Joe Murphy – Compliance & Ethics Professional – October 2018
Do you know what “industry practice” is? Does it matter in your compliance program? We know that the Sentencing Guidelines set a baseline for compliance programs, and people assume they know what this standard requires. Yet often people do not fully apply the guidance it provides. One of the most commonly ignored provisions is the “industry practice” one from the Commentary:
Applicable Governmental Regulation and Industry Practice. — An organization’s failure to incorporate and follow applicable industry practice…weighs against a finding of an effective compliance and ethics program.
If your program is not as good as others in your field, this weighs against it being found to be effective. (It should be noted that “follow” really means to do no less than industry practice.) The message is that you cannot be diligent in your compliance work without constantly looking outside to be sure your work is up to date. This is an essential provision that prevents the field from stagnating or becoming complacent.
This underscores an error in the approach of some in government who mandate the details of compliance programs. Thus, while California tried to push harassment prevention by specifying that training had to be two hours every two years, the message may also be that training need be no more than two hours every two years. Government mandates ignore this ratcheting-up effect. There is also a great risk in attempting to certify compliance programs in a pass/fail approach. What is good today may no longer be good as practices evolve. Mandates and pass/fail approaches can tend to freeze development. This is especially so, given the innovative uses of technology for compliance purposes.
The industry practice element only ratchets up, not down. For example, if no one has a helpline or speak-up system in a particular industry, then none of the programs in that industry would meet the minimum standards. Industry practice is not a cover for weakness. But if everyone else has a helpline that accepts text messages, then a company without one had better have a very good reason why it does not.
As compliance professionals, we need to know our own clients. But we also need to keep up with the field. No one should develop or evaluate any compliance program without a feel for what the industry practices are in that field and for the need to improve our own efforts.