We often talk about designing a compliance program that’s proportional to your company’s risks. The concept makes sense, but still strikes me as vague: what, exactly, does a “proportional” compliance program look like?
A better way to frame the idea is in terms of under-compliance or over-compliance. You can easily do too little to manage your compliance risks — or do too much, a point we don’t note often enough. Compliance officers must find the balance that manages risk well and keeps senior executives, business units, and regulators happy.
A great example of the challenge can be found in SOC 2 audits: the reports that companies commission on IT service providers to assess those vendors’ data security controls.
SOC 2 audits can be tailored to assess a wide range of security practices, and they’re derived from five basic “trust principles:” security, availability, processing integrity, confidentiality, and privacy.
Could you commission a SOC 2 report for a data storage provider that addresses all five principles? Sure. But if you never store any personally identifiable information with that vendor, the privacy and processing integrity principles are superfluous; you’re over-compliant, and paying for an audit beyond your needs.
Conversely, if you’re contracting with a payroll processor and omit availability or processing integrity from the SOC 2, you’re under-compliant. That may come back to haunt you with system failures or corrupted payroll results.
We can see similar dynamics in anti-corruption compliance. You don’t need to perform due diligence on every third party, since that would include many with no exposure to foreign governments and no ability to curry their favor. You do need to monitor some third parties aggressively, since their ownership or business models might change frequently, or in hard-to-detect ways.
A compliance officer can start simply by asking: does this employee or third party pose a regulatory risk to the company? If so, what risk? And what are the worst consequences of a “non-compliant” event?
From there you can start to reverse-engineer the policies and controls you need to fit those risks. For example, all employees theoretically can pose harassment or fraud risk, so all employees need at least some training on them. They also need to certify that they’ve read and understood anti-harassment and anti-fraud policies in the Code of Conduct.
Do some employees need more than that? You bet. Finance employees pose a much higher fraud risk, so they need segregation of duties, and the finance function needs regular audits. Senior managers pose higher harassment risk, so they might need policies (such as no dating subordinates) in addition to training.
Likewise with third parties: what risks do they pose, and what is the most cost-effective way to control those risks? For vendors with no history of bribery and no politically exposed persons on staff, working in low-corruption countries, annual certifications that they have read and will follow your anti-corruption policy might suffice. On-site visits and business practice audits, in contrast, might be over-compliance that isn’t necessary for them — but might be vital for others.
Some of this challenge can be automated: due diligence checks, for example, or risk libraries that help you understand what your compliance risks are and when they change due to new regulation.
Above all, however, finding the right level of compliance for your company’s risk is a balancing act. It will take time and practice, and possibly some trial and error, until you get to the right place.