Laws and regulations are “hard law,” and should be respected as such: to the extent they apply to a company’s particular facts and circumstances, they are mandatory and need to be scrupulously tracked and applied, guided by legal and compliance personnel. Conversely, certain types of standards may be prudent for a company to follow because they represent leading practice with respect to corporate behavior but are essentially voluntary, and are referred to by some as “soft law.” These include topical (e.g. anti-corruption, cybersecurity) or industry (e.g. healthcare, energy) standards, many of which exist to support a particular public policy direction and often represent the collective views of subject-matter experts.
General Counsel (GC) and Chief Compliance Officers (CCO) appropriately focus the company compliance function (Compliance) on hard law, but in so doing sometimes fail to recognize and capitalize upon the external and internal benefits of using soft law.
To use a sports analogy, companies that only follow hard law are essentially playing defense with respect to possible future engagement with external law enforcement or regulators: they’re doing what’s required, and no more. By contrast, companies that respect hard law while also embracing voluntary soft-law standards are playing both defense and offense, and in front of a larger audience: they’re following the letter of the law but are also going above and beyond. They’re communicating externally to the public sector and to private sector company stakeholders that the company has an understanding of, and appreciation for, the public benefits and good business reasons that frequently underlie a given standard.
Internally, by promoting standards, GCs and/or CCOs can give operations a common language and point of alignment while at the same time giving structure to compliance activities. Examples of such standards include: (a) for anti-corruption, the Transparency International Business Principles for Countering Bribery (for a macro approach), the Institute of Internal Auditors “Auditing Anti-Bribery and Anti-Corruption Programs” Practice Guide (for an accounting and program assessment approach), and the forthcoming International Standards Organization (ISO) 37001 Anti-Bribery Management System Standard (for guidance on establishing, implementing, maintaining, and improving an anti-bribery compliance program); and (b) for cybersecurity, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (for a results-based business approach built on recognized information technology (IT) and other business standards and organized around the core functions of Identify, Protect, Detect, Respond, and Recover) and the SANS Institute’s “Critical Security Controls for Effective Cyber Defense” (for a more IT-centric approach).
External and internal engagement around standards may have positive byproducts
This type of external and internal engagement with others around standards may also produce positive byproducts: enhanced trust in the company, its compliance program and those running it. Internal colleagues appreciate the non-legalistic orientation of many of the better standards and value the fact that Compliance supports a standard that focuses on the practical aspects of business operations. To external parties, Compliance’s standards involvement, if conducted appropriately, often results in the view that the company is a good corporate citizen and is trying to do the right thing.
Many thoughtful compliance professionals follow the mantra of “never let a good crisis go to waste,” in terms of bringing sorely needed management support and resources to a corporate compliance program. Similarly, GCs and CCOs should not fail to consider the many advantages that can flow to their company and others from the voluntary adoption of leading practice standards.