Confession: I am a sucker for New Year’s resolutions. I make several every year, and some (eating salads more often) have even managed to stick the whole 12 months and beyond. Others (reading the NIST framework for cybersecurity) we don’t need to discuss here.
So, what resolutions could compliance officers make in 2019?
First, some ground rules. A good resolution should be tangible and specific: “read one new book every month” rather than “read more often.” It should also require discipline, that (ideally) leads to a better quality of living: “stop eating red meat,” rather than “visit that new vegetarian restaurant down the street.”
So, as we look at the issues and challenges clamoring for a compliance officer’s attention this year, how do those ground rules lead to New Year’s resolutions that can help your compliance program and your career? Consider these three resolutions.
1. Learn more about data integration issues in your enterprise
Compliance officers talk constantly about the importance of bringing operational data into the compliance function so you can analyze it. From that analysis, you can then make important judgments about the company’s compliance risks and understand which policies are or aren’t working.
That all makes sense at an abstract level, but it assumes that other parts of the enterprise already govern their data well. Here in the real world, organizations large and small struggle all the time to groom the data they generate for easy consumption by others. And in this scenario, you’re the other.
Resolve to spend more time with other parts of the enterprise learning about their own data governance issues. Talk with them about the systems they use, the data they generate, the formats that data exists in, and even the spreadsheets they still use. Find better ways to integrate your data systems into theirs, to make your own compliance program more responsive to what’s really going on in the business.
2. Sharpen your arguments for self-disclosure of trouble
If one thing has become clear in the last two years, it’s that the Justice Department will forgive a vast array of FCPA sins if the company discloses, cooperates, and remediates.
That puts two stark choices in front of a company that discovers an FCPA issue. It can disclose the trouble and definitely incur some costs since investigations don’t come cheap. Or it can remain silent and possibly incur more costs if regulators somehow discover the trouble anyway.
Arguing that your company should disclose and take a financial punch because that’s the right thing to do is not necessarily easy. Many companies still won’t do it. But as the public and other stakeholders keep putting a higher premium on the ethical reputation of a company, and as whistleblower risk keeps rising anyway, the ability to make that argument to superiors will become a useful career skill.
Resolve to work on those arguments, with hard data and ethical imperatives alike. Besides, once senior management comes around to the wisdom of disclosing misconduct that has happened, convincing them of investing in ethics and compliance to prevent trouble before it happens gets easier.
3. Improve your ability to monitor third parties
Compliance officers already know that third parties are a huge source of risk and that risk-based due diligence is crucial when onboarding third parties.
In 2019, resolve to work harder at the next challenge: monitoring third parties after they’ve become part of your extended enterprise, so you can detect questionable conduct that happens long after the first due diligence and onboarding are done. Speedy response to new risk is going to be crucial for effective compliance from here forward.
First, you need to ask: what events or circumstances might change that third party’s risk profile, including actions that your own company undertakes? (For example, when employees start asking a long-time third party to provide new services.)
Then you need to ask: how could we detect those changes? Do you need new policies for employees hiring third parties, that they do the monitoring? More disclosure clauses in contracts? More frequent media searches or screenings for politically exposed persons? And how does that information reach the compliance officer, so that you can actually see the red flag that gets raised?
Those are three resolutions you can try in 2019. Even better: none of them involve going to the gym at 6 a.m.