Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Ethical decision-making and hard choices

Encouraging ethical decision-making is one of the main aspirations of any corporate compliance program. At both the employee and organizational level, it’s important to support and promote the choices that are most consistent with both explicit rules and implicit values. Individuals and corporations can demonstrate their principles-based identity through the choices they make.

Genuine commitment to making the most ethical decisions through the complex environment of inadequate information, lack of connection to consequences, competing interests, and limitations of belief systems/choice frameworks – just to name a few of the many risks inherent – is a critical component of a culture of compliance.  Individual persistence to honor internal codes of ethics and moral convictions will scale up to create heuristics and habits across the organization that support responsibility and thoughtfulness rather than a culture of fear and habits reflecting limited vision.


Principles of ethical decision-making

Simply put, ethical decision-making is about making choices from a basis of integrity.  Decisions are not pure or in a vacuum.  People make choices in an often very complicated landscape of conflicting interests, isolation from consequences, stubborn habits and heuristics, and narrow cognitive frameworks.

Therefore effective ethical decision making has two components: first, the intention and second, the action.  The intention requires an individual determination to do the right thing for the right reason at the right time.  The action, on the other hand, requires commitment at both the individual and the collective/organizational level to maintain and support the intention.  This process happens amid a complicated context of incentives for, and obstacles to, both individual ethics and corporate culture of compliance.


CSR tips for compliance professionals

Corporate social responsibility (CSR) is closely related to business compliance.  Both CSR and business compliance share the objective to integrate requirements from legal, regulatory, and social expectations with organizational strategy.  Business compliance has the broadest mandate of creating both rules-based and values-based structures and systems to support corporate and employee integrity and adherence to laws, regulations, and norms.  In contrast, CSR has these same goals but focuses on engaging in corporate actions that contribute to social good, generate positive public relations attention, and promote ethics and accountability.

While compliance is often focused on defining internal standards for conduct and strategy in order to follow or improve upon outside requirements, CSR has a much more public posture.  CSR is focused on defining the company’s positions on the environment, reform, justice, philanthropy, community relations, and other outwards-facing social initiatives.  After these objectives are defined, the company then presents and promotes its positions to consumers and society. CSR and compliance both contribute to a company’s mission statement and values, but CSR has a heavier hand in guiding the corporate image that is presented to consumers, industry partners, and society as a whole.  


Compliance must-haves for changing organizational culture

The ongoing public disclosures about sexual harassment and abuse that have filled the news since mid-2017 have led to a major cultural reckoning.  Courageous people have come forward to share stories about inappropriate and dangerous behavior of high-profile individuals.  The public discourse about these people who were violated by abusers and predators with the complicity or support of other individuals or organizations has, to this point, focused largely on bringing these offenses to light, in order to listen to and believe in victims, so that they may be supported and empowered as survivors and as bearers of new societal norms.


Happy Martin Luther King Jr. Day!

Happy Martin Luther King Jr. Day from Compliance Culture!

In honor of the holiday, please check out the below selections from some sermons and speeches delivered by Dr. King which are especially pertinent to ethics and morality.  These profound and incisive words can inspire not just spiritual and philosophical observations, but are also useful to consider in formulating individual and organizational values and cultural identity.


The moral hazard of “future-proofing” your business

Corporate buzzwords are famously annoying. While they’re often intended to convey a positive or progressive intent, this business jargon can often become meaningless on its own, standing mostly for whatever management trend has caught senior leadership’s attention for that moment. “Outside the box”; “That’s in my wheelhouse”; “Have a dialog around”; “Agile”; “Lean and Mean”; “Operationalize”; “Gap analysis” – anyone who works in an office has heard, and probably eventually been aggravated by, these words and phrases.

From a compliance perspective, there is one corporate buzzword which is enjoying current prominence that is more harmful than others: “future-proof.” This term describes the aspiration of businesses to stay focused on improving today’s practices in order to be ready for tomorrow’s risks. It aspires toward a proactive, strategic model of compliance risk management. Thinking differently about compliance risks in trying to prevent or mitigate future problems instead of just responding to past ones is a more rigorous, assertive approach.

However, the concept of future-proofing is intrinsically flawed and worse yet, dangerous to rely upon. The idea that absolute certainty can be brought to compliance risk management is a moral hazard in the discipline. Responding to and anticipating risks can be dynamic and forward-looking. A crucial part of the practice of compliance is bridging the gap between what individuals and organizations must do or not do, and what they may, but claiming to predict future results sets an unrealistic business expectation. A robust compliance program is not an insurance policy, nor does a heightened awareness of compliance risk allow an organization to read the tea leaves and assure management and stakeholders that only calm seas lie ahead due to preparing a controls framework.

Rather than suggesting perfect immunity against changes in regulations and law and emerging risks, compliance officers should set realistic expectations with the businesses they serve. No one can tell the future, though of course for the right price any person will offer a guess. The allure of the unknown should not distract from concrete compliance demands.

The future will show what it holds in due time, and before that happens the best approach is to meet the current standards and exceed them in specific areas where the organization has shown vulnerability or seeks more risk and exposure. Complete compliance with current regulations and laws and a governance structure which supports and promotes all of an organization’s policies, procedures, and most importantly philosophies are non-negotiables. Companies cannot fail to get this part right before concerning themselves with what may be out of view over the horizon.

Let’s also not focus on the future at the expense of the past – real lessons should be learned from mistakes and experiences. Instead of just forgiving and forgetting, use what happened yesterday to derive a more informed assessment of the as-is situation and design a compliance program that capably responds to this instead of being overly formal and stale. Making a commitment to the practice of compliance as an ongoing function means that as the business evolves so does compliance, along with it instead of blindly ahead of it.

Certainty cannot be promised – indeed, this reality is one of the reasons why a responsive, strategic compliance advisory program is essential to any organization’s risk management efforts. Avoid making undeliverable assertions about future perfection and instead, focus on learning humbly from yesterday’s mistakes, out-performing the present’s expectations, and remaining open for the insights and challenges which are yet to come. Instead of future-proofing – focus on future-sustaining.


Compliance as both function and discipline

Compliance makes concrete and professionalizes the rules, regulations, and questions of ethics and integrity that are everywhere in life. It can be very absolute, used in creating a framework to ensure adherence to external legal and supervisory requirements as well as internal policies and procedures, to form a rules-based approach to risk management. It can also be more esoteric, probing the challenge between general norms and existing controls, and what may be morally acceptable or within individual expectations.

Considering the distinction between the function of compliance and the discipline of compliance is helpful to develop a more mature understanding of its applications in both modes. Compliance as a function creates frameworks, translates regulations and directives into internal policies and procedures, identifies program priorities, and plans management strategies. Compliance as a discipline takes all of these efforts to ensure awareness of, and steps to comply with, all relevant laws and regulations, and applies them directly to the business in order to target this work toward facilitating ethical decision-making, encouraging integrity, and positively impacting business strategy.

The function of compliance describes the general task of keeping up to date on rules and regulations and designing governance, risk, and compliance (GRC) management strategies and structures to present to senior management, executive boards, and outside stakeholders such as regulators and other supervisory bodies. This includes regulatory compliance, which ensures that organizations are abiding by both industry regulations and government legislation. This also includes designing governance and control structures intended to encourage employee and organizational integrity and create disincentives against and penalties for misconduct.

The discipline of compliance, on the other hand, describes the dynamic and business-linked support activities that the compliance professional undertakes within the broader context of the organization. Disciplinary compliance takes the above-described principles and frameworks and applies them in the business arena. This is where the rubber meets the road between the compliance officer and the business line he or she serves. In this setting, compliance is a relationship-based activity of providing advice, cooperating and aligning with other stakeholders and functional partners, suggesting defense strategies in light of real-time business risks and strategies, and maintaining an on-going bird’s eye view of the business landscape which can only be achieved by pro-active, personal engagement.

Building upon the above definitions and borrowing from the philosophy of ethics, the comparison could be made between the compliance function and normative ethics on one hand, and the compliance discipline and applied ethics on the other hand.

The compliance function links to normative ethics, in which moral behavior is compared to the norms of the social context in which the actions are taken, because of the emphasis in both on external or supervisory expectations and standards. Normative ethics is quite useful in identifying and categorizing compliance risks and suggesting possible mitigations and strategies for the ones that cannot be eliminated or are deemed acceptable to some extent. Within the function of compliance, the question of what individuals should or should not do, is answered by relevant laws, regulations, principles, rules, standards and codes of conduct, and other guidelines applicable to these individuals and the organizations in which they work.

The compliance discipline, in the meantime, can be connected neatly to applied ethics, which centers on the use of ethical theory in order to analyze and address actual moral issues that arise in work and life. Dilemma analysis and discussion, and compliance awareness dialogs, all borrow from the didactic constructs of applied ethics. Building upon the structures and foundations that come from the compliance function and from the philosophy of normative ethics, the compliance discipline and applied ethics both are used to take these frameworks from strict requirements to living, practical considerations within the robust culture of compliance at the organization.

For more posts on types of compliance and ethics, check out some of these: Guiding principles for a compliance advisory practice; Compliance 101: A quick guide; The five branches of ethics as applied to compliance principles; How to make voluntary engagement with compliance values meaningful. Posts each Monday, which are categorized in “Best Practices,” often address this sort of topic from both academic and practical perspectives.


7 Habits for compliance professionals

Stephen R. Covey was one of the most prominent authors of leadership, self-improvement, and motivational books and speeches of the 20th century. Though the businessman, author, educator, and speaker passed away in 2012, his well-known writings are still influential and insightful for the current generation of managers, students, and thinkers. The teachings from Covey’s books can be applied in many fields of life – business, family, religion, and community, lending heavily to his continued popularity with a wide variety of people. Not simply positioned as self-help, Covey emphasized ethics and distinct definitions of both values and principles, as separate concepts that independently influence people’s behaviors and decision-making.

Due to these emphases, Covey’s writing is specifically interesting and useful for compliance professionals looking for a novel way to approach embedding into a corporate culture both individual values – which one could see as ethics or morality – and organizational principles – which one could see as compliance program requirements and goals. Covey’s teachings often touch upon the value of inner success, rejecting external competitive measures as the true sign of achievement in favor of emphasizing personal mission statements and progressive goal-setting to allow an individual or an organization to go from immature dependence, through self-sufficient independence, into the higher state of functioning interdependence with others. This strategic vision has a high affinity with the sort of planning compliance officers must do to encourage a successful culture of compliance.

Arguably, Covey’s best-known book is the worldwide best-seller The 7 Habits of Highly Effective People. This book is not only a worldwide best-seller that gains new fans every year for its simple and timeless insights on how to work toward, achieve, and sustain inner success, but it is also the Covey book which is most applicable for compliance professionals to study and take into consideration in the course of their work.

Taken individually, each of the 7 Habits endorses values and principles and encourages conduct in support of those, which are useful for compliance risk awareness both in planning program priorities by the compliance officer as well as encouraging awareness and fostering integrity for individuals and organizations.

Stephen R. Covey’s famous 7 Habits, annotated with suggestions for their applicability to corporate compliance and ethics programs, are as follows:

  1. Be Proactive – This is the first of three Habits that focus on maturing from dependence to independence, a process also referred to by Covey as self-mastery. This Habit introduces the concepts of Circle of Influence, one’s effective community – in a business perspective, partners, stakeholders, and clients or served parties – and Circle of Concern, where problems happen and dysfunction or distrust can stymy success and achievement.
  2. Begin with the End in Mind – Simply put, this Habit calls upon individuals and organizations to be devoted planners. Once the plan is set, apply yourself with dedication to following it, with ongoing and careful review of its efficacy and currency. Planning is a fundamental component of any successful compliance program. Setting goals and priorities for the program is necessary to encourage informed business buy-in, and checking these goals and priorities on a continuous basis helps to keep them grounded in reality and responsive to evolving business and regulatory demands.
  3. Put First Things First – This Habit identifies the difference between leadership and management, a crucial dichotomy for the encouragement of both ethical leadership and adequate supervision, which are equally necessary in order to model conduct expectations and ensure progress in one’s mission. Covey says that leadership in society requires personal vision and for the individual to embrace the importance of character ethic, or internal personal qualities such as ethics, honesty, and loyalty, rather than personality ethic, or external personal qualities such as popularity or other short-term human interaction traits.
  4. Think Win-Win – This is the first of three Habits that focus on interdependence, offering tips for working with others. In a service function such as compliance, working together effectively to establish a consistent and open relationship-based approach to risk management is crucial. Likewise, it is important for individuals to appreciate the importance of interdependence also, to see that their individual actions are significant in the overall scheme of the compliance program and to appreciate the importance of accountability, driving them to discuss dilemmas and enhance understanding. Finally, from an organizational perspective interdependence is also very important, driving home the cultural significance of corporate social responsibility and even political engagement in establishing corporate values and creating an identity and purpose in society.
  5. Seek First to Understand, Then to be Understood – This Habit focuses on the importance of listening for genuine understanding in order to build trust and promote personal credibility. Of particular importance are the Greek philosophy concepts of Ethos, the trust individuals inspire or in Covey’s words their Emotional Bank Accounts; Pathos, aligning and communicating with others and their own emotional trust; and Logos, the reasoning that must be included in communicating with and considering the trustworthiness of others, while projecting your own. Check back in the future for a blog post dedicated to the important concept of Emotional Bank Accounts.
  6. Synergize – This Habit reinforces the key interdependent competency of teamwork. Set goals together and achieve and maintain them together as well. In compliance terms, establishing trust and transparency as key values requires a cooperative commitment to supporting these individual values in the organizational principles that are established, be it via a corporate mission statement or through business strategy and growth plans.
  7. Sharpen the Saw – This final Habit focuses on personal and interpersonal continuous improvement. Balance is key to contented success in both life and business; no achievement attained with disrespect for the resources it requires can be sustainable. In order to be truly successful, renewal and sustainability are the most important priorities. Continuous improvement for a compliance program or a company’s corporate values requires continuing risk re-assessments and a rolling plan for how to implement and refine compliance planning and communication.

For an in-depth look at Stephen R. Covey’s work and legacy, check out this official website maintained by the Covey Family. And for an entertaining take on the book, watch this animated book review of The 7 Habits of Highly Effective People.


Tips for conducting compliance investigations

The task of a compliance officer is not to “set it and forget it.” Apart from planning and advising on risk management strategies, and monitoring business implementation of the attendant policies and procedures, compliance professionals must remain vigilant about the potential for violations. Internal compliance violations can run the causal gamut – they could be because of internal controls failures, unwitting omissions due to lack of awareness, or outright misconduct and malfeasance.

Compliance officers should approach an investigation into a compliance exception thoughtfully and with careful preparation. If the planning for or administration of the investigation is flawed from the beginning then the investigation results will not be reliable. In many fields, such as scientific research, planning investigation tactics and strategy is a discipline all of its own, demanding special expertise in statistical methodology standards.

For purposes of the internal investigations of compliance officers, a common-sense approach, focused on fairness and transparency, can take the place of technical expertise in conducting informal internal investigations that will still generate reliable and meaningful results. Compliance professionals should keep the following fundamental themes in mind when designing an investigation effort:

  • Reject foregone conclusions: Compliance investigation inquiries can be sensitive and intimidating. Most people do not want to do the wrong thing and will be worried or even frightened by the possibility that they have broken rules or regulations. They will fear that their jobs are at risk or worry about the reputation of the company due to the misconduct. Therefore, take the investigation seriously, even if its scope is limited or it’s routine. Don’t decide the outcome before the information is gathered. Investigations should be motivated by intellectual curiosity, in the case of annual or planned investigations, or, in the case of ad-hoc or event-driven investigations, an objective desire to protect and promote integrity, which knows no master.
  • Work carefully: Sloppiness and poor preparation will doom an investigation from the beginning. Compliance professionals should work carefully and check their work as they go along. Simple errors such as directing queries to the wrong recipients or asking for information that is out of scope of the investigation can cause a terrible impression with stakeholders and disrupt the efforts of the investigation. Communication is key, and information communicated to all parties throughout the investigation should be accurate, clear, and appropriate at all times.
  • Give support, not interference: Compliance often collaborates with other functions such as HR, Legal, and Risk; this collaboration should be encouraged, not complicated or avoided. In planning investigation strategy, work together with partners and stakeholders whenever possible (legal privilege and confidentiality, where it applies, must of course always be respected). Sharing information helps to make conclusions stronger and to avoid inefficient duplication of efforts.
  • Follow through with enforcement when misconduct is evidenced: Investigations are toothless when the results are just put on a shelf and forgotten. Enforcement action must come next, and in every outcome, there is appropriate follow-up. In instances where misconduct is discovered, whether it is from negligence or intentional wrongdoing, disciplinary action should be taken with concrete consequences. Substantive structural changes should also be made to the risk control framework to seek to prevent or identify earlier the non-compliant behaviour whenever possible. Punishing the wrongdoer is not enough; addressing the root causes of the wrong-doing has to happen too.
  • Feed-forward when no malpractice is discovered: Not every investigation will be an open and shut case where there are good people and bad people and everything wraps up neatly. It may be that the investigation yields no evidence that anything material happened. It’s also possible that the investigation would show some unrelated deficiencies, such as in communication strategies or employee awareness. Finally, the investigation could produce inadvertent lessons for the compliance officer him or herself to take back to a future risk assessment and planning session. Whatever these conclusions are, don’t discard them just because they don’t lead to a punitive action. Feed them forward into risk controls improvements and future compliance program efforts.

Compliance officers who consider the above suggestions in planning their own investigation strategy will be focused on obtaining neutral, credible information. They will communicate clearly and engage stakeholders supportively. Enforcement actions stemming from the investigation efforts will be pro-active and productive. With these approaches, compliance officers can establish credibility and effectiveness in conducting internal investigations.


How to make voluntary engagement with compliance values meaningful

A pure rules-based approach to compliance is direct and clear-cut, but by design lacks emotional or personal engagement. Following rules of all kinds – legal, community-based, household; practical, austere, illogical – is a social norm most humans are taught from their earliest memories. Despite this, many of them do not do it very well even with the best intentions, and still more never intend to attempt adherence.

To have any expectation that rules will be credible and inspire understanding and respect, there must be an authentic and compelling “why,” a purpose that people feel relates to them and calls for their commitment. Many laws are so deeply linked to societal expectations and taboos that the majority of people do not need to be persuaded to appreciate them – restrictions against pre-meditated murder, property theft, and abuse of animals for example. Those who remain unconvinced these acts should be prohibited and punished are not likely to view violating laws as something offensive or damaging either.

Sincere attempts to reach individuals who are antipathetic toward all rules, however few or rare they may actually be in society, with a rationale rooted in values are not likely to prevail. In general a values-based approach can be very powerful and evocative, but in order for it to hold personal appeal it must strike a difficult balance between universal relatability and individual accountability. All organizations should define their values and position their strategy and public branding within that set of principles, but this is delicate. If the values are too specific then they will be exclusionary rather than engaging, appealing only to a core group of true believers rather than attracting a wider audience. If the values are too broad, however, then they will be superficial and ring empty – again preventing individuals from attaching to them and being their standard bearers.

An especially effective tactic for bridging this gap is to make corporate values a living artifact which reflects the organization as it grows and changes along with business and society. In an ambitious and forward-looking organization, the profile and strategy will evolve and so should the outlook of what matters most in defining its purpose. Using a rules-based approach to provide both the floor and the roof for the terms of the corporate mission statement, values can fill the space between and invite everyone – employees, partners, stakeholders alike – inside.

There are many mechanisms through which corporate compliance programs can appeal to employees to make the connection between rules and values. Inspiring voluntary compliance, where employees feel aware of and responsible for the values of the compliance program and connect to them individually, adds weight to the mandatory compliance expected by the rules. Increasing the relatability of the requirements with principles behind them gives people incentive to sign on and go along with the compliance program. Compliance programs can aim to encourage ongoing employee adhesion to the organization’s values-based approach in the following ways, ranging from the lightest touch to the heaviest:

  • Nudges: Simply put, make it possible for employees to make ethical choices by expressing values that promote this and building decision-points into the processes they encounter in their working experiences which reflect those values. Business strategy should coincide with business values, and if it does not, then actions such as setting new standards for client acceptance or exiting and reassessing product offerings or market participation are natural consequences of trying to bring the two together. In order for employees to make choices that reflect both individual and organizational integrity, the procedures and standards within which they work should facilitate and support this type of decision-making. Doing the right thing should always be accessible and indeed prompted.
  • Codes: While nudges make values implicit and leave the decision ultimately in the employee’s hands, in codes values are explicit and expectations for adherence to them are formalized. Codes can take a variety of formats, and in some industries regulatory requirements may dictate their scope and even content, but generally speaking, the more concise and accessible the better. Employees at all levels should be able to read, understand, and engage with the code, whether it dictates ethics, conduct, or both, and they should be able to retrieve, review, and ask questions about it whenever they want. A code document should be updated on an ad-hoc basis and reviewed regularly, and it should be seen as a living record of the specific values of the organization which underlie all other policies and procedures in place.
  • Attestations: Once a code is available, employees can be asked to attest to their compliance with it. This can take a very simple form, even just a one-liner of “I attest that I have been in compliance with the requirements set forth in the Code as of the below date.” This can be done once per year (or other regular period of choice) or on an ad-hoc basis. Asking an employee to attest to adherence prompts self-reflection and may also create a space for questions or dilemma discussions, which are important tools for ensuring awareness.
  • Warnings: Warnings may sound punitive, but in reality they can just be reminders. Unlike attestations, which look backwards and ask employees to self-assess based on their past behavior, warnings would accompany present choices or activities. For example, an expense claim form might include a statement on it reminding the submitter that the data on the form should be accurately and honestly reported, and that there are certain expenses which may not be reimbursable or permitted. Providing these warnings at the time the employee is going to take action that checks compliance values brings together all the previous methods – it provides a nudge, makes expectations explicit, and directly asks the employee to consider ethical obligations when making choices in the course of the task.
  • Oaths: Oaths take the most advanced step of ensuring that employees comply with the ethical and compliance expectations of their profession by asking that they voluntarily submit to discipline should they violate these. This submission is by taking an oath and signing it, typically with witnesses and even a level of formalization or ceremony in order to underscore the significance of the commitment and the seriousness of trespassing against it with future misconduct. A very interesting example of a professional oath is the Banker’s Oath in the Netherlands, which is intended to restore trust in the financial sector and banks specifically by requiring that every Dutch employee take an oath to comply with uniform ethical guidelines. To read more about the Banker’s Oath, visit the website of the Dutch independent organization Foundation for Banking Ethics Enforcement (FBEE).

The above methods for encouraging voluntary compliance can be employed by compliance professionals simply and powerfully in routine compliance communications and awareness initiatives. Reminding employees of values – the purpose – helps to heighten the credibility and appeal of rules – the requirement – and provide a mission perspective to their engagement in the compliance program.
