Wednesday, Jan 23, 2019

Should some parts of a compliance program be kept secret?

Most big companies publish their ethics and compliance programs online. Anyone can read them and know what goals the company has set and how it hopes to achieve them.

That sounds like the right approach. Totally transparent. Accountable. And fair to everyone.

But does full disclosure about compliance programs always make sense?

Internal controls, for example, share some DNA with corporate security systems. The controls must be there, according to the FCPA and securities laws, so that management knows where all the company's assets are, who's handling them, and for what purpose. That's a way to stop the company assets from being used to pay bribes.

But from a corporate security perspective, the internal controls are there to stop people from stealing from the company, or using the assets to commit fraud or other crimes. Internal controls, then, are something like the security system around a bank vault.

Most vaults are protected by a combination of visible and invisible security. You can see a guard standing nearby, and security cameras jut down from the ceiling. There's a big lock on the vault's thick door and a touch pad beside it.

But there might also be invisible features -- hidden cameras, invisible motion detectors, weight sensors, perimeter doors that shut and lock automatically, silent alarms, and so on. The secret parts are there as another line of defense against the crooks.

In Israel, the defense forces say they destroy all the attack tunnels they discover. But some speculate that the IDF keeps some tunnels open. Why? To find out who might use them and for what purpose.

Does that same concept work inside corporations? Should some aspects of the internal controls be kept secret, as a way to catch bad actors in the act?

Another argument for some corporate secrecy is to avoid becoming a target. We know that whenever a company announces that its systems can't be hacked, hackers from everywhere take up the challenge and usually succeed. Does publicizing internal controls do the same thing?

Last week I wrote about AI-enhanced internal controls. Powerful new tools will be able to detect when anyone leaves a virtual fingerprint anywhere inside the company. Is it a good idea to reveal where all those new tools are embedded and how they'll work? Or will publicizing them incite devious employees to challenge the artificial intelligence embedded in the internal controls?

In an ideal world, we would always disclose all aspects of a compliance program. And that should be the aim. After all, transparency is good and secrecy is bad. But is transparency always . . . . practical? Does it always produce the result we're looking for?

If parts of a compliance program also have a role in corporate security, there's an argument to be made for secrecy. As distasteful as that outcome might be, it's probably going to become more common as AI-enhanced internal controls proliferate.

____

Richard L. Cassin, pictured above, is the publisher and editor of the FCPA Blog.
