While I grew up, and went to undergraduate school, in Texas, I went to professional schools up north, in Michigan. There I was introduced to the Mid-West rock sound. It was certainly different than the Texas or Southern rock sound that I grew up listening to. And I became a fan, even embracing REO Speedwagon, particularly after they released their iconic album, You Can Tune a Piano But You Can’t Tune a Fish in 1978. I thought about that album and some good old 4/4 Mid-Western rock and roll music when I read an article in the Compliance Week magazine by Carol Switzer, President of the Open Compliance and Ethics Group, entitled “Retuning Compliance”.

In this article Switzer addressed the issues of gaps in compliance coverage, the high risks for noncompliance, both from issues known and unknown, the self-created complexity, and wasted resources in compliance. Switzer believes that there is not “enough consistency, enough insight and, most importantly, not nearly enough confidence that we know what our compliance obligations are and that we are addressing them correctly, let alone cost effectively.” She termed this “The Disheveled State of Compliance.”

To overcome this, Switzer draws from the world of music. She wrote that, “Just like a musical composition, a well-designed approach to managing compliance obligations has many moving and interrelated parts built on a specific structure, and each piece must work in harmony with the others. While the structure of a song includes many parts—the verse, the chorus, the bridge, the hook, and so on—the structure of an effective approach to compliance similarly must be well developed and designed.” However, to pen a “harmonious tune, or orchestrate a symphony, the composer not only has to be able to identify what is wrong with each subsequent draft, he or she also needs to know what structure to put in place and how to coordinate the key elements that will fix it, to retune it if you will, and the same is true for fixing a discordant approach to management of compliance obligations.” She ends her musical metaphor with the following, “Songs that are well structured and make the best coordinated and creative use of key elements such as lyrics, melody, and harmony are the ones that flow from one part to the next almost seamlessly.” Such is the creation and maintenance of an effective compliance program.

Switzer suggests there are five steps that an organization can use to provide a synergistic approach to “retune the compliance program, mitigate risk, and satisfy regulators, auditors, directors, and other stakeholders.” They are:

1. Continuous Requirements Tracking. Under this point, Switzer says that ongoing monitoring of changes in risks, influencers and requirements is essential. She advocates the use of subject matter experts to assist a company to identify and track changes in the obligations. These can include “the mandated requirements and the voluntary commitments that each organization faces, methods for auditing and improving, and overall an integrated workflow that enables quick exchange of relevant information across and throughout the structure.” Switzer quoted Paul Liebman, Chief Compliance Officer (CCO) of the University of Texas at Austin, for the following, “Each organization should act based on its own unique geographical and operational risks and the management capabilities and preferences of its leadership. Some may concentrate their efforts on addressing regulatory requirements while others may focus on legal as well as regulatory requirements. Still others may incorporate non-legal/non-regulatory ethics in the form of institutional mission and values.”
2. Transformative Workflow. Here Switzer suggests that dynamic work­flows can automate the routing of requirements and utilize rules, conditions and permissions to provide greater efficiency and operational performance. This would allow management actions and controls that respond to address each compliance obligation as it arises. Here Switzer turned to David Childers, Chief Executive Officer (CEO) of Compli, for the following observation, “Most organizations struggle with where to start in the process of achieving an effective COM [compliance obligation management] posture…Historically organizations often believe that they can achieve this type of cross-functional data interchange and audibility through internal processes and spreadsheet-type information consolidation. Because most organizations employ a number of point solutions like, HRIS, ERM, CRM, computer-based training, records management, etc., developing an internal tool to consolidate and track the diversity of COM data is very difficult.”
3. Effective Reporting. Here Switzer recommends that companies report across business or operational units to ensure that business users can design, maintain, and publish reports to improve the organization’s ability to make strategic decisions. This will facilitate the identification and reporting of issues and potential for failures to conform before they become reportable events. Switzer quoted Scott Roney, Special Counsel for CSLG, for the following, “In addition to prioritizing risks and allocating resources, a big challenge is to determine whether the needle is moving—are the resources you are putting into risk reduction actually having the desired impact. Compliance officers tend to measure processes, like training, code certifications, etc., but connecting those processes to substantive risk reduction is a leap. That ties into the challenge of showing an ROI [return on investment] on compliance department activities. If you can’t show the data and how compliance management is adding value, then executives are reluctant to continue to make the investment.”
4. Managed Audit Process. Switzer ends her process steps by noting that any organization can improve its internal and external systems through audits. Such audits would review operational history. An added benefit is similar to the Fair Process Doctrine but under Switzer’s example she states that the “general process understanding can strengthen two-way communication and inspire teamwork based on trust. Whether it is compliance, quality, safety, environment, or data security, audit reports are necessary to improve business operations.”

In her penultimate paragraph Switzer returns to her musical metaphor for the following story, “When I was in college, I had a friend who was a harpist studying under the foremost harp teacher in the world. On her wall was a quote from her teacher that read: “Focus on technique. The notes will follow.”” Switzer believes that this means a company should “develop the skill to design, structure, and operate a compliance capability that uses the right technology that you operate to its best advantage.” At the end of the day, “the success of a piece of music is highly dependent on the synergistic skills of the composer and the group of musicians who work together to perform it.” Switzer ends by noting this is the same in the compliance management process as it is dependent on coordination of skillful people, well-designed processes and high-performing technology to make it sing. Without structure, skill, and synergy, our compliance efforts will remain badly out of tune.

So I think the musical metaphor does hold and while you can tune a piano but may not be able to tuna a fish; you certainly can tune your compliance program.

On a more solemn note, today is 9-11 so please take a minute to remember all those who lost their lives or lost loved one on this date 12 years ago.