CEP Magazine – November 2022. Two sides of the coin: Proactive versus reactive compliance management | Society of Corporate Compliance and Ethics (SCCE)

Before getting into compliance management, it is useful to consider proactive and reactive management as a process. Proactive managers control their destinies by thinking ahead and controlling both risks and results. Reactive managers only act when something happens, waiting until an event has occurred before making any changes. Their reasoning is that by waiting to act, they make no changes unless something is wrong.

Analyzing the pros and cons of proactive management compared to reactive management (see Table 1) demonstrates some important concepts as they apply to managing compliance programs or systems. Don’t companies want compliance managers who are in control, plan to mitigate disasters, minimize risks, and have a good understanding of the business?

Companies also want compliance managers who work well under pressure because there will always be demands associated with compliance and compliance programs. Thoughtful, planned decision-making must be better than spontaneous decisions regarding compliance.

Proactive compliance management

A proactive compliance manager will be fundamentally different in their approach. Recognizing that changes in regulations and standards will drive continuous improvement in compliance throughout an organization is a valuable attribute. Proactive compliance managers will review their compliance systems continually to ensure they reflect current requirements. They will conduct audits and risk assessments to find where improvement is required or where it could enhance the systems and map these back to the regulation or standard. This approach is all part of building improvement into a compliance program, which I have written about previously.

This, in turn, will mean the company has a much better chance of always being compliant, and the employees will always know the latest requirements because policies and procedures are up to date. Furthermore, you will have a trail that demonstrates you have always attempted to be compliant, even if not always successful—an important consideration in DOJ’s decisions on penalties for noncompliance.

One of the key benefits of being proactive is that senior management can be informed of their compliance status. This can work in two ways. First, conscientious and concerned executives will want to know this so that they can make educated decisions about resources and costs that might be needed to drive enhancements. Second, those executives who think compliance is a waste of time (and are more likely to support a reactive than a proactive approach to compliance) will not be able to hide in ignorance.

This is also an essential advancement in compliance management, especially considering the DOJ’s latest direction to hold white-collar workers more accountable.

Proactive compliance management, in essence, is about planning, prevention, and minimizing risks. By taking a forward-looking approach, teams are prepared and trust in a leader with confidence and the ability to plan around issues.

Reactive compliance management

It would be wrong to assume that there is no place for reactive management in compliance; in fact, much of compliance management is reactive. In an ideal world, reactive managers also have some beneficial attributes. If COVID-19 taught us one thing, it is that we need to be reactive sometimes because things don’t always go as planned. Compliance requires a certain degree of reaction to something: a standard, a regulation, or an audit response, for example. Focusing on whatever issues arise as soon as they emerge is also important from a compliance management perspective, as companies often face the same issues year after year.

However, there is a balance between reactive and proactive compliance management that is underpinned by learning from regulatory experiences and transitioning compliance efforts to prevent problems. This not only makes good business sense, but it can also reduce costs involved in regulatory actions or remediations to serious regulatory compliance breaches. Top-performing companies that take a more strategic and proactive approach, instead of treating compliance as a cost of doing business, extract the business value from regulatory and quality imperatives to assist in transforming to a culture of compliance.

On the one hand, companies must deal with the direct costs of compliance, developing and maintaining compliance programs and rectifying cited failures. On the other hand, in the event of citations or compliance breaches, companies must also endure the business costs that accrue from not achieving compliance—delayed approvals, potential loss of product, market share, or credibility, missed market opportunities, and reputational damage; not to mention the actual costs of expensive remediation. A conservative estimate from several years ago states that the cost of noncompliance is 2.71 times the cost of maintaining or meeting compliance requirements. The noncompliance costs come from the expenses associated with business disruption, productivity losses, fines, penalties, and settlement costs, among others.

According to a recent article in The FCPA Blog, there have been four FCPA enforcement actions totaling $865 million as of June 2022. The article goes on to say, “Since the FCPA was enacted in 1977, there have been 259 FCPA corporate enforcement actions with an average value of $95.4 million. From 1977 to 2010, total FCPA settlements amounted to $3.6 billion. From 2011 to 2022 (June), total FCPA settlements climbed to $21.2 billion.”

Often companies that have not had a structured compliance program, or have management with a disdain for compliance, run into regulatory issues. The initial response is reactive. In those companies that learn their lesson, this turns into proactive remediation under forced rebuilding, such as a deferred prosecution agreement, consent decree, or similar. For some, however, the improvement or transition takes time. Stryker, Orthofix, and Novartis are notable examples, having had at least two enforcement actions each.

A case in point is the pharmaceutical company Novartis. Novartis was prosecuted across multiple countries (China, Greece, Vietnam, and South Korea) between 2016 and 2020, with $360 million in enforcement actions.

Compliance issues have plagued Novartis: payments to lawyers of government officials, data manipulation, bribery of physicians, price-fixing, and kickbacks to healthcare professionals. When the problems are endemic from the sales force to the top executives, it is a systemic problem and takes considerable time and effort to fix.

One could easily believe that Novartis has been so heavily engaged in reactive compliance that it has not had any time for proactive compliance. Time will tell. It does raise an interesting point: How do you change from a reactive to a proactive compliance mindset?