We talk all the time on this blog about how corporate compliance works. Today we’re going to take a step back and answer the most fundamental question of all: What is corporate compliance, and how does it impact business?
In the broadest definition, corporate compliance is the ability to lead large groups of people toward achieving certain standards of conduct. You have a body of people somehow affiliated with one enterprise (the “corporate” part) who must obey certain rules (the “compliance” part).
That’s it, really.
Sure, we can refine that broad idea into several more precise definitions; and we should explore what goes into those individual “corporate” and “compliance” parts because a lot goes into each one but always keep in mind the basic concept of leading people to behave in certain ways. Everything about corporate compliance can be summarized in those seven words.
Now let’s deconstruct that concept into more precise components, and examine each one.
Difference Between External and Internal Compliance
The most common perception of corporate compliance is compliance with regulations—the laws, rules, and other regulations from a government that spell out how an organization should conduct itself. We can call that external compliance.
For example, all publicly traded businesses must publish quarterly financial statements; those statements must include certain financial data, calculated according to certain financial standards. Another example: no company can bribe officials of foreign governments to win business; that violates the Foreign Corrupt Practices Act (FCPA). Or, any company that loses the personal information of customers who are EU citizens must disclose that breach within 72 hours, according to the General Data Protection Regulation (GDPR).
Those laws don’t care how a business complies with the law, so long as the company does. So compliance officers will design compliance programs to develop the “how” part. Then employees must comply with those internal policies and procedures. We can call that internal compliance.
For example, the FCPA prohibits bribing foreign government officials as we mentioned. So companies develop internal policies for employees that, say, forbid paying for luxurious travel for foreign officials, or donating to charities that those officials operate. Then companies develop procedures for submitting expense reports to identify any suspicious payments employees might be trying to make anyway. All of that is still a compliance exercise, even though the FCPA doesn’t dictate any of those details.
Different Types of Compliance Risks
The point of compliance programs is to reduce the company’s compliance risk — the potential for regulatory enforcement or other financial losses because the company isn’t in compliance with laws or regulations.
We can define compliance risks in several ways.
First, we can define compliance risk by subject. Regulators enact rules to address all sorts of subjects, and companies need compliance programs to address those issues somehow. The main compliance risks include:
- Corruption: companies must work to prevent bribery, bid-rigging, and other improper business practices.
- Reporting: companies may need to file financial statements, liquidity data, and other reports to regulators, at required times and in specified formats.
- Data Protection: companies must try to keep customer and employee personal data secure, and disclose any breaches of privacy according to various deadlines.
- Environmental, Health, and Safety: companies need to obey rules for environmental pollution, worker safety, and related issues.
- Employment: companies need to maintain ethical workplace practices, including wage-and-hour issues, anti-discrimination, anti-harassment, and more.
We can also define compliance risk by capability. That is, every compliance program first needs to understand what its regulatory obligations are—which is not always easy. Especially for global corporations, regulations change constantly, and even the task of knowing which regulations exist and apply to your firm can be challenging.
And when companies do know which regulations apply to them, there’s also the risk that your compliance program can’t meet those requirements. For example, your due diligence program may overlook too many third parties, or your HR department doesn’t collect sufficient data to study pay equity across gender or race.
All of that is part of the compliance risk that a company’s compliance program must address: knowing which regulatory requirements apply to your organization, and knowing how well the company is (or is not) poised to meet them.
How to Maintain Corporate Compliance
Compliance officers can maintain corporate compliance through several means.
First, as mentioned above, companies need to adopt policies and procedures to fulfill their regulatory obligations. Those policies need to relate to what the regulations want a company to do, and the procedures need to reflect how employees actually go about their daily routines.
Second, companies need to manage their compliance programs—that is, to assess their performance at regular intervals, to be sure the program works well. That can involve testing controls, auditing employees’ adherence to policy and procedure, reviewing reports, and more.
Third, compliance officers need to perform risk assessments at regular intervals, too. Assessments can include a review of which regulations do or don’t apply to the company given its business activities, and how well the company’s compliance program works given all those regulatory requirements.
How Corporate Compliance Impacts Businesses
First, compliance can keep a company on the right side of the law. Even when a company does violate the rules (which is bound to happen eventually), the existence of a compliance program will demonstrate to regulators and prosecutors that the company is trying to do the right thing. That can lead to shorter investigations, smaller regulatory fines (or no fines at all), and fewer company resources spent responding to regulators’ inquiries.
Second, compliance can preserve a company’s reputation. The arrival of social media has brought about two things: unparalleled visibility into a company’s operations; and the new ability for others to hold companies accountable for their mistakes. Together, those forces mean that companies can suffer brutal consequences for misconduct—bad headlines, consumer boycotts, business partners canceling contracts, and more.
An effective compliance program reduces the risk of those outcomes. Corporate compliance can improve a company’s ethical posture, which has all sorts of benefits beyond avoiding regulatory punishments.
Third, and to that point, compliance can make a company a better competitor in the marketplace. A company with strong compliance makes fewer mistakes and therefore is distracted less often with fixing those mistakes. A strong compliance program can also help a company identify emerging risks earlier, which gives it more time to respond.
Above all, effective compliance programs make your business a more attractive partner to other businesses. Remember: we are all someone else’s third party. The more effective our ethics and compliance is, the less of a risk we are to others.
So as challenging as compliance may be—when done well, compliance becomes a massive strategic advantage.