(Want to get articles like this one by email? Here is the sign-up!)
Bad things sometimes happen to good companies. Many Chief Compliance Officers (CCOs) find themselves in the position of having put blood, sweat and tears into creating and operating an objectively sound compliance program, only to find one day that a creative salesperson or agent veered outside prescribed boundaries in a significant way.
The resulting investigation is expensive and time-consuming. Outside counsel, forensic accountants and other professional advisors are involved. Management time is taken up with interviews and status meetings. Employee discipline and/or termination of contractual relationships is necessary. And even in those situations where law enforcement or regulators are not involved, and there is no official determination of “systemic failure”, there is usually the residual feeling at the senior management and board levels that “the incident happened, something went wrong, and that brings the strength of the compliance program into question.”
Experienced CCOs know that one does not want to be at the receiving end of a communication containing that expression of concern. Instead, the CCO should recognize the natural feelings of doubt that flow from a significant incident and preemptively take action. At an appropriate time, s/he should proactively inform senior management and the board that s/he is not going to limit the incident outcome to dealing with the specific compliance violation at hand. A full program assessment and review will also be conducted. The scope will include a root cause analysis to identify and remedy the particular programmatic weaknesses that contributed to the incident. It will also include an overall gap assessment to determine if other compliance program areas need attention, with particular attention to the controls in high compliance risk operational areas. Go straight at the real (and perhaps unstated) issue: how good is our program?
After taking that affirmative step, and as the CCO then steps back to assess the overall situation and to consider how best to conduct the assessment, s/he may reach an interesting and not necessarily intuitive conclusion: this is actually a great time to “make lemonade out of lemons” and to take advantage of the compliance crisis to make positive programmatic changes.
Tactically, there may be new program tools, such as an automated compliance system, or emerging themes, such as the US Department of Justice’s increasing emphases on “building a culture of compliance” and “operationalizing compliance” that did not generate much interest (or funding) when first discussed with the CEO, but that now can be revisited.
It may be that the occurrence of an incident is not a surprise to the CCO; the only surprise is that something didn’t happen sooner – given the low funding levels and limited “tone from the top” management support provided to the compliance function prior to the incident. Strategically, the episode may now provide the necessary impetus for what the CCO has wanted to have done for some time: an independent assessment of the program by a qualified third party. The findings and recommendations of such a firm, on top of the incident, will be harder for management to discount or dismiss than the CCO’s prior communications about needed program changes and improvements.
Significant compliance events will absolutely get the attention of decision-makers (including those who control the purse strings) at a company. And that focus, if creatively leveraged by the CCO, can result in positive changes for the program. Never let a good compliance incident go to waste!