Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Corporate cultural change: Concise and accessible procedures

This is the fourth in a series of five posts suggesting best practices for implementing corporate cultural change.  For an overview of all the tips on this subject, check out this preview post.  The first post in the series was about tone at the top and conduct to support it. The second post discussed the role of consistent, visible enforcement in promoting organizational justice and fairness.  Last week’s post focused on the importance of putting concrete, values-based policies in place.  Today’s post will be about implementing procedures that are consistent with those policies.  Next week, on March 27, the fifth and last post in the series will suggest how compliance professionals can foster a culture where employees are effectively engaged in awareness and communication to combat risks and support controls.

Last week’s post focused on the importance of creating and implementing policies that sufficiently and authentically support systemic responsibility for reform and intention for improvement.  Just as the appropriate tone and conduct must be observed from the highest levels of the organization in order to support enforcement efforts in the event of misconduct and abuse, corresponding policies must follow in order for the cultural norms to thrive.

For the standards set by the policies to succeed, organizations must put in place procedures that dictate practices which are consistent with and supportive of them.

Creating and implementing concrete, values-based policies is critically important for organizations to demonstrate operational commitment to improvement.  In order to take material advantage of momentum for reform in the examples set at the top in both attitude and behavior, as well as to nurture the culture of compliance created to support organizational justice and fairness, the policies in place must formalize this all.

Corporate compliance professionals should seek to create and communicate procedures that include the following traits in order to support a culture of compliance and enable progress, encourage organizational integrity and moral engagement, and protect the vulnerable while punishing and preventing wrongdoing.

In order to accomplish this lofty goal, keep in mind “The 5 C’s” of procedures to implement for corporate cultural change:

  • Credible – Any procedure intended to prevent abuse, punish wrongdoing, and protect individuals must be believable.  Individuals asked to follow procedures must find them credible and believe that if faithfully executed, the risks and dangers they are intended to prevent or mitigate will be successfully addressed.  Regular review and the opportunity for ad-hoc adjustments, and transparency about the frequency and seriousness with which both of these tasks can be undertaken, will promote the believability and reliability of procedures.
  • Concise – It’s imperative that procedures are understandable by all.  They should not be so academic or theoretical that individuals using them struggle to know what they require and direct.  Concise procedures are practical ones.
  • Convenient – Convenience has two aspects with procedures: first, the ease of physical delivery and retrieval, and second, the quality of actual user experience.  Don’t put the procedures deep in the labyrinth of an intranet site or high on a shelf in a binder no one will ever open, and be sensitive to employees who may work remotely or with alternative accommodations.  Taking care of people who may not see e-mails or receive announcements at head office also allows compliance officers to “put a face to the name” and get some important personal contact with these individuals so that they know who to contact with questions and may feel more comfortable doing so.  The procedures also cannot be so burdensome in their steps or include so much complicated background information that they can’t be followed by the average reasonable employee.
  • Considerate of the audience – Further to concise, clear language in, and practical delivery of, the procedures, organizations should consider the audience fully in all stages of procedure provision.  The procedures should never be written and provided just to tick a box.  It’s so important to keep in mind that these are not just regulatory compliance obligations or requirements on a spreadsheet that must be completed.  Procedures must be used and relied upon by individuals.  Those audience members are the most important stakeholders and participants in the procedures, and drafting and implementing the procedures must be done with great intention toward being considerate of them as the top priority.
  • Constructive – In reliance on the foregoing posts, and above all other considerations, the efficacy of procedures is imperative to make them useful.  Therefore the procedures must be constructive and aimed toward encouraging and enabling the real processes and interactions that are necessary for reform.  The desired result is a positive, fair corporate culture where people can speak up and speak out as well as work together toward creating an organization which reflects their own values.

Check back next week, Monday March 26, for the final post in this series of five, which will suggest best practices for going beyond training, in order to create convincing and compelling employee education campaigns and communications.


Tips for improving employee accountability in compliance programs

The most ambitious culture of compliance paired with the most robust controls framework still cannot succeed without employee adherence. Employees who don’t know the correct thing to do, or those who make an unethical or non-compliant decision despite knowing, can be addressed with awareness communication in the first case or remedial action in the second case.

However, the more frequent and challenging scenario is that employees have received information about compliance risk management priorities and ethical culture at their organization. They understand this information well enough and maybe even admire the aims of the compliance program, but there’s a problem – they don’t see themselves as having an active role in it.

The best efforts of compliance programs will always be overcome by apathetic or unengaged employees who don’t see themselves as having personal compliance responsibilities. In cybersecurity, for example, the best IT systems with the most up-to-date risk controls structure will still be defeated by an employee who falls for a phishing scheme or leaves behind an unsecured laptop in a public place. Some mistakes are unavoidable, of course, just like some risks can only be mitigated or accepted. However, many other errors, acts of misconduct, or risk factors can be prevented with the appropriate individual vigilance and diligence.

So how can a corporate compliance program emphasize to employees that individual responsibility is the fundamental defense in any risk and control framework? Too many solutions from management or consultancy rely heavily on data solutions and systems approaches to addressing compliance risk. The logic goes: failures of existing compliance programs to prevent ever-evolving fraud and misconduct are unfortunately not unusual, so why not simply blame human misjudgment or incompetence for inadequate controls and therefore just automate processes whenever possible?

The above is a cynical and defeatist attitude toward corporate compliance; if management or its advisors decide that corporate compliance will fail, then it certainly will do so. However, removing the obstacles to individual responsibility is an important step to empowering organizational integrity. Outsourcing or digitalizing analysis and advisory work is an artificial, external solution. It may expedite or simplify some aspects of working with compliance risk management, but it cannot ever be as effective as a values-based approach that creates a corporate culture where good judgment and ethical decision-making are incentivized and supported.

Indeed the first, and probably best, solution for raising the standard of compliance programs and their controls is to promote employee engagement in these across all levels of the organization. This starts with individual accountability, which compliance professionals and senior management can nudge employees toward embracing in these ways:

  • Walk the walk: Senior management should weave a thread of the corporate cultural values throughout all matters that touch an employee’s working life. This needs to be consistent and visible. Communication should be simple and straightforward, practical and not preachy, but it should express and reinforce the cultural values. In HR matters, for example, transparency should be communicated and modeled. Employees must see the corporate cultural values explicitly expressed as they experience corporate administration across the organization. This brings the values from mere words to a living system in which they are participants.
  • Nudge with timely reminders: Regulatory, legal, and policy requirements change rapidly. Employees that are trained regularly should be respected for what they already know; heavy-handed instruction can be seen as condescending. However, reminders upon key messaging events (anniversaries, completion of investigations, or announcements of strategies) or updates when there are new guidelines or expectations are critical. These reminders can act as nudges toward appropriate behavior for individuals whose attention may have moved on or whose understanding was out of date.
  • Work against culture of fear: People often think about speaking up in the workplace in terms of following an internal escalation process or being a whistleblower. To some people, speaking up by challenging an established procedure or an experienced colleague may seem unprofessional or presumptuous. The possibility of being opposed or facing retribution can be very scary for employees who might want to express uncertainty or ask questions. Corporate compliance programs have a responsibility to create a culture where speaking up routinely is safe and supported. A relationship-based approach to business compliance advisory is a great first step toward combating the fear factor and helping employees to speak up to check understanding or challenge practices. Involved employees are more likely to be accountable ones.
  • Actively address accountability gaps: When it is evident that an employee or group of employees does not embrace accountability in compliance risk management, address it, but not punitively. Open discussion can be mutually beneficial. Take the opportunity to express that individual responsibility is expected, and also to listen to the limitations or uncertainties that may provide an explanation for why it’s missing.
  • Insist on consequences: Disciplinary action is never the intended outcome for any employee-management relationship. Ideally everyone would want to and be able to do the right things all the time, but clearly mistakes and misconduct happen. Good people/bad people dichotomies are classic but not necessarily helpful. In reality, it’s most important to establish from the beginning that consequences for doing the wrong thing exist and will be enforced fairly and meaningfully.

There will always be people in organizations who either are in need of training or resourcing attention (wanting to do the right thing but not being properly equipped) or people who are not cultural fits (wanting to do the wrong thing despite organizational priorities). Engaging these people where possible is critical, just as holding all others accountable for their actions and responsibilities is the frontline defense most important to compliance risk management.


Appealing to Myers-Briggs dichotomies in compliance communications

The Myers-Briggs Type Indicator (MBTI) is a set of personality types that categorizes individuals’ experiential preferences. The MBTI has become very popular for use in business settings, for managers to determine how to develop employees or build teams as well as for individuals to analyze their own way of working and define their particular world view and tendencies in interacting with others, based on these preferences.

The MBTI classification system is fundamentally based upon the presumption that humans have four main psychological functions, or dichotomies, through which they view the world. These are thinking (T), feeling (F), sensation (S), and intuition (N). Thinking and feeling are the functions people rely upon for judgment in decision-making. Sensation and intuition describe how people perceive new information. Taken together, one of these four functions will be naturally dominant for each person the majority of the time.

Added to these functions are people’s attitudes, expressed by the terms introversion (I) – a preference to operate internally, focused on reflection and ideas – and extroversion (E) – a preference to operate externally, focused on behavior and people. This relates to how people prefer to live their “outer lives” and is not necessarily as simple as defining a person as “shy” or “outgoing” but looks deeper into how people get or spend their energy and whether their information-processing, personal focus, and pace is determined inward or outward.

Finally, the MBTI also incorporates lifestyle preferences, identifying that people have a preference for using either the judging (J) functions (thinking or feeling) or the perceiving (P) functions (sensation or intuition).

These eight psychological functions and preferences – four sets of two each – can be mixed and matched among each other in different combinations, resulting in the sixteen distinct MBTI “personality types.” In any given group there is likely to be some mix of these types, sometimes more diverse than others. Each type brings with it some indications for how the person may behave in an individual or collective setting. Therefore understanding the elements of these different types can be useful in fine-tuning messaging to have maximum appeal to one, some, or all of them.

Based on the above, there are four dichotomies to the MBTI. In each dichotomy, individuals select from two letters (T for thinking versus F for feeling, for example) the one which most accurately, if not completely, depicts their personality type. The differences between these four dichotomies are important to understand and useful to take advantage of in tailoring communication across organizational levels to raise compliance awareness.

  1. Introversion (I) or Extroversion (E): Preference for Introversion suggests an inward focus, with more contemplation and observation in learning or gathering information. I types would enjoy e-learnings, reading guidelines and policies, or other self-paced activities. Preference for Extroversion, on the other hand, indicates a suitability for fast-paced outward focus. These are the eager participants in dilemma sessions or group trainings who like to work with others and develop their ideas out loud, getting energy from quick progress of talking through learning materials.
  2. Sensation (S) or Intuition (N): Preference for sensation means that concrete, practical information will be the most appealing to these individuals. Communications should use clear and literal descriptions based in reality. Those who prefer intuition, on the other hand, may be more likely to dream about what could be rather than what is. Contemplating business cases and dilemmas would be fun and enjoyable for them.
  3. Thinking (T) or Feeling (F): Those who lean toward Thinking will respond to decision-making that promotes rationality and justice. A rules-based approach to communicating compliance principles will evoke their sense of reason and equity and make the objectives relatable. On the other hand, people who prefer Feeling will benefit from a values-based approach. Playing up personal morality and situational empathy is more effective for them.
  4. Judging (J) or Perceiving (P): Judging is aligned with a preference for planning and methodical assessment. These people will be convinced of the value of a compliance program by, for example, formal risk inventories and control framework evaluations, and coordinated, long-term implementation plans with steps and phases for their goals. People who prefer Perceiving, on the other hand, need a flexible view. This is challenging to adapt to fixed rules and regulations, but offering creative approaches to those can be an engaging possibility.

For more information on the MBTI and its four dichotomies, check out this handy interactive chart.


Communication strategies for increasing employee engagement in compliance programs

Every compliance professional’s strategic annual plan will include seeking increased employee engagement in and attention to the organization’s compliance program. Communication strategies must be carefully devised with the goal in mind of making compliance vivid and interesting to employees. The compliance message can quickly become routine and dry: sign an attestation, request pre-approval, complete a checklist. This sort of messaging alienates employees rather than engaging them. They have only a small function in the compliance operations this way. Nothing is learned or shared; they are just doing a “tick the box” type exercise.

Instead, the true aspiration of the compliance messaging is that employees take interest, learn something new, ask questions, and feel connected to the story of the organization’s compliance program. This is accomplished via effective and appealing communication that speaks to all audiences and sets a new, compelling tone.

  • Key moment messaging: Compliance is highly relatable to current events and news stories. Therefore compliance communications should take full advantage of key moment messaging opportunities. Relate communication topics to outside events to make the objectives of the compliance program even more concrete. For example, if there is a major earthquake somewhere in the world and your office is located in Southern California, take that opportunity to engage with employees about disaster recovery and business continuity policies and procedures. Their interest will already be heightened and the necessity of the information will be at its most tangible.
  • Positive reinforcement: Start with a kudos, congratulations, or positive sentiment. Any action that needs to be taken or improvement that needs to be made based upon the communication will be much better received if the message gets off to a welcoming start. Set a productive tone by thanking employees for their participation in the last request or calling out good insights or high engagement. Then build off that encouragement to bring in the next steps needed and issue the call to action.
  • Branding: Branding and marketing are now important considerations across all business lines and functions. Compliance is not immune to this, as messages from so many sources fight among themselves for precious attention and airtime from employees. Therefore compliance professionals must carefully consider branding options that will maintain the substantive content of their communications yet be adequately branded to be appealing. Using humor or a catchy, fun theme to introduce the communication, before getting to the meat of the message, can provoke curiosity and prompt engagement. Don’t take it too far and make it a joke – but a little bit of amusement can go a long way.
  • Give visuals/shortcuts: On a similar note, think about making simple takeaways from the communication, however complex its overall message. One way to do this is to provide a visual, like an example of a new form that has to be filled as standard procedure, or a chart showing results on an initiative over previous periods and projected future results. If a visual is not applicable, try using acronyms or slogans that will work as mnemonics to help people remember your message and keep the meaning in mind.
  • Make it interactive: The best way to engage employees in compliance communications is to concretely incorporate them in it. Make the messages interactive for them. Ask an open-ended question and promote any responses received so that employees know the request for input is credible. Take a poll or offer a quiz. This way, employees can share in the mission and the effort by weighing in themselves, which allows them to personalize the message and be more likely to remember it.

To interest and appeal to all employees, compliance communications should not be generic or routine. Taking advantage of opportunities to make compliance relatable, and capitalizing on human interest or emotional connections that can be made, will help to make the mission of the compliance program much more interesting and effective.
