Effective Compliance Hallmark 6 – Enforcement and Internal Investigations
“Legal, by definition, may be more interested in protecting the organization,” former Department of Justice (DOJ) enforcement consultant Hui Chen says when discussing what makes an effective compliance program.
She continues:
“Sometimes that protection may be interpreted as ‘we don’t want to know too much.’ Whereas compliance always wants to know more. A good compliance function wants to know what happened, how to fix things based on what you learn about what happened and what are the system weaknesses.”
Our sixth hallmark of an effective compliance program focuses on promoting ethics within an organization, on providing processes for reporting unethical or noncompliant activities and on responding to them effectively. This is the realm of internal compliance enforcement and investigations.
According to the Federal Sentencing Guidelines for Organizations (FSGO), an organization should enforce its compliance and ethics programs by providing appropriate incentives to act ethically according to those programs’ standards and appropriate disciplinary measures for engaging in criminal conduct. It should also provide disciplinary measures for failing to take the steps necessary to prevent or detect this conduct in advance.
As Chen suggests in my recent interview with her, one of the most important aspects for a regulator reviewing compliance issues is to first look at the organization’s internal policies for handling any issues or violations. To do this, the compliance function of an organization needs to proactively protect their company by knowing exactly what’s happening, how to fix issues and learn from them and how to correct any weaknesses in the system.
Thus, the goals of legal and compliance are actually aligned, but compliance officers have the benefit of protecting an organization before an incident occurs or before an issue can get out of hand.
One way organizations can better their internal compliance enforcement is through the types of incentives they offer to their employees. It’s important to use the right types of incentives, because the wrong types, which are far too common these days, can lead to negative consequences.
Take, for instance, the recent banking fiasco in the US where employees were put under extreme pressure to meet targets, so they opened unauthorized credit cards to boost their sales records.
According to an article in the Harvard Business Review, as soon as this first unethical act happens, an outright fraudulent act is not far off. The employee’s justification for these acts can quickly move from “unethical but technically legal” to “well it’s not harming anyone” to “no one will notice.” When these types of oversights and behaviors are tolerated by an organization, they quickly grow more severe and can spread through the organization like an infectious disease.
While the pressure to make a profit in any business is high, companies should no longer incentivize their employees to compromise ethics and compliance codes for the sake of boosting their sales numbers. Negative incentives can result in tens of millions of dollars’ worth of fines.
As the old compliance adage goes, the cost of noncompliance is roughly three times that of the cost of compliance. And sometimes the damage to brand reputation from a breach is almost irreversible.
Across the pond, the UK experienced the backlash from negative employee incentives in the form of the payment protection insurance (PPI) scandal. The PPI scandal involved certain banks who aggressively sold unnecessary insurance to customers once they realized how profitable those sales could be.
“We’ve always known that people were being mis-sold PPI, but we were still amazed to discover the scale of it. It appears that salespeople are chasing their commissions, their bosses are chasing profits – where’s the sense of responsibility to the customer?” personal finance campaigner Doug Taylor mentions in an interview with The Guardian.
If incentives, when misused, so often lead to compliance breaches, how do companies offer incentives that actually improve their internal compliance and encourage their employees to make ethical decisions rather than break ethical codes?
A recent Health Care Compliance Association roundtable offers some insights into positive incentives for ethical behavior. The roundtable encourages companies to think of ways to honor and reward people for modeling integrity, and to consider making compliance and ethics certifications a condition for promotion to senior management positions.
The roundtable also suggests that companies provide incentives for reporting that helps identify specific problems and system errors that improve overall compliance. Companies should be mindful not to make these reports a type of bounty-hunt for people, but rather make them about operations and systems.
This is where a technology solution that provides a vehicle to capture reporting, resolve a reported event and gain ongoing metrics to better perform risk assessments can play a pivotal role.
According to the DOJ whitepaper on “The Evaluation of Corporate Compliance Programs,” regulators ask certain questions when they conduct investigations into a compliance breach. The first item they review is the effectiveness of a company’s reporting mechanism. They want to know how the company collects, analyzes and uses information from its reporting mechanisms.
Imagine if the DOJ came knocking and you had only a short amount of time to collect all that information, enterprise-wide, manually? Talk about a nightmare.
This is where building in a culture of compliance company-wide, paired with the right technology solutions, can provide the peace of mind a company needs to know their compliance will almost always pass a regulator’s test.
As Chen mentions, a culture of compliance involves a tone of enforcement and incentivizing from the top that starts from the bottom up. In other words, senior leadership should get to know their employees, understand their goals, needs, ethical and moral codes, and develop a compliance program that reflects both the values of regulatory restrictions and the values of their employees.
When compliance and ethics pervade an entire organization from the ground up, creating a culture of compliance, the likelihood of ethical breaches becomes much smaller.
While the ultimate goal of internal investigations and enforcement is to avoid any need for the DOJ to ever look into the effectiveness of your compliance function, if they do come knocking and you have these systems in place, they can really help save your breeches from breaches.
Be sure to read our seventh and final hallmark of effective compliance programs – remediation.