Policy vs. risk-based compliance programs

In most cases, senior corporate employees request policy-based compliance programs to fulfill a regulatory requirement, or a prebid qualification or a prerequirement to receive investments from more mature or regulated countries. Budgetary constraints often result in these programs being a one-time, high-level exercise where policies define an organization’s vision, but they do not provide enough guidance to employees on what to do if a certain situation arises. For example, if an organization’s policy says, “do not bribe” and “conduct business ethically,” the employee reads and follows it. But when the same employee travels to countries where anti-money laundering, corruption, or sanctions risks are high, and they receive a bribe request during business interactions, they may not know how to respond without jeopardizing their career, causing reputational damage to their employer, or even endangering their own life. Should they say no immediately? Should they consider the demand as a way of doing business and fulfill the request? And if a bribe is paid, how should the employee report it or claim reimbursement?

This uncertainty is where policy-based compliance plans fail. For some companies, this policy-based approach might prove to be successful in the short term, but when put to the test in today’s age of technology, the Internet of Things, artificial intelligence, and the volume of data every organization processes, are these policy-based compliance programs enough to protect against a breach or violation and potential regulatory action?