Do As I Say, Not As I Do
September 8, 2014
I woke up today and everything was going along just fine. An uneventful early morning jog through darkness and spider webs, an easy commute. I logged on, checked the news … and then, everything changed. Suddenly, everything I knew was wrong.
Because Hello Kitty is not a cat.
Step back. Take a deep breath. Close your eyes and open them again. The words are still right there. Here, look, I’ll say it again: Hello Kitty is not a cat. That didn’t make it any easier, did it? No? Still shocked, right? Still reeling? Yeah, pretty sure that Morpheus is about to load us up with the red pill.
This all came up in an L.A. Times article. According to the article, Hello Kitty is “a cartoon character. She is a little girl. She is a friend. But she is not a cat. She’s never depicted on all fours. She walks and sits like a two-legged creature. She does have a pet cat of her own, however, and it’s called Charmmy Kitty.”
Seriously, man. Charmmy Kitty. The cat that’s not a cat has a cat that is a cat. Makes sense.
(Incidentally, according to the article, Hello Kitty is also a Scorpio and loves apple pie. Amaze your friends with your newfound knowledge! Entertain at parties!)
Because I’m probably not quite right in the head, this made me think of other things that we take as gospel but that may not be accurate. Like the Great Wall of China being visible from space and bulls being enraged by the color red. Or the fact that having a company policy on something actually means that people know about it and people follow it.
Before you label me as some kind of corporate heretic, hear me out. In the world of FCPA investigations, for example, one thing that is materially important is not just whether a company has a compliance program, but whether it is a good, strong program that the company is committed to. According to Jeffrey Knox, principal deputy chief of DOJ’s fraud section, “in many cases where companies come in with an FCPA violation or other issues but they have strong compliance programs at the time that, for no lack of trying, just didn’t detect criminal conduct, they often walk out the door with declinations.”
Let that sink in for a second. Policies that people actually follow can make a difference.
The same principle applies to any kind of compliance program, from data security to FCPA, from anti-money laundering to antitrust. The existence of a corporate policy is groovy. The existence of a corporate policy that is demonstrably adhered to is groovy, baby. Yeah!
Think about something obvious, like data security. Presumably, your place of business has password rules that look like this. Do you follow them? Do you keep a post-it note with your password in your office somewhere? Every time Microsoft prompts you to change your password, do you just move to the next sequential number? (DespicableRutabaga01, DespicableRutabaga02, etc.) Do you use birthdates or other commonly ascertainable facts? And – heaven forbid! – is your PIN number 12345? Eeeeeeeeek. Somewhere an IT guy just lost his wings.
Now, compare: how does your company enforce or encourage compliance with basic data security? Does it at all?
I’m guessing that the majority of you violate one or more of the basic password security tenets, thereby placing the data security of your entire organization at risk. (That’s not really hyperbole, by the way.) Your company’s policy might just as well be paraphrased as “do as I say, not as I do.” (Now, to the extent that any of you are frantically changing your passwords or PINs, don’t compound the error by picking something equally obvious, like NCC1701 or 8675309. I’m looking at you, Jenny: Better change that number.)
So “how now, brown cow?” as my dad used to say. It’s this: lip service ain’t gonna cut it. Think through your compliance programs. What are you trying to achieve? How does your organization commit to it? How do you enforce it? How do you make it a part of your culture? When federal investigators come knocking, will they find a “strong” compliance program? Or will they find a mere fig leaf?
Hello Kitty may be dead to you now, but you have a chance to at least salvage your workplace. Walk away with your head held high, strong corporate backing, and a strong corporate compliance program.
And you’ll still always have Charmmy Kitty.