Tom Fox has just finished his sixteenth book, “The Complete Compliance Handbook.” There is a treasure trove of compliance program best practices and action plans lining the pages of this compliance compendium. And for that, you will have to buy the book. Today, however, I am interested not in what we will learn from reading the book, but in what was learned during the 13 months spent writing it.
For those insights, we turn to a discussion with Tom Fox.
- Managing and mitigating risk has always been the compliance M.O. Is that still the case, or are you seeing a shift toward an ROI of compliance?
Fox: There are a couple of things I would say. First of all, the compliance and ethics risks that you and I thought of five years ago have completely changed. It's now reputational. Name a scandal, any scandal in the past five years, and there’s a reputational hit. The final penalty is not minuscule, but certainly small compared to the overall loss of business value and loss of face. I mean, even sitting here today, the Michael Cohen consulting scandals, neither may have broken any U.S. laws, yet the reputational damage from them is quite high. So, it's a much broader categorization risk.
And I'm really glad you brought up the point of business value, because I view compliance as a business process. And if it's a business process, it shouldn't exist unless it adds value to the business. I contend that a robust compliance program makes your business run more efficiently and, at the end of the day, more profitably. At this year's World's Most Ethical Company Awards, we learned the companies that have won those awards over the past 15 years have a four-time greater return on profit than the S&P 500 average. And recognize – they didn't win those awards for being good-hearted – they won those awards because their ethics and compliance programs were more robust. That's what makes them more profitable. So now I think we're seeing a direct correlation. A robust compliance program does not slow you down. It's like brakes on a car; you don't have brakes on a car to go slow. You have brakes on a car to drive fast. That’s how you win. If you have a robust compliance program, it allows you to be much more nimble and respond to market conditions more quickly.
- Your book covers the 10 Hallmarks for an effective compliance program, which were released in 2012 in a joint effort between the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC). What has changed between then and now?
Fox: In 2012, tone at the top was a key. Today, it is not just tone that is required but leadership actions at the top and leadership conduct at the top. That is because our industry is maturing. Soft skills are being embedded by hard actions. This evolution is being seen in risk assessments as well. Once the cornerstone of the compliance program, a simple risk assessment is now becoming a true risk management strategy. This doesn’t stop after you have assessed the risk of a forecasted activity – it continues through risk-based monitoring to see if you've fully remediated or ameliorated the risk. You then take that information and loop it back into your risk management system in case you have a new business, new geographic market, new service, or a change in the law. I spoke with someone recently who said, "Our risk has dropped since regulators have backed off some of the consumer protection statutes." So risks can change and not always for the severe. It’s essential to monitor for both.
- The DOJ’s questions for evaluation focused on program effectiveness. Do you think that put a nail in the coffin for check-the-box programs?
Fox: Yes, absolutely. The check-the-box program has been dead for a long time. Unfortunately, it's had several dying legs, and I hope the information that the DOJ released in 2017 will kill it off forever. First, in the evaluation, the keyword we saw was “operationalization.” That became the buzzword. But if you think about it for a minute, operationalization simply means embedding compliance into the very fabric of your organization with the people who are at the highest risk of an FCPA, compliance or ethics violation. It's giving them the tools to do business ethically and in compliance. So, it makes sense from the business process perspective. That was carried forward in the new FCPA Corporate Enforcement Policy where I think they specifically stated what you just said. The check-the-box policy is no longer going to be defensible in any way, shape or form.
- What do compliance professionals need to be focusing on right now to protect their people, reputation and bottom line?
Fox: Self-disclosure and all the steps required to do so is a good place to start. I think with the Evaluation of Corporate Compliance Programs document and the new FCPA Corporate Enforcement Policy, compliance is going to become absolutely more critical. The new FCPA Corporate Enforcement Policy focuses on enforcement and the presumption now is that you will receive a declination if you self-disclose, if you extensively remediate, and if you pay money back through profit disgorgement. But the key, as Rod Rosenstein told us in his opening Keynote at Compliance Week, is that this requires a robust compliance program. If you do not have a robust functioning compliance program in place, you're never going to find out about the compliance violation, you're not going to be told via hotline, you're not going to pick it up during detection, and you're not going to pick it up during ongoing monitoring. That means you won't know about the issues you need to self-disclose. If you don't self-disclose it, you don't get the presumption of a declination. And if you don't self-disclose and it continues to fester, that’s when the Department of Justice comes knocking at your door saying, "We have a subpoena for you, Mr. Company." That’s going to be much worse for you.
- Lastly, what would you like people to know about your new book?
Fox: It was really a journey for me, a great learning journey writing it. I did research in the areas I hadn't looked at in quite some time. I talked with top compliance practitioners, and they’re all in the book. I was able to talk to former regulators from the DOJ and SEC who are now in private practice. I talked to people who have product or services that you or I might not consider compliance-based – those who are true innovators, particularly in the use of data and analytics. That will be the cutting edge going forward in compliance. So for me, it was a great journey of discovery. It was a great way to put all of those learnings into one book. There is literally no other one-volume compendium of the current best practices – at least not until my next book comes out.
You can learn more about and purchase "The Complete Compliance Handbook" here.