You want a robust compliance program?

The annals of corporate compliance are filled with terms of art. “Whistleblower hotline,” “policies and procedures,” “risk-based approach,” and many more — we use those phrases all the time, as verbal shorthand for much more nuanced ideas.

Perhaps none of those terms, however, are as common and important as this one: a “robust corporate compliance program.”

Well, what does that phrase actually mean? Of all the adjectives in the world, why is robust such an important thing for your compliance program to be?

For a compliance officer’s purpose, however, a more apt definition might be the secondary meaning of the word: “capable of performing without failure under a wide range of conditions.”

That’s what compliance officers need to achieve.

The “without failure” part is a bit misleading; no compliance program will be flawless and foolproof at all times. Rather, a robust compliance program delivers reasonable, risk-based assurance of regulatory compliance at all times, under a wide range of conditions.

So what becomes important for success, if that’s the standard a robust compliance program should meet? Several priorities come to mind:

1. A Commitment to Ethical Culture

First, a strong commitment to ethical culture is essential because the widest range of conditions are the people working within your enterprise. As new employees arrive, or existing employees take new roles, they need to understand that commitment to ethical conduct is a constant at the organization, not a variable.

That could mean anything from strong, clear statements about ethics by senior leadership; to training materials that discuss ethics and values, as well as policy and procedure. Regardless, a robust compliance program works to keep employees ethically aware, no matter what they do on any particular day. It should be along the lines

• we don’t bribe,

• we pay the right tax,

• we comply with the labor and environmental laws,

• we don’t smuggle,

• we protect personal and sensitive data, and so on.

2. Effective Risk Assessments

To achieve a robust program you will also need to execute effective risk assessments — since that’s the exercise that tells a compliance officer what conditions have changed. Capability in risk assessment includes keeping abreast of new regulations, being aware of new systems or processes other business functions launch, and even changes in market strategy senior leaders want to pursue.

3. Procedures That Work

Next, procedures that actually work drive robust programs. Notice, we didn’t say “policies and procedures” here – some of the worst compliance failures in history came from companies with great policies; the companies simply lacked the will or ability to execute procedures that enforced those policies.

What procedures matter most? Due diligence, of course; also access controls, investigation protocols, disciplinary measures, and more. Compliance officers can never forget that what matters is an ability to get things done, just as much as a clear vision of what to do.

4. Measurement and documentation

Finally, measurement and documentation will help you build a robust program. Measurement helps you assess how well your program is working, as conditions change.. At any moment, your program probably works better in some ways more than others. Compliance officers need a way to identify those performance gaps (measurement), and then plan what should happen next to address those gaps, if anything at all (documentation).

Fundamentally, regulators, business partners, consumers, shareholders — they don’t dwell on the structure of the compliance program. They dwell on whether the program reduces the risk of misconduct or non-compliance.

Meanwhile, your compliance program exists as part of a larger corporate enterprise, and the conditions of that enterprise change constantly. Every business launches new products, adopts new IT systems, expands into new markets. Every business increases its budget sometimes and trims it at other times.

Those are conditions a compliance program must weather, day after day. If your compliance program can do this effectively, then you can call it robust. And, it will be super-robust if it is automated. There is software available to assist in the compliance management and consequently protect the company and its stakeholders (and the management can sleep better).

Feedback is appreciated; email me at [email protected]