Wednesday, May 28, 2014

Compliance Management Programs: Good Enough is NEVER Good Enough

Audit, Compliance & Ethics professionals are not generally known for settling for mediocrity or resting upon their laurels. We spend our careers focused upon identifying, documenting, and mitigating risks. We employ people, systems, and procedures to comply faithfully with laws, regulations, and corporate policies. After decades of building and reporting on our detailed processes, we may confidently conclude to our colleagues that we are operating a best-in-class audit, compliance and ethics program.

But every once in a while we get a reminder that our compliance management program may require a little refreshment. Like a well-intentioned home gym gathering dust in the corner of your basement, your program becomes increasingly less relevant when it is not subjected to frequent and ongoing maintenance. When I am speaking with colleagues about this topic, I hear two consistent themes emerge: (1) we developed a state-of-the-art program back in 19xx, and then we got busy as the organization grew; or (2) we thought that [insert department or title] was watching over that part of the program and keeping it updated. “Best-in-class” became diluted by other competing priorities until it came to rest at “good enough” to keep the organization out of trouble with the board, the auditors, and the regulators.

Then the other shoe drops. At one time or another many of us will be faced with the realization that our compliance program has developed cobwebs. Perhaps you can recall a moment of truth…a request from a board member in light of a recent penalty received by a competitor?…a finding in an internal audit report?…an observation made by a prudential regulator? Regardless of the source, having to admit that maintaining the currency and accuracy of our program may have lagged as a priority is an uncomfortable spot to find ourselves in. In the words of President Harry S. Truman, “The buck stops here,” when you’re the Chief Compliance Officer.

Your CEO and your board do not want to hear how busy you’ve been overseeing the increasingly complex regulatory compliance environment. If that is your best response when cracks in your program have been publicized, then you had better clean out your office to make way for your successor who will be up to the task. No, if you find yourself having to admit you’ve neglected the care and feeding of your compliance management program, then you will be well advised to also come armed with your contingency plan to remediate your program gaps and a schedule of ongoing review and updating that will take place thereafter.

Before it gets to the point of asking for that mea culpa from your board, CEO, and regulator, perhaps it would be easier to gather the team, risk-rank elements of the compliance management program, and schedule a review of each element. While this may be a bit time-consuming in the initial phase, each subsequent periodic review should be shorter, especially if also paired with ongoing monitoring of emerging legislation, regulation, and policy changes.


We’ve spent our entire careers getting out in front of the risks. Maybe we became complacent. Let’s return to the basics and declare boldly that “good enough” just isn’t good enough anymore.