‘Owning the Risk’ and Compliance
Compliance officers and regulators alike always love to say “the business owns the risk” — and we all know that here in the real world, those words often fall short of reality. I recently had a conversation with a compliance officer friend that reminded me just how widespread that shortcoming is. With his permission, I tell you his tale.
My compliance officer friend works at a company that manufactures industrial equipment. He had been investigating discrepancies in a sales executive’s expense reporting that pointed to embezzlement and possible corruption payments. The compliance officer then had to brief the VP of sales on the problematic sales employee.
The head of sales promptly lit into the compliance officer, complaining that…
- Issues with expense claims were below the VP’s pay grade;
- Expense claim violations are a compliance matter anyway, not a management concern;
- The VP should therefore not be part of any disciplinary action;
- Any warning letter to the offending employee should come from the compliance officer, not the VP;
- And really, wasn’t all this the compliance officer’s fault in the first place, since violations must mean that the compliance program doesn’t work?
Makes you want to scream, doesn’t it? My friend didn’t quite scream when he told me his story, although he did include more than a few expletives and ended with, “I’m not crazy, right? This guy is an [expletive] who doesn’t get what the compliance program is supposed to do?”
No, my compliance officer friend was not crazy — and his VP is pretty much the perfect example of First Line business executives not understanding what the compliance program is supposed to do.
It’s Never a ‘Compliance Matter’
We can identify numerous flaws in the VP’s thinking, but to my thinking his worst statement is the second bullet point above: that expense issues are a compliance matter, not a business matter.
Umm, no. That’s not how this is supposed to work.
Allegations of embezzlement and corruption are not “expense issues” like someone forgetting to include a receipt or exceeding a spending limit. Embezzlement and corruption are business conduct issues — and who else is supposed to be responsible for that, if not the management team?
The compliance function exists to identify deviations from the company’s standards of business conduct. Some of those deviations can be violations of law, like an FCPA violation; others might be violations of company policy, such as abusing sick days or cooking fish in the office microwave. Regardless, compliance isn’t “responsible” for business conduct issues. It is responsible for identifying violations and bringing them to management so that corrective action can be taken.
Or, imagine a world where compliance is responsible for business conduct. That would logically mean that compliance should also have whatever power is necessary to prevent misconduct, such as dictating how sales executives can entertain clients or which resellers the company will or won’t use. Management would quickly tell you to buzz off, because “telling my people how to work is my job!”
Well, yes. Precisely. When we talk about management “owning the risk,” we’re really saying that management is responsible for how employees conduct themselves — including the risk that employees conduct themselves in some improper way.
Also, let’s not kid ourselves. When management decides that the compliance function is responsible for employee misconduct, it never gives the compliance function enough power and resources to handle that responsibility properly; you never even get to that hypothetical where managers say you’re intruding on their job. It’s a semantic dodge so that management doesn’t have to do the hard work of, well, managing problematic employees.
Then we’re supposed to be shocked when a serious compliance violation happens and suddenly everyone is talking about how the corporate culture was never that good anyway.
All the Other Responsibilities
From that fundamental flaw of seeing misconduct as an expense issue beneath management’s pay grade, all the other misconceptions about the proper role of compliance flow.
If expense claim issues are only a compliance matter, then of course management wouldn’t contribute to disciplinary action or fire off a warning letter. And therefore the violations would mean the compliance program doesn’t work, in the same way that poor accounting is the accounting team’s fault or a payroll mistake is the HR team’s fault.
Except, compliance isn’t like those other corporate functions. Compliance identifies departures from the company’s standards of conduct. It doesn’t own them, in the way that accounting owns numbers or HR owns payroll.
Once the compliance team does identify a problem, it should (ideally) work with management of the relevant business function — sales, in the case of my compliance officer friend — to decide the appropriate solution. Still, management is responsible for implementing that solution, whether it’s a new policy for all, a disciplinary letter for one, or a call to regulators to self-report a legal violation.
The compliance officer shouldn’t be personally responsible for any of those steps. The compliance officer is supposed to be a partner with management, assuring that whatever steps are taken align with the company’s culture of compliance. That is what regulators really want to see when they talk about a strong culture and empowered CCOs.
At least, that’s how it’s supposed to work. As my friend’s tale shows, lots of companies still have a long way to go.