Rebutting Resistance to Compliance Investments

Earlier this week I visited one of the larger compliance vendors in the market to talk with their sales staff about the pressures compliance officers face. Our discussion quickly centered on two questions. First, why do some companies decide not to invest in compliance capabilities? And second, what are some possible arguments that might change those executives’ minds?

Well, those questions are just as relevant to compliance officers as to the sales reps trying to sell you stuff. So let’s talk about what the answers might be.

First we should remember that compliance officers and sales reps are often on the same side here: you both want a strong, effective compliance function for your company. Granted, the sales rep wants that because it puts more money in his or her pocket, while you want it so you can succeed in your job — but those different motives are OK. Assuming the sales rep’s product actually works (a big assumption, I know) and fits your needs, you’re both still striving toward that same goal of a better program.

I’m more interested in what happens when you and the sales rep are aligned on a compliance investment, but more senior management doesn’t want to spend the money. Why not? What could you say to get them to change their minds?

One answer is that management won’t spend money on compliance investments if it believes that the risk of a compliance failure is low. For example, management might be confident that it has very few corrupt third parties that could pose FCPA violations, or that the odds of prosecutors discovering those violations are minuscule. So why bother investing in an expensive third-party due diligence program? Let the compliance officer keep muddling along with whatever homegrown, manual processes the team has been using for years.

That answer might feel right to some tight-fisted executive teams out there, but it’s a narrow way of thinking that misses a bigger picture. Which brings us back to the message I delivered to the sales reps. 

Framing It as a Matter of Risk

The drawback in the thinking of those tight-fisted executives is that they ignore the larger potential of what a corporate ethics and compliance program could do — and when one considers how the business environment is evolving these days, ethics and compliance programs could do quite a lot.

To put it simply, the business environment is becoming more complicated. Companies are encountering more regulation, struggling with more uncertainty, working in more inter-dependent webs of commerce, and living under the ceaseless judgment of social media — all at the same time. Moreover, none of that is going to recede any time soon.

Now consider the capabilities that a good compliance function has:

  • Risk assessment and regulatory change management, to understand what laws and other rules do apply to your business.
  • Policy management, to map out how your workforce will obey those rules.
  • Training and communications, to teach employees what those policies and procedures are.
  • Due diligence, to assess the reliability and behavior of business partners.
  • Internal reporting, so that employees can bring concerns to management’s attention.

Well, in what future will any of those capabilities become less important? If anything, all of the above will become even more important for a global business as it strives to succeed in our highly regulated, complicated, inter-dependent, and uncertain world. 

The argument to make to tight-fisted management teams is that a strong, robust ethics and compliance program will have capabilities that can solve other problems the rest of the enterprise is going to keep on hitting. A strong compliance program, one where all of those bullet points above are tools in a complete toolkit, will sharpen the company’s overall risk management and response capabilities. That’s going to become even more of a strategic advantage in the future. 

A compliance program has lots of tools in the toolkit. Why not use them expansively?

I’m not saying that your ethics and compliance program should turn into a risk management program. Rather, a strong compliance function can be a more effective part of the team trying to solve big problems. Some of those big problems might be cultural (such as encouraging employees to speak up about product design shortcomings); others might be operational (figuring out how much to rely on third parties for mission-critical operations).

Regardless, management won’t do a great job of figuring out those issues without those same capabilities that an ethics and compliance function should have. So why not empower the ethics and compliance function, which can then repay the favor by empowering the company’s overall risk management abilities? 

How Does Management View Compliance?

I like the metaphor of a strong compliance function as part of the team, because it also neatly describes how short-sighted leaders might talk themselves into short-changing the compliance function: they see compliance as something they’re required to have by regulatory diktat, so they fund compliance to the minimum level necessary and then keep the function on the sidelines, away from the “real” business.

That’s the narrow view of compliance that I fear. Those leaders only see the compliance function as a necessary evil, something that exists to fulfill a specific duty imposed by some external regulation. With that view, why wouldn’t they want to keep their compliance spending as low as possible? Why wouldn’t they cut the compliance program entirely as soon as that regulation or corporate integrity agreement goes away?  

Alas, there’s no shortage of such leaders out there. Lots of you have written me privately over the years to confirm that fact, telling me some truly glum stories about management teams that simply refuse to see the potential upsides of a strong compliance function. (Then again, there are forward-thinking leaders out there too, who do see that a strong ethics and compliance function can help them in all sorts of ways.)

My analogy is that a strong ethics and compliance program — a culture of ethics and compliance, if you will — is a lot like regular exercise. Exercise is not free. It costs time and money. Over the long term, however, the benefits of exercise are clear and compelling. You’ll be stronger and healthier. You’ll live longer. You’ll be more likely to avoid illnesses such as diabetes, cancer, and heart disease.

Regular exercise doesn’t guarantee that you’ll never get those illnesses, in the same way that a strong culture of compliance doesn’t guarantee that you’ll never have an FCPA violation or an internal controls failure. But regular exercise does make it more likely that you can endure the illness and recover more quickly. 

By the same token, a strong culture of ethics and compliance will be able to help your company avoid many compliance and risk management failures in the first place, or help you recover more quickly when some missteps inevitably do happen.

That’s one way to argue the importance of a strong compliance program to skeptical management, and to reframe their thinking. It’s the same one I told those sales reps I met earlier this week; when you hear them use it with you on the next sales call, at least you’ll know to blame me.
