Last April, the Department of Justice issued new guidance to help prosecutors evaluate corporate compliance programs. In the world that compliance officers and in-house counsel occupy, this is a little like Major League Baseball announcing it’s reinterpreting the strike zone.
How prosecutors look at compliance influences all corners of corporate governance. That may seem odd given how few companies ever come under a prosecutor’s scrutiny, but it’s part of the grand bargain between regulators and companies that is corporate compliance.
So what does this new guidance tell prosecutors, who will be undergoing new “training programs across the Criminal Division” to enhance their understanding of compliance?
The short answer is a whole lot. There are 18 pages of text incorporating roughly 100 questions that prosecutors are asked to consider.
But more important than the individual questions, in my mind, is the focus. The guidelines highlight three “fundamental questions,” and the first one asks, “Is the corporation’s compliance program well designed?” The answer, according to the DOJ, depends on how well the company understands and scrutinizes its “risk profile.” The guidelines make clear that corporate compliance programs must be risk-focused endeavors, tailored based on risk assessments that look at everything from operations, industry sector, and market pressures to business partners, foreign government involvement, and third-party payments.
This is music to my ears. I have been arguing for a risk-based approach to compliance for years. Instead of following a criminalized approach, which is reactive and tends to simply add compliance training according to the scandal of the day (training that focuses on legal rules employees don’t necessarily need to know), compliance programs should be more about conduct risk. What risky conduct are a company’s employees likely to engage in based on their position, role, skill, and interaction and influence over others? An effective compliance function does the work to determine these risks and then designs interventions to lessen them.
Those in heavily regulated industries such as finance and healthcare have been steadily moving toward this approach, but there is much work to be done, especially in other industries. For example, ABInBev recently remade its compliance program, centralizing it to be more responsive to global risk. In line with the DOJ’s new guidelines, the company began with a risk assessment, identifying its most problematic areas—including anti-corruption, anti-competition, and third-party risk—and tailored its program to them. The result was a streamlined code of conduct and new mobile app that gave employees direct access to compliance officers on these issues in a “just in time” model.
But even more innovative was ABInBev’s new analytics platform that integrated data from finance, compliance, and human resources to better understand and identify risky transactions. Essentially, the company created its own risk score for transactions that takes into account multiple risk attributes, such as how urgent a payment request is or whether it is to a state-affiliated entity. Transactions with higher risk scores receive more scrutiny. Dozens of data systems from as many countries are integrated into one “cross-functional” compliance program, able to spot patterns and identify violations. This approach is not only more accurate in ferreting out wrongdoing, but it is cost-effective too. As the Financial Times reported, “The potential savings are obvious: not only would the company not have to pay teams of forensic accountants or investigators, but it would be able to improve its compliance practices and thus protect itself from fraud, and the financial and reputational damage that would ensue.”
ABInBev’s story shows the promise of a risk-based compliance model, but it also highlights a way the DOJ’s new guidelines—and companies following them—can go even farther.
Nowhere in the description of a well-designed compliance program is there mention of behavioral ethics risk. While I didn’t come up with that term, I may invoke it the most. Behavioral ethics risk is compliance risk created by the unethical decision making of employees. And, to me, it’s the crux of corporate wrongdoing and the necessary focus of truly effective compliance programs.
To explain, corporate compliance turns on individual employee behavior. If directors, managers, and lower-level employees act in a law-abiding and ethical manner, the company will likely avoid legal liability and significant disruption of its business practices. This means that companies intent on creating proactive compliance programs must develop the “skill [of] predicting human behavior.”
But here’s the difficulty: behavior is predicated on individual decision making, in this instance ethical decision making. So for companies to do compliance right, they have to understand how ethical decision making works and how to intervene to foster it.
Even for a company like ABInBev, this is a challenge. As I’ve described elsewhere, ethical decision making is a slippery concept. While we all are capable of making thoughtful ethical decisions, even under difficult circumstances, often this isn’t easy to do. Whenever we are under cognitive load, pressured by time, or otherwise fatigued, we can succumb to the automaticity of self-interest and make an unethical decision. This is more likely when we’re psychologically close to others acting unethically, such as a co-worker cutting a corner or ignoring a clear rule. Once we take a step down that path, it’s difficult to reverse course; human beings are incredibly adept at rationalizing their wrongdoing so they can continue it. And bad conduct in an organization can easily spread, creating a culture that reinforces unethical decision making and creates systemic behavioral risk.
In order to intervene before it gets this far, a company must merge data science, behavioral insights, and legal and regulatory acumen, all focused on helping employees make more ethical decisions. I’ve argued this can be done and provided the behavioral and corporate governance theory necessary to do it. Companies can take steps to foster ethical decision making throughout the life cycle of their employees, creating positive cultures in the process.
But you don’t have to take my word for it. A number of companies are using behavioral science to reimagine the workplace, and some have turned their attention to compliance. One of the best examples is a company called Starling Trust. They use data analytics and machine learning to identify groups of influence within a company and then build corresponding models of trust relationships. The company, which has already worked with at least one large bank, can predict when trust is eroding in an organization, which often correlates with other behavioral risk-based events that can lead to corporate wrongdoing. Starling is now beginning to develop “nudging” technology to prospectively intervene with employees who pose the most behavioral risk to their organizations.
This concept—using technologically delivered behavioral science to address ethical decision making—is on the forefront of compliance initiatives and offers real promise in addressing the persistent misconduct seen in corporate America. That’s the type of guidance prosecutors and companies alike should be trained on.