By Roy Snell
Let me tell you a completely fabricated compliance story.
A company of 250 employees had a compliance and ethics program. They had brought in independent experts and anonymously surveyed all the employees. The survey revealed that every employee felt free to share issues with their supervisor, HR, compliance officer and CEO. Anything any employee felt they needed to report was reported without any concern. They felt good about the follow-up. The culture was one of the finest in the world. But there was a problem. They did a little work internationally and hired a subcontractor to do $15,000 of work for them. Despite being a conscientious subcontractor he unfortunately broke a law he didn’t know existed. He was investigated which led to an investigation of the firm that hired him, our culturally idealistic company. It was deemed that the subcontractor was indeed wrong and that the firm that hired him was also to be held responsible.
The enforcement community used a compliance program standard to determine if the little company’s compliance efforts warranted a large or small penalty. The standard said you are responsible for your subcontractors. The standard went one step further though, and also said that if you did not have a hotline phone number you could not pass the compliance program standard no matter what else you had done. Our little company had an anonymous drop box but not a hotline number. Actually they had something better than a hotline; they had an ethical, transparent and open culture. They worked hard at education, conducting audits, investigating issues, performing risk assessments and implemented all the other elements of a compliance program to the best of their ability. Even the investigators said they had never seen anything like it. But unfortunately the compliance program standard said that a hotline phone number was mandatory. A one size fits all kind of thing.
Note: The standards body did not have a requirement for a hotline number in the original standard. The first version of the standard stated, “All compliance programs must have an anonymous reporting mechanism, such as a phone number or drop box.” However, a company that was deemed to have met the standard got caught in a 25 million dollar bribery scheme. They had several methods for reporting issues but not a hotline number. The response was immediate and extremely negative. “How could you have a standard that didn’t mandate a hotline regardless of how they scored?” There was huge pressure to make several components of the standard mandatory regardless of how you scored.
To continue with our completely fabricated story…. While all this was going on there were several big settlements. The press, public and politicians were very upset. The fact that this other company had passed the standard and was later found guilty of committing 25 million dollars in bribes… made matters worse. Because the little company with a remarkable culture didn’t “check the box” of having a hotline, they failed the standard. The company was forced to pay treble damages. The enforcement community was under a great deal of pressure. They were getting hammered in the press for not being tough enough. They were forced into a position of including a Corporate Integrity Agreement as a part of the settlement with our little company. The CIA included 5 years of oversight by a Federal Monitor. The Federal Monitor was required to use the standard to help the company improve and maintain their compliance program over the 5 year period of the agreement.
Because the standard was by definition, “A one size fits all approach,” the standard was built to cover every conceivable company. It was built to include 100,000 employee multinational companies. Our little company was forced to spend millions of dollars to improve their compliance program over the course of the CIA. Even the Federal Monitor felt it was excessive but his hands were tied. The enforcement community felt their hands were tied because of the pressure they were under from the press, politicians and the public. The standard was also under a great deal of pressure.
Unfortunately for the standard, the risk, ethics, audit, and legal professionals were also making demands that their section of the compliance program should be more comprehensive. And the people representing each profession seemed to be particularly animated supporters of their profession’s role in compliance. They were neither patient nor understanding. I do believe the hair of a couple people making demands burst into flames when there was a little pushback about how big the standard was getting. If they got their way the standard could be hundreds of pages long. Those that created the standard wanted to make it reasonable for everyone but some groups got upset and said, “This is what we want added or we will not support your standard.” It was a tough position to be in. The standard grew and grew.
The story about our little ethical company hit the press. The standard was hammered. The Wall Street Gazette, Washington Pillar and the New London Times all did stories about what happened to the little company. Their report included a list of the increased costs, the reason the costs were incurred and the fact that the little company with the idealistic culture had gone out of business. There was a complete frenzy on social media. Feeling the pressure, the people maintaining the standard went back to work.
The standards body said they would make three versions of the standard; one for small, medium and large size companies. But people were still upset because nonprofits were different than privately held and publicly traded companies. So the standards body said they would set up three more standards. Actually it turned out to be 9 standards so they could cover small publically traded, privately held and nonprofits, medium sized publically traded companies…..and so on, and so forth. All was well for a while until….
Companies that were not multinationals said it was an unfair burden to them. They pointed out that multinational company’s compliance programs had to deal with dozens of different sets of laws, cultures, geographic locations and many more languages. “Our compliance program requirements were far less complicated than some of those covered in the standard.” So the standards body said they would create just one more version for single-nation companies. Well, it wasn’t exactly one more version because they had to create a standard for single-nation companies that were small/medium/large, for-profit/nonprofit/publically traded, etc. There were now well over a dozen standards and they were getting worried about the cost of effectively maintaining so many versions of the standard. They wondered how many standards you could have before a standard really wasn’t a standard. Before they could sort it all out they got a panicked call from healthcare.
Healthcare said that they believed they have more invested in compliance than all other industries combined. They provided a great deal of credible data to support their claim. They pointed out that there were hundreds of laws specific only to healthcare. And they believed that it was not possible to measure effectiveness of education and audit if the standard wasn’t specific to the laws in their industry. “How can you say education was effective if you don’t check to see if the most relevant laws were being taught? How can you verify healthcare audits if you don’t check to see if we are auditing laws specific to our industry?” The standards body could not have the largest industry in the country unsupportive of the standard so they developed yet another version. Shortly thereafter, transportation, defense, financial services, utilities and other industries were at their doorstep saying the standard was not specific enough for them. “How can you develop a standard specifically for healthcare and not develop one for our industries?”
The standards body decided that things had gone too far. They were concerned about keeping up with so many standards. They began to realize that even keeping one standard up to date was going to be a challenge. They realized that the standard had to be changed as best practices changed. Compliance programs were relatively new. Best practices in audit, risk, education, etc. were being discovered on a regular basis. Laws were changing on a weekly basis. If they didn’t update the standard regularly it would surely fall behind best practices. If the standard fell behind best practices, then companies might be tempted to just meet the now outdated standard. They did not want the standard to retard growth; they wanted it to improve compliance programs. They were worried that the standard could actually discourage companies from doing more than just meet the minimum standard.
The standards body met. They recapped all the problems they had encountered. Someone said, “Despite the fact that the legal, audit, risk, HR and many other departments have been around as long as 100 years, none of them have a detailed standard like ours. Surely they must have tried. A standard is such a logical idea. Maybe they ran into the same problems we have run into.” They concluded there were so many differences between organizations that a single standard with this much detail was not practical. So they decided to go the other way.
They changed the standard to a simple seven elements. And they created a short description that would apply to everyone. It was not too specific and yet it was very meaningful. It was excellent guidance and it provided a framework that everyone would benefit from. It fit every size and type of organization. They were thrilled that they had found a solid solution to everyone’s problem.
Because of the vast improvements they decided they needed to change the name of the standard. They thought and they thought. They consulted the best and the brightest in the industry. Then one day someone said, “Let’s call it Chapter 8 of the United States Federal Sentencing Guidelines.” The group cheered the decision and then released their new standard. And all was right with the compliance world again.
Despite the fact this was a completely fabricated story… everyone lived happily ever after.
[bctt tweet=”#Compliance Fiction @RoySnellSCCE” via=”no”]
Roy…you probably didn’t have to emphasize the fabrication aspects of your story nearly as much as you did. I think when you wrote in your opening:
“The survey revealed that every employee felt free to share issues with their supervisor, HR, compliance officer and CEO. Anything any employee felt they needed to report was reported without any concern”
That was enough to put most if not everyone on alert that this MUST be a fabricated story.
Many thanks for sharing!
It could happen. The rest of the story is a little more terrifying.
Sure…and it could happen that I win the Lottery….TWICE!
Well…if we are going to take a holiday and go down the path of Fictitious Lane…I found that the story also highlights (and actually I think unintentionally) something that is very subtle and so often overlooked frame of reference that is used by many compliance professionals, particularly when trying to justify their existence. And to your point, even more “terrifying” than the story with all of its twists and turns, in my view. However, I am going to hold this observation a bit close to the vest until I see what others have to share about the initial posting.
I mean if we are going to accept such a premise which if it does exists is such an exceptional state of affairs than what many if not all of us who actually deal day in day out with the staff that would actually do any reporting or would be those who shared their concerns with management…then why would any subsequent conclusions or points of consideration have any validity given the context from which they are based.
Again…it is not my intent to change anyone one’s mind or to try to say why one person may be right and another wrong…but rather as is my operating philosophy…just sharing my opinions and comments to “compare and contrast” with others that may wish to contribute.
Nothing more…nothing less.
Roy’s story raises the issue of the difference between a rule (e.g., stop at all intersections) and a standard or principle (e.g., intersections should be negotiated with caution). The former is largely inflexible and requires no judgment; the latter is designed to apply to different circumstances differently and requires people to exercise judgment.
It appears that the compliance community in this story relied on rule-based governance and did not understand the importance of articulating true standards (such as those set forth in the FSGO).
I take this opportunity to remind everyone that setting up an organizational ombuds office helps companies deal with many issues, including the needs of whistleblowers, better than a hotline. The two can, of course, complement each other. For details, see Charles L. Howard, The Organizational Ombusman.
Have a great 2016, everyone.
Easy read but harsh reality!
Comments are closed.