Why Compliance needs to take a chill pill sometimes

April 23, 2017

By Scott Lane and Thomas R. Fox

»» Compliance should enable business opportunities, not the reverse.
»» The Compliance department cannot be the “Land of No.”
»» Compliance must help to assess and then manage appropriate business risks.
»» Compliance must not have a knee-jerk reaction when risks appear.
»» Compliance needs to help the business units run more efficiently and more profitably.

My work in compliance is still informed by a long-ago conversation I had with an oilfield service worker about safety. He told me that if he sat in his office onshore, doing nothing, he would be quite safe, but he would not be able to make any money for the company. However, if he went offshore to oversee drilling operations, while it may be a higher risk from a safety perspective, he could bill his time and the company could make money. The point I took away was that to make a profit, a company had to take some risks. That lesson has stayed with me up to this day and is relevant in the ongoing discussions in the compliance community about risk. It also means that compliance is not only driving the business, but it serves to make a business more efficient and, at the end of the day, more profitable.

Compliance should be recognized as a business process, which enhances the business of an organization, not the other way around. A knee-jerk response to pull out of a territory simply because it is high-risk, without further consideration, serves no rational purpose.

Likewise, a decision not to sell through distributors because of corruption risks serves no rational purpose. Sure, there is a risk of corruption when selling through distributors, but there is an even greater risk of corruption when you sell direct. Despite how important we all think we are in Compliance, we are nothing without the business, without sales, without a channel, without challenging (and likely corrupt) growth markets, and without business people driving the business forward based on solid business practices.

Compliance people need to be careful not to overstate the compliance risks and put their business leaders in an unenviable position of having to say “no” to compliance. Saying “no” to compliance is certainly not the “done thing” these days, but be careful to not overstep the mark with your requests and demands.

The minute that you do, it will become very apparent, the business will react against you personally, and the credibility of the Compliance department will be damaged. A great example of this situation is the way that companies have gotten into hot water under the Foreign Corrupt Practices Act (FCPA) for their sales goals and compensation structure. Just because your company sells through highly commissioned sales people does not mean that you should try and lobby your business leaders to somehow restrict sales people from doing what they do best. Yet, just as with Wells Fargo, the answer is not to scrap the sales model or modify it in a way that disincentivizes the sales team, but to try and tie sales and business success to your overall ethical culture and risk management process. There are many ways to incentivize a sales team, and incentives are an absolutely important part of sales. The suggestion that we need to support a removal of incentives is just plain wrong. No compliance person worth their salt should ever suggest such a course of action. There are many ways to make this less risky from a compliance perspective and to achieve the business objectives. It just requires thought and working closely with your business colleagues to get something that is a fit for your business.

There is a way forward for compliance and the business to happily work together, and it all begins with understanding your business and compliance risks. This means performing a comprehensive risk assessment and then designing your compliance program around your company’s risks. The FCPA Guidance was clear in stating “Assessment of risk is fundamental to developing a strong compliance program.” This is because there is no one-size-fits-all compliance program that will work.

Assessing your risk is only the first step. What regulators want to see in management of risk is the same thing businesses require: a well-thought-out and reasoned approach. This means managing your highest risks first, in a manner appropriate to the level of the risk, down the chain to your lowest risk. All of this is a process, and it is engaging in the process of compliance that makes a company stronger, better run, and more profitable.

Every business endeavor has its risks. In the anti-corruption world, the risks increase each time there is a government touchpoint. However, simply because these risks exist does not mean they cannot be managed. Many companies derive the majority of their revenue from government customers; this is not going to change in the near future. If anything, it will continue to increase in many sectors. The government touchpoints must remain, and Compliance just needs to make sure they have the right tools and controls in place to manage those points. Removing them is not an option. The key to finding that equilibrium between compliance and business needs is to assess those risks and then manage them going forward with a practical risk managed solution.

We have also seen risks in other areas leading to ethical and cultural failures in areas outside of anti-corruption. Wells Fargo was an example of bank staff fraudulently opening bank accounts to hit sales goals. It was largely driven by three factors, which separate and apart would not normally be associated as high-risk, yet because of the manner in which they were designed or managed, became high risk. The first was a sales goal untethered to reality. The second was that employee compensation was based on this unrealistic sales target. The third was an overall performance evaluation and continued employment based on meeting this sales target that was not tethered to an economic basis.

Many commentators and politicians called on Wells Fargo to immediately end its sales-based compensation structure. These comments are an over-reaction and are certainly not a solution from a legal or compliance perspective. If you consider each one of the prongs separately, it is clear that while there is risk involved in each prong, it can be managed. One is the sales goal, and the key inquiry is to ask if it is realistic. Are there any economic models that demonstrate why each customer should have eight separate Wells Fargo financial products? Clearly basing it on a rhyme (Eight is Great!) is not a realistic economic model.

What about sales incentives for employees? Did the employees receive the proper incentives for making sales? Here the failure was incentivizing the branch managers with bonuses outsized in comparison to their employees, so the managers were driving their employees without any consequences to their fraudulent or even illegal actions. If the company had shared the incentives more evenly or based sales incentives on something other than simply the number of accounts and financial products opened, there would have been less risk that employees would open such fraudulent accounts.

Finally, when employees are evaluated, if the only criterion is whether they have met their numbers, they will always meet their numbers, because the consequences are too severe for not meeting those metrics. Once again, it is through evaluation and management of risk that a sales system that has led to illegal activity can be led back to an efficient process which will make the company more profitable at the end of the day.

In many ways, Safety is about 20 years ahead of Compliance in terms of culture. In my example about the offshore driller, he can now sit in his office, at an onshore location, and direct drilling operations remotely through advancements in technology that allow offshore drilling. His company’s costs are dramatically reduced, because the work can now be done remotely. Was this technology driven solely by safety issues or efficiency issues? In my mind, it really does not matter, because safety innovation made the drilling company more efficient, better run, and more profitable.

Those commentators who continually try to instill that compliance should inform the business have it backwards. Compliance must innovate to make businesses more efficient and more profitable by managing risk going forward. This is even recognized by government regulators. In the public comments of Justice Department Compliance Counsel Hui Chen and in the Department’s FCPA Pilot Program, they both emphasized the operational requirement of compliance. In other words, how much is your compliance program burned into the fabric of your business?

As Compliance continues to evolve, it is becoming clearer that it is a business process designed to make businesses run better—not the other way around. Compliance might need to take a chill pill every now and again and swallow more business risks.
