Are best practices good for compliance ?
In Copycat Compliance and the Ironies of “Best Practice”
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4089806
William R. Heaston of the Wharton School at the University of Pennsylvania argues:
For too long, corporate compliance “best practices” have been hiding plain sight. While they are readily invoked, compliance scholars have yet to examine them in any depth. This Comment provides a corrective, arguing that a confluence of inter- and extra-organizational forces drive in many firms to engage in copycat compliance whereby they mimic other firms’ “best practice” compliance structures. This tendency reveals two potentially problematic ironies about so-called “best practices” in the corporate compliance domain. First, they tend to reflect common practices rather than practices that are, in fact, “best.” Second, a formalistic focus on copying common practices may well undercut some of the most important or “best of the best” practices in compliance management—the promotion of ethical behavior within corporations and the customization of compliance structures so that they mesh with prevailing organizational cultures. In light of these ironies, this Comment proposes a conceptual framework that may provide a basis for identifying more fruitful types of convergence on common compliance best practices. Such best practices would trade rote mimicry for a more functional approach that permits greater variation in compliance structures and processes to suit the particular operational, cultural, and ethical needs of implementing firm.
Based on what I have seen in my 35 years working in the compliance and ethics field I tend to agree that there is too much rote activity when it comes to designing and implementing compliance programs.
I also believe what this problem is indeed likely to be remedied over the course of time as enforcement personnel and other key players in the field become more sophisticated “consumers” of compliance.
This is true of many C&E functions, but particularly so regarding risk assessment/management. Unlike many other parts of a compliance program risk assessment can leave a program with “nowhere to hide,’ when it tries to demonstrate that it has implemented all or part of a “best practice” program of the like.