Recently, I have been asked to offer my thoughts on where compliance is going. I see the proliferation of risk areas, the arrival of Big Data, the need to measure outcome, and the polarization of our societies as key challenges and shaping forces of our businesses and profession.
Thus, I see the following features as driving considerations of next-generation compliance.
Integration of Risk Areas
Anti-bribery, antitrust, trade sanctions, anti-money-laundering, privacy, harassment, market manipulation: These are just some of the risk areas that demand attention. Globalization and technology have created ever-evolving possibilities for both misconduct and enforcement. As risk areas proliferate, corporate employees have come under an increasing assault by their compliance subject matter experts: For each risk area, there are separate sets of policies and procedures, repetitive due diligence processes, stand-alone training sessions, ad nauseam.
One global company, for example, subjects its new employees to more than 90 different training modules upon onboarding!
The 90+ training requirement is a result of a subject-matter-centric approach: Every risk area with its own set of activities, imposed on its own schedule, with no regard for their cumulative effect on the audience. Better integration requires reframing our approach from a subject-matter-oriented to a process-oriented one.
The concept of just-in-time training is an excellent example. Instead of making employees step away from their work to be trained on entire topic areas, deliver training as concrete actions that are part of their everyday process. Take a look at this example of how multiple compliance issues are incorporated into one workflow checkpoint for accounts payable.
Integration of Data
In a prior post, I pointed out the gap between how businesses use data to know their customers, and how they fail to use data to monitor their own activities. Compliance, legal, finance, human resources, sales, marketing all have their own data sets, and these sets don’t talk to each other. Once, when I suggested to a compliance officer that her platform of distributor diligence and investigation records may benefit from an overlay of revenue and marketing spend data of these third parties, she insisted that such data did not exist.
It did, in finance.
It is critical for compliance to develop the ability to extract data from various internal systems, harmonize them to enable meaningful comparison, and then visualize the comparison to monitor trends and anomalies. Businesses have already proven this ability when applied to revenue-generating uses. The expectation is that the same ability can be applied towards efficiency and transparency of business operations.
Compliance programs have moved from proving their own existence to proving their effectiveness. The next question is: effective at what? My prior post calls out compliance as the odd profession where we only measure how hard we tried (efforts) but not what we have accomplished (outcome). The stated goal of a compliance program is to prevent and detect violations of law: We will need to learn how to measure “effectiveness” in achieving those goals.
Some say it is “impossible” to measure prevention; yet the fields of crime prevention, public health, and aviation safety—among others—have been measuring prevention for decades. Public health programs, for example, measure not just how many vaccinations are delivered, but the rise and fall of infectious diseases. As companies’ ability to track and monitor internal activities improves, we will have more data—and higher corresponding expectations—to be able to measure the rise and fall of violations and near-misses and the time it takes for misconduct to be detected and interrupted.
Struggling with Ethics in Polarized Societies
As our societies become increasingly polarized, collisions of moral principles occur in our workplaces. Flammable issues such as gun control, immigration, and LGBT rights force companies to make decisions on whether to revoke discounts to NRA members, how to treat their immigrant employees, what benefits to confer, which customers to serve.
Every side of these tension-generating issues is motivated by ethics: moral principles and beliefs. When I hear of people talking about “ethics” I often ask: “Whose ethics?” While some observers may applaud Salesforce’s decision to prohibit the use of its software by customers who sell certain types of guns, for example, there may be some employees or shareholders who did not cheer that decision.
Not everyone will like every decision or action, but it would go a long way for those who disagree to believe their viewpoints have been heard with sincerity and considered with seriousness. Our role as ethics and compliance professionals is to enable and facilitate that listening process. We do so not just with surveys and helplines: we can model our attention by proactively seeking stakeholder input before we roll out policies and procedures, by equipping leaders and managers with listening and communications skills.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Hui Chen is an independent ethics and compliance consultant and was the Justice Department’s first-ever compliance counsel expert. She has served in global senior compliance lead positions at Microsoft, Pfizer, and Standard Chartered Bank.