8 Reasons Your Compliance Program Fails

10/16/2024

Is your compliance policy strong enough to withstand the risks your business faces? Let's find out.

"The best-laid plans of mice and men oft’ go awry,” is a line from a Robert Burns poem. But you probably know it better as the common saying it inspired. Basically, it means that even if your intentions are great and your planning is on-point, things can still go wrong. Unfortunately, that’s also true in the world of compliance. 

When you’re managing your compliance program, you need to consider what works as well as what doesn’t work. The laws and regulations your business needs to comply with can change at the drop of a hat, so your business needs to be ready. Compliance failures don’t come cheap: your business could suffer fines, loss of revenue and reputational damage, just to name a few consequences. 

If you don’t know what’s causing your compliance program to fail, how will you know what areas to address? That’s why we’ve outlined 8 obstacles that could be standing in the way of your compliance success.


8 Obstacles to Effective Compliance Management

Chapter 1

1. You have a weak compliance culture within the company

What do we mean by “compliance culture”? When you think of culture in the context of work, it refers to shared values, beliefs, attitudes and behaviors within your company. And a company’s culture typically starts from the top. Leadership has to believe in its value and prioritize it across the business. The same applies to compliance culture. 

Your leadership team, C-suite and board of directors all should place a high priority on compliance. This doesn’t just mean sending out communications to all employees saying how important it is. It means allocating sufficient budget, resources, people and tools to make sure the company is complying with all regulatory requirements, while also making sure the company is thoroughly vetting every customer and supplier to make sure they aren’t violating regulations. 


These are some signs that your company has a weak compliance culture:

  • Compliance isn’t allocated a significant budget, resources, tools or headcount. 
  • Hiring and upskilling an in-house compliance team is a low priority. 
  • Compliance is usually outsourced to part-time consultants or a 3rd party firm. The company rarely has full visibility into 3rd party compliance management.  
  • There is disjointed and ineffective communication and collaboration between the leadership team and internal teams who manage compliance.
  • There isn’t a clearly defined compliance policy. Issues are managed more reactively.
  • There isn’t a defined set of corrective actions that the business takes when various compliance issues arise. So, the team responsible for managing compliance doesn’t know what to do when issues occur and there is often internal confusion and conflict.

2. You don't continuously monitor customers and suppliers

More often than not, we hear companies say they only check their customers and suppliers for compliance issues at the start of the contract/relationship, or only if they suspect any issues. While managing your own company’s regulatory compliance is certainly important, it’s just as important to make sure the customers and suppliers you work with are taking compliance seriously. What they do can directly affect your business. 

Let’s say you’ve been working with a supplier for three years. You know them – their quality of work is stellar and their ability to deliver your goods on time is excellent. You trust them and plan to work with them for years to come. But trust isn’t a valid form of currency in business. You need proof. What would happen if this trusted supplier decided to source materials for one of your orders from a vendor in a country that’s on the OFAC sanctions list? But you didn’t know about it because you didn’t run a compliance check on them because you trust them. Does their sanction violation affect your business? Yes, it certainly does because they were sourcing materials for your production order. 

This example is a case in point – you can’t assume the businesses you work with are taking compliance seriously. If anything within your supply chain violates regulatory requirements and sanctions, your business is liable. It’s that simple.

That’s why you can’t just take a haphazard approach to monitoring your customers and suppliers for compliance issues. It has to be something you’re assessing regularly – not just when you have a suspicion, hear a rumor or when the initial contract is signed. Your liability doesn’t stop after you sign the contract. 

Here are a few tips on how you can carry out compliance due diligence on your customers and suppliers:

  • Screen your suppliers and customers (and the directors in the companies) against real-time sanctions databases, global enforcement lists, adverse media, state-owned enterprises and Politically Exposed Persons profiles. 
  • Build compliance workflows into your decision process with new customers and suppliers.  
  • Make sure you have a digital audit trail to prove compliance with international, federal and state regulations. 

3. You don't use compliance screening software

If your company is taking compliance as seriously as it should, then you will likely have a considerable budget for implementing screening tools. Compliance screening software can be a huge boon to your compliance program. 

For one, it should make it easy and quick to run checks on your customers and suppliers – we’re talking minutes. Plus, it should be easy to implement – you don’t need to be an expert in coding or tech. And if you’re using the right compliance screening software, it shouldn’t bombard you with tons of low-quality alerts. The alerts will be reliable and easy to sort through so you don’t miss potential violations and expose your business to unnecessary risks.

But if you don’t use a compliance screening tool, then you could end up with one or more of the following scenarios:

  • You miss a large number of potential compliance violations for your customers and suppliers.
  • Your company fails compliance audits and is subject to significant fines.
  • Your company is fined for working with a customer or supplier that has violated sanctions on the OFAC list. 
  • Your company is the subject of class-action lawsuits due to your lack of visibility into a supplier’s use of child labor. 
  • Your company loses customer contracts because of negative publicity and backlash from being associated with unethical companies.

4. You don't have internal controls and processes

Did you ever play the game “broken telephone” as a kid? The one where one person whispers something in someone’s ear and the message travels around a circle. By the end of the game, that phrase has usually transformed into something completely different than how it started.

That’s kind of what it feels like when your business is lacking internal compliance controls and processes. You need to make sure everyone is on the same page. There should be no doubt as to what your compliance processes, controls and policies are. So, these should be written out in detail, shared and communicated with everyone. Most importantly, every team that’s involved with or has a hand in the compliance chain should be trained regularly. 

You might be thinking – is it really that important? Yes, it is. Here’s an analogy that will help you understand why. Just imagine a hospital that typically serves about 10,000 patients a day. What do you think would happen if that hospital had no internal controls and processes? Mayhem would ensue. Patients wouldn’t know where to go to check in and be seen by a doctor. Hospital beds would likely be unavailable and cause a backup in the waiting room. Patients could see their illnesses worsen because they can’t be seen – all because there weren’t any internal controls and processes. Get the drift? It can be just as chaotic if your company doesn’t have internal controls and processes for your compliance program. 


5. You allow relationships to override your compliance policy

The purpose of a compliance policy is to protect your business. It’s as simple as that. It’s there to help you prevent missteps, catch issues and prevent losses from regulatory fines, lawsuits and more. 

But we know that relationships are also critical to running your business. You may not want to offend a longstanding customer. You may not want a trusted supplier to go to a competitor because you’ve upset them. We get it. 

But at the end of the day, you’re running a business. Deciding not to run a compliance check on a customer or supplier – no matter how long you’ve worked with them or how much trust you’ve built with them – isn’t going to do your business any good in the long run. Your compliance policy is there for a reason – don’t ignore it or let your relationships override it. 


6. You don't have visibility into the third-party management of your compliance program

How you set up your compliance program can depend on many factors. For instance, you may not have the budget to hire a large in-house compliance team. So, you might be using part-time consultants on an ad hoc basis, or you might hire a legal firm on a contract basis. In both these scenarios, you’ve now got a third party involved in managing your compliance program. 

This is where a lot of companies struggle with their compliance management because they don’t actually know what the third-party firm or consultants are doing. If you don’t know what information they’re reviewing and what types of corrective actions they’re putting in place, you could open yourself up to some major risks.

  • If a third-party firm or consultant has access to sensitive information, there’s a risk of data breaches, cyber attacks and misuse of the information. 
  • You may not be aware of operational risks and the financial instability of these third-party firms.
  • If you use suppliers in multiple countries, your third-party firm may not be aware of key regulatory requirements in certain countries, which could leave you vulnerable to compliance violations and fines. 

7. You don't use consistent enforcement and corrective actions

The whole point of an effective compliance program is to anticipate and be prepared for when compliance issues arise. The last thing you want is to be caught off guard. But you also need to take the same approach to the corrective actions you use when you discover compliance issues.

You should have outlined the enforcement and corrective actions you will take in your compliance policy. These should be mapped to specific scenarios that could occur, such as:

  • A supplier sources materials from a vendor in a country on the OFAC sanctions list.
  • A customer has 10 or more compliance alerts related to corruption, bribery, money laundering and fraud. 
  • A customer is involved in a class-action lawsuit due to violations of employment/labor laws. 
  • A supplier has been convicted of fraud in the last 12 months. 
  • A supplier is the subject of several negative news stories about the use of child labor. 

These are just a few examples of scenarios that you should outline in your compliance policy. Then you should provide the corrective actions that your company must take if those scenarios occur. This way, you won’t be flustered or panicked when these types of situations arise. Plus, you’ll know exactly what to do about it – thereby reducing the long-term risk and damage to your company. 


8. Your compliance training is inefficient and ineffective

Compliance training is such an important part of your compliance program. If your team doesn’t know what issues to look out for, what types of scenarios could occur and what types of corrective actions to take when issues do occur, you’re going to have a really tough time minimizing your compliance risks. It’s just that simple.

But we also know that compliance training can be time-consuming and costly. And if your team has been doing things a certain way for a long time, it can sometimes be hard to change mindsets and openness to new approaches. More often than not, employees won’t be inclined to take compliance training seriously if they don’t see the value in it. They need to see how it can help them do their jobs better, protect the business from risks and be seen as leaders in compliance.


About the Author

Bill James, Director, Enterprise Sales, Creditsafe

With over 15 years of experience in finance, risk management and data analytics, Bill James understands exactly what enterprise businesses should be thinking about as they build their corporate growth and risk strategies. Prior to joining Creditsafe in 2021, he spent six years at Dun & Bradstreet as Area Vice President of Finance Solutions and Third-Party Risk & Compliance. 
