Welcome to Episode 7 of Compliance Man Goes Global podcast of FCPA Compliance Report International Edition. In this episode, we focus on typical mistakes, which Compliance professionals do sometimes make in their roles and programs. We will explore this matter in a plain language and in the simple game form. Moreover, to make the podcast and text more appealing, will also illustrate today’s episode with an illustration from the Compliance Man illustrated series, created by Timur Khasanov-Batirov.
For those of our listeners who are not aware about our format, in each podcast, we take two typical concepts or more accurately misconceptions from in-house compliance reality. We check out if these concepts work in emerging jurisdictions. For each podcast, we divide roles with Timur, a 17-year compliance practitioner who focuses on embedding compliance programs in emerging and high-risk markets. One of us will advocate the concept identifying pros. The second compliance man will provide arguments finding cons and trying to convince audience that that we face a pure myth. As a result, we hopefully will be able to come up with some practical solutions for in-house compliance practitioners.
Tom: OK, Tim, let’s get started.
Myth #1 There is no practical way to improve Compliance program. This is just a fancy and useless statement. In corporate practice, it is just unreal. Tim, is it a mistaken position?
Tim Khasanov-Batirov: I believe it is a huge mistake:
As corporate business processes change, from time to time respective adjustments in the policies should be reflected. Thus, if this mere fact is ignored efficiency of compliance controls is getting less or in the worst-case scenario, the control mechanism becomes obsolete.
There is a classical view that Internal Audit could help a lot in improving the corporate compliance program. I fully share this position. Having said that I would also strongly recommend traditionally Compliance professionals finding common language with business leadership in order to promptly fine tune controls for existing processes and set new ones for brand new business processes.
Tom: I think, Tim that there are some cons here as well:
While the DOJ’s 10 Hallmarks of the Effective Compliance Program makes clear a ‘check-the-box’ compliance program is insufficient. It provides for monitoring and continuous improvement as vital to avoid “paper” improvements that do not address real risks. In a poorly constructed compliance program, the company is just imitating attempt to tackle the improvements box in the checklist so to say.
The second thing is about more advanced matters. It is about operationalizing and measurement of the compliance program improvement’s efficiency. Good dialogue with business on how to implement, measure and make changes to the program effective is a key to success.
Tim: Tom, I agree with you.
Tom: OK, Tim. We can formulate the next concept or maybe misconception in the following way:
Myth #2. As compliance practitioners, we should draft and amend exclusively compliance policies. The list of such policies is well known and is exhaustive like code of ethics, gifts policies and alike. There is no need spare time for reviewing corporate policies beyond our Compliance Policies List. Tim, will you agree with this concept?
Tim: I strongly disagree with this concept.
In my view, a red flags approach should be deployed. You should have a set of compliance red flags, which are duly allocated among risky business processes. Than you insert Compliance controls in the policies, which govern those risky processes. More generally, Compliance professional should pay attention to the core of the process not just a formal side. It is not about technical finding hashtag Compliance (which might not even exist in corporate jargon of particular organization), but about embedding Compliance controls in policies which regulate risky areas. We have depicted this situation in the attached issue of the Compliance Man illustrated series.
What are your views, Tom?
Tom: I agree with you, Tim. In the same time, there are some pros to support Compliance policies approach.
The list of Compliance policies or more generally Compliance policies approach could be used as a single point of reference avoiding situation when personnel need to look into various corporate documents. For instance, when we talk about gifts the rules are universal across the organization. Consequently, you just want to have a single Gifts policy rather than many operational procedures, which would repeat the very same rule in every document.
For organizations where the control environment is not yet mature, it is advisable to deploy Compliance policies approach to form a basis for further enhancements. Another benefit of such approach is that you can easily add missing policy as KYC for instance or amend the current policy without necessity to change various corporate procedures.
Tim: Agreed, Tom. As key takeaways from today discussion, I think we can mention the following:
- No matter what approach organization chooses in policy making the implemented set of Compliance controls should tackle key risks.
Tom: Fair enough, Tim. It looks to be a practical tip. Tom Fox and Tim Khasanov-Batirov were here for you.
Join us for the next episode of Compliance Man Go Global episode of FCPA Compliance Report International Edition. Let’s bust more corporate compliance myths with us.