In the scheme of things, corruption, competition, sanctions and data privacy are relatively new areas of compliance.
Many serious compliance programs started in the mid-2000s. A few far-sighted companies were ahead of the game. Some caught up through painful lessons, costing their leaders, their reputations and their profits dearly.
Other companies have stalled, and still haven’t learnt. Their boards will have demanded that compliance is looked after. But management teams often interpret this as having policies in place and saying, “job done”. These are the companies with paper programs.
How to spot them… tell-tale signs
A ‘paper program’ is one with a set of policies unsupported by meaningful actions. You can spot them a mile away. The tell-tale signs are a mass of opinions, but a dearth of facts. A couple of examples…
Opinion: “We have good control over our agents and intermediaries, who have to go through our due diligence policy.”
Opinion: “We train our people and there's a strong compliance culture here.”
The point about both of the above examples is oversight. The policies must demonstrably be alive and implemented. They must be clearly monitored. Better answers would look like this:
Better answer: “We currently have 1574 agents, have classified 57 of them as extreme risk, have completed due diligence on 100% of them and have the following key controls operating over them, with no exceptions.”
Better answer: “We have segmented job roles into risk categories. The 2500 highest-risk people have been trained in the following topics. We have completed tailored training for 87% of the entire employee base. We will reach 100% by date X. Training for external parties in joint ventures and high-risk intermediaries will be undertaken by date Y. This will be repeated on a risk basis every two years. Our ethics survey had a response rate of 78% and confirmed that employees report their concerns and recognise a clear tone at the top.”
If you've been sitting listening to opinions without facts, I've got some bad news: you may not have a compliance program at all. Worse than that, you probably have a trail of documents demonstrating a lack of control.
If the worst happens, opinions will count for nought, no matter how strongly held.
What to do?
The Board of Directors and its Audit Committee have the greatest responsibility in challenging paper programs. Members asking the right questions will make a huge, positive and long-term difference to their companies.
Is it alive?
Ask for the numbers that show a policy is alive and that executives have good oversight.
Ask when the company last took action on a policy, for example by rejecting a business partner for integrity issues.
Think about joint ventures. All of the risks in your own legal entities could be festering in often-forgotten joint ventures.
Is it adequate?
Demand that the administration gives a clear statement on the adequacy and efficiency of the compliance program once per year.
Demand an external review of the adequacy of the compliance program regularly (say, every three years). This can be independent, reporting directly to the board if you feel that is necessary.
Is it well supported?
Go for coffee or lunch with the Chief Compliance Officer. Ensure they have an opportunity to ask you questions and to discuss their work.
Does it also cover the softer sides?
Demand that ethics is part of the program. You can’t stop serious risks like corruption without tackling ethical issues like conflicts of interest.
Request a regular ethics / cultural survey that includes employees’ observations of misconduct and whether they reported it. This data is invaluable.