Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Appealing to Myers-Briggs dichotomies in compliance communications

The Myers-Briggs Type Indicator (MBTI) is a set of personality types that categorizes individuals’ experiential preferences. The MBTI has become very popular for use in business settings, for managers to determine how to develop employees or build teams as well as for individuals to analyze their own way of working and define their particular world view and tendencies in interacting with others, based on these preferences.

The MBTI classification system is fundamentally based upon the presumption that humans have four main psychological functions, or dichotomies, through which they view the world. These are thinking (T), feeling (F), sensation (S), and intuition (N). Thinking and feeling are the functions people rely upon for judgment in decision-making. Sensation and intuition describe how people perceive new information. Taken together, one of these four functions will be naturally dominant for each person the majority of the time.

Added to these functions are people’s attitudes, expressed by the terms introversion (I) – a preference to operate internally, focused on reflection and ideas – and extroversion (E) – a preference to operate externally, focused on behavior and people. This relates to how people prefer to live their “outer lives” and is not necessarily as simple as defining a person as “shy” or “outgoing” but looks deeper into how people get or spend their energy and whether their information-processing, personal focus, and pace is determined inward or outward.

Finally, the MBTI also incorporates lifestyle preferences, identifying that people have a preference for using either the judging (J) functions (thinking or feeling) or the perceiving (P) functions (sensation or intuition).

These eight psychological functions and preferences – four sets of two each – can be mixed and matched among each other in different combinations, resulting in the sixteen distinct MBTI “personality types.” In any given group there is likely to be some mix of these types, sometimes more diverse than others. Each type brings with it some indications for how the person may behave in an individual or collective setting. Therefore, understanding the elements of these different types can be useful in fine-tuning messaging to have maximum appeal to one, some, or all of them.

Based on the above, there are four dichotomies to the MBTI. In each dichotomy, individuals select from two letters (T for thinking versus F for feeling, for example) the one which most accurately, if not completely, depicts their personality type. The differences between these four dichotomies are important to understand and useful to take advantage of in tailoring communication across organizational levels to raise compliance awareness.

  1. Introversion (I) or Extroversion (E): Preference for Introversion suggests an inward focus, with more contemplation and observation in learning or gathering information. I types would enjoy e-learnings, reading guidelines and policies, or other self-paced activities. Preference for Extroversion, on the other hand, indicates a suitability for fast-paced outward focus. These are the eager participants in dilemma sessions or group trainings who like to work with others and develop their ideas out loud, getting energy from quick progress of talking through learning materials.
  2. Sensation (S) or Intuition (N): Preference for sensation means that concrete, practical information will be the most appealing to these individuals. Communications should use clear and literal descriptions based in reality. Those who prefer intuition, on the other hand, may be more likely to dream about what could be rather than what is. Contemplating business cases and dilemmas would be fun and enjoyable for them.
  3. Thinking (T) or Feeling (F): Those who lean toward Thinking will respond to decision-making that promotes rationality and justice. A rules-based approach to communicating compliance principles will evoke their sense of reason and equity and make the objectives relatable. On the other hand, people who prefer Feeling will benefit from a values-based approach. Playing up personal morality and situational empathy is more effective for them.
  4. Judging (J) or Perceiving (P): Judging is aligned with a preference for planning and methodical assessment. These people will be convinced of the value of a compliance program by, for example, formal risk inventories and control framework evaluations, and coordinated, long-term implementation plans with steps and phases for their goals. People who prefer Perceiving, on the other hand, need a flexible view. This preference is challenging to adapt to fixed rules and regulations, but offering creative approaches to them can be an engaging possibility.

For more information on the MBTI and its four dichotomies, check out this handy interactive chart.


Creating employee awareness for cybersecurity risk management

Cybersecurity is one of the major risk areas for businesses of all sizes and a frequent examination and enforcement priority for regulators. The challenges posed by cybersecurity are diverse and serious – data privacy, breaches of sensitive customer or employee information, business continuity, reputational risk due to information leaks or data loss, physical and financial damage to IT network or infrastructure, and more.

Addressing these threats posed by possible cyberattacks or security weaknesses is very important for organizations, but all protective measures rely upon engagement of employees in accomplishing this objective. Obtaining this engagement requires effective communication to employees to raise their awareness and encourage their understanding of the daily objective at hand.

  • Make relevant policies accessible, relatable, and easy to understand: In order for employees to understand their responsibilities in a cybersecurity program, the governing policies and procedures must be simple and straightforward. The policies should be easy to locate on the organization’s intranet or in the policies manual or employee handbook. They should be written in plain English and provide the essential information and guidance necessary for employees to understand what they must do to protect the company and themselves. Individual objectives and obligations should be highlighted and reinforced by line managers.
  • Connect cybersecurity program to stakeholder commitments: For all employees who are not IT professionals, the risks inherent to and controls necessary for cybersecurity may seem abstract. However, there are fundamental organizational values which can be concretely attached to the objectives of a cybersecurity program. Taking the privacy of customer and/or employee data seriously is not an esoteric concept; this is important to every employee on a personal level. Being trustworthy and transparent about this goal, likewise, is something everyone can support for the good of the organization. Establish a connection between the goals of the cybersecurity program and the company’s stakeholders such as customers, business partners, and regulators/supervisors. Emphasizing these duties will enable employees to see how important cybersecurity controls are to those relationships.
  • Set expectations for personal responsibility: As with all compliance risk topics, the tone at the top is critical to establishing the mood in the middle and the buzz at the bottom. Employees will not prioritize a topic unless leadership clearly and sensibly advocates for its importance. Senior management should express that each person working in an organization has individual accountability for protecting the company from cybersecurity risks and attacks. An employee’s responsibilities may seem minor or not worth publicizing, but these practical measures are often the most fundamental in keeping the organization’s IT systems secure.
  • Emphasize conduct and basic good practices: Every compliance program begins at the beginning. The building blocks of security protections must be strong starting at the most fundamental measures. Advanced protocols and encryption methods are not the message to take to the general employee population. Rather, focus on their own individual conduct and best daily practices, such as caution with data handling to avoid human error like inadvertent e-mails or lost devices and files. It is imperative that the workforce understands and takes responsibility for managing these simple, widespread risks from their own behavior.
  • Publicize successes and take action on failures: The organizational message of open seriousness about cybersecurity risks should be consistent. When there are successes – such as proactive identification and remediation of a security weakness without a data breach, or improvement in employee conduct around reporting phishing emails – publicize them and discuss them. Positive reinforcement is key. However, when there are failures – such as the detection of an unauthorized intrusion or a string of employees losing laptops and flash drives – then these too should be communicated broadly and acted upon promptly. In this case it is not negative reinforcement but rather directed analysis to improve in the areas which current evidence shows need the most work.

With the broad landscape of cybersecurity risks in view, and the methods and objectives of cyberattackers evolving continually, control frameworks for cybersecurity will remain an ongoing project in compliance programs. Creating and maintaining basic employee awareness of and sensitivity to these risks is crucial to ensure that all other controls can be as effective as possible.


Compelling arguments to encourage business buy-in on compliance training

It is essential in all industries and job functions that employees act with integrity and in compliance with applicable rules and regulations, and this must be supported with adequate training. However, a common challenge for compliance professionals concerns how to successfully and sustainably convince senior business management to invest in and support compliance training as a priority. Regulatory changes and enforcement actions, and the necessity for ethical decision-making in the regular course of business, show us that compliance awareness should be valued. Amidst the pressures of commercial activities, changing marketplaces and political environments, and time-sensitive daily necessities, though, training on compliance topics may not always seem urgent. However, there are important incentives which can be emphasized to business partners to encourage their buy-in on this critical training.

  • Compliance training fosters prized employee engagement and encourages transparency, which is necessary to mitigate reputational risk and enable whistle-blowers. Knowledge is power, and training empowers employees to use their understanding of the regulations and policies to show good conduct and to understand the importance of acting in compliance with regulations and policies, as well as the impact of unethical behaviour and the necessity of identifying and escalating misconduct where it occurs.
  • Once emboldened with knowledge by training, employees can take compliance topics forward into discussions and practical applications. Clarity and ease of discussion are important drivers of employee integrity. Simply put, individuals must first understand what they could do in order to follow a policy or regulation, before they can be asked to make a good choice in support of this. Libertarian paternalism suggests governance structures could affect behavior positively by influencing options available to deciders without disrespecting freedom of choice. Adequate training informs this approach, so that individuals have clarity and the ability to talk, ask questions, and work through scenarios in order to develop their own mental muscles on compliance topics on an everyday basis.
  • Employee awareness of compliance risk stimulates business management to act and react, creating a robust tone at the top. Senior management can be encouraged to contribute to a culture of compliance by a version of the “warm-glow” effect. Their buy-in is supported by an egoistic motivation derived from acting as role models to the employees they lead – a positive feeling that comes from being admired and adulated as an example. Employees who are actively informed about the values of compliance, ethical decision-making, and integrity will look for accountability and responsiveness from their leaders. When employees expect and emphasize this, management teams are enabled to reward good conduct and sanction misconduct, taking visible and precedent-setting action to recognize both.
  • The subject matter of compliance training is mostly accessible to employees at all levels. While some topics are more technical or demand a more academic approach to regulations and practices, the vast majority of compliance topics – to name a few, conflicts of interest, insider trading, information handling, money laundering and sanctions, anti-bribery, code of ethics – are, at least on an introductory level, practical and interesting to discuss without any prerequisite knowledge from the employees. In the post-2008 financial crisis world, many people have a good layperson’s understanding of these general concepts from the news. They even often have a desire to increase awareness and discuss these topics, but they need familiarity first. Basic sessions can give employees a first look, so that they are prepared to discuss with their colleagues and managers, while subsequent advanced sessions can develop comfort and expertise.
  • Targeted training on compliance topics helps to normalize expectations of risk ownership in an increasingly complicated regulatory and legal environment. Many employees may be open to challenging their ideas about their business practices that originated in the less comprehensive regulatory and legal landscape of the past, but they must be convinced to make compliance a daily consideration in their work. If they are not fluently aware of compliance concepts, then they may feel overwhelmed. This gives them the impression that either they are expected to be compliance officers themselves in addition to their regular tasks or that interaction with Compliance can only be a “tick the box” exercise. Neither outcome is desirable, yet both can be overcome by raising awareness and therefore promoting relevance.

The overall impression from the foregoing is that visibility with business partners is crucial for the compliance advisory function to succeed. All compliance professionals should seek to build relationships and interact on these compelling yet challenging topics in order to make them personally meaningful to business partners.