Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Corporate cultural change: Awareness and dialog, not training

This is the final entry in a series of five posts suggesting best practices for implementing corporate cultural change. For an overview of all the tips on this subject, check out this preview post. The first post in the series was about tone and conduct at the top and the importance of operationalizing these. The second post discussed how to tangibly encourage organizational justice via consistent, visible investigation and enforcement efforts. The third post focused on policies to have in place, while last week’s post was about the procedures to complement and support those. Today, the fifth and last post in the series will provide ideas for how compliance programs can go beyond traditional training to create a culture in which risks and values are addressed and integrated into awareness and communication efforts.

The last four posts have discussed the management controls and organizational structures that are important to implement in order to address needed cultural change and manage compliance risks. The focus so far has been on motivating management to act as leadership and vice versa, and then taking advantage of their fluency to leverage buy-in for enforcement efforts, policies, and procedures that will contribute to reform and improvement initiatives. The final area for compliance and ethics professionals to take on in this process is employee and organizational education.

Corporate cultural change: Concise and accessible procedures

This is the fourth in a series of five posts suggesting best practices for implementing corporate cultural change. For an overview of all the tips on this subject, check out this preview post. The first post in the series was about tone at the top and conduct to support it. The second post discussed the role of consistent, visible enforcement in promoting organizational justice and fairness. Last week’s post focused on the importance of putting concrete, values-based policies in place. Today’s post will be about implementing procedures that are consistent with those policies. Next week, on March 27, the fifth and last post in the series will suggest how compliance professionals can foster a culture where employees are effectively engaged in awareness and communication to combat risks and support controls.

Last week’s post focused on the importance of creating and implementing policies that sufficiently and authentically support systemic responsibility for reform and intention for improvement.  Just as the appropriate tone and conduct must be observed from the highest levels of the organization in order to support enforcement efforts in the event of misconduct and abuse, corresponding policies must follow in order for the cultural norms to thrive.

For the standards set by the policies to succeed, organizations must put in place procedures that dictate practices which are consistent with and supportive of them.

Creating and implementing concrete, values-based policies is critically important for organizations to demonstrate operational commitment to improvement.  In order to take material advantage of momentum for reform in the examples set at the top in both attitude and behavior, as well as to nurture the culture of compliance created to support organizational justice and fairness, the policies in place must formalize this all.

Corporate compliance professionals should seek to create and communicate procedures that include the following traits in order to support a culture of compliance and enable progress, encourage organizational integrity and moral engagement, and protect the vulnerable while punishing and preventing wrongdoing.

In order to accomplish this lofty goal, keep in mind “The 5 C’s” of procedures to implement for corporate cultural change:

  • Credible – Any procedure intended to prevent abuse, punish wrongdoing, and protect individuals must be believable.  Individuals asked to follow procedures must find them credible and believe that if faithfully executed, the risks and dangers they are intended to prevent or mitigate will be successfully addressed.  Regular review and the opportunity for ad-hoc adjustments, and transparency about the frequency and seriousness with which both of these tasks can be undertaken, will promote the believability and reliability of procedures.
  • Concise – It’s imperative that procedures are understandable by all.  They should not be so academic or theoretical that individuals using them struggle to know what they require and direct.  Concise procedures are practical ones.
  • Convenient – Convenience has two aspects with procedures: first, the ease of physical delivery and retrieval, and second, the quality of actual user experience.  Don’t put the procedures deep in the labyrinth of an intranet site or high on a shelf in a binder no one will ever open, and be sensitive to employees who may work remotely or with alternative accommodations.  Taking care of people who may not see e-mails or receive announcements at head office also allows compliance officers to “put a face to the name” and get some important personal contact with these individuals so that they know who to contact with questions and may feel more comfortable doing so.  The procedures also cannot be so burdensome in their steps or include so much complicated background information that they can’t be followed by the average reasonable employee.
  • Considerate of the audience – Further to concise, clear language in, and practical delivery of, the procedures, organizations should consider the audience fully in all stages of procedure provision. The procedures should never be written and provided just to tick a box. It’s so important to keep in mind that these are not just regulatory compliance obligations or requirements on a spreadsheet that must be completed. Procedures must be used and relied upon by individuals. Those audience members are the most important stakeholders and participants in the procedures, and drafting and implementing the procedures must be done with great intention toward being considerate of them as the top priority.
  • Constructive – In reliance on the foregoing posts, and above all other considerations, the efficacy of procedures is imperative to make them useful. Therefore the procedures must be constructive and aimed toward encouraging and enabling the real processes and interactions that are necessary for reform. The desired result is a positive, fair corporate culture where people can speak up and speak out as well as work together toward creating an organization which reflects their own values.

Check back next week, Monday March 26, for the final post in this series of five, which will suggest best practices for going beyond training, in order to create convincing and compelling employee education campaigns and communications.

How to make voluntary engagement with compliance values meaningful

A pure rules-based approach to compliance is direct and clear-cut, but by design lacks emotional or personal engagement. Following rules of all kinds – legal, community-based, household; practical, austere, illogical – is a social norm most humans are taught from their earliest memories. Despite this, many of them do not do it very well even with the best intentions, and still more never intend to attempt adherence.

To have any expectation that rules will be credible and inspire understanding and respect, there must be an authentic and compelling “why,” a purpose that people feel relates to them and calls for their commitment. Many laws are so deeply linked to societal expectations and taboos that the majority of people do not need to be persuaded to appreciate them – restrictions against pre-meditated murder, property theft, and abuse of animals for example. Those who remain unconvinced these acts should be prohibited and punished are not likely to view violating laws as something offensive or damaging either.

Sincere attempts to reach individuals who are antipathetic toward all rules, however few or rare they may actually be in society, with a rationale rooted in values are not likely to prevail. In general a values-based approach can be very powerful and evocative, but in order for it to hold personal appeal it must strike a difficult balance between universal relatability and individual accountability. All organizations should define their values and position their strategy and public branding within that set of principles, but this is delicate. If the values are too specific then they will be exclusionary rather than engaging, appealing only to a core group of true believers rather than attracting a wider audience. If the values are too broad, however, then they will be superficial and ring empty – again preventing individuals from attaching to them and being their standard bearers.

An especially effective tactic for bridging this gap is to make corporate values a living artifact which reflects the organization as it grows and changes along with business and society. In an ambitious and forward-looking organization, the profile and strategy will evolve and so should the outlook of what matters most in defining its purpose. Using a rules-based approach to provide both the floor and the roof for the terms of the corporate mission statement, values can fill the space between and invite everyone – employees, partners, stakeholders alike – inside.

There are many mechanisms through which corporate compliance programs can appeal to employees to make the connection between rules and values. Inspiring voluntary compliance, where employees feel aware of and responsible for the values of the compliance program and connect to them individually, adds weight to the mandatory compliance expected by the rules. Increasing the relatability of the requirements with principles behind them gives people incentive to sign on and go along with the compliance program. Compliance programs can aim to encourage ongoing employee adhesion to the organization’s values-based approach in the following ways, ranging from the lightest touch to the heaviest:

  • Nudges: Simply put, make it possible for employees to make ethical choices by expressing values that promote this and building decision-points into the processes they encounter in their working experiences which reflect those values. Business strategy should coincide with business values, and if it does not, then actions such as setting new standards for client acceptance or exiting and reassessing product offerings or market participation are natural consequences of trying to bring the two together. In order for employees to make choices that reflect both individual and organizational integrity, the procedures and standards within which they work should facilitate and support this type of decision-making. Doing the right thing should always be accessible and indeed prompted.
  • Codes: While nudges make values implicit and leave the decision ultimately in the employee’s hands, in codes values are explicit and expectations for adherence to them are formalized. Codes can take a variety of formats, and in some industries regulatory requirements may dictate their scope and even content, but generally speaking, the more concise and accessible the better. Employees at all levels should be able to read, understand, and engage with the code, whether it dictates ethics, conduct, or both, and they should be able to retrieve, review, and ask questions about it whenever they want. A code document should be updated on an ad-hoc basis and reviewed regularly, and it should be seen as a living record of the specific values of the organization which underlie all other policies and procedures in place.
  • Attestations: Once a code is available, employees can be asked to attest to their compliance with it. This can take a very simple form, even just a one-liner of “I attest that I have been in compliance with the requirements set forth in the Code as of the below date.” This can be done once per year (or other regular period of choice) or on an ad-hoc basis. Asking an employee to attest to adherence prompts self-reflection and may also create a space for questions or dilemma discussions, which are important tools for ensuring awareness.
  • Warnings: Warnings may sound punitive, but in reality they can just be reminders. Unlike attestations, which look backwards and ask employees to self-assess based on their past behavior, warnings would accompany present choices or activities. For example, an expense claim form might include a statement on it reminding the submitter that the data on the form should be accurately and honestly reported, and that there are certain expenses which may not be reimbursable or permitted. Providing these warnings at the time the employee is going to take action that checks compliance values brings together all the previous methods – it provides a nudge, makes expectations explicit, and directly asks the employee to consider ethical obligations when making choices in the course of the task.
  • Oaths: Oaths take the most advanced step of ensuring that employees comply with the ethical and compliance expectations of their profession by asking that they voluntarily submit to discipline should they violate these. This submission is by taking an oath and signing it, typically with witnesses and even a level of formalization or ceremony in order to underscore the significance of the commitment and the seriousness of trespassing against it with future misconduct. A very interesting example of a professional oath is the Banker’s Oath in the Netherlands, which is intended to restore trust in the financial sector and banks specifically by requiring that every Dutch employee take an oath to comply with uniform ethical guidelines. To read more about the Banker’s Oath, visit the website of the Dutch independent organization Foundation for Banking Ethics Enforcement (FBEE).

The above methods for encouraging voluntary compliance can be employed by compliance professionals simply and powerfully in routine compliance communications and awareness initiatives. Reminding employees of values – the purpose – helps to heighten the credibility and appeal of rules – the requirement – and provide a mission perspective to their engagement in the compliance program.

Tips for improving employee accountability in compliance programs

The most ambitious culture of compliance paired with the most robust controls framework still cannot succeed without employee adherence. Employees who don’t know the correct thing to do, or those who make an unethical or non-compliant decision despite knowing, can be addressed with awareness communication in the first case or remedial action in the second case.

However, the more frequent and challenging scenario is that employees have received information about compliance risk management priorities and ethical culture at their organization. They understand this information well enough and maybe even admire the aims of the compliance program, but there’s a problem – they don’t see themselves as having an active role in it.

The best efforts of compliance programs will always be overcome by apathetic or unengaged employees who don’t see themselves as having personal compliance responsibilities. In cybersecurity, for example, the best IT systems with the most up-to-date risk controls structure will still be defeated by an employee who falls for a phishing scheme or leaves behind an unsecured laptop in a public place. Some mistakes are unavoidable, of course, just like some risks can only be mitigated or accepted. However, many other errors, acts of misconduct, or risk factors can be prevented with the appropriate individual vigilance and diligence.

So how can a corporate compliance program emphasize to employees that individual responsibility is the fundamental defense in any risk and control framework? Too many solutions from management or consultancy rely heavily on data solutions and systems approaches to addressing compliance risk. The logic goes: failures of existing compliance programs to prevent ever-evolving fraud and misconduct are unfortunately not unusual, so why not simply blame human misjudgment or incompetence for inadequate controls and therefore just automate processes whenever possible?

The above is a cynical and defeatist attitude toward corporate compliance; if management or its advisors decide that corporate compliance will fail, then it certainly will do so. However, removing the obstacles to individual responsibility is an important step to empowering organizational integrity. Outsourcing or digitalizing analysis and advisory work is an artificial, external solution. It may expedite or simplify some aspects of working with compliance risk management, but it cannot ever be as effective as a values-based approach that creates a corporate culture where good judgment and ethical decision-making are incentivized and supported.

Indeed the first, and probably best, solution for raising the standard of compliance programs and their controls is to promote employee engagement in these across all levels of the organization. This starts with individual accountability, which compliance professionals and senior management can nudge employees toward embracing in these ways:

  • Walk the walk: Senior management should weave a thread of the corporate cultural values throughout all matters that touch an employee’s working life. This needs to be consistent and visible. Communication should be simple and straightforward, practical and not preachy, but it should express and reinforce the cultural values. In HR matters, for example, transparency should be communicated and modeled. Employees must see the corporate cultural values explicitly expressed as they experience corporate administration across the organization. This brings the values from mere words to a living system in which they are participants.
  • Nudge with timely reminders: Regulatory, legal, and policy requirements change rapidly. Employees that are trained regularly should be respected for what they already know; heavy-handed instruction can be seen as condescending. However, reminders upon key messaging events (anniversaries, completion of investigations, or announcements of strategies) or updates when there are new guidelines or expectations are critical. These reminders can act as nudges toward appropriate behavior for individuals whose attention may have moved on or whose understanding was out of date.
  • Work against culture of fear: People often think about speaking up in the workplace in terms of following an internal escalation process or being a whistleblower. To some people, speaking up by challenging an established procedure or an experienced colleague may seem unprofessional or presumptuous. The possibility of being opposed or facing retribution can be very scary for employees who might want to express uncertainty or ask questions. Corporate compliance programs have a responsibility to create a culture where speaking up routinely is safe and supported. A relationship-based approach to business compliance advisory is a great first step toward combating the fear factor and helping employees to speak up to check understanding or challenge practices. Involved employees are more likely to be accountable ones.
  • Actively address accountability gaps: When it is evident that an employee or group of employees does not embrace accountability in compliance risk management, address it, but not punitively. Open discussion can be mutually beneficial. Take the opportunity to express that individual responsibility is expected, and also to listen to the limitations or uncertainties that may provide an explanation for why it’s missing.
  • Insist on consequences: Disciplinary action is never the intended outcome for any employee-management relationship. Ideally everyone would want to and be able to do the right things all the time, but clearly mistakes and misconduct happen. Good people/bad people dichotomies are classic but not necessarily helpful. In reality, it’s most important to establish from the beginning that consequences for doing the wrong thing exist and will be enforced fairly and meaningfully.

There will always be people in organizations who either are in need of training or resourcing attention (wanting to do the right thing but not being properly equipped) or people who are not cultural fits (wanting to do the wrong thing despite organizational priorities). Engaging these people where possible is critical, just as holding all others accountable for their actions and responsibilities is the frontline defense most important to compliance risk management.

Using ethical dilemmas for creating a compliance training dialog

For effective compliance training, learners must be prepared to discuss and challenge dilemmas independently and with others. The details of specific policies, directives, and regulations can quickly become very dry and irrelevant, whether the audience is made up of compliance officers, senior managers, or new starters. To prevent topic fatigue and keep important compliance training vivid and engaging for those attending awareness sessions, it is important to encourage discussion. An active participant will think, care, and learn more than one who is just watching the clock for the end of the program.

One way to spark discussion that can be employed at all levels is using ethical dilemmas. This is effective either as a stand-alone program, where attendees are introduced to ethical dilemmas and spend time in groups discussing their ideas and views, or as an icebreaker to a content session, to grab the audience’s attention and test their knowledge from the beginning. This can provide an approach to then thinking about the practical handling of compliance subjects which is both easy and enjoyable.

Considering and responding to ethical dilemmas helps learners to build fluency with ethical decision-making and evaluating potential conflicts of interest, especially in balance with their own possible interests. Giving meaning to the impact of behavior and choice is significant for establishing cultural values that emphasize individual responsibility and integrity. Dilemma analysis involves several simple but thought-provoking steps following the prompt:

  • What is the ethical question?
  • What personal values are relevant in considering this ethical question?
  • Who are the parties with interests in this dilemma?
  • What are their interests and how do they conflict?
  • How can the ethical question be answered and what are the potential consequences?
  • What is the decision in response to the ethical question?
  • Is the choice that came from the decision-making process of the dilemma possible/practical to do in light of all considerations and consequences?

Ethical dilemmas used as such for prompts in compliance training should be universal and straightforward. In general, dilemmas used to teach this style of thinking to beginners or to instigate audience participation at the start of a session should not focus on specific employee responsibilities or business functions. For very advanced and targeted audiences it may be acceptable to give an anonymized example of a dilemma they may come across in their work, but for the most part, daily life dilemmas are more relatable and more fun to discuss, regardless of the experience level of the participants.

Some examples of simple dilemmas that can be analyzed as described are:

  • You are meeting some friends at a standing room-only concert and arrive late. As you approach the venue you walk past your friends, who got there early and are waiting near the front of the line. They tell you they have been there for almost two hours and invite you to join them where they are in the line, even though the end of the line is very far behind them.
  • Your company has been considering some wellness initiatives to offer to employees as benefits but hasn’t contacted any providers yet. Your roommate just finished yoga teacher training and wants to get experience as a corporate instructor.
  • You are taking an exam after studying hard for days to prepare and attending every class the entire term. However, you woke up this morning with a terrible cold and can’t focus. You know the professor will not allow a rescheduled or make-up test. There is no proctor in the room and you have all of your course material with you.
  • You and your partner have a joint bank account where you are both named. Your partner is one week into a two-week trip abroad when a letter comes from the bank. You have to fill out and return a form with both your and your partner’s signatures. If you don’t return the form within two business days you will not be able to use your credit card.
  • You are taking your relative to an urgent doctor’s appointment. The parking lot is quite busy but all three of the parking spots designated for disabled drivers are empty. Your relative has no problem walking, but you are already five minutes late for the appointment.

Choosing simple prompts like the ones suggested above will allow the learners to be more creative and perhaps to even engage in discussion with themselves. The facts may be straightforward, but the huge array of perspectives and outcomes that people can suggest is always impressive. By keeping the dilemma prompt at a level everyone can understand regardless of his or her own background and initial interest, the dialog can be truly inclusive. This allows the person who is running the training session to fall into the role of a true facilitator, which offers the enriching experience of watching individuals converse organically on these provocative questions.

Communication strategies for increasing employee engagement in compliance programs

Every compliance professional’s strategic annual plan will include seeking increased employee engagement in and attention to the organization’s compliance program. Communication strategies must be carefully devised with the goal in mind of making compliance vivid and interesting to employees. The compliance message can quickly become routine and dry: sign an attestation, request pre-approval, complete a checklist. This sort of messaging alienates employees rather than engaging them. They have only a small function in the compliance operations this way. Nothing is learned or shared; they are just doing a “tick the box” type exercise.

Instead, the true aspiration of the compliance messaging is that employees take interest, learn something new, ask questions, and feel connected to the story of the organization’s compliance program. This is accomplished via effective and appealing communication that speaks to all audiences and sets a new, compelling tone.

  • Key moment messaging: Compliance is highly relatable to current events and news stories. Therefore compliance communications should take full advantage of key moment messaging opportunities. Relate communication topics to outside events to make the objectives of the compliance program even more concrete. For example, if there is a major earthquake somewhere in the world and your office is located in Southern California, take that opportunity to engage with employees about disaster recovery and business continuity policies and procedures. Their interest will already be heightened and the necessity of the information will be at its most tangible.
  • Positive reinforcement: Start with a kudos, congratulations, or positive sentiment. Any action that needs to be taken or improvement that needs to be made based upon the communication will be much better received if the message gets off to a welcoming start. Set a productive tone by thanking employees for their participation in the last request or calling out good insights or high engagement. Then build off that encouragement to bring in the next steps needed and issue the call to action.
  • Branding: Branding and marketing are now important considerations across all business lines and functions. Compliance is not immune to this, as messages from so many sources fight among themselves for precious attention and airtime from employees. Therefore compliance professionals must carefully consider branding options that will maintain the substantive content of their communications yet be adequately branded to be appealing. Using humor or a catchy, fun theme to introduce the communication, before getting to the meat of the message, can provoke curiosity and prompt engagement. Don’t take it too far and make it a joke – but a little bit of amusement can go a long way.
  • Give visuals/shortcuts: On a similar note, think about making simple takeaways from the communication, however complex its overall message. One way to do this is to provide a visual, like an example of a new form that has to be filled as standard procedure, or a chart showing results on an initiative over previous periods and projected future results. If a visual is not applicable, try using acronyms or slogans that will work as mnemonics to help people remember your message and keep the meaning in mind.
  • Make it interactive: The best way to engage employees in compliance communications is to concretely incorporate them in it. Make the messages interactive for them. Ask an open-ended question and promote any responses received so that employees know the request for input is credible. Take a poll or offer a quiz. This way, employees can share in the mission and the effort by weighing in themselves, which allows them to personalize the message and be more likely to remember it.

To interest and appeal to all employees, compliance communications should not be generic or routine. Taking advantage of opportunities to make compliance relatable, and capitalizing on human interest or emotional connections that can be made, will help to make the mission of the compliance program much more interesting and effective.
