At this rate, I know, it’ll take quite a while to get through all 13 steps.  But one small step at a time.

Today’s step is all about reviewing your program on a regular basis.

I want to lay out the importance of this element first, then go into the specifics.

Not too long ago, Morgan Stanley got a bye —a total pass—because of their pre-existing compliance program.  The DOJ issued a press release on the case, and listed three things in it about Morgan Stanley’s compliance program that influenced the decision.

The first one:

“…Morgan Stanley maintained a system of internal controls meant to ensure accountability….  Morgan Stanley’s internal policies, which were updated regularly to reflect regulatory developments and specific risks, prohibited bribery….”

Now let’s turn to the language of the DPA itself, and element #5:

Alcatel-Lucent shall review its anti-corruption compliance standards and procedures, including internal controls, ethics, and compliance programs, no less than annually, and update them as appropriate, taking into account relevant developments in the field and evolving international and industry standards, and update and adapt them as necessary to ensure their continued effectiveness.

What does this mean, and how do you implement this in a real way?

Some might take a look at this and see a requirement to pull their policies off the shelf once a year, dust them off, and put a new coat of polish on them.  Then, after their “annual review” they can put their program on the shelf for another year, and check that box.

And don’t think that this description doesn’t apply to you.  I know I stated it a little more bleakly than usual, but if you’re really paying attention to this series, you are probably open-minded about the state of your program.  Think realistically about how you approach your policies and processes.  Because the annual review—and yes, you need to do an annual review—is not what this element is all about.

“Update them as appropriate” is important, and even more important is “taking into account relevant developments.”  Because this is the crucial piece of the program: the ability to be nimble.

This is something that Tom and I talk about all the time.  It’s crucial, but don’t get the impression that it’s easy.  Like all things worthwhile, this is difficult, and it’s going to take effort, willpower, and resources to get it right.  Let’s talk about the most cost-effective way to make this happen.  Because as Morgan Stanley found out, getting it right generates some huge benefits.

So what does it mean for a program to be “nimble?”

It means a few things:

1. You need lines of sight into your program so you can find information quickly.  For example, when you read new enforcement actions, and see a corrupt third party identified, you should be able to ping your program to see whether you’ve ever had dealings with that third party.  If you do find something, you need to be able to adjust to that fact.  In the case of a third party, you need to adjust your transaction monitoring of that individual, the risk ranking, and potentially start an audit.  (n.b. a lot of attorneys would tell you “terminate the relationship.”  Terminate, terminate, terminate.  That’s their answer to bad news.  I don’t think that’s always—or even usually—the right call.)  Whatever you decide, it should be a decision, not a default.
2. You need to review your policies and procedures when they fail.  This is also not so easy.  The main reaction to a failure is usually “move on.”  No one wants to dwell on—and certainly not to take ownership of—a compliance failure.  But the failures are where you learn.  And learning from failure is exactly what we’re supposed to do.  Revel in it.  Own it.  And make sure that you figure out what went wrong.  A side note: my practice is to figure out what went wrong, but I rarely dig too deeply into who went wrong.  That is, why the old process—the one that failed—was like it was.  You must find out—and potentially discipline—the employee who did something wrong.  But figuring out why the old policy was like it was is usually a wasted effort.
3. You need a line of sight into the business. If you’re doing compliance right, you are a partner to the business. I often say that 80% of compliance is “being in the room.” That is, knowing what the business is doing at any particular time. In this case, it’s knowing what the business is going to be doing. Is the business entering a new market? Developing a new product? Is there a new push toward opening new stores? (Not to think of any company in particular). If you know what the business is up to, you can anticipate new risk.

Recognizing the business priorities and the concomitant risk, and working the new issues into your risk assessment and plan, is what “nimble” is all about.

Notice, by the way, that this is an entirely different effort from the yearly review.

These three things aren’t easy. Developing a relationship with the business takes time and effort. It takes not saying “no” so much. It takes not being the “business prevention department.” Saying “yes” requires more work, on our part. You need to get creative. I used to call myself a creative solutions vendor to the business. You also need the right “ask.” Make sure you’re in the room. Get yourself invited to meetings. Don’t say anything in the meetings. Just listen. Add value where you can. Offer to help. Get one-on-one time with senior leaders. Listen to them.

Getting a line of site into your program is technology. You need the ability to interrogate the data you already have. This means payment data, contract data, salesforce.com data (or whatever CRM system you use). Plus, if you want to get advanced, you can use your eDiscovery technology to search your actual data. I love this convergence, because you already own the technology. Why not get the most out of it? That’s the essence of compliance convergence: using technology you already own in a different silo. I’m sure you have eDiscovery people: get to know them. For payments, talk to your finance people. You need to understand your finance controls to know where, and how, to interrogate your payments data. Plus, remember there are different kinds of payments: wires, ACH, checks, refunds, credits, loyalty point grants, and more.

Being willing to face your program head on takes investment of an entirely different type. Emotional investment. Or emotional humility. Either one. Both, more likely.

I heard Charles Cain at a conference. He was asked what factors in a company’s compliance program he considers important to a decision to decline prosecution. The first answer he gave was the ability of a program to be nimble.

And because I’m a fan of multi-channel return on investment, I’m happy to say that being nimble presents benefits beyond the immediate—and immense—positives for the program. There are controls that look good and there are controls that actually prevent bribery. You need both, but I’d rather have the latter. What you gain from being nimble—a partnership with the business, technology use efficiencies, and an ability to look dispassionately at your own program—actually prevents bribery. When you add value to the business, when the business knows that all you want is their success, you get something valuable: credibility.

We always talk about credibility in terms of your relationship with the DOJ. And we’re right to. It’s among the most important things.

Credibility with the business is more important.

Being nimble, going through what you need to go through to be nimble, leads to credibility, which leads to sticky advice. And that’s the endgame.

A nimble program has its priorities in order, a nimble program learns from itself, a nimble program can adapt, change, and actually works to decrease bribery across the business.