Optimizing the Right Compliance Vector

A compliance officer should always be ready to take a good idea wherever you find it and figure out how it might improve your compliance program. In that spirit, today let’s talk about a nifty phrase I stumbled across in the technology world that could help compliance officers immeasurably in these tumultuous days: finding “the right vector to optimize.” 

I heard this phrase on the latest episode of the GZero World podcast, an excellent discussion of geo-political issues hosted by risk analyst Ian Bremmer. He was interviewing Nick Thompson, head of The Atlantic magazine, about the tech industry and the incoming Trump Administration. The conversation turned to regulation of artificial intelligence, and the Biden Administration’s last-minute adoption of export control rules meant to curb China’s ability to develop cutting-edge AI

What did Thompson think of those rules, Bremmer asked? 

“The entire braintrust of the Biden Administration, to the extent it was thinking about AI … was only focused on how to prevent AI from getting to China,” Thompson replied. “It was optimizing on totally the wrong vector!” 

That is, the Biden Administration could have approached the regulation of AI from many different directions. It could have focused on limiting the rise of bots that drive fraud and cybersecurity risks. It could have focused on the economic dislocation that AI might cause in the labor market. It could have focused on AI-based discrimination, the rise of deepfakes to spread disinformation, or even existential risks like people using AI to develop superweapons. 

The Administration, however, chose not to approach AI from any of those directions — or, from any of those vectors. It only chose to regulate the development and distribution of AI technology, to prevent that technology from falling into the hands of our primary geopolitical adversary. 

Was that really the best vector to optimize? I don’t know. But the idea behind the phrase — that a large, amorphous problem can be attacked from several different directions, and you need to figure out the best direction of attack to achieve your aims — has important application for compliance officers and the programs you run. 

Optimize for the Right Compliance Vector

The parallel for compliance officers is that a corporate ethics and compliance program, as a concept, is just as large and amorphous as artificial intelligence. So you need to find the right path — the right vector to optimize — for a strong compliance program that has widespread support in your organization. 

For example, you could work for a senior management team that believes the compliance program solely exists to assure compliance with specific regulations. That team provides you the minimum resources necessary to comply with those regulations, and nothing more. 

There’s nothing inherently wrong with that approach; it’s not illegal, and certainly helps the company to preserve resources for other business purposes — but is that really the wisest way to approach ethics and compliance? Has the company really chosen the right vector to optimize? 

I would argue no. The business could optimize for other vectors that might cost a bit more money, but deliver far more benefit too.

As another example, imagine a management team that believes the compliance program exists to stress the importance of ethical conduct at all times. That team gives you resources for regulatory compliance, sure; but it also provides resources for ethics training, and structures compensation to favor ethical conduct, and allocates precious CEO time to talk about ethics, and impanels cross-enterprise groups of compliance, audit, security, and operations teams to understand what new ethics and compliance risks are emerging.

Sounds like the dream, I know. But also ask, which of these two hypothetical management teams seems better positioned to navigate the complexity of today’s business and regulatory landscape? 

Why This Matters Now

Well, this matters now because the Trump Administration is clearly going to do a very big number on regulation, as our returning president likes to say. He’ll try to streamline lots of regulations (good in many instances, although not all) and roll back lots of enforcement against corporate misconduct no matter what happens with deregulation (bad in many instances, although not all). 

The key question is how corporate boards and management teams will respond to that effort. If they define corporate compliance downward — to take the view of our first management team above, that compliance programs solely exist to assure compliance with regulations, and therefore only deserve the minimum resources necessary to do that task alone — that management team is optimizing for the wrong vector. They’re taking a compliance-focused approach, when a strong ethics and compliance team can help with many more issues.

vectorFor example, a strong ethics and compliance program should be rooted in a strong anti-corruption compliance program for the Foreign Corrupt Practices Act and other anti-bribery statutes. But even if FCPA enforcement goes away (unlikely), the capabilities of a strong FCPA compliance program can help with all sorts of other situations that a company should want to avoid. 

Consider the recent fraud case at Takeda Pharmaceuticals, where an employee conspired with her boyfriend to embezzle millions from the company. The boyfriend incorporated a fake company, which entered a sham consulting agreement, and sent bogus invoices to Takeda for services never received. The employee then approved the invoices for payment without proper documentation.

That whole case is essentially identical to an FCPA scam, except that the boyfriend was a U.S. citizen rather than a foreign government official. Every other dimension of the case stinks just like an FCPA violation. (Said employee and boyfriend were eventually caught, indicted, and sent to jail. They also broke up.) 

We could come up with many other examples, too. Strong anti-harassment training reduces the risk of civil lawsuits from a handsy vice president who grabs the intern’s behind. Strong third-party due diligence capabilities can help to sniff out vendors that have weak finances, poor cybersecurity, trouble with human trafficking — and, yes, corruption and sanctions risk. 

We could keep going. My point is that many risks in the modern corporate world take multiple forms at the same time. One of those forms is compliance risk, but just because the Trump Administration might wave that specific form away with an executive order, that doesn’t mean the risk has gone away. Its other forms still lurk, waiting to trip up your company the moment it’s not paying attention. 

That’s the message compliance officers want to stress. By optimizing on a risk vector, rather than a compliance vector, you portray your ethics and compliance program capabilities in a different light. Here’s hoping management sees the value those capabilities will still bring, no matter what chaos the Trump Administration foists upon us. 

Leave a Comment

You must be logged in to post a comment.