Over this three-part series, I will be visiting with Ben Locwin on how to more fully operationalize your compliance program. In Part I, we consider how embedding compliance as a key component of the business equation and the role of forecasting can aide in operationalizing compliance. 

The Benefits of Embedding Compliance

It all begins with setting up a process which is fully documented and is fully auditable. While many businesses will use their first available dollars on Research and Development (R&D), new product or service offerings, QA/QC or a similar exercise, I believe that by operationalizing compliance you can achieve many significant stakeholder goals. This is short-sighted as many compliance issues can grind businesses to a halt as expeditiously as a safety hazard or on-site workplace injury. However, the landscape is changing from traditional and omni-present corporate scandals to more cross-cultural movements such as #MeToo. Now the unfortunate thing about this reality is that the landscape is unlikely to change unless we, the participants and practitioners of this, make the change.

Locwin drove the point closer to home when he related the all-too-often story about the homeowner who purchases flood insurance after a hurricane hits his hometown. Yet the insurance industry exists in order to  insulate yourself from risk. Yet the all too human reaction of waiting until after the event to purchase the insurance to protect you from the event is  absolutely contrary to the whole notion of how insurance works. Locwin noted this is the same for a compliance program. If you are not operationalizing compliance and making it a key part of the business equation you are simply planning to fail. On “average there will be a compliance gap of note, whether it’s relatively small or absolutely critical, there’s something that’s going to happen and making compliance non-discretionary prevents these issues from rearing their heads.”

On the practical level, Locwin believes you need to move compliance down into all the levels of the organization; from the lowest levels to the highest levels and across all the verticals. This provides the compliance function with its greatest visibility and impact because if you do embed compliance,  you will see a lot of different things coming from different levels in the organization. This will work to expand the reach of your compliance function so compliance is not just the job of a Chief Compliance Officer (CCO) or just a handful of people in the corporate office trying to scan across the business, which may operate in many countries.

Embedding compliance acts as a key means to expand the reach of your program in other ways as well. Locwin stated, “detectability is one of the key problems within compliance. You simply cannot possibly detect all of the issues you need to know about and be aware of from the corporate office. For multinational companies, there is a great likelihood that many of the things that are potentially going wrong do not have adequate detectability. By embedding compliance across all the functions and down into the levels, it provides you, the CCO, with a mechanism where you are able to uncover issues when they happen and hopefully earlier than you ever would have uncovered them before.”

Another reason for embedding compliance is the professional backgrounds of many compliance professionals, who came out of the General Counsel’s office. While their training was legal, it did not focus on the more quantitative components of business processes. By embedding compliance at the operational level, you can draw on not only the process experience of your front-line troops but also quantitative nature of your sales team. Your front-line people not only do compliance, but by embedding it makes their business processes more efficient. This can be a key part of the business equation of operationalizing compliance not only embedded but actually a business positive for the organization.

Locwin agreed, noting that in addition to the corporate office not having the “bandwidth to be able to see everything that needs to be seen and uncover everything that needs to be uncovered, after you embed the process closer to the front line of the business and you train those persons in doing compliance; the entire process will become more efficient.” Embedding compliance allows the front lines of an organization to assess and manage risks more closely and take the information from risk-based monitoring and loop it back into your compliance process. I have found that by embedding compliance more closely to the business frontline, you actually have the ability to be more agile and nimble to manage risk more efficiently at the end of the day.

The Role of Forecasting in Operationalizing Compliance

Most compliance practitioners understand the roles of risk assessments and risk-based monitoring in a holistic risk management strategy. However, they often miss the first prong of the three parts, forecasting. Moreover, without forecasting it can be difficult to more fully operationalize your compliance program.

Dwight Eisenhower once said, “Planning is everything, in the plan is nothing.” The verb of planning is the important aspect full of cognitive horsepower, the piece of paper with a plan on it. The problem is that not everyone can take the paper plan and operationalize it to make it do what it was designed to do, but all the people in the planning session who sweated the details could explain the context of the risk they are seeking to manage. The intersection of planning as a verb and forecasting is assessing certain events which may well occur and continuously adjust your plan.

Locwin believes the reason forecasting is so important is because forecasting identifies events which are likely to occur in the business environment and this can be in the next couple of weeks, month, quarter, year or further down the road. It is important to realize that forecasting is not 100% accurate because if it was, we could call it prediction. Locwin stated, “I think it’s important to realize that when we do strategic planning, we should not come at it from a point of saying we can’t possibly know what’s going to happen next month, so therefore I don’t have any sort of plan in place.”

The forecasting process should start with what Simon Sinek, author of “Start With Why.” This means you need to first understand what it is you are trying to solve. According to Locwin, you should “come at it from a perspective of we’re looking to detect, find, solve, de-risk the organization in the following areas.” Data inputs and metrics at this point are obviously useful as well as a second set of eyes from a third party not associated with the forecasting team.

The Department of Justice (DOJ), in its Evaluation of Corporate Compliance Programs (Evaluation), emphasized the need for a feedback loop of information throughout the risk management process. This means that after forecasting and risk assessment comes risk-based monitoring and the information secured should be looped back into your forecasting to update and refresh it. The quicker you can get real time information and feed it back through this loop, the better. Locwin stated, “The idea is the faster you can accelerate a current state results back into the process to say “let’s course correct now” the less of a lag time there is, the more likely you are to have an important and meaningful impact on future iterations of the process design and what you’re detecting.”

It is the final component, the feedback loop, which the regulators are placing greater focus on. Yet through this feedback loop, you not only more fully operationalize your compliance program but make it more efficient, moving from detect to prevent to prescriptive. From the process perspective, Locwin said, “I think the most important feature there is make sure you have accurate and timely data which you are feeding back into the process as quickly as possible so that you can keep up with the ever-changing external environment. If you need to change the process, the sooner you know you need to change it, the more quickly and effectively can make those changes.” This means that if you are not making the changes in a timely way there is the potential for higher risks to the organization.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018