The annals of corporate compliance are filled with terms of art. “Whistleblower hotline,” “policies and procedures,” “risk-based approach,” and many more — we use those phrases all the time, as verbal shorthand for much more nuanced ideas.
Perhaps none of those terms, however, are as common and important as this one: a “robust corporate compliance program.”
Well, what does that phrase actually mean? Of all the adjectives in the world, why is robust such an important thing for your compliance program to be?
Let’s begin at the dictionary. Merriam-Webster’s first definition of robust is “having or exhibiting strength or vigorous health.” That’s not wrong; most people would use words like strength, vigor, or health to define “robust” if you asked them.
For a compliance officer’s purpose, however, a more apt definition might be the secondary meaning of the word: “capable of performing without failure under a wide range of conditions.”
That’s what compliance officers need to achieve.
The “without failure” part is a bit misleading; no compliance program will be flawless and foolproof at all times. Rather, a robust compliance program delivers reasonable, risk-based assurance of regulatory compliance at all times, under a wide range of conditions.
So what becomes important for success, if that’s the standard a robust compliance program should meet? Several priorities come to mind.
1. A Commitment to Ethical Culture
First, a strong commitment to ethical culture is essential because the widest range of conditions comes from the people working within your enterprise. As new employees arrive, or existing employees take new roles, they need to understand that commitment to ethical conduct is a constant at the organization, not a variable.
That could mean anything from strong, clear statements about ethics by senior leadership to training materials that discuss ethics and values as well as policy and procedure. Regardless, a robust compliance program works to keep employees ethically aware, no matter what they do on any particular day.
2. Effective Risk Assessments
To achieve a robust program you will also need to execute effective risk assessments, since that’s the exercise that tells a compliance officer what conditions have changed. Capability in risk assessment includes keeping abreast of new regulations, being aware of new systems or processes that other business functions launch, and even tracking changes in market strategy that senior leaders want to pursue.
3. Procedures That Work
Next, procedures that actually work drive robust programs. Notice that we didn’t say “policies and procedures” here: some of the worst compliance failures in history came from companies with great policies; the companies simply lacked the will or ability to execute procedures that enforced those policies.
What procedures matter most? Due diligence, of course; also access controls, investigation protocols, disciplinary measures, and more. Compliance officers can never forget that what matters is an ability to get things done, just as much as a clear vision of what to do.
4. Measurement and Documentation
Finally, measurement and documentation will help you build a robust program. Measurement helps you assess how well your program is working, as conditions change from one state to another. At any moment, your program probably works better in some ways than in others. Compliance officers need a way to identify those performance gaps (measurement), and then plan what should happen next to address those gaps, if anything at all (documentation).
Fundamentally, the Justice Department, other regulators, business partners, consumers, shareholders — they don’t dwell on the structure of the compliance program. They dwell on whether the program reduces the risk of misconduct or non-compliance.
Meanwhile, your compliance program exists as part of a larger corporate enterprise, and the conditions of that enterprise change constantly. Every business launches new products, adopts new IT systems, expands into new markets. Every business increases its budget sometimes and trims it at other times.
Those are conditions a compliance program must weather, week after week. If your compliance program can do this effectively, then you can call it robust.