You Can Tune A Piano But You Can’t Tune A Fish – Fine Tuning Your Compliance Program

by Thomas Fox

While I grew up, and went to undergraduate school, in Texas, I went to professional schools up north, in Michigan. There I was introduced to the Mid-West rock sound. It was certainly different than the Texas or Southern rock sound that I grew up listening to. And I became a fan, even embracing REO Speedwagon, particularly after they released their iconic album, You Can Tune a Piano But You Can’t Tune a Fish in 1978. I thought about that album and some good old 4/4 Mid-Western rock and roll music when I read an article in the Compliance Week magazine by Carol Switzer, President of the Open Compliance and Ethics Group, entitled “Retuning Compliance”.

In this article Switzer addressed the issues of gaps in compliance coverage, the high risks for noncompliance, both from issues known and unknown, the self-created complexity, and wasted resources in compliance. Switzer believes that there is not “enough consistency, enough insight and, most importantly, not nearly enough confidence that we know what our compliance obligations are and that we are addressing them correctly, let alone cost effectively.” She termed this “The Disheveled State of Compliance.”

To overcome this, Switzer draws from the world of music. She wrote that, “Just like a musical composition, a well-designed approach to managing compliance obligations has many moving and interrelated parts built on a specific structure, and each piece must work in harmony with the others. While the structure of a song includes many parts—the verse, the chorus, the bridge, the hook, and so on—the structure of an effective approach to compliance similarly must be well developed and designed.” However, to pen a “harmonious tune, or orchestrate a symphony, the composer not only has to be able to identify what is wrong with each subsequent draft, he or she also needs to know what structure to put in place and how to coordinate the key elements that will fix it, to retune it if you will, and the same is true for fixing a discordant approach to management of compliance obligations.” She ends her musical metaphor with the following, “Songs that are well structured and make the best coordinated and creative use of key elements such as lyrics, melody, and harmony are the ones that flow from one part to the next almost seamlessly.” Such is the creation and maintenance of an effective compliance program.

Switzer suggests there are five steps that an organization can use to provide a synergistic approach to “retune the compliance program, mitigate risk, and satisfy regulators, auditors, directors, and other stakeholders.” They are:

  1. Continuous Requirements Tracking. Under this point, Switzer says that ongoing monitoring of changes in risks, influencers and requirements is essential. She advocates the use of subject matter experts to assist a company to identify and track changes in the obligations. These can include “the mandated requirements and the voluntary commitments that each organization faces, methods for auditing and improving, and overall an integrated workflow that enables quick exchange of relevant information across and throughout the structure.” Switzer quoted Paul Liebman, Chief Compliance Officer (CCO) of the University of Texas at Austin, for the following, “Each organization should act based on its own unique geographical and operational risks and the management capabilities and preferences of its leadership. Some may concentrate their efforts on addressing regulatory requirements while others may focus on legal as well as regulatory requirements. Still others may incorporate non-legal/non-regulatory ethics in the form of institutional mission and values.”
  2. Transformative Workflow. Here Switzer suggests that dynamic work­flows can automate the routing of requirements and utilize rules, conditions and permissions to provide greater efficiency and operational performance. This would allow management actions and controls that respond to address each compliance obligation as it arises. Here Switzer turned to David Childers, Chief Executive Officer (CEO) of Compli, for the following observation, “Most organizations struggle with where to start in the process of achieving an effective COM [compliance obligation management] posture…Historically organizations often believe that they can achieve this type of cross-functional data interchange and audibility through internal processes and spreadsheet-type information consolidation. Because most organizations employ a number of point solutions like, HRIS, ERM, CRM, computer-based training, records management, etc., developing an internal tool to consolidate and track the diversity of COM data is very difficult.”
  3. Effective Reporting. Here Switzer recommends that companies report across business or operational units to ensure that business users can design, maintain, and publish reports to improve the organization’s ability to make strategic decisions. This will facilitate the identification and reporting of issues and potential for failures to conform before they become reportable events. Switzer quoted Scott Roney, Special Counsel for CSLG, for the following, “In addition to prioritizing risks and allocating resources, a big challenge is to determine whether the needle is moving—are the resources you are putting into risk reduction actually having the desired impact. Compliance officers tend to measure processes, like training, code certifications, etc., but connecting those processes to substantive risk reduction is a leap. That ties into the challenge of showing an ROI [return on investment] on compliance department activities. If you can’t show the data and how compliance management is adding value, then executives are reluctant to continue to make the investment.”
  4. Managed Audit Process. Switzer ends her process steps by noting that any organization can improve its internal and external systems through audits. Such audits would review operational history. An added benefit is similar to the Fair Process Doctrine but under Switzer’s example she states that the “general process understanding can strengthen two-way communication and inspire teamwork based on trust. Whether it is compliance, quality, safety, environment, or data security, audit reports are necessary to improve business operations.”

In her penultimate paragraph Switzer returns to her musical metaphor for the following story, “When I was in college, I had a friend who was a harpist studying under the foremost harp teacher in the world. On her wall was a quote from her teacher that read: “Focus on technique. The notes will follow.”” Switzer believes that this means a company should “develop the skill to design, structure, and operate a compliance capability that uses the right technology that you operate to its best advantage.” At the end of the day, “the success of a piece of music is highly dependent on the synergistic skills of the composer and the group of musicians who work together to perform it.” Switzer ends by noting this is the same in the compliance management process as it is dependent on coordination of skillful people, well-designed processes and high-performing technology to make it sing. Without structure, skill, and synergy, our compliance efforts will remain badly out of tune.

So I think the musical metaphor does hold and while you can tune a piano but may not be able to tuna a fish; you certainly can tune your compliance program.

On a more solemn note, today is 9-11 so please take a minute to remember all those who lost their lives or lost loved one on this date 12 years ago.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.