An enforcer’s view of
» A robust compliance program is one that not only identifies issues but also addresses the nature, extent, cause, duration, and mitigating activities that must be completed to prevent recurrence.
» Strong internal controls reduce the risk of non‑compliance.
» Compliance programs must emphasize finding issues and reporting them quickly and accurately.
» A company can only solve a problem if it understands what caused it.
» Mitigation should address these questions: How did this happen? How can it be prevented from happening again?

Finding a problem, assessing the risk and cause of that problem, and addressing and preventing recurrence of that problem are key factors in establishing an effective compliance program. I have had a unique perspective on internal controls related to compliance at the end of the life cycle of non-compliance. Although I have personally reviewed thousands of instances of non-compliance, few of these have posed a serious risk. Companies with robust internal controls find problems early, address those problems, and prevent repeat issues, thereby — most importantly — reducing the risk those problems may pose.

“Sense and deal with problems in their smallest state, before they grow bigger and become fatal.”
― Pearl Zhu

When considering an internal compliance program, the first question I ask is always, “How did the company discover there was an issue?” If an entity’s internal compliance program cannot find a problem, then how good of a program is it? Compliance programs must put an emphasis on finding issues and encourage company employees to report non-compliance quickly and accurately. If a culture does not encourage identifying issues, or inadvertently incentivizes hiding non-compliance to protect financial gain or for other reasons, there can be only bad results.

A company that truly wants to create a culture of compliance will encourage its employees to proactively identify potential issues. A program could include a variety of methods of detection. These may include regular internal reviews, hiring external compliance professionals, or performing spot checks of records and procedural documents to identify areas of concern. Many companies perform internal reviews when they know a regulator audit is approaching, but the companies that review on a regular basis, regardless of audit schedule, receive the greatest benefit — both in improving culture and, potentially, from reduction or elimination of regulator sanctions.

by Leigh Faugust, Esq., CCEP
Leigh Faugust (email@example.com) is Enforcement Counsel at a not-for-profit international regulatory authority in Washington DC.