by Andrew Leigh, Featured Contributor
WEARABLE GADGETS that track your heart rate, temperature or some other measure of health such as blood pressure are currently proving popular.
If only we could have one that gives a quick reading on the health of company compliance programs.
Too often the main health check of programs is an occasional heavy-weight audit. This is sometimes conducted by an internal financial service and occasionally by an external resource. These examine certain books, records and data. They help identify incidences of non-compliance and increase confidence in the integrity of the information, systems and processes under review.
The scope of the heavy-weight audit programme varies, depending on both the company and the industry. But general guidelines suggest there should be complete coverage, which includes testing the firm’s compliance with specific legal requirements and its own internal compliance policies and procedures. This involves checking on the adequacy of the compliance program itself.
If a firm has conducted comprehensive risk assessments, it should have identified the most significant compliance risks and installed suitable controls. These assessments can provide a detailed road map of where to focus audit testing resources.
If there has been no thorough risk assessment, then the audit planning would normally start with the company’s code of conduct and compliance policies to identify the risk areas to target. Other factors influencing the audit program would include the firm’s industry, the size of the organization, the geographic locations of operations, any recent regulatory litigation, and any complaints from employees or customers.
Such audits, though, are equivalent to having a comprehensive MRA scan, rather than glancing at some wearable monitoring device and drawing rapid conclusions. Like financial audits, compliance audits have a fundamental weakness—they focus mainly on the past. They’re a look in a rear-view mirror.
“Compliance programs are too often behind the curve, effectively guarding against yesterday’s corporate problem but failing to identify and prevent tomorrow’s scandals”
Leslie Caldwell, Asst Attorney General, at Compliance Week Conference, Washington, May 19th 2015
Others too are suggesting changes if these burgeoning programs are ever to deliver value for money. J.P.Morgan’s finance chief, for example, recently spoke about the need for “optimising compliance spending.” [1]
Citi bank too has recently admitted that half its hard-earned expense savings are being “consumed by additional investments that we’re making in regulatory and compliance activities.” [2]
The widespread tendency in financial services to hire a bevy of external people to help check out a program or fix a problem when a new compliance issue surfaces also concerns many insiders. More than a few regard existing programs as too costly.
Further, the frequent knee-jerk reaction of hiring yet more compliance externals mainly seems to occur because corporate leaders think they must be seen to be taking compliance seriously, to be observed actively moving to minimise breaches of regulations.
Yet as Caldwell warned, such programs “need to be proactive, not just reactive” and she suggested at least ten hallmarks of effective ones.
These include, for example, making sure senior executives are responsible for the implementation and oversight of compliance, with authority to report directly to independent monitoring bodies.
Attempts to do just that though, have not always proved easy, as Barclays learned when Sir Hector Sants, one of the most senior figures in the City during the banking crisis, quit his high-profile role as head of compliance at the bank just weeks after being signed off sick with exhaustion and stress. [3]
Another weakness of many existing compliance programs is that they reflect a tendency for leaders to limit their thinking to the bottom line in the traditional way and not look beyond the numbers. Their motive for investing in programs is not grounded in the intention to encourage people to do the right thing, but rather to mitigate risks. [4]
To be more than just a process of box ticking and narrow risk avoidance, programs must not only be proactive as Caldwell argues. They should also play an important part in creating ethical engagement, or as anthropologist Steven Sampson puts it: “make it natural, to make it part of the air we breathe.” [5]
When it comes to determining the success of compliance programs, many company executives are still making the mistake of relying solely on the number of reports coming into their whistle-blower hotlines.
This is like using a wearable health gadget to reveal how many steps you’ve walked today without adding anything useful about how fast, or whether you raised your heart rate to any extent.
The metrics from whistleblowing hotlines provide little insight into how successful compliance programs really are. In fact, less than 10% of incident reporting happens through hotlines.
In taking the temperature of a compliance program it’s worth considering how much time the team or individual responsible for it spends in preparing reports for the board. Spending less than an hour a week on this important task for example, suggests a need to reconsider the approach to the relationship with the board. [6]
Finally, it makes sense to continue to review the whole rationale of these programs as currently implemented. Programs do not create ethically concerned or engaged employees. That requires a more holistic approach that uses programs merely as background support. More important are the essentials of creating a culture in which doing what’s right permeates all decisions, influencing thinking everywhere in the organisation.
The notorious GM ignition switch scandal, which has done immense damage to the motor firm, has shown for instance how, despite all kinds of codes and programs, people will still make seriously bad ethical choices if the culture is wrong.
Reliance on compliance technology—the science of algorithms—is advancing rapidly. Such systems will soon be able to digest millions of documents and emails, extract correlations and patterns that humans can’t detect. Who needs judgement when an algorithm will tell you where the risks are and who is likely to be about to commit a regulatory indiscretion? As one commentator recently put it:
The era of “human-machine co-operation is soon to be a reality…” [7]
In practice, of course, the more the technology advances, the more we’re going to need a climate in which employees live and breathe doing what’s right.
Sources
[1] L. Noonan, Cost of taming the watchdogs mount for banks, FT, 29.5.15
[2] See note 1 above
[3] J. Treanor, Hector Sants resigns from Barclays, Guardian, 13 November 2013
[4] F. Tabba, Measuring Ethics, Ethikos, March/April 2015
[5] S. Sampson, Culture and compliance, an anthropologist’s view, Ethikos, March/April 2015
[6] Cost of Compliance Survey 2013, Thomson Reuters
[7] Technologies on the horizon, Fraud Edge, Fraud Magazine, March/April 2015