I continue this week’s exploration of how to more effectively operationalize your compliance program. Yesterday, I wrote about forecasting to more fully burn compliance into the fabric of your organization. Today I want to expand out and discuss operationalizing your compliance program through the entire risk management process.
Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is an important key step as it will allow you to have full visibility of your compliance risks through a longer lifecycle. Forecasting allows you to consider your business strategy and wed the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor both the compliance risks you detect and those you do not know about, on an ongoing basis.
I think there are several key lessons to be considered by any CCO or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment as articulated by Hallmark Four of the Ten Hallmarks of an Effective Compliance Program. From the 2012 FCPA Guidance, the DOJ and SEC said, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” In addition to this business case, the 2012 FCPA Guidance also specified the enforcement reasons for performing a risk assessment, “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.”
As compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not as simply a legal requirement but a business process. Seen in this light, it is clear the risk management process should begin with forecasting as it attempts to estimate future aspects of your business.
By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict for or issues which the forecasting model raised as a potential outcome which warranted a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks.
Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Ben Locwin has noted, “Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.”
These three tools tie back into process management and process improvement. Locwin has said, “There’s always this balance between what’s actually important for our business or for proper execution, versus what’s actually going on in the whole process. If you’re not measuring at a high enough resolution, you’re not capturing a lot of the environmental, market force, external factors that probably are of high leverage to your operations in business that you just don’t know about.”
This is the point that former Department of Justice compliance counsel Hui Chen has emphasized which is how did you utilize the data going forward. By incorporating the results of your risk-based monitoring back into your risk management process you can have more precise forecasting and then more focused risk assessment. This feedback loop is critical for ongoing improvement in your compliance regime.
Locwin ties them together, “There’s a 30% chance of this abject market failure happening, this product fails, this restaurant site contaminates people, this product doesn’t ship before Christmas, this phone explodes.” If you knew that in advance, the executive committee probably almost everywhere would say, “We have to act, and act now.” That’s where the rubber meets the road and you’ve got to forecast and have a contingency in place. A lot of times, there isn’t that level of forecasting done in advance to say, “We think there’s this 30% chance of it occurring, therefore not only do we need a strong contingency plan, but we should expect to have to use it in Quarter 2. It’s right there sitting on everybody’s dashboard all the time.”
In other words, it comes down to execution. This means you must use the risk management tools available to you and when a situation arises, you remediate when required. This is not only where the rubber hits the road but the information and data you garner in the execution phase should be fed back into the process loop. From this, you will develop continuous feedback and continuous improvement.
I have gone through this in some detail to emphasize the business process nature that compliance has evolved into as a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and at the end of the day, more profitably. The more you can bring these types of insight to a CEO, the more you can demonstrate how compliance adds to the bottom line and is not simply a cost center.
The full risk management process can act as part of your ongoing monitoring process in a best practices compliance program.Click to tweet
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2018