The surest sign an industry is maturing is when its practices become normalized. Compliance is currently experiencing this ascent. Around the world, multinational, national, and regional regulatory standards are converging on a set of heightened expectations for corporate compliance programs.
Countries are adopting stronger laws against corporate misconduct and providing guidance for organizations to reduce possible penalties for misconduct.
While normalization might sound inconsequential, in business it is anything but. Normalized standards make the repercussions of falling short of those standards that much more severe. This is creating numerous implications for how companies structure their compliance programs and, more importantly, for how companies structure their operations around compliance.
While global governments one after another are adopting stronger laws against corporate misconduct, they are also providing guidance for organizations to reduce possible penalties for misconduct. These reductions, declinations and cooperation benefits all hinge on a company’s ability to demonstrate its commitment and diligence toward effective compliance.
Fortunately, steps toward diligence are also normalizing. Properly screening and monitoring third parties; protecting whistleblowers from retaliation; operationalizing policies and procedures, and effectively training the workforce have become the foundation of the best practice compliance framework. These standards, while once heavily enforced in just the U.S., have now gone global. Today, there is a higher bar for compliance programs and the world is watching.
Standards once heavily enforced in just the U.S. have gone global. Today, there is a higher bar for compliance programs - and the world is watching.
We are seeing these concepts gain global traction through the U.K. Bribery Act, Sapin II in France, the Clean Companies Act in Brazil, or in Australia’s new whistleblower law. And we’ll soon see them in the European Union’s whistleblower protection laws, and the ISO 37002 standard for whistleblower protection scheduled to arrive in the early 2020s.
In one form or another, many of these global regulations trace back to the Federal Sentencing Guidelines and track toward the U.S. Department of Justice’s recently updated Evaluation of Corporate Compliance Programs. If the latter document is our baseline, we also know that defensible compliance effectiveness requires not just a program, but a program that works. As the updated guidance clearly states, one of the three questions a prosecutor will ask is, “Does the program work in practice?” More specifically, what are its outcomes?
It is business and behavioral outcomes that mature, normalized industries measure success against, not processes.
Normalizing Compliance in Your Business Operations
Executives can internalize this normalization of corporate compliance in two ways.
First, on a practical level, compliance functions will need to improve their use of technology. Normalized functions simply have more to do. As NAVEX Global's Chief Compliance Officer, Carrie Penman, says, “The sheer amount of compliance activity is increasing and programs need to demonstrate the company’s capacity for compliance.” Automation increases this capacity.
Furthermore, as companies come under more scrutiny for their conduct, they’ll need the ability to “show their homework.” That means designing business processes that are auditable. Here we see the second criteria for compliance technology: “It should not only automate processes, but also document practices in a way that the company can show results to any regulator, business partner, or consumer group that might ask to see it,” says Penman.
At a more strategic level, this normalization of ethics and compliance has other implications.
At a more strategic level, this normalization of ethics and compliance has other implications. It’s not just global regulators who want companies to strengthen their workplace culture and employee conduct – employees, consumers, shareholders, and non-governmental organizations do, too.
Being responsive to these constituencies requires transparency. They want to see sincerity in a company’s drive toward good conduct. They want to see thoughtful awareness and continuous good-faith effort, not a check-the-box program that meets minimum thresholds. In short, they want to see a corporate culture that plainly and visibly cares about ethical conduct in service of better performance.
“All of this starts with executive leadership, including the board,” says Penman. It requires investment in the messages we send, the behavior we model, and the goals we set for our employees. These intangible investments accelerate our ability to deliver on the tangible investments we make in compliance technology and programs.
Through the hard work of committed ethics and compliance professionals, our industry and standards are going global. While “effectiveness” has always been the goal, the volume of what we need to be effective on is growing exponentially. To meet these demands, compliance must maximize its capacity through technology and minimize its risk through ethics.