7 Habits for compliance professionals

Stephen R. Covey was one of the most prominent authors of leadership, self-improvement, and motivational books and speeches of the 20th century. Though the businessman, author, educator, and speaker passed away in 2012, his well-known writings are still influential and insightful for the current generation of managers, students, and thinkers. The teachings from Covey’s books can be applied in many fields of life – business, family, religion, and community, lending heavily to his continued popularity with a wide variety of people. Not simply positioned as self-help, Covey emphasized ethics and distinct definitions of both values and principles, as separate concepts that independently influence people’s behaviors and decision-making.

Due to these emphases, Covey’s writing is specifically interesting and useful for compliance professionals looking for a novel way to approach imbedding into a corporate culture both individual values – which one could see as ethics or morality – and organizational principles – which one could see as compliance program requirements and goals. Covey’s teachings often touch upon the value of inner success, rejecting external competitive measures as the true sign of achievement in favor of emphasizing personal mission statements and progressive goal-setting to allow an individual or an organization to go from immature dependence, through self-sufficient independence, into the higher state of functioning interdependence with others. This strategic vision has a high affinity with the sort of planning compliance officers must do to encourage a successful culture of compliance.

Arguably, Covey’s best-known book is The 7 Habits of Highly Effective People. This book is not only a worldwide best-seller that gains new fans every year for its simple and timeless insights on how to work toward, achieve, and sustain inner success, but it is also the Covey book which is most applicable for compliance professionals to study and take into consideration in the course of their work.

Taken individually, each of the 7 Habits endorses values and principles and encourages conduct in support of them. These are useful for compliance risk awareness, both when the compliance officer plans program priorities and when encouraging awareness and fostering integrity for individuals and organizations.

Stephen R. Covey’s famous 7 Habits, annotated with suggestions for their applicability to corporate compliance and ethics programs, are as follows:

  1. Be Proactive – This is the first of three Habits that focus on maturing from dependence to independence, a process also referred to by Covey as self-mastery. This Habit introduces the concepts of Circle of Influence, one’s effective community – in a business perspective, partners, stakeholders, and clients or served parties – and Circle of Concern, where problems happen and dysfunction or distrust can stymy success and achievement.
  2. Begin with the End in Mind – Simply put, this Habit calls upon individuals and organizations to be devoted planners. Once the plan is set, follow it with dedication, with ongoing and careful review of its efficacy and currency. Planning is a fundamental component of any successful compliance program. Setting goals and priorities for the program is necessary to encourage informed business buy-in, and checking these goals and priorities on a continuous basis helps to keep them grounded in reality and responsive to evolving business and regulatory demands.
  3. Put First Things First – This Habit identifies the difference between leadership and management, a crucial dichotomy for the encouragement of both ethical leadership and adequate supervision, which are equally necessary in order to model conduct expectations and ensure progress in one’s mission. Covey says that leadership in society requires personal vision and for the individual to embrace the importance of character ethic, or internal personal qualities such as ethics, honesty, and loyalty, rather than personality ethic, or external personal qualities such as popularity or other short-term human interaction traits.
  4. Think Win-Win – This is the first of three Habits that focus on interdependence, offering tips for working with others. In a service function such as compliance, working together effectively to establish a consistent and open relationship-based approach to risk management is crucial. Likewise, it is important for individuals to appreciate the importance of interdependence also, to see that their individual actions are significant in the overall scheme of the compliance program and to appreciate the importance of accountability, driving them to discuss dilemmas and enhance understanding. Finally, from an organizational perspective interdependence is also very important, driving home the cultural significance of corporate social responsibility and even political engagement in establishing corporate values and creating an identity and purpose in society.
  5. Seek First to Understand, Then to be Understood – This Habit focuses on the importance of listening for genuine understanding in order to build trust and promote personal credibility. Of particular importance are the Greek philosophy concepts of Ethos, the trust individuals inspire or in Covey’s words their Emotional Bank Accounts; Pathos, aligning and communicating with others and their own emotional trust; and Logos, the reasoning that must be included in communicating with and considering the trustworthiness of others, while projecting your own. Check back in the future for a blog post dedicated to the important concept of Emotional Bank Accounts.
  6. Synergize – This Habit reinforces the key interdependent competency of teamwork. Set goals together and achieve and maintain them together as well. In compliance terms, establishing trust and transparency as key values requires a cooperative commitment to supporting these individual values in the organizational principles that are established, be it via a corporate mission statement or through business strategy and growth plans.
  7. Sharpen the Saw – This final Habit focuses on personal and interpersonal continuous improvement. Balance is key to contented success in both life and business; no achievement attained with disrespect for the resources it requires can be sustainable. In order to be truly successful, renewal and sustainability are the most important priorities. Continuous improvement for a compliance program or a company’s corporate values requires continuing risk re-assessments and a rolling plan for how to implement and refine compliance planning and communication.

For an in-depth look at Stephen R. Covey’s work and legacy, check out this official website maintained by the Covey Family. And for an entertaining take on the book, watch this animated book review of The 7 Habits of Highly Effective People.

Tips for conducting compliance investigations

The task of a compliance officer is not to “set it and forget it.” Apart from planning and advising on risk management strategies, and monitoring business implementation of the attendant policies and procedures, compliance professionals must remain vigilant about the potential for violations. Internal compliance violations can run the causal gamut – they could be because of internal controls failures, unwitting omissions due to lack of awareness, or outright misconduct and malfeasance.

Compliance officers should approach an investigation into a compliance exception thoughtfully and with careful preparation. If the planning for or administration of the investigation is flawed from the beginning then the investigation results will not be reliable. In many fields, such as scientific research, planning investigation tactics and strategy is a discipline all of its own, demanding special expertise in statistical methodology standards.

For purposes of the internal investigations of compliance officers, a common-sense approach, focused on fairness and transparency, can take the place of technical expertise in conducting informal internal investigations that will still generate reliable and meaningful results. Compliance professionals should keep the following fundamental themes in mind when designing an investigation effort:

  • Reject foregone conclusions: Compliance investigation inquiries can be sensitive and intimidating. Most people do not want to do the wrong thing and will be worried or even frightened by the possibility that they have broken rules or regulations. They will fear that their jobs are at risk or worry about the reputation of the company due to the misconduct. Therefore, take the investigation seriously, even if its scope is limited or it’s routine. Don’t decide the outcome before the information is gathered. Investigations should be motivated by intellectual curiosity, in the case of annual or planned investigations, or, in the case of ad-hoc or event-driven investigations, an objective desire to protect and promote integrity, which knows no master.
  • Work carefully: Sloppiness and poor preparation will doom an investigation from the beginning. Compliance professionals should work carefully and check their work as they go along. Simple errors such as directing queries to the wrong recipients or asking for information that is out of scope of the investigation can cause a terrible impression with stakeholders and disrupt the efforts of the investigation. Communication is key, and information communicated to all parties throughout the investigation should be accurate, clear, and appropriate at all times.
  • Give support, not interference: Compliance often collaborates with other functions such as HR, Legal, and Risk; this collaboration should be encouraged, not complicated or avoided. In planning investigation strategy, work together with partners and stakeholders whenever possible (legal privilege and confidentiality, where it applies, must of course always be respected). Sharing information helps to make conclusions stronger and to avoid inefficient duplication of efforts.
  • Follow through with enforcement when misconduct is evidenced: Investigations are toothless when the results are just put on a shelf and forgotten. Enforcement action must come next, and in every outcome, there is appropriate follow-up. In instances where misconduct is discovered, whether it is from negligence or intentional wrongdoing, disciplinary action should be taken with concrete consequences. Substantive structural changes should also be made to the risk control framework to seek to prevent or identify earlier the non-compliant behaviour whenever possible. Punishing the wrongdoer is not enough; addressing the root causes of the wrong-doing has to happen too.
  • Feed-forward when no malpractice is discovered: Not every investigation will be an open and shut case where there are good people and bad people and everything wraps up neatly. It may be that the investigation yields no evidence that anything material happened. It’s also possible that the investigation would show some unrelated deficiencies, such as in communication strategies or employee awareness. Finally, the investigation could produce inadvertent lessons for the compliance officer him or herself to take back to a future risk assessment and planning session. Whatever these conclusions are, don’t discard them just because they don’t lead to a punitive action. Feed them forward into risk controls improvements and future compliance program efforts.

Compliance officers who consider the above suggestions in planning their own investigation strategy will be focused on obtaining neutral, credible information. They will communicate clearly and engage stakeholders supportively. Enforcement actions stemming from the investigation efforts will be pro-active and productive. With these approaches, compliance officers can establish credibility and effectiveness in conducting internal investigations.

How to make voluntary engagement with compliance values meaningful

A pure rules-based approach to compliance is direct and clear-cut, but by design lacks emotional or personal engagement. Following rules of all kinds – legal, community-based, household; practical, austere, illogical – is a social norm most humans are taught from their earliest memories. Despite this, many of them do not do it very well even with the best intentions, and still more never intend to attempt adherence.

To have any expectation that rules will be credible and inspire understanding and respect, there must be an authentic and compelling “why,” a purpose that people feel relates to them and calls for their commitment. Many laws are so deeply linked to societal expectations and taboos that the majority of people do not need to be persuaded to appreciate them – restrictions against pre-meditated murder, property theft, and abuse of animals for example. Those who remain unconvinced these acts should be prohibited and punished are not likely to view violating laws as something offensive or damaging either.

Sincere attempts to reach individuals who are antipathetic toward all rules, however few or rare they may actually be in society, with a rationale rooted in values are not likely to prevail. In general a values-based approach can be very powerful and evocative, but in order for it to hold personal appeal it must strike a difficult balance between universal relatability and individual accountability. All organizations should define their values and position their strategy and public branding within that set of principles, but this is delicate. If the values are too specific then they will be exclusionary rather than engaging, appealing only to a core group of true believers rather than attracting a wider audience. If the values are too broad, however, then they will be superficial and ring empty – again preventing individuals from attaching to them and being their standard bearers.

An especially effective tactic for bridging this gap is to make corporate values a living artifact which reflects the organization as it grows and changes along with business and society. In an ambitious and forward-looking organization, the profile and strategy will evolve and so should the outlook of what matters most in defining its purpose. Using a rules-based approach to provide both the floor and the roof for the terms of the corporate mission statement, values can fill the space between and invite everyone – employees, partners, stakeholders alike – inside.

There are many mechanisms through which corporate compliance programs can appeal to employees to make the connection between rules and values. Inspiring voluntary compliance, where employees feel aware of and responsible for the values of the compliance program and connect to them individually, adds weight to the mandatory compliance expected by the rules. Increasing the relatability of the requirements with principles behind them gives people incentive to sign on and go along with the compliance program. Compliance programs can aim to encourage ongoing employee adhesion to the organization’s values-based approach in the following ways, ranging from the lightest touch to the heaviest:

  • Nudges: Simply put, make it possible for employees to make ethical choices by expressing values that promote this and building decision-points into the processes they encounter in their working experiences which reflect those values. Business strategy should coincide with business values, and if it does not, then actions such as setting new standards for client acceptance or exiting and reassessing product offerings or market participation are natural consequences of trying to bring the two together. In order for employees to make choices that reflect both individual and organizational integrity, the procedures and standards within which they work should facilitate and support this type of decision-making. Doing the right thing should always be accessible and indeed prompted.
  • Codes: While nudges make values implicit and leave the decision ultimately in the employee’s hands, in codes values are explicit and expectations for adherence to them are formalized. Codes can take a variety of formats, and in some industries regulatory requirements may dictate their scope and even content, but generally speaking, the more concise and accessible the better. Employees at all levels should be able to read, understand, and engage with the code, whether it dictates ethics, conduct, or both, and they should be able to retrieve, review, and ask questions about it whenever they want. A code document should be updated on an ad-hoc basis and reviewed regularly, and it should be seen as a living record of the specific values of the organization which underlie all other policies and procedures in place.
  • Attestations: Once a code is available, employees can be asked to attest to their compliance with it. This can take a very simple form, even just a one-liner of “I attest that I have been in compliance with the requirements set forth in the Code as of the below date.” This can be done once per year (or other regular period of choice) or on an ad-hoc basis. Asking an employee to attest to adherence prompts self-reflection and may also create a space for questions or dilemma discussions, which are important tools for ensuring awareness.
  • Warnings: Warnings may sound punitive, but in reality they can just be reminders. Unlike attestations, which look backwards and ask employees to self-assess based on their past behavior, warnings would accompany present choices or activities. For example, an expense claim form might include a statement on it reminding the submitter that the data on the form should be accurately and honestly reported, and that there are certain expenses which may not be reimbursable or permitted. Providing these warnings at the time the employee is going to take action that checks compliance values brings together all the previous methods – it provides a nudge, makes expectations explicit, and directly asks the employee to consider ethical obligations when making choices in the course of the task.
  • Oaths: Oaths take the most advanced step of ensuring that employees comply with the ethical and compliance expectations of their profession by asking that they voluntarily submit to discipline should they violate these. This submission is by taking an oath and signing it, typically with witnesses and even a level of formalization or ceremony in order to underscore the significance of the commitment and the seriousness of trespassing against it with future misconduct. A very interesting example of a professional oath is the Banker’s Oath in the Netherlands, which is intended to restore trust in the financial sector and banks specifically by requiring that every Dutch employee take an oath to comply with uniform ethical guidelines. To read more about the Banker’s Oath, visit the website of the Dutch independent organization Foundation for Banking Ethics Enforcement (FBEE).

The above methods for encouraging voluntary compliance can be employed by compliance professionals simply and powerfully in routine compliance communications and awareness initiatives. Reminding employees of values – the purpose – helps to heighten the credibility and appeal of rules – the requirement – and provide a mission perspective to their engagement in the compliance program.

Hero’s journey of the compliance professional

The hero’s journey is a myth narrative popularized by the American writer Joseph Campbell. Campbell studied hero myth patterns in contrast with psychology, ritual, and analysis and used his view of the hero’s journey to describe the generic narrative archetype of various heroic stories as follows: “A hero ventures forth from the world of common day into a region of supernatural wonder: fabulous forces are there encountered and a decisive victory is won: the hero comes back from this mysterious adventure with the power to bestow boons on his fellow man.”

This pattern will be familiar to any fan of a wide variety of adventure and fantasy stories such as Star Wars, Indiana Jones, Harry Potter, and much more. However, this narrative construct can be applied not just to literature and Hollywood movies but also to the work of the compliance professional attempting to imbed an authentic and effective organizational culture of compliance. In this view, the hero is the organization – and it is the objective of the compliance officer, as a guide or expert figure of sorts, to guide it through the stages of the journey to successful completion.

The hero’s journey is divided into three principal “acts” – departure, initiation, and return. Within each of these acts the hero undergoes a variety of tasks, ordeals, and lessons which comprise the stages, seventeen of them in total, of the journey. The themes of persuasion, doubt, adversity, seeking guidance and expertise, challenge, success, and transformation which recur in the journey all translate provocatively to the ambitions of a corporate compliance program.

The three acts of the hero’s journey, as applied to corporate compliance and organizational ethics, are as follows:

  1. Departure – In which the hero is still living in the ordinary world and receives a call to action for an adventure which is daunting and requires a mentor’s guidance before embarking on it, this act depicts the organization which is without a compliance program or an organization where the compliance function is immature and inadequately implemented, without genuine engagement. The call to action in this case could be an internal, positive one – a decision to focus proactively on integrity and ethics, for example, or the company could be a new one which wishes to have a compliance risk framework from the beginning. It could also be an external, possibly negative one – such as new regulations or laws, a company or industry public scandal, or supervisory enforcement. The mentor offering guidance is the compliance professional, the person with the subject matter expertise and balance of rules and values knowledge who can support the organization in answering the call to action.
  2. Initiation – This is the stage in which the hero leaves the ordinary world and goes out into the unknown, extraordinary world to face a variety of challenges, some with guidance or support and others without but against great obstacles or resistance. The hero encounters crisis in the attempts to reach his goal. Once the goal is achieved, the hero has to go back to the ordinary world of before, again amidst challenges. In this stage, the unknown world represents the as-yet unformed environment of drivers for and obstacles against organizational and employee integrity and ethical decision-making. In confronting this, the organization accepts the need to implement or improve a controls framework and struggles with the appropriate approach and tone. A wide variety of interests diverge and compete in this process, with the priorities of different business lines, other support functions, stakeholders, external partners, supervisors, and even customers or followers diverging from and competing with each other. Some of these parties will be helpful allies and willing advocates for compliance initiatives, acting as evangelists with each other and the public to sell the comparative value of a compliance program. Others will be doubters who present tests to the maturity and necessity of the program’s design and goals, or even enemies who wish to defeat the effort in favor of commercial or other concerns. It is from here that the compliance professional must carefully craft communications and branding strategies for the compliance program to be convincing and overcome these trials. Once overcoming the crisis – be it incomplete implementation of a program leading to risk and loss, or reputational damage due to insufficient organizational integrity, or negative action by a regulator – the compliance professional can re-emphasize the fundamental values of the program to an organization with a new appreciation for their importance.
  3. Return – In the final act of the journey, the hero returns to the ordinary world, newly endowed with the central goal achieved and the ability to use this hard-won enlightenment for the common good. This process has been transformative and the hero has ascended to a higher level of being due to the triumph of the journey. At the culmination of its journey, the organization has successfully implemented a robust and pro-active compliance program which will be both functional and aspirational. The corporate compliance framework enables the organization and its employees to follow an ambitious yet responsible strategy guided by a flexible yet foundational balance of values and rules.

For a detailed description of the classical stages of the Hero’s Journey, check out this outline by Christopher Vogler. And for a vivid explanation and illustration of the Hero’s Journey and its various applications in literature, watch this entertaining TED-Ed lesson by Matthew Winkler.

Tips for improving employee accountability in compliance programs

The most ambitious culture of compliance paired with the most robust controls framework still cannot succeed without employee adherence. Employees who don’t know the correct thing to do, or those who make an unethical or non-compliant decision despite knowing, can be addressed with awareness communication in the first case or remedial action in the second case.

However, the more frequent and challenging scenario is that employees have received information about compliance risk management priorities and ethical culture at their organization. They understand this information well enough and maybe even admire the aims of the compliance program, but there’s a problem – they don’t see themselves as having an active role in it.

The best efforts of compliance programs will always be overcome by apathetic or unengaged employees who don’t see themselves as having personal compliance responsibilities. In cybersecurity, for example, the best IT systems with the most up-to-date risk controls structure will still be defeated by an employee who falls for a phishing scheme or leaves behind an unsecured laptop in a public place. Some mistakes are unavoidable, of course, just like some risks can only be mitigated or accepted. However, many other errors, acts of misconduct, or risk factors can be prevented with the appropriate individual vigilance and diligence.

So how can a corporate compliance program emphasize to employees that individual responsibility is the fundamental defense in any risk and control framework? Too many solutions from management or consultancy rely heavily on data solutions and systems approaches to addressing compliance risk. The logic goes: failures of existing compliance programs to prevent ever-evolving fraud and misconduct are unfortunately not unusual, so why not simply blame human misjudgment or incompetence for inadequate controls and therefore just automate processes whenever possible?

The above is a cynical and defeatist attitude toward corporate compliance; if management or its advisors decide that corporate compliance will fail, then it certainly will do so. However, removing the obstacles to individual responsibility is an important step to empowering organizational integrity. Outsourcing or digitalizing analysis and advisory work is an artificial, external solution. It may expedite or simplify some aspects of working with compliance risk management, but it cannot ever be as effective as a values-based approach that creates a corporate culture where good judgment and ethical decision-making are incentivized and supported.

Indeed, the first, and probably best, solution for raising the standard of compliance programs and their controls is to promote employee engagement in these across all levels of the organization. This starts with individual accountability, which compliance professionals and senior management can nudge employees toward embracing in these ways:

  • Walk the walk: Senior management should weave a thread of the corporate cultural values throughout all matters that touch an employee’s working life. This needs to be consistent and visible. Communication should be simple and straightforward, practical and not preachy, but it should express and reinforce the cultural values. In HR matters, for example, transparency should be communicated and modeled. Employees must see the corporate cultural values explicitly expressed as they experience corporate administration across the organization. This brings the values from mere words to a living system in which they are participants.
  • Nudge with timely reminders: Regulatory, legal, and policy requirements change rapidly. Employees that are trained regularly should be respected for what they already know; heavy-handed instruction can be seen as condescending. However, reminders upon key messaging events (anniversaries, completion of investigations, or announcements of strategies) or updates when there are new guidelines or expectations are critical. These reminders can act as nudges toward appropriate behavior for individuals whose attention may have moved on or whose understanding was out of date.
  • Work against culture of fear: People often think about speaking up in the workplace in terms of following an internal escalation process or being a whistleblower. To some people, speaking up by challenging an established procedure or an experienced colleague may seem unprofessional or presumptuous. The possibility of being opposed or facing retribution can be very scary for employees who might want to express uncertainty or ask questions. Corporate compliance programs have a responsibility to create a culture where speaking up routinely is safe and supported. A relationship-based approach to business compliance advisory is a great first step toward combating the fear factor and helping employees to speak up to check understanding or challenge practices. Involved employees are more likely to be accountable ones.
  • Actively address accountability gaps: When it is evident that an employee or group of employees do not embrace accountability in compliance risk management, address it, but not punitively. Open discussion can be mutually beneficial. Take the opportunity to express that individual responsibility is expected, and also to listen to the limitations or uncertainties that may provide an explanation for why it’s missing.
  • Insist on consequences: Disciplinary action is never the intended outcome for any employee-management relationship. Ideally everyone would want to and be able to do the right things all the time, but clearly mistakes and misconduct happen. Good people/bad people dichotomies are classic but not necessarily helpful. In reality, it’s most important to establish from the beginning that consequences for doing the wrong thing exist and will be enforced fairly and meaningfully.

There will always be people in organizations who either are in need of training or resourcing attention (wanting to do the right thing but not being properly equipped) or people who are not cultural fits (wanting to do the wrong thing despite organizational priorities). Engaging these people where possible is critical, just as holding all others accountable for their actions and responsibilities is the frontline defense most important to compliance risk management.

GRC for compliance professionals

Compliance as a function is sometimes subject to varying definitions. Across different companies, industries, and cultures, organizational perspectives on the purpose and scope of a compliance program can vary. Some see compliance as an alternative to or close relation of the legal department, while others position it much more independently, perhaps as an intermediary between the business lines and audit. Still others may see compliance as the depository for risk-based support activities that do not otherwise fall cleanly into any other established unit.

As previously discussed on this blog, and as this blog will continue to emphasize, the autonomy and visibility of compliance are integral to the integrity and sustainability of an organization’s employees and business strategy. Compliance blends a rules-based approach with a values-based approach to reconcile ethical expectations with legal obligations and technical requirements.

Professionals who work with interpreting legal and regulatory guidance and implementing these into business practices will likely recognize the acronym “GRC.” GRC stands for governance, risk management, and compliance. This umbrella term integrates these functions to describe the operational activities undertaken by an organization to execute plans, manage risk, and encourage integrity.

The GRC model refers to process themes, not necessarily functional units of an organization. Indeed, the three themes of GRC may be included in operational tasks and across numerous independent departments, including HR, finance, IT, audit, and at the board level, in addition to the obvious areas such as risk, legal, and compliance.

GRC can be seen as a discipline that seeks to coordinate the flow of information and ownership of risk so that the activities and processes it encompasses are effectively and efficiently incorporated. As organizations become bigger, this discipline becomes all the more important for keeping channels of communication open and clear, both up and down silos as well as across business areas.

Ethical decision-making thrives in an integrated system where objectives are clearly expressed and information-sharing is transparent and relied upon. Elevating a coordinated GRC discipline can foster a communication regimen in an organization where reasonableness and feedback rather than heuristics and routine dominate. Equity and integrity can thrive if actions are taken openly and cooperatively rather than in isolation.

In the ever-changing regulatory landscape of modern business, it is so important that an organization’s GRC activities be coordinated so that work is not duplicated or wasted and gaps are filled rather than passed over with tunnel vision. These functions share stakeholders and objectives, and therefore should share information to maximize meaningful impact and minimize redundant effort.

The basic concepts of the GRC approach are all useful for a compliance officer or other professional to consider:

  • Governance: This refers to the management control framework used by an organization’s senior leadership, relying on management information from across the organization in order to direct and control the overall strategy and operation of an organization. This concerns major existential questions for the organization, such as – what are the roles of leaders at all levels? What are the reporting mechanisms and what checks and balances exist for these? How does business strategy translate into directions to various business units and how are these instructions communicated to employees? Having an informed perspective on the organization’s governance objectives is very important for a compliance officer because this gives insight to the tone at the top and the mechanism through which these critical values become concrete practices.
  • Risk management: Risk management is the identification, assessment, and response to risk factors which may have an impact on an organization’s activities. This also includes considering risks which do not have an impact and ascertaining that this evaluation remains correct and current as fluid business objectives and conditions may change. All organizations are subject to some risks, such as operational risk, technological risk, and financial risk, while others may be determined by the industry in which they operate, such as market risk, liquidity risk, political risk, third-party risk, and product-specific risks. Risk management entails planning and implementing controls in order to address these risks, either by mitigating them, changing strategy or practice to eliminate them, accepting them, or transferring them to a service provider or partner who is positioned to best respond to them. Legal, legislative, and regulatory risks are of particular interest to compliance officers, as are compliance-centric risks such as reputational risk. Compliance officers should take risk identification and assessment well into account when planning compliance program objectives so that these can be fine-tuned to the emergent and most important needs the business faces in this area.
  • Compliance: Of course, staying in good standing with supervisory authorities and ensuring that business practices and procedures meet standards and requirements set by external laws and regulations as well as internal policies and procedures, ensures that the work done in governance and risk management activities is properly directed and sufficiently supported. An on-going assessment and prioritization of the compliance program’s effectiveness and appropriateness is necessary to ensure that the controls in place are up-to-date and working as intended.

The themes above are all germane to the objectives of a compliance program and can be referred to in seeking buy-in from senior management or supervisory board members, with whom ultimate responsibility for establishing and executing these systemic processes rests.

Appealing to Myers-Briggs dichotomies in compliance communications

The Myers-Briggs Type Indicator (MBTI) is a set of personality types that categorizes individuals’ experiential preferences. The MBTI has become very popular for use in business settings, for managers to determine how to develop employees or build teams as well as for individuals to analyze their own way of working and define their particular world view and tendencies in interacting with others, based on these preferences.

The MBTI classification system is fundamentally based upon the presumption that humans have four main psychological functions, or dichotomies, through which they view the world. These are thinking (T), feeling (F), sensation (S), and intuition (N). Thinking and feeling are the functions people rely upon for judgment in decision-making. Sensation and intuition describe how people perceive new information. Taken together, one of these four functions will be naturally dominant for each person the majority of the time.

Added to these functions are people’s attitudes, expressed by the terms introversion (I) – a preference to operate internally, focused on reflection and ideas – and extroversion (E) – a preference to operate externally, focused on behavior and people. This relates to how people prefer to live their “outer lives” and is not necessarily as simple as defining a person as “shy” or “outgoing” but looks deeper into how people get or spend their energy and whether their information-processing, personal focus, and pace is determined inward or outward.

Finally, the MBTI also incorporates lifestyle preferences, identifying that people have a preference for using either the judging (J) functions (thinking or feeling) or the perceiving (P) functions (sensation or intuition).

These eight psychological functions and preferences – four sets of two each – can be mixed and matched among each other in different combinations, resulting in the sixteen distinct MBTI “personality types.” In any given group there is likely to be some mix of these types, sometimes more diverse than others. Each type brings with it some indications for how the person may behave in an individual or collective setting. Therefore understanding the elements of these different types can be useful in fine-tuning messaging to have maximum appeal to one, some, or all of them.

Based on the above, there are four dichotomies to the MBTI. In each dichotomy, individuals select from two letters (T for thinking versus F for feeling, for example) the one which most accurately, if not completely, depicts their personality type. The differences between these four dichotomies are important to understand and useful to take advantage of in tailoring communication across organizational levels to raise compliance awareness.

  1. Introversion (I) or Extroversion (E): Preference for Introversion suggests an inward focus, with more contemplation and observation in learning or gathering information. I types would enjoy e-learnings, reading guidelines and policies, or other self-paced activities. Preference for Extroversion, on the other hand, indicates a suitability for fast-paced outward focus. These are the eager participants in dilemma sessions or group trainings who like to work with others and develop their ideas out loud, getting energy from quick progress of talking through learning materials.
  2. Sensation (S) or Intuition (N): Preference for sensation means that concrete, practical information will be the most appealing to these individuals. Communications should use clear and literal descriptions based in reality. Those who prefer intuition, on the other hand, may be more likely to dream about what could be rather than what is. Contemplating business cases and dilemmas would be fun and enjoyable for them.
  3. Thinking (T) or Feeling (F): Those who lean toward Thinking will respond to decision-making that promotes rationality and justice. A rules-based approach to communicating compliance principles will evoke their sense of reason and equity and make the objectives relatable. On the other hand, people who prefer Feeling will benefit from a values-based approach. Playing up personal morality and situational empathy is more effective for them.
  4. Judging (J) or Perceiving (P): Judging is aligned with a preference for planning and methodical assessment. These people will be convinced of the value of a compliance program by, for example, formal risk inventories and control framework evaluations, and coordinated, long-term implementation plans with steps and phases for their goals. People who prefer Perceiving, on the other hand, need a flexible view. This is challenging to adapt to fixed rules and regulations, but offering creative approaches to those can be an engaging possibility.

For more information on the MBTI and its four dichotomies, check out this handy interactive chart.

The five branches of ethics as applied to compliance principles

Compliance and ethics are related but separate disciplines. In a professional setting each one relies heavily upon the principles and practices of the other, while still maintaining its own distinct character.

Compliance concerns not necessarily the intuitive or collective ideas about right and wrong, nor the legal bright lines about what is permissible or prohibited, but rather the decision points between all of these. The function of compliance in a practical sense is to adjust or create conditions to choices in order to analyze or bridge the gap between good and bad, yes and no. In compliance, ethics provides the values-based approach, while the legal and regulatory guidance provides the rules-based approach. The work of the compliance professional is to attempt to reconcile the two and in that work create a second set of connections, this time between that which is legally acceptable or not, and that which is deemed ethically appropriate or not.

Very simply put, ethics, on the other hand, refers to the standards of behavior by individuals or organizations and the moral principles governing the conducting of an activity by the same. This is a values-based approach to “right” and “wrong,” or what is good for people and the society in which they live and work. The concept of right and wrong behavior is fundamental to ethics and acts as a systematic discipline in order to guide decisions on how to act.

Ethics draws its foundations from five branches, each one of which is useful to inform a practical and disciplined perspective for a corporate compliance program.

  • Normative ethics contemplates the questions which arise in considering how one should act morally, in line with the norms and expectations of society or a community/organization in which the actions are taken. What are the different interests at stake and what are the potential consequences and outcomes of the possible actions to be taken? This view is very helpful in ethical decision-making and designing defense strategies to encourage identifying and choosing good decisions while discouraging and removing incentives or rationales for bad decisions.
  • Meta ethics focuses on what morality actually is and means – in general as well as in context. This involves the careful analysis of the level of understanding about moral considerations as well as an analysis of the situational status and scope of it. This approach is imperative for defining a values-based culture and corresponding corporate identity and business strategy. These values must be organic and intrinsic from the beginning in order for them to truly imbed as genuine. If they are imposed upon the business culture with no respect for what original standards were set for the organization at its inception, then a values-based approach to a culture of compliance will not permeate the company’s actions – customer service, product design, hiring and retaining employees – and a strong tone at the top cannot succeed.
  • Applied ethics goes in-depth into the practicality of really using ethical theory in order to analyze actual moral issues in both private and public life. The practical skills inherent for this discipline are incredibly useful for creating the dialogs that support compliance awareness. Taking a critical look at real-life moral issues that would be encountered in one’s personal time or on an everyday basis at work is a very useful way to get comfortable with approaching ethical dilemmas. Dilemma analysis and discussion is key for encouraging a robust culture of compliance at all organizational levels.
  • Moral ethics is the philosophical area of ethics that centers on defining, choosing, and suggesting behavior with classifications of “right” and “wrong” in mind. This practice is the most directly influential in determining standards and expectations for conduct. Elevating moral conduct by clearly defining it as a corporate cultural norm is imperative for encouraging employees to value it as such as well. Senior leadership should genuinely demonstrate this as well, acting as good conduct role models to embody the cultural values and categorizations for understanding the difference between right and wrong and making good choices within that dichotomy.
  • Finally, descriptive ethics is the study of attitudes of individuals or groups of people aimed at characterizing and understanding their beliefs. The objectives of this branch of ethics are very important for compliance risk management because they help to expose heuristics and routines in play that may encourage or hinder ethical decision-making and the cultivation of strong compliance themes within the corporate values. This is crucial for providing positive support for organizational and employee integrity.

Given the above, there are great affinities between the principles of ethics and those of compliance. The two disciplines share prolifically in their application in life in general and specifically in the workplace. It is very useful for compliance professionals to have some foundation in the discipline of ethics and an understanding of the practical application of its system of principles.

Using ethical dilemmas for creating a compliance training dialog

For effective compliance training, learners must be prepared to discuss and challenge dilemmas independently and with others. The details of specific policies, directives, and regulations can quickly become very dry and irrelevant, whether the audience is made up of compliance officers, senior managers, or new starters. To prevent topic fatigue and keep important compliance training vivid and engaging for those attending awareness sessions, it is important to encourage discussion. An active participant will think, care, and learn more than one who is just watching the clock for the end of the program.

One way to spark discussion that can be employed at all levels is using ethical dilemmas. This is effective either as a stand-alone program, where attendees are introduced to ethical dilemmas and spend time in groups discussing their ideas and views, or as an icebreaker to a content session, to grab the audience’s attention and test their knowledge from the beginning. This can provide an approach to then thinking about the practical handling of compliance subjects which is both easy and enjoyable.

Considering and responding to ethical dilemmas helps learners to build fluency with ethical decision-making and evaluating potential conflicts of interest, especially in balance with their own possible interests. Giving meaning to the impact of behavior and choice is significant for establishing cultural values that emphasize individual responsibility and integrity. Dilemma analysis involves several simple but thought-provoking steps following the prompt:

  • What is the ethical question?
  • What personal values are relevant in considering this ethical question?
  • Who are the parties with interests in this dilemma?
  • What are their interests and how do they conflict?
  • How can the ethical question be answered and what are the potential consequences?
  • What is the decision in response to the ethical question?
  • Is the choice that came from the decision-making process of the dilemma possible/practical to do in light of all considerations and consequences?

Ethical dilemmas used as such for prompts in compliance training should be universal and straightforward. In general, dilemmas used to teach this style of thinking to beginners or to instigate audience participation at the start of a session should not focus on specific employee responsibilities or business functions. For very advanced and targeted audiences it may be acceptable to give an anonymized example of a dilemma they may come across in their work, but for the most part, daily life dilemmas are more relatable and more fun to discuss, regardless of the experience level of the participants.

Some examples of simple dilemmas that can be analyzed as described are:

  • You are meeting some friends at a standing room-only concert and arrive late. As you approach the venue you walk past your friends, who got there early and are waiting near the front of the line. They tell you they have been there for almost two hours and invite you to join them where they are in the line, even though the end of the line is very far behind them.
  • Your company has been considering some wellness initiatives to offer to employees as benefits but hasn’t contacted any providers yet. Your roommate just finished yoga teacher training and wants to get experience as a corporate instructor.
  • You are taking an exam after studying hard for days to prepare and attending every class the entire term. However, you woke up this morning with a terrible cold and can’t focus. You know the professor will not allow a rescheduled or make-up test. There is no proctor in the room and you have all of your course material with you.
  • You and your partner have a joint bank account where you are both named. Your partner is one week into a two-week trip abroad when a letter comes from the bank. You have to fill out and return a form with both your and your partner’s signatures. If you don’t return the form within two business days you will not be able to use your credit card.
  • You are taking your relative to an urgent doctor’s appointment. The parking lot is quite busy but all three of the parking spots designated for disabled drivers are empty. Your relative has no problem walking, but you are already five minutes late for the appointment.

Choosing simple prompts like the ones suggested above will allow the learners to be more creative and perhaps to even engage in discussion with themselves. The facts may be straightforward, but the huge array of perspectives and outcomes that people can suggest is always impressive. By keeping the dilemma prompt at a level everyone can understand regardless of his or her own background and initial interest, the dialog can be truly inclusive. This allows the person who is running the training session to fall into the role of a true facilitator, which offers the enriching experience of watching individuals converse organically on these provocative questions.

Communication strategies for increasing employee engagement in compliance programs

Every compliance professional’s strategic annual plan will include seeking increased employee engagement in and attention to the organization’s compliance program. Communication strategies must be carefully devised with the goal in mind of making compliance vivid and interesting to employees. The compliance message can quickly become routine and dry: sign an attestation, request pre-approval, complete a checklist. This sort of messaging alienates employees rather than engaging them. They have only a small function in the compliance operations this way. Nothing is learned or shared, they are just doing a “tick the box” type exercise.

Instead, the true aspiration of the compliance messaging is that employees take interest, learn something new, ask questions, and feel connected to the story of the organization’s compliance program. This is accomplished via effective and appealing communication that speaks to all audiences and sets a new, compelling tone.

  • Key moment messaging: Compliance is highly relatable to current events and news stories. Therefore compliance communications should take full advantage of key moment messaging opportunities. Relate communication topics to outside events to make the objectives of the compliance program even more concrete. For example, if there is a major earthquake somewhere in the world and your office is located in Southern California, take that opportunity to engage with employees about disaster recovery and business continuity policies and procedures. Their interest will already be heightened and the necessity of the information will be at its most tangible.
  • Positive reinforcement: Start with a kudos, congratulations, or positive sentiment. Any action that needs to be taken or improvement that needs to be made based upon the communication will be much better received if the message gets off to a welcoming start. Set a productive tone by thanking employees for their participation in the last request or calling out good insights or high engagement. Then build off that encouragement to bring in the next steps needed and issue the call to action.
  • Branding: Branding and marketing are now important considerations across all business lines and functions. Compliance is not immune to this, as messages from so many sources fight among themselves for precious attention and airtime from employees. Therefore compliance professionals must carefully consider branding options that will maintain the substantive content of their communications yet be adequately branded to be appealing. Using humor or a catchy, fun theme to introduce the communication, before getting to the meat of the message, can provoke curiosity and prompt engagement. Don’t take it too far and make it a joke – but a little bit of amusement can go a long way.
  • Give visuals/shortcuts: On a similar note, think about making simple takeaways from the communication, however complex its overall message. One way to do this is to provide a visual, like an example of a new form that has to be filled as standard procedure, or a chart showing results on an initiative over previous periods and projected future results. If a visual is not applicable, try using acronyms or slogans that will work as mnemonics to help people remember your message and keep the meaning in mind.
  • Make it interactive: The best way to engage employees in compliance communications is to concretely incorporate them in it. Make the messages interactive for them. Ask an open-ended question and promote any responses received so that employees know the request for input is credible. Take a poll or offer a quiz. This way, employees can share in the mission and the effort by weighing in themselves, which allows them to personalize the message and be more likely to remember it.

To interest and appeal to all employees, compliance communications should not be generic or routine. Taking advantage of opportunities to make compliance relatable, and capitalizing on human interest or emotional connections that can be made, will help to make the mission of the compliance program much more interesting and effective.