One of the things that I sorely lacked when I worked in-house was any guidance on management practices towards the implementation of either legal or compliance initiatives. Most legal and compliance departments do not train their attorneys or compliance practitioners on management practices for compliance program implementation, enhancements or upgrades after a risk assessment. I was therefore very intrigued when I came across an article in the November issue of the Harvard Business Review, entitled “Does Management Really Work?” by Nicholas Brown, Raffaella Sadun and John Van Reenen. I found the article very useful because it gave succinct advice about what a business can do to improve its management practices and determined that this advice can be applicable to a compliance program.
The authors tested three essential practices which they believe can address even the most complex global problems. The three principles which they believe “are generally considered to be the essentials of good management” are:
- Targets: Does the organization support long term goals with tough but achievable short-term performance benchmarks?
- Incentives: Does the organization reward high performers with promotions and bonuses while retraining or moving underperformers?
- Monitoring: Does the organization rigorously collect and analyze performance data to identify opportunities for improvement?
You might read these and immediately think about Paul McNulty’s (Three) Maxims. I, however, believe that these three management practices can provide some assistance beyond McNulty’s queries. In the article the authors research showed that by the use of these three techniques businesses could not only set parameters but also measure on them, generally had more and better productivity and overall better financial health.
From the compliance perspective how can one use these three relatively straight forward techniques? Interestingly the authors revealed some of the questions used in interviews with over 8,000 manufacturers who were interviewed in this project. I have selected 10 questions which you might want to put use as a starting point for managing your compliance initiatives going forward as I believe that they are very good questions to use in formulating a plan for compliance program implementation or upgrade. I would challenge you to think about some of the answers to these questions in the context of your compliance program.
- Interconnectedness of Targets – How are compliance goals cascaded down to individual workers? Everyone recognizes the importance of ‘tone-at-the-top’ as it is enshrined in the US Federal Sentencing Guidelines, the Department of Justice’s (DOJ) minimum best practices compliance regime and the UK Bribery Act’s Six Principles of an Adequate Procedures compliance program. However, as many commentators now recognize, it is also tone in the middle and at the bottom, which may equally matter. So how do you ascertain and ensure that top management’s message gets cascaded down into your organization?
- Clarity and Comparability of Goals – Does anyone complain that your compliance targets are too complex? Certainly the initial role out of a compliance program can be quite a large undertaking. Perhaps another approach might be to focus on high risk areas and remediate them by rolling out initiatives to manage those risks first and then move to other areas. Many companies have reviewed and remedied the third party sales side of their business but are only now looking at the Supply Chain or Procurement side of the equation. If you work on one such problem at a time, it can help move the overall process forward in a more orderly fashion.
- Consequence Management – How do you deal with repeated compliance failures in a specific business segment or compliance program area? This is certainly one question that you would want to consider carefully. Do you have problems with one business unit or one geographic area from the compliance perspective? Are gifts in China, for example, an ongoing issue for your company? What about travel and entertainment? Areas that show up again and again will merit more focused attention.
- Instilling a Mind-Set – How do senior managers show that attracting and developing talent who will engage in ethical business conduct is a top priority? Here you should consider bringing in your Human Resources Department for not only assistance but their expertise. If top management will make a commitment to this, you should work to create the appropriate mind-set of doing business the right way throughout your organization.
- Removing Poor Performers – How long is compliance underperforming tolerated? In many ways, this question is the flip side of number 4 above. I think that many companies would clearly say that they will discipline, up to and including discharge, any employee who engages in practices which violates the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. But this question drills deeper and forces a more rigorous analysis on not just FCPA failures by employees but poor ethical choices which may be less than full FCPA violations.
- Unique Employee Value Proposition – What makes it distinctive to work at your company? More pointedly, how can your compliance challenges be turned into business leadership opportunities? Ethisphere annually shows that its top list of the Most Ethical Companies out performs the Standard & Poor (S&P) 500. If you can turn the distinctiveness of what your company does into a compliance plus in the marketplace, it could well make your business more profitable.
- Continuous Improvement – How do compliance programs that are not working typically get exposed and fixed? There is a difference between auditing and monitoring. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For example, if you notice a trend of suspicious payments in recent monitoring reports from a country in the Far East, it may be time to conduct an audit of those operations to further investigate the issue.
- Performance Tracking – What key compliance indicators do you use for compliance tracking? Here you need to look at the metrics which you have developed. A good starting point can be with your hotline or helpline. What can you determine from the calls or reports which come in through these systems? What if you have not had any reports for several years, what should that be telling you about your communication to your employee base? Or does it mean that people have not been properly and effectively trained that a hotline or helpline exists and is available for their use or, more ominously, are afraid to make any reports for fear of retaliation or even losing their jobs? This is certainly something you should take a good look into, whichever way the metrics are going for your company.
- Performance Dialogue – For a given compliance problem, how do you identify the root cause? If you do not know what the cause of a problem is, you cannot successfully work towards remedying that problem. This does not simply mean firing any persons involved in a potential FCPA violation. You need to dig down and found out what allowed this issue to arise. I once heard that the difference between Japanese and American post-incident investigations is that in the US there is an attempt to assess blame, conversely in Japan there is an attempt to find a solution to the problem. This is the approach that I believe compliance practitioners should take, to try and find a solution by determining the root cause of a compliance failure.
- Retaining – What are you doing to retain your top employees from the compliance perspective? This is not a question that is typically asked in the compliance department. But one thing you can look at is what your company is doing to retain, promote and take to senior management those employees who do business in an ethical manner and in compliance with your company Code of Conduct.
I found the article to be very useful when applied to the compliance practitioner by not only using the triumvirate of targets, incentives and monitoring as a management practice but also the questions that the authors posed in the context of your company’s own compliance program. We continually face the challenge of keeping up with the ever evolving compliance best practices with little or no budget increase. I found that this article had points which you can ask yourself, and of your compliance program, which can facilitate a robust discussion that can highlight areas for improvement.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2012