In my last column I asked the question whether Compliance Management is it really needed and referred to the Kobe Steel story as a tragic example how compliance failures risk the future of a company.
Admittedly, today’s business environment is highly regulated, fraught with risk, and operates with global scale and diversity. All those forces work against the goal of straightforward, effective policies that can apply across the corporate enterprise as needed.
So, companies have to have compliance officers and they must find a way to consult with business operating units to identify risks and objectives, and then create policies that are fit for the purpose. Compliance officers must systemize the creation and adoption of policies, even as the substance of those policies becomes ever more specific and granular. And compliance officers must directly report to the Supervisory Board to avoid ‘glitches’.
How to begin? The best approach for compliance officers is to understand the traits of an effective policy. And as new risks or regulatory requirement come along, they have to find their way in adjustments in the compliance management process, even if the substance of the policy might vary greatly from one risk to the next.
A policy is not a procedure – The compliance community uses “policies and procedures” as short-hand so often that one might assume they are one thing; they are not. A policy states an objective the company wants to achieve, whether that objective is rooted in regulatory compliance (pay no bribes) or good business practice (always give the customer the benefit of the doubt). The important point is that a policy tells the employee what the goal is—not how to achieve the goal. The latter is a procedure, and procedures do have an important place in your compliance program. But policies are even more important, because they fix the employee’s attention on the desired result.
Make it clear and simple – The wording of a policy should engage employees in ways they understand. The easy example of this point is to translate policies into local language (which is now a given for effective compliance programs), but it goes well beyond that. Good policies are clearly written and simply written. If a legal team is drafting your policy, they may appreciate the objective to be achieved, but smother it in technicality.
Specify what prompted it – One of the worst situations a compliance officer might confront are cynical employees, trudging through daily routines because “this is the way we’ve always done it. I don’t know why.” That attitude arises from policies that exist without any clear purpose. All policies should be tied to something: a regulatory requirement, a core value, a performance objective. Not all policies need to stem from regulatory requirements, although many do. But all policies must state why they exist (cite the relevant regulation, if one applies), and why the company wants employees to follow them. For example, an anti-discrimination policy might say: “The company’s policy is not to discriminate in hiring on the basis of race, ethnicity, gender, or physical disability. Discrimination is against the law, and offends our core values as an organization that wants to hire the best people we can find.”
Include examples – Thoughtful employees will always appreciate examples and context, so they can see a policy “in action.” An anti-bribery policy, for instance, should include examples of what is not allowed (making a donation to a charity run by a foreign government procurement officer) and what is allowed (paying a bribe to escape false imprisonment). The examples you include must be considered carefully. They should be practical, “real” examples of what an employee might encounter—and they also must reflect the core values or risks driving the need for the policy in the first place. With modern technology, including examples is easy to do. Online, interactive policy manuals can include short videos rather than written material. Innovative companies can even construct an app with a “choose your own adventure” approach, leading employees to the correct policy depending on their specific questions.
Include related materials – This is a corollary to our earlier point that a good policy specifies what prompted its creation. Again, thanks to modern technology, a policy can link back to underlying regulations, laws, a company’s own Code of Conduct, a risk the company has identified, or even performance goals— whatever circumstance prompted the policy to begin with.
Include even examples for exemption requests – Every policy should explain how an employee can seek an exemption to it, or why exceptions are not allowed. A policy should never ignore exception requests entirely—for fear that employees will simply decide not to ask about an exception at all, and violate the policy without telling you. A procedure to ask for exceptions (even if the answer is no) tells employees that they can play a role in policy implementation; that policies are not diktats from high command, where questions are hidden rather than raised.
Be more encouraging than discouraging – Many policies are “Thou Shall Not” in nature: compendiums of anti-discrimination, anti-bribery, anti-theft, anti-fraud, anti-collusion, anti-disparagement. To a certain extent, that is unavoidable; many laws are themselves prohibitive, so policies created to comply with those laws veer toward prohibitive language themselves. Still, a policy’s ultimate aim is to win the enthusiasm and support of employees, more than their blind obedience. So in a policy’s language, its objective, its tone, its examples—how can the policy emphasize what employees should do, rather than what they should not? It’s an important question to ask, because it forces executives drafting the policy to ask: Why are we doing this? How does the policy help us? In an ideal world, this exercise will also lead executives to ask how the policy helps the company achieve its main priorities and uphold its core values.
In conclusion, not surprisingly, some companies question whether or not they should invest in a full-fledged compliance program. However, while the return on investment is not always obvious, a strong program can help your company avoid fines and legal expenses. If you need support in creating effective compliance management tools, contact firstname.lastname@example.org – we can introduce experts, including GAN Integrity – www.ganintegrity.com
By: Henry J. Schumacher