The enforcement stakes in the United States and beyond are increasingly high, as the bar for attracting regulatory and law enforcement scrutiny seems to be increasingly low.
But there is a balance to be struck between mitigating risks and maximizing profits. Unless and until you find that balance, even the most well-intentioned compliance efforts are at risk of failure.
In the rush to address compliance risks, one can forget that law enforcement and regulators repeatedly advise that they expect companies to take risk-based steps to implement compliance programs and internal controls. Hard as it may be to believe at times, the law enforcement standard is not perfection, and it can be all too easy in managing compliance to let perfection be the enemy of the good.
But the following guidelines can help you measure and manage risk, while supporting and facilitating both business and compliance success:
- You can’t be effective if you are “Dr. No.” If the business you support knows that your answer will always be “No,” business people will eventually stop asking the questions. When challenging compliance issues arise, it is important to engage and educate the business, while partnering to try to find a workable solution that alleviates the compliance concern while allowing the business to move forward. Show that you share the same goal, or you are likely to be isolated and circumvented.
- Compliance is about risk mitigation, not risk elimination. If humans are involved, you cannot eliminate all risk. If you try to do so, you will become an obstacle the business will seek to avoid, rather than an advisor the business trusts and seeks out for counsel.
- Government interactions are not a red flag, but do require thoughtfulness. Interactions with government officials are an inevitable part of any business, particularly when operating across borders. They are also high-risk from an anti-corruption perspective, and therefore merit close attention. But their presence in business activities is not a red flag in and of itself. Approach them with care, but respect that they are often part of the business as usual.
- Red flags are not by definition insurmountable. As the name suggests, a red flag is a warning sign, not a sign of surrender. The key is to examine the facts and circumstances, dig as necessary to gain the full picture, and assess whether you can move forward comfortably. In many circumstances, what at first blush may appear to be a significant issue can be easily addressed through contract terms, certifications, training, staffing decisions or other modifications that mitigate the risk in a demonstrable and well-documented manner.
- There is almost always a path to the desired result. When a legitimate business initiative conflicts with a compliance concern, there is likely some solution that can accomplish the goals of all involved. Any well-trained lawyer or compliance professional can create hard-and-fast rules or take the easy path to “No.” Those who are most effective will take the business’ goal as their own, and seek a way around the potential impasse that maintains their standards of risk aversion while supporting the success of the enterprise.
Compliance professionals, like the businesses they support, must constantly evolve and adapt as their environments change. That includes periodically assessing whether their approach to risk management is tuned appropriately to the needs, initiatives and footprints of the business at issue. That is never easy, but it is vital because overcorrecting in either direction can lead to the same result — failure of your program to prevent, detect and respond to the risks it is designed to address.
This post was originally published on the FCPA Blog.