Donna Boehme – The Compliance & Ethics Blog – February 1, 2019
Sometimes you just have to state the Blindingly Obvious. We’ve been spending the last decade defining Compliance as a separate profession and subject matter expertise (SME) that needs independence, empowerment, line of sight, seat at the table and adequate resources to do its job well. We have tracked the momentum away from the failed legacy model of Compliance 1.0 (Compliance as a captive arm of Legal) and towards better Compliance 2.0 outcomes. As the rapidly evolving compliance profession increasingly takes its rightful place in the corporate CSuite, compliance professionals must continue to seek independent and empowered positions to build strong programs that are structured for success, and to successfully achieve their important mandates. Now is the building stage when the compliance profession is finally being understood and acknowledged by Boards, regulators, prosecutors and other key gatekeepers as the new and independent SME needed at the management table to lead organizations’ approaches to their legal compliance, ethical, cultural and reputational risks. Thus we are at the tipping point when the compliance profession needs to continuously demonstrate its unique and independent SME by building and managing strong and successful programs that achieve their unique mandates. The indicia of this tipping point can be seen in the innumerable Compliance 1.0 scandal headlines, recent survey results reflecting the momentum for independent and empowered CCO roles (DLA Piper and Deloitte), independent research about the compliance field, noteworthy settlement agreements over the past decade, and increasing recognition by regulators and policymakers in the U.S. and around the world.
The auto industry, in particular, has some vivid lessons for any Board Chair or Audit Chair paying attention over the last few years. That’s because a number of the big auto companies with their problems in the scandal headlines have struggled with their Compliance 1.0 models. And the common failing of so many of these Compliance 1.0 failures is the absence of true Compliance SME, the foundational element of any Compliance 2.0 program. That’s what happens when managers without true Compliance SME earned in the trenches or with the profession in the field attempt to design and manage compliance. And if GM’s “69 Naughty Words” debacle was not enough of a cautionary tale, we also have the long, messy saga of Wells Fargo and its fake accounts fraud and consumer abuse as a very recent Compliance 1.0 trainwreck. Insertion of some true Compliance SME into each of these companies could have enabled each of them to build and operationalize the right kind of reporting mechanisms, investigation support, and ethical leadership culture that was needed to detect and remediate their widespread problems before they each exploded into the crisis zone. It’s even more regrettable that in each case, employees and others had tried to raise concerns to management, but the companies’ respective programs failed to give their companies the opportunity to detect and remediate their problems- the primary goal of self-governance envisaged by Chapter 8 of the Federal Sentencing Guidelines! Even media giant CBS could have benefitted from a Compliance 2.0 program with true compliance SME sufficient to detect and remediate its culture of sexual harassment and better manage the resolution of its existential #MeToo problems and the ultimate separation from its Chairman/CEO in a manner that could have demonstrated some defining ethical leadership to the world. And the CSuite is not the only company level in dire need of Compliance SME- as recently recognized by the Department of Justice in its latest guidance “Evaluation of Corporate Compliance Programs” has not only acknowledged the significance of Compliance SME in the compliance personnel, but also at the Board level, asking:
“What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?”
Meanwhile, it’s becoming clear to Boards, regulators, prosecutors and other gatekeepers that Compliance 2.0 is the new profession and independent SME needed by senior management to address the increasingly complex legal, regulatory, cultural and reputational risks of the modern corporate landscape. Two case studies and three sets of guidelines from U.S. government gatekeepers demonstrate the unstoppable momentum to this tipping point:
Pharmaceutical giant Novartis has elevated its approach to compliance, culture and trust to rock star status since 2014! First, by elevating its chief compliance officer to a CEO direct report, and giving the role a seat on the Executive Committee, the company made a clear statement of serious management support to an independent, empowered compliance program that meets the highest standards in the modern field. Similarly, tying bonus compensation to an ethics metric is a world class step that deserves applause from the governance profession. The compliance profession has long championed this type of incentive link as the ultimate step that most encourages and drives role-modelling by management of ethical leadership, trust, and a culture of ethical leadership, trust and accountability.
Similarly, it is notable that CitiGroup responded to a 2012 Consent Order from one of its regulators by appointing an independent and empowered chief compliance officer, reporting to its CEO, to oversee enhancements to its anti-moneylaundering program. This continues the momentum for Compliance 2.0 and the independent Compliance SME that is needed to drive this culture.
It is also encouraging and exciting to see government gatekeepers now incorporating an understanding of compliance as an independent profession into their thinking. Two examples of this in the U.S. are indicative of a progressive policymaking approach now being seen on a worldwide basis:
The 2017 DOJ Guidance on Corporate Compliance Programs
Recent DOJ Guidance on corporate compliance programs reflects the steady hand of the DOJ’s compliance expert with true Compliance SME earned in the field and in the trenches. Many thoughtleaders in the field took notice of this as a positive sign that government gatekeepers were beginning to comprehend the value of true Compliance SME in compliance policymaking and decisonmaking. The unmistakeable references in that guidance to the CCO’s independence, empowerment, seat at the table, line of sight and resources are further indicia of the clear momentum to the modern Compliance 2.0 model.
HHS OIG and Industry Leaders Release Joint Guidance for Health Care Boards.
Meanwhile, the 2015 Joint Guidance for Health Care Boards by the Inspector General of the Department of Health and Human Services (HHS OIG) and industry leaders, makes it clear that an independent and empowered Compliance SME is viewed as mandatory policy for this industry, a message which Novartis has clearly taken on board, repeating the sentiment once set out so vividly by Sen. Grassley in his September 5, 2003 letter to Tenet Healthcare, in which he stated that “You don’t have to be a pig farmer from Iowa to smell the stench of conflict in that arrangement” (in a reference to Tenet Healthcare’s initial Compliance 1.0 approach). Scrutiny on the compliance profession as an indispensable independent SME is also reflected in a number of legal and regulatory developments on a global basis: The following government policies and guidance reflecting scrutiny on the profession as an independent profession and SME, were recently among those noted by the Advisory Board of the RAND Center for Corporate Ethics and Governance:
- Guidelines – Competition Compliance Programs – Guidelines on the Structuring and Benefits of Adopting Competition Compliance Programs, CADE (2016)
- Corporate Compliance Programs, Canadian Competition Bureau (2015)
- Good Practice Guidance on Internal Controls, Ethics, and Compliance, OECD (2010)
- Anti-Corruption Ethics and Compliance Handbook for Business, OECD, UNODC, & The World Bank (2013)
- General Data Protection Regulation (GDPR), European Union (2018)
So back to the Blindingly Obvious, based on the foregoing, even a casual observer should be able to detect the rise of the compliance and ethics profession as an independent SME and critical management tool now taking its appropriate spot in the CSuite and at Board level – which can now be fully expected to deliver better Compliance 2.0 outcomes on the corporate landscape. As more and more Boards and other gatekeepers begin to understand and adopt the modern Compliance 2.0 model, those better outcomes will be increasingly in reach. Tipping Point, achieved.