“A ‘Compliance Program’ is an Organization’s Internal Systems and Procedures”
Post By: Joe Murphy, CCEP

What is a compliance program? The UK’s Serious Fraud Office says this:

“A ‘compliance program’ is an organization’s internal systems and procedures for helping to ensure that the organization – and those working there – comply with legal requirements and internal policies and procedures.”

Well, how could any reasonable person disagree with the authority of the UK’s Serious Fraud Office, or the reasonableness of such a proposition? What more could you ask for, “systems and procedures”?

Actually, one could ask for much more. One could ask for a definition that got results. If all you have is “systems and procedures,” you are not really talking about effective management. You are not talking about what actually works in organizations. You are talking about bureaucracy, which is notoriously ineffective.

I do not mean to insult my friends at the SFO or those who come up with similar definitions. They seem to make sense. But they are missing the heart of what really works. And this definition is very similar to many others issued by enforcers, regulators, and NGOs and endorsed by many serious academics describing our field.

Unlike my friends in enforcement, academia, and the NGOs, I start at a very different point. Here is my definition of an effective compliance and ethics program:

  1. A management commitment to do the right thing; and
  2. Management steps to make that commitment happen.

If you did not have the first step, you are starting on the wrong path. A compliance program is not a set of “systems, policies, procedures,” or any other bureaucratic items. It is not something you can bolt on from outside, not a siloed function that you can put on an organizational chart, not something that you can contract out. It is a full-scale commitment by the management to do the right thing. It is also all the other management steps that one would use in an organization to get results. Thus, in my work over the decades, instead of simply settling for policies, preaching and bureaucracy, I have always included key management elements like incentives as core elements of compliance programs.

If you start with my definition, it can lead you to a clear analysis of why compliance programs fail. First and foremost is the failure to see senior management as the highest-risk group. But if you recognize that management commitment is the first element of a compliance program, then you will always start by looking where the greatest risk is – the C-suite.

If you start with management commitment, and then look at core management steps, you are immediately looking to see who is leading the compliance and ethics program, and what power this person has. This will lead you to discussions about the Chief Ethics and Compliance Officer (CECO). Again, “procedures, practices, management systems,” and similar terms do not get you there. Instead, you have to look at power dynamics. All the procedures, policies, and systems in the world will not work if the CECO is underpowered and compromised, and senior management is free to do whatever it wants and lacks the commitment to compliance.

And what about incentives? How can you have a program worth the name if you do not address incentives? Here is my challenge. Let’s suppose we have a contest. You control all the “systems, procedures and policies” that you would like to have. Just let me control all the incentives, compensation, rewards, and promotions, and let’s see at the end of one year who is more successful in driving conduct and influencing the culture. (For more on how the absence of these key elements weakens compliance programs, see Joseph E. Murphy, Policies in Conflict: Undermining Corporate Self-Policing, 69 Rutgers U.L. Rev. 421, 468-76 (2017).)

Definitions based on “policies, procedures, systems” etc. are one of the reasons that people will sometimes very mistakenly suggest that an organization could outsource all of its compliance functions. Of course, if you see a compliance program as just a bunch of bureaucratic steps, it could all be outsourced. (And it can just as easily be ignored by employees, managers and executives.) But the whole idea of outsourcing management commitment is patently absurd. Similarly, the idea that you could outsource core management steps, like the incentive system, is equally misplaced.

What is a compliance program? The answer depends on whether you actually want it to work. If you want it to work, then it needs to encompass what actually drives organizational behavior. Anything less will continue to lead us to heartbreak.