Ever since the Department of Justice released the Evaluation of Corporate Compliance Programs, folks have been talking about the concept of “operationalizing” compliance.
And a month(ish) in, we're already running the risk of the term being so overused as to become meaningless.
It’s got me feeling like this:
Well put, 1987 Mandy Patinkin.
And look, getting this right matters.
Because operationalizing compliance is what separates “actual compliance” from “just doing a bunch of compliance-sounding stuff.”
So, let’s break this down.
What "operationalize" means.
Operationalizing something means to “put it into operation or use.”
You "operationalize compliance" by integrating it into business process—so it becomes part of how people do their job duties. That is how it gets put to use.
Getting there involves two very simple steps:
(1) Identify the things people do that create or mitigate risk, and
(2) Make sure those things are done correctly.
Simple. Not easy, but simple.
This is what the “Operational Integration” part of the Evaluation of Corporate Compliance Programs is getting at.
It's not enough to have a policy and train on it; you have to actually apply it to the operational tasks and job duties that will make or break compliance under that policy.
You can't just hope the business will figure out how your policies apply to them—because if that worked, no one would have an in-house compliance team. You'd just have a law firm refresh your policies every couple years.
To get operational, you have to get to the task level.
That's your responsibility.
Now, that's simple enough as a concept—but let's explore what it looks like in practice.
What "operationalize" looks like.
You're probably not going to like this part.
Because getting operational means focusing on the parts of compliance no one likes talking about: controls, procedures, monitoring, auditing, and super-specific training.
Boo, right? No fun.
Making a bunch of cute videos about having a speak-up culture and writing a crossword for your newsletter and doing a world tour of your company’s sites giving speeches about business ethics is fun.
But that stuff is not compliance.
(It’s not bad, of course. It’s just not compliance.)
Compliance is people doing their jobs the right way. A compliance culture is when this happens by default—and people know to speak up when they see something that doesn't jibe with that.
To get there, you have to tell people how to do their jobs the right way, and then follow-up to make sure that they’re doing it.
And that’s the domain of controls, procedures, monitoring, auditing, and super-specific compliance training.
How to tell if you're doing it.
The easiest way to see if you are "operational" is to take what you are doing and imagine what it would look like if your health & safety team did the same type of stuff.
Because "non-operational" compliance practices become very obviously ridiculous when you put them in the safety context.
So, let's do exactly that.
Here's the scenario:
Imagine that there are people in your office building who do research with a really dangerous chemical called Zomboxide. It's corrosive and the barrels you store it in have to be handled a very specific way to prevent them from rupturing.
And also it turns people into zombies.
Which is bad.
With that background, here's what the two different approaches to compliance look like.
The “non-operational” approach looks like this:
Do a risk assessment, spend 12 months refreshing your Chemical Safety Policy and training everyone at the company on it.
Have the Chief Safety Officer do a tour of all sites and talk about chemical safety.
Hire Captain Planet to give a keynote at the company's annual research meeting on the importance of handling chemicals correctly.
Join a few safety industry benchmarking groups. To keep up with best practices, adopt 3-D gamified policy training. Hire a branding agency to create a catchy safety slogan and redo your Code of Safety Conduct.
Never actually get into the specifics of how people handle Zomboxide, or any specific chemical for that matter. You have bad HR data, so you figure that since you can't identify everyone who works with Zomboxide, it's better to not go there at all.
Instead, you keep promoting the policy-level stuff and assume the research team will figure out how that applies to handling Zomboxide specifically, and if not—you hope they'll call the hotline.
Result: you win a bunch of industry awards for your best practices program. Workers still routinely mishandle Zomboxide barrels, one eventually ruptures, and the zombie apocalypse happens. :(
And the "operational" approach looks like this:
Do a risk assessment, identify Zomboxide as the riskiest chemical handled by the company. Make that your top priority.
Review the existing Chemical Safety Policy. Determine that it is ugly and old, but provides enough authority for you to do your job. Table a policy refresh until you handle the "zombie outbreak" stuff.
Realize you have bad HR data, but can still identify a few researchers who handle Zomboxide. Go meet with those researchers. The researchers help you identify more lab workers that handle Zomboxide.
Work with researchers to memorialize procedures for handling and disposing of Zomboxide safely. Train researchers and lab workers on that.
As a control, put keycard access on the door to the lab. Employees from maintenance come forward when they realize they can't get into the lab anymore. Train maintenance workers on how to handle Zomboxide safely.
Tap into purchasing, inventory, and HR systems to monitor when Zomboxide is purchased, moved, disposed of, or a new worker is hired for the lab.
Enlist internal audit to do quarterly checks of access logs to Zomboxide. Have internal audit also cycle through regular audits of the end-to-end Zomboxide acquisition, storage, and disposal process.
Move on to next highest-risk chemical, with periodic checks of Zomboxide processes.
Result: no one gives you any awards, but company stays zombie-free.
Here's the takeaway:
You do not want to work at a company where the safety team takes a non-operational approach, rolling out policies and policy-level training and then waiting for the hotline to ring.
That would be a poor decision for your health.
But that's exactly how a lot of compliance teams manage their risks. They run around doing a million things that look like compliance, but never actually address the things people do that cause or prevent risk.
Notice that everything the non-operational team was doing was good stuff—it was just the wrong stuff.
They confused the tool (a compliance program) with the job (mitigating risk). And when you mix up the tool and what you're supposed to be doing with the tool, you lose focus and bad things happen.
Like a zombie outbreak.
Or a monitor from the Department of Justice.
So keep your priorities straight, and remember what your job actually is.
Your job is not to write a Code of Conduct.
Or give training. Or do audits.
Your job is to mitigate risk.
Codes, policies, training, audits—those are tools you use to mitigate risk. But they don't mitigate risk on their own any more than just waving an icepick around will result in an ice sculpture.
Put simply, just doing stuff isn't valuable. Doing the right stuff is valuable.
And the right stuff is using the tools of your program to target the operational tasks that create or prevent risk.
You need to break the problem down into the things people actually do, and then all of those no-fun parts of compliance get easier and more achievable.
And that's what "operationalize compliance" actually means.