Compliance and Ethics: Ideas & Answers. Edition 28
Dear friends,
Welcome to the 28th edition of Compliance and Ethics: Ideas & Answers!
Today, we start with an in-depth piece from Rebecca Walker on managing third-party compliance risks followed by an interesting piece from Caroline Popper M.D. MPH J.D. on why young companies need mature compliance, before we wrap with advice for graduates from four seasoned experts.
I am also really excited to announce the launch of our YouTube channel where we'll be releasing videos on Compliance & Ethics regularly. So, make sure you subscribe to keep up to date.
And as always, there's more content on our website so please do?visit us there?to read our other articles.
Thank you, Joe.
Managing Third-Party Compliance Risks
There is something exhaustingly daunting about third party compliance. As one client confided in me two decades ago, “Managing compliance for 20,000 internal employees is hard enough. How am I supposed to extend this to the employees of all our business partners?” The reality is, our business partners indeed introduce compliance risks. So what can compliance officers feasibly do, and what measures are genuinely effective?
The Expanding Web of Third-Party Relationships
In today's interconnected global economy, reliance on suppliers and external service providers is a business imperative. This necessary reliance presents a myriad of risks, including the potential for suppliers to fall short of a company's ethical and compliance standards, resulting in both legal ramifications and reputational damage.
Strategies for Third-Party Compliance
In an effort to mitigate these risks, organizations have deployed a range of third-party compliance controls, such as due diligence protocols, supplier codes of conduct, contractual obligations, third-party reporting mechanisms, and specialized training programs. From my experience, one of the most effective controls is training your internal team (your third-party relationship “gatekeepers”) to monitor for and identify compliance violations by third parties. Training those who interact with third parties not only augments continuous monitoring capabilities but also serves as a supplementary compliance training opportunity. This aligns with the Department of Justice’s memorandum on Evaluation of Corporate Compliance Programs, which emphasize training third-party relationship managers to identify and manage compliance risks.
Young companies need mature compliance
Caroline Popper, MD, MPH is a health care executive currently pursuing her Juris Doctor at American University Washington College of Law ('24). Experienced as a manager and ?CEO, she has led public and private healthcare and life science companies from start-up through maturity. She is excited to combine her strategic and operational perspective with the legal and corporate compliance training she is receiving as a law student. In this piece, she draws on insights gained from Professor Asha Scielzo’s Corporate Compliance and Ethics Spring 2023 course.
In many dimensions, various elements of start-up or even slightly “older” companies are predictable and align with their stage: e.g., technical risk is still high and products or services immature, management may be relatively new, market pull may be theoretical and not yet converted into revenue. Investors and other stakeholders are motivated to retire these risks and drive growth as fast as possible.
Often there is a drive to create a “minimally viable product” or “MVP”, the first commercially viable incarnation of the company’s intellectual property. This naturally makes good business sense as it is almost always important to generate revenue and prove market adoption as soon as possible. While this is entirely appropriate in the product development and market entry setting, it is not advisable that an organization take the same approach to corporate compliance strategy. There is a tendency to take the same minimalist approach to compliance, however, “minimally viable compliance” will not serve the company in the near term and is definitively not recommended in the long run.
Young companies must proceed proactively and with intentionality in every aspect of their enterprise – including compliance. Compliance isn’t effective if it is siloed or executed as an exercise in “box-checking”. Compliance extends to research and development, sales and marketing, business development, finance, governance, and people management. Compliance processes, embodied in SOPs and documents, by themselves are insufficient. We all appreciate that the cultural context in which these processes are executed (of course using the requisite compliant documentation) is what really matters.
Small companies can save significant resources and avoid pitfalls in the long term by handling compliance matters in their infancy. Creating, nurturing, and monitoring effective compliance, and bringing these matters to the board, takes dedicated and independent resources. Young companies, however, are usually very resource-constrained. Typically, every incremental dollar is focused on development and marketing, while compliance and associated risks are neglected, notwithstanding the reality that it is quite possible to implement cost-effective compliance programs[1]. And thus, in the absence of such relatively modest investment, that compliance risk -- be it from inadequately documented and inconsistent development, bad accounting, or poor human resource management -- continues to grow, compounded by new and emerging risks, such as cybersecurity and privacy concerns. The result is a company that is more mature in terms of products, services, revenues, and the like, but is way behind the compliance curve. At this stage, compliance because more urgent, more expensive, and more difficult to engrain in the fabric of the company. Hindsight sharpens and companies bemoan not making the investment sooner.?
领英推荐
Further, thoughtful investors in today’s environment are considering compliance risks when making investment decisions. Start-up founders and management who are savvy about compliance at the outset are attractive to investors. In addition to reducing certain elements of risk, compliance contributes to real value creation over the longer term, particularly in subsequent financing rounds.
So, what is a young company to do?
Watch: Live vs Online Training
Advice for Graduates - 4 experts perspectives
“I am a student at college / university / graduate school and interested in learning more about ethics and compliance.??What advice do you have for me as a student on how to learn more about this area?? Do you have any career advice for someone about to graduate and whether I would?be best suited trying to get a job for a company, government, a law firm or another type of employer (perhaps a non-profit)?”
Adam Balfour’s Advice:
The type of employer you work for is important, but I think more important is who will be your manager (and what can they teach you) and what type of work will you get to do.??If you go to a big and well-known employer, you will likely enhance your professional brand; however, a smaller organization might provide you with more hands-on experience and a broader range of matters that you might get to work on.??The first few years of your career are important for what you will learn and who you will meet - this is an important time to invest for your professional future and not simply to pick the highest paying job or job that looks best on paper.??
Joe Murphy’s Advice:
For those who are still in school, I have some definite advice.? While people generally think only of “corporate” compliance, there is another huge area of compliance:? colleges and universities.? Whatever college or university you are at, it will almost certainly have a compliance program; the range of compliance risks they have is extraordinary. Take some time and find out about that office and what it does. Talk with people in that program.? Then see if you can volunteer to help them. What better way to learn about compliance than by actually doing it? Plus you could add a resume item that shows you are truly interested in this field.? ??
I also recommend active research.? Do some reading of the compliance literature, including both print and online.? When you find an interesting piece, engage with the author.? Ask questions and let the author know where you think their piece hits the mark. This is a way to network with others in the field.? As an author I certainly appreciate knowing that someone read my work and was interested in the topic.? If any of your own faculty have written in the field you can do the same thing at that level.? Just make sure your comments reflect serious thinking and genuine interest.
Rebecca Walker’s Advice:
One of the great things about working in the compliance field is that people come from so many different backgrounds. You will have the opportunity to gain valuable experience whether you work with the government, a law firm, a company or a non-profit.? I would suggest seeking out a position that will afford you the greatest breadth of experiences. Compliance has a number of different facets and involves a large range of activities, from writing, to training, to interviewing, investigating, project management, legal analysis, and more. Try to find a position where you will have the chance to try your hand at as many compliance activities as possible. You may ultimately decide to specialize in a particular sub-area or to be a generalist, but it’s good to try your hand at all aspects of the field before you make that decision.
You can begin these explorations while you’re still in school.? Consider connecting with compliance professionals on LinkedIn, and asking professors and mentors for introductions. If feasible, it may be helpful to attend compliance conferences in order to meet people and get a better sense for the different types of jobs available.? One of my favorite things about the field of compliance is the willingness of compliance professionals to share their knowledge and expertise.? People will be happy to talk with you about their experiences and offer advice.
Jeff Kaplan's Advice:
Finally, those considering C&E as a career need to be aware of the field’s ”dark side.” That is, while nearly all business and professional fields presumably carry some risk of suffering based on doing the wrong thing such risk for doing the right thing is to some extent a particular feature of C&E. This is not, to my mind, a reason to avoid working in C&E. But it is something to be aware of in considering where specifically to work.
For example, it is possible for a Compliance Counsel to be pushed out of the company for challenging the sales practices of a “big producer.’ if the culture of that company is to put profitability over compliance.
I hope you found today's journal valuable and, if you would like more analysis and insight?please visit and bookmark our website.
Congratulations on the 28th edition, Joe Murphy, CCEP! The addition of a YouTube channel is a fantastic idea for sharing insights on Compliance & Ethics. Looking forward to it!