Compliance is often practiced best outside of the office
Early in my career, I was working at the Mayo Clinic in Rochester, Minnesota. I was being trained in to a new department by a fellow I will call Bob. Bob and I met with a physician who listened to Bob describe his work on a billing form. Apparently this was not their first discussion about this form. The form was intended to reduce billing fraud. I noticed the physician was starting to shake. His face was turning a very unnatural color of red. I wasn’t quite sure what was happening; however, I was sure whatever was about to happen wasn’t going to be good.
The doctor finally blurted out ‘Analysis paralysis. Let’s just get it done.’ Bob was dumbfounded. He was trying so hard to do the right thing and get it right. However, the doctor was absolutely right. I had been watching Bob tweak this form for weeks. He would move something over to the left, then up, then down, and then back again. What does this have to do with compliance? Everything. Compliance is fraught with people like Bob.
We have people that have spent years writing dozens of policies and procedures because policies are important. I had one colleague who wrote policies, a code of conduct, and a compliance manual for a year and a half before ever coming out of his office to do anything else. While we write, new court cases and settlements are happening. Most settlements involve problems that a child could tell you were wrong. Nobody needed a policy to tell us it was wrong. So what is the answer? Stop writing and go find, then fix, a problem.
While performing my duties as a compliance officer at the University of Wisconsin, I received a call from a compliance officer from another organization. She wanted me to come speak to all of their compliance officers who were assembling in Minneapolis. She wanted me to speak on compliance as a verb. I told her that I would love to speak; however, there was one problem. I had no idea what she was talking about.
A little less conversation
She explained that my outside counsel had told her that I practiced compliance outside the confines of my office, meaning that I would walk around and ask people if they were aware of any problems. She had heard I would go talk to the people in charge of the area with a problem and work to get it resolved. She wanted me to tell her people how to ‘do’ compliance rather than to just talk and write about it. I also coordinated auditing and monitoring, analyzed risk, wrote a (short) code of conduct, and performed all of the other essential elements of an effective compliance program, but she was interested in the active or more direct components of our activities. I told her I understood what she meant and would be glad to speak to her group. My frustration is that there is still an overwhelming propensity for people to write, talk and analyze and that it is hurting compliance.
We have people who insist that education, codes of conduct, and an ethics video from the CEO (much like Ken Lay’s at Enron) are all you need. They spend hours producing, writing and preaching. One organization fired two CEOs while they continued to tell people to ‘do the right thing.’ The second CEO to lose his job was caught having an affair with an employee. Ironically, he was brought in specifically because of his outstanding character and the lack of character of the previous CEO. All this time their ‘compliance professional’ was speaking all over the country about their tremendous ethics efforts. When asked, ‘What about compliance?’ their response included a wave of the hand and a shake of the head, saying, ‘We let the departments do that.’
Ethics is important, but it can’t be all you do. Telling people to do the right thing is appropriate, but it’s not enough. It doesn’t help those who think they are doing the right thing, but aren’t. It doesn’t help find people who are doing the wrong thing until they get caught. Stop preaching and start actually doing something about the problems.
Risk managers spend endless hours arranging and rearranging spreadsheets. Columns are added, and there is more rearranging. Meetings are held, and there is more rearranging. Down the hall from this risk-swapping meeting, a complaint is registered by a concerned employee. The problem is standing out naked in the field for everyone to see. But we are too busy writing our policies, doing our ethics video, or rearranging our risks to spend time resolving a problem.
Standards are very helpful. However, standards don’t find and fix problems. We have people who have spent years determining what elements should be in a compliance program. They have met and met and met repeatedly. They have argued and argued and argued. Hundreds of pages of documents have been created describing what to do; thousands of words describing, in excruciating detail, what should be included in a compliance program. On top of all that, each compliance program is unique to each organization and should be adjusted to its size, industry, culture and specific risks. Maybe we should simplify the standard into four words: find and fix problems.
Sending the wrong message
Legal analysis is important to be sure. However, problems occur when the legal analysis becomes an endless theoretical discussion about the grayness of laws. Why not just walk down the hall and ask the person who is close to the edge of the law to back off a few steps? Oddly enough, this suggestion is often followed by, ‘We have to calculate our business risks.’ It seems to me we are often multiplying our business risks when we try to calculate the odds/penalty of getting caught and what we lose if we follow the law. And what about the message we send to our staff when we ‘calculate our business risk’?
We rewrite the laws into policies. We toil over documents to get them ‘just right’ from a legal perspective. We reword our wording and then reword that. Some employees have no chance of understanding what problem the legal analyst is asking them to prevent. What the legal analysts claim is that if the document doesn’t pass ‘legal muster’, we will have legal risk. Ironically, while everyone is arguing and rewriting the documents, another problem goes unresolved because some employee has no idea what the document says.
The world is full of people who lead us to analysis paralysis. They typically don’t cause too much harm. The software is developed a little behind schedule. The marketing plan is delivered a little slower, but no real damage is done. In compliance, it doesn’t work that way. If you don’t find and fix problems, real damage is done. If you don’t find and fix the problem, it can cost people their jobs, their freedom and millions of dollars.
Education, policies, legal analysis, ethics, risk analysis and standards are all important parts of compliance programs. They are, however, not enough and are often over-engineered. They are a precursor to finding and fixing problems. They are the means to an end. They are not a solution to a problem.
Have you ever watched the Enron, Tyco or HealthSouth congressional hearings? The congressmen interview people from legal, audit, ethics, risk and a myriad of other players. Everybody tells Congress how busy they were. Then they are asked what they were doing while this problem went unresolved. Their answer includes a description of all the work they did analyzing, writing, teaching ethics and creating a standard. The congressman then asks, ‘You knew about this problem and did nothing?’ Therein lies the problem.
These people think they are doing compliance. The most poignant moment in all of the compliance-related Congressional hearings was when the Enron audit committee chairman said something to the effect of, ‘I just don’t know how this could happen. We had the best set of policies in the world.’