Fuelled by heightened regulatory attention and recognition across Britain's boardrooms that risks must be better managed, organisations are facing greater demands for effective compliance than ever before.
However, the practical challenges of managing and auditing a complex spectrum of internal policies require a fundamental rethink.
From the unrolling of bribery and corruption cases in the pharmaceutical sector, to the challenges facing the financial services sector in clamping down on illegal practices, the cost of such failures remains sky-high.
Last year alone, more than $730 million was paid as a result of US Foreign Corrupt Practices Act (FCPA) violations and the UK’s Serious Fraud Office is stepping up its pursuit of breaches under the Bribery Act.
Preventing compliance breakdowns is more complicated than adopting a commitment to play by the rules. The reality is that compliance breakdowns are rarely caused by a deliberate corporate strategy of deceit.
Most companies that have been prosecuted or fined had legally accurate policies in place, and a management team that at least claimed to want to follow them.
Instead, more often than not, what causes compliance programmes to break down is the failure to implement and track compliance with a legally adequate policy.
In other words, the breakdown usually occurs when a company fails to make its compliance policy operationally effective. At far too many companies, static policies are left to languish on bookshelves and intranets. This approach is in urgent need of reform.
Many people see the problem of compliance failures and believe that the solution is creating not just compliance policies, but a ‘culture of compliance’.
They then state the truism that culture is set by the top of the organisation and as long as management models a culture of compliance, the company will follow.
Obviously, an ethical culture and setting a good example are absolutely necessary. There is no doubt that if employees perceive that senior management act unethically, they will follow suit.
However, this does not mean that a good example set at the top will alone be enough to ensure ethical behaviour by more junior staff.
Instead, an effective compliance framework requires systems and processes that constantly remind and encourage people to do the right thing.
A well-implemented compliance programme defines and reinforces a good culture – a good culture does not create a good programme.
As a starting point, companies must ensure their compliance policies are well written and easy to understand by their employees, and not just the lawyers who wrote them.
If the policies are written like statutes or legal documents, no one will read them – and even if they did, no one would understand them.
Once the company has an easy-to-understand policy, regular online and face-to-face training is crucial. Training must be engaging, interesting and relevant – not just a chore for employees.
Next, companies must ensure that employees have ready access to information necessary to apply the policies in their daily work. This means that employees need to know where the policies are kept, how they can seek approvals, and to whom questions should be directed.
But even this is not enough. Organisations must not only educate and exhort staff; they must track employee actions as well.
However, most companies do remarkably little tracking of their compliance programmes.
Smart companies have figured out how to track every aspect of their compliance programme. Who is being trained? Who is asking questions? What questions are they asking? What is being approved? From where are the questions emanating?
By tracking all of these aspects of the programme, companies can make data-driven decisions on how best to spend the compliance budget to prevent problems from erupting into investigations, prosecutions and fines.
One approach to safeguarding compliance is to introduce software applications that help simplify the day-to-day operation and implementation of specific policies.
Such tools may be available on smartphones, tablets or laptops, and make compliance come alive by promptly providing relevant answers and interactive information.
Take, for example, a scenario where an overseas sales representative or third-party agent wants to give a gift to a business contact. Rather than consulting the company's entire global anti-corruption policy, a simple application can provide a clear answer to whether the rules allow him to give a gift to a particular person, and if so, what kind of gift may be appropriate. If the policy requires prior approval for the gift, the software application can make the process easy, efficient and trackable.
The software applications work by reducing a complex policy into a decision-tree. This approach allows the software to use the answers to a few simple questions to point the employee towards the relevant portions of the policy.
It also forces companies to rethink their compliance policies to ensure that they can be subject to decision-tree analysis. This in itself assists the compliance process by ensuring that as little as possible is left to interpretation by employees, who have neither the training nor experience to make the relevant decisions.
Simply put, unless the compliance policy can be easily applied to real-life circumstances, it is unlikely to provide a regular employee with the guidance needed to ensure compliance.
This strategy also allows for the creation of a central repository of compliance data that simplifies future analysis in the event of an investigation. It replaces the approach being used by most companies, where approvals are sought and granted by email.
Emails are a wonderful form of communication, but a disorganised way to store information. Any subsequent investigation requires extensive searches of archives to find in the mass of irrelevant emails the crucial question and answer that may constitute compliance approvals.
A greater focus on compliance requires a review of current policies and practices. New compliance programmes require technology-led innovation to underscore and embody a strong compliance culture.
Compliance programmes will increasingly rely on IT to ensure a properly functioning, data-driven compliance culture. The initial investment in IT will pay off with a cheaper, more flexible and effective compliance programme.
Seth Berman, executive MD and UK head, Stroz Friedberg