Since Halloween is upon us, let’s talk about ghosts that haunt your compliance program.
Ghosts are supposed to be spectral things — definitely there, visible to the eye; but lacking physical form. They also tend to haunt the same area time and again. They linger. They unnerve.
Compliance programs have ghosts of their own: wisps of bad practice that hover around the organization, cropping up time and again. A compliance officer sees them and can’t help but think, “This again? Didn’t we solve this?”
For example, failure to talk about corporate ethical values haunts many companies. The problem isn’t so much that senior leaders disapprove of ethical values or dismiss their importance. Rather, they don’t mention ethical values often enough, as the backdrop to whatever business questions occupy the organization at the moment.
Corporate executives might talk up the importance of ethical business practices for specific risks that arise: moving from “we don’t pay bribes” one year, to “vet all our third parties for human trafficking risk” the next, to “no workplace bullying” the year after that.
Those are all good steps to take, but they respond to events and circumstances. They can lead to “compliance program accretion” as one new policy is added after the next. Lurking in the shadows is that ghost between them all: not making ethical business practices part of the daily conversation nearly as much as it should be.
Another ghost is relying on uniform due diligence, rather than risk-based due diligence. Too many companies still do it, applying one standard of due diligence to all third parties.
Sometimes I almost can’t blame them, since risk-based due diligence can be hard. Even if you automate much of the work (which companies should), weighing the risk factors requires judgment. Judgment can be tricky, involving different people within your organization (sales, compliance, legal, security, more) who might not always agree on how much risk exists and how much due diligence is proper.
So sure, relying on uniform due diligence standards might seem like a short-cut through that frustration — especially if the organization is moving into new markets where risk-based due diligence might be hard to define. Hence this ghost either crops up from time to time; or if you still haven’t built a modern due diligence program, it’s a ghost that lingers.
Chase it away. Uniform due diligence leads to under-compliance, where you miss important third-party risks; or over-compliance, where you devote time and resources to a third-party risk that isn’t there. Neither practice serves you well.
Then there’s the ghost of incomplete or inaccurate reports. And the better corporate governance and compliance relies on analysis of data in the future, the scarier this ghost will become.
Inaccurate reports are foremost a technology problem: if you ask employees or third parties to submit data on spreadsheets, you always run the risk of false data, old data, missing spreadsheets, and the like. So as much as possible, companies should move to systems that drive people to submit data into GRC software. The fewer spreadsheets your data collection processes need to generate, the better.
Incomplete reports, however, are also partly due to weak policy and procedure: employees slacking off their internal reporting duties. You can ward off that ghost with training and exhortations from management, plus the occasional subtle threat — perhaps tying compensation to fulfilling compliance duties, or blocking access to certain systems if the employee doesn’t respond to reporting duties promptly.
Good luck. Now that we’re in budgeting season for 2019, sprinkle yourself with holy water and push for the resources to dispel these ghosts for good.