One of the pieces of advice I regularly give to compliance people wanting to know “where do I start?” is to pick a place and start.  The act of starting brings its own momentum.  And there’ll be enough to do that you can start anywhere.  Like in military parlance, any action is better than none.

But that’s advice for the curious.  Advice for the serious is slightly different.  It’s not that my advice isn’t good, it’s just that, for serious people, more specifics are necessary.

So, let me pretend for a moment that I’m a new compliance officer at a new company, and tell you how I would approach things.  Here are my requests to the Chief Compliance Officer.

1. Show me the Code of Conduct and the Anti-Corruption Policy (and let me know when they were last updated).
2. Show me the most current risk assessment
3. Show me the training that we give to high-risk employees
4. Show me the due diligence process we use for third parties

Those four things will tell you a lot about the compliance program.  The policy will tell you whether the program is designed and documented by lawyers, for lawyers.  Also, you can see if the company has made the hard choices: how do they want to handle facilitation payments, to use one example.  The current risk assessment will tell you about whether the company understands its risk.  The first question is whether there’s a separate risk assessment at all.  If so, you’re already one step ahead.  Same with the training to high-risk employees.  If the company has it, you know that (a) they understand their employee base, to understand risk and (b) whether the training is any good.  If you see training that’s all about the law, the company is doing it wrong.  If the answer is that the company has one training for all employees, they don’t recognize tiered controls.

Tiered controls is the way to maximize your return on compliance investment.  You want to spend the most money on those areas that address the highest risk.  Otherwise, you’re misallocating assets.  Compliance is hard enough without the business knowing that you don’t know how to spend money effectively.  Training everyone the same way is a waste of money on some, and an underinvestment for others.

Finally, I would want to see the due diligence process.  I’m looking for one thing: how does the risk rating—there’s sure to be a risk rating—change the going-forward relationship?  If you risk-rate, and then nothing, it’s a problem.  For a lot of companies, the risk rating affects the contract provisions, maybe the need for a certification, but doesn’t really affect things going forward.  There’s no transactional due diligence, no KPIs, no single-point-of-contact.  (In case you’re wondering, “KPI” stands for key performance indicators.  They’re how you measure the performance of your third party).

So that’s my preliminary analysis.

Next, I would want to travel.  Go meet people.  Mainly, in my opinion, business people.  Talk to various levels of the organization in your riskiest markets first.  If you don’t have the budget to travel, the first people you need to talk to are your senior management.  Because talking to people—whether it be for training, or to enhance the risk assessment; which is what you’re doing—is something to spend money on.  And while you’re talking to your senior management, give them two messages: (1) anti-corruption compliance programs don’t come free and (2) they need to start asking one question, “what does compliance think about that?”  By asking that single question, you start driving compliance down into the business.  Because once people know that the question will be asked, they’ll start getting the answer through better engagement with compliance.  That’s your first ask.

Now you’re pretty deep into your program, but you’re still maybe 30 days in.

For the next 30 days, it’s all about learning the business.  Your mission is to dig into business processes.  You need to learn everything there is to know about how the business does business.  You need to learn their metrics, their language, their processes.  You need to engage with the business and let them get to know you.  Your travels should have introduced you to many of the key players.  Use those relationships—as new as they might be—to learn what their concerns are.  What keeps them up at night?  What are their pressures?  How are they measured?  Don’t make any suggestions at this point, no matter how tempted you are.  You’re just there to learn.

From day 60-90, you learn a new word, “tweak,” and you stay on message.  You’re not going to change processes, or institute new process.  You’re going to tweak processes that already exist.  The first thing you add to is the process for the ongoing evaluation of third parties.  Then the controls around paying third parties.  What you’re trying to do is answer the question: “how do I know that I’m getting what I’m paying for?”  If you have controls to address that question, you’ve significantly addressed the real risk you face.

Also, some low-hanging fruit.  Get a hotline number (either internal or through a third party), and advertise it.  Improve your training by focusing on your policies, not the law.  Find out what your existing finance policies are and link and label them into your anti-corruption program description.  For that matter, create an anti-corruption compliance program description.  You probably don’t have one.  Third, from your business “listening tour,” you should have an idea of how better to segregate your employee base by risk.  Do that.  Give some additional training—short, sweet, to the point, easy—to the highest-risk employees.  Include, at the end, a printable page with your name, email, and phone number.  Tell them to print it out, and keep it.  Follow up with an email that has the PDF of the same information.  Use that email list on a monthly basis to send around information you might want them to have, describing new cases, and what other companies did wrong.

Finally, use everything you’ve learned to sit down with the business and discuss where you want to improve the program.  This should be at least a half-day, if not a full day, activity.  At the end of the day, you should have crystal clear goals, designated resources within the business, budget, and a timeline for implementation.

Now you’re 90 days in.  You have a plan, you’ve used all your learnings to update your risk assessment, and you should start reporting out every month on your progress.  Start trumpeting your successes.  Let senior leaders know when new training has been rolled out.  Tell them why it’s better.  If you start getting calls into your hotline, let leaders know that you’ve established information chains, and are starting to see results.  Make sure to praise those business leaders who are helping you.  Be sincere, and make the praise visible.  I don’t care how senior someone is, they like seeing that their boss got an email saying how wonderful they are.

Eventually, you’re going to have to tackle the harder things: really improving your due diligence process, getting your CCO to report out to the Board, getting business-wide involvement in your risk assessment process, instituting technology fixes to your payment monitoring deficiencies (and you have payment monitoring deficiencies, I promise), getting Internal Audit involved in testing your program, and getting sufficient resources and budget to operate long term.  But those problems are the subject of another post.