Compliance Week recently analyzed the academic paper, “In Search of Effective Ethics & Compliance Programs,” published last month by University of Tennessee law professor Maurice Stucke. The importance of the paper is noted by Compliance Week’s editor-in-chief Matt Kelly, who wrote: “If you ever wanted to confirm that nagging feeling you have that maybe our approach to building compliance programs and deeming them effective isn't quite right, read this 88-page paper immediately.”
The paper provides evidence that there is no reward for getting an “A” in compliance. I agree with Stucke’s premise that the extrinsic nature of the compliance ecosystem, i.e., imposing externally derived compliance demands backed by the threat of punishment if the resulting program is ineffective, is at the root of the problem. Companies invest as little as they possibly can to achieve compliance to the letter of regulations. There is no benefit to spending more. Regulators have a habit of looking at the compliance cup as half-empty. If a compliance issue is discovered, regulators focus on what they believe is missing, rather than offer credit for what is present. There are few object lessons for the next companies to learn when it comes to understanding where compliance investments and results will be rewarded. I believe this results in companies ticking the boxes to meet annual compliance requirements and effectively self-insuring for potential fines, penalties, and remediation expenses that may result from a finding.
Kelly cites two good examples of approaches to audit and compliance, the risk-based approach where close attention is paid to the most troublesome parts of the business, and a tone-based approach where management sends a message regarding the importance of compliance by auditing something relatively small in percentage of spend, but high in visibility like travel and expense. Many companies view these approaches as mutually exclusive. But focusing on high-risk areas of the business and monitoring 100% of employees’ expense reports are not mutually exclusive activities. This is particularly true when highly efficient and effective systems for monitoring transactions are available at a relatively low cost. Many of our customers are leveraging these systems for both operational performance objectives and compliance risk monitoring. Identifying risk is not something that needs to be done by determining in advance the highest risk areas in which to focus. Leading companies are using automated monitoring and analysis systems to review everything in order to identify the areas of greatest risk.
Stucke is critical of monitoring and the impact monitoring has on employee trust in the organization. Stucke’s claim that research proves that trusting employees to behave and reminding them of that trust leads to a decline in misconduct. The research that Stucke cites is largely specific to video and direct observational surveillance and not the monitoring of business transactions related to individuals. Leading companies leverage transaction monitoring systems to help inspect what they expect in relation to policy and regulatory compliance. These systems can help identify training opportunities, policy reminders, and other positive reinforcement activities that encourage appropriate behavior, provide opportunities to correct inappropriate behavior, and stop the habitual, highest-risk actors.
Stucke cites the use of Honor Codes and the impact of reminders of the responsibilities related to these codes prior to an event where the codes might be violated as evidence regarding the positive impact that integrity-based systems can have on corporate compliance. There are certainly lessons to be learned from integrity-based systems like Honor Codes. But integrity-based systems and so-called “command and control” systems are not mutually exclusive. The reality is that regulators are not going to be any more forgiving for lapses in integrity-based systems than they will be for “pass/fail” command and control programs.
In a perfect world, regulators will provide clear guidance that focuses on intrinsic programs that organizations can deploy to full effect. The reality of the world in which we live is that organizations need to deploy programs that borrow from a number of different examples and disciplines. But in order to have the greatest confidence in your compliance reality, organizations need to inspect what they expect.