Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Insights from management for compliance officers

This is the fourth and final post in a series of four on insights for compliance officers from different fields of study.  The first post in this series covered lessons from psychology regarding, for example, self-interest and decision-making, drawing on prominent figures such as Sheena Iyengar and Malcolm Gladwell.  The second post was about insights for compliance officers from self-development and coaching, including from people such as Wayne Dyer and Eckhart Tolle.  Last week’s post discussed behavioral economics, focusing on the work of people such as Dan Ariely and Richard Thaler.  Today’s post will suggest ways in which management theory can be applied to corporate compliance programs.

As a practice, compliance is greatly concerned with topics such as governance, controls, leadership, sustainability, business values, organizational integrity, institutional decision-making, tone and conduct at the top, and corporate culture.  It shares these general disciplinary themes with management theory, which takes on the broad task of determining and guiding the strategic direction of an organization and steering its employees and resources in furtherance of these goals.  Given how much a robust compliance program contributes to the regulatory, practical, and cultural aspects of this task, compliance officers stand to gain considerable insight from studying commentary from the field of management theory.


Compliance as both function and discipline

Compliance makes concrete and professionalizes the rules, regulations, and questions of ethics and integrity that are everywhere in life. It can be very absolute, used to create a framework that ensures adherence to external legal and supervisory requirements as well as internal policies and procedures, forming a rules-based approach to risk management. It can also be more esoteric, probing the tension between general norms and existing controls, and between what may be morally acceptable and what falls within individual expectations.

Considering the distinction between the function of compliance and the discipline of compliance is helpful in developing a more mature understanding of its applications in both modes. Compliance as a function creates frameworks, translates regulations and directives into internal policies and procedures, identifies program priorities, and plans management strategies. Compliance as a discipline takes all of these efforts to ensure awareness of, and adherence to, all relevant laws and regulations, and applies them directly to the business in order to facilitate ethical decision-making, encourage integrity, and positively impact business strategy.

The function of compliance describes the general task of keeping up to date on rules and regulations and designing governance, risk, and compliance (GRC) management strategies and structures to present to senior management, executive boards, and outside stakeholders such as regulators and other supervisory bodies. This includes regulatory compliance, which ensures that organizations are abiding by both industry regulations and government legislation. This also includes designing governance and control structures intended to encourage employee and organizational integrity and create disincentives against and penalties for misconduct.

The discipline of compliance, on the other hand, describes the dynamic and business-linked support activities that the compliance professional undertakes within the broader context of the organization. Disciplinary compliance takes the above-described principles and frameworks and applies them in the business arena. This is where the rubber meets the road between the compliance officer and the business line he or she serves. In this setting, compliance is a relationship-based activity of providing advice, cooperating and aligning with other stakeholders and functional partners, suggesting defense strategies in light of real-time business risks and plans, and maintaining an ongoing bird’s-eye view of the business landscape, which can only be achieved by proactive, personal engagement.

Building upon the above definitions and borrowing from the philosophy of ethics, the comparison could be made between the compliance function and normative ethics on one hand, and the compliance discipline and applied ethics on the other hand.

The compliance function links to normative ethics, in which moral behavior is compared to the norms of the social context in which the actions are taken, because both emphasize external or supervisory expectations and standards. Normative ethics is quite useful in identifying and categorizing compliance risks and in suggesting possible mitigations and strategies for those that cannot be eliminated or are deemed acceptable to some extent. Within the function of compliance, the question of what individuals should or should not do is answered by the relevant laws, regulations, principles, rules, standards and codes of conduct, and other guidelines applicable to these individuals and the organizations in which they work.

The compliance discipline, in the meantime, can be connected neatly to applied ethics, which centers on the use of ethical theory to analyze and address actual moral issues that arise in work and life. Dilemma analysis and discussion, and compliance awareness dialogs, all borrow from the didactic constructs of applied ethics. Building upon the structures and foundations that come from the compliance function and from the philosophy of normative ethics, the compliance discipline and applied ethics are both used to take these frameworks from strict requirements to living, practical considerations within a robust culture of compliance at the organization.

For more posts on types of compliance and ethics, check out some of these: Guiding principles for a compliance advisory practice; Compliance 101: A quick guide; The five branches of ethics as applied to compliance principles; How to make voluntary engagement with compliance values meaningful.  Posts each Monday, which are categorized in “Best Practices,” often address this sort of topic from both academic and practical perspectives.


GRC for compliance professionals

Compliance as a function is sometimes subject to varying definitions. Across different companies, industries, and cultures, organizational perspectives on the purpose and scope of a compliance program can vary. Some see compliance as an alternative to or close relation of the legal department, while others position it much more independently, perhaps as an intermediary between the business lines and audit. Still others may see compliance as the repository for risk-based support activities that do not otherwise fall cleanly into any other established unit.

As previously discussed on this blog, and as this blog will continue to emphasize, the autonomy and visibility of compliance is integral to the integrity and sustainability of an organization’s employees and business strategy. Compliance blends a rules-based approach with a values-based approach to reconcile ethical expectations with legal obligations and technical requirements.

Professionals who work with interpreting legal and regulatory guidance and implementing these into business practices will likely recognize the acronym “GRC.” GRC stands for governance, risk management, and compliance. This umbrella term integrates these functions to describe the operational activities undertaken by an organization to execute plans, manage risk, and encourage integrity.

The GRC model refers to process themes, not necessarily functional units of an organization. Indeed, the three themes of GRC may be included in operational tasks and across numerous independent departments, including HR, finance, IT, audit, and at the board level, in addition to the obvious areas such as risk, legal, and compliance.

GRC can be seen as a discipline that seeks to coordinate the flow of information and the ownership of risk so that the activities and processes it encompasses are carried out effectively and efficiently. As organizations grow, this discipline becomes all the more important for keeping channels of communication open and clear, both up and down silos and across business areas.

Ethical decision-making thrives in an integrated system where objectives are clearly expressed and information-sharing is transparent and relied upon. Elevating a coordinated GRC discipline can foster a communication regimen in an organization where reasoned judgment and feedback, rather than heuristics and routine, dominate. Equity and integrity can thrive if actions are taken openly and cooperatively rather than in isolation.

In the ever-changing regulatory landscape of modern business, it is essential that an organization’s GRC activities be coordinated so that work is not duplicated or wasted and gaps are filled rather than passed over with tunnel vision. These functions share stakeholders and objectives, and therefore should share information to maximize meaningful impact and minimize redundant effort.

The basic concepts of the GRC approach are all useful for a compliance officer or other professional to consider:

  • Governance: This refers to the management control framework used by an organization’s senior leadership, relying on management information from across the organization in order to direct and control the overall strategy and operation of an organization. This concerns major existential questions for the organization, such as – what are the roles of leaders at all levels? What are the reporting mechanisms and what checks and balances exist for these? How does business strategy translate into directions to various business units and how are these instructions communicated to employees? Having an informed perspective on the organization’s governance objectives is very important for a compliance officer because this gives insight to the tone at the top and the mechanism through which these critical values become concrete practices.
  • Risk management: Risk management is the identification, assessment, and response to risk factors which may have an impact on an organization’s activities. This also includes considering risks currently assessed as having no impact, and verifying that this assessment remains correct and current as business objectives and conditions change. All organizations are subject to some risks, such as operational risk, technological risk, and financial risk, while others may be determined by the industry in which they operate, such as market risk, liquidity risk, political risk, third-party risk, and product-specific risks. Risk management entails planning and implementing controls in order to address these risks, whether by mitigating them, changing strategy or practice to eliminate them, accepting them, or transferring them to a service provider or partner who is best positioned to respond to them. Legal, legislative, and regulatory risks are of particular interest to compliance officers, as are compliance-centric risks such as reputational risk. Compliance officers should take risk identification and assessment well into account when planning compliance program objectives, so that these can be fine-tuned to the emergent and most important needs the business faces in this area.
  • Compliance: Of course, staying in good standing with supervisory authorities, and ensuring that business practices and procedures meet the standards and requirements set by external laws and regulations as well as internal policies and procedures, ensures that the work done in governance and risk management activities is properly directed and sufficiently supported. Ongoing assessment and prioritization of the compliance program’s effectiveness and appropriateness is necessary to ensure that the controls in place are up to date and working as intended.

The themes above are all germane to the objectives of a compliance program and can be referred to in seeking buy-in from senior management or supervisory board members, with whom ultimate responsibility for establishing and executing these systemic processes rests.
