In our capacity as Compliance & Ethics professionals, we
are invited daily by business line management to provide guidance on diverse
topics. Because we are managing compliance and ethics across an entire organization,
each topic must be reviewed with multiple internal stakeholder interests in
mind. Externally, we are subject to scrutiny by our customers, our regulators,
our industry, and the press. Thus, no review is undertaken in a theoretical
vacuum, nor is any resulting guidance intended to provide a one-size-fits-all
solution to all similarly situated topics. Business line management doesn’t
always understand those underpinnings when receiving guidance from us.

A frequent question heard by many C&E professionals upon
delivering compliance guidance or an ethics opinion is, “So, is this a requirement…or merely a recommendation?” Management attaches
very different treatment to our response to that question. Requirements may
entail additional cost—whether an opportunity cost of a forgone initiative or a
hard cost like implementing additional information system controls.
Recommendations may at first blush appear to be optional activities that can be
ignored and forgotten. The seasoned C&E professional knows that she must
not leave management with any ambiguity about the risks of alternative future
courses of action. We only add value to our organizations when we can achieve
alignment between management’s risk appetites and our own governance, risk
management and control frameworks.

A little confession here…at the onset of my career as an
internal auditor, I wrote my recommendations as if they were self-evident
edicts born of a brilliant mind. Fortunately I was also paired with managers
and mentors who were equipped to deliver humbling learning opportunities to me,
for which I have been ever grateful. Those formative leaders challenged me to
support my assertions with specific corporate policies, statutes, or
regulations. If my assertion was one supported by a matter less well-defined,
such as fair trade practices or a matter of public policy, then I was urged to
develop recommendations that objectively balanced the strategic interests of
the business with the external interests, so as to allow management to make
fully informed decisions. These distinctions served me well. Perhaps you can
relate to this transformation from your own career path.

Today I continue to improve my craft. I take great care in
drafting compliance memoranda and ethics opinions that ensure
well-substantiated transparency. I employ the word “require” when I seek to
guide management away from the
expedient pitfalls that ultimately lead to reputational loss, fines, lawsuits, or
jail time for corporate officers. I employ the word “recommend” when I seek to
guide management toward actions that
will improve the customer experience; enhance the value of the brand; or reduce
aggregate regulatory risk. To overuse “require” when “recommend” would suffice is
to invite the “Chicken Little” effect and diminish Compliance & Ethics’
effectiveness. To overuse “recommend” when “require” is truly appropriate is to
dilute our own integrity as C&E professionals and ignore our fiduciary duty
to our organizations.

As such, when providing compliance and ethics guidance to
management, I recommend (but do not require) that we choose our words purposefully
and substantiate objectively.