In previous posts for this blog, I reviewed the purpose of a compliance program: to ensure that your organization complies with the laws and regulations that apply to it. In this post, we want to answer a nuanced question: How much effort should a company put into effective compliance?
Because those efforts do cost money, and at some point you inevitably need to say, “We’re doing enough.” Finding that point is a compliance officer’s job — and a compliance risk management framework is the tool to help you find it.
What is Compliance Risk Management?
Compliance risk management is your company’s effort to identify potential compliance risks in advance (say, poor due diligence of third parties), analyze those issues, and then take precautionary steps to reduce the likelihood that those risks come to pass.
After all, even with unlimited budget and resources (which you’ll never have anyway), no company can achieve perfect compliance with all regulatory burdens at all times. Mistakes are bound to happen eventually. The goal is to reduce the operational risk of non-compliance down to levels acceptable to your board and your regulators.
Moreover, compliance risks can evolve over time. For example, the U.S. Justice Department recently updated its guidance on effective corporate compliance programs, to include new material about a company’s disciplinary procedures and the structure of compensation programs. So compliance officers should now perform a fresh compliance risk assessment, to see how well their current compliance program compares to the Justice Department’s ideal compliance program, and then implement changes as you and your senior management team think best.
As you might guess, companies can achieve practical, effective compliance risk management in any number of ways. One doesn’t buy a standard-issue compliance risk management program that fits all firms across all industries; no such thing exists. You build one, based on your firm’s own business processes, employees, and regulatory compliance concerns.
Understanding the Risks of Non-Compliance
First, compliance officers need to understand where the risks of non-compliance for your business reside. Some risks are more prevalent or more severe than others, and those become the compliance risks your program should address first and most aggressively.
For example, two cornerstones of effective FCPA compliance are due diligence of third parties and training employees on the anti-bribery policy. A compliance program should include both, but not necessarily to the same extent; it depends upon your business model. A company that uses local agents extensively might invest heavily in due diligence, while another that uses employees in a direct sales model might spend more time on training and enforcement of gifts and entertainment policy.
So the first step in compliance risk management is to understand what your compliance risks really are, and how they come to be.
Setting Your Risk Tolerance
Second, understand what your company’s tolerance for a compliance risk is. The greater its tolerance for risk, the less exacting your compliance policies and procedures need to be.
Risk tolerance can be a fuzzy concept, so the internal control community devised a more precise phrase: “acceptable variation from a performance goal.” That’s the standard you want stuck in your head as you design policies, procedures, and internal controls: how much can company transactions or employee behavior deviate from the goal before senior management intervenes?
For example, the company might have a policy that no local distributors receive discounts or credit notes that can later be converted into cash (a common way for distributors to pay bribes). Do you want no variation from that goal, with 100 percent compliance? That’s possible, but it requires exacting corporate accounting controls and willingness to fire anyone who violates the policy. Would you live with a failure rate of 1 percent or 5 percent — or different failure rates for resellers in high- and low-risk markets?
Every company will find its own correct answer. The point is that every company must answer it, or you will not know how many compliance policies and procedures to establish.
Align Compliance Processes and Risks
Third, ensure that the compliance processes you have are on pace with compliance risks. That is the art of risk management: it is a fluid thing, where the mechanisms to manage risk change as the risk does.
For example, if your firm hardly ever sells to foreign governments, your FCPA corruption risks are low, and perhaps you could survive with a manual approach to due diligence. Then new senior management arrives, or the company acquires a new subsidiary or expands into a new product line, where selling to foreign governments becomes a priority.
Your compliance risks have increased, so you need to assure that your processes to manage that compliance risk are up to the task. A manual approach might no longer work, because you have so much due diligence to do that employees would be overwhelmed, and not do it. Suddenly an automated approach becomes more sensible.
Likewise, we could offer another example from the Justice Department’s new updates for effective compliance programs. That guidance talks at length about consistent, rigorous disciplinary enforcement against employees who engage in compliance violations. If your company ever comes under Justice Department investigation, regulators will want to see how you approach employee discipline — so you’ll need to be sure that your disciplinary procedures (to decide on punishments, to record disciplinary actions, to audit for consistency across regions and seniority levels) align with that newly heightened compliance risk.
That’s compliance risk management: ongoing, shifting, constant. The objective isn’t to eradicate all your compliance concerns forever; that’s impossible. You just need to do the best you can with the resources you have — so a keen understanding of where your company’s risks come from, and how much it wants to quell them, is essential.
Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week. from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.