Categories
Best Practices

Hero’s journey of the compliance professional

The hero’s journey is a myth narrative popularized by the American writer Joseph Campbell. Campbell studied hero myth patterns in contrast with psychology, ritual, and analysis and used his view of the hero’s journey to describe the generic narrative archetype of various heroic stories as follows: “A hero ventures forth from the world of common day into a region of supernatural wonder: fabulous forces are there encountered and a decisive victory is won: the hero comes back from this mysterious adventure with the power to bestow boons on his fellow man.”

This pattern will be familiar to any fan of a wide variety of adventure and fantasy stories such as Star Wars, Indiana Jones, Harry Potter, and many more. However, this narrative construct can be applied not just to literature and Hollywood movies but also to the work of the compliance professional attempting to embed an authentic and effective organizational culture of compliance. In this view, the hero is the organization – and it is the objective of the compliance officer, as a mentor or expert figure of sorts, to guide it through the stages of the journey to successful completion.

The hero’s journey is divided into three principal “acts” – departure, initiation, and return. Within each of these acts the hero undergoes a variety of tasks, ordeals, and lessons which comprise the stages, seventeen of them in total, of the journey. The themes of persuasion, doubt, adversity, seeking guidance and expertise, challenge, success, and transformation which recur in the journey all translate provocatively to the ambitions of a corporate compliance program.

The three acts of the hero’s journey, as applied to corporate compliance and organizational ethics, are as follows:

  1. Departure – In this act the hero is still living in the ordinary world and receives a call to action for an adventure which is daunting and requires a mentor’s guidance before embarking on it. Applied to compliance, this act depicts the organization which is without a compliance program, or an organization where the compliance function is immature and inadequately implemented, without genuine engagement. The call to action in this case could be an internal, positive one – a decision to focus proactively on integrity and ethics, for example, or the company could be a new one which wishes to have a compliance risk framework from the beginning. It could also be an external, possibly negative one – such as new regulations or laws, a company or industry public scandal, or supervisory enforcement. The mentor offering guidance is the compliance professional, the person with the subject matter expertise and balance of rules and values knowledge who can support the organization in answering the call to action.
  2. Initiation – This is the stage in which the hero leaves the ordinary world and goes out into the unknown, extraordinary world to face a variety of challenges, some with guidance or support and others without, but against great obstacles or resistance. The hero encounters crisis in the attempts to reach his goal. Once the goal is achieved, the hero has to go back to the ordinary world of before, again amidst challenges. In this stage, the unknown world represents the as-yet unformed environment of drivers for and obstacles against organizational and employee integrity and ethical decision-making. In confronting this, the organization accepts the need to implement or improve a controls framework and struggles with the appropriate approach and tone. A wide variety of interests diverge and compete in this process, with the priorities of different business lines, other support functions, stakeholders, external partners, supervisors, and even customers or followers diverging from and competing with each other. Some of these parties will be helpful allies and willing advocates for compliance initiatives, acting as evangelists with each other and the public to sell the comparative value of a compliance program. Others will be doubters who present tests to the maturity and necessity of the program’s design and goals, or even enemies who wish to defeat the effort in favor of commercial or other concerns. It is from here that the compliance professional must carefully craft communications and branding strategies for the compliance program to be convincing and overcome these trials. Once the crisis is overcome – be it incomplete implementation of a program leading to risk and loss, or reputational damage due to insufficient organizational integrity, or negative action by a regulator – the compliance professional can re-emphasize the fundamental values of the program to an organization with a new appreciation for their importance.
  3. Return – In the final act of the journey, the hero returns to the ordinary world, newly endowed with the central goal achieved and the ability to use this hard-won enlightenment for the common good. This process has been transformative and the hero has ascended to a higher level of being due to the triumph of the journey. At the culmination of its journey, the organization has successfully implemented a robust and pro-active compliance program which will be both functional and aspirational. The corporate compliance framework enables the organization and its employees to follow an ambitious yet responsible strategy guided by a flexible yet foundational balance of values and rules.

For a detailed description of the classical stages of the Hero’s Journey, check out this outline by Christopher Vogler. And for a vivid explanation and illustration of the Hero’s Journey and its various applications in literature, watch this entertaining TED-Ed lesson by Matthew Winkler.


Tips for improving employee accountability in compliance programs

The most ambitious culture of compliance paired with the most robust controls framework still cannot succeed without employee adherence. Employees who don’t know the correct thing to do, or those who make an unethical or non-compliant decision despite knowing, can be addressed with awareness communication in the first case or remedial action in the second case.

However, the more frequent and challenging scenario is that employees have received information about compliance risk management priorities and ethical culture at their organization. They understand this information well enough and maybe even admire the aims of the compliance program, but there’s a problem – they don’t see themselves as having an active role in it.

The best efforts of compliance programs will always be overcome by apathetic or unengaged employees who don’t see themselves as having personal compliance responsibilities. In cybersecurity, for example, the best IT systems with the most up-to-date risk controls structure will still be defeated by an employee who falls for a phishing scheme or leaves behind an unsecured laptop in a public place. Some mistakes are unavoidable, of course, just like some risks can only be mitigated or accepted. However, many other errors, acts of misconduct, or risk factors can be prevented with the appropriate individual vigilance and diligence.

So how can a corporate compliance program emphasize to employees that individual responsibility is the fundamental defense in any risk and control framework? Too many solutions from management or consultancy rely heavily on data solutions and systems approaches to addressing compliance risk. The logic goes: failures of existing compliance programs to prevent ever-evolving fraud and misconduct are unfortunately not unusual, so why not simply blame human misjudgment or incompetence for inadequate controls and therefore just automate processes whenever possible?

The above is a cynical and defeatist attitude toward corporate compliance; if management or its advisors decide that corporate compliance will fail, then it certainly will do so. However, removing the obstacles to individual responsibility is an important step to empowering organizational integrity. Outsourcing or digitalizing analysis and advisory work is an artificial, external solution. It may expedite or simplify some aspects of working with compliance risk management, but it cannot ever be as effective as a values-based approach that creates a corporate culture where good judgment and ethical decision-making are incentivized and supported.

Indeed the first, and probably best, solution for raising the standard of compliance programs and their controls is to promote employee engagement in these across all levels of the organization. This starts with individual accountability, which compliance professionals and senior management can nudge employees toward embracing in these ways:

  • Walk the walk: Senior management should weave a thread of the corporate cultural values throughout all matters that touch an employee’s working life. This needs to be consistent and visible. Communication should be simple and straightforward, practical and not preachy, but it should express and reinforce the cultural values. In HR matters, for example, transparency should be communicated and modeled. Employees must see the corporate cultural values explicitly expressed as they experience corporate administration across the organization. This brings the values from mere words to a living system in which they are participants.
  • Nudge with timely reminders: Regulatory, legal, and policy requirements change rapidly. Employees who are trained regularly should be respected for what they already know; heavy-handed instruction can be seen as condescending. However, reminders upon key messaging events (anniversaries, completion of investigations, or announcements of strategies) or updates when there are new guidelines or expectations are critical. These reminders can act as nudges toward appropriate behavior for individuals whose attention may have moved on or whose understanding was out of date.
  • Work against a culture of fear: People often think about speaking up in the workplace in terms of following an internal escalation process or being a whistleblower. To some people, speaking up by challenging an established procedure or an experienced colleague may seem unprofessional or presumptuous. The possibility of being opposed or facing retribution can be very scary for employees who might want to express uncertainty or ask questions. Corporate compliance programs have a responsibility to create a culture where speaking up routinely is safe and supported. A relationship-based approach to business compliance advisory is a great first step toward combating the fear factor and helping employees to speak up to check understanding or challenge practices. Involved employees are more likely to be accountable ones.
  • Actively address accountability gaps: When it is evident that an employee or group of employees does not embrace accountability in compliance risk management, address it, but not punitively. Open discussion can be mutually beneficial. Take the opportunity to express that individual responsibility is expected, and also to listen to the limitations or uncertainties that may explain why it is missing.
  • Insist on consequences: Disciplinary action is never the intended outcome for any employee-management relationship. Ideally everyone would want to and be able to do the right things all the time, but clearly mistakes and misconduct happen. Good people/bad people dichotomies are classic but not necessarily helpful. In reality, it’s most important to establish from the beginning that consequences for doing the wrong thing exist and will be enforced fairly and meaningfully.

There will always be people in organizations who either are in need of training or resourcing attention (wanting to do the right thing but not being properly equipped) or people who are not cultural fits (wanting to do the wrong thing despite organizational priorities). Engaging these people where possible is critical, just as holding all others accountable for their actions and responsibilities is the frontline defense most important to compliance risk management.


GRC for compliance professionals

Compliance as a function is sometimes subject to varying definitions. Across different companies, industries, and cultures, organizational perspectives on the purpose and scope of a compliance program can vary. Some see compliance as an alternative to or close relation of the legal department, while others position it much more independently, perhaps as an intermediary between the business lines and audit. Still others may see compliance as the repository for risk-based support activities that do not otherwise fall cleanly into any other established unit.

As previously discussed on this blog, and as this blog will continue to emphasize, the autonomy and visibility of compliance is integral to the integrity and sustainability of an organization’s employees and business strategy. Compliance blends a rules-based approach with a values-based approach to reconcile ethical expectations with legal obligations and technical requirements.

Professionals who work with interpreting legal and regulatory guidance and implementing these into business practices will likely recognize the acronym “GRC.” GRC stands for governance, risk management, and compliance. This umbrella term integrates these functions to describe the operational activities undertaken by an organization to execute plans, manage risk, and encourage integrity.

The GRC model refers to process themes, not necessarily functional units of an organization. Indeed, the three themes of GRC may be included in operational tasks and across numerous independent departments, including HR, finance, IT, audit, and at the board level, in addition to the obvious areas such as risk, legal, and compliance.

GRC can be seen as a discipline that seeks to coordinate the flow of information and ownership of risk so that the activities and processes it encompasses are effectively and efficiently incorporated. As organizations become bigger, this discipline becomes all the more important for keeping channels of communication open and clear, both up and down silos as well as across business areas.

Ethical decision-making thrives in an integrated system where objectives are clearly expressed and information-sharing is transparent and relied-upon. Elevating a coordinated GRC discipline can foster a communication regimen in an organization where reasonableness and feedback rather than heuristics and routine dominate. Equity and integrity can thrive if actions are taken openly and cooperatively rather than in isolation.

In the ever-changing regulatory landscape of modern business, it is so important that an organization’s GRC activities be coordinated so that work is not duplicated or wasted and gaps are filled rather than passed over with tunnel vision. These functions share stakeholders and objectives, and therefore should share information to maximize meaningful impact and minimize redundant effort.

The basic concepts of the GRC approach are all useful for a compliance officer or other professional to consider:

  • Governance: This refers to the management control framework used by an organization’s senior leadership, relying on management information from across the organization in order to direct and control the overall strategy and operation of an organization. This concerns major existential questions for the organization, such as – what are the roles of leaders at all levels? What are the reporting mechanisms and what checks and balances exist for these? How does business strategy translate into directions to various business units and how are these instructions communicated to employees? Having an informed perspective on the organization’s governance objectives is very important for a compliance officer because this gives insight to the tone at the top and the mechanism through which these critical values become concrete practices.
  • Risk management: Risk management is the identification, assessment, and response to risk factors which may have an impact on an organization’s activities. This also includes considering risks which do not have an impact and ascertaining that this evaluation remains correct and current as fluid business objectives and conditions may change. All organizations are subject to some risks, such as operational risk, technological risk, and financial risk, while others may be determined by the industry in which they operate, such as market risk, liquidity risk, political risk, third-party risk, and product-specific risks. Risk management entails planning and implementing controls in order to address these risks, either by mitigating them, changing strategy or practice to eliminate them, accepting them, or transferring them to a service provider or partner who is positioned to best respond to them. Legal, legislative, and regulatory risks are of particular interest to compliance officers, as are compliance-centric risks such as reputational risk. Compliance officers should take risk identification and assessment well into account when planning compliance program objectives so that these can be fine-tuned to the emergent and most important needs the business faces in this area.
  • Compliance: Of course, staying in good standing with supervisory authorities and ensuring that business practices and procedures meet standards and requirements set by external laws and regulations, as well as internal policies and procedures, ensures that the work done in governance and risk management activities is properly directed and sufficiently supported. An on-going assessment and prioritization of the compliance program’s effectiveness and appropriateness is necessary to ensure that the controls in place are up-to-date and working as intended.

The themes above are all germane to the objectives of a compliance program and can be referred to in seeking buy-in from senior management or supervisory board members, with whom ultimate responsibility for establishing and executing these systemic processes rests.


Appealing to Myers-Briggs dichotomies in compliance communications

The Myers-Briggs Type Indicator (MBTI) is a set of personality types that categorizes individuals’ experiential preferences. The MBTI has become very popular for use in business settings, for managers to determine how to develop employees or build teams as well as for individuals to analyze their own way of working and define their particular world view and tendencies in interacting with others, based on these preferences.

The MBTI classification system is fundamentally based upon the presumption that humans have four main psychological functions, or dichotomies, through which they view the world. These are thinking (T), feeling (F), sensation (S), and intuition (N). Thinking and feeling are the functions people rely upon for judgment in decision-making. Sensation and intuition describe how people perceive new information. Taken together, one of these four functions will be naturally dominant for each person the majority of the time.

Added to these functions are people’s attitudes, expressed by the terms introversion (I) – a preference to operate internally, focused on reflection and ideas – and extroversion (E) – a preference to operate externally, focused on behavior and people. This relates to how people prefer to live their “outer lives” and is not necessarily as simple as defining a person as “shy” or “outgoing” but looks deeper into how people get or spend their energy and whether their information-processing, personal focus, and pace is determined inward or outward.

Finally, the MBTI also incorporates lifestyle preferences, identifying that people have preference for using either the judging (J) functions (thinking or feeling) or the perceiving (P) function (sensation and intuition).

These eight psychological functions and preferences – four sets of two each – can be mixed and matched among each other in different combinations, resulting in the sixteen distinct MBTI “personality types.” In any given group there is likely to be some mix of these types, sometimes more diverse than others. Each type brings with it some indications of how the person may behave in an individual or collective setting. Therefore understanding the elements of these different types can be useful in fine-tuning messaging to have maximum appeal to one, some, or all of them.

Based on the above, there are four dichotomies to the MBTI. In each dichotomy, individuals select from two letters (T for thinking versus F for feeling, for example) the one which most accurately, if not completely, depicts their personality type. The differences between these four dichotomies are important to understand and useful to take advantage of in tailoring communication across organizational levels to raise compliance awareness.

  1. Introversion (I) or Extroversion (E): Preference for Introversion suggests an inward focus, with more contemplation and observation in learning or gathering information. I types would enjoy e-learnings, reading guidelines and policies, or other self-paced activities. Preference for Extroversion, on the other hand, indicates a suitability for fast-paced outward focus. These are the eager participants in dilemma sessions or group trainings who like to work with others and develop their ideas out loud, getting energy from quick progress of talking through learning materials.
  2. Sensation (S) or Intuition (N): Preference for sensation means that concrete, practical information will be the most appealing to these individuals. Communications should use clear and literal descriptions based in reality. Those who prefer intuition, on the other hand, may be more likely to dream about what could be rather than what is. Contemplating business cases and dilemmas would be fun and enjoyable for them.
  3. Thinking (T) or Feeling (F): Those who lean toward Thinking will respond to decision-making that promotes rationality and justice. A rules-based approach to communicating compliance principles will evoke their sense of reason and equity and make the objectives relatable. On the other hand, people who prefer Feeling will benefit from a values-based approach. Playing up personal morality and situational empathy is more effective for them.
  4. Judging (J) or Perceiving (P): Judging is aligned with a preference for planning and methodical assessment. These people will be convinced of the value of a compliance program by, for example, formal risk inventories and control framework evaluations, and coordinated, long-term implementation plans with steps and phases for their goals. People who prefer Perceiving, on the other hand, need a flexible view. This is challenging to reconcile with fixed rules and regulations, but offering creative approaches to those can be an engaging possibility.

For more information on the MBTI and its four dichotomies, check out this handy interactive chart.


The five branches of ethics as applied to compliance principles

Compliance and ethics are related but separate disciplines. In a professional setting each one relies heavily upon the principles and practices of the other, while still maintaining its own distinct character.

Compliance concerns not necessarily the intuitive or collective ideas about right and wrong, nor the legal bright lines about what is permissible or prohibited, but rather the decision points between all of these. The function of compliance in a practical sense is to adjust or create conditions to choices in order to analyze or bridge the gap between good and bad, yes and no. In compliance, ethics provides the values-based approach, while the legal and regulatory guidance provides the rules-based approach. The work of the compliance professional is to attempt to reconcile the two and in that work create a second set of connections, this time between that which is legally acceptable or not, and that which is deemed ethically appropriate or not.

Very simply put, ethics, on the other hand, refers to the standards of behavior by individuals or organizations and the moral principles governing the conducting of an activity by the same. This is a values-based approach to “right” and “wrong,” or what is good for people and the society in which they live and work. The concept of right and wrong behavior is fundamental to ethics and acts as a systematic discipline in order to guide decisions on how to act.

Ethics draws its foundations from five branches, each one of which is useful to inform a practical and disciplined perspective for a corporate compliance program.

  • Normative ethics contemplates the questions which arise in considering how one should act morally, in line with the norms and expectations of society or of the community/organization in which the actions are taken. What are the different interests at stake and what are the potential consequences and outcomes of the possible actions to be taken? This view is very helpful in ethical decision-making and in designing defense strategies to encourage identifying and choosing good decisions while discouraging and removing incentives or rationales for bad decisions.
  • Meta ethics focuses on what morality actually is and means – in general as well as in context. This involves the careful analysis of the level of understanding about moral considerations as well as an analysis of the situational status and scope of it. This approach is imperative for defining a values-based culture and corresponding corporate identity and business strategy. These values must be organic and intrinsic from the beginning in order for them to truly embed as genuine. If they are imposed upon the business culture with no respect for what original standards were set for the organization at its inception, then a values-based approach to a culture of compliance will not permeate the company’s actions – customer service, product design, hiring and retaining employees – and a strong tone at the top cannot succeed.
  • Applied ethics goes in-depth into the practicality of really using ethical theory in order to analyze actual moral issues in both private and public life. The practical skills inherent for this discipline are incredibly useful for creating the dialogs that support compliance awareness. Taking a critical look at real-life moral issues that would be encountered in one’s personal time or on an everyday basis at work is a very useful way to get comfortable with approaching ethical dilemmas. Dilemma analysis and discussion is key for encouraging a robust culture of compliance at all organizational levels.
  • Moral ethics is the philosophical area of ethics that centers on defining, choosing, and suggesting behavior with classifications of “right” and “wrong” in mind. This practice is the most directly influential in determining standards and expectations for conduct. Elevating moral conduct by clearly defining it as a corporate cultural norm is imperative for encouraging employees to value it as such as well. Senior leadership should genuinely demonstrate this as well, acting as good conduct role models to embody the cultural values and categorizations for understanding the difference between right and wrong and making good choices within that dichotomy.
  • Finally, descriptive ethics is the study of attitudes of individuals or groups of people aimed at characterizing and understanding their beliefs. The objectives of this branch of ethics are very important for compliance risk management because they help to expose heuristics and routines in play that may encourage or hinder ethical decision-making and the cultivation of strong compliance themes within the corporate values. This is crucial for providing positive support for organizational and employee integrity.

Given the above, there are great affinities between the principles of ethics and those of compliance. The two disciplines share prolifically in their application in life in general and specifically in the workplace. It is very useful for compliance professionals to have some foundation in the discipline of ethics and an understanding of the practical application of its system of principles.


Using ethical dilemmas for creating a compliance training dialog

For effective compliance training, learners must be prepared to discuss and challenge dilemmas independently and with others. The details of specific policies, directives, and regulations can quickly become very dry and irrelevant, whether the audience is made up of compliance officers, senior managers, or new starters. To prevent topic fatigue and keep important compliance training vivid and engaging for those attending awareness sessions, it is important to encourage discussion. An active participant will think, care, and learn more than one who is just watching the clock for the end of the program.

One way to spark discussion that can be employed at all levels is using ethical dilemmas. This is effective either as a stand-alone program, where attendees are introduced to ethical dilemmas and spend time in groups discussing their ideas and views, or as an icebreaker to a content session, to grab the audience’s attention and test their knowledge from the beginning. This can provide an approach to then thinking about the practical handling of compliance subjects which is both easy and enjoyable.

Considering and responding to ethical dilemmas helps learners to build fluency with ethical decision-making and evaluating potential conflicts of interest, especially in balance with their own possible interests. Giving meaning to the impact of behavior and choice is significant for establishing cultural values that emphasize individual responsibility and integrity. Dilemma analysis involves several simple but thought-provoking steps following the prompt:

  • What is the ethical question?
  • What personal values are relevant in considering this ethical question?
  • Who are the parties with interests in this dilemma?
  • What are their interests and how do they conflict?
  • How can the ethical question be answered and what are the potential consequences?
  • What is the decision in response to the ethical question?
  • Is the choice that came from the decision-making process of the dilemma possible/practical to do in light of all considerations and consequences?

Ethical dilemmas used as such for prompts in compliance training should be universal and straightforward. In general, dilemmas used to teach this style of thinking to beginners or to instigate audience participation at the start of a session should not focus on specific employee responsibilities or business functions. For very advanced and targeted audiences it may be acceptable to give an anonymized example of a dilemma they may come across in their work, but for the most part, daily life dilemmas are more relatable and more fun to discuss, regardless of the experience level of the participants.

Some examples of simple dilemmas that can be analyzed as described are:

  • You are meeting some friends at a standing-room-only concert and arrive late. As you approach the venue you walk past your friends, who got there early and are waiting near the front of the line. They tell you they have been there for almost two hours and invite you to join them where they are in the line, even though the end of the line is very far behind them.
  • Your company has been considering some wellness initiatives to offer to employees as benefits but hasn’t contacted any providers yet. Your roommate just finished yoga teacher training and wants to get experience as a corporate instructor.
  • You are taking an exam after studying hard for days to prepare and attending every class the entire term. However, you woke up this morning with a terrible cold and can’t focus. You know the professor will not allow a rescheduled or make-up test. There is no proctor in the room and you have all of your course material with you.
  • You and your partner have a joint bank account where you are both named. Your partner is one week into a two week trip abroad when a letter comes from the bank. You have to fill out and return a form with both your and your partner’s signatures. If you don’t return the form within two business days you will not be able to use your credit card.
  • You are taking your relative to an urgent doctor’s appointment. The parking lot is quite busy but all three of the parking spots designated for disabled drivers are empty. Your relative has no problem walking, but you are already five minutes late for the appointment.

Choosing simple prompts like the ones suggested above will allow the learners to be more creative and perhaps even to engage in discussion among themselves. The facts may be straightforward, but the huge array of perspectives and outcomes that people can suggest is always impressive. By keeping the dilemma prompt at a level everyone can understand regardless of his or her own background and initial interest, the dialog can be truly inclusive. This allows the person who is running the training session to fall into the role of a true facilitator, which offers the enriching experience of watching individuals converse organically on these provocative questions.


Communication strategies for increasing employee engagement in compliance programs

Every compliance professional’s strategic annual plan will include seeking increased employee engagement in and attention to the organization’s compliance program. Communication strategies must be carefully devised with the goal of making compliance vivid and interesting to employees. The compliance message can quickly become routine and dry: sign an attestation, request pre-approval, complete a checklist. This sort of messaging alienates employees rather than engaging them. Handled this way, they play only a small part in compliance operations. Nothing is learned or shared; they are just doing a “tick the box” type exercise.

Instead, the true aspiration of the compliance messaging is that employees take interest, learn something new, ask questions, and feel connected to the story of the organization’s compliance program. This is accomplished via effective and appealing communication that speaks to all audiences and sets a new, compelling tone.

  • Key moment messaging: Compliance is highly relatable to current events and news stories. Therefore compliance communications should take full advantage of key moment messaging opportunities. Relate communication topics to outside events to make the objectives of the compliance program even more concrete. For example, if there is a major earthquake somewhere in the world and your office is located in Southern California, take that opportunity to engage with employees about disaster recovery and business continuity policies and procedures. Their interest will already be heightened and the necessity of the information will be at its most tangible.
  • Positive reinforcement: Start with a kudos, congratulations, or positive sentiment. Any action that needs to be taken or improvement that needs to be made based upon the communication will be much better received if the message gets off to a welcoming start. Set a productive tone by thanking employees for their participation in the last request or calling out good insights or high engagement. Then build off that encouragement to bring in the next steps needed and issue the call to action.
  • Branding: Branding and marketing are now important considerations across all business lines and functions. Compliance is not immune to this, as messages from so many sources fight among themselves for precious attention and airtime from employees. Therefore compliance professionals must carefully consider branding options that will maintain the substantive content of their communications yet be adequately branded to be appealing. Using humor or a catchy, fun theme to introduce the communication, before getting to the meat of the message, can provoke curiosity and prompt engagement. Don’t take it too far and make it a joke – but a little bit of amusement can go a long way.
  • Give visuals/shortcuts: On a similar note, think about making simple takeaways from the communication, however complex its overall message. One way to do this is to provide a visual, like an example of a new form that has to be filled as standard procedure, or a chart showing results on an initiative over previous periods and projected future results. If a visual is not applicable, try using acronyms or slogans that will work as mnemonics to help people remember your message and keep the meaning in mind.
  • Make it interactive: The best way to engage employees in compliance communications is to concretely incorporate them in it. Make the messages interactive for them. Ask an open-ended question and promote any responses received so that employees know the request for input is credible. Take a poll or offer a quiz. This way, employees can share in the mission and the effort by weighing in themselves, which allows them to personalize the message and be more likely to remember it.

To interest and appeal to all employees, compliance communications should not be generic or routine. Taking advantage of opportunities to make compliance relatable, and capitalizing on human interest or emotional connections that can be made, will help to make the mission of the compliance program much more interesting and effective.


Key compliance culture values for promoting employee integrity

Employee integrity is the cornerstone value for establishing organizational integrity, and therefore for the success of any compliance program. As fundamental as employee integrity is, it is also complex, elusive, and affected by a huge array of factors and influences. Perceptions and biases can defeat individual intentions for ethical behavior. External forces on the decision-making process and the impact of management in a complicated organizational structure and business world can defeat incentives for integrity and honesty.

What can a compliance program do to address the need for employee integrity in a world which presents so many obstacles and hindrances to developing and maintaining this trait? Compliance professionals should be the organizational standard bearers for encouraging good people to do good things and limiting the opportunity for the occasional bad person to do bad things. This message can be very simple and should focus on reinforcing positive perceptions of corporate values and leadership expectations so that employees aspire to model their own character within this framework.

  • Openness: Transparency and honest, active communication are crucial to the success of a compliance program. Employees must see that openness of communication and transparent reporting and sharing are highly valued. Open communication is directly linked to reduction of reputational risk and perceptions of greater honesty. Establishing a culture where employees feel it is encouraged or expected to speak up and speak out requires management to be meaningfully open, accessible, and relatable. In an environment where employees feel that all behavior and performance can be discussed openly, they will also be aware that it will all be noticed, and therefore will feel positive pressure to meet best expectations for integrity.
  • Clarity: Clarity of expectations and perceptions is essential for a culture of integrity. As with all objectives for compliance culture at an organization, norms and values must be clear and consistent across all employee populations. Communicating different or confusing messages, or giving information that affects everyone to only some people and leaving the others to hear it indirectly, is disastrous for imbedding ethical traits in an organization. Clarity promotes understanding and discussion, both of which are necessary for employees to take up the cultural objectives of the organization as their own.
  • Leadership: Tone at the top is just the first step. Leadership should be encouraged as a professional competency at all levels of the organization, so that advocacy for the compliance culture can take root everywhere. Employees need to see leaders speaking up about the importance of integrity, but they individually also need to feel they are in a position to speak up themselves, and will be looked upon as vested with responsibility for their own integrity and choices in everyday ethical dilemmas.
  • Trust: Trust is the simplest factor for encouraging integrity in organizations, and indeed in all interactions and relationships, and it is also one of the most difficult and fraught qualities to meaningfully establish and maintain. Trust is constantly threatened and questioned. It cannot be given automatically and still have meaning, but it must be given confidently and with the expectation that it will be received in return. Investments in mutual trust cannot be forced or demanded. The pain of having colleagues or managers who are not trustworthy can cause deep damage in teams and organizations and impede individual development. The only solution to this is to see trust as a reward and an ongoing evaluation, and to embrace frank and open dialogs which can help to resolve prior mistrust and discourage future violations.
  • Engagement: Engagement discussions usually focus on employees, but the quest for achieving it starts with management. Employees should see that management follows up, takes integrity seriously by individually espousing all the values, responds visibly to problems and complaints, and confronts issues boldly and confidently. Management engagement in the compliance culture should embrace professional skepticism and pursue public accountability. When employees see this, then they are empowered in turn to engage with their direct managers, peers, and direct reports to have discussions about integrity matters and to demonstrate all the traits that support ethical decision-making.

Modelling the key values of a compliance culture to create strong organizational drivers for integrity should be the focus of the conduct objectives of every compliance program. The fundamental message should be that performance and behavior linked to demonstrating integrity will be encouraged and appreciated.


Creating employee awareness for cybersecurity risk management

Cybersecurity is one of the major risk areas for businesses of all sizes and a frequent examination and enforcement priority for regulators. The challenges posed by cybersecurity are diverse and serious – data privacy, breaches of sensitive customer or employee information, business continuity, reputational risk due to information leaks or data loss, physical and financial damage to IT network or infrastructure, and more.

Addressing these threats posed by possible cyberattacks or security weaknesses is very important for organizations, but all protective measures rely upon engagement of employees in accomplishing this objective. Obtaining this engagement requires effective communication to employees to raise their awareness and encourage their understanding of the daily objective at hand.

  • Make relevant policies accessible, relatable, and easy to understand: In order for employees to understand their responsibilities in a cybersecurity program, the governing policies and procedures must be simple and straightforward. The policies should be easy to locate on the organization’s intranet or in the policies manual or employee handbook. They should be written in plain English and provide the essential information and guidance necessary for employees to understand what they must do to protect the company and themselves. Individual objectives and obligations should be highlighted and reinforced by line managers.
  • Connect cybersecurity program to stakeholder commitments: For all employees who are not IT professionals, the risks inherent to and controls necessary for cybersecurity may seem abstract. However, there are fundamental organizational values which can be concretely attached to the objectives of a cybersecurity program. Taking the privacy of customer and/or employee data seriously is not an esoteric concept; this is important to every employee on a personal level. Being trustworthy and transparent about this goal, likewise, is something everyone can support for the good of the organization. Establish a connection between the goals of the cybersecurity program and the company’s stakeholders such as customers, business partners, and regulators/supervisors. Emphasizing these duties will enable employees to see how important cybersecurity controls are to those relationships.
  • Set expectations for personal responsibility: As with all compliance risk topics, the tone at the top is critical to establishing the mood in the middle and the buzz at the bottom. Employees will not prioritize a topic unless leadership clearly and sensibly advocates for its importance. Senior management should express that each person working in an organization has individual accountability for protecting the company from cybersecurity risks and attacks. An employee’s responsibilities may seem minor or not worth publicizing, but these practical measures are often the most fundamental in keeping the organization’s IT systems secure.
  • Emphasize conduct and basic good practices: Every compliance program begins at the beginning. The building blocks of security protections must be strong starting at the most fundamental measures. Advanced protocols and encryption methods are not the message to take to the general employee population. Rather, focus on their own individual conduct and best daily practices, such as caution with data handling to avoid human error like inadvertent e-mails or lost devices and files. It is imperative that the workforce understands and takes responsibility for managing these simple, widespread risks from their own behavior.
  • Publicize successes and take action on failures: The organizational message of open seriousness about cybersecurity risks should be consistent. When there are successes – such as proactive identification and remediation of a security weakness without a data breach, or improvement in employee conduct around reporting phishing emails – publicize them and discuss them. Positive reinforcement is key. However, when there are failures – such as the detection of an unauthorized intrusion or a string of employees losing laptops and flash drives – then these too should be communicated broadly and acted upon promptly. In this case it is not negative reinforcement but rather directed analysis to improve in the areas which current evidence shows need the most work.

With the broad landscape of cybersecurity risks in view, and the methods and objectives of cyberattackers evolving continually, control frameworks for cybersecurity will remain an ongoing project in compliance programs. Creating and maintaining basic employee awareness of and sensitivity to these risks is crucial to ensure that all other controls can be as effective as possible.


Compliance practices for encouraging whistleblowers

Whistleblowers are people who speak up to expose information or activities indicating wrongdoing by individuals, departments, or organizations. They may reveal this information internally, such as to a supervisor or to a designated business unit or hotline. They may also reveal it externally, such as to regulators, supervisors, or the media. Corporate cultures should enable employees to have the courage and compulsion to act as whistleblowers in situations where it may be necessary.

  • Set clear expectations for conduct: The most ethical corporate culture is one that has clear values and norms which can be expressed and reinforced at all levels. A culture in which expectations about employee and organizational integrity are expressed openly and referred to in justifying business decisions is a culture where employees will also be comfortable challenging behavior and choices which appear to fall outside of those expectations. An organization’s culture should be openly intolerant of unethical behavior and explicit about the right processes and practices. This way, deviations can be easy to see for participants, and ethical blindness or responsibility shifting can be replaced with compliance awareness and individual accountability. People will have the confidence to speak up about wrongdoing if they are certain that they know and believe in what the right action should be.
  • Model speaking out from the top: The tone at the top is an important driver of whistleblowing. Employees should see that leadership also speaks up boldly against wrongdoing and admits to shortcomings or omissions. Senior management and/or supervisory board members should be visibly engaged in seeking to prevent, identify, and correct inappropriate conduct and practices. If employees see that those at the top of the organization are reinforcing the cultural principle of exposing problems, then they will respect the necessity of this role and be empowered to take it seriously.
  • Facilitate ease of access to reporting: A major reason why employees do not take action is because they do not know how. All employees should be provided with information about whistleblowing procedures and given the opportunity to ask questions and check understanding, including discussing dilemmas, about when whistleblowing would be appropriate or applicable. It is also imperative that the mechanism for the whistleblowing, once the employee endeavors to do so, is accessible and publicized. If there is a hotline, a dedicated mailbox, or a specific person to reach out to, then employees should be able to find and follow the procedure without being discouraged by undue difficulty of the process.
  • Provide active feedback: People will not act as whistleblowers if they believe nothing will come of their reporting. Organizations must actively recognize people who come forward and keep them as informed as possible of steps that are being taken. Employees must know that if they step up to report an issue, they will be listened to meaningfully and that the appropriate people will take action. Constructively listening to the person who is whistleblowing is the first necessary step. Then, the employee should be kept informed of what will follow and, once any investigations are complete, the outcome. This way the employee knows that taking on the responsibility and risk of stepping forward will be attended to with the appropriate seriousness.
  • Control against retaliation: Most importantly, whistleblowers should be protected and shielded from recrimination. While false claims or dubious motivations need to be discouraged, genuine whistleblowers who wish to reveal and stop harmful business practices should not be punished. In order to enable people to come forward as whistleblowers, organizations must adequately reassure employees that they will not face termination, demotion, harassment, or other mistreatment in response. Corporate cultures must forbid professional retaliation in any form in order to create an environment where an employee with evidence of unethical or fraudulent business practices could step out as a whistleblower.

The role of the whistleblower is extremely important in raising the legal, ethical, and compliance standards of organizations. Having a corporate culture in which this reaction to wrongdoing is promoted is, in and of itself, crucial for developing a controls framework which prevents and addresses misconduct effectively.