Compliance lessons from the dawn of human history
By JIM NORTZ - 8/7/2009
In the beginning ... life was simple. According to the Bible, at the dawn of history there was one law on the books, "Don't eat the apple," and only two people who had to be trained to understand and abide by it. In a clear sign of what was to come in the succeeding millennia, the biblical parents of the human race deliberately violated this law. As a consequence, in the years that followed, God smote the world, first with government and then, to add insult to injury, with lawyers.
Over the generations, governments and lawyers got busy doing what governments and lawyers do. They made laws, lots of them. Today the world is very different from the one the Bible calls the Garden of Eden. Instead of just one law, we now have a rat's nest of billions and billions of virtually incomprehensible pages of statutes, edicts, executive orders, regulations, pronouncements, judicial opinions, constitutions, guidance documents, codes and treaties.
To make things worse, this towering mountain of rules is not standing still. Instead, it grows relentlessly at an accelerating pace as governments at the international, national, state, county, city and village level around the globe feverishly strive to make our world a better place. This never-ending explosion of legal pronouncements was best described to me years ago by an experienced corporate counsel who said just keeping up with the changes in her narrow area of expertise was like trying to "drink from a fire hose."
If our ancient ancestors could not manage to abide by one law, what hope does a modern corporation have of comprehending, let alone complying with, the mind-numbingly complex rules that governments impose on it?
To answer this question, I think it's important to begin by recognizing that "simple" compliance with the law in the modern world is not a trivial exercise for any business. Although laws are generally designed to enhance our civilization, any serious attempt to cope with them is both daunting and costly. This may seem excruciatingly obvious, but so often folks who have not devoted much time to thinking about the question flippantly say that their company "always operates in full compliance with all the laws." Nonsense! I'd wager that few, if any, companies in the history of the world have ever achieved and sustained this pinnacle of perfection.
Before you count yours among this elite group, ask yourself if anyone in your company has ever driven a company car over the speed limit, failed to pay a supplier on time, downloaded copyright materials onto a company computer, missed a government-mandated filing deadline, exceeded air or water environmental discharge limits, hired undocumented workers, breached a contract, or failed to pay all taxes owed to local, state and federal governments. I could go on, but you get the point. Compliance with the law 100 percent of the time is a laudable goal, but it is nearly impossible over the long term, even for firms committed to doing so.
This does not mean, however, that we should not keep trying. Let's discuss some of the options you might consider.
"Close the doors, turn out the lights"
Going out of business to ensure compliance with the law is extreme, but it is the only hope of reducing your firm's non-compliance risks to zero. I'm not recommending this option, but I lay it on the table to drive home the following point: If you choose to stay in business, you will have to develop a strategy for managing a "non-zero" non-compliance risk. It will never go away, as long as your doors are open and your lights are on.
"Cross your fingers"
My bet is that in businesses around the world, one of the most common approaches to compliance with the law is to rely on experts where necessary but otherwise to guide actions by the application of common sense and civility and hope for the best. The reason I suppose this approach is so common is threefold:
1. It's inexpensive (at least until things go wrong).
2. It generally works.
3. The chance of getting caught violating the law is minuscule.
Notwithstanding these advantages, the cross-your-fingers approach is fairly risky. This is especially true for U.S. firms, blessed with residence in the most litigious and enforcement-crazed country in the world. To a greater or lesser extent, depending upon the industry you are in, such a minimalist approach really is a bet that eventually will be lost.
In a highly regulated environment, such a "compliance system" is simply not reliable enough to avert catastrophe over the long term. When the bet is lost (and the fines are paid, newspaper articles are written, business is down, employees are laid off and reputations are ruined), many people inside and outside the firm will ask, "Why didn't they do more to stop this from happening?"
"Sensible risk management"
The best way to achieve a reasonable level of compliance with the law is to manage your risks with a rational plan. Some basic steps you might consider:
1. Systematically identify your firm's key legal obligations.
2. Evaluate the effectiveness of the systems you rely upon to meet these obligations.
3. Determine what, if any, additional investments must be made to improve the effectiveness of your company's compliance management systems.
4. Implement the improvement plans that you can afford and that will yield the greatest risk reduction.
5. At least annually, repeat steps 1 through 4.
Remember, the object of this exercise is not to achieve perfection. No one can afford that. Instead it is to strike a principled balance between competing priorities with the object of keeping your doors open and your company's name off the front pages of the scandal sheets over the long term.
To those who observe that this recommended approach is really nothing special and that it's just common sense, I ask the following: If that's so, why isn't your company doing it?
Despite our ancestors' rough start, I am confident that a reasonable investment in sensible risk management will help businesses cope effectively with a much more challenging legal environment.
Jim Nortz is compliance director at Bausch & Lomb Inc. and is a member of the Rochester Area Business Ethics Foundation. The opinions expressed in this article are Nortz's alone and may not reflect those of Bausch & Lomb or the RABEF. For more information about the RABEF, visit www.rochesterbusinessethics.com. Nortz can be reached at (585) 260-8960 or firstname.lastname@example.org.
08/07/09 (C) Rochester Business Journal