We’ve had numerous posts in our Compliance 101 series exploring how corporate compliance programs can succeed, including What is the Purpose of a Corporate Compliance Program? and 4 Things to Prioritize If You Want a Robust Compliance Program. Today, however, let’s look at the flip side of the coin—reasons why compliance programs fail.
First, we should define what failure means for corporate compliance since compliance programs have so many moving parts. Your program might fail at specific tasks, such as automated monitoring of third parties or timely reporting of issues — but that only means your program is ineffective at certain things.
Failure of the whole compliance program is something larger, with different causes. We can define “compliance program failure” as persistent shortcomings across a range of tasks, despite repeated attempts to remedy those shortcomings.
For better or worse, those failures happen too. Why?
1. Lack of executive support
The plain truth is that if the board and senior management don’t take corporate compliance seriously, your program is bound to fail. The executive management team dictates corporate culture in numerous ways, from the behaviors they display that others emulate, to messages they communicate to the workforce, even to the compensation plans they design that encourage employees to strive for some objectives more than others.
If executive support for compliance is weak, nobody else will take the compliance function seriously either. Employees might follow your requests so long as those requests aren’t a burden, but as soon as striving for compliance does intrude on their “real” jobs, they won’t. Senior executives must show and tell them that strong ethics and compliance matter.
Now, even with executive buy-in, a compliance officer might still have a corporate culture that’s not interested in ethics and compliance — but that’s a challenge you can address, with enough planning and collective will among senior executives. When senior executives and the board don’t want to embrace compliance, you may want to reconsider your commitment to the firm.
2. Ineffective use of technology
At this point, all organizations use technology to further the compliance program somehow. The real question is whether you are using technology effectively.
For example, still relying on spreadsheets to document due diligence, or on memos posted to a shared drive for policy management, is not wise. Spreadsheets can be wrong and Word documents can be edited. Both can be overlooked, outdated, or misplaced.
Those are just two simple examples of how poor use of technology leads to poor visibility into corporate activity. Once the compliance program loses sight of how the business is really working (or never gains that insight in the first place), your risk assessments start leading to wrong conclusions. Frankly, why wouldn’t they? You don’t know what’s going on.
Wrong conclusions about risk lead to wrong judgments about how to respond to risk: policies not updated, the wrong controls tested, misconduct not disclosed, investigations out of scope. Those bad actions all spring from a flawed understanding of the company’s true risk profile; and that misunderstanding springs from an inability to keep pace with what the company is actually doing.
At the modern global corporation, only good technology, wisely configured, can do that.
3. Responding improperly to complaints
The compliance program asks employees to do things: change their work practices, follow higher standards of conduct, report suspicions of wrongdoing. Ideally, they will try to do all those things—which implicitly means that the compliance program needs a capability to respond to employees (and third parties) when they need help in those efforts.
One obvious example: compliance functions need to be able to respond to people who report suspected misconduct. Various studies have shown employees are willing to wait a few weeks for a response or might try submitting a complaint twice before giving up. Regardless of the specifics, employees are trying to interact with you. You need to interact with them back.
Sometimes those responses will be part of running the compliance program, such as investigating complaints. Other times the responses will be part of designing the program, such as involving employees when developing new policies or procedures that might affect their workflows.
Employees, and all people generally, need to feel like they are being heard. Which brings us to…
4. Overlooking employee engagement
This mistake is a sibling to the one above. Not only does the compliance program need to respond to employees wisely; it needs to engage with them wisely even before the compliance program is truly up and running.
You may have seen the mess that can happen otherwise. A new compliance officer toils away in his or her office for weeks, developing a program that looks great on paper. Then he or she storms the enterprise, policies and procedures blazing—and everyone either stares silently, or roars back that the program won’t work, or just smiles politely and ignores the CCO. Any executive support the CCO might have had has vanished.
How to have a successful compliance program
Successful compliance programs gain the trust of the workforce—because good compliance can sometimes be a painstaking ordeal, where the CCO asks others to make sacrifices. Those sacrifices are ultimately worth it, but success depends on building alliances, winning support, and working together. Compliance programs fail when the CCO does the opposite.
Remember, failure doesn’t come from poor performance at specific tasks, such as imperfect due diligence or data analytics that isn’t the latest or coolest. Improving performance on those specific tasks is why the compliance program exists.
Compliance programs fail when they don’t engage with the larger organization in a productive manner. It’s about seeing the big picture, and winning support for a better big picture. That’s what makes the compliance program succeed.