What does an effective compliance program look like? CEOs read this question and think about it from the perspective of, “What do we need to do to maintain customer and shareholder confidence while satisfying regulators (and keep me out of jail)?” Chief Compliance Officers read it and think, “Is someone finally going to tell me what I can take to the CEO and the management team that answers the age-old question, ‘What do we need to do to maintain customer and shareholder confidence while satisfying regulators?’” Regulators look at this and think, “Oh boy, yet another request to do the equivalent of defining the characteristics of a perfect piece of art!”
I read this question from the perspective of a data analysis software provider and wonder why everyone else doesn’t see the obvious.
Tom Fox, in his recap of Andrew Ceresney’s (SEC Director of the Division of Enforcement) Compliance 2014 keynote address, notes that Ceresney cited past thoughts from SEC and DOJ luminaries. Fox mentions three questions that former US Deputy Attorney General and current Baker & McKenzie LLP partner Paul McNulty described as his three general areas of inquiry when he assessed an enforcement action at DOJ. They are:
- What did you do to stay out of trouble?
- What did you do when you found out?
- What remedial action did you take?
Fox also mentions what McNulty’s former partner, Stephen Martin, would ask:
“First he would ask…what the company’s annual compliance budget was for the past year. If the answer started with something like, ‘We did all we could with what we had ($100K, $200K, name the figure),’ he would then ask, ‘How much was the corporate budget for Post-It Notes last year?’ The answer was always in the 7-figure range. His next question would then be, ‘Which is more business critical for your company; complying with the FCPA or Post-It Notes?’ Unfortunately, it has been Martin’s experience that most companies spent far more on the Post-It Notes than they were willing to invest into their compliance program.”
Both McNulty’s and Martin’s questions tie directly into my “software guy’s” perspective that a lot of compliance and business professionals are missing the obvious. Automated monitoring and analysis of business transactions generally costs less than $100,000 per year for all but the largest organizations, and the level of effort required to act on the results is always less than the level of effort associated with a sample-based manual audit (see why this is true). The cost of “inspecting what you expect” from business transactions and employee actions certainly falls within the range of Martin’s Post-It Notes comparison. And when it comes to McNulty’s questions, my “software guy” answers really come into play:
- What did you do to stay out of trouble? (I implemented an automated monitoring and analysis program that helped us review 100% of our T&E [or purchase card or accounts payable transactions] to identify the highest risk transactions so we could take action.)
- What did you do when you found out? (We used the results of the automated analysis to focus review and investigative resources on identifying the highest-risk transaction types and the highest-risk employees, those requiring further training, censure, or dismissal, and on identifying the root cause of the high-risk transactions.)
- What remedial action did you take? (Based on the root causes identified through our automated monitoring and analysis system and subsequent confirmation by our compliance and investigations teams, we took the following steps to prevent similar activities from recurring.)
Some may argue that I have oversimplified the compliance process, and that may be true. I can just as readily argue that companies routinely overcomplicate the compliance process when it could really benefit from a simple execution of a simple philosophy – inspect what you expect.