Operationalizing compliance: how to get started.

April 17, 2017 7:19:38 AM CDT / by Ricardo Pellafone

OK, let’s review: 

You’ve read the DOJ’s “Evaluation of Corporate Compliance Programs.”

You’ve accepted that the DOJ is going to hold you accountable for results.

You’re on board with the fact that getting operational means letting go of a lot of silly things that sound like compliance, but aren’t.

Cool.


Now what?

You actually have to do it.

And this is where a lot of people freeze up and end up going back to doing goofball compliance fluff, reading yet another blog post about tone-at-the-top instead of actually fixing stuff.

That happens for a few bad reasons and one good one.

Here are the bad reasons:

"I'm too busy."

If you are too busy doing “not compliance” to handle “actual compliance,” you’re doing it wrong.

"I have bad HR data."

Of course you do. Everyone does.

But let’s say that “bad HR data” means you miss 40% of the people who do something risky at your company. That's a lot—but tackling 60% of your risky people with controls, monitoring, and operational compliance training is way better than not even trying. 

"I already have all this policy-level stuff, so I have to use it."

This is like saying “I accidentally bought drain cleaner instead of milk, so I guess I have to put drain cleaner on my cereal.” 

And here is the good reason:

"I’m overwhelmed."

This doesn’t get you out of doing it, but it’s honest and legit and we can work with it. And here's how.


To start operationalizing your compliance program, you are going to pick one thing that will have a big impact and do the minimum amount of work necessary to get it done.

That is it.

If that sounds jarring to you, it’s because our industry is obsessed with best practices, which inevitably involve doing more and more. And that's because “best practices” are mainly a way for vendors to sell you new things that you don’t need. 

Don't fall into that trap.

Instead, run your compliance team like a business. Start by getting a big win, and do the minimum amount of work to try and get it. 

Let's break that down.

First, get a big win.

Pick your biggest risk, and then pick the single business process or task that will make the biggest difference in mitigating that risk.

Don't overthink this.

If you accidentally pick the second-most-impactful task, who cares? Just decide and go with it. Don't turn it into a committee meeting.

And here's a hint: a "big win" task is almost always an approval. 

If your risk is anti-corruption, it could be how third-party invoices get approved by finance. 

If your risk is trade compliance, it could be how overseas shipments get approved by logistics.

If your risk is privacy, it could be how customer data collection gets approved by marketing.

Or whatever. Those are examples; your mileage may vary.

Just remember that we are talking about "corporate compliance" and not "absolutely perfect compliance." Tackle corporate liability first by tightening down your approvals, then get to the front-line stuff. 


Second, do the minimum amount of work.

Just focus on what you can accomplish this quarter.

Not because you are lazy, but because you are smart. And you recognize that spending more than a quarter on a project before checking if it is working is a terrible idea.

Do what you can to improve how your program impacts that business task this quarter, then see if it worked.  

Exactly what you need to do here depends on your business.

It could be adding in a new control to your finance system that requires compliance approval for payments to specific third parties.

It could be having your vendor system send you an alert whenever a new pay-to account is registered in a high-risk country.

It could be training your managers on what to look for in third-party invoices before sending them for payments.

Or all of that. Because we've scoped this to a single process, you can do a lot in a quarter—and then you can sit with audit or check your monitoring systems and see if it worked.

If it did, great. Move on to the next big win. 

If not, figure out what went wrong, adjust, and try again. And then take that lesson to the next big win, operationalizing compliance one piece at a time.

Eventually, your program will be fully operationalized, and at each stage your business will be able to see value, because you've continually tested and validated without making everyone suffer through some massive change management nightmare.

But don't worry about the "fully operationalized" state of the world. It's overwhelming.

Just worry about the first thing, and go from there.

Written by Ricardo Pellafone

Ricardo used to be in-house compliance, leading investigations for a sovereign wealth company in Abu Dhabi and a Fortune 200 tech company in California. He has degrees in psychology and law.