Much has been written regarding compliance and ethics program “effectiveness” as part of a collective effort to define what an effective compliance and ethics program actually looks like. Of course, various textbook academic definitions exist: the extent to which a compliance and ethics program or activity achieves its intended purpose; a measure of the accuracy or success of technique when carried out in an identified environment. However, these are not particularly helpful to organizations struggling first to understand compliance and ethics, then to pursue it effectively on a real, everyday operating level.
One of the reasons the reality of effectiveness is so elusive is that it is a relatively new, certainly complex, and in some cases, a subtle concept, which very few organizations have achieved. Furthermore, given that each organization is unique, using a boilerplate to create a program will not accomplish the compliance and ethics goal. This makes it difficult to recognize when a program is, in fact, effective.
From the viewpoint of a consultant, it becomes clear that although unique, the vast majority of organizations are not too terribly different from each other in terms of the elements it takes to achieve effective compliance and ethics—or the elements that are present when compliance and ethics is ineffective. Certainly the circumstances for implementation, personalities, and cultures vary; all of which affect the subtle “hows” but not necessarily the “ifs” of achieving effective compliance and ethics. Through organizational commitment and dedication to the principles of an active compliance and ethics plan, success is achievable regardless of the organization and its unique circumstances. By being able to recognize when a compliance and ethics element is ineffective, corrections can be made to improve compliance and ethics effectiveness.
Given that it is far more common in today’s environment for organizations to struggle with the essential elements of an effective compliance and ethics plan, this article will delve into the anatomy of an “ineffective” compliance and ethics program. By understanding where and how compliance and ethics programs break down, and how one weak aspect of a compliance and ethics program can affect all or many other aspects, we can begin to see more clearly how the intent of each element contributes to the overall results of effective compliance and ethics. Thereby, we also can avoid common compliance and ethics traps or pitfalls to which all organizations are vulnerable.
Ineffective Compliance and Ethics Programs
An ineffective compliance and ethics program is one that does not meet the measurable goals and objectives that it lays out. An ineffective compliance and ethics program is one that ultimately allows fraudulent, inappropriate, and/or inefficient and wasteful activities to exist unchecked or unidentified, causing harm to one or more of the organization’s stakeholders (management, employees, patients, customers, investors, etc.).
Even though the majority of compliance and ethics programs are voluntary, compliance is not. With the standard for “intent” having been changed to add “reckless disregard for the truth” and “deliberate ignorance” to the prior standard of “actual knowledge,” it is imperative that organizations actively identify fraudulent and inappropriate activities on a constant basis and take the required steps to remedy them. In fact, for this reason alone, while “voluntary,” active, effective compliance and ethics programs are a must in business today, whether the organization is for-profit, not-for-profit, publicly traded, or even a charitable foundation.
Even before getting into the details, at a macro level, a perceived lack of organizational commitment to compliance and ethics in today’s environment sets the mood and the stage for a host of unpleasant consequences. An ineffective compliance and ethics program, and therefore the resulting inefficiency, inaccuracy, and unidentified inappropriate activities, makes an organization vulnerable to myriad negative consequences ranging from lowered employee morale to criminal and civil exposure, including possible exclusion from government programs.
The overarching lack of trust and confidence in an organization’s commitment to “do the right thing” builds when management, employees, and/or customers believe that the organization’s compliance and ethics program is merely a façade that lacks in substance. Many organizations do not believe that stakeholders recognize such subtleties. Experience has proven with regularity that the opposite is true. In the most extreme cases, when a program is ineffective, the sentiment that the compliance and ethics program is a cover-up for improper activities can build in key stakeholders such as employees. Thus, it is vital that organizations make a firm commitment to compliance and ethics by implementing a program that is effective.
The Seven Basic Elements Of A Compliance and Ethics Program…Gone Wrong
The concept of a compliance and ethics program relies on seven interconnected founding elements: (1) designating a compliance officer, (2) developing written standards of conduct and policies and procedures, (3) providing training and education, (4) promoting open and effective lines of communication, (5) enforcing compliance and ethics standards through disciplinary guidelines, (6) auditing and monitoring for compliance and ethics, and (7) responding appropriately to offenses.
Each compliance and ethics program element creates, stems from, and/or relies on the others to some degree. When one element is lacking to any degree, the other elements will suffer. Each element has vulnerabilities—“breaking points”—actions (or lack thereof) that render a basic element less effective or hinder it from achieving its goal. Below is a discussion of each element’s purpose and various breaking points that may impede it from serving its purpose.
Compliance Officer
The compliance officer is the leader or figurehead for an organization’s compliance and ethics program. To successfully lead any venture, to some degree a leader must possess the following characteristics: technical skills and knowledge, vision, authority, support, and charisma. This new profession (or skill set) of compliance and ethics is complicated, requiring a broad understanding of all aspects of the business while not actually being fully responsible for any one particular aspect of the business. For example, a compliance officer must be able to understand at a detailed level a company’s billing, finance, operations, and quality functions, but he or she will not actively work in billing, finance, operations, or quality assurance.
To know when an organization may be lacking in compliance and ethics or engaging in inappropriate activities, a compliance officer must possess the technical skills and knowledge of specific industry operations, rules, and regulations to appropriately investigate potentially inappropriate situations. This includes an understanding of financial statements, billing and accounts receivables, accounts payable, operations, arrangements and contracts, and industry legal requirements and regulations. The compliance officer also must have the overarching understanding of how each of these aspects of business affects the others. All too often in many organizations, the compliance officer does not have this breadth of experience or the full complement of leadership qualities demanded by the critical functions.
Compliance officers tend to rely too heavily on the individuals performing the functions being investigated; therefore, they may not be able to ask the right questions or explore the answers provided for truthfulness and accuracy. They may not know when outright fraudulent schemes are in play or when ignorance is causing inappropriate or illegal actions.
An organization must select a compliance officer who has a clear vision for and commitment to ensuring compliance and ethics, but many either do not have this vision or are unable to communicate it. This individual must inspire his or her supporting compliance and ethics committee to be creative and effective in weeding out non-compliance and encourage employees and management to act in a compliant, ethical manner. This vision and purpose must be communicated to all parties in the organization: board members, compliance and ethics committee, management, employees, and customers. If designated from within an organization, the compliance officer duties may be piled on top of an already full load. The designated individual may not have a clear vision for compliance and ethics, may not have the time or focus to make it happen, and certainly may not have the energy to inspire the organization to be compliant.
Recent experience with complete compliance and ethics plan ineffectiveness at a client organization was directly related to the compliance officer. After eight months of performing detailed compliance and ethics-related assessments, audits, and reviews for a company under corporate integrity agreement, the compliance officer had never attended a single meeting in person. On the rare occasion when he actually attended a meeting, he would call in. Moreover, as a member of upper management, he was the worst offender of specific compliance and ethics-related policies that were created to correct situations that were being investigated by the compliance and ethics committee. Worse yet, the policies were distributed to the group via memoranda that he approved and that went out under his name.
This was a small organization that had delegated the duty to a well-respected, high-level individual who already had a full plate of duties. Thus, he served more as a figurehead for compliance and ethics who would sign memos that the committee created, rather than a true leader of the effort. Unfortunately, these or similar circumstances are not uncommon. The problem became obvious and resulted in additional obstacles for the committee when attempting to enforce policies with any other individuals. As was recommended to the organization, a more effective individual replaced the original compliance officer, which made all compliance and ethics activities from that point on smoother and more effective.
Summary of Compliance Officer “Breaking Points”
Inadequate technical skills (auditing, verbal, and written communication), knowledge (finance, operations, reimbursement, legal requirements), compliance vision, resourcefulness
Lack of financial resources, labor support, and/or commitment from employees, vendors, management, CEO, and board of directors
Lack of authority to enforce standards, policies and procedures, disciplinary action
Lack of direct line to the CEO and board of directors
Outsourcing of compliance responsibilities to avoid accountability or integration into the organization’s operations
Conflicts of interest and/or lack of independence
Standards of Conduct and Policies and Procedures
Standards of conduct and policies and procedures are the fundamental documentation underlying a compliance and ethics program. The standards of conduct must set the tone for all employees to resolve to put forth proactive efforts to comply with the organization’s compliance and ethics program and generally act in an ethical manner. In effect, they are the mission statement of the compliance and ethics program. They do not, however, lay out detailed rules and procedures specific to certain issues or processes.
Compliance and ethics policies and procedures, on the other hand, are very specific to individuals, situations, and processes. They provide a knowledge base for the reasons behind compliance and ethics-related practices through the statement of the policy and purpose of the document. Furthermore, through the actual procedures, they serve as clear guidelines for how to fulfill the compliance and ethics directive or how to perform specific functions in compliance with rules and regulations.
Without standards of conduct or comprehensive, clear, and accurate compliance and ethics policies and procedures, a compliance and ethics program is non-existent. Policies and procedures that contain outdated, inaccurate, or misleading information may cause individuals to act inappropriately when their intentions were in fact to act appropriately. Should the policies and procedures be too theoretical or cumbersome for the average employee to use, the policies may cause accidental mistakes and compliance and ethics risks out of confusion. If accurate and current, but inaccessible or unavailable to employees due to a lack of education regarding their content or inadequate dissemination, the policies, again, are as ineffective as if they were non-existent.
Client kick-off meetings for compliance and ethics-related projects often begin with the client typically providing us with a substantial document entitled, “Compliance and Ethics Plan, Policies, and Procedures.” Usually, an employee who is no longer with the organization created the document, and no other person in the organization has read the “plan,” which was based on a boilerplate and not tailored to the operations of the specific program. It often reads like a book and not like a resource manual that is indexed and can be easily searched, and it does not identify the responsible parties for specific functions or the practical application of the policy. Furthermore and also common, the policy may be written in legalese that an average employee cannot interpret and use in a practical setting.
This form of compliance and ethics plan, or collection of policies and procedures, is a liability to an organization. It creates a false sense of security to management that someone in the organization has implemented “compliance and ethics” so that inappropriate activities could not be occurring. Moreover, if under investigation, the policies and procedures may serve as “proof” that an organization “knew” what was proper and improper but was “intentionally” acting improperly despite the policies.
Ask an employee with direct responsibility for important business functions, such as billing, if he or she can describe broadly the content of the compliance and ethics policies and procedures. If he cannot, it is time to revisit the policies and redistribute them in an alternative manner.
Summary of Policies and Procedures “Breaking Points”
Lack of, or lack of proper dissemination of, policies and procedures
Inaccurate, highly theoretical, non-tailored, out-of-date policies and procedures
Training and Education
Along with auditing and monitoring, training and education is another key to achieving successful effectiveness. It is of paramount importance to effectively communicate both the structure and substance of a compliance and ethics program to all organization stakeholders. Without communicating how the program works and what it is trying to accomplish, the program is like the sound of a tree falling in a forest with no one around to hear it.
Since all organizations are different, varying in size, function, structures, employee education level, mission, cultures, etc., different levels and forms of training and education must be employed. Whereas all employees should have some level of education in compliance and ethics, more extensive education in specific areas should be given to the appropriate employees. The training cannot be boilerplate, and it must address the risk areas specific to the organization and the employees performing different functions within the organization.
To soundly convey the compliance and ethics program’s message and capture the attention of the audience, education must be creative and accurate. Experience indicates that as much live training as is feasible increases the success of efforts. By augmenting live training with a variety of media such as seminars and conferences, memoranda, one-on-one instruction, postings, etc., the information will be more readily retained by the audience. Clearly, the content of the education must be accurate, current, and conveyed in a manner understandable to the audience. The efforts of creating solid policies and procedures, conducting thorough audits, holding regular compliance and ethics meetings, etc., are futile if individuals throughout the organization do not understand the compliance and ethics efforts being put forth and their responsibilities under the program.
Clients often voice concern over the expense of recommended compliance and ethics training programs. This is due to the various types of training suggested to be given by qualified trainers geared at reaching the appropriate audiences with the right information. Clients often search for the least-expensive, non-tailored, online compliance and ethics training and hope it can serve as the complete package. Although several online training programs are very good products and can be effective, they should be supplemented with education tailored to the organization explaining how compliance and ethics has been integrated into the organization’s operations. In addition, online forums dismiss the value of a live forum for the exchange of ideas and questions. Live training programs usually lead to the discovery of compliance and ethics risks or areas of needed improvement through questions from the employees—education traveling in both directions. Taking shortcuts in training often results in higher long-term costs from re-training and poor compliance and ethics.
Summary of Training and Education “Breaking Points”
Poor/incorrect/inadequate content (in general or for the specific audience)
Unqualified trainer or train-the-trainer dilution of content
Sessions too long, over-packed with information, not made to be interesting (monotone trainer, lack of multimedia use), not required, not frequent enough
Lack of variation in education (training sessions, memos, postings, one-on-one instruction, Web-based training, etc.)
Too heavily based on online or Web-based training programs
Open Lines of Communication
Employees, agents, customers, and management should be free to express concerns, request information and education, and discuss situations without fear of retaliation. Often the most valuable information regarding compliance and ethics risks comes from an individual raising a concern in passing without fully understanding if a violation is occurring or if an issue really exists. That type of communication should be nurtured and encouraged, which is best accomplished when an anonymous reporting mechanism exists and when resolution of the situation is communicated back to those concerned. Many whistleblowers only seem to take that route after raising an issue multiple times with no apparent or communicated response from the organization. Thus, effective and open communication must have the elements of anonymity and responsiveness in return.
Communication must go both ways, which is difficult when reports of suspected violations occur anonymously. An effective compliance and ethics program will appropriately investigate reports of misconduct and resolve the issue. From time to time, an investigation will show that an action was appropriate even though it appeared inappropriate. (Laws and regulations are often difficult to understand, and complex safe havens may be appropriate when appearing to be in violation.) If the resolution of that issue is not communicated back to the anonymous reporter, this individual may grow disgruntled at the perceived lack of attention to the matter. Thus, broader communication to the entire organization regarding the issue and the resolution may be warranted.
Smaller organizations often have a difficult time implementing “anonymous” reporting mechanisms, sometimes due to the cost and sometimes due to the inevitable nature of knowing where information came from when an organization is very small. Thus, in addition to an anonymous reporting mechanism, the culture of openness and non-retaliation must be present.
Summary of Communication “Breaking Points”
Lack of understanding of what should be reported and the obligation to report suspected inappropriate actions
Lack of culture of openness and non-retaliation regardless of anonymity
Lack of anonymous reporting mechanisms or knowledge of the mechanisms for reporting
Fear of retaliation or retaliation itself
Lack of follow-through with information communicated or lack of feedback regarding resolution
Disciplinary Guidelines
In an ideal world, individuals would follow rules and regulations because it is the ethical thing to do. In the real world, however, consequences for violations are necessary to enforce rules and regulations. Thus, a vital element of effective compliance and ethics is disciplinary guidelines.
Disciplinary actions serve two main purposes: (1) to punish an individual or entity for violating a stated rule or regulation and (2) to deter others from future violations. Disciplinary guidelines are ineffective when they are not communicated, not enforced, or not enforced in a timely manner. When misconduct is uncovered, whether intentional or due to “ignorance” of how to act when sufficient training has been provided, disciplinary actions must be enforced.
Compliance and ethics programs quickly begin to break down when the consequences of misconduct are not enforced. The individual who acted inappropriately will realize that his or her improper actions will not be punished. He or she perhaps will continue the inappropriate actions or possibly escalate the behavior to illegal actions. Moreover, this sets a negative precedent for the organization, instilling others with the idea that inappropriate behavior will go unpunished. The incentive to do the right thing is diminished, and when an individual is faced with the choice of acting improperly for his or her own gain, he or she will have a stronger temptation to act improperly.
A common practice in business, which is often the most damaging to compliance and ethics efforts, is when an upper level manager acting inappropriately is not disciplined in accordance with policy. Experience shows that administrators, managers, and other employees who worked in an environment “pre-compliance” do not easily adjust to the documentation requirements and scrutiny that compliance and ethics activities add to their daily practices. Due to their often extended tenure, these individuals are also often highly respected and in powerful positions in the organization. When they are allowed to get away with non-compliant actions, even when they are “just doing things the way they have always been done” and not intentionally trying to act illegally or inappropriately, they create a culture for permissive violations and/or unequal application of the rules based on position. This lack of enforcement may clear the way for others to purposefully violate the rules. Compliance and ethics has to be taught not only through the “classroom” but also through the actions of all employees, especially those in positions of power.
Summary of Disciplinary Guidelines “Breaking Points”
Not communicated or made clear to employees/contractors
Not enforced when necessary and as stated
Not progressive or fitting for the “crime”
Not determined on a case-by-case basis
Auditing and Monitoring
Although open lines of communication may help raise compliance and ethics violations, systematic auditing and monitoring are critical to the plan’s effectiveness. Routine, consistent auditing and monitoring is a must to find patterns of non-compliance due to system problems, human error, or actual wrongdoing, which may not be reported through other channels as a violation. Hand-in-hand with the disciplinary actions, they demonstrate to employees that proactive measures are being taken to ensure that the organization is in compliance with applicable rules and regulations, including its own policies and procedures.
Auditing and monitoring presumably break down when the audit plan, schedule, and/or resources are insufficient to review all potential risk areas, are left incomplete, or are ignored. Audits must be planned and scheduled in order to ensure that all risk areas are reviewed and reviewed often enough to produce effective results. When audit schedules are not well planned or followed, simple errors that accumulate into patterns of abuse are not discovered as often or timely as necessary to ensure swift and simple resolution. Individuals acting inappropriately can gain confidence due to the lack of “policing” of their activities.
Experience in the real world teaches that audits conducted internally or externally usually do not produce error-free results. Even with vigilant efforts to comply, errors occur that must be corrected, especially when industry rules change and evolve frequently or when regular updates to software, inventory, pricing, etc., are required. Regular audits help to correct these mistakes that can lead not only to abusive practices but also to simple inefficiencies and inaccuracies that can cost an organization significant dollars.
Summary of Auditing and Monitoring “Breaking Points”
Auditing and monitoring schedule not sufficient (substance/number/frequency), not followed, or not dynamic/changing to fit new situations, fraud alerts, industry developments
Auditors not trained well (in auditing techniques or content of audit), not cooperative, or not cooperated with
Lack of independence/objectivity or conflicts of interest
Responding To Offenses
When offenses are discovered, swift and appropriate actions must be taken. An adequate investigation of potential violations must be timely, and when inappropriate actions are discovered, the individuals involved must be disciplined in accordance with the compliance and ethics program, and corrective actions must be put into place. If a violation is discovered, it does not mean that a compliance and ethics program is ineffective. Rather, it demonstrates that compliance and ethics efforts are doing their job by finding offenses. Where the compliance and ethics program becomes ineffective is when the organization does not “learn” from the discovery. Understanding how the violation was allowed to occur and putting into place corrective actions to ensure that it does not occur again demonstrates an effective compliance and ethics program.
A common scenario with organizations whose audits discover inappropriate conduct demonstrates how compliance and ethics programs must have a defined process for responding to offenses to ensure that our human nature does not thwart compliance and ethics efforts. Executives usually panic first when an audit produces negative results that require corrective actions. They often spend too much time quantifying the situations and deciding how to take “immediate” corrective actions. The issue draws out for so long that the client tires of the issue and fails to implement a solid and direct corrective action plan to ensure the actions are not repeated. Immediacy and steadfastness in responding to offenses are required for effective compliance and ethics programs.
Summary of Responding to Offenses “Breaking Points”
Investigations not thorough/comprehensive/timely
Immediate remediation of problem not taken
Long-term corrective action plans not put into place
Lack of continued monitoring into areas of proven non-compliance
Lack of enforcement of disciplinary guidelines