A compliance program is a continuously evolving process. The lifeblood of a compliance program is its ability to refresh itself, to incorporate new information and data, and adjust to meet new challenges.
The culture and compliance loop requires discipline – a company refreshes its risk assessment, designs and implement new policies and procedures to address the risk, adopts new compliance controls, monitors the performance of the new initiative, collects data on program performance, reviews the program, and identifies areas in which to improve and remediate. That is a very general shorthand of the steps involved. Each part of this equation or process has to operate relatively smoothly without delay and mistakes.
As a living and ongoing process, a compliance program can suffer a slowdown or slow-moving opposition or frustration. A CEO, for example, can slow a compliance program down by a series of small actions – relatively minor decisions that individually do not indicate a real problem but collectively cast the compliance program adrift.
A compliance program engine that stalls can quickly become adrift, meaning the program needs to evolve with changes in the company’s business but does not have the support, the resources, or other important resources needed to operate effectively. Frankly, there are infinite ways in which senior management can derail a compliance program with few fingerprints of responsibility. Senior management has the ability to undermine compliance because of personal prejudices, resource needs or personnel conflicts. It takes very little opposition to suppress a compliance program.
The telltale signs of a compliance program that is adrift include:
- Rejection of resource requests for basic automation or employees justified by a significant change in the business;
- Change in CCOs reporting relationship to the board or board committee;
- Senior management change in overall status and contact with chief compliance officer, both structurally and informally on day-to-day basis;
- Failure to address meaningfully new risks and responsibilities such as new sanctions regulations, General Data Protection Rule, or beneficial ownership regulations;
- Over-reliance on business ownership of compliance program responsibilities; and
- Unexplained changes in compliance priorities without adequate consultation with chief compliance officer.
A compliance program is a finely-tuned machine and it takes very little to slow it down and eventually undermine the overall purpose and effectiveness of the program. It is difficult for a CCO to respond to death by a thousand cuts because each cut, by itself, can be explained as a scratch, nothing more, and senior management can maintain deniability and evade accountability for the compliance program.
In these circumstances, the company and senior management will eventually suffer the consequences for their actions or failures to act. One thing you can always count on – a deficient compliance program will usually be exposed and when it happens, the company and senior managers will undergo a searing review and questioning of their actions or inaction. If the CCO documents the events, requests for resources, inexplicable changes to the compliance program, and failures to act in the face of clear warnings and communications, senior management will be held accountable – whether by the government or major stakeholders.