Webinar: Top 10 Compliance Tips I Wish I Had Known

August 19, 2022

Do you ever wish you could go back to give yourself advice? Do you wonder if you’re making mistakes with your program and its management?

Fear not, the daring duo of Kristy Grant-Hart and Nick Gallo are here to explore the top ten things they wish they’d known about effective compliance program creation and management, plus how to know if you’re making these mistakes now, and how to fix them. Join us as we give expert feedback to optimize your program. You don’t want to miss this fast-paced, information-packed webinar with tangible advice and easy-to-implement takeaways.

Transcript for Top 10 Compliance Tips I Wish I Had Known

Nick Gallo: Hello, everybody. Welcome to the ComplianceLine Webinar with Kristy Grant-Hart. We got a bunch of people loading into the room right now, so we’ll give them a couple minutes to get going. Hope everybody had a safe and sequestered Thanksgiving. I hope your holiday season is off to a good start. How are you doing today, Kristy?

Kristy Grant-Hart: I’m fantastic. I’m so excited to be here.

Nick: Me too. I’m pretty excited for this one. This is the third one we’ve done over the last few months. Well, what was the first one? The first one was top 10…

Kristy: Risk assessments, Mistakes Made in Risk Assessments and we did Nightmares with Your Third-Party Due Diligence Program. The Halloween one.

Nick: Yeah, that was, like, a Halloween fun-themed one. That’s right. That’s right. And then this one is just the Top 10 Tips That I Wish I Had Known. So we’ll kind of get moving now. So as always, we have a great set of content for you today. Kristy has a lot of great tips. Some of these are going to be lightbulb moments, some of these are going to be things that you may be doing already, but each one of these have some nice nuance that I think can help us elevate our roles.

Before we get into everything I just want to remind everybody, we want to keep our trend going of the great participation that we’ve had. These webinars have turned into kind of a nice, sort of almost a quasi-roundtable where, you know, we can kind of turn this into a bit more of a discussion. So please keep those questions coming. And as usual, our world-famous ComplianceLine book giveaway is in full effect today. So you can 3x your chance for a win by participating in the chat, asking questions. You also can 3x it again by responding to the email from our team that comes afterward.

And this time, you’re gonna get a pick from the entire palette, the entire bouquet of Kristy’s books. She has three phenomenal books. Each one has a little bit of a different angle to them. I endorsed them all with three big thumbs up. And so, you know, you can let us know. So please keep those questions coming. And with that, why don’t we jump on into The Top 10 Tips I Wish I Had Known?

So I’m here today of course with the famous Kristy Grant-Hart. Kristy runs Spark Compliance Consulting. She is a well-known thought leader in the compliance space. If you don’t know her, please get familiar, follow her on LinkedIn, follow her blogs, and so forth. So much I’ve learned from her over the last couple of years. A former adjunct professor, best-selling author of the “Wildly Effective Compliance Officer,” which, again, will be one of your three. So again, thank you so much for joining us today, Kristy. I’m pretty pumped if you can tell.

Kristy: Absolutely. Absolutely. This is gonna be great.

Nick: Yeah, so let’s dive right in here.

Kristy: Let’s do it. Okay. So these are all things that I wish I had known. So I was the In-House Director of Compliance for Europe, the Middle East, and Africa at Carlson Wagonlit Travel in charge of 100 countries. And then ultimately, the Chief Compliance Officer at United International Pictures, which is a joint venture of Paramount and Universal, again, 65 countries globally. And these are all things that I got wrong or have seen go wrong with our clients. And I think it’s really important to get this stuff right. Because like you said, Nick, some of it’s nuanced, but some of it is critical.

And number one is critical, which is to get alignment on your three-year plan from the board. So a lot of times I see compliance officers just jump in, they start doing stuff, or they prioritize whatever they think is important without getting that vision in front of the board. So what I did was I created and I create now with clients, three-year plans that look through the different elements of the compliance program and say, “Board, do you like this?”

And here’s why it’s so important. If they don’t, you want to know right now. You do not want to know a year from now, or two years from now, or three years from now. They’re looking at it going, “Well, I’m really disappointed. This isn’t what I expected.” If you don’t set their expectations, they will set them for you and they will probably all be different. So if you have eight people on your ARC, on your audit and risk committee, they all have a different idea of what you should be doing. So if you don’t get that alignment, and that, “Yes,” then you are acting toward expectations that you haven’t even heard. And it’s a problem.

Nick: Yeah, and you don’t hear them until you present the dish, and they say, “Well, I didn’t want that dish. I’m a vegetarian,” or something. So, like, let’s bring this down tactically. How would you kind of prescribe someone achieve this? Do you send a draft to the board at a one-quarter board work meeting? Or do you do a bit of a more collaboration? Like, how do you get that buy-in on kind of a boots on the ground level?

Kristy: Sure. So usually, there is either a year-end or a year-beginning, so this is a really good time to do it if you haven’t done it already. Coming in and saying, “I want to give you instead of a one-year plan, I want a three-year vision.” Because a lot of times they expect the one-year plan. If you can do the three-year vision, and what I do is I have it on a PowerPoint, basically. It’s one slide because God knows boards want one slide, that’s a table that basically breaks out the seven elements of an effective compliance program, and says, “This is my three-year vision.”

And then I’ll have the second slide with my one-year goals that will align with that vision. So once you have that three-year vision, here’s my top tip, make your one-year goals things you know you can achieve, so that you look like a rock star. And if you overachieve, then you’ve done better for year two. Particularly this year, you really don’t want to overpromise because we have so much disruption that’s potential for 2021.

So I think that by presenting this as, “I want you guys to see the vision with me, and if I haven’t met what you’re expecting, I can revise it and send it to you again.” And then it’s not a thing you need to keep updating with them. You want to update them on your one-year progress. But that three-year vision will guide your ability to tell them where you’re going, which is helpful.

Nick: Yeah, and it helps to kind of frame it out, at least to your point, and it pulls forward some of that potential, you know, pain or friction or conflict or debate. It pulls it forward, so you don’t, to your point, spend a bunch of time running down a path that you’re going to get roasted for a year later when you say, “Look at what I did.” And they’re like, “Well, why did you waste time on that?” Getting that buy-in early is critical.

How, though, do we navigate sort of the two different levels, right? We have the board up here. And then we have the C-suite. How would… This is a great question that somebody asked. Would you suggest sort of getting that C-suite buy-in before you bring it to the board? Does it matter? Does it depend?

Kristy: I think it depends on the cadence of your relationship. A lot of the boards have the CEO on them regardless. So I think that it’s always good to have that person on board. But sometimes they have a very different set of expectations or experiences. So we have a couple of clients that are just post-IPO. And their CEOs, you know, they’re still in the startup mindset, they haven’t had compliance in any meaningful way. And they’ll end up with people on the board that have been at, you know, major pharmaceutical companies, or that have been in publicly traded companies that have a much more mature sense of what compliance should look like.

So if you just go with the CEO, they may not really have the vision that somebody with a broader experience and more experience would have for what compliance should look like. So I think you need to gauge that really carefully. It’s a personality and a political thing as well. But if I can get the full board first, that tends to be something that I would prefer.

And let me take this down a level too, because I know we’re gonna have some compliance managers and directors that aren’t talking to boards or CEOs all the time. It’s the same thing. You want to align with your boss on his or her sort of three-year vision, if they haven’t got one, maybe talk about where it’s going. And that your planning matches their vision for where they will be in a year and how you’re supporting it. So that you get that alignment, and you can deliver their vision. Because, again, a lot of times we kind of go off in our own direction without pleasing the person we need to please.

Nick: Because if you think you did a great job, it actually doesn’t really matter. It matters what the company thinks or what your boss thinks or what the board thinks about your job. So that alignment can really help you deliver at the year end that they think you did your job well.

Kristy: Yeah. You know, that theme of managing up and recognizing that kind of, there’s multiple facets to our job. It’s not just keeping ourselves out of trouble. It’s also keeping our jobs and it’s also keeping our bosses comfortable with the jobs that we’re doing. Like, it’s a nuanced thing, for sure. And I love that advice that you said that this principle kind of applies regardless of where you are in this sort of hierarchical stack. You know what I’m saying? These tendencies are these, you know, our eye toward minute managing up and keeping those stakeholders that we’re serving directly happy.

Nick: The sooner we can start doing that and getting into that habit, then when you are having those board conversations, those are just going to be natural. Like, that’s just how you’re naturally going to kind of navigate the world. You know what I mean?

Kristy: Yeah.

Nick: What do you think prevents people from doing this? What do you think… Like, why is it so hard to even talk about a three-year plan? Why is this not just basic?

Kristy: I think that there’s a fear of rejection that comes into it, there’s a human element to it that it’s easier to just want to go and do, do, do, do. I think that also it feels better to be successfully doing something as opposed to planning something. And I think that it’s an easy thing to get trapped in. Instead of actually sharing the vision and building it, it’s easy to feel like you’re doing something. And I think there’s a natural tendency to be like, “Okay, guess what? I am delivering training.”

I can tell them I’m doing something as opposed to, you know, thinking about it. Setting a vision doesn’t feel like doing and I can say that I’ve done six investigations and three training sessions and, oh, my gosh, they’re gonna be so proud of me for doing as opposed to planning. And I think that’s backwards.

Nick: Great point. Okay, so thank you for that one. Let’s go to number two here, please.

Kristy: Number two is about…

Nick: …I wish I had known to use their language. What do you mean by this tip?

Kristy: So this really comes from a book that I read years ago that I absolutely loved called How to Make Anybody Fall in Love with You. And it was talking about using the language of the person that you want to date. So if you’re dating a lawyer and they talk about going to the firm, if you talk about going to work or their organization or going to the company, they’re not going to feel like you get them. So using their language means when you go to the shop floor, trying to speak like them, when you go to meetings, trying to use the same words.

How do people talk about their job? Do they talk about it going to their work, going to the organization, going to the company, going to the firm? Do they talk about a canteen or a lunchroom? These simple little things really change how people see you. Is it the water cooler? Is it the coffee station? Is it the coffee bar? Is it the… Use the same words because people feel like you understand them.

And another variation of this is a lot of compliance officers are much more educated than the people, particularly if they have like a big manufacturing plant, or if they have shop floors, retail stores, all of that. You don’t want people to feel like you’re talking down to them. And it’s very easy to do that unconsciously. So you really want to pay attention to the language you use and to use their language back to them so they feel like you understand them.

Nick: Who do you think this applies to?

Kristy: Everyone.

Nick: Every interaction?

Kristy: Yeah, I mean, look, it takes conscious thought.

Nick: I’m not trying to be obnoxious, of course, yeah. Okay.

Kristy: It takes some conscious thought. But the other thing you can do is pick out those words that you hear commonly and adopt them so that it becomes natural for you to say shop or floor or coffee bar or whatever it is, that becomes your vernacular that is the same as theirs. So by paying close attention to it, to that type of word choice, you can make that natural for you and not quite as staid, I suppose.

Nick: So, you know, what I love about this tip is that, you know, this is pulling from that softer side, that sort of influence side, which, you know, over this next decade, if we’re truly going to elevate into the strategic lever that I think we can and should be, that some organizations utilize compliance for, thankfully, then we need to be incorporating this kind of stuff. And what a simple little tweak, and what an easy way to sort of, like, at least increase your perception of self-awareness and make those connections a lot quicker.

What do you think the psychology is behind it? And how do you think doing this helps to address this broader sort of compliance brand problem that, you know, everybody is alluding to right now?

Kristy: I think that the psychology behind it is that people want to feel understood and that language is our way of communicating. You can mirror body language too. Most people know that if you mirror body language, it makes people feel comfortable. And it’s so funny because I know almost no one who does it. But, you know, since I wrote a book on it, I try really hard to do these kinds of things and to mirror their pace. If they’re speaking quickly, then to mirror that. If they’re speaking slowly, it’s the hardest one in the world for me because I talk too fast to, like, slow down. But ultimately, you’re wanting to make the other person comfortable.

And so if your intention is to make the other person comfortable, and to feel heard, even that energy will translate, and that you care about how they’re feeling will be felt. And that can improve a relationship immediately.

Nick: Yeah, it allows for that connection. And I think you alluded to this other thing about the potential, this is probably the wrong word, but, like, a classism that we could bring with us. And we have a perception many times in an organization that, you know, we’re just here to tell people no, we’re here to just kind of thwart everyone’s dreams. You know what I’m saying? I’m being dramatic, of course. But I’m meeting people where they’re at and being approachable is not only how we can knock down some of those walls and have that authentic connection, but begin to also open the door for, you know, us being that trusted adviser for them. Right?

If we’re…like, if you’re not approachable, no one’s gonna ever come to you, obviously. Right? But speaking that language and, you know, to your point, that mirroring thing is extremely powerful. But it’s interesting how people kind of stop at the body language piece, and don’t put it to the actual sort of language piece. You know what I mean?

Kristy: Absolutely.

Nick: Let’s check the next one out, please.

Kristy: So this is, I wish I’d known to start with a risk assessment, what basically everybody hears and thinks. And I’m telling you, we have global clients that do not have their risk assessment done or in order. So if you don’t, please know you’re in excellent company. This is kind of the same thing as the three-year vision. It feels better to do something. It feels better to say, “Oh, I think I know that privacy is our biggest problem.” Well, it may be, but what part of privacy is your biggest problem? And are you sure that the bribery situation isn’t also a pressing priority? Some of you do some privacy, and then you pull in some bribery. And then you do some more privacy.

If you haven’t done your risk assessment, your program is on shaky ground, and you will invariably not be able to defend it the way you want to if you’re investigated. But more importantly, there aren’t that many investigations in the world. And so yes, you need to be prepared for a regulator, but you need to be more prepared to defend why you’re spending resources the way you are. Why are you using human resources the way you are? Why are you using technology the way you are? Why are you investing your time the way that you are?

And if that isn’t being taken from a risk-based approach that’s based on something you’ve written, you’re really out in the weeds. And I do think that people don’t do this because they want to just get the next thing done. So they can check it off their list. But it’s critical to start with a risk assessment.

Nick: Yeah, you know, you… What’s kind of interesting about this tip is that there’s kind of a positive-negative to it, right? Like, it increases your defensibility for sure, right? Like, if I have a risk assessment, now I have…you know, I can defend why I made this decision, or I made that decision, or why I looked under this rock over that rock. But, you know, to your, I think, broader point… I don’t know if it’s more important. But your broader point is that it also has a positive aspect to it. Because you get more bang for your buck. Like, you’re more effective.

Like, if your job is to really kind of reduce, you know, extinguish risks, well, now you can identify those, and your efforts are being put towards something that you can actually move the needle on, versus just kind of haphazardly… Maybe that’s the wrong word. I don’t think it is. Kind of haphazardly kind of attacking compliance with tangible things that I can show, you know, “Look, mom, hang this on the fridge,” right? Like, if we’re gonna elevate, we need to start thinking and, you know, again, incorporating a vision, incorporating some effectiveness. Not just moving a bunch of rocks back and forth across the yard every day. You know what I mean?

Kristy: Yeah, absolutely. The risk assessment piece is critical. And people overcomplicate these so much. I had one client whose process went for a year to finish their risk assessment, and I just went, “What are you doing? Like, you can finish… A basic one can be done, a very high-level one in a week.” Just do some research and understand what your impact and potentials can be. I think that full-blown risk assessments are great. You know, ours take three months. We go to the whole company, we do 25 interviews, whatever. Like, professional ones are fantastic. But if you don’t have that resource, do something, and just get it done. Yeah.

Nick: Get it going, get it started. And to your point, I mean, I’ve seen them done in literal Google, you know, spreadsheets, where you’re just doing a one to five rating across a few different criteria and a few different high-level areas. But I mean, to your point, that in itself is going to be orders of magnitude better and provide orders of magnitude more defensibility. Because there’s at least some evidence of some thought and some framework behind the efforts that were taken. And again, which rocks we’re looking under.

Kristy: Yeah.

Nick: Why is this such a hard thing for folks to do? Do you think it’s… I mean, I know you mentioned, hey, they just want to kind of get in and start knocking things off the list. Do you think it’s they perceive it to be this insurmountable thing, and, “I just need to kind of get moving on something, I need to show some progress, I don’t want to show…you know, I don’t want my boss to think I’m just kind of navel-gazing for three months, you know, planning to plan,” so to speak?

Kristy: There’s definitely that element of it. I think there’s also discomfort with methodology. In our risk assessment webinar that we did, the top 10 mistakes, one of them is just insecurity about how to do it. And it’s an art, not a science. And particularly if you’re a lawyer, or if you come from an audit background, you want complete science, right? Like, this is the risk level, because it’s the risk level. And ultimately, you know, you can put in bands of likely fines and things. But it’s still subjective. And I think people are really uncomfortable with that, if that’s where you come from, in terms of very analytical backgrounds. And compliance attracts analytical people.

So that sort of relative insecurity, I think, makes getting your e-learning provider a lot more sexy and to feel like it’s done. “I can do this, I need a vendor, I picked a vendor, we implemented a vendor, I sent out my training.” Whereas this feels less comfortable, and it may make you less confident.

Nick: So that’s a great point. And, you know, what I’ve found works is just crowdsourcing some of this stuff. So, like, if you’re not comfortable saying, “I’m going to put the one through five numbers…” Again, I’m just kind of saying, let’s start from scratch. Let’s just do it on a simple level. If you’re not comfortable, you yourself, putting the one through five on each of these criteria across, you know, a couple of different feasibility things or whatever, just getting a couple of more folks in the room and doing a little brainstorming session about it and just kind of talking through it, you’re going to get kind of close to what, you know, the handful of biggest areas to look in are I think when you crowdsource those things. And that can help evaporate some of that insecurity that comes from something that’s just so inherently subjective, you know.

Kristy: Absolutely.

Nick: I’ve got a great question here. “So, do you have any tips on creating a high-level risk assessment? And do you know of any templates that you found that can be helpful to help minimize the effort for somebody who’s really new to this and is just really getting started?”

Kristy: So I have an eBook. If you email me, I will send it to you. I’m at kgranthart@sparkcompliance.com. It’s 38 pages, and it’s got all kinds of templates and things in it that can really help you start.

Nick: See, there you go. We’re solving the world’s problems right here. One more question on the risk assessment assessments, before we move on. “Risk assessments on all assets and all…exchanges of the company…” Or, I’m sorry. “On all end to end of the company.” Like, I think this is a… I’m doing my best here. So this is perhaps a scope question. Like, “Should our risk assessment just incorporate everything? How should we sort of look at it? Should it just be the top tips of the mountains?”

Kristy: Yeah. That’s what I mean pick your battles. When you’re going to do this, you need to scope it properly. It is literally the most important piece, and it’s the part that people don’t think about. Number one tip, don’t go outside of your personal scope. So if you’re talking about doing the whole dang company, try really hard, that’s enterprise risk. That’s a whole other animal. You do not probably have cybersecurity expertise in the way that the security team does, you probably don’t have fraud expertise in the way the internal audit team does.

If you are in charge of bribery, sanctions, and privacy, try to keep it to bribery, sanctions, and privacy. If you’re doing a bribery review by itself, look at the way that cases have been brought. So you’re looking at hospitality, you’re looking at charitable donations. Which of these are our highest level? Scoping is critical and try very hard to keep it in your realm because your recommendations will need to be implemented by you. So you don’t want to do this incorrectly.

Nick: Very good point. Okay. So we’ll make sure that we send around the email again to everyone so that you can get that eBook. It’s actually pretty good. Okay, let’s jump over to the next one, please, number four.

Kristy: Yeah, I wish I’d known to…

Nick: Number four.

Kristy: Go ahead, Nick. Yeah.

Nick: Yeah. To specifically define the scope of compliance’s responsibilities. You know, great segue. So what do you mean by this? Let’s kind of dive into it. Because I think there is a ton of chaos that’s created when people don’t do this. And a ton of anxiety that people live with when they don’t do this. And, frankly, a ton of missed expectations that probably could have been, you know, controlled a little better.

Kristy: So when I became the chief compliance officer, I didn’t understand the need for a charter for the program, or for a definition of it. And now that I’ve been doing this for a decade, it’s thing number one for me. When you start a new program, you need to define what you’re responsible for, what you have joint responsibility for. And even in the joint responsibility, what’s your sub-responsibility in that. And that is because the word compliance means nothing. It means that you’re complying with something.

Nick: Something.

Kristy: And if you haven’t defined what that something is specifically, you will be blamed for everything. I know you and I were chatting yesterday. I mean, if there is a violation of the permitting law in India, they’re like, “Well, aren’t you in charge of compliance?” Like, “Well, yeah, but I don’t know anything about India permitting law, and it’s not in my scope.” And if you haven’t defined your scope, how do you know that it’s not in your scope?

So it’s one of those get people to agree, particularly your board, or try to get it in writing. That’s why the charter is so useful to say, “Here are the things that I am in charge of, I do investigations, I do the code of conduct, I do bribery, and, you know, prevention,” etc. Get that list done. You don’t want to leave it open-ended, it’s not worth it.

Nick: And how important…so when you’ve seen…I’m sure you’ve seen clients at different ends of the spectrum. Some, just, they’re going to iterate every…you know, they’re going to list out a litany of just these very specific things. And some people are more vague. What do you think prevents people from getting super specific? Is there a fear that’s involved in this?

Kristy: I think, frankly, that either way can work as long as you properly define. So we have one client that’s got a two-page charter. That CEO was like, “I don’t want long documents.” It was actually one of the startup CEOs, that’s now an IPO. Like, “Just give me the quick and dirty. I don’t want it.” You know, and that is as effective or can be as effective depending on your corporate culture. Do you normally see policies that are 400 pages long? Your charter should be more in-depth.

If you normally see a very light touch, it’s new, make it light. Whatever it is, as long as it defines your parameters, it can be successful.

Nick: And how important is getting the buy-in for that? Or maybe not even buy-in. But just, like, what benefits does doing this have on the job that you do as light bulbs are turned on with respect to other people in the organization, understanding what your job is?

Kristy: Well, that’s just it. It’s understanding what your job is. And so I think that in terms of buy-in, it’s more alignment than buy-in. It’s making sure that people understand, especially at the highest levels, what it is you do. We are still a new function. And tons of companies I work with… I’ve got one client that, God bless him, the person in charge is the corporate secretary, the general counsel, and the chief compliance officer, one person, global, right? Like, I don’t know how he sleeps.

But just, if that isn’t defined, and people don’t understand what it is, you have no defensibility. Also for when people come to you and say…let’s say that you don’t run diversity and inclusion, right? Well, you know, “Can you do this diversity and inclusion program?” “Well, no, I can’t, because I’m charged with doing the anti-bribery program, and I’m charged with the trade sanctions program. And if you want me to take that on, that’s fine. But I need to expand my scope and reduce my scope with other things I’m doing.”

And that’s the kind of thing where you can take on other projects, but you really want alignment, so people, if they’re asking for something else, it’s not this broad base, “I don’t know what you do your compliance with Indian permitting law.”

Nick: Do you think there’s some reticence to do this because people don’t want to limit themselves by those things? Or do you… Do you know what I’m saying?

Kristy: Yeah, I think a little bit. I think they also don’t want to feel like… Yeah, I think that’s probably right. I think it’s a limitation, but also, again, not wanting to say, “This is all my territory,” especially if there’s turf wars that have existed, that can be difficult to define as well.

Nick: And I mean, I think a good thing to remember, I think you said this yesterday, but like, many of our spouses and partners don’t even know what we do. How can you expect the guy in purchasing or the salesperson in the Middle East to know what it is you do? Like, if the person that you go home to every day doesn’t, can’t articulate it as well, you need to really kind of overcompensate for that in the professional setting to make sure people understand where the perimeters of your responsibilities are and aren’t.

And then again, you know, so much of what we’re seeing here is kind of this framework of pulling forward the tough conversation or pulling forward the tough work, so that down the road, you know, I’m not dealing with that pain, right? Pulling forward that tough conversation with the board to get the buy-in for what the three-year vision is versus running for three years and then getting slapped on the wrist because you didn’t do what they wanted, right? Run toward that problem. And in doing this, you’re running toward a potential kind of misalignment or a misunderstanding with respect to a responsibilities problem by articulating those things.

And again, once that document is signed off on, and once those things are kind of in place, then you can sort of run within those tracks that are established, you know.

Kristy: It is so much easier to have this conversation when it’s no big deal than when you’re suddenly faced with a violation for Indian permitting law, and you’re trying to explain why it isn’t your problem. It’s so much easier to have this conversation when it’s neutral.

Nick: Love it. The next one, please. Number five. So I wish I’d known to update my plan publicly when new challenges hit.

Kristy: Yeah. So nobody’s 2020 plan included COVID. Or if it did, congratulations, you are prescient. I think that when we have, whether it’s COVID, whether it’s a regulatory investigation, whether it’s an unscheduled audit that you didn’t expect, whether it’s something comes up and you suddenly have to totally shift gears, a major investigation internally, it’s a huge problem. You need to update your plan with your board or your manager. Because oftentimes, by the end of the year, guess what? They forgot how much time and effort that regulatory investigation, that internal investigation, that, oh my gosh, COVID. They don’t remember. They’re judging you against the KPIs or against the deliverables that you said in minute one, right, that you’re going to get to deliver. And it can actually really work against you.

They can hold that to, “Why didn’t you finish these things? You said you were going to.” “Yes, but I was busy with…” “Uh-huh. But you said you were going to.” So when something hits and you go holy heck, this is going to be crazy for the next two months, and I can’t get anything else done. I can’t push out my eLearning when everybody’s suddenly trying to learn how to work from home, and they can’t get on the LMS system, and the VPN doesn’t work. Right.

So I think that when you have a crisis, you need to realign your annual plan and resubmit it or send it or talk to your manager and say, “These are my realigned goals. This is what I should be able to accomplish as well as managing this crisis.” If you don’t do that, it really can come back to bite you.

Nick: Yeah, and I think when we recognize that our value to an organization is not the plan. Yes, you need a plan. But your value is not the plan. It’s your ability to plan and it’s your ability to navigate the waters as they change. Then our reticence to change that plan gets diminished and we can understand that this is written in paper and we’re going to be kind of changing things as we need to.

But I think it’s a really hard thing to do. Like, this is a great tip because I think it’s a very difficult thing to do. Like, we are all, to some level, kind of victims of the sort of curse of knowledge, right? Like, if you’re in the weeds every day, it’s hard to recognize that somebody who’s not in those weeds, you know, doesn’t know what it’s like, right? And so the example we give on this is, like, if you’re a gold medal downhill skier, and you’ve been skiing for your entire life, imagine if you have to go and teach the bunny slopes one day. Like, it’s been so far…you know, it’s been so long since you gotta know how to make pizzas with your skis. You know what I’m saying? It’s hard to kind of truly empathize with that person that you’re trying to influence.

And when there are these changes, you know, when COVID hits, and we’re just trying to keep our head above water, you know, and we’re constantly reshuffling our day-to-day plans, as things come up, and so forth, it’s hard to remember what somebody who nine, 12 months ago is anchored to. So going back and managing those expectations along the way, just, again, pulling that stuff forward, clears up a lot of potential conflict or trouble down the road. Talk to me about how this kind of lays into what our plan for next year should be.

Kristy: Oh my gosh. Do not overstate what you can do. There is so much room for disruption, so much room. If you can scale back what it was you were planning on doing or what you would like to have accomplished and plan that you’re going to have two months sucked out because we don’t know what’s going to happen, that will help you. You can always overperform and overdeliver. When you underperform and underdeliver, it is not a good outcome.

So I really think that 2021 should be a year that you just kind of get through and you try to deliver what you can, but making it a really aggressive year, unless you are in a very different position than most companies, is problematic.

Nick: So this is…so part of that, like, I find… So a lot of this happens in corporate budgeting, right? I mean, I’m just going to use this analogy because I’m a little bit more, you know, adept over on that side of things. You see a company come forward to their board and say, “Here’s our budget for the year,” and it’s a knockdown, you know, it’s a bang-out budget, right? And then throughout the year, they don’t hit it. And then, you know, the other side of that coin is to totally sandbag it and say, “Hey, we’re not going to grow at all this year.” And then you’re going to have a little bit of an arm-wrestling match with the board saying like, “Well, what are you doing? Like, what are we paying for?” Right?

So there’s some kind of thing in the middle. But I think your advice to err on sort of the downside, err on the side where you have a higher confidence interval of achieving it, that’s probably the place you want to be. You can have your own stretch goals, to your point, offline, or with your team to overachieve that goal. But again, from a managing up perspective and from a managing expectations perspective, you just want to be right around that floor, especially in the context of so much chaos and so much new risks that have popped up over the last 12 months.

Kristy: Yeah.

Nick: So we have a great question here that I think feeds into what you’re talking about. “When COVID hit, would you start with redoing a risk assessment to understand what is critical before updating a plan? Is that just an iterative process?”

Kristy: Yes, it is. And it’s iterative whether it’s COVID or an investigation, or you haven’t done it in three years. Absolutely, you always do a risk assessment or update your risk assessment on a time schedule. So that’s usually every two to three years, what we recommend. And when the business expands into somewhere new, or it’s got a new product line or something has significantly changed, and the significantly changed can include things like COVID. So your risk assessment may shift dramatically.

Certainly, fraud risk, bribery risk has gone up. People who are in desperate times do desperate things, people who don’t want to be fired, who can’t make their bonuses, there is all kinds of stuff that COVID brought up. And privacy concerns. Maybe your privacy concerns weren’t very big before, and now they’re gigantic. So I think that that is the type of thing you need to evaluate and redo your plan based on the risk assessment.

Nick: And doing that really does also send…you know, I’m kind of uber focused on the organization’s view of compliance because I think turning those light bulbs on and then seeing what we can actually do really opens up a lot of, you know, blue sky for us to really kind of elevate and so forth. And I just think just the practice of doing this, just the practice of keeping people apprised of what’s going on and what’s changing in your piece of the business puts a gold star next to your name about somebody who’s a good thinker, who’s somebody who’s reliable. This whole department has kind of got it, I don’t have to worry about these folks.

And those are all deposits in the sort of equity bank of, you know, when it’s time to spend that and ask for that extra budget, to really push for this thing, you now have some assets in that bank account that can be sort of, you know, considered in the ask. So I love this tip. I think this is a super-critical tip and it’s an easy one to kind of incorporate to get some wins over next year which this has been probably the hardest. For us, it’s been one of the hardest years on record. So why don’t we jump to number six, please? Number six, I wish I had known to use metrics that actually matter. What do you mean?

Kristy: Yeah. This is the gold standard of activity versus actually doing things that matter. There are two things you need to think about. The first one is, what does your board or your CEO, or your manager care about? Okay, that’s number one. Do they actually care about what you’re telling them? Number two, they need to have a KPI or a goal or a story. And number three, they should prove that what you’re doing is effective. And that is the hardest one. That effectiveness piece is really challenging. The DOJ updated guidance was all over effectiveness versus activity. So this is becoming the absolute standard.

And effectiveness can be proven, particularly by follow-up. So if you’ve done your training, three months later, can we look and see if a certain percentage can still get the questions right? If you had an investigation, six months later, one year later, look in on the retaliation, look at the person, whether they feel retaliated against, whether or not their performance reviews have declined. We need to use metrics that matter.

So it’s two different things. The first one is, giving the metrics that matter to the board and the CEO. And the second is really evaluating your metrics to see if they prove effectiveness. And if you can meet the goals and the KPIs. I guess that’s three things. You need to tell the story through the goals and the KPIs. You need to make sure you’re telling people what they want to hear or what’s important to them, your leaders, managing up, as we keep talking about. And to measure effectiveness so that you have that defensibility and that you’ve got your own story in context for whether you’re doing well or not.

Nick: So tell me some more about what you mean by telling the story. And where do you see people falling flat on that thing, which I think is maybe the biggest, like, area for explosive influence growth?

Kristy: Sure. So my favorite example of this is we had a client that had a data privacy metrics dashboard. And one of them was number of subject access requests. Another one was the number of PIA, the privacy impact assessment. And the board looked at it and went, “Okay, is two good or bad? Is three good? Is three off? Are we really shooting for five? Like, what is this, you know?” And ultimately, the story was, how much resources that person needed. Because if you had six subject access requests and had gone up by two, that is a huge amount of work and maybe needs outside counsel to help him with looking for privileged documents or trying to find redactions.

Like, there are stories to be told. My story there is, I need more help, or I need to reduce my other capacities, right? If my training scores are going down significantly, there’s a story to tell about that. Why is that happening? What can we do about it? So I think that if you don’t have a sense of goal or KPI, you don’t frame it in what is happening. And ultimately, numbers don’t matter, outcomes matter, and stories matter.

So your metrics are there to tell the story of your program and to tell the story of your culture and the experience that people have of it. So that’s what you’re looking for. You’re not looking for numbers, you’re looking for stories that are supported by the numbers you’ve got.

Nick: That is the key. That’s exactly the key because they’re not going to be able to look at your dashboard that you’re intimate with and even know what a PIA is, to your point.

Kristy: Right.

Nick: So what we tell folks is, every meeting should have an X. And X is, by the end of this meeting, I want the people…you know, by the end of this meeting, we should be able to do X or the decision about X should be made. That same kind of X-framework can be to the slides that you present to the board to say, “Listen, after they look at these numbers, and after they see these metrics, I want them to know this.” “Well, what is it?” “I need some more help,” or, “We have too many of these requests.” But framing your destination out in the context of what you’re going to be presenting can help you devise whatever story that you need to allow those numbers to support it in pursuit of where you’re trying to go.

Kristy: I want to extrapolate on that because it’s so critical what you just said. One of the tips, this is a top tip for handling boards and/or CEOs, know what the ask is. Every time, what is the ask? I see people go into board meetings and they talk all about the big training, how much they’ve done. We’re back to activities. What is the ask? Do I need you to give me approval? Do I need more resources? Do I need you to understand the program’s going well? Do I need you to understand it’s going badly, and I need help? What is the ask? Don’t focus on what you care about, focus on what they care about.

Nick: And the last thing you ever want a board or a CEO whatever to be thinking while you’re talking is, “Why the heck is this person talking about this?”

Kristy: Yes. “Why am I here and wasting my time?”

Nick: “Why am I…” Exactly. So I love it. And there’s probably some more we could talk about there, but I want to make sure that we get this next one because this is a good one. Let’s jump to number seven, please. I wish I had known that private support of the program isn’t enough. What do you mean by that?

Kristy: So I hear a lot of people say to me, “Oh, my CEO is great. You know she’s super supportive of the program.” And I say, “Great. What kind of communications is she making?” “Oh, well, the health and safety is really important right now. We’re not supporting the program publicly in that way,” etc. It’s like, if nobody knows that the CEO or the board or the managers are on board, it doesn’t matter. It may as well not exist. So obviously, you need it to come from the top. You need people doing the right things. But you also need that to be public and focused and people to hear it.

Nick: Yeah, if it’s just the CEO, you run into them in the washroom, and they’re like, “Love what you’re doing.” Like, no, we need that yelled from the rooftops. Right?

Kristy: Yeah.

Nick: So I think this is, perhaps…you know, where’s the strong force with respect to getting the push in the organization? Is it the yell from the top? Is it the buy-in from the bottom? Is it the voice in the middle? I don’t know. It’s kind of all of them. And it changes at different levels. But with respect to getting, you know, perhaps the most important one to at least get it going, that voice from the top, let’s kind of talk about a couple of different tactics for someone who doesn’t have the endorsement yet.

And then separately, they do have the endorsement, but they don’t…you know, it’s not meeting the level of kind of public endorsement that they feel they need to get those true tailwinds behind the program to keep it moving forward. So with that first one, where you don’t even really have it yet, how do you kind of attack that?

Kristy: I think that the answer is the same for both, which is, make it easy. Make it as simple as possible. “I’ve written this for you. Can your admin send it out with your name? Like, you don’t even need to send it. Can your admin send it out? I have a 30-second video on my iPhone. Can I film you? Will you just say, you know, ‘Everybody, have a great compliance and ethics week’? Just say that, can I…30 seconds,” right?

Try to make this as simple as possible, right? The, you know, intro letters, obviously, to the code of conduct, write a blog post that they can…that maybe you pre-comment. “Would you like to comment on this? Can I have your assistant post it in your name?” Whatever you can do to… “Can I use your picture on the communication about the helpline?” Like, they don’t even need to do anything other than say yes, that you can use the picture. So try to find the simplest, easiest, least time-consuming wins, and you’re much more likely to get a yes.

Nick: But it takes a certain kind of…I don’t even know if it’s persistence. But it takes an action, right? You have to go and do it. And you have to go and get it. Like, that endorsement is there for you. Let me say it this way. In many cases, that endorsement is there for folks, if they can go and get it and employ a couple of the five things that you just brought up, right? Like, there’s probably not a lot of CEOs who are against compliance. Do you know what I’m saying?

Kristy: Yeah, I’ve met some. But I think that…

Nick: I’m sure. But I’m saying publicly, they’re not gonna say…

Kristy: Right. No. And most of them are not going to say no to a 30-second video, or, “Can my admin send the email that I wrote?” I mean because they don’t want to be seen as publicly negative even if they are.

Nick: That’s right. That’s exactly my point. Exactly my point. Let’s jump to number eight, please. This is a good one. Number eight, I wish I’d known contemporaneous documentation was so important. So for those of us who don’t know what contemporaneous means, what do you mean by that?

Kristy: Right. I’m like, now I’m using crazy words. Contemporaneous documentation means at the time. At the time that it’s done, it’s been written down. So this was so highlighted in the DOJ update. I was so fascinated by it. In the June update, they really focused on this idea of writing things down as they happen. So if you have your risk assessment, the person who asked that question about updating the risk assessment for COVID, write down what you did because of that. Like, write down why you changed your program. Which, by the way, can be supported by that whole publicly shift your priorities. You actually are creating contemporaneous documentation simply by doing that.

If you are changing or creating the scope of your third-party program and you are excluding distributors who have less than $10,000 of sales, write down why you did that. If you’re hiring more people and assigning them to Africa because it’s been a mess there, then write down why you’re focusing on Africa rather than, say, some of the other regions. Because I always think about this as if I were on a jury, right? If I’m on a jury, and I’ve got somebody who is defending themselves saying, “No, I was at the ice cream store on January 4th,” if they tell me that they were at the ice cream store on January 4th, that’s one thing. If they can pull out their day planner or diary and be like, “I was here, and the mint chocolate chip was amazing.” You know, that is going to be so much better in terms of evidence.

And so getting this contemporaneous documentation, getting in the habit of it as you make changes and decisions, can make a huge difference for your program. It’s defensibility long term.

Nick: So what do you think prevents people from doing this? Is it a form over function thing? I mean this, again, makes a lot of sense. If you have a diary, that in itself is obviously kind of an example of what we’re talking about. Why don’t people keep that sort of compliance diary, so to speak?

Kristy: They’re busy, they think they’ll remember forever, and they don’t realize that if they leave, that somebody else has to try to pick up the pieces and figure it out. So the idea that most people have is, “I’m going to be in this job a long time, or maybe forever, I’ll just keep getting promoted. It’s unimportant. I already know why I think this way, and it’s a waste of time.” So unless you have the frame and the mindset that these things matter longer term, then it feels like a waste of time, kind of like the planning does.

But it doesn’t have to be fancy. It can be an email to yourself. It can be notes that you take somewhere that are in the system. Let’s say your third-party system changes, write yourself a note in Word and put it into the audit system, or add it as a new file. It really… Or maybe you do something like akin to a risk register, where you’re just writing what it is you see, and why you change it. I think that it doesn’t have to be fancy. But the more you can do this and get in the habit of it, the better.

Nick: So again, you know, I’m seeing a theme here, right, of, you know, it’s function over form, we need to do stuff that works. Let’s get started with something small. We don’t need to get started with a massive tool. So you’re saying even just a Google Doc of a bunch of just jotted down notes is fine, as long as you can search it and find it. And it’s going to provide some of that context for you should you get audited or should you… I mean, this is not just, again, defensibility. This is also learnings, right?

Like, if you’re hiring somebody, I mean, we try to do this. Whenever we make a big decision, we try to list out what were our assumptions and what were we concerned about. And then we can go back to those decisions over time to say, like, “Well, what did I miss?” You know what I’m saying? Like, you’re not going to improve unless you’re, you know, practicing and trying to get better. And I think just getting into this contemporaneous note, you know, habit allows you a lot of fodder to get better should you spend the time to go back and look, when you can, you know, pick your head up above water.

So quick question about this. Does…you know, in number seven, when you’re trying to get that sort of public support. Somebody had this question. Does your example for number seven show that the CEO really doesn’t care even though he/she is sending messages?

Kristy: Look, actions always speak louder than words. To a certain degree, you can’t control how the CEO really behaves. And that I have seen. We’ve had one client that had a CEO that was super into compliance, everything worked great. They got a new CEO because they got in trouble. The new CEO was only about numbers, publicly said, “Yes, compliant, sure.” And the culture shifted so fast. I mean, it just shifted…like, it really did. Because follow the leader’s example.

If you don’t have an example, at least you have the capacity to try to show an example. Because not everyone sees the CEO. Let’s remember that in big organizations…one of our clients has 110,000 employees. Well, that perception of the CEO becomes a lot more for most of the manufacturing people on the floor from the communications and from what they see from those communications rather than the actual activity. So will it fool the senior vice presidents that somehow the CEO was super into this because their picture’s on the poster? No. But if you can affect the sensibility of the broader workforce, then that is better than nothing.

Nick: And so I think that’s right, for sure. And then also, you know, in case this person’s question was about, “Well, if I have to type the letter for the CEO to send out as an endorsement of my program, is that, in itself, a sign that they just don’t care about it?” And if that’s your angle, I would say this is just probably a best practice regardless. Like, if you’re looking for a letter of recommendation from somebody that you used to work with, they do like you, obviously, if you’re going to them, right?

Unless you just have no self-awareness. It’s, again, just common courtesy to like say, “Hey, I’ve kind of sketched out a letter, you can change this if you want.” Like, if you want them to do that letter, because again, you don’t know what’s on people’s plates. Everyone is overloaded. And I just think, you know…so I think I can let that go. I think…

Kristy: Yeah. I also think that the message may be slightly skewed or not what you meant it to say if you let them say it.

Nick: Correct, correct. Right.

Kristy: Sometimes they just get the vernacular wrong… You know, this isn’t the world they live in. And so that support I think is great. That example is perfect, the one of the letters of recommendation, absolutely.

Nick: Let’s jump to this next one. This is number nine. I wish I had known to pitch hard for tech solutions. Keep pitching. I love this tip. This is a good one.

Kristy: So we have a client who’s very forward-thinking, who had just become the person to start the compliance program. He asked me to create a list of all the technology solutions he might need as the company grows because it’s growing very fast, and how much they cost. So I put in conflicts of interest manager, policy managers, third-party due diligence, like, platforms, plus consulting fees, plus legal, I mean all of it. And it came out to, like, a quarter-million dollars.

And he took it to the board and said, “Look, this is where we’re going.” And that sticker shock is real. If you haven’t had a program, or you’ve never said, “This is $50,000, no, really it is,” there is a lot of acclimating to that you have to do. So you need to anchor that price, you need to let them understand it. And even if they don’t say yes, the first time, when you keep asking for what you need, you’re more likely to get it. There’s great behavioral science research and social science research on people not liking saying no repeatedly.

Nick: Correct.

Kristy: When I was a kid, I employed this strategy. My parents said that I couldn’t get my ears pierced till I was 12. And I asked them, basically, every time we passed the station at the mall, and eventually, at 10, they finally were like, “Oh my God, yes, whatever. Just please stop asking me.”

Nick: It worked.

Kristy: It worked, see.

Nick: Bingo.

Kristy: Do ask. You want to pitch hard for technology also. It’s not always obvious to people who aren’t in your role, that, “Look, I can’t manage this on Excel anymore. I can’t.” And they don’t understand the difference between an Excel sheet and a third-party platform that holds all that data. So keep pitching for those technology solutions. Even this year, when you know your budget’s getting cut, ask because maybe in 2022, you’ve got a better capacity to say, “I need this, I needed it last year, I really need it this year.” So don’t give up, keep trying.

Nick: And I like the idea of really going for that sticker shock because that sticker shock, that jolt is the sound of a new anchor being established. And to your point, people don’t know what things cost, right? And I love that. You know, talk about what a great example of that kind of framework I was talking about, about pulling that pain forward. Like, I’m sure they’re not spending a quarter-million right now. They probably won’t spend it next year, but you’re starting to do the pre-suasion, what we call. We call that pre-suasion.

Kristy: I love that.

Nick: You’re starting to pre-suade for the vision that we need down the road by anchoring them to something. So that when you bring up the thing that cost 50 grand or that cost 80 grand, they’re not freaked out by it, because they’ve already seen a number bigger than that.

Kristy: Love it.

Nick: Quick question for Kristy. So this question is for Kristy. “To uproot financial corruptions and money laundering and other financial mismanagement, a compliance officer should be equipped with forensic accounting? Or do you think there are specific courses that they could follow?” Like, is there a course that someone could take to get a cursory knowledge to be able to kind of attack this stuff? Or do you think they must be sort of born and bred forensic accountant?

Kristy: I think it depends on how complex your business is and what you’re actually dealing with. I mean, if your investigation is super deep in the weeds, you need to call forensic accountants. If it’s a basic, you know, we broke the $10,000 threshold that we need to report or do an investigation, then you can do that.

Nick: Good point. All right, let’s jump to number 10, the last tip. I love this number nine, man, that’s such a good one and just playing that longer game. I mean, there’s such a great cohesion with your tips. Like, these aren’t point solutions. These are different, you know, facets of this sort of complex shape of what an effective compliance officer is. You might want to think about writing a book about it. Number 10, I wish I’d known to leverage the power of outsiders. What do you mean by that?

Kristy: I mean, it is amazing the number of people…when we do compliance program evaluations, the first thing I do is have the compliance officer do a self-evaluation or the self-evaluation. They always point out the top two things that are wrong. And then I go to their board and say, “These top two things are wrong.” And the board goes, “Wow, no kidding, those are wrong?” And the client, she’s sitting there next to me going, “I told them this six times.”

You know, somehow, when a lawyer or an expert comes in and says something, it has more weight. Use that to your advantage. Use your experts, use your outside lawyers, use your consultants, use your technology gurus, use even compliance officers in other organizations that can speak to what they do to benchmark. When you use outside power it is more influential, whether that is rational, no.

Nick: It doesn’t matter.

Kristy: It doesn’t matter. That’s how it is.

Nick: Yeah, and I guess instead of sort of, like, wringing our hands over the irrationality of it, just see it as an opportunity. Like, you’re probably going to hit that. You know, what you can probably do is lay a little bit of that groundwork. How much more powerful? You know, it’s a, again, a gold star for you if you’ve told your boss five things and then the pro comes in and they say the five things, you don’t even have to say I told you so. They’ve heard those things already.

But to your point, getting that other endorsement or getting that outside person to come in, I don’t know what it is. It’s a different level of credibility. Whatever it is, it’s there. Use it to your advantage to accelerate, to elevate your position to that more strategic lever. What do you think it is?

Kristy: I think people are afraid that if they bring in an expert that they won’t look as smart, or as put together. Sometimes it’s budget, right? I can’t bring in a lawyer, consultant, whatever. But a lot of times, it’s simply they’re just gonna say the same thing and no one will listen. As opposed to people will listen more if they say the same thing.

Nick: Right. I love that. Okay. So we’re doing pretty good on time. Let’s jump to the end. We’ve got a couple of other questions here. So this is a great comment about number nine.

Kristy: Oh, I think we just missed one slide before. Go back.

Nick: Oh, can you go back, please?

Kristy: We have been talking about the risk assessments. And I know, I’m very happy to send out the eBook. If you want a lot more help, we do have a “Risk Assessments Made Easy” course. It has literally 17 modules and 48 templates, downloadable tools. It’s all done by video and downloads. That’s the link, 20% off everyone watching. The code is CL.

Nick: Anybody who has taken this course has told us how phenomenal it is. It’s very…like, this is well…if this was double the price with no ComplianceLine discount, I would say freaking do this. It’s gonna save you so much time, it’s going to save you probably a ton of money. And it’s going to truly derisk you in a material way. So that the efforts that you’re spending are actually moving the needle. That’s what…you know, no one is lacking work in the compliance game, right? So where we focus our efforts are critical. And this course is really phenomenal. So we will send this link around, as well. But I really encourage everyone to give this thing a shot. Again, even just for the templates, it’s phenomenal.

So let me ask, so I’m gonna…we have a couple of minutes, I’d like to talk to you about a couple of more questions. One is, well, this is just a comment. Someone said, “Number nine is, in my opinion, the best tip. It makes so much sense. And it can be applied to so many other areas as well.” I agree. Again, we are playing a persuasion game here. Our entire game is a persuasion game. It’s a hearts and minds game. Obviously, we need to know the regulations and the legalese and understand where these risks are. But so much of it is translation. And so much of it is telling someone why they should care about this.

And asking for things over a long term and pitching hard and pushing for things, that persistence is really what’s going to allow us to increase our own sort of persuasion muscles if we start engaging in that, you know?

Kristy: Absolutely.

Nick: So this is just kind of a general question. Do compliance officers have rights to investigations over financial mismanagement, unfair treatment to some partners, unfair, under-the-table games, etc.? Does that depend?

Kristy: Look at your charter. Look at your charter. Look at your scope. You should…you’ll know the answer to that based on what the scope is that you’ve been given. I’ve absolutely seen compliance officers with all those things. I’ve not seen it frequently. So I think that that really depends on your business. If you aren’t sure, whether that is in your scope, the word, “Right,” is not the one I would choose. I would choose, “Is it intelligent for me to have this? Is somebody else in charge of it? Is audit?” Usually, audit is doing those kinds of investigations or outside audit firms, if they’re really in-depth. But look, if you have the expertise, and you can bring it into your scope and you want it, for sure.

Nick: Okay. And then, so this is kind of a related question. Do you think that compliance departments should have an auditing team as well or do you think that those should be separate things?

Kristy: Oh, it’s great if you can. So, okay. Internal audit is separate, right? They look much more at, like, financials and things like that, and they can have compliance elements. If you have a compliance audit team, I mean, that’s golden. You’ve got somebody to actually test controls and look at effectiveness and bring you better metrics. I mean, that’s awesome. I don’t see it a lot. But when I do, it’s so exciting.

Nick: Yeah. It’s just such a nice resource to have to get that. I mean, again, as effectiveness becomes a bigger piece of the puzzle, how can you confirm effectiveness without kind of going back and doing some analysis that this type of an audit, you know, person could do? Last question, which we can probably spend an hour talking about so I will ask it here in the last minute. Why… So this is not directly related to the webinar. So if people need to hop off, by all means, go ahead. But I would like to know why almost every sector has compliance officers with different titles. However, no one can stop financial corruption, money laundering, safe havens, etc., using any of the methodologies existing with us today. How would you answer that?

Kristy: I would say that every business is different and that every risk profile is different. So that is what we need compliance to do, it’s one of the reasons our roles are so misunderstood is because they are different. There are different names, there are different titles, there are different meanings to what it is that we do.

And in one place, import/export compliance is totally separate. It’s its own department. In some places, the compliance officer’s got data privacy, some, they don’t. I never worked in-depth with anti-money laundering. It was not something that was a risk at any of the companies that I worked at, where we’ve worked with companies where it’s a really big deal. I think that that is a question of a maturing of our industry, and also the broader business community understanding what we do and having us be able to make the case for what should be in our scope and what shouldn’t be in our scope.

Nick: That’s a really good answer. Much better than my answer. My answer, you know, I can re-ask this question, why every… You know, every building has fire extinguishers and fire alarms and running water and every city has fire departments. How come we still have fires? Well, there’s always gonna be fires, all we can do is help. You know, there’s always going to be the propensity to be unethical in humans, right. There’s always going to be the propensity for people to put their own self-interest over what’s right. Our job is to help kind of mitigate that, reduce as much of that as possible. But I don’t think it’s ever going to go away. We’re still going to have, you know, warehouse fires in 2025, I’m sure. You know what I mean?

Kristy: And fires in the business mean we’re employed. So I’d like to avoid warehouse fires but fires in the compliance world, golden.

Nick: Good point. Here is our contact information. If anybody has any questions, please reach out to either of us anytime. Really enjoyed this, Kristy. As usual, these are always so much fun, and I always walk away with so many great quotables and takeaways. So if you do hear me quoting you, please understand there is an implied citation for any of the words of yours…Okay?

Kristy: Brilliant, I love it.

Nick: All right. Thanks, everyone. Thank you, Kristy.

Kristy: Take care, guys. Bye.