The first order of business after Spring Break and St. Patrick’s Day is to email your co-workers about the annual NCAA basketball tournament bracket. Company employees will take five minutes to fill out their bracket, playing for a cash prize or bragging rights, and then spend countless hours during the work day watching basketball streaming on their work computers. This year, as companies are revising their compliance programs to try to ensure a risk-based approach to compliance, the NCAA tournament presents a monumental opportunity. Instead of hiring some costly third party to assist in this effort, the NCAA tournament presents a free way to conduct an internal compliance assessment by creating a compliance risk assessment bracket in the style of the ones used leading up to the Final Four.
Here is an example:
The complexity of your bracket will vary depending upon the size of your operations and type of business. The model above is just a starting point, and you may consider including some non-risk areas for the business just to see how they perform. For instance, if your company is a U.S. business with no foreign operations, include the Foreign Corrupt Practices Act in your bracket to see how far it goes.
You also need some instructions to go with your compliance bracket. These can be modified and adjusted to conform to the company. A good place to start might go something like this (subject to state law governing gambling, company policies, and the like):
- Announce that the company has officially sanctioned an NCAA tournament bracket this year. The employee who wins the tournament will receive a $10,000 cash prize. (Having an official, company-sanctioned tournament will make it harder for that guy in accounting to prey on employees with little knowledge of college sports by encouraging them to pick teams based on the school colors.)
- But here’s the catch: In order to participate in the NCAA tournament bracket this year and be eligible for the $10,000 prize, you also must complete the compliance risk assessment bracket by choosing which compliance areas in your operation/country/business unit pose the greatest risk, generating the Final Four Compliance Risks.
- Completing the compliance bracket entitles you to watch one NCAA tournament game on company time—unless Ole Miss goes undefeated in the first three rounds, then each employee who completes the compliance bracket can watch three games. (Employees will do this anyway, so with this admonition, you can try to limit them to one game instead of watching the entire tournament.)
- You must submit both the compliance bracket and the tournament bracket before the first tournament game begins. You must choose a compliance subject matter and NCAA basketball winner for each bracket. The winner of the NCAA bracket will be decided by multiplying the number of correct predictions of winning teams in each round by a weighting formula for each round (here those accounting guys come in handy). But note that with the compliance bracket there are no right or wrong choices—we are all winners for filling out the compliance bracket and bringing these issues into sharper focus.
The email announcing the twin tourneys should preferably be sent by someone in operations—an executive would be terrific. (Warning: If the email is sent by the chief compliance officer or general counsel, employees will think it’s a trick and not respond)
At the end of the tournament, the CCO will appear to be less of a killjoy for facilitating the tournament—and as a bonus, the underground NCAA tournament (with competing brackets and formulations) will end. Employees will be happier, as will be the chief compliance officer and general counsel, who will know that everyone is more aware of compliance concerns and can help make the company compliance program more effective.