CEP Magazine (October 2022)
In 2018, Life magazine published a special edition entitled “The World’s Most Haunted Places.”[1] This edition featured the Winchester House in San Jose, California, later renamed the Winchester Mystery House. For those of you unfamiliar with the Winchester House, it was initially purchased by Sarah Winchester in 1886 when she moved from Connecticut to California. Sarah was the widow of William Winchester, son of Oliver Winchester, the founder of the Winchester Repeating Arms company.
After the move, Sarah began to renovate the house. And renovate it. And renovate it. Additions were built, along with skylights, cupolas, and stairways. The list goes on. These renovations lasted over 35 years until her death in 1922. The house has stairways to nowhere and doors that open to walls. This—and the fact some claim it is haunted—is the primary reason the Winchester House is now called a “mystery house.” It is more like a maze than a home.[2]
What does this have to do with institutional compliance? In a recent compliance presentation, Andrew Neblett, co-founder of informed360 and chief operating officer at Ethisphere, pointed out that many institutional compliance programs today can end up looking like the floorplans of the Winchester House.[3]
Here is how that can happen. Several years ago, the 17 “shalls” in the United States Federal Sentencing Guidelines’s “Effective Compliance and Ethics Program” were synthesized into what is commonly referred to today in the compliance industry as “the seven elements.” In addition, some regulations have comparable elements embedded into their requirements. As a result, many compliance programs in many industries are based on these (or similar) elements.
As a hypothetical example, let’s say a utility created a compliance program for the Sarbanes-Oxley Act (SOX); then for the Federal Energy Regulatory Commission (FERC); then for the North American Electric Reliability Corporation (NERC); then for diversity, equity, and inclusion (DEI); then for the Occupational Safety and Health Administration (OSHA); then for workers’ compensation; then for the Equal Employment Opportunity Commission (EEOC), etc. These programs combined can begin to look like a compliance Winchester House for various reasons, an important one being duplication of effort. For instance, all these programs probably have a training component, require legal research, need to assess risk and be regularly audited, require policies and procedures, etc. Are all seven of these programs going to have separate training platforms? Separate audit functions? Separate policy management? You get the idea.
Knowing this could happen, how can we create or reengineer compliance programs that are not a mystery but are effective and efficient? A few ideas are discussed below.
Strategic compliance
First, no matter the size of your organization, approaching compliance more strategically can help.[4] A few simple steps can assist in making this paradigm shift.
- Understand your company’s entire compliance universe and the high-level requirements of each compliance area. The utility example above shows a variety of compliance requirements in all industries, and many high-level requirements overlap. Finding this overlap and addressing it holistically will help reduce duplication of effort.
- This is a big one—almost all compliance areas require policies, procedures, training, monitoring, auditing, etc. Can any of these activities be centralized to benefit all compliance areas? Or can we reduce duplication of effort by leveraging common skill sets and existing organizational services such as legal, employee training, marketing and communications, auditing, etc.?
- A chief compliance officer (CCO) is a must, but how many specific compliance areas require an organization to have a compliance expert on staff? Sticking with the utilities example, do we need a SOX expert? FERC? NERC? EEOC? Make sure all the high-risk areas have experts in place and that these experts communicate regularly with the CCO and with each other. Also, empower these experts to use a pared-down version of the seven elements in their subject areas. These elements can help strengthen the compliance front lines.
- Get executive leadership on board with a more strategic approach by explaining how it will, as mentioned above, be more effective and efficient.
Leverage technology
Finally, no matter your organization’s size, many technology tools are now available to assist organizations with a more strategic approach to institutional compliance. These tools can help manage compliance risk, policies, procedures, training, action plans, hotline cases, disclosures, audits—and the list goes on—across the entire organization. These tools can also make compliance program data more organized and accessible. This will help with benchmarking and measuring key performance indicators.
The time for managing some of our compliance responsibilities and data with spreadsheets and PC databases has passed. Technology is finally catching up, and visionary compliance leaders are leveraging these products to support more effective and efficient compliance programs.[5]
Some may recognize the above as a form of business process re-engineering, and it is. But this is also in harmony with the Federal Sentencing Guidelines requirement to make “necessary modifications to the organization’s compliance and ethics program.”[6] Implied in this “shall” is continuously improving and re-engineering our programs to make them better—and less of a mystery.
Takeaways
- Organizations with multiple, siloed compliance programs can significantly duplicate effort; evaluate your organization’s compliance universe and identify requirements that overlap.
- Centralize activities that multiple compliance programs have in common, such as training, risk assessment, and audit, to reduce duplication of effort.
- Make sure all the high-risk compliance areas have experts in place and that these experts communicate regularly with the chief compliance officer and each other.
- Get executive leadership involved with a more strategic approach and leverage activities that may already exist in your organization, such as legal and marketing.
- Identify technology tools that can help manage compliance risks, requirements, policies, procedures, training, action plans, disclosures, etc., across the entire organization.
1 “The World’s Most Haunted Places: Creepy, Ghostly, and Notorious Spots,” special issue, Life, September 28, 2018.
2 The Winchester Mystery House, “History,” last accessed August 1, 2022, https://www.winchestermysteryhouse.com/sarahs-story.
3 Andrew Neblett, “How Technology Can Improve Effectiveness and Deliver More Value to Our Compliance Programs,” Dallas Regional Compliance & Ethics Conference, Dallas, TX, October 22, 2021.
4 Deena King, Compliance in One Page, 2nd ed. (Dallas, Texas: self-pub, 2020) and Strategic Compliance (in pre-publication).
5 Neblett, “How Technology Can Improve Effectiveness.”
6 U.S. Sent’g Guidelines Manual § 8B2.1(b)(7) (U.S. Sent’g Comm’n 2013).