Growing up, I wanted to be a detective, thanks mostly to the “little grey cells” of Hercule Poirot. While I enjoyed (some of) Christie’s books, my all-time favorite version of Poirot was the ITV series, in which David Suchet prolifically portrays the famous Belgian as a bundle of contradictions—at once earnest and playful, ironic and self-important, and dedicated to the good cause and—as an almost antithesis of the Streaming Era that came after—conservative, judgmental, and at times downright homophobic. But forgive the detour.
“We are not the in-house police”—and variations on this assertion, is something I come across frequently in Compliance manifestos, often with an apologetic or self-deprecating undertone. I’ll admit that I’ve also resorted to using it myself, because I find it to be a good way of breaking the ice, and of concisely relaying the message that Compliance is here as a business partner, not to breathe down your neck. It can also be a playful way of distancing oneself from any post-traumatic stress the business might be harbouring from compliance officers who came before, and who may have conceived of their own role as policing-adjacent. (Based on my own experience, which is in no way representative, such individuals are far more likely to have come from an old-fashioned, “rules-based” (rather than a risk-based or human-centred) school of legal or compliance thought, than from a law enforcement background).
But if we take a step back from personal traumas, what’s so bad about comparing Compliance to the police?
To take a source close at hand, the Danish Ministry of Justice (Justitsministeriet) defines the role of the police as “maintaining security, peace, and order – to exercise control over the observation of laws, and to step in against violations of the law through investigation and persecution. The police also carry out administrative tasks…” [Own translation and emphasis.]
This four-pronged definition lends itself neatly to a juxtaposition with the role of Compliance in a corporate setting. According to some of the most widely-recognised compliance standards, such as the COSO Framework, or the ISO/IAC 27001 Information Security Management Standard, the most important role of internal controls, is prevention, detection, and correction.
Exercising Control = Prevention
Unless you were brought up in a police state, or you regularly engage in criminal activity, this should probably be one of the first images that come to mind when you think about the police force. You may come across police officers at large public events, during visits of foreign officials, or campaigns at your local community centre, or school.
The preventative work done by the police (alongside other government agencies) is as fundamental to the governance of the state as preventative controls are to the governance of a corporation. Think annual ethics & compliance training, ad-hoc campaigns or messages on the corporate intranet, information sessions, or roadshows with management &c.
Investigation = Detection
If you like detective stories, like I do, this is your cup of tea. In fiction, it’s almost always a gruesome murder or other violent crime—a trope my family will hear me complain about all too many times. I for one find an elaborate “heist”, fraud, or conspiracy to overthrow the president, much more enthralling and intellectually stimulating than the slaughter of a fellow human, where the investigation will all too often be reduced to the question of “who dunnit.”
In corporate compliance, the crime—or, the “wrongdoing” if it happens to fall short of criminal, or if we don’t yet know if it does—is very rarely violent; however, the methods of detection, the most important of which is the internal investigation, are comparable to the investigative methods of the police. Both are, in essence, an exercise in research design and methodology, rigorously executed in pursuit of “the truth”—and ultimately, of a person or persons responsible.
Persecution = Correction
For both Compliance and the police, corrective measures will—at least partially—involve other actors with higher levels of authority: the CEO or Board of Directors; or a judge or jury. It is these actors that will ultimately decide the necessary corrective measures, whether they be sanctions against individuals, or organisations.
An interesting and relatively recent phenonemon from the crossroads of international and criminal law warrants a brief side-bar here: corporate criminal liability. This is when a corporation can be “punished” (fined), “jailed” (suspended its operation), or “executed” (closed down) for certain criminal acts perpetrated by its directors. But hopefully more on this in an upcoming post.
Administrative tasks…
Arguably one of the common threads across law enforcement (indeed almost any bureaucratic office), and corporate compliance offices, is the vast amount of daily administration. Think various records, returns or disclosures, interest declarations, gift reports, or the incredible paper trail created by an internal investigation or compliance audit.
But none of the above are intended to be an exercise in idle bureaucracy. In fact, their purpose cuts right to the core of the compliance ethos: to document the right and the wrong, and to do so with a level of rigour that, if push comes to shove, will withstand the scrutiny of a regulator, or stand up in a court of law.
It’s evidence—not pencil pushing.
So is Compliance the police after all?
Of course not. But perhaps preventing, detecting, and correcting the wrong thing in a corporation is not all that dissimilar from preventing, detecting, and correcting the consequences of crime. And perhaps Compliance shouldn’t be put in a position of apology for doing their job, or cornered into defending themselves as “not the police”.
So—in case you do harbour an aversion of the police—maybe a question to ask yourself instead is where does this aversion come from. And once you have the answer, you could talk it through with your compliance officer: they might even have something thoughtful to offer.
The Right Thing on Tuesday 
Leave a comment