Flawless Compliance

How to Build Innovation into your Compliance Program

How much innovation do you have built into your compliance program? It may initially sound counter-intuitive, but you should consider innovation as a vital component of your overall attitude to compliance. In the absence of innovation, your compliance program will grow complacent and stale.

Obviously, Steve Jobs gets the importance of innovation. According to the Wall Street Journal, Apple recently announced plans to begin producing iPhones that will work on the CDMA network. This would allow them to run on carriers other than AT&T. In addition, the new iPhones, scheduled for a summer release, are likely to be thinner and have a faster processing speed. Apple could leave the iPhone just as it is for a year or so and do just fine in the market, but that’s not good enough. In spite of the iPhone’s huge success, Apple will not be complacent in its product development. Compliance is your product, and you should take the same attitude of constant and never ending improvement.

You may not consider lack of innovation a problem. Regulations and standards are clearly spelled out, and a good compliance program will acknowledge these standards, build policy and controls to ensure compliance and a system of evidence tracking that will prove your innocence. If you build a flexible program, as standards and regulations change you can adapt quickly. So what’s the dire need for innovation?

You won’t see the need until you step back from the regulations and address the risks that these regulations are trying to mitigate. I’ve written several times about the need to address governance, risk, and compliance from a holistic point of view. This is the critical thinking necessary to uncover the need for innovation. If your goal is to minimize your company’s exposure, you cannot stop at compliance. If you’re still in doubt, just ask Toyota. They claim they are fully compliant with all safety procedures—does it really matter?

The process of compliance innovation involves constantly improving your risk profile, to reduce your company’s exposure. Since this exposure can never be reduced to zero, this should be an evergreen effort. As difficult as it is for anal-retentive compliance professionals to be creative, you must periodically put on your thinking caps and explore what else could go wrong. Try to keep a healthy attitude about it, as it seems like a somewhat cynical way to view the world. You’re not suspicious or paranoid, but open-minded and inventive in spirit.

Let’s take a look at PCI compliance as an example. If you process credit cards, you must comply with Payment Card Industry’s Data Security Standard (PCI DSS).The first PCI DSS requirement is to install and maintain a firewall configuration to protect cardholder data. You could just put up a firewall and call it a day. After all you are in compliance, right?

The astute and innovative compliance manager won’t stop there. In a proactive and organized manner, this compliance manager will assemble a team to start brainstorming some critical ideas around the risks associated with this requirement. What risk is this requirement attempting to control? It seems like the prevention of unauthorized people accessing your data over a network. Can evil people get to your cardholder data through a network even if you have a firewall? Absolutely!

So, why not start taking extra measures to prevent hackers from coming into your company over the network. You could monitor network traffic for suspicious activity and / or setup traps and decoy data similar to the way banks have dye packs. This is just the tip of the iceberg. Use your collective creative talent to explore other ways to prevent hackers from stealing sensitive cardholder data.

You won’t start thinking in this direction until you start considering the risks associated with the compliance requirement. This is over and above compliance, but goes to the heart of keeping innovation in your compliance program. Start today by assembling your compliance team for an all important innovation brainstorming session.

How to Build an Effective Compliance Strategy

Setting your compliance strategy is the most imporant thing you can do this year. Have you addressed it yet?

Wow, can you believe one month of the year has already come and gone? Didn’t that go by quick? So, my question is, have you addressed your compliance strategy yet this year? If not, it’s about time!

Strategy is one of the most important things you can do for your compliance program, but it’s often overlooked. Reason being, compliance always seems to be an after-thought in the organization—a follower. The astute compliance officer however, will recognize that effective strategic planning is the hallmark of a compliance program that’s proactive, and in control.

There’s a lot of confusion, even at the C-level, over exactly what strategy is. Let’s get that clear now.

Compliance strategy is the framework used to guide the decision making process for the entire program. Strategy is not planning, although it’s closely related. A good strategy is built by asking powerful questions. When your strategy is complete, you’ll be able to answer the following questions:

• What are the current economic trends, and what risks will they introduce? For instance, what new risks will this less-than-flourishing economy bring on the horizon?
• What are the current social trends, and what risks will they introduce? The baby boomers are getting older and retiring, while Generation Y is migrating into the workforce. What sort of risks will they bring with them?
• What are the current government trends, and what risks will they introduce? This is a somewhat obvious one, but what do you think the current administration will do with its continued focus on increased oversight and regulation? How will that affect your compliance efforts in the coming months?
• What are the current technological trends, and what risks will they introduce? The rapid popularity of social media is continuing to introduce new and improved privacy concerns. How do you think that will affect you in the coming year?
• Are we anticipating any changes in our supply chain, and are there any new risks associated with that? A new supplier might bring a new set of compliance standards to deal with. Have you considered this?
• Are we targeting any new customer segments, or perhaps large customers? Will those customers come with any risks?
• What is the corporate strategy, and what risks will it introduce? This is perhaps the most important question you need to ask yourself. Get intimate with your corporate strategy. Your job is to protect them for what they are not considering. Are they moving into government sales? If so, you have a lot of compliance ahead of you! Are they planning to leverage cloud computing? If so, what kinds of risks does that introduce?
  

Answering the right questions for your compliance program will put you in proactive mode, instead of reactive mode. Proactive compliance organizations are more resilient, have the opportunity to install preventive controls instead of adaptive or corrective controls, and significantly reduce the exposure for their parent organization. If you haven’t yet addressed your compliance strategy, take some time today to answer these questions. It’s not too late to start the year off on the right foot, with a good compliance strategy.

This article comes from the January 2009 issue, in which I collaborated with one of my colleagues and image expert Ms. Angie Katselianos, who runs her consultance out of Milan, Italy. Learn in this article how to keep your cool when you find yourself in a hot audit situation.

How to Control your Image in an Audit

Picture Source

The next time you find yourself facing an audit think about this. A famous New York University established that when someone casts their eyes on you 11 major decisions are made based on your image within 7 seconds. Whether you realize it or not, your image is an asset or a liability that can either make you or break you. What impressions are you giving to your auditors?

If you don’t think it matters too much, think again. If an auditor suspects that something’s fishy, or things don’t seem right, your audit can quickly turn into an investigation. For instance, did you know that government contract auditors are trained by the government as investigators? If you show up for an audit projecting the wrong image, and an auditor senses wrongdoing, even if you’re not doing anything wrong, you could find yourself in the middle of something you don’t need to be in. Costly fees for lawyers and eDiscovery can be avoided if you just pay attention to what I call your "audit presence."

A while back I wrote an article for California Executive entitled, “Four Secrets to Passing Any Business Audit.” In it, I detail my fourth secret as “Make Sure You Control the Audit.” Most people don’t know they can control their own audit, because they assume the auditor should be running the show. This simply isn’t true. And since your image plays a huge part in controlling the audit, I turned to image expert Angie Katselianos for some additional advice. Ms. Katselianos is an image consultant in Italy that assists clients in improving individual and organizational performance. According to Angie,

” Developing a magnetic style and personal brand that conveys confidence, competence, and credibility goes more than skin-deep – it's an inside out job.

It starts with:

• Recognizing who you are;
• Building upon your distinct inner qualities and values;
• Aligning these with your professional goals and target market's values;
• and ultimately, Reflecting that integration in your personal appearance and style.”

Applying this to an audit situation brings us to my first and most critical piece of advice:

Audit Presence Tip #1: Know that You Are Acting Ethically and In Control

When Ms. Katselianos says it’s an inside out job, it means that you have to know within yourself that two things are absolutely true; you are ethical and have nothing to hide, and you are in complete control of your processes. There are subtle things about the projection of your image that you cannot control, but can absolutely be perceived by an auditor. This should come as words of warning to people that are trying to hide something, like the person who hides behind his defense lawyer knowing he’s guilty. You cannot cover up unethical behavior, even with the best training and tactics. In the game of Poker, when a person subconsciously signals to players what he’s thinking, it’s called a “tell,” something even professional players fall victim to. Walking the ethical route is the only way.

To know that you’re in control is a matter of audit intelligence, practice, and attitude. You must have the proper data systems in place to inform you of your compliance status, and you must practice different audit situations to know how you will handle them. After that, stop second guessing yourself. You have all the information you need to be in control.

Audit Presence Tip #2: Dress for Success

It’s no secret that the way you dress says a lot about how you feel, and vice versa. In Italy, when an auditor shows up at your doorstep, you would think they just walked off the catwalk at a fashion show. This is no accident; they obviously know the effect that image has on an audit. Ms. Katselianos states:

“The way you look affects the way you feel, and the way you feel affects how you behave. Dressing carelessly impacts your demeanor and influence to the same extent as when you present an impeccable outward appearance that projects indisputable leadership qualities.”

You need to dress sharply in an audit. If your auditor is wearing something business casual, you should be dressed in a suit. If your auditor is wearing a suit, you should be dressed in a better suit. The point is not to intimidate (which is probably what your auditor is trying to do), but exert power and control. This leads to my final tip.

Audit Presence Tip #3: Act Confident but Not Arrogant

There is a fine line between confidence and arrogance, so before we go any further lets highlight the difference. Dr. Alan Weiss taught me that confidence is the honest to God belief that you can help someone, and arrogance is the honest to God belief that you don’t have anything left to learn. You need to walk right up to the confidence line without crossing over the arrogance line. If you get arrogant, you and the auditor will be on opposing sides. This is not what you want.

Make direct eye contact, and stand up straight with your shoulders back. Smile, but do not smirk; this signals contempt. The easiest way to do this is to keep your thoughts in the right place. You are there to help the auditor understand that you have everything under control.

The path your next audit takes will be determined within the first seven seconds of meeting your auditor. In improper image can actually lead to a costly and time consuming investigation. You can avoid all this by first being the person the auditor wants to see: ethical and in control. Without this first component nothing else matters. Then, when the auditor arrives dress for success, and act confident but not arrogant. Take some time today to talk to an image expert like Ms. Angie Katselianos. One free consultation may save a lot of money and grief.

Building Cognitive Consonance

Wouldn’t you agree that in order for your compliance efforts to be successful in your company, your leadership must be taken seriously? Did you know that you could be undermining your own credibility by simply communicating the wrong message?

I get the opportunity to work with a lot of leaders, not just compliance officers, and I’ve picked up on a pattern where leaders and managers tend to address their organization with a series of platitudes that eventually don’t ring true with their actions. For some reason, it’s more acceptable when politicians do this, but when a leader does this, their credibility instantly goes out the window for me, and I’m not the only one.

Especially when addressing a group for the first time, it seems like there’s a standard template that leaders tap into. They talk about “open and honest communication,” and “open door policies,” yet the minute someone in the organization raises a concern, they’re stoned like a heretic. When leaders do this (and it happens a lot), they create a cognitive dissonance within the organization. In other words, what’s being said is not what’s being observed. The byproduct of this is leader who is not respected or influential, and they won’t be effective in the achievement of their goals. What leaders should strive for is just the opposite—cognitive consonance.

This is especially true within the compliance organization. The advantage other leaders have, is that it’s typically easier to tie in the corporate strategy with each individual’s best interest. If the organization does well, the individuals within the organization prosper. Once a leader issues an empty statement, their credibility may dissipate, however the individuals may still behave in a way conducive to supporting the leader’s goals, purely because it’s in their best interest. Compliance leaders don’t have this luxury.

Most likely, a compliance leader’s goals have nothing apparently to do with the individuals’ self interest. In fact, it usually takes away from the “real work” that everybody needs to get done. Every year at PayPal, just around this time, most of the people I know are required to recertify on their compliance training (including consultants!). It’s a breeze for me because I’m familiar with the space, but for others it can be challenging to get this done in tangent with meeting promised dates for deliverables.

Therefore, it’s vitally important that what you declare publically actually resonates well with your actions. If the organization perceives that there’s no meaning behind your words, they will not take you seriously, and it will jeopardize you chances of success, exposing your organization to unnecessary risk. Here are some things to keep in mind to help create cognitive consonance:

1. Choose your communications carefully. Don’t say something just because it “sounds good,” say things you know you can follow through on. For instance, if you make a statement that tailgating (people walking in behind another person to gain access to a controlled building) will be policed, take decisive and visible actions to make sure it happens. I consulted for a company that installed special sensors to catch tailgaters, which would trip alarms if somebody tried to sneak in behind somebody else.
   
2. Follow through on communicated dates. You will no doubt have plans that will involve the organization’s cooperation. Make sure there’s little risk in the project plans, and execute on them without fail. Don’t let dates slip. One way to do this is by making sure you have plenty of time to get done what needs to get done before the date that’s communicated. The timeframe doesn’t really matter, what matters most is that the date communicated is met.
   
3. Document your communication, and periodically assess your own efficacy. People in the organization are not going to approach you to tell you that you’re not following through. They’ll just start ignoring you. It’s important to assess your own performance and make adjustments if necessary. If you notice that things were said that are not happening, publically acknowledge your shortcomings, and make a renewed commitment to the organization for follow-through. This is much better than sweeping things under the rug, and hoping everybody forgets.

Platitudes are the enemy of trust, and as a leader you must steer clear from empty promises, especially the banal ones that people have heard over and over again. Choose your communication carefully, and make it a point to follow through on absolutely everything you say. Meet project dates, and assess your own efficacy periodically. Create cognitive consonance, not dissonance, and the respect your organization gives you, will make your life that much easier.

10 Ways to Improve Communication on your Compliance Program

Communication problems are at the root of 90% of compliance program implosions. Most of these problems are easy to remediate, once you have the proper awareness and take the appropriate actions. Here are 10 of my favorite tips for boosting communication on your compliance program:

1. Create a Communication Plan. Seems to make sense, but surprisingly most compliance programs that I see don’t have one. Planning in any form, pays dividends and a communication plan is no exception. I find it easiest to use a spreadsheet and keep it simple. Record who will be communicated to, when, and in what format. Make sure you cover all the parties that will be affected.
2. Execute the Communication Plan! This seems to make sense also, but you’d be surprised how many times I step into a situation where a communication plan has been created, but it’s not being executed. Why go through the trouble if you’re not going to follow through? It actually makes sense to have a control and audit plan in place for your communication plan. This is territory that is already familiar to you, so why not leverage it to improve your communication efforts?
3. Avoid a “Need to Know” Mentality. Compliance tends to be a subject area where companies try to control and spin information. This is a very bad idea. Communication should be immediate, straight-forward and honest to all people affected. This is the only way to get full commitment and cooperation from the resources that are necessary to make your compliance program work properly.
4. Validate Understanding. Proper communication involves you sending information, them receiving information, and you verifying the understanding of the information. This last step is important. It’s not good enough to just “push” information out without testing for understanding. Periodically poll your communication targets to see if they’ve received and understand your message.
5. Avoid the “Telephone Game.” This is an old game we used to play as children, where someone starts with a message whispered into someone’s ear, and it makes itself around the room until the final person announces what they finally heard. Invariably it has nothing to do with the original message. Make sure you’re communicating directly with your targets, and there’s no second hand information passing around. For instance, instead of communicating only to managers with the assumption that they’ll carry that message to their direct reports, communicate directly to all people on the front line, including their managers.
6. Communicate Frequently. Do not setup a communication program where you only communicate with people once a month, once a quarter, or Heaven forbid once a year! You should have weekly or even daily communication with most of your targets. Things are constantly changing on your end—people need to be informed.
7. Be Pithy in Your Communication. Get straight to the point, do not use a lot of words. How do you feel when you receive an email or letter that’s the length of a novel? Nobody will read this. Learn how to communicate your message in as few words as possible.
8. Create Graphics for your Communication. A picture is worth 1000 words, so it’s very effective. In addition to making your communication lively and interesting, a graphical model is able to communicate a lot of information in a relatively small amount time. Take advantage of this leverage in your communication. For instance, if you’re trying to communicate compliance violation effectiveness, a nice graph would be a good choice over a lengthy report.
9. Do more than Email. For some reason, when people think of format for communication, they start and stop with email. Email is fine, but there are a number of other ways to communicate your message that are much more effective. Consider a lunch festival, radio show, or print newsletter. Be creative, your audience will appreciate it.
10. Get Feedback. Talk to your audience about what works for them, and adjust as necessary. In this information age we’ve been bombarded with information from all angles. Everybody has learned to adjust in their own way. You won’t know what you audience likes, until you ask them.

Communication is one of the most important things to get right on your compliance program. I hope this gives you some ideas on improving its effectiveness. You don’t need to implement all 10 to get good results. Out of this list, think of 3 that you can do right away and get them in place by the end of next week. This will give you good momentum for following up on the rest.

How to Manage Agreements on your Compliance Program

Have you ever had an auditor give you friendly guidance in one direction, then completely deny it in a follow up visit? If it hasn’t happened to you yet, don’t say I didn’t warn you. Or maybe you’re trying to partner with legal only to be whiplashed around by counsel always changing their mind but never admitting it?

The grim reality on all projects and programs is that stakeholders will sometimes alter or go back on something they said but to avoid taking responsibility for the impact of the change will deny that you ever had a previous agreement. Unfortunately, this happens to be especially true in compliance programs.

It seems odd to make a statement like that about compliance programs; because if you didn’t know better you would think just the opposite. Compliance is about following laws, and laws don’t change so why do requirements? Actually laws do change, but that’s not the real problem because they don’t change that often. Your requirement is not based on the law, it’s based on a policy which is in turn based on the interpretation of a law. Laws are notoriously vague and ambiguous so in order to construct a policy you must have somebody try to interpret what the law really means. Of course, every time somebody looks at it a different way, there’s a different interpretation and subsequently different rules built into the policy. And just when you get more than one lawyer to agree on the interpretation, the law gets challenged in court with a surprising outcome (of course), and the interpretation changes again.

Okay fine, then if things change and we all know it, why is it so hard for stakeholders to admit that the change is being caused by them? This question is actually being approached from the wrong angle to see the truth. You should be asking, “why is it so easy for stakeholders to deny what they said in the past.”

Honestly, you’re at the base of your own problem and that’s actually a good thing. Unless you’re running a highly evolved project or program (and I haven’t seen too many in my lifetime), change is painful and nobody wants to be accountable for causing pain. Let’s face it. We’re all just trying to get it done, whatever it is. Change is just going to cause delays and cost more money, so why would anybody want to take ownership of that? It’s much easier to just stay in denial.

Correcting this problem is pretty easy; jus t install an agreements registry on your project or program. An agreements registry is just a log of all the agreements, formal or informal, that were made during the course of progress, from the initial kickoff meeting forward. When you setup each meeting, think about any agreements that need to be reached in the meeting, and announce them in the agenda. In the meeting minutes, simply record what was agreed to. Make sure when you send out the minutes, you call special attention to the agreements section and give stakeholders the opportunity to correct any misunderstanding. This is called negative assurance, meaning if nobody says anything the agreements stand.

Now you’re covered. When the stakeholders pull the old Alzheimer’s bit on you, gently remind them of the documented agreement that was previously made. Don’t be antagonistic; you don’t want to break down the relationship. Just refresh everybody’s memory as to what was agreed.

Please note that this doesn’t give you a clean pass on never having to deal with people backing out of an agreement, it just makes it harder to lie about it. I was on a very high-profile project when a VP flat out refused to honor an agreement that was documented in my agreements registry. What can you do? Well, at least they couldn’t say they never agreed to it in the first place.

I find it ironic that we deal with contracts all day long, but we don’t take care of the most important contracts—the contracts, formal or informal, between us and our stakeholders. A simple agreements registry will do the trick, so why not install one today.

The One-Day Record Retention Policy

For some reason, people obsess over creating their record retention policy. I’ve seen common mistakes made and not so common mistakes made, but in the end it always takes longer than it should. I’ll show you today how to create an email retention policy in just one day—and have fun doing it!

Step 1: Get Everybody’s Attention

One of the key reasons why creating a retention policy takes a long time, is because organizations don’t make it a high enough priority. So the responsibility gets handed to some newbie as a sort of hazing exercise. This newbie now has to corral people from all corners of the organization gathering information from people who would rather be getting their teeth pulled at the dentist than talking to this freshman about policy.

It shouldn’t work this way. As with any policy, record retention policy should be a primary target, and of prime interest to any company’s board and the executive management that services it. It’s very easy to create, and without one you can forget about surviving any sort of litigation. The documents you don’t have on hand will make you look guilty, the documents you do have on hand will incriminate you, and the mere fact that you don’t have a record retention policy will announce to the courts that you’re irresponsible. Let’s see you try to win that case.

So, to get everybody’s attention start with the board and executive management. Once you have their attention, you’ll have everybody else’s attention.

Step 2: Get Clear on What the Policy Will Look Like

Let me give you my best piece of advice when understanding what the final policy will look like—keep it very simple and easy to modify. Your policy shouldn’t be more than some introductory language and a table. Your table is a summary of all the different types of documents you have, and what their retention length should be. In addition, you may want to include some notes and reference information (i.e. what regulation or guideline drives the retention policy).

Make sure your policy system is flexible enough to make changes at will with little or no pain. You will need a good change management system in place that can document changes as your policy evolves over time. Instead of obsessing over getting everything perfect the first time, just make sure it’s good enough and easily adjustable as you find ways to make improvements. I suggest you involve your IT department to help setup a policy management database.

Step 3: Go Away For the Day

Get all the key people together, and go away for the day. You will need representation from legal, finance, IT, the business units, and most importantly executive management. Once executive management is involved, all the right people will want to be there. Don’t settle for middle managers that just want to brown-nose. Get the right people, no matter where they are in the organization. The right people are the people that know the regulations, standards, and how the business runs.

Organize a one-day offsite that will be fun for everyone. There’s work to do, but that doesn’t mean it needs to be arduous. Have it in a nice place with great food and scenery. Here’s how the schedule will look.

The schedule for the day can be light. The actual work to be done won’t take a full 8 or 10 hours. Start the day with a light breakfast combined with a vision session. Explain to everybody what needs to be accomplished, and why it’s important to the company. Take a short break, then open things up for an uninhibited brainstorm / data dump. Have several recorders on hand, and just let everybody fire away with what’s in their head. Focus the session purely on different types of documents that are produced. Consider not only typed documents, but email, instant messages, anything that could be considered a record. Don’t try to solve or adjust anything, and don’t try to create systems at this point, just let the information flow freely from people’s heads to the board (I prefer using large sticky-pads). The brainstorming session should go a good 2-3 hours with one or two breaks in between. After that, take a long and enjoyable lunch break.

After lunch, bring everybody together to assemble the information. All this data needs to be organized into document types. Don’t worry about retention guidelines at this point, just try to logically organize all the different documents into groups. A company typically has a lot of different documents, so this exercise may take a while. Once a first pass at organization is complete, make a second pass with the retention lens on. Think about how long each document group needs to be retained at different stages of its retention period (e.g. readily available, onsite, archived offsite, destroyed). When considering retention periods, consider regulations, standards, guidelines, and also availability for good business operation. The key is not to over-think this, just get it most of the way there. Remember, you can always come back to adjust it when you need to. Take another break, we’re almost done.

Back from break, we just need to have a short agreement session. There will undoubtedly be some disagreement between groups of document types and retention periods. That’s very normal; however, the outcome of this session is a consensus on the contents of the policy. It’s good if everybody agrees, but if they don’t that’s okay also. We just need everybody to concede that this is a policy that’s good enough for now. The hard work is done, enjoy the rest of the day.

Step 4: Create the Policy

As a final last step, just record the policy that everyone has agreed to and publish it as record. Do not entertain adjustments in any way, shape or form. You may have a stroke of brilliance after the offsite, or you may have people still trying to sell their point privately after consensus was reached. Forget it, you’ll just go backwards. Create the policy and publish it—that’s it.

Creating policy is easy and can be fun when you take the right approach. If you don’t have a record retention policy in place, start planning a fun offsite today. You’ll be surprised how quickly things will come together.