Before embarking on compliance management, it is useful to consider proactive and reactive management as a process. Proactive managers control their destiny by anticipating and controlling both risk and outcome. Reactive managers act only when something happens, waiting for an event before making changes. Their view is that, as long as nothing goes wrong, no changes are needed.
The analysis of the pros and cons of proactive versus reactive management (see Table 1) demonstrates some important concepts as they apply to the management of compliance programs or systems. Don’t companies want compliance officers who take control, plan to mitigate disaster, minimize risk and have a good understanding of the business?
Companies also want compliance officers who work well under pressure, as there will always be demands associated with compliance and compliance programs. Thoughtful and planned decision-making should be better than spontaneous decisions about compliance.
Proactive Compliance Management
A proactive compliance officer will be fundamentally different in their approach. Recognizing that changes to regulations and standards will drive continuous improvement in compliance across an organization is a valuable attribute. Proactive compliance officers will continually review their compliance systems to ensure they reflect current requirements. They will perform audits and risk assessments to determine where improvements are needed or could be made to the systems, and to realign those systems with the regulation or standard. This approach is an integral part of incorporating improvements into a compliance program, which I have already discussed.
This, in turn, will mean that the company has a much better chance of always being compliant, and employees will always know the latest requirements because the policies and procedures are up to date. Plus, you’ll have a record that demonstrates that you’ve always attempted to be compliant, even if not always successfully, which is an important consideration in DOJ decisions on penalties for non-compliance.
One of the main benefits of being proactive is that senior management can be made aware of the organization’s compliance status. This works in two ways. First, conscientious and concerned leaders will want to know so they can make informed decisions about the resources and costs that might be needed to drive improvements. Second, leaders who think compliance is a waste of time (and are more likely to support a reactive than a proactive approach to compliance) won’t be able to hide in ignorance.
It’s also a critical step forward in compliance management, especially given the DOJ’s latest directive to make white-collar workers more accountable.
Proactive compliance management is essentially about planning, preventing and minimizing risk. By adopting a forward-looking approach, teams are prepared and trust a leader who is confident and able to plan for issues.
Reactive Compliance Management
It would be wrong to assume that there is no place for reactive management in compliance; in fact, much of compliance management is reactive. Responsive managers also have beneficial attributes. If COVID-19 has taught us anything, it’s that sometimes you have to be reactive because things don’t always go as planned. Compliance requires some degree of reaction to something: a standard, regulation or audit response, for example. From a compliance management perspective, it’s also important to address issues as soon as they arise, as companies often face the same issues year after year.
However, there is a balance between reactive and proactive compliance management that relies on learning from regulatory experiences and transitioning compliance efforts to prevent problems. This not only makes good business sense, but can also reduce the costs associated with regulatory action or corrective action in the event of serious regulatory compliance violations. High-performing companies that take a more strategic and proactive approach, instead of treating compliance as a cost of doing business, extract business value from regulatory and quality imperatives to help transform into a culture of compliance.
On the one hand, companies must meet the direct costs of compliance by developing and maintaining compliance programs and correcting the failures cited. On the other hand, in the event of citations or compliance failures, companies must also bear the business costs associated with non-compliance: delayed approvals, potential loss of product, market share or credibility, opportunities for market failures and reputational damage, not to mention the real costs of remediation. A conservative estimate from several years ago indicates that the cost of non-compliance is 2.71 times the cost of maintaining or meeting compliance requirements. Non-compliance costs arise from expenses associated with business interruption, lost productivity, fines, penalties, and settlement costs, among others.
According to a recent article by The FCPA Blog, there have been four FCPA enforcement actions totaling $865 million as of June 2022. The article goes on to say, “Since the enactment of the FCPA in 1977, there have been 259 enforcement actions under the FCPA with an average value of $95.4 million. From 1977 to 2010, total FCPA settlements were $3.6 billion. From 2011 to 2022 (June), total FCPA settlements soared to $21.2 billion.”
Often, companies that don’t have a structured compliance program, or whose management has a disregard for compliance, run into regulatory issues. The initial response is reactive. Some companies then learn their lesson and remediate proactively under forced reconstruction, such as a deferred prosecution agreement, consent decree, or similar. For some, however, improvement or transition takes time. Stryker, Orthofix and Novartis are notable examples, having had at least two enforcement actions each.
The pharmaceutical company Novartis is a good example. Novartis was sued in several countries (China, Greece, Vietnam and South Korea) between 2016 and 2020, with $360 million in enforcement actions.
Compliance issues have plagued Novartis: payments to government officials’ attorneys, manipulation of data, bribery of doctors, price fixing and bribes to healthcare professionals. When problems are endemic from the sales force to senior management, the problem is systemic and takes a lot of time and effort to resolve.
One could easily believe that Novartis has become so committed to reactive compliance that it hasn’t had time to comply proactively. Time will tell. This raises an interesting point: how do you move from a reactive mindset to a proactive mindset?