Over the past decade, the DOJ and SEC helped establish the value of compliance programs. Companies had a basis for quantifying enforcement risks because of the large number of FCPA enforcement actions and their high dollar value.
Using those numbers and projected professional fees and associated costs, compliance leaders could demonstrate the enormous risk potential of even an alleged FCPA violation. They could then weigh that risk against the cost of the compliance program.
That quant-heavy approach worked well during years when FCPA enforcement actions involved dozens of corporate defendants that paid two or three billion dollars or more in penalties and disgorgement. But since 2021, there’s been a much-discussed lull in FCPA enforcement (as Harry mentioned in his account of the SCCE’s recent Chicago confab).
The lull has left chief compliance officers especially vulnerable to that perennial question: Why do we need the compliance program you’re asking us to pay for?
In truth, the entire anti-corruption field — from academia to NGOs, journalism to private consulting — has always wrestled with the same problem. No one can measure corruption. And if we can’t measure it, how can anyone claim to know how to fight against it? How do we determine what works and what doesn’t? For that matter, why even talk about it since its existence is mostly theoretical and speculative?
In some areas of life — art, physics, psychology, spirituality — people routinely accept the idea of unmeasurable things being there. But the business world is different. There’s a strong prejudice against anything companies can’t measure. A quote famously attributed to pioneering management guru W. Edwards Deming sums up the mindset: “If you can’t measure it, you can’t manage it.”
Surprisingly, that’s not what Deming said. It’s a misquote of Deming’s opposite and far more nuanced thought: “It is wrong to suppose that if you can’t measure it, you can’t manage it – a costly myth.”
Because of that costly myth, the measuring continues, and CCOs live with the consequences.
That’s why the lull in FCPA enforcement is a big deal. Compliance leaders have lost their best response to the dreaded “Why compliance?” question. Without robust enforcement, what can they say?
We all get it. The DOJ and SEC are distracted — by the Russia sanctions, crypto-crime, Covid fraud, and more. But knowing what’s behind the lull doesn’t make life easier for CCOs.
Yes, there are multiple indices that show corruption risks by country and region. But critics can challenge even the most respected indices. What do they measure? Not corruption but perceived corruption risks. What are the indices based on? Only secondary sources — survey responses, enforcement activity, democratic mechanisms, pending peer-group or same-country investigations, and even the number of parking tickets NYC police issue to UN diplomats. Are any of those enough to satisfy corporate overlords? Maybe not.
There’s no easy answer or quick solution to offer CCOs. We’re heading into a time of skepticism about compliance programs and their costs, similar to the 1990s and early 2000s, when corporate bosses pointed constantly to low FCPA enforcement levels.
Tragically, corruption is real. Anyone who travels today from Singapore to Sofia or London to Lagos knows that. They can see and feel its devastating, demoralizing impact.
Despite the reality of corruption and the ethical and legal need for compliance, some compliance programs will shrink, with horrendous results only visible many years from now. As-yet unknown corporate FCPA defendants will pay the price for believing what Deming called the “costly myth” that you can only manage what you can measure.
That way is bad news for everyone, not least because it puts those companies and their under-trained employees at more risk than anyone can measure.