Where is compliance headed in the 2020’s? Certainly, technological solutions will be a big part of the future of compliance programs and controls. Compliance is rapidly emerging and being viewed as a critical business process. Moving away from the days in which it was driven by legalese and where lawyers are responsible for crafting compliance policies and procedures. These advances provide opportunity for innovation, and enable compliance to recede from being viewed as a cost center led by the “head of business denial”, to being viewed as value added function to the business. Simply put, a more effective compliance program contributes to more efficient business processes, which leads to greater profitability.
This idea of embracing compliance as a business process has been emerging for some time. In this first decade of the 21st century, when FCPA enforcement actions dramatically increased, many companies saw compliance programs, policies and procedures as responses to increased government enforcement. Hence, the legal basis for compliance; where Codes of Conduct were 30 to 50 pages long, policies written in dense legalese and often with legal citation, procedures implemented bespoke, and the results stored manually on spreadsheets. It was time consuming, incredibly costly, and considerably inefficient. Yet this is what the Department of Justice expected to see when companies under investigation came to Washington DC for meetings with the attorneys overseeing their FCPA investigations.
Through these meetings, the Department of Justice began to see the process-driven nature of compliance. This view was captured for the public in the 2012 FCPA Resource Guide, issued jointly by the DOJ and SEC, in which they provided the Ten Hallmarks of an Effective Compliance Program. Under Hallmark IX, Continuous Improvement: Periodic Testing and Review, the 2012 Resource Guide stated, “An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” This led to the conclusion that “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.” This standard clearly articulates that improvement relates to process improvement, which leads to continuous improvement.
Fast forward to 2020 and the release of the 2019 Guidance on Evaluation of Corporate Compliance Programs (“Guidance”), which is an evolution from the 2017 FCPA Corporate Enforcement Policy and its additions, because it emphasizes how the DOJ has embraced corporate compliance programs by applying the Guidance to the entire Criminal Division—not just the Fraud Section.
For example, the regulators have increased their focus on a company’s overall culture, which can be indicative of its compliance culture. The most effective way to promote a culture of compliance is to embed the compliance program into the fabric of the organization. The DOJ developments contribute to the operationalization of compliance programs by moving compliance performance away from the corporate compliance function, and into the business front lines where it can have the greatest impact. Continuous improvement of compliance is no longer considered a cutting edge practice or even a best practice, but simply a standard practice for every effective compliance program.
Compliance as a Business Process
This shift from compliance as a legal response to compliance as a business process requires a different set of skills that are traditionally taught to lawyers during law school, in public practice, or in-house roles. This shift requires keen business acumen and knowledge of business processes. It also requires robust data analytical skills; specifically, the use of data to make decisions that improve business processes. Most importantly, data analytics in compliance programs will cause companies to depart from their current reactive approach, in favor of a more proactive and prescriptive approach to mitigating compliance risks. This risk-based approach requires analyzing the data, interpreting the results, evaluating internal controls, understand behavior, and then using those interpretations to make continuous process improvements.
Consequently, this will mean a change in thinking. While a lawyer or legally trained professional can certainly head a corporate compliance function, it should be obvious a more diverse palette of professional skills are now required. These competencies will be required in the corporate compliance function in this decade and beyond.
Compliance professionals must have the ability to adapt to this changing world. If you are in compliance and do not currently possess the skills mentioned herein, it may behoove you to surround yourself with professionals that fill your gaps. For you may well find yourself unable to perform your role effectively, run of risk of being replaced, or the target of a regulatory inquiry.
Remember as Yogi once said, “If you don’t know where you are going, you’ll end up someplace else.
I welcome you thoughts and ideas. Feel free to contact me by clicking on the link below my picture.
Stay safe and be well!