Do our compliance programs look like the Winchester House? | Society of Corporate Compliance and Ethics (SCCE)

CEP Magazine (October 2022)

In 2018, Life magazine published a special edition entitled “The World’s Most Haunted Places.”[1] This edition featured the Winchester House in San Jose, California, later renamed the Winchester Mystery House. For those of you unfamiliar with the Winchester House, it was initially purchased by Sarah Winchester in 1886 when she moved from Connecticut to California. Sarah was the widow of William Winchester, son of Oliver Winchester, the founder of the Winchester Repeating Arms company.

After the move, Sarah began to renovate the house. And renovate it. And renovate it. Additions were added and skylights, cupolas, and stairways were built. The list goes on. These renovations lasted over 35 years until her death in 1922. The house has stairways to nowhere and doors that open to walls. This—and the fact some claim it is haunted—is the primary reason the Winchester House is now called a “mystery house.” It is more like a maze than a home.[2]

What does this have to do with institutional compliance? In a recent compliance presentation, Andrew Neblett, co-founder of informed360 and chief operating officer at Ethisphere, pointed out that many institutional compliance programs today can end up looking like the floorplans of the Winchester House.[3]

Here is how that can happen. Several years ago, the 17 “shalls” in the United States Federal Sentencing Guidelines’ “Effective Compliance and Ethics Program” were synthesized into what is commonly referred to today in the compliance industry as “the seven elements.” In addition, some regulations have comparable elements embedded in their requirements. As a result, many compliance programs in many industries are based on these (or similar) elements.

As a hypothetical example, let’s say a utility created a compliance program for the Sarbanes-Oxley Act (SOX); then for the Federal Energy Regulatory Commission (FERC); then for the North American Electric Reliability Corporation (NERC); then for diversity, equity, and inclusion (DEI); then for the Occupational Safety and Health Administration (OSHA); then for workers’ compensation; then for the Equal Employment Opportunity Commission (EEOC), etc. These programs combined can begin to look like a compliance Winchester House for various reasons, an important one being duplication of effort. For instance, all these programs probably have a training component, require legal research, need to assess risk and be regularly audited, require policies and procedures, etc. Are all seven of these programs going to have separate training platforms? Separate audit functions? Separate policy management? You get the idea.

Knowing this could happen, how can we create or reengineer compliance programs that are not a mystery but are effective and efficient? A few ideas are discussed below.

1 “The World’s Most Haunted Places: Creepy, Ghostly, and Notorious Spots,” special issue, Life, September 28, 2018.
2 The Winchester Mystery House, “History,” last accessed August 1, 2022,
3 Andrew Neblett, “How Technology Can Improve Effectiveness and Deliver More Value to Our Compliance Programs,” Dallas Regional Compliance & Ethics Conference, Dallas, TX, October 22, 2021.
4 Deena King, Compliance in One Page, 2nd ed. (Dallas, Texas: self-pub, 2020) and Strategic Compliance (in pre-publication).
5 Neblett, “How Technology Can Improve Effectiveness.”
6 U.S. Sent’g Guidelines Manual § 8B2.1(b)(7) (U.S. Sent’g Comm’n 2013).
