Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

The moral hazard of “future-proofing” your business

Corporate buzzwords are famously annoying. While they’re often intended to convey a positive or progressive intent, this business jargon can often becoming meaningless on its own, standing mostly for whatever management trend has caught senior leadership’s attention for that moment. “Outside the box”; “That’s in my wheelhouse”; “Have a dialog around”; “Agile”; “Lean and Mean”; “Operationalize”; “Gap analysis” – anyone who works in an office has heard and, probably eventually been aggravated by, these words and phrases.

From a compliance perspective, there is one corporate buzzword which is enjoying current prominence that is more harmful than others: “future-proof.” This term describes the aspiration of businesses to stay focused on improving today’s practices in order to be ready for tomorrow’s risks. It aspires toward a proactive, strategic model of compliance risk management. Thinking differently about compliance risks in trying to prevent or mitigate future problems instead of just responding to past ones is a more rigorous, assertive approach.

However, the concept of future-proofing is intrinsically flawed and worse yet, dangerous to rely upon. The idea that absolute certainty can be brought to compliance risk management is a moral hazard in the discipline. Responding to and anticipating risks can be dynamic and forward-looking. A crucial part of the practice of compliance is bridging the gap between what individuals and organizations must do or not do, and what they may, but claiming to predict future results sets an unrealistic business expectation. A robust compliance program is not an insurance policy, nor does a heightened awareness of compliance risk allow an organization to read the tea leaves and assure management and stakeholders that only calm seas lay ahead due to preparing a controls framework.

Rather than suggesting perfect immunity against changes in regulations and law and emerging risks, compliance officers should set realistic expectations with the businesses they serve. No one can tell the future, though of course for the right price any person will offer a guess. The allure of the unknown should not distract from concrete compliance demands.

The future will show what it holds in due time, and before that happens the best approach is to meet the current standards and exceed them in specific areas where the organization has shown vulnerability or seeks more risk and exposure. Complete compliance with current regulations and laws and a governance structure which supports and promotes all of an organization’s policies, procedures, and most importantly philosophies are non-negotiables. Companies cannot fail to get this part right before concerning themselves with what may be out of view over the horizon.

Let’s also not focus on the future at the expense of the past – real lessons should be learned from mistakes and experiences. Instead of just forgiving and forgetting, use what happened yesterday to derive a more informed assessment of the as-is situation and design a compliance program that capably responds to this instead of being overly formal and stale. Making a commitment to the practice of compliance as an ongoing function means that as the business evolves so does compliance, along with it instead of blindly ahead of it.

Certainty cannot be promised – indeed, this reality is one of the reasons why a responsive, strategic compliance advisory program is essential to any organization’s risk management efforts. Avoid making undeliverable assertions about future perfection and instead, focus on learning humbly from yesterday’s mistakes, out-performing the present’s expectations, and remaining open for the insights and challenges which are yet to come. Instead of future-proofing – focus on future-sustaining.


Compliance challenges for start-ups in disruptive industries

In today’s fast-paced business world of innovation and advanced technologies, every company seems to offer the next in-demand disruption. Ever since the days of the dot-com boom and bust in the late 1990s and early 2000s, in the infancy of e-commerce and internet-based or networked products and services, companies have been striving to identify revolutionary items and ideas to market to consumers eagerly awaiting the next life-changing thing to buy. Start-ups in Silicon Valley and entrepreneurial communities all over the world want to develop the next iPhone that will transform every aspect of modern human life. Companies that provide services instead of making products all want to be the next Airbnb, the Uber of their industries, and so on.

But are those companies, and those goals of disruption for the sake of itself, anything to which companies should aspire? Companies in all business sectors are trying to emulate technology companies, and they may not be the best role models in terms of regulatory compliance, risk control frameworks, and business integrity fundamentals. Disruption and sustainability aren’t necessarily mutually exclusive, but many of the companies that were visible pioneers in the current wave of technological innovation and development cut ethical or foundational corners to focus on growth, sales, and branding. Companies in the new generation which seek to copy their success and single-minded commercial focus will run into legal and supervisory obstacles sooner rather than later, now that their predecessors have overstayed the honeymoon period of lax regulatory attention and are running afoul of legal, tax, and compliance concerns all over the world.

The start-up community’s response to public exposure of fraudulent or insufficient business practices – such as companies buying their own products to falsify sales success for partners and investors, or violating straightforward business operations rules like participating in mandatory state insurance programs to maintain company licensure – is to go on the defensive and blame the media. Worse yet, they want to claim stand-out corporate misconduct from their start-up peers are the exception, not the rule, and distance themselves from it, without doing any self-examination or risk assessment to feed-forward into their own continuous improvement.

However, the venture capital firms that are keeping these start-up companies striving toward their disruptive ambitions have a fiduciary duty to their funders to contain reputational risk that could stem from these companies’ public relations and legal problems. The “bad apples” theory cannot win the day in identifying why so much goes so wrong at so many start-ups that were once ambitious and backed by prestigious funders and now have failed, and are being sued by fraud, investigated for investor abuse, accused of forgery or inappropriate accounting practices, and have otherwise missed out on reaching disruption and instead fallen into disrepute.

In any business dominated by private companies getting rich quick, delving into areas which are within loopholes or blind-spots to current legal and regulatory enforcement agendas, transparency is the victim to innovation and doing things the right way, with respect to ethical concerns or compliance requirements that could pop up further down the road from the beginning, is subverted in favor of making money, attracting more investors, and bringing a product or service to market first and with the most attention. “Fake it till you make it” is a toxic approach to management and is no kind of leadership whatsoever. Ignoring legal and regulatory requirements cannot go on forever, as the many bans and service stoppages Uber has experienced in the last year well show. Companies may be able to grow quickly this way, but they cannot keep their business running or have much hope of holding onto their ill-gotten gains unless they tread carefully with regulators and supervisors from the start.

The cultural forces at work here are strong, and disconcerting. Founders with no experience as CEOs and even less experience as functional managers or ethical leaders are given millions of dollars by investors and pressured to be geniuses, redefine business and whatever it is they have to offer to the market in everything they ever do, and succeed at all costs. Liberties are taken, misrepresentations are made, and not every brilliant troublemaker with a crazy idea and a team of engineers turns out to be any good at actually running a legal, functioning, mature business.

The hope, supposedly, is that people will merely bend or flaunt the rules, and not break them, but who’s making the distinction? The moral hazard is great of creating an incentive for behavior that would even lead incrementally to a company that is not in simple compliance with the legal requirements for operating a business in the city, state, or country where it is located. Cautious onlookers assume that maybe if a few corners are cut at the beginning when things are small, it will all work out okay because by the time the company gets big, someone who likes paperwork or understands laws will stumble along and lend a hand. This is immature and short-sighted thinking.

Even if some philanthropic compliance officer did intervene, it would be too late to fix the cultural decay that grows at companies that do not have adequate business values and controls from the beginning. When people ask how it’s possible that business fraud and misconduct went on for years at some companies, or permeated every level of the organization seemingly without detection or interruption – this values void is the answer. To avoid a culture where cheating, misrepresenting, and making unethical decisions are all common, the foundations of the company must include cultural values where that conduct is expressly defined as unacceptable, and business governance structures to prevent, identify, and punish it when it happens.

For more on the challenges to ethical decision-making, and pitfalls for fraud and non-compliance, faced by start-ups, especially in the highly competitive advanced technology world of Silicon Valley, check out this article in Fortune from December 2016:  The Ugly Unethical Underside of Silicon Valley.

For further thoughts on the challenges that start-ups and emerging enterprises face with prioritizing compliance risk management, see this post on Tinder’s corporate culture and the role compliance can play in fostering professionalism in start-ups.  For practical tips, check out this post on compliance foundation must-haves for small businesses. And, check back next Wednesday, January 3, for a post on inexperienced (even if visionary) CEOs and the immature compliance cultures they cultivate by omission.


Tips for conducting compliance investigations

The task of a compliance officer is not to “set it and forget it.” Apart from planning and advising on risk management strategies, and monitoring business implementation of the attendant policies and procedures, compliance professionals must remain vigilant about the potential for violations. Internal compliance violations can run the causal gamut – they could be because of internal controls failures, unwitting omissions due to lack of awareness, or outright misconduct and malfeasance.

Compliance officers should approach an investigation into a compliance exception thoughtfully and with careful preparation. If the planning for or administration of the investigation is flawed from the beginning then the investigation results will not be reliable. In many fields, such as scientific research, planning investigation tactics and strategy is a discipline all of its own, demanding special expertise in statistical methodology standards.

For purposes of the internal investigations of compliance officers, a common-sense approach, focused on fairness and transparency, can take the place of technical expertise in conducting informal internal investigations that will still generate reliable and meaningful results. Compliance professionals should keep the following fundamental themes in mind when designing an investigation effort:

  • Reject foregone conclusions: Compliance investigation inquiries can be sensitive and intimidating. Most people do not want to do the wrong thing and will be worried or even frightened by the possibility that they have broken rules or regulations. They will fear that their jobs are at risk or worry about the reputation of the company due to the misconduct. Therefore, take the investigation seriously, even if its scope is limited or it’s routine. Don’t decide the outcome before the information is gathered. Investigations should be motivated by intellectual curiosity, in the case of annual or planned investigations, or, in the case of ad-hoc or event-driven investigations, an objective desire to protect and promote integrity, which knows no master.
  • Work carefully: Sloppiness and poor preparation will doom an investigation from the beginning. Compliance professionals should work carefully and check their work as they go along. Simple errors such as directing queries to the wrong recipients or asking for information that is out of scope of the investigation can cause a terrible impression with stakeholders and disrupt the efforts of the investigation.   Communication is key, and information communicated to all parties throughout the investigation should be accurate, clear, and appropriate at all times.
  • Give support, not interference: Compliance often collaborates with other functions such as HR, Legal, and Risk; this collaboration should be encouraged, not complicated or avoided. In planning investigation strategy, work together with partners and stakeholders whenever possible (legal privilege and confidentiality, where it applies, must of course always be respected). Sharing information helps to make conclusions stronger and to avoid inefficient duplication of efforts.
  • Follow through with enforcement when misconduct is evidenced: Investigations are toothless when the results are just put on a shelf and forgotten. Enforcement action must come next, and in every outcome, there is appropriate follow-up. In instances where misconduct is discovered, whether it is from negligence or intentional wrongdoing, disciplinary action should be taken with concrete consequences. Substantive structural changes should be made also the risk control framework to seek to prevent or identify earlier the non-compliant behaviour whenever possible. Punishing the wrongdoer is not enough; addressing the root causes of the wrong-doing has to happen too.
  • Feed-forward when no malpractice is discovered: Not every investigation will be an open and shut case where there are good people and bad people and everything wraps up neatly. It may be that the investigation yields no evidence that anything material happened. It’s also possible that the investigation would show some unrelated deficiencies, such as in communication strategies or employee awareness. Finally, the investigation could produce inadvertent lessons for the compliance officer him or herself to take back to a future risk assessment and planning session. Whatever these conclusions are, don’t discard them just because they don’t lead to a punitive action. Feed them forward into risk controls improvements and future compliance program efforts.

Compliance officers who consider the above suggestions in planning their own investigation strategy will be focused on obtaining neutral, credible information. They will communicate clearly and engage stakeholders supportively. Enforcement actions stemming from the investigation efforts will be pro-active and productive. With these approaches, compliance officers can establish credibility and effectiveness in conducting internal investigations.