Tuesday, July 30, 2013

BUILDING EFFECTIVE COMPLIANCE PROGRAMS: It Takes a Village

“No member of a crew is praised for the rugged individuality of his rowing” ~Ralph Waldo Emerson

“If everyone is moving forward together, then success takes care of itself” ~Henry Ford


I had recently been contacted by an individual who had been tapped by her organization to launch a corporate compliance program. My colleague approached me with that perennial question, “How did you build your program?...” I paused to consider my response.

Despite the mythology to which some may wish to subscribe, individuals don’t design, build or improve corporate compliance programs alone. While individuals certainly contribute significant leadership, ideas, and work product to a successful compliance program, it is truly the efforts of interconnected contributors that weave the fabric of the program.

From scoping and documenting the program charter through defining and populating a comprehensive compliance risk universe, it takes a village of invested professionals to build the program. Since a compliance program likely encompasses several lines of business and diverse operating functions spread across multiple locations, personal interaction with a variety of leaders and staff is necessary to identify, quantify, and rank risks across an organization. I don’t know about you, but I certainly have experiential limitations regarding various functions outside my areas of expertise. Without those subject matter experts, my program would be neither comprehensive nor effective.

Thus, while it would have been terribly tempting to my ego to lead my fellow professional colorfully through an anecdotal reprise of my rugged journey to locate the holy grail of corporate compliance on a lonely mountaintop, my better angels prevailed. “Katherine, I’d be pleased to share with you how we built our program, and the lessons we’ve learned…” And with that discussion, another member was added to the compliance program “village.”

Wednesday, July 3, 2013

EXPOSING MY DIRTY LAUNDRY: Responding to Ethical Incidents in Advance

“Ethics is knowing the difference between what you have a right to do and what is right to do.”
~Potter Stewart, former U.S. Supreme Court Justice

“The time is always right to do what is right.”
~Martin Luther King, Jr., U.S. civil rights leader


Today’s revelation that former Olympus Corporation Chairman Tsuyoshi Kikukawa had received a suspended sentence for his role in a $1.7 billion accounting fraud is a reminder that neither business ethics courses nor prior real-world examples have stemmed the tide of high-profile executive wrongdoing. In addition to former Olympus Executive Vice President Hisashi Mori, Hideo Yamada, the former auditing officer, also received a suspended sentence, debunking any myths that corporate audit and compliance professionals are above temptation.

Sufficient ink has been dedicated to detailing the corporate, government, and NGO ethical downfalls throughout the modern age. Fraud observes no geographical, political or industry boundaries. Ethical lapses remain pervasive and persistent, but I believe they are preventable.

What are you doing within your organization currently to acknowledge and mitigate the risks posed by executive ethical lapses?

Tone at the top is more than an email, a poster, or even a video distributed by your chief executive officer expounding the importance and benefits of maintaining an ethical culture. Real ethical leadership takes root within an organization when the board of directors and senior leadership infuse the culture with relevant actions.

· Strategic planning conferences and periodic governance meetings should include ethics discussions on the agenda.
· Tabletop exercises should be built around current ethical lapse events in your industry.
· Internal metrics should be tracked and benchmarked against other like organizations.
· Employees at all levels must be encouraged to ask questions and report observed ethical lapses in good faith without fear of retaliation.

What are you doing when a significant ethical lapse strikes from within your own organization?

At one time or another nearly every organization, be it for-profit, government agency, faith-based, etc., will need to address an ethical incident that emanates from within its own walls. More than just the fear of negative publicity or criminal prosecution should drive the organization’s response. Many a relatively minor ethical incident has morphed into fodder for bloggers and 24/7 cable news outlets simply due to senior level fumbling and obfuscation amidst embarrassing revelations.

In fact, the best time to publicly address ethical lapses within your organization is before one has emerged.

· Plan, document and test your organization’s Ethical Incident Response Plan (E-IRP).
· Educate senior leadership regarding effective and transparent communication strategy, obtaining communication training in advance where needs dictate.
· Communicate in a coordinated, transparent and timely manner both internally and externally to your organization, erring on the side of humility and candor.

Organizations are governed and led by human beings. Men and women, regardless of demographic variables across cultures, shun the humiliation and ridicule that scandal generates. Applying an objective E-IRP model in advance of ethical lapses will mitigate the risk that my dirty laundry—or yours—will hang too long on the proverbial corporate clothesline.

Tuesday, June 18, 2013

Why I Love Regulatory Examinations

“The superior man understands what is right; the inferior man understands what will sell.”
~Confucius

“Happiness does not come from doing easy work but from the afterglow of satisfaction that comes after the achievement of a difficult task that demanded our best.”
~Theodore Isaac Rubin


To this day, I enjoy going to the dentist. Almost nothing feels as good as that squeaky-clean sensation after the hygienist completes a thorough cleaning. When I was a child and others feared that periodic visit to the reclining chair, I looked forward to the cleaning, the fluoride, and the constructive criticism about my brushing that I received as I sat there. While not cavity-free, I have experienced far fewer cavities than I otherwise would have.

Similarly, I’ve never experienced an unfavorable regulatory examination, though my experiences haven’t been “cavity-free.” Jokes comparing audits to root canal aside, I believe the same lessons learned in the dentist’s chair apply equally well amidst the increasingly complex regulatory landscape we face in our organizations. We each lead our organizations with our mission top of mind, but those of us who achieve the greatest success know that we must continuously improve our products/services, our processes, and our people. That is where our regulatory examinations and internal audits come into play.

But some of us have also led in organizations where government regulators were regarded by some of our colleagues as the barbarians at the gate. Those doomsayers would have us believe that examiners and auditors are the malicious brainchild of fiendish state and federal bureaucrats committed to plunging our state or nation into communism.

I’m not a fan of senseless or redundant government regulation by any means, but even Ronald Reagan retained most aspects of the federal regulatory infrastructure throughout his tenure. Judicious regulation has its rightful place in the untamed marketplace, and thus serves to balance the interests of fair-minded consumers and businesses against the carelessness of the few.

A fair-minded organization operates with a high degree of transparency and employs efficient controls and feedback mechanisms to drive improvement. While operational metrics, financial reporting, and focus groups can provide much important data, the superior organization incorporates the findings and observations of its internal auditors, external information security auditors, and state and federal government regulators into its continuous improvement mechanisms.

I have had the pleasure to speak with countless committed regulatory professionals throughout my career. Well-educated, knowledgeable about their industries, insatiably curious—these men and women have provided me and my colleagues with great insight not only into our own organizations, but have also previewed industry trends before they became regulatory mandates.

Because we were willing to listen, anticipate and prepare, we were able to adapt practices, install or modify systems, and educate our employees and customers in a manner that displayed our genuine integrity as an organization. While I’ve led at organizations that have garnered awards and praise, I am pleased not to have worked at organizations that have headlined the scandal pages.

The truth is…regulatory professionals care deeply about their respective agencies’ missions. As within our own organizations, they are also subject to the ambiguity and uncertainty that new laws, regulations, and political battles entail. Without speaking ill of a rule, regulation or politician, a forthright regulatory professional will admit when the landscape is rocky, shifting or unstable. A wise leader walks that rocky road with the regulator, listening closely, communicating openly, and seeking clarity where clarity may be had. And even when we must agree to disagree on a matter, the relationship remains strong well into the future.

A forward-leaning organization positioned to succeed well into the future expands itself atop a firm foundation built solidly into the regulatory landscape. When regulatory examinations and internal audits inevitably occur, the transparent integrity and compliant processes we employ will carry the day. Importantly, our ability to humbly accept and evaluate the findings, recommendations and observations that are shared with us (formally or informally) may well drive adaptations or improvements that our stubborn competitors will be unwilling to receive. Hubris begets truth decay.

Tuesday, April 23, 2013

COMPLIANCE & ETHICS: STAND YOUR GROUND OR STAND DOWN?

“When restraint and courtesy are added to strength, the latter becomes irresistible.”
~Mahatma Gandhi

Building upon the topic of my last article, I want to explore how you respond when called upon for your compliance or ethics perspective.

On the one hand, as the cliché goes, to him whose only tool is a hammer, every issue is a nail. At some phase of our own careers we may have found ourselves expounding first and asking critical questions later. At the very least we have encountered compliance professionals who may have operated from this viewpoint. As I recall one individual saying to me years ago, “If he didn’t want my honest opinion, then he shouldn’t have come to me for compliance advice!” At this end of the spectrum, every situation that arises, every request that is received, is met with an oft-detailed compliance laundry list that can bog down many a promising business initiative.

At the other end of the spectrum is the laissez-faire attitude toward compliance and ethics. In such an environment the duty of care is subjugated to the operational imperatives of running the business. Time is money. Rules were made to be broken. What they don’t know won’t hurt them. And so forth. Where compliance has become a reactionary repair mechanism and ethics don’t weigh into substantive decision-making, an organization will eventually find itself on a collision course with the U.S. Federal Sentencing Guidelines and other civil and criminal laws. The wise compliance and ethics professional attempts to improve this culture, but if unsuccessful may best be advised to exit amidst a noisy withdrawal.

Between the Compliance Overlord and the Compliance Pushover models described above do we find the middle ground upon which the majority of us practice our profession. As we often must confess, the black-and-white scenarios aren’t the ones we’re generally called in to decide. Management can make those clear-cut calls on their own with ease.

When management encounters the Overlord too frequently, then management will avoid consulting compliance and ethics professionals. A resulting pattern of inconsistent and self-serving decision-making increases in this environment, exposing the organization to decreased morale, employee confusion, and potential litigation.

When management encounters the Pushover too frequently, then management will only seek out compliance and ethics professionals to rubber-stamp otherwise questionable or insubstantial decisions. A resulting pattern of patchwork compliance counsel that largely misses the breadth of business line decision-making spreads in this environment, exposing the organization to rogue players, overly-confident self-assessments, and potential litigation or criminal prosecution.

In short, know when to stand your ground and know when to stand down and let management carry on.

When our organization’s compliance & ethics culture is strong, visible, and active, then management and employees know that they can rely upon us to exercise good judgment in the face of ambiguity. Your good judgment is best understood within and across your organization when exercised judiciously. When you get to know your management colleagues, truly understand their business strategies and objectives, and defer to their expertise when compliance and ethical standards are being substantially met, you will earn that reputation for wise and judicious counsel.

When you weigh in on matters sparingly and appropriately, your organization will prosper ethically in your stead.

Thursday, April 4, 2013

Your Compliance & Ethics Function: Aligned, Not Maligned

Today, more than ever, your organization needs you. As a Chief Compliance & Ethics Officer navigating the increasingly complex regulatory landscape, your objectivity and expertise provide your board and senior leadership team with a beacon to guide them. Oftentimes you are viewed as the guardian at the gate.

While your colleagues and directors will likely embrace and support your role, your precautionary observations, and your recommendations, that enthusiasm does not always translate vertically throughout the organization. Members of your team may already have encountered the resistance that emerges when raising regulatory compliance, ethics or internal control concerns in the midst of deadline-driven projects. Not often do the profit center managers in our organization stand up and cheer our scrutiny and counsel when we review their proposed product and service offerings, marketing materials, and incentive compensation plans.

We do not further the compliance & ethics mission in our organization when our role is viewed in isolation as too far removed from the day-to-day goals and objectives of our organization. Let’s face it—our organization was most likely founded to obtain a for-profit or not-for-profit objective, not to support our compliance & ethics function.

Over the years I have identified some key steps that allow our own compliance & ethics role to align tightly with the growth strategies and objectives that our organizations strive to implement. I refer to these steps as getting down into the MUD:

· Meet as many key managers at all levels in your organization as feasible. The more colleagues you become familiar with, the greater the likelihood that your involvement will be sought out earlier in the planning, development, and execution of new programs, products, and initiatives.
· Understand genuinely the plans, imperatives, and metrics that drive key managers in your organization in their respective roles. When you truly understand the why, what and how of each division and department, then you will be better able to anticipate and address potential regulatory compliance, ethical, or internal control exposures.
· Defer to your operational colleagues when a decision does not require approval from you. Your credibility as Chief Compliance & Ethics Officer is strengthened when you resist the urge to exert your will upon every decision in a project, program, or product launch.

When we take the time to get to know our operational colleagues, understand their roles more fully, and defer to their subject-matter expertise, we will find that those same colleagues are much more likely to invite us to advise them regarding regulatory compliance, ethics, and internal control matters. Instead of being maligned as the killjoys at headquarters, let us become aligned with our shared organizational mission as we serve to safeguard it from foreseeable risks.

Thursday, March 28, 2013

Enterprise Risk Management: Captain Kirk Confronts the Final Frontier

When faced with the regulatory mandate to incorporate or improve your organization's enterprise (or enterprise-wide) risk management (ERM) process, we can sometimes feel like a Klingon confronting Tribbles. To succeed with ERM within our organization, we must instead adopt the attitude expressed by Captain James Kirk in the 'Day of the Dove' episode: "There's another way to survive. Mutual trust...and help."

Several years ago, the federal banking regulators set off on a mission to bring Enterprise Risk Management (ERM) to the forefront of financial institution governance expectations. In the ensuing years, state insurance regulators have joined the mission through the National Association of Insurance Commissioners (NAIC) Own Risk and Solvency Assessment (ORSA) model act. The topic continues to get considerable attention in recent regulatory guidance, including Federal Reserve Board (FRB) supervisory letters 12-7 and 08-8. The Federal Reserve Bank of Chicago (FRB-C) devoted considerable attention to the topic at its 2011 conference.

What appeared to be a distant risk management galaxy in the late 1990s has certainly become an oft-discovered governance imperative for financial institutions. As a financial industry executive, you know that you have been charged with the responsibility “to boldly go where no man has gone before.” Much like the voyage of the storied U.S.S. Enterprise, your voyage has taken you to strange new worlds as you have sought to develop or improve your ERM model.

When you have set out to build a robust risk management infrastructure to integrate, coordinate and facilitate forward-looking risk management throughout the enterprise, you invariably have encountered (or will encounter) skeptics. Captain Kirk addressed this challenge in the 'A Private Little War' episode: "The only solution is...a balance of power. We arm our side with exactly that much more. A balance of power...the trickiest, most difficult, dirtiest game of them all. But the only one that preserves both sides."

But make no mistake about it—ERM is not optional and is here to stay. Thus, we often will find ourselves educating senior leadership colleagues and independent directors about ERM, in parallel with obtaining the necessary data to build, enhance, and report upon our ERM model. ERM cannot simply become a once-and-done exercise that ends up in a binder on your credenza.

Building a culture around ERM involves acclimating leadership throughout the organization to a continuous reporting system that identifies and addresses emerging risks. Strategic initiatives and ongoing business planning are evaluated in light of current and emerging risks and incorporated into analysis and leadership and board decision-making. ERM becomes a discussion item on at least a weekly basis within the leadership team, and a standing agenda item for your board, often through an ERM committee. Reports are designed to be condensed, accurate and meaningful for decision-making.

Internal Audit and Compliance play key roles in the ERM process. The periodic review and validation of the model through targeted risk assessments must be conducted under the direction of the organization’s senior leadership to support the organization’s risk appetite.

Occasionally, Captain Kirk and his officers would find themselves enmeshed in a scene from Earth's pre-space travel history, yet the episode always ended with our beloved travelers safely back aboard the U.S.S. Enterprise. As your ERM model and methodology evolve, it is likely that the organization will also never return by the way that it arrived, because external variables will continually infiltrate the ERM model. Most notably, your organization’s ERM will remain under the scrutiny and be subject to the recommendations of your prudential regulator. There simply is no going back.

Continue to be the evangelist for sound enterprise risk management in your organization, devoting yourself to encouraging, educating and embracing your colleagues as you faithfully fulfill the ERM governance role entrusted to you. Much like Kirk, may you live long and prosper in your role.

Wednesday, March 13, 2013

Forecasting the Digital Future: Avoiding a “Friend Request” from the FTC

The regulatory burden upon corporate social media strategy was further increased when the Federal Trade Commission (FTC) issued its revised .com Disclosures guidelines on March 12, 2013 (http://ftc.gov/os/2013/03/130312dotcomdisclosures.pdf). The original guidelines had been published in 2000, long before “dot com,” “smartphone,” and “social media” became household terms. This highly anticipated revision of the original document had been underway since May 2011, and appears to have been closely timed with the recent FFIEC social media rulemaking.

Guidelines are often drawn from successful FTC administrative actions against violators. While guidelines do not carry the weight of formal law, guidelines do define norms that will often trigger subsequent FTC regulatory investigations, and thus must be regarded by industry within the advertising risk management framework. That being said, the FTC admits that there is no set formula for a clear and conspicuous advertising disclosure. Don’t you relish ambiguity amidst federal regulation and potential for fines?

The FTC reiterates that general principles of advertising law apply online, but new issues arise almost as fast as technology develops, including those concerning space-constrained screens and social media platforms. No one would deny that most organizations intend for all of their advertising to fairly and accurately portray their products and services.

Complying with advertising law within the four corners of a typical print advertisement or within the storyboards of a video advertisement presents a more limited range of challenges. The digital marketing frontier has introduced an infinite number of complex issues, including the more rapid evolution and retirement of technology hardware and software platforms. For example, many of us have become familiar with the rise of Apple and Android apps, even as app makers have decreased or eliminated the creation of BlackBerry apps.

Against this backdrop, the FTC places the burden of understanding and complying with the technological limitations of burgeoning online and mobile platforms upon the advertiser. Compliance monitoring and periodic internal audits should be embedded into your social media risk management strategy.

The major takeaways from this revised guidance as they apply to social media are:
· The FTC Act’s prohibition on “unfair or deceptive acts or practices” encompasses online advertising, marketing, and sales.
· Required disclosures must be clear and conspicuous.
· If an ad is viewable on a particular device or platform, any necessary disclosures should be sufficient to prevent the ad from being misleading when viewed on that particular device or platform.
· If a particular platform does not provide an opportunity to make clear and conspicuous disclosures, then that platform should not be used to disseminate advertisements that require disclosures.

The prescriptive and restrictive nature of the FTC’s guidance requires advertisers to develop and test advertisements across the rapidly-evolving landscape of mobile devices, including tablets and smartphones. Ignorance of emerging technologies will provide no corporate defense to an FTC-initiated action in light of the explicit expectations expressed in the March 2013 guidelines.

The guidelines are well-written and provide a robust appendix of sample advertisement do’s and don’ts. But social media strategists will need to maintain a constant technological vigilance as new web-enabled technologies come to market. Otherwise, don’t be surprised if you receive a “Friend Request” from a new friend at the Federal Trade Commission and learn an entirely new definition of “clear, conspicuous, and proximate”.