It has been eight years since I started to truly be in the ethics and compliance business. Before that I was an in-house counsel, and before that an external counsel. The last eight years have surely been a blast; a great time for an industry that has truly shaped itself and grown to what it is today. However, I feel that the industry needs to think differently. In fact, I wish the industry changed altogether. The very word ‘compliance’ annoys me. It is not what our industry should be about. It certainly shouldn’t be about GRC.
Eight years ago, it was all about tone at the top, and how critical that was for success. We heard this time and time again from every pulpit and every regulator at yet another conference.
Like everybody else, over time, practitioners started to push back and suggest it was all about tone at the middle. Better … much better. That was three or four years ago. Where is it at now?
Well, tone at the top is key, but what CEO wouldn’t give some kind of tone? Tone at the middle is okay, but again, that’s pretty clear in most companies, particularly if you have a line to the top. Anyone can give a tone – even a condescending ‘I wake up every morning and think about how to be compliant’ attitude is a ‘tone’.
At the risk of creating another conference buzzword, it is not really tone that matters. It is all about the confines of business. Businesses need to operate within a set of confines: rules, regulations, standards, ethics and best practices. Every business has some form of ‘confines’. What they are just depends on how complex the business is and how many countries it operates in.
Working within the confines of business is about making that business work better in the confines of what you have been dealt with by the government, the community and your standard of values. In some markets your confines of business might be different; in some they may be more restrictive and in others very open. The confines of business are constantly changing.
Too many people focus on the word ‘compliance’. This tends to bring negativity to what we are all trying to achieve. Its very definition seems to place restrictions on people and businesses to ‘comply’. It is also seen as a group of people trying to restrict the movements of the company to make it harder to operate by checking and auditing every transaction to make sure that they all ‘comply’.
Working within the confines of business isn’t about compliance per se; it is more about helping the business navigate the edges of how it operates. It is more consultative than restrictive. More importantly, when explaining to someone what ‘compliance’ means, it would be much easier to gain their input and buy in if we talked about helping them work within the confines of business – first, defining them, and second, managing within them.
To really advise someone about how to operate within the confines of business you would need to look at every aspect of running a business, including some or all of the following, to define the actual confines.
It is important to understand which confines the government has placed you in. This would include the applicable laws and regulations, and which reporting obligations you have to the regulators. It may also include other industry benchmarks and codes of conduct that are imposed based on membership to a particular organisation. Knowing all these and knowing which ones are applicable will be essential for working out the confines of business. Too many times this is described in compliance books or standards as making an ‘obligations register’. However, to the layperson it is just about finding out the landscape that the law and industry have set for them so they know where to work within. It is the map of the lakes and rivers that make up our environment. Listing them all on one page (such as an obligations register does) isn’t much use; however, creating a legislative map on what we need to manage against and how we do it is far more interesting.
In a similar concept to ethics, understanding the confines of your community is equally important. The confines imposed by the government might suggest it is entirely acceptable to discriminate across job candidates; however, when it comes to social acceptance, the confines of business say ‘We just won’t do it’. These social confines are significant in many non-Western jurisdictions and are often at odds with each other. To manage a global company and define the confines of business, it is frequently necessary to have a global standard. It is in these situations where you need to work locally with the local employees and management to explain that you have defined their local confines of business differently to what they may have expected from social norms.
Your competitors also define the confines of business. They set out the way in which you might sell your products to be competitive, your pricing strategy, your go-to market strategy, and the way you use channels or other ways to reach customers. Understanding the competitive environment and defining the confines that your customers have placed on you is vital. An example of where this might happen is that every other competitor is offering a refund or an exchange policy, or providing warranties and guarantees for products, even though the legal system may not require such a policy.
Internal capital risks
One of the confines of business is your capital structure and the way that you operate from a cash perspective. It might be fantastic for a very large company to build programmes and understand how to manage compliance, but for many other companies that is just not realistic. We constantly hear companies saying that they want a ‘Ford’ compliance programme instead of a ‘Rolls-Royce’ compliance programme. That is simply a line being drawn by the company to mark a confine to which they have to work within. The compliance officer needs to understand that confine and then draw up the mechanism to allow the company to work within it. This sort of situation is sometimes called a ‘tolerance for risk’, however it is generally just as simple as whatever you can afford to do.
Your employees also set the confines of business. They are the ones that work every day in the confines. They are the ones that need support to understand the boundaries of the confines of business, but also need to understand the value of working within the confines. They need to be educated about why the confines are in place and how they were created. They need to have the confines explained to them in a way that makes sense. Typically we list the confines in a compliance programme by listing a bunch of do’s and don’ts. Or, even worse, we start to explain the confines to people by teaching them the laws and regulations – a totally irrelevant concept. The employees need to buy into the idea that the confines of business are the universe in which we operate. They are engaged to understand the confines and to work within them.
Standards and ethics
From time to time there will be confines that are adopted by the business that are not directly attributable to a law or a regulation, but just ‘the way we do things’. Often this is a preference of the CEO or the leadership team or is based on some view of ‘what is right’. In current-day ethics programmes, these are really the value system or the code of conduct. However, like all of the above, they are just some more confines of business that have been drawn by the CEO or the leadership team.
Working within the confines of business is what compliance is about. Knowing what these confines are is simple for any senior person in business. You can argue about the subjective ones, like standards and ethics, however, they are normally set by the CEO or the leader that we are all supposed to follow. The leaders and managers of the business define the confines and then help the business and its employees work within those confines.
The trick in managing the confines of business is actually defining the confines that are relevant to you, working out what the business does that is outside those confines, and knowing how to handle those situations.
Determining the edges of the confines of business is all about values and risk. The confines of business, if defined well, articulated clearly and communicated effectively, will go a long way to making sure that ‘compliance’ as we now know it will be more effective.