The Monday afternoon keynote speech by Hui Chen at Compliance Week 2019 was one of the most significant speeches I have heard recently. I thought Chen’s keynote speech summed up where compliance has been and where it is going as well as any presentation I have seen. Chen noted that principles-based compliance programs are now becoming the standard. For those lawyers who still argue a paper program is sufficient for an effective compliance program, those arguments have long ago fallen by the wayside and are consigned to the dustbin of history. Further, those same paper compliance programs were rules-based, largely written by lawyers for lawyers, with little regard for how companies actually do business. To be effective, a compliance program must be fully operationalized with documented evidence of effectiveness.
Chen also talked about some of the current challenges for compliance. The last couple of years have seen a proliferation of new risk areas or significant expansion of risk areas. Everything from #MeToo to cyber to human trafficking and human slavery, and to just who is in your supply chain, is now an issue that companies have to grapple with going forward. Social media amplifies all of these areas and many more. Your company’s stock price can take a big hit in only a very few days. Anheuser-Busch InBev SA/NV (AB InBev) and the Bon and Viv imbroglio earlier this year is but one prominent example.
The next area Chen focused on was the arrival of big data. Companies have long held huge amounts of data but it was almost always siloed so that it would be held in only one corporate discipline. The compliance function did not have access to it so that any information the compliance function wanted on a customer, third-party sales representative or supplier had to be generated by the compliance function itself. This is hugely inefficient and costly. Now companies are making their own internal data available to the compliance function. Compliance also now has the ability to not only tap into systems to collect the data but analyze it as well.
The next area is in measuring compliance program effectiveness. This began in 2017 with the release of the 2017 Evaluation of Corporate Compliance Programs and was re-emphasized in the Evaluation of Corporate Compliance Program – 2019 Guidance released in April 2019. In areas such as training, conduct at the top, risk assessment as well as others, compliance professionals are working towards demonstrating program effectiveness.
The final area of challenge Chen identified was the polarization of society. This has led to many instances of people not communicating and literally talking past each other. In the corporate world, it can lead to a breakdown of corporate values and culture. However, it can also lead to employees raising issues on how and with whom a company does business. Here one need only consider the employees of Google LLC objecting to millions in severance packages paid out when men accused of harassment left the company or the employees of Microsoft Corporation objecting to certain contracts the company had with the US government.
Going forward into 2020, Chen identified three key areas for compliance challenges. The first was the integration of multiple risk areas of compliance. The legal areas of corruption, antitrust, regulatory, anti-money laundering (AML), discrimination and harassment have exploded into areas such as privacy and data protection, trade and sanctions and labor issues. The compliance profession and corporate compliance function will have to expand themselves to be ready to address these risks. But there are also business risks. In addition to the Trump Trade Wars, potential armed conflict and all the legal issues, business risks are increasing through competition, new and expanding markets and regime change.
The next area is integrating these new risks through corporate and other data so that a full picture of the risk can be seen, that risk can be measured, and risk management strategies can then be put in place to move forward on a business basis. This data integration will come through extraction of the data, harmonization of the data and then visualization of the data. It will allow a real-time feed of information which can be tracked, and if a problem or issue arises, it can be dealt with before it becomes a bribe or other legal violation.
Chen identified measurement and outcomes of your compliance program as another challenge. Prior compliance programs had dealt with a legal mindset which said that I do not have to know or understand data; I do not want to learn to read a spreadsheet as such knowledge is beneath me as a lawyer. I do “the law”. That has changed and, as with paper compliance programs, is consigned to the dustbin of history. Now the more common pitfalls are incomplete and/or invalid metrics, mistaking legal accountability (I have a paper program) for compliance effectiveness and self-reporting and self-selecting bias.
The change must come through linking your compliance program to your compliance objectives. Compliance must work to link the principles of your compliance program to the outcomes you obtain. The question is not whether your employees take the compliance training, nor even whether it is retained, but whether they use it in their business operations going forward. Moreover, are you using what Chen calls “best practices or best guesses”? All of these questions will need to be answered going forward.
I have seen Chen speak several times now. She is one of the most forward-thinking and facing compliance professionals around. If you have the chance to hear her speak, run don’t walk to the presentation.
© Thomas R. Fox, 2019