The Risk of Compliance

Unless you have been under a rock for the past few days, you have probably heard about United Airline’s PR disaster. A paying customer was injured during his forced removal from a flight and videos and images of his bloodied face have gone viral all over the world. It has not helped that the passenger in question was a doctor, a generally respected profession, and that by witness accounts he was not acting belligerently or aggressively. Whether you disagree with United’s actions or believe they were justified, I think we can all agree that the publicity United has received over this incident is very damaging to their brand. They are not winning in the court of public opinion.

This particular story struck me for two reasons. The first reason is because I am very passionate about aviation. It was my first love and for about 12 years of my life between the ages of 6 and 18, I knew I was going to be an airline pilot. I still earned a pilot’s license, though I have been inactive for a few years now, but my pragmatic side decided that a career in Finance would be more lucrative over the long run. Despite that, aviation is still near and dear to my heart, and there is much to appreciate. No matter your interests, you can probably find something in aviation that resonates with you. I love indoctrinating exposing my daughters to flying and passing on my passion for it. One of my fondest memories with my oldest daughter is watching airplanes at the Miami airport while we waited for our delayed flight.

But then there are people. Surly security agents, overworked and sometimes rude representatives, customer service agents who neither focus on the customer nor provide any kind of useful service, and finally the passengers. Oh the passengers. Nowhere else in civilized society will people abandon all concept of a social contract and animalistically turn their focus solely on themselves as quickly as the doors of an airport. Flying would be nirvana if it wasn’t for the travelling public. As someone who is highly introverted, no place exhausts me so quickly and completely as an airport. The moment I take my cramped assigned seat, stare out the window, and tune out the people around me is sheer bliss. Yet, I still find ways to enjoy the experience because it involves flying. I am saddened by stories such as this because they reflect very badly on one of humanity’s most incredible accomplishments and something I find so enjoyable.

The second reason this story struck me has to do with my professional life. Let’s back up a bit and take a moment to recall the internal memorandum that was sent to United’s workforce by its CEO. Specifically, this part:

“Our employees followed established procedures for dealing with situations like this. While I deeply regret this situation arose, I also emphatically stand behind all of you, and I want to commend you for continuing to go above and beyond to ensure we fly right.”

When contextualized with the images of a bloodied and unconscious paying customer being dragged off of an airplane plastered with the United brand, the memo seems a bit surreal. Apparently, it is reasonable to assume that compliance with corporate policy can lead to an injured customer.

And that is the bit that really jarred me.

How many of you have written an audit issue similar to the one below? I know I have:

Corporate policy limits compensation for Involuntary Denied Boarding (IDB) to no more than $800 per passenger, per occurrence. Exceptions to this policy must be approved by a Director level or above.

Between January and June there were 20,000 occurrences of involuntary denied boarding. Of these, 5,000 were in excess of the $800 limit, without appropriate approval. The total value exceeding the $800 limit was $1,500,000. The average overage was $300 per occurrence.

Failure to follow policy results in a negative impact on margin.

And with that, we have added a $1.5 million feather to our cap, exposed the ghastly lack of compliance in our organization, and inadvertently helped create a culture of employees who are dissatisfied and lack empowerment. Finding after finding, the march toward compliance and checklist behavior erodes the humanity of our employees, and the customer relationship suffers. Why employ humans in a customer-facing role if they can only perform tasks that are better suited to a computer?

As auditors, we love to focus on compliance. Compliance is easy for us: it is black and white, right and wrong. There is no thinking required. We can write our issues, show our ‘value’ to the company, and be on our merry way. We do not have to think about risks and probabilities and impacts. Those things are hard. They are hard to understand, hard to audit, and hard to debate. Compliance is ‘good enough’ for our role in the organization, so why do more?

The answer, as I see it, is twofold. The overabundance of compliance initiatives strangles problem solving and creative thought. When an answer is already provided, no other correct answers can possibly exist. The extreme result is a paying customer who is injured on our property by our hands. I would posit that there were no other correct answers for the employees at United. Increasing the voucher or offering cash would require the usual bureaucratic compliance approval process. Stopping boarding would risk delaying the flight and negatively impact metric goals, which must be complied with. Finding other transportation solutions for the United flight crew who had to get to Louisville would require more work for inundated employees, and would likely also require approval. But none of that would be necessary because the answer was already provided in the reams of corporate policy. We don’t have to think, we only have to follow a checklist.

The second reason compliance is not good enough is because we miss the true value we can provide to our organizations. While we focus on compliance issues, our organizations are facing significant strategic risks. We should know what those risks are and should be able to help the business identify and mitigate the risks to its strategy. If you cannot ship product out the door or cannot complete flight segments, the importance of ‘approvals’ and other, sometimes inane, compliance items has little importance. Which has more value to a CEO: A list of transactions that were not approved at the appropriate organizational level or an analysis that identifies why products are not shipped on time and provides a recommendation to fix the offending control issues? Compliance may have a role in particular processes, especially those of a high legal risk, but we over-use it and apply it to processes where it may not be appropriate. Our organization, our employees, and our customers suffer as a result.

What does this mean for us? For auditors, perhaps the next time you identify 2 out of 25 transactions that were not properly evidenced, consider what the actual impact is to the organization before drafting an issue. Before recommending yet another layer of compliance, look for alternatives that keep employees empowered and do not involve drafting yet another policy. For data analysts, let’s put less focus on analytics that test for compliance. As I look through my department’s list of automated analytics, I am disappointed that there are so many that started from monitoring policy, many of which I created. We can do more than this. The analytics which identify strategic issues are hard; the data can be vague and the results can oftentimes be unclear. Designing an analytic that has real operational impact, one which makes the business leaders do a double-take and derive real insight into their business, that is where our value lies. We have lots of tools to do this. ACL is a very powerful application to retrieve and analyze data. Its integration with R and Python give us tremendous data science-quality tools and allow us to analyze and extract value even from our own analyses. To put the balance of focus on compliance is a waste of these tools and opportunities. Let’s take advantage of our position and capabilities so we never have to come to the realization that our efforts contributed to the destruction of our brand and the hatred of customers we are supposed to serve.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.