By Adam Turteltaub
adam.turteltaub@corporatecompliance.org
I’m tired of hearing about “check the box” compliance programs.
I’m sure that there are some out there. I’m sure that there are some people who, either out of a lack of desire or coercion, do the least they possibly can. But for all the talk about avoiding “check the box” compliance programs, I wonder how many of them there really are. I also wonder if we’re doing ourselves more harm than good by suggesting that the business world is full of “check the box” programs.
Also, I’m not sure how to create a “check the box” program, given how complex some of the boxes are.
Often the concept of a “check the box” program is brought up by an individual or organization that is offering a product or service, or advocating for a set of standards or practices that do more than meet the existing requirements. A recent report on recommended best practices on compliance contained the phrase “check the box” five separate times. Among the things it said was, “…if all organizations adopted the principles and practices described in this report, ‘check the box’ programs would fade away and far fewer headlines would report the kind of organizational wrongdoing that jeopardizes public trust.”
That may be. But it’s also convenient to suggest that any program that doesn’t do what the authors or vendor advocate is somehow just going through the motions.
The corollary to these claims about going “beyond checking the box” is that checking the box isn’t good enough. The same report says that top compliance programs “…are not satisfied with the mere compliance or ‘check the box’ efforts.”
The fact is, though, that in some areas, checking the box, or mere compliance, is just fine. Driving at 65 in a 65 zone is a pretty “check the box” approach and about all that you need to do to stay in compliance with the speed limit. So are countless other rules and regulations that are pretty darn complex. If you make sure your sales people know that they can’t talk pricing with competitors, and they don’t, is that just checking the box? If so, what’s the problem? Should we be teaching them to run screaming from the room to go beyond check the box?
Other areas of compliance make checking the box really hard, mostly because it’s a hard box to fill. Take the area of rewarding good behavior and penalizing bad behavior. It has proven to be a surprisingly difficult part of the Sentencing Guidelines to follow. Many honorable institutions have struggled mightily with it, and not for reasons most outsiders would think.
The discipline part has proven relatively easy, although not always so. The reward part has been the complex issue, with many wondering what’s the right way to reward people for what they should be doing in the first place.
Using the driving analogy again, as a society we’re all generally comfortable with pulling people over for speeding and giving them a ticket. It’s the person who’s driving the speed limit that’s the problem: should we be rewarding her for doing so? Many think not.
But the biggest issue is that every time someone talks about “check the box” programs it suggests that the presence of these programs is a big problem that the compliance community faces.
That’s not the problem I see being faced by the vast majority of the thousands and thousands of attendees at SCCE and HCCA meetings.
To my experience there are two key challenges. The first is understanding what specific laws and regulations require and how to meet those requirements.
The other great challenge is a timeless one: getting people to act ethically and follow the rules. Sometimes the rules are complex, counterintuitive and difficult to follow. Sometimes cultures get in the way. Sometimes people don’t realize what they are doing wrong.
And, sometimes, well, people are just people. They have an alarming tendency to lie, cheat and steal if they think they can get away with it and still feel okay about themselves.
Research by Dan Ariely and others have proven that. And the never-ending stream of new laws is testament to our human tendency to try and get around all the rules we already have.
So let’s stop distracting ourselves and others with the idea of “check the box” programs, and let’s stay focused on the actual challenges at hand.
[clickToTweet tweet=”Check Your Use of “Check the Box” @AdamTurteltaub” quote=”Check Your Use of “Check the Box”” theme=”style3″]
Good article! I think that the concept of ‘check the box’ for compliance comes from two sources. The first, as you aptly note, is vendors. There are a variety of compliance products and services on the market, and it can leave the impression that it’s as simple as signing a contract and forgetting about it.
Organizational leaders are the other party who fall prey to this concept, primarily because they don’t really understand what it takes to build a compliance and ethics program. It’s not their area of expertise, and they often don’t really believe that the resources requested are necessary in order to satisfy the basic requirements.
The problem is that, as you note, the box is not so easy to check, and anyone who has ever built a program, or even managed one, knows that. It seems to me that with compliance, the more you understand it and the more experience you have, the less likely you are to be able to ‘check the box’, because you know all the issues that make that strategy infeasible.
My overarching conclusion, then, is that ‘checking the box’ is not something that a Compliance professional probably would aspire to, but rather a less knowledgeable person who hasn’t actually run a Compliance Program. Once you have been in that role, especially when you’ve been in it multiple times, you know full well that the box is never really capable of becoming fully ‘checked’….just my two cents!
Susan Walberg
Susan,
Your comments are 100% on the mark.
Ethics and compliance as a professional practice remains relatively ‘young’ vs. functions such as finance and legal. There are plenty of signs of increasing maturity. For example, increasing number of discussions within the profession on issues such as what constitutes excellent practice. Regulators are also playing a significant role in pressing for greater effectiveness in the work that compliance professionals do.
That said, I continue to encounter too many examples where compliance professionals focus primarily on completing a task (e.g. training, writing SOPs or doing a 3rd party ‘due diligence’) without any effort to question the outcome, impact or effectiveness of what they are doing. This approach is often either not challenged or (even worse) encouraged by the business leaders for whom compliance is a ‘necessary evil’ rather than a value added activity.
Whilst I understand and appreciate the point that Adam is making in his excellent article I believe that we, as a profession, must continue to challenge what we do and how we do it. The use of the ‘check the box’ phrase is a way of highlighting that whilst compliance professionals and their organisations may be consuming a tremendous amount of energy and resource, the impact of the work that is being done is not sufficient to address an underlying risk. Here is an example: it is rare to find a company today that does not do due diligence on their third parties. However, I come across many companies whose due diligence exercise is based on a questionnaire filled in by the third party plus an online search for articles mentioning the company. Sometimes a credit report is used in lieu of the external search. A business decision is then based on this level of information. Clearly the chances of picking up red flags (especially those associated with owners or directors of the third party) are slim. The risk remains un-addressed. Yet the company feels that they have met the regulator’ expectations by going through the due diligence process.
We should not underestimate the effort and resource needed to meet any one element of an effective compliance program. Compliance professionals must confront the challenge that often they do not have the required resources to do a thorough job. This fact has to be surfaced to management to avoid any illusions. In the face of limited resources and increased demands we have to become more effective in assessing overall risk and prioritising activities that carry the biggest impact.
Abdul
Susan! 100% on the money! I was ready to add these points which you did so articulately! I get Adam’s MetaPoint but this applies directly to inexperienced CCOs or those without real SME who are practicing “DIY Compliance” consisting of going through the FSG checklist and racing to throw Training, Hotlines etc at the wall to see how much sticks. The art and science consists of knowing how to design each element and ensuring they all “work” together, as do the subject matter experts, risk owners and other interconnected actors who must understand their responsibilities and be managed to avoid gaps and unnecessary risks and achieve the purpose of the program ! BestPractice Matters!!This is often the missing sauce I see when evaluating company programs.We’re talkin’ Compliance 1.0 vs Compliance2.0! Both VW and GM are headline examples of this(many others). I’ll post links to my columns on both of these. Some of the biggest practitioners of this are lawyers, GCs and law firm partners who assume that a reading of the FSG is a substitute for real experience and SME. oh yeah- ex regulators and ex prosecutors too. There is no Substitute! Today at CW2016 is the second time I’ve heard the DOJ say “We are ex-prosecutors, not compliance experts” in a nod to #HuiChen! #IndianaJonesCompliance #Barclay’s “Check the Box” is a shorthand for this unfortunate Compliance1.0 “DIY Compliance” phenomenon. Compliance2.0=>True SME structured to succeed with Independence, Empowerment, Line of Sight, Seat at the Table and Resources to do the job well! And I’ve heard plenty from SEC and DOJ here @CW2016 to believe they’ve got the memo too.
Perfect analogy from both Adam and Susan. Having a few years under my compliance belt, I feel more comfortable in my ability to recognize the difference between a check-the-box program and a more robust and mature program. But it hasn’t been so long ago that I was a brand-new compliance officer and grasped onto anything that helped me feel like I had SOMETHING covered and I probably would have latched onto a check-the-box program, if I could.
What we owe to our new(er) colleagues is an explanation, such as the one that Adam and Susan offer. We should help them know that a simple checklist is a step in the right direction, but before checking the box, train our colleagues to test the compliance by pulling the little frayed end of the string that is barely visible on the surface to see what else can be learned. A perfect way to pull that string is to engage individuals responsible for that area and ask probing questions like “Why?” “How?” “When?” “How often?” several times. What unravels may expose less than full compliance and is a more thorough review of the compliance objective. If nothing unravels, then check the box (speed limit=actual speed, check). As a compliance professional grows and matures, so does his/her understanding of the rest of the story (think Paul Harvey). There is always more to compliance than meets the eye (or ear).
It is always tempting to equate a checklist with minimal effort. However, it doesn’t have to be that way. A checklist can be a guide, with the substance being the nuts and bolts of your compliance program. I think you can recognize a “check the box” program when you have a compliance program that isn’t risk-based and isn’t specific to the needs of your organization. Good article and good comments.
Just remember where we would be as passengers if airplane pilots didn’t “check the box” (i.e., run their checklist) before they took off.
It’s OK to “check the box” as long as you can provide documented evidence to back-up why you were able to apply your check mark!
Thanks all for your comments. I really appreciate knowing I’m not the only one who was tired of hearing about “check the box” programs. Hopefully we can encourage others to stop using the phrase.
Yes, Adam, “check the box” has become a pat phrase some use to get you to buy into their approach vs. someone else’s approach. Quite frankly, if you have enough boxes, a “check the box” program could be a best practices program!
As a profession, we should be beyond such rote descriptions of ethics and compliance programs and have a more informed discussion of the issues. I’m all for a more informed discussion about effective ethics and compliance management and how to achieve it!
Agree 100% Jason. Some great analogies here The plane/pilot-excellent. Also love Deborah’s “frayed end of the string” Gonne borrow that one someday! All great comments everyone!
Comments are closed.