What does an effective compliance program look like? CEOs read this question and think about it from the perspective of, “What do we need to do to maintain customer and shareholder confidence while satisfying regulators (and keep me out of jail)?” Chief Compliance Officers read it and think, “Is someone finally going to tell me what I can take to the CEO and the management team that answers the age-old question, ‘What do we need to do to maintain customer and shareholder confidence while satisfying regulators?’” Regulators look at this and think, “Oh boy, yet another request to do the equivalent of defining the characteristics of a perfect piece of art!”
I read this question from the perspective of a data analysis software provider and wonder why everyone else doesn’t see the obvious.
Tom Fox wrote a recap of Andrew Ceresney’s (SEC Director of the Division of Enforcement) Compliance 2014 keynote address. In it, Ceresney mentions past thoughts from SEC and DOJ luminaries. Fox highlights three questions that Paul McNulty, former US Deputy Attorney General and current Baker & McKenzie LLP partner, described as his three general areas of inquiry when assessing an enforcement action during his time at DOJ. They are:
Fox also mentions what McNulty’s former partner, Stephen Martin, would ask:
First he would ask…what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure),” he would then ask, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. His next question would then be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, it has been Martin’s experience that most companies spent far more on the Post-It Notes than they were willing to invest into their compliance program.
Both McNulty’s and Martin’s questions tie directly into my “software guy’s” view that a lot of compliance and business professionals are missing the obvious. Automated monitoring and analysis of business transactions generally costs less than $100,000 per year for all but the largest organizations, and the effort required to act on its results is consistently lower than the effort required for a sample-based manual audit (see why this is true). The cost of “inspecting what you expect” from business transactions and employee actions certainly falls within Martin’s Post-It Notes comparison. And when it comes to McNulty’s questions, my “software guy” questions really come into play:
Some may argue that I have oversimplified the compliance process, and that may be true. I can just as readily argue that companies routinely overcomplicate the compliance process when it could really benefit from a simple execution of a simple philosophy – inspect what you expect.