
When Compliance is wrong

January 30, 2023

As I said in my last post, I recently had the privilege of hanging out with a bunch of smart people: internal auditors.

They work for an organization with manufacturing facilities all over the world, each of which is subject to strict safety regulations. Compliance with those regulations is a major part of the internal audit plan, as it should be.

It did not surprise me to hear that the corporate offices had established similarly strict policies and standards designed to ensure compliance with the regulations.

However, these facilities produced a variety of products and were subject to different local laws and regulations.

But the corporate office valued consistency and every location was required to follow the same company standards.

What I heard was that sometimes a manufacturing plant would believe that a corporate standard was not the right practice for their specific business, in their locality.

Internal audit was expected to identify when a plant didn’t adhere to the corporate standards.

My view, which I shared with them, was that internal audit should follow a different standard: the standard of promoting what is best for the business.

That is not to say that we should not identify deviations from corporate policy, but we should not immediately call it a “finding”.

First, find out why management has not followed the corporate guidance.

Maybe there’s a good reason.

Maybe they have found a better way to ensure compliance with the laws and regulations that apply to their business.

Maybe they believe the corporate policy doesn’t need to be followed because the laws and regulations are different in their area.

Their arguments might be persuasive.

But we shouldn’t immediately agree with them either.

This is a great opportunity for us to add value.

Find out whether other facilities agree that the corporate policy is imperfect. Perhaps management of this facility has talked to them.

If several facilities have the same issue with the corporate mandate, it strengthens the notion that it should be changed.

We should discuss the deviation and the underlying corporate policy with the owners of that policy.

In fact, it might be useful to facilitate a discussion between corporate and the local management team (or teams, if several facilities believe change is needed).

Maybe there’s a great reason for the local teams to adhere to the corporate policy, one that the local management teams are not aware of.

On the other hand, maybe the corporate policy should be revised.

We won’t know until we hear from all sides, and especially when all sides have talked – and listened – to each other.

One of the problems that we may uncover is that the corporate staff are not listening. Maybe they don’t know the business as well as they think, and there are better ways to address the risk of non-compliance.

Maybe new systems and technologies enable a better way to assure compliance, and the corporate policy should be brought up to date.

We should be careful about second-guessing either local or corporate management on such issues. They are more likely than not to be more knowledgeable, both about the laws and regulations and about the business, than we are.

But where we see an opportunity to add value, where there are better practices than mandated by corporate policies, we should bring that to the attention of the people best able to make an informed and intelligent decision.

I can recall a couple of situations where the corporate mandate was at least questionable.

In the first, a corporate standard required a separation of two functions (something that auditors love). But the unit my team was auditing was too small to have that separation. We determined that the underlying risk was adequately addressed by other means. I think there was after-the-fact monitoring by management. We worked with the corporate team to grant local management an exception.

In the second, the corporate procurement team had obtained an agreement with a global manufacturing company for the supply of critical components. It established prices for materials used in most of our manufacturing units around the world. However, the procurement team in Malaysia had negotiated a deal with the supplier’s local subsidiary that was far superior. Corporate wanted us to slam the local team for failing to use the global contract. Instead, we suggested that they consider renegotiating the global contract and we considered the local procurement contract a best practice that could be followed by other business units.

It is easy to audit for compliance without thinking about whether the policy or standard is the best practice for the organization, given the risk it is intended to address.

I call that “blind compliance”.

The auditors should think about what they see, listen to all sides when there is a deviation, and seize any opportunity to add value to the business.

If we don’t understand why the policy is written the way it is, we should ask, listen, and seek to obtain that understanding.

There have been times when my team has asked why the policy is the way it is and management has been surprised. They thought about it, with our help, and changed it.

Policies get out of date, and we have an opportunity to add value by bringing that to management’s attention.

Does the policy meet the needs of the business?

Let’s not encourage compliance with policies that don’t.

I welcome your thoughts.

  1. February 1, 2023 at 8:50 AM

    Corporate standards/policies/mandates are effectively controls applied to the whole organisation in order to mitigate risks which threaten, it is believed by group HQ, the achievement of the group’s objectives.

    As you have demonstrated above Norman, there are two problems applying policies to the whole organisation:
    > Risks will not be the same throughout the organisation. Risks in some parts of the world (e.g. kidnapping) will be greater in some countries than others. There is therefore the danger that risks will be missed because corporate policy is considered ‘complete’ with no further risk identification necessary.
    > The controls required to manage these risks will differ from country to country. The Malaysian procurement team mentioned above is an example.

    Theoretically a proper identification of risks at operating unit level should highlight anomalies with corporate policy, since some policies will be seen as inadequate while others will be seen as irrelevant.

  2. Anonymous
    February 1, 2023 at 8:55 AM

    First class advice. Again detailed, practical, realistic. Immediately useful to real people in the real world. And deceptively self evident. Made to look so. Not many can. Reveal the self-evident-ness of the self evident. not that common, common sense.

    Finding on the ground a better way of doing things than in the rule book / manual is good news, not bad, as a starting position and main element of the overall picture. In fact, by default, in principle, every Part of every Whole should strive for better than asked/prescribed, as an outlook better than assuming it cannot do better than asked of it. One can do worse, or better than expected, as well as as expected. Of the 3, the last is 2nd best. That’s how I would approach Compliance, always remembering ‘better’ and ‘best’ should be defined from the Centre, to serve the Whole’s objectives and there may well be parts of that defining process I am not aware of from my periphery/’Part’ vantage point.
