Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Compliance and risk

As the compliance profession continues to mature, a cross-functional, integrated approach emerges as the most productive and effective operating model.  Compliance officers must continually seek to present themselves as partners to and promoters of the work of other functions – including legal, HR, sustainability, communications, and many more.  Compliance programs should strive to be powerful sparring partners and sources of important subject matter expertise that are willing to work together to give the business the most value for its controls framework.  The alternative – being seen as potential hindrances to progress or wallflowers that prefer to come only when they are called – must be avoided at all costs.

One of the most important partners for compliance in this capacity is the risk function.  It’s extremely important to have a healthy cooperation across the functional line between risk and compliance and to establish a respectful and enthusiastic system of knowledge sharing and collaboration, both internally as well as in facing the business.

Below are some important considerations for compliance programs to incorporate in aligning with risk.


Corporate cultural change: Concrete and values-based policies

This is the third in a series of five posts suggesting best practices for implementing corporate cultural change. For an overview of all the tips on this subject, check out this preview post. The first post in the series discussed tone and conduct at the top. Last week’s post was about the importance of consistent, visible enforcement. Today’s post will discuss strategies for creating and implementing effective policies. The fourth post in the series, on March 19, will focus on putting in place procedures that are complementary to those policies. Finally, on March 27, the fifth and final post will discuss tips for going beyond training in order to create effective and engaging employee education initiatives to boost awareness and compliance culture.

As discussed in the last two posts in this series, concrete changes to organizational culture cannot be accomplished through mere rhetoric, even when it is underlain by a sincere desire for progress. Compliance program best practices must be observed and supported by senior management and top leadership in order for effective controls and cultural values to take root throughout the organization.


Taylor Swift and compliance risk management

Taylor Swift is one of the most famous and successful pop music stars of the last decade. She has dominated the charts, the front pages of tabloids, and the trending posts on social media for years, as much for her songs and music videos as for her romantic exploits and friendship feuds. In an era of being famous for being famous, Swift is a special kind of celebrity who presents a public personality that takes deep advantage of this trend while still doing commercial justice to her origins as a country pop singer. In this dichotomy, Swift has fans and detractors on both sides – those who are enthralled by the mystique of her celebrity image are just as engaged with the public brand of her persona as those who actually have any interest in her music itself.

With this source of her visibility on the music charts and in front of the paparazzi camera lens, it is no surprise that Swift has experienced her share of growing pains on the world stage. Swift’s eponymous album was released in 2006 when she was just 16 years old; at the time of her most recent release, Reputation, in November 2017, she was 27 years old. The generational changes any person experiences during the intervening years are transformative on all levels – personality, relationships, career, worldview.

To go through these phases and changes in front of the whole world means that your choices and their contexts and subtexts are part of a powerful public dialog. A specific aspect of Swift’s fame has been that her fans and detractors alike are preoccupied with parsing the similarities and differences between the public face Swift presents in her music and media appearances and clues for what her private, undiscussed motivations and ambitions might be.

Swift’s public image has been negatively impacted in recent years following several high-profile feuds with other celebrities such as Katy Perry and Kim Kardashian West. Those wishing to question her motives or critique her actions have had plenty of fodder. The contradictions in her established image and her possible schemes and attention-getting frauds have fueled many a comment thread on social media. Swift’s most recent album is therefore aptly named Reputation and takes direct aim at this critical focus about her identity.

The change in Swift’s position in popular media due to the critical reception of what is, in reality, her brand strategy, presents a compelling case study in reputational risk. Even though one’s reputation is based largely on perception or even assumption and innuendo, it has a very real effect on public standing. This is true for Swift who is an individual representing her brand and work, just as it is true for an organization representing its business strategy, product or service line, and client relationships. It is especially amplified by those with a large internet presence, as the nature of online interactions in the digital age is to inspire investigation and critical judgment. As the saying goes, you can never really delete anything from the internet, and that proves true time and again – especially when statements by or images of someone like Swift can generate discussions and debates bigger than the original post ever could have been.

Therefore reputational risk presents a challenge to high-profile individuals and brands that is hard to reconcile with desires for publicity and competitive attention and impossible to control once a controversy or reaction has been ignited, innocently or otherwise. The morality of reputational identity and the necessary efforts to maintain and construct it together create an important exercise in defining and adhering to a strategic, values-based approach.

The changing fortunes and public opinion of a celebrity like Swift can be easily translated to the organizational context, where business entities rely on their public profile and engagement with consumers and stakeholders to maintain a competitive edge. Corporate identity and credibility are incredibly valuable and also inestimably vulnerable to reputational risk. Negative news articles, mentions of companies pursuing legal but unpopular business strategies, involvement in politically complicated regions or activities, and other conduct that puts companies on the razor’s edge of popular opinion can have a disastrous effect on a brand and its interests.

Management of reputational risk for organizations should take a common-sense approach. Compliance training materials often refer to one of two tests: would you want to read about this on the front page of a newspaper, or would you be comfortable discussing this action in public, say at a dinner party, with someone you admire, like a parent or mentor? If the answer is no, then the action or strategy is not advisable. Having the possible public outcome of individual or organizational actions in mind before the activity is undertaken helps to maintain a view on consequences and, hopefully, ground the decision in practical ethics.

For a broad take on Taylor Swift and the contemporary value of reputation, check out this opinion piece in the Financial Times.


GRC for compliance professionals

Compliance as a function is sometimes subject to varying definitions. Across different companies, industries, and cultures, organizational perspectives on the purpose and scope of a compliance program can vary. Some see compliance as an alternative to or close relation of the legal department, while others position it much more independently, perhaps as an intermediary between the business lines and audit. Still others may see compliance as the repository for risk-based support activities that do not otherwise fall cleanly into any other established unit.

As previously discussed on this blog, and as this blog will continue to emphasize, the autonomy and visibility of compliance is integral to the integrity and sustainability of an organization’s employees and business strategy. Compliance blends a rules-based approach with a values-based approach to reconcile ethical expectations with legal obligations and technical requirements.

Professionals who work with interpreting legal and regulatory guidance and implementing these into business practices will likely recognize the acronym “GRC.” GRC stands for governance, risk management, and compliance. This umbrella term integrates these functions to describe the operational activities undertaken by an organization to execute plans, manage risk, and encourage integrity.

The GRC model refers to process themes, not necessarily functional units of an organization. Indeed, the three themes of GRC may be included in operational tasks and across numerous independent departments, including HR, finance, IT, audit, and at the board level, in addition to the obvious areas such as risk, legal, and compliance.

GRC can be seen as a discipline that seeks to coordinate the flow of information and ownership of risk so that the activities and processes it encompasses are effectively and efficiently incorporated. As organizations become bigger, this discipline becomes all the more important for keeping channels of communication open and clear, both up and down silos as well as across business areas.

Ethical decision-making thrives in an integrated system where objectives are clearly expressed and information-sharing is transparent and relied upon. Elevating a coordinated GRC discipline can foster a communication regimen in an organization where reasonableness and feedback, rather than heuristics and routine, dominate. Equity and integrity can thrive if actions are taken openly and cooperatively rather than in isolation.

In the ever-changing regulatory landscape of modern business, it is essential that an organization’s GRC activities be coordinated so that work is not duplicated or wasted and gaps are filled rather than passed over with tunnel vision. These functions share stakeholders and objectives, and therefore should share information to maximize meaningful impact and minimize redundant effort.

The basic concepts of the GRC approach are all useful for a compliance officer or other professional to consider:

  • Governance: This refers to the management control framework used by an organization’s senior leadership, relying on management information from across the organization in order to direct and control the overall strategy and operation of an organization. This concerns major existential questions for the organization, such as – what are the roles of leaders at all levels? What are the reporting mechanisms and what checks and balances exist for these? How does business strategy translate into directions to various business units and how are these instructions communicated to employees? Having an informed perspective on the organization’s governance objectives is very important for a compliance officer because this gives insight to the tone at the top and the mechanism through which these critical values become concrete practices.
  • Risk management: Risk management is the identification, assessment, and response to risk factors which may have an impact on an organization’s activities. This also includes considering risks which do not have an impact and ascertaining that this evaluation remains correct and current as fluid business objectives and conditions may change. All organizations are subject to some risks, such as operational risk, technological risk, and financial risk, while others may be determined by the industry in which they operate, such as market risk, liquidity risk, political risk, third-party risk, and product-specific risks. Risk management entails planning and implementing controls in order to address these risks, either by mitigating them, changing strategy or practice to eliminate them, accepting them, or transferring them to a service provider or partner who is positioned to best respond to them. Legal, legislative, and regulatory risks are of particular interest to compliance officers, as are compliance-centric risks such as reputational risk. Compliance officers should take risk identification and assessment well into account when planning compliance program objectives so that these can be fine-tuned to the emergent and most important needs the business faces in this area.
  • Compliance: Of course, staying in good standing with supervisory authorities and ensuring that business practices and procedures meet the standards and requirements set by external laws and regulations as well as internal policies and procedures ensures that the work done in governance and risk management activities is properly directed and sufficiently supported. An ongoing assessment and prioritization of the compliance program’s effectiveness and appropriateness is necessary to ensure that the controls in place are up to date and working as intended.

The themes above are all germane to the objectives of a compliance program and can be referred to in seeking buy-in from senior management or supervisory board members, with whom ultimate responsibility for establishing and executing these systemic processes rests.
