Audit, Compliance & Ethics professionals are not generally known for settling for
mediocrity or resting upon their laurels. We spend our careers focused upon
identifying, documenting, and mitigating risks. We employ people, systems, and
procedures to comply faithfully with laws, regulations, and corporate policies.
After decades of building and reporting on our detailed processes, we may
confidently declare to our colleagues that we are operating best-in-class
audit, compliance and ethics programs.

But every once in a while we get a reminder that our compliance management program may
require a little refreshment. Like a well-intentioned home gym gathering dust
in the corner of your basement, your program becomes increasingly less relevant
when it is not subjected to frequent and ongoing maintenance. When I am
speaking with colleagues about this topic, I hear two consistent
themes emerge: (1) we developed a state-of-the-art program back in 19xx, and
then we got busy as the organization grew; or (2) we thought that [insert
department or title] was watching over that part of the program and keeping it
updated. “Best-in-class” became diluted by other competing priorities until it
came to rest at “good enough” to keep the organization out of trouble with the
board, the auditors, and the regulators.

Then the other shoe drops. At one time or another many of us will be faced with the
realization that our compliance program has developed cobwebs. Perhaps you can
recall a moment of truth…a request from a board member in light of a recent
penalty received by a competitor?…a finding in an internal audit report?…an
observation made by a prudential regulator? Regardless of the source, having to
admit that maintaining the currency and accuracy of our program may have lagged
as a priority is an uncomfortable spot to find ourselves in. In the words of
President Harry S. Truman, “The buck stops here,” when you’re the Chief
Compliance Officer.

Your CEO and your board do not want to hear how busy you’ve been overseeing the increasingly
complex regulatory compliance environment. If that is your best response when
cracks in your program have been publicized, then you had better clean out your
office to make way for your successor who will be up to the task. No, if you
find yourself having to admit you’ve neglected the care and feeding of your
compliance management program, then you will be well advised to also come armed
with your contingency plan to remediate your program gaps and a schedule of
ongoing review and updating that will take place thereafter.

Before it gets to the point of asking for that mea culpa from your board, CEO, and
regulator, perhaps it would be easier to gather the team, risk-rank elements of
the compliance management program, and schedule a review of each element. While
this may be a bit time-consuming in the initial phase, each subsequent periodic
review should be shorter, especially if also paired with an ongoing monitoring
of emerging legislation, regulation, and policy changes.

We’ve spent our entire careers getting out in front of the risks. Maybe we became
complacent. Let’s return to the basics and declare boldly that “good enough”
just isn’t good enough anymore.