization.

This, of course, supplements the whistleblower program that every enterprise already runs. Instead of waiting for a brave soul to report, you should be proactively reaching out to a cross-section and probing with a single simple question. While it is unlikely that this process will uncover broad issues, it serves as another part of the program, a proactive step, and a step that will help keep Compliance and Ethics at the forefront of your enterprise’s thoughts.

No Compliance and Ethics program is perfect, and every program can be improved. I believe the three steps outlined above can supplement a traditional program to improve effectiveness and put the program on a path of continuous improvement, getting you one step closer to the elusive promise of an effective compliance program.


Reasons Why Compliance Programs Fail (Plus How to Avoid Them!)

First, we should define what failure means for corporate compliance since compliance programs have so many moving parts. Your program might fail at specific tasks, such as automated monitoring of third parties or timely reporting of issues — but that only means your program is ineffective at certain things.

Failure of the whole compliance program is something larger, with different causes. We can define “compliance program failure” as persistent shortcomings across a range of tasks, despite repeated attempts to remedy those shortcomings.

For better or worse, those failures happen too. Why?

1. Lack of executive support

The plain truth is that if the board and senior management don’t take corporate compliance seriously, your program is bound to fail. The executive management team dictates corporate culture in numerous ways, from the behaviors they display that others emulate, to messages they communicate to the workforce, even to the compensation plans they design that encourage employees to strive for some objectives more than others.

If executive support for compliance is weak, nobody else will take the compliance function seriously either. Employees might follow your requests so long as those requests aren’t a burden, but as soon as striving for compliance does intrude on their “real” jobs, they won’t. Senior executives must show and tell them that strong ethics and compliance matters.

Now, even with executive buy-in, a compliance officer might still have a corporate culture that’s not interested in ethics and compliance — but that’s a challenge you can address, with enough planning and collective will among senior executives. When senior executives and the board don’t want to embrace compliance, you may want to reconsider your commitment to the firm.

2. Ineffective use of technology

At this point, all organizations use technology to further the compliance program somehow. The real question is whether you are using technology effectively.

For example, if you still rely on spreadsheets to document due diligence, or on memos posted to a shared drive for policy management, that’s not wise. Spreadsheets can be wrong and Word documents can be edited. Both can be overlooked, outdated, or misplaced.

Those are just two simple examples of how poor use of technology leads to poor visibility into corporate activity. Once the compliance program loses sight of how the business is really working (or never gains that insight in the first place), your risk assessments start leading to wrong conclusions. Frankly, why wouldn’t they? You don’t know what’s going on.

Wrong conclusions about risk lead to wrong judgments about how to respond to risk: policies not updated, the wrong controls tested, misconduct not disclosed, investigations out of scope. Those bad actions all spring from a flawed understanding of the company’s true risk profile; and that misunderstanding springs from an inability to keep pace with what the company is actually doing.

At the modern global corporation, only good technology, wisely configured, can do that.

3. Responding improperly to complaints

The compliance program asks employees to do things: change their work practices, follow higher standards of conduct, report suspicions of wrongdoing. Ideally, they will try to do all those things—which implicitly means that the compliance program needs a capability to respond to employees (and third parties) when they need help in those efforts.

One obvious example: compliance functions need to be able to respond to people who report suspected misconduct. Various studies have shown employees are willing to wait a few weeks for a response or might try submitting a complaint twice before giving up. Regardless of the specifics, employees are trying to interact with you. You need to interact with them back.

Sometimes those responses will be part of running the compliance program, such as investigating complaints. Other times the responses will be part of designing the program, such as involving employees when developing new policies or procedures that might affect their workflows.

Employees, and all people generally, need to feel like they are being heard. Which brings us to…

4. Overlooking employee engagement

This mistake is a sibling to the one above. Not only does the compliance program need to respond to employees wisely; it needs to engage with them wisely even before the compliance program is truly up and running.

You may have seen the mess that can happen otherwise. A new compliance officer toils away in his or her office for weeks, developing a program that looks great on paper. Then he or she storms the enterprise, policies and procedures blazing, and everyone either stares silently, or roars back that the program won’t work, or just smiles politely and ignores the CCO. Any executive support the CCO might have had has vanished.


4 Things to Prioritize If You Want a Robust Compliance Program

The annals of corporate compliance are filled with terms of art. “Whistleblower hotline,” “policies and procedures,” “risk-based approach,” and many more — we use those phrases all the time, as verbal shorthand for much more nuanced ideas.

Perhaps none of those terms, however, are as common and important as this one: a “robust corporate compliance program.”

Well, what does that phrase actually mean? Of all the adjectives in the world, why is robust such an important thing for your compliance program to be?

Let’s begin at the dictionary. Merriam-Webster’s first definition of robust is “having or exhibiting strength or vigorous health.” That’s not wrong; most people would use words like strength, vigor, or health to define “robust” if you asked them.

For a compliance officer’s purpose, however, a more apt definition might be the secondary meaning of the word: “capable of performing without failure under a wide range of conditions.”

That’s what compliance officers need to achieve.

The “without failure” part is a bit misleading; no compliance program will be flawless and foolproof at all times. Rather, a robust compliance program delivers reasonable, risk-based assurance of regulatory compliance at all times, under a wide range of conditions.

So what becomes important for success, if that’s the standard a robust compliance program should meet? Several priorities come to mind.

1. A Commitment to Ethical Culture

First, a strong commitment to ethical culture is essential because the widest range of conditions is the people working within your enterprise. As new employees arrive, or existing employees take new roles, they need to understand that commitment to ethical conduct is a constant at the organization, not a variable.

That could mean anything from strong, clear statements about ethics by senior leadership; to training materials that discuss ethics and values, as well as policy and procedure. Regardless, a robust compliance program works to keep employees ethically aware, no matter what they do on any particular day.

2. Effective Risk Assessments

To achieve a robust program you will also need to execute effective risk assessments—since that’s the exercise that tells a compliance officer what conditions have changed. Capability in risk assessment includes keeping abreast of new regulations, being aware of new systems or processes other business functions launch, and even changes in market strategy senior leaders want to pursue.

3. Procedures That Work

Next, procedures that actually work drive robust programs. Notice, we didn’t say “policies and procedures” here – some of the worst compliance failures in history came from companies with great policies; the companies simply lacked the will or ability to execute procedures that enforced those policies.

What procedures matter most? Due diligence, of course; also access controls, investigation protocols, disciplinary measures, and more. Compliance officers can never forget that what matters is an ability to get things done, just as much as a clear vision of what to do.

4. Measurement and documentation

Finally, measurement and documentation will help you build a robust program. Measurement helps you assess how well your program is working as conditions change from one state to another. At any moment, your program probably works better in some ways than others. Compliance officers need a way to identify those performance gaps (measurement), and then plan what should happen next to address those gaps, if anything at all (documentation).

Fundamentally, the Justice Department, other regulators, business partners, consumers, shareholders — they don’t dwell on the structure of the compliance program. They dwell on whether the program reduces the risk of misconduct or non-compliance.

Meanwhile, your compliance program exists as part of a larger corporate enterprise, and the conditions of that enterprise change constantly. Every business launches new products, adopts new IT systems, expands into new markets. Every business increases its budget sometimes and trims it at other times.

Those are conditions a compliance program must weather, week after week. If your compliance program can do this effectively, then you can call it robust.


5 Ways To Give Your Compliance Program An Advantage

Compliance officers are regularly searching for tricks, tips, and secrets to give their compliance program an advantage. We could probably draft a long list of helpful strategies; however, it is actually most beneficial to look at it from a different angle. Compliance officers need to find force multipliers for their programs.

Force multipliers are any tools or techniques that allow someone to accomplish much more than he or she could otherwise do. A force multiplier in action is a soldier using a machine gun, or a sales executive using automated email marketing. These tactics allow soldiers or sales executives to maximize productivity and efficiency to achieve their goals.

You’re probably wondering how compliance officers find force multipliers that let them push their program’s goals more productively. We came up with five examples of how compliance officers use force multipliers to create a successful compliance program and tied each example to important tasks compliance officers do every day.

1. Start data analytics early

Data analytics helps compliance officers understand the “battlefield activity” in their organizations — what employees are really doing and which transactions are really happening. From there, compliance officers can start refining policies and procedures to change that activity.

Everyone understands the importance of data analytics, but the department might be strapped for analytics expertise or advanced visualization software.

Let’s start with spreadsheets. They can do very basic analytics and visualization. They are also vehicles to collect information, as are web-based systems that store data in a central repository. Once you’re confident in the dataset you have, spreadsheets can start you on your data analytics journey. Then, you can begin looking into more robust reporting and monitoring solutions.

The sooner you start analytics, the better. Your compliance program can be more responsive to actual conditions in the company, making data analytics an essential force multiplier.

2. Incorporate ethics into employee training

We’ve covered the key elements of training in our post 3 Compliance Training Elements You Should Be Addressing. As important as training on specific policies or compliance obligations may be, it’s also important to spend time talking about ethics. We all like to talk about ethics because we have an intuitive sense of right and wrong. Ethical dilemmas are usually quite relatable to our daily lives.

Moreover, a good ethical foundation helps employees with the most dangerous risk of all: the one your compliance program hasn’t anticipated. Eventually, your employees will encounter a dilemma that your Code of Conduct or policy manual doesn’t address, and that’s when they will rely on ethics to guide their decisions. So it’s important to help them build that foundation.

A compliance officer once told me, “If I can only talk about ethics or compliance, but not both, I’ll talk about ethics every time. If I get the ethics part right, the compliance part becomes a lot easier.” In other words, ethics is a force multiplier.

3. Utilize your third party contracts

Third party governance is about getting business partners to do something, whether that’s certifying your anti-corruption standards or promising to use ethical sources in their own supply chains.

Well, if your contracts with those third parties don’t include clauses allowing you to force those issues, you have no leverage to impose that governance. So, use your contracts to create that leverage for the future.

In practice, this raises important questions about policy management within your own company. Who can create and execute contracts on behalf of the business? Do they know to include these clauses? Do you have a system that prevents them from evading the third party governance issues you want to be included?

The contract is the force multiplier that allows you to push third party governance forward. Use it to full advantage.

4. Protect confidentiality in internal reports

This seems simple, but you’d be surprised at how often confidentiality breaks down. For example, earlier this year the Government Accountability Office did an audit of the whistleblower systems at the Defense Department and found numerous ways that senior officers might share (accidentally or deliberately) the identity of a whistleblower who assumed his or her identity was protected.

Confidentiality builds trust. Even anonymity builds trust because the whistleblower gets to control when he or she might disclose their identity.

Anonymous reports are more difficult to address, and confidentiality requires lots of policy, procedure, and testing to be sure your protection protocols work. They’re still worth it because they help employees trust that the company will take their concerns seriously. That’s the force multiplier.

5. Frequently test internal controls

Testing controls is a crucial part of compliance programs. Numerous regulators have published guidance for corporate compliance programs where internal controls get extensive commentary. We have no shortage of FCPA enforcement actions where poor internal controls led to monetary penalties.

That means compliance officers need to get into the nitty-gritty of how internal controls work. If you fear resellers or local agents might offer bribes, you need to study accounting policies and sales practices at your company and see what internal controls they do (or don’t) have against that risk. You need to befriend your internal audit or accounting team and be ready to have conversations on subjects outside your comfort zone.

Strong internal controls are vital to compliance, but you won’t know whether they’re strong until you test them. Then, they can be a force multiplier that prevents a compliance failure — rather than just letting you know promptly that you have one.

Force multipliers that multiply each other

Improving your data analytics skills may tell you which internal controls to test more often. If you protect confidentiality and build trust, employees will raise the ethical issues you discuss in training more freely. That’s how a compliance program can be more than the sum of its parts.


3 Ways Elevating Your Compliance Program Can Go Wrong

So, you want to elevate your compliance program. Maybe because employees have been ignoring the latest changes you made to a policy, or maybe a leadership shift has queued up the perfect time to reinforce ethics. Either way, you’ve decided it’s time that compliance gets the respect and attention it deserves within your company.

The good news: elevating your compliance program is totally possible (with some hard work). The bad news: it’s also very possible to get off track and fail to execute on this initiative properly. What are some of the top hurdles getting in compliance officers’ way? Let’s explore the top three.

1. Not Having a Vision

It’s not an impossible mountain to climb, but raising compliance’s profile across the enterprise is a mountain nonetheless. Don’t sabotage your efforts by ignoring those important initial steps of shoring up executive support and lining up resources before you act. Don’t oversell what you can deliver to executives or support will dry up quickly. Have an overall vision of what you want to achieve, mapped in a logical and realistic sequence. Start with smaller objectives to give you proof of concept and build momentum as you tackle the larger problems.

2. Changes Lack Impact (or Add Burden)

Another pitfall: crafting policies that don’t actually cause procedures to change. There’s no point in writing paper policies that change how you describe the way things should be done but don’t result in concrete changes. It wastes time and creates an impression that new policies don’t drive meaningful impact.

You also don’t want procedures that add to employees’ burdens rather than alleviate them. Yes, sometimes new regulatory efforts make additional procedures unavoidable. As a rule, however, simplify compliance with policies and procedures, while talking about core ethical values. That’s what elevates ethics and compliance throughout the enterprise.

3. Failing to Align

Above all else, remember that employees are your allies in the fight against corruption and policy failures. It’s in their best interest to help the company succeed. Avoiding damage, whether that’s defined as actual financial sanctions or reputational harm, helps the company achieve success. Aligning with employees rather than working against them can be a pivotal perspective shift.

Ensure Elevating Your Compliance Program Goes Right

Understanding how elevating your program can be derailed is important, but equally important is what to do in order to elevate your program. To help you navigate the road ahead, we published A Step-By-Step Guide to Elevating Your Compliance Program. Download the eBook and gain access to insights into when, where, and how to bring your program to the next level. Written by Matt Kelly, Editor and CEO of RadicalCompliance.com, this eBook is a must-read for compliance officers seeking to gain more visibility, respect, and impact for compliance at their organization.


How to Have a Successful Compliance Program

Successful compliance programs gain the trust of the workforce—because good compliance can sometimes be a painstaking ordeal, where the CCO asks others to make sacrifices. Those sacrifices are ultimately worth it, but success depends on building alliances, winning support, and working together. Compliance programs fail when the CCO does the opposite.

Remember, failure doesn’t come from poor performance at specific tasks, such as imperfect due diligence or data analytics that isn’t the latest or coolest. Improving performance on those specific tasks is why the compliance program exists.

Compliance programs fail when they don’t engage with the larger organization in a productive manner. It’s about seeing the big picture, and winning support for a better big picture. That’s what makes the compliance program succeed.

Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
