The Critical Path to Make Your Case for Compliance Resources
To reduce expenses, organizations may limit compliance resources or delegate compliance duties to another role or function, particularly if there have been no recent serious incidents and other control functions are in place (e.g., internal audit, human resources and legal services). This approach fails to recognize the positive influence of an independent compliance program on the organization’s performance. Without a compliance program focused on building an ethical culture and avoiding risk, the organization can drift down a slippery slope to significantly greater compliance risk. Enron provides an enduring lesson of this principle. Once a recognized example of a mission-driven, prosperous, and innovative company, Enron fell into ruin in just days when its unethical accounting practices defrauded investors and employees alike. Other examples include Arthur Andersen, Uber, Livestrong Foundation, HealthSouth, Wal-Mart, Wells Fargo Bank, Volkswagen, General Motors, Deutsche Bank, and Facebook, to name just a few. To protect the organization and reduce risks of non-compliance, the compliance program must be supported from the top with adequate resources and integrated into the organization as an independent function.
NOW: Perform a thorough assessment of compliance effectiveness, including necessary resources (budget, technology, and staffing) for the size and complexity of the organization, focusing on government expectations that would be applied in the event of a compliance investigation. For example, the US Department of Justice (DOJ) 2019 Compliance Guidance expects commitment by the board, senior, and middle management to effective compliance, shown in part by adequate staffing and resources and timely investments in – and improvements to – the compliance program. The Office of the Inspector General of Health and Human Services (OIG) expects compliance programs to have adequate resources and to measure and monitor effectiveness. Both DOJ and OIG expect good faith reporting without fear of retaliation, prompt investigation and correction of reported issues, and responsive interaction with government stakeholders.
NEXT WEEK: Develop a plan to maintain effectiveness and independence of the compliance function, with measurable goals, objectives, costs and benefits for the compliance program. Submit the plan to the organization’s Compliance Committee for review, recommendations, and approval at least every two years or more frequently, as appropriate. The plan should also receive approval from the Audit (or Audit and Compliance) Committee of the Board. Committees at the top can recognize the need for independence, endorse additional resources – personnel, tech, or budget – and validate the benefit of these to the organization.
NEXT: Be accountable. Document and report about when and how promised benefits are achieved, and if possible, quantify them. Benefits can include increased efficiency; more proactivity; privacy and security of data; a risk-based audit plan; more – and more effective – outreach; decision making with data (through tech); staffing bench strength and increased expertise in the team; ability to meet operational needs; ability to collaborate with other control functions; and faster and more targeted response to hotline reports, for just some examples. Quantification of compliance activities will demonstrate the benefits of an effective compliance program exceed its cost.