I am in the middle of a three-part series on how to more fully operationalize your compliance program. I am joined in this exploration by Ben Locwin. Yesterday, we considered how we how embedding compliance as a key component to the business equation of operationalizing compliance. Today we discuss why prevention is a better solution than correction and how to operationalize compliance down to the staff level.
Why Prevention Beats Correction 100% of the Time
Every compliance practitioner knows the three prongs, prevent, detect and remediate,of a best practices compliance program.The detect prong is simply a system in place that will pick up a violation should it occur. However, many companies have found that by moving to prevention or even prescription mode to stop something before it becomes an internal controls violation or even worse, a legal violation, it is much more cost effective. Locwin extends that concept out further with his thoughts that prevention is always better than correction, which he labeled the CAPA process, which stands for Corrective Action, Preventative Action.
This is the situation whereby the installation of a preventive action makes an event almost impossible to occur or reoccur. You really want to get to the point where you have better processes and systems in place which essentially design out or prevent the problems. The best way to go about engineering a solution would be to take the human out of the equation entirely. Locwin explained, “the next best step would be to say, if we’ve got a system where someone’s inputting expense reports or financial calculus, they cannot move forward with the documentation until the calculations have been verified internally in the system. This prevents errors within the program that get shifted on to somebody else, which may be missed by the human eye.” This is an example of designing out problems as prevention. Locwin said, “This beats correction anytime you can have a system or a process that makes it so difficult to do something incorrectly, the higher your likelihood of doing things properly, which then means you’ve brought compliance to a point of really at the operational level, things are less likely to go wrong.” This is compliance operationalized down to a level at the front line.
Locwin cited to the Hawthorne Effect, which is a famous psychological study that showed employees change their behavior when they are being watched. The result was the more scrutiny put on the employees, the more they are going to behave as they normally would. This is an effect of stop and thinkinternal controls, such as making employees attest to their expense account reimbursement requests. Another way to put it is make it hard to do the wrong thing, easy to do the right thing. Locwin agreed with that formulation stating, “The more you can have the systems and processes do the right thing, the more that you are able to proscribe what the right answer looks like. This in turn prescribes how employees function and presents a higher likelihood of things going the right way.”
Locwin concluded by providing a prescient and relevant example of such a control (and near and dear to my heart). Newer ATM machines require you to remove your card before you can access cash you may have withdrawn. This prevents customers from taking their money and driving off. Having made this mistake more than once, I certainly appreciate the corrective action built into ATMs. But this action not only benefits the customer but also makes the bank more efficient as it does not have to replace as many debit cards. A win for everyone.
Operationalizing Compliance to the Staff Level
Next, we consider operationalizing compliance at the staff level so that everyone in the organization is a part of compliance. This is important on several fronts, beginning with the regulatory arena where the Department of Justice (DOJ) has made clear they expect more operationalized compliance. However, in moving to the corporate compliance response, it is clear that by operationalizing compliance, you make it more efficient and can drive a higher return on the investment in compliance.
Locwin believes that until you fully operationalize compliance, you are constantly fighting fires. By operationalizing compliance down to the staff level, it drives the accountability for the problem solving down to the front lines of an organization. Properly designed, an operationalized compliance program has the ability to detect issues and then have the response for dealing with them and not simply passing them along to the next step. If you can get to a position where everyone in the organization feels a responsibility for compliance, this is the place should strive to achieve. Moreover, when accountability is driven down to the staff level, it is a force multiplier for the compliance office. I have come to more fully appreciate that accountability can be driven down from a service function such as compliance to a sales component so that even if you are selling services, the accountability is still a present.
Locwin pointed to Swarm Theory to support this proposition. Under this entomology, is the concept of the hive mind. It explains how to bees know what to do, as far as work is concerned. Using Principles of Swarm Theory, one can research how collaborative insects function and arrange their work under different environmental stressors and obstacles. He pointed, for example, to “companies like DHL and UPS to determine optimum outcomes for very large arrays of activities, routes, traffic delays and so on.”
Locwin then applied it to the compliance perspective, which he believes is really at the pinnacle of thinking. “If everyone’s trained, given the tools and expected to detect and identify and either resolve or escalate the compliance issues, it’s very difficult to have even a single compliance issue slip through the cracks. In terms of operationalize, I would say empower the employees with training on what’s expected, then give them the means to pick out mistakes and misconduct within the organization on their own. They will get exceedingly good at it and make the entire compliance process more robust. I think instead it’s really a force multiplier for the compliance officer to do his or her job better.”
This is the same concept articulated by Liz Wiseman in her book Multipliers but applied to a wider group and not individual leadership. By moving compliance down to a staff function or closer to the front lines of your organization it is closer to the business unit level. You have the opportunity to really address a problem before it becomes a violation of internal company policy or a legal violation. Further, it multiplies the power of compliance, but it also works to lessen the issue before it becomes a full blown legal problem.
Locwin concluded by noting you can use this concept in the areas of Artificial Intelligence (AI) and big data. By moving that same strategy down to the staff level, it makes the compliance function at the top even more important, but, more importantly, “more efficient because you’re truly only then engaging that compliance professional for the true anomaly that can’t be fixed, that can’t be remedied, that cannot be corrected at the staff level.” And you have a subject matter expert who, when the anomaly does appear, can step in with a much more encompassing holistic compliance solution that may even be companywide.
Tomorrow I conclude this series by discussing the Holy Grail of compliance; calculating a (positive) return on investment (ROI) for your compliance program.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at email@example.com.
© Thomas R. Fox, 2018