Corporate Law News

INSIGHT: Strategic Planning for Your Compliance Program

Jan. 10, 2019, 9:00 AM

January is the month for resolutions. As we all know from experience, however, many resolutions fade into the background quickly as we get busy with the day-to-day. The same drop-off can happen with compliance programs.

Compliance, by its nature, fights fires: a whistle-blower reports a scandal, a dawn raid on the company subsidiary halfway across the world, a subpoena from a regulator, a colleague’s bad judgment call exposes the company to serious liability. Priorities can shift quickly in the midst of urgencies of the moment, and at the end of the year you realize that your plans for fire prevention had gathered dust, and the same fires will flare up again next year.

A strategic plan presents a vision of how a program expects to progress, a roadmap and timeline of how it will get there, and a governance framework of how the pieces fit together. It helps to maintain focus on the longer-term sustainable priorities even in the midst of distractions. Here are some considerations for your strategic planning.

Scope. The best range for strategic plans is probably 3–4 years. A multi-year strategic plan enables you to cover different levels of priorities and document your rationale behind the prioritization.

Let’s imagine, for example, that as you plan for your program today, you believe—for good reasons—that your top three priorities for 2019 are to implement a third-party monitoring program, revise your privacy policy, and build your regional teams.

Lower on your priority list are items such as revising procedures for charitable donations and trade compliance. While you focus on implementing the top priorities and fight the random daily fires in 2019, an investigation unexpectedly reveals a serious issue relating to donations, or you receive a subpoena for your trade compliance activities.

Now you have to defend your program—including why you have not updated your donation or trade procedures—to law enforcement and regulators. Having a documented strategic plan enables you to demonstrate that you had in fact considered and not neglected donations or trade compliance, but had sound reasons for prioritizing them as 2020 rather than 2019 priorities. This would go a long way in the defense of your program.

Flexibility. Given the dynamic nature of compliance work, the strategic plan needs to not only plan for the longer term, but remain flexible to accommodate changing environments and realities.

I usually recommend that companies review and revise their multi-year strategic plans annually. This approach means you always have a forward-looking multi-year vision and road map from where you are standing.

Stakeholder Commitment. The strategic plan is an excellent tool for enabling stakeholders’ buy-in. When your plan presents a vision and a roadmap, it helps everyone see the big picture, and what their roles and responsibilities are.

The strategic plan should clearly designate owners for specific actions, and together with the designated timeline, becomes a buy-in and accountability document. When the board, audit committee, and executive management approve the plan, they are endorsing and signing onto their respective commitments required by the plan.

Process/Control Reviews. A common issue I have often seen in companies is the accumulation of controls. As audits, investigations and tests identify problems, controls are added; ten years of adding controls leads to the inability to do anything without multiple approvals.

Training is one of the controls that is a favorite for everyone to add: it seems to be everyone’s answer to every compliance issue. In some companies, new hires are required to take more than 50 training courses, regardless of their jobs!

A strategic plan should therefore include a holistic process or control review of at least one function or one set of controls—e.g. training, accounts payable, procurement—in an effort to streamline processes and controls, including identifying those that may be duplicative, outdated, inconsistent, or non-operational.

Health Check. Every year, I go to my doctor for a simple health check that includes measuring basic vital signs and a blood test. I do the same health check for compliance programs, based on a set of indicative data that includes metrics from employee surveys, audit exceptions, “hotline” data, third-party data, etc.

It is similar to the model I used in the evaluation of compliance programs at the Fraud Section in the U.S. Department of Justice, using data to perform an initial diagnosis of compliance programs. Just like your diet and exercise plans are better informed by your physical health check, your strategic plan benefits from simple health checks.

Strategic planning helps ensure your program is both sustainable and flexible, and it allows you to evolve your program to keep pace with a changing environment and changing expectations. More importantly, it helps you to lead your company with a vision.
Happy strategic planning, everyone!

Author Information

Hui Chen is an independent ethics and compliance consultant and was the Justice Department’s first-ever compliance counsel expert. She had served in global senior compliance lead positions at Microsoft, Pfizer, and Standard Chartered Bank.
