Why Compliance Programs Fail and What to Do About It?

Compliance programs are designed to prevent, detect, and remediate compliance risks within an organization. Despite these noble objectives, many compliance programs fail to live up to their potential, leaving organizations vulnerable to a range of legal and reputational risks.

 

There are a number of reasons why compliance programs fail:

 

One common reason is that the program is not designed or implemented correctly from the start: it may be too narrowly focused, lack clear objectives, or fail to take into account the specific risks faced by the organization.

 

Another reason for failure is that the program is not adequately resourced, either in terms of funding or personnel. This can lead to a lack of buy-in from employees, who see the compliance function as a burdensome imposition rather than a valuable resource.

 

Compliance programs can also fail due to a lack of ongoing monitoring and evaluation. Without regular check-ins and updates, it is difficult to identify problems early on and make necessary course corrections.

 

Compliance Metrics Can Go Astray

 

To be effective, compliance programs must be tailored to the specific risks faced by an organization. One size does not fit all: what works for a small company in a regulated industry will not necessarily work for a large multinational corporation. And yet, many organizations take a one-size-fits-all approach to compliance, using the same metrics and benchmarks regardless of context.

 

This can lead to a number of problems. First, it creates a false sense of security, as the organization believes it is in compliance when in reality it is not. Second, it can lead to over-compliance, as the organization tries to meet all the metrics without regard for whether they are actually relevant to its risks. Third, and perhaps most importantly, it can divert attention and resources away from the areas that pose the greatest risks, leading to a situation where the organization is compliant in name only.

 

Mistaking legal accountability for compliance effectiveness.

Compliance guidelines have important legal purposes, but forcing them into rigid regulations may limit their ability to improve employee conduct.

 

Take this question: "How has the firm determined if these rules and procedures have been properly implemented?"

 

Often, when an employee violates a rule, companies will try to pacify the situation by showing that the said worker signed a document claiming they had read and understood the workplace's policies and codes of conduct. Although this may hold true in a court of law, it says nothing about whether or not this person actually practiced what they preached every day on the job.

 

How many times do we all reflexively assent to the legal terms of an agreement, especially those that we have no power to negotiate? Employees may sign an acknowledgment of corporate policies without actually having read or understood the terms.

 

In addition, the policies may be incomprehensible because they are worded in legalese, technical terms, or just plain obtuse language. There might also be an unspoken agreement among employees that the policies don’t need to be followed too closely or that best practices can be made up on the spot.

 

Because of this, counting employees' legally enforceable assents to policies is a poor measurement tool for evaluating a compliance program's success.

Self-reporting and self-selection bias.

To get an accurate pulse of their program's performance, compliance managers will often give out surveys. For example, to see how willing employees are to utilize the company's reporting mechanisms, a manager might ask: “Are you confident in your ability to know when it is appropriate to seek compliance advice? Would you feel comfortable doing so?”

 

The downside of deploying surveys is that self-reporting and self-selection by respondents have the potential to skew results and lead decision makers astray.

 

Employees who have witnessed unethical behavior, for example, may be hesitant to “out” their coworkers and may choose not to respond to survey questions, which would bias the results toward those who haven't seen anything wrong. Similarly, individuals in higher positions and those who actually engage in wrongdoing might be less inclined to participate. As a result, when analyzing metrics, bias must be taken into account.

Linking Compliance Initiatives to Objectives:

So how do you create models that can credibly evaluate the impact of a compliance program?

 

The first step is understanding that compliance isn't an end in and of itself, but rather a tool to achieve specific organizational objectives. Once these objectives are clear, you can set up metrics to track progress.

 

For example, if the objective is to reduce corruption, then you would want to track the number of reported incidents of bribery and corruption, as well as the number of employees who have completed anti-corruption training.

 

If the objective is to improve safety, you would want to track the number of accidents, near misses, and injuries. And if the objective is to improve ethical behavior, you would want to track the number of employees who have received ethics training, as well as the number of reported ethical violations.

 

Of course, these are just a few examples – the important thing is to select metrics that are directly linked to your organization's specific objectives.

 

Compliance Engineering

Some businesses may be more inclined to devote significant effort and resources to compliance and ethics programs since they believe them to be essential for the company's long-term success. But we're practical people. We recognize that with so many additional competing demands on a firm's limited resources, regulatory and liability concerns constantly become the driving force behind compliance efforts.

 

Therefore, it is essential to become diligent in measuring outcomes if we want our compliance programs to meet the stronger regulatory standards of today. In other words, if all that can be said for an anti-corruption training course is that employees completed it, prosecutors, courts, and regulators are not going to give a company credit for having an effective program.

 

While many businesses still see ensuring compliance as a legal matter, it is actually a lot more of a behavioral science. That may make attorneys uncomfortable, but for compliance efforts to be effective, managers need to try things out. This will require firms to engage in some testing and invention.

 

A company's codes of conduct should highlight the policies that are most important to its success. Hotlines can also help employees resolve issues before they cause any damage. If firms assess the effectiveness of their programs more carefully, they may be able to implement more ambitious and creative initiatives.

 

With all of today's stringent corporate rules, it's no surprise that businesses find it difficult to comprehend and fulfill their legal and moral obligations. It would be ideal if there were a one-size-fits-all yardstick to determine whether or not a compliance program is on track. However, simple univariate metrics will not adequately assess the success of a policy. To accurately quantify outcomes, successful compliance engineering necessitates some creativity, testing, and careful model building.

 

Many companies are wasting money on compliance programs that aren't effective. Better measurement can help identify which initiatives need to be scrapped or improved to save resources and make the company more efficient.

 

The Solution: A Risk-Based Approach

 

To be truly effective, compliance programs must take a risk-based approach. This means understanding the specific risks faced by the organization and designing the program accordingly. It also means monitoring and evaluating the program on an ongoing basis to ensure that it is still relevant and effective.

 

Risk-based compliance programs are not easy to design or implement, but they are essential to protecting organizations from compliance risks. With the right approach, organizations can create compliance programs that are tailored to their specific needs and that evolve as the risks change.

 

There are a number of practical steps you can take to fix the problem:

 

First, conduct a comprehensive review of your compliance program to identify any weaknesses or deficiencies:

 

- Is the program well designed and implemented?

 

- Is there sufficient funding and staffing for the program?

 

- Is the program tailored to the specific risks faced by your organization?

 

- Does senior management support the program?

 

 

Next, develop and implement a plan to address these deficiencies:

 

- If the program is poorly designed or implemented, develop a plan to improve it.

- If the program is not well resourced, seek additional funding or staffing.

- If the program is not tailored to the specific risks faced by your organization, revise it to better address those risks.

- If senior management does not support the program, engage them in discussions about its importance and seek their buy-in.

 

Additionally, monitor and evaluate the effectiveness of your compliance program on an ongoing basis:

 

- Regularly review compliance risks and update the program accordingly.

- Evaluate the program’s effectiveness at preventing, detecting, and remedying compliance risks.

- Make changes to the program as needed to improve its effectiveness.

 

Finally, ensure that your program is adequately resourced, with sufficient funding and staffing to effectively carry out its objectives:

 

- Review the program’s budget and staffing levels on an ongoing basis.

- Seek additional funding or staffing as needed to support the program.

- Make sure that all staff responsible for compliance are properly trained and have the resources they need to do their jobs effectively.

 

By taking these steps, you can improve the effectiveness of your compliance program and help to protect your organization from a range of legal and reputational risks.