What is Compliance and how much of it is enough?
In this blog post Sergey H. unpacks what Compliance means, how much of it is enough (at least in the United States and France), and what you should know to build an adequate Compliance Program in your projects, departments, and organizations.
A little bit of the history of compliance in the USA: Compliance is an art. It is a challenging, controversial, and complex subject. Up until 1984, there were few rules and no common way of establishing compliance or evaluating it. At that time, the world of compliance resembled the “Wild West,” with frequent disparities in sentencing, that is, in the punishment handed down for breaking the law. In 1984, however, the U.S. Congress created the U.S. Sentencing Commission and charged it with setting up effective and comprehensive standards to reduce those sentencing disparities and to promote transparency and proportionality in sentencing. Over time, this work grew into the ethics and compliance domain. The Commission's guidelines, in particular those that apply to organizations, have since shaped how companies across U.S. industries structure their compliance efforts, and they provide a framework, or lens, through which compliance should be looked at. Prior to their implementation, identical cases of corporate corruption and illegal activity were being treated in very different ways. The Commission sought to remedy this problem by crafting guidelines that address the following three objectives:
1) Establishing a model for good corporate behavior.
2) Ensuring that corporate sentencing is fair, according to a set of objective criteria.
3) Establishing a model which would encourage organizations to self-regulate before any crimes occur.
The Commission later organized these objectives into seven core principles, referred to by some in the industry as “The Seven Pillars of Compliance,” to help enforce and encourage effective compliance.
To give you another example, let me take you to Paris, where on December 19, 2019, the Anti-Corruption Agency of France, Agence Française Anticorruption (AFA), released a similar set of standards in the form of a Practical Guide on Structuring the Compliance Function. The guide, which is now an active resource, included input from several professional associations. You can read some of my earlier reflections on the guide here. Spoiler alert: AFA summarizes its principles into six groups that I have named the “Six Cores of Compliance Function.”
Here in the U.S., these seven core principles, The Seven Pillars of Compliance, have been laid out as follows:
1) Standards and Procedures: One of the most important things any company can do to maintain an environment of integrity and legality is to develop and deploy internal standards and systems. Codes, policies and procedures guide the organization, its employees and its affiliates on how to follow the law and the internal rules, and the organization must make sure that those standards are effective and appropriate to its level of exposure and to the impact a violation would have on it. These standards must clearly assign responsibility and accountability throughout the organization, with the CEO as the ultimately accountable officer in charge.
2) Oversight: While the CEO is ultimately accountable, s/he cannot be hands-on involved in everything. Part of a CEO's responsibility is to establish adequate oversight of every policy and procedure and to make sure that senior officers or supervisors are assigned to oversee the rigorous and consistent application of all the set standards.
3) Education and Training: Everyone learns through repetition, and familiarity builds confidence. Therefore, responsible officers should not only hand out information but make sure that it is understood. The Commission recommends regular training and reviews to ensure that employees have a full understanding of compliance. Business owners and chief officers should also foster an environment of openness in which employees are free to ask questions or share comments.
4) Auditing and Monitoring: Every organization should have its own independent method of auditing and monitoring its systems and employees to make sure they meet the compliance standards. This is done through officers who are in charge of monitoring, reporting the findings, and providing assurance that the program works as designed.
5) Reporting: When compliance standards are violated, the most important first step is to make sure the violation is reported to the appropriate authorities as soon as possible. All corporations should have both open and anonymous reporting mechanisms in place, which invite employees to report abuse freely and without any fear of reprisal.
6) Enforcement and Discipline: Whenever laws or rules are broken, there are consequences proportionate to the severity of the violation. Just as rules should be clearly outlined and explained, so too should the consequences of violating those rules be clearly understood. Sentencing guidelines are a major part of compliance law(s).
7) Response and Prevention: All companies must respond promptly and responsibly to every compliance violation. However many laws and regulations are in place, little can be expected of them if employees and the officers in charge look the other way or remain willfully ignorant of waste, fraud, and abuse.
So, what do Sentencing Guidelines and The Seven Pillars have to do with organizations like ours? Well, laws are laws, and if an organization does not follow the law, intentionally or not, these guidelines are used to assess how much proactive and preventative due diligence the organization exercised and how accountable it held itself. Even with good systems in place, violations can occur through negligence or other circumstances. The Seven Pillars of Compliance are a way for an organization to demonstrate the effectiveness of its compliance system and to identify isolated cases of deceptive, criminal or other misconduct. If an organization can diligently and consistently show institutional adherence to its compliance systems, it is less likely to be penalized severely for an isolated case.
When developing new compliance programs at CRS, or evaluating existing ones, we use The Seven Pillars to confirm the adequacy of the system under evaluation or development. This framework is remarkably effective at finding both deficiencies in the design and disproportionate responses. Calibrating, balancing, and enabling efficiency are as important as establishing capability. So, do not hesitate to challenge your existing and new systems if you find disproportionate procedures, and make sure they serve their intended purpose. When balancing systems, take into account the number of staff who have a compliance function, along with their seniority levels, their placement in the organizational structure(s), their level of responsibility and accountability, and the role they play in managing and overseeing the effectiveness of the program.
That’s it for now, my friends! I hope this was useful to you. Please let me know in the comments below or anywhere on social what you think and what you would like to see more, or less, of. In future posts, I will take you through a journey of different reflections, concepts, approaches and effective applications of governance, risk, compliance, and ethics.
Are you a Humentum Member? Join me and hundreds of Humentum-member practitioners in the Governance, Risk and Compliance Community on Humentum Connect! Learn, share, join the advocacy force, ask for help and help others! The community has only two rules:
1) Humentum membership, and
2) No post goes unanswered or without a solution!