In the 1983 film WarGames, young hacker David Lightman (Matthew Broderick) nearly triggers global thermonuclear war, which he and the other protagonists narrowly manage to avoid by having an artificial intelligence named Joshua play tic-tac-toe with itself.
Although largely forgotten since, two elements of the film have withstood the test of time, both delivered by Joshua: the question “shall we play a game?”, which starts the central plot of the film, is the first. The second, at the film’s climax: “A strange game. The only winning move is not to play”. A sentiment anyone who has ever played more than three games of tic-tac-toe can surely sympathize with.
In some ways, civil litigation is similar to the conundrum Joshua faces: for compliance departments, the only winning move with regards to violating regulations is not to play. Indeed, in 2020, Investopedia found that, although the cost of compliance is rising as regulations increase, non-compliance simply isn’t worth it: “despite the increases in cost for compliance, studies show that it is more costly not to meet compliance standards, by at least 2.7 times. The cost of compliance, on average, is approximately $5.5 million, whereas the cost for noncompliance is approximately $15 million.”
In order for a corporate compliance program to be successful, it is key to understand both the means and ends associated with such a program. At the same time, once set up, a corporate compliance program has to be enforced and supported by the organization.
Here's what we'll cover:
What is corporate compliance?
Why you should care about corporate compliance
Corporate compliance and internal investigations
5 steps to creating an effective corporate compliance program
Let's dive right in!
As the saying goes, the best defense is a good offense. In the context of compliance, that means the best way to defend against potential threats to the company is to ensure the company avoids exposure to said threats in the first place. Simply put, a corporate compliance program consists of a set of processes, standards and procedures that ensure the company operates ethically, responsibly, and lawfully towards its employees, competitors, customers, and regulators. A corporate compliance program typically consists of three parts: implementation, auditing, and administrating.
At the very least, compliance means a company does enough, at least, to remain in good standing with the law. In the Federal Sentencing Guidelines, §8B2.1 specifies that organizations must have in place: “an effective compliance and ethics program (…) [which] shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct.”
Stripped down to its bare bones, a compliance program has to show the company has taken steps to ensure that both the organization and its employees don’t break the law. However, corporate compliance is more than simply avoiding fines. A good corporate compliance program improves the reputation of a company: it can inspire confidence, and may even be used as a sales argument if an especially innovative or proactive approach is taken.
The person in charge of the compliance program is the aptly titled compliance officer, or (chief compliance officer for larger organizations). As the title indicates, this person is in charge of reviewing various regulations that apply to the business, come up with appropriate strategies to meet the requirements, as well as ensuring that the policies associated with the compliance program are enforced. In order for the compliance officer (and by extension, the compliance department) to do their work, they require a degree of independence from the rest of the organization. As such, compliance officers typically report directly to the top of the corporate ladder.
Even if we put aside the direct cost-benefit of compliance versus non-compliance referred to in the introduction, corporate compliance is a huge factor when it comes to both legal liability of the company, as well as the reputation of the business in general.
In 2018, Forbes noted that to many executives, “compliance is often viewed as a necessary evil that hinders business”. This view is a misconception, as the article continues to urge corporate leaders to be more invested in the activities of compliance officers, noting that the benefits of such a program far exceed the conception of compliance as a way to stay out of regulatory trouble.
A strong commitment to corporate compliance allows a company to cultivate and maintain a strong positive reputation, something which the Harvard Business Review rightly points out provides great value: “Firms with strong positive reputations attract better people. They are perceived as providing more value. (…) Their customers are more loyal and buy broader ranges of products and services.” With HBR also stating that for companies, as much as 80% of market value is derived from intangible assets (of which reputation is a huge part), putting adequate care and effort into corporate compliance is paramount.
As Keith Darcy, an independent senior advisor to Deloitte puts it: “Sometimes, all it takes is a rumor, a hint of impropriety or malfeasance, or a social media post gone viral, to negatively impact shareholder value and damage –or worse, destroy– corporate and brand reputations in an instant.”
The activities of a compliance officer or department consists of implementing (or amending), enforcing, and administrating the compliance program. For enforcement, compliance programs rely on internal audits, or internal compliance investigations, in order to make sure that what’s written down in compliance policy finds its way into the day-to-day reality of the business.
These internal investigations should not be taken lightly. Meaningful enforcement of compliance programs allow organizations to catch potential problems and issues early on, and prevent them from becoming liabilities or embarrassments. A vigilant compliance officer (or department) can mean the difference between an employee being corrected and the company getting into legal trouble, or have its name dragged through the mud publicly.
We’ve written earlier about internal investigations, detailing how they operate and what an internal investigations department may look like. In terms of compliance, the trigger for an internal investigation is typically a complaint or concern raised by an employee. At the same time, unless the matter calls for it directly, experts warn organizations against being too gung-ho with the term ‘investigation’: while it may be applicable when dealing with serious matters, such as fraud or bribery, matters which may lead to severe consequences, it is advisable to use less evocative language when it comes to following up on a compliance concern or complaint.
Regardless, if it ends up being called one or not, an internal compliance investigation does need to adhere to the same rigor as a ‘regular’ investigation. Defensibility remains important, as does the notion of completeness. If serious wrongdoings are discovered, be they interpersonal (i.e. sexual misconduct) or financial (i.e. fraud or bribery), the company is obviously incentivized by the U.S. Sentencing Commission to be forthcoming in terms of the information it provides. In the so-called Yates Memorandum, Deputy Attorney General Sally Yates reinforces the desire of the Department of Justice to primarily pursue individual perpetrators of misconduct: “one of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.” (Page 1).
In the guidance, Yates writes that in order to qualify for any cooperation credit, which is the mechanism through which leniency with regards to punishment is assessed, the company’s cooperation must be complete: not holding anything back and disclosing all relevant information including information that implicates other individuals within the company “regardless of their position, status or seniority, and provide to [the Department of Justice] all facts relating to that misconduct.” (Page 3).
Finally, the defensibility of that internal investigation is key, as the Memorandum implores the attorneys of the Department of Justice to: “…vigorously review any information provided by companies, and compare it to the results of their own investigation, in order to best ensure that the information provided is indeed complete and does not seek to minimize the behavior or role of any individual or group of individuals.” (Page 4).
Creating an effective corporate compliance program, like creating an effective Information Governance program, is certainly challenging, although less of a daunting prospect, since there is no analogue for the initial data audit that needs to take place for Information Governance. Unlike Information Governance, a corporate compliance program can be valid from the moment the policies are enacted, and needn’t be retroactively applicable. So, how does one go about creating an effective corporate compliance program?
One of the most important steps in creating a corporate compliance program is to get buy-in from the c-level executives. Without enthusiastic support without reservations from those in charge, compliance is dead in the water. A compliance program with half-hearted support will never succeed in fostering a culture of compliance within the organization as a whole. Integrity, that elusive concept that compliance programs seek to both establish and protect, begins with support from the top: “Guarding against reputational risk begins with setting the proper tone at the top, one that is aligned with organizational values and embraces a culture of integrity. (…) Ultimately, [the culture of the enterprise] is the glue that holds an organization together”, wrote Nicole Sandford.
In a similar vein, Thomson Reuters states that “Best practice standards and controls suggest that the tone and culture set by management has a trickle-down effect on employees. If top managers uphold ethics and integrity so will employees.” (Page 6).
One example of leadership structures not buying into ethical policies can be found in the video industry, where the concept of ‘crunch’ has drawn increasing amounts of criticism. ‘Crunch’ describes the culture of overwork that exists in many video game developers, that leads to employees routinely working 70-100 hour workweeks for months on end. To combat the criticism increasingly levelled at the industry, one developer, CD Projekt Red, vowed not to mandate overtime, then went back on their word when the deadline got close, and were subsequently criticized heavily for it.
Before you can even begin to write policy, it is crucial to understand the risk exposure you are trying to mitigate. Compliance risk assessments can fall into the portfolio of compliance officers or risk officers if they exist. Of course, all applicable laws with which the company ought to comply has to be inventoried.
From a compliance point of view, understanding what risks are involved in the day-to-day operations of the business are key, since those activities dictate for what activities policy needs to be written for, towards whom training has to be geared, and what aspects of the policy should be emphasized due to either frequency of occurrence or potential exposure to risk involved.
A corporate compliance program lives and dies by policy. The first document in most compliance programs is a Code of Conduct, which is meant to define how the company expects its employees to act on a day-to-day basis. It serves as an ethics constitution of sorts, and communicates the values the organization wants and expects its representatives to demonstrate. For large companies, especially ones that are not privately held, codes of conduct are made available to the public, which again illustrates how compliance can be used as a brand-building tool. Codes of conduct are usually written without legalese or complicated jargon, as they are meant to be understood by all employees as well as potential hires and investors. Furthermore, they tend to be expansive, dealing with a wide variety of subjects. The Code of Conduct for Alphabet (Google’s parent company) is a great example of a more wide-ranging code of conduct.
Following the code of conduct, the next document depends entirely on the organization’s priorities and what’s relevant to the market it serves (i.e. health care compliance, privacy statements, data security information, data retention policies, etc.) See an example of a compliance policy here.
A compliance program is worth little more than the storage cost of the document it lives in if it isn’t communicated properly to the people who are supposed to abide by it. Communication is everything, starting with the way the policy is written (which means don’t overcomplicate it), but it succeeds or fails with training. Luckily, such educative programs are generally well understood, and so long as the commitment of the organization is strong, the effort consistent and the policies clear, getting the message across shouldn’t be especially difficult.
At the same time, it should not be taken for granted. One key thing to keep in mind is to establish why the compliance program is important, not simply to foist a set of rules onto your employees and expect them to follow them. For both commercial and legal reasons, you need to make an effort in good faith to instill the norms and values included in your compliance program in your employees. Simply going through the motions of having a policy without any follow-through won’t pass muster in the court of law or public opinion.
No compliance effort is complete without follow-through. That means that in addition to a compliance policy, a plan needs to be put in place that establishes how compliance should be monitored.
In recent years, compliance reviews have been migrating towards a more data-driven approach. Such an approach means data has to be gathered regarding transactions, incident reports, employee tests, registered complaints, etc. Primarily, compliance monitoring helps ensure that the expected outcomes are occurring, while also making sure that the compliance program itself is defensible both in a court of law if need be, and in the organization’s boardroom.
According to Diligent Insights, a compliance monitoring plan:
As with anything data-driven, solutions have popped up to help manage the compliance monitoring process. These tools most generally aim to evidence the compliance program at the company level (i.e. provide a catalog of regulations to follow and permits required), as well as the individual level (i.e. trainings attended, code of conduct read, etc.). Generally speaking, compliance monitoring tools are most useful for organizations that put in place a compliance officer (or department).
When it comes to compliance, the job is never done. In more ways than one, corporate compliance programs mirror Information Governance programs, in the sense that they both take some effort to establish, consistent support from leadership, and an ongoing upkeep to maintain efficacy. It should come as no surprise that they’re sometimes grouped together with risk management into the shared topic of GRC (Governance, Risk Management, and Compliance). If all three departments exist side by side, they will need to work together in order to reach their objectives: “For success, we must consider the boundaries of laws, social mores, and uncertainties that arise with regards to potential risks and rewards. Nor can the management of risk, compliance, and ethical conduct be separated from the objective-seeking activity.”
The work of a compliance officer is never quite done. As new regulation is constantly being written, the task of interpreting new requirements into the compliance plan is also an open-ended task. Also, if an organization wishes to use its ethical practices and compliance excellence as a tool for recruitment, or even sales, the need for the compliance plan to be constantly improved is significant.
The downside to all this, of course, is that both legally and ethically, there is no such thing as a half measure. Any compliance program, regardless of its scale and expansiveness, needs attention and care not only to be effective, but also to be taken seriously by anyone inside or outside the organization. You are either compliant or you are not, an organization acts ethically or it does not. It only takes a small misstep to undo a lot of work.
From an eDiscovery point of view, tools such as our own usually only get involved when things have already gone wrong and an internal investigation or audit is launched. At the same time, tools used in document review, such as ZyLAB Insights can help both investigators and compliance officers in uncovering evidence and relevant information faster and easier. When it comes to future developments, an especially interesting one in terms of compliance is emotion mining, which allows compliance officers to detect breaches of the code of conduct when it comes to interpersonal behavior in terms of hostility. What remains true, however, is that the only way to really win when it comes to compliance breaches and internal investigations is not to play.