Tips for conducting compliance investigations

The task of a compliance officer is not to “set it and forget it.” Apart from planning and advising on risk management strategies, and monitoring business implementation of the attendant policies and procedures, compliance professionals must remain vigilant about the potential for violations. Internal compliance violations can run the causal gamut – they could be because of internal controls failures, unwitting omissions due to lack of awareness, or outright misconduct and malfeasance.

Compliance officers should approach an investigation into a compliance exception thoughtfully and with careful preparation. If the planning for or administration of the investigation is flawed from the beginning then the investigation results will not be reliable. In many fields, such as scientific research, planning investigation tactics and strategy is a discipline all of its own, demanding special expertise in statistical methodology standards.

For purposes of the internal investigations of compliance officers, a common-sense approach, focused on fairness and transparency, can take the place of technical expertise in conducting informal internal investigations that will still generate reliable and meaningful results. Compliance professionals should keep the following fundamental themes in mind when designing an investigation effort:

  • Reject foregone conclusions: Compliance investigation inquiries can be sensitive and intimidating. Most people do not want to do the wrong thing and will be worried or even frightened by the possibility that they have broken rules or regulations. They will fear that their jobs are at risk or worry about the reputation of the company due to the misconduct. Therefore, take the investigation seriously, even if its scope is limited or it’s routine. Don’t decide the outcome before the information is gathered. Investigations should be motivated by intellectual curiosity, in the case of annual or planned investigations, or, in the case of ad-hoc or event-driven investigations, an objective desire to protect and promote integrity, which knows no master.
  • Work carefully: Sloppiness and poor preparation will doom an investigation from the beginning. Compliance professionals should work carefully and check their work as they go along. Simple errors such as directing queries to the wrong recipients or asking for information that is out of scope of the investigation can cause a terrible impression with stakeholders and disrupt the efforts of the investigation. Communication is key, and information communicated to all parties throughout the investigation should be accurate, clear, and appropriate at all times.
  • Give support, not interference: Compliance often collaborates with other functions such as HR, Legal, and Risk; this collaboration should be encouraged, not complicated or avoided. In planning investigation strategy, work together with partners and stakeholders whenever possible (legal privilege and confidentiality, where it applies, must of course always be respected). Sharing information helps to make conclusions stronger and to avoid inefficient duplication of efforts.
  • Follow through with enforcement when misconduct is evidenced: Investigations are toothless when the results are just put on a shelf and forgotten. Enforcement action must come next, and in every outcome, there is appropriate follow-up. In instances where misconduct is discovered, whether it is from negligence or intentional wrongdoing, disciplinary action should be taken with concrete consequences. Substantive structural changes should also be made to the risk control framework to seek to prevent or identify earlier the non-compliant behaviour whenever possible. Punishing the wrongdoer is not enough; addressing the root causes of the wrong-doing has to happen too.
  • Feed-forward when no malpractice is discovered: Not every investigation will be an open and shut case where there are good people and bad people and everything wraps up neatly. It may be that the investigation yields no evidence that anything material happened. It’s also possible that the investigation would show some unrelated deficiencies, such as in communication strategies or employee awareness. Finally, the investigation could produce inadvertent lessons for the compliance officer him or herself to take back to a future risk assessment and planning session. Whatever these conclusions are, don’t discard them just because they don’t lead to a punitive action. Feed them forward into risk controls improvements and future compliance program efforts.

Compliance officers who consider the above suggestions in planning their own investigation strategy will be focused on obtaining neutral, credible information. They will communicate clearly and engage stakeholders supportively. Enforcement actions stemming from the investigation efforts will be pro-active and productive. With these approaches, compliance officers can establish credibility and effectiveness in conducting internal investigations.

The moral hazard of “future-proofing” your business

Corporate buzzwords are famously annoying. While they’re often intended to convey a positive or progressive intent, this business jargon can often become meaningless on its own, standing mostly for whatever management trend has caught senior leadership’s attention for that moment. “Outside the box”; “That’s in my wheelhouse”; “Have a dialog around”; “Agile”; “Lean and Mean”; “Operationalize”; “Gap analysis” – anyone who works in an office has heard, and probably eventually been aggravated by, these words and phrases.

From a compliance perspective, there is one corporate buzzword which is enjoying current prominence that is more harmful than others: “future-proof.” This term describes the aspiration of businesses to stay focused on improving today’s practices in order to be ready for tomorrow’s risks. It aspires toward a proactive, strategic model of compliance risk management. Thinking differently about compliance risks in trying to prevent or mitigate future problems instead of just responding to past ones is a more rigorous, assertive approach.

However, the concept of future-proofing is intrinsically flawed and worse yet, dangerous to rely upon. The idea that absolute certainty can be brought to compliance risk management is a moral hazard in the discipline. Responding to and anticipating risks can be dynamic and forward-looking. A crucial part of the practice of compliance is bridging the gap between what individuals and organizations must do or not do, and what they may, but claiming to predict future results sets an unrealistic business expectation. A robust compliance program is not an insurance policy, nor does a heightened awareness of compliance risk allow an organization to read the tea leaves and assure management and stakeholders that only calm seas lie ahead due to preparing a controls framework.

Rather than suggesting perfect immunity against changes in regulations and law and emerging risks, compliance officers should set realistic expectations with the businesses they serve. No one can tell the future, though of course for the right price any person will offer a guess. The allure of the unknown should not distract from concrete compliance demands.

The future will show what it holds in due time, and before that happens the best approach is to meet the current standards and exceed them in specific areas where the organization has shown vulnerability or seeks more risk and exposure. Complete compliance with current regulations and laws and a governance structure which supports and promotes all of an organization’s policies, procedures, and most importantly philosophies are non-negotiables. Companies cannot fail to get this part right before concerning themselves with what may be out of view over the horizon.

Let’s also not focus on the future at the expense of the past – real lessons should be learned from mistakes and experiences. Instead of just forgiving and forgetting, use what happened yesterday to derive a more informed assessment of the as-is situation and design a compliance program that capably responds to this instead of being overly formal and stale. Making a commitment to the practice of compliance as an ongoing function means that as the business evolves so does compliance, along with it instead of blindly ahead of it.

Certainty cannot be promised – indeed, this reality is one of the reasons why a responsive, strategic compliance advisory program is essential to any organization’s risk management efforts. Avoid making undeliverable assertions about future perfection and instead, focus on learning humbly from yesterday’s mistakes, out-performing the present’s expectations, and remaining open for the insights and challenges which are yet to come. Instead of future-proofing – focus on future-sustaining.