Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Compliance and risk

As the compliance profession continues to mature, a cross-functional, integrated approach emerges as the most productive and effective operating model.  Compliance officers must continually seek to present themselves as partners to and promoters of the work of other functions – including legal, HR, sustainability, communications, and many more.  Compliance programs should strive to be powerful sparring partners and sources of important subject matter expertise that are willing to work together to give the business the most value for its controls framework.  The alternative – being seen as potential hindrances to progress or wallflowers that prefer to come only when they are called – must be avoided at all costs.

One of the most important partners for compliance in this capacity is the risk function.  It’s extremely important to have a healthy cooperation across the functional line between risk and compliance and to establish a respectful and enthusiastic system of knowledge sharing and collaboration, both internally as well as in facing the business.

Below are some important considerations for compliance programs to incorporate in aligning with risk.


Corporate cultural change: Concrete and values-based policies

This is the third in a series of five posts suggesting best practices for implementing corporate cultural change.  For an overview of all the tips on this subject, check out this preview post.  The first post in the series discussed tone and conduct at the top.  Last week’s post was about the importance of consistent, visible enforcement.  Today’s post will discuss strategies for creating and implementing effective policies.  The fourth post in the series, on March 19, will focus on putting in place procedures that are complementary to those policies.  Finally, on March 27, the fifth and final post will discuss tips for going beyond training in order to create effective and engaging employee education initiatives to boost awareness and compliance culture.

As discussed in the last two posts in this series, concrete changes to organizational culture cannot be accomplished through mere rhetoric, even when it is underlaid by sincere desire for progress.  Compliance program best practices must be observed and supported by senior management and top leadership in order for effective controls and cultural values to take root throughout the organization.


Selected TED/TEDx talks on privacy and reputation

In an increasingly inter-connected and digital society, challenges to privacy and reputation are frequent.  Even before social media put everyone at constant pressure to “overshare,” when people’s very personal details were not always a quick Google search away, privacy was still under threat.  A person’s visibility and public representations are often judged and demanded for credibility and honesty evaluations performed by employers, potential partners, members of the community, and even complete strangers.  Giving up privacy in favor of radical openness may be the way some reality stars have attained their celebrity, but for many people this feels invasive and like a violation of security.

In a broader sense, people’s individual privacy settings in terms of what they wish to share or disclose, how, and to whom, have a direct bearing on reputation.  Cultural practices around privacy and information sharing can give rise to serious reputational risk that impacts individuals and communities and frays the social fabric in which transparency is desirable or even possible.  These norms and ethical expectations are intensified in the digital age, where an individual’s personal information can never truly be deleted or taken back once it is made public.


Business compliance wish list for cryptocurrencies

One of the hottest topics of 2017 was cryptocurrencies.  The blockchain-derived digital currencies such as Bitcoin, Ethereum, and Ripple were the subject of seemingly endless interest and speculation, in both the media and the markets.  In an excitement reminiscent, to many, of the dot-com boom, cryptocurrency companies rushed to become issuers via initial coin offerings (ICOs).  Companies that were previously unrelated to blockchain or any product of the technology changed their names or indeed their entire operational purposes to attract market interest.  Investors searched for information and guidance, experimented with the digital currency as both a payment service and a securities holding, and filled social media and dinner table conversation with curiosity and enthusiasm for the disruptive potential cryptocurrencies hold for banking, technology, and the markets.


Taylor Swift and compliance risk management

Taylor Swift is one of the most famous and successful pop music stars of the last decade. She has dominated the charts, the front pages of tabloids, and the trending posts on social media for years, as much for her songs and music videos as for her romantic exploits and friendship feuds. In an era of being famous for being famous, Swift is a special kind of celebrity who presents a public personality that takes deep advantage of this trend while still giving commercial justice to her origins as a country pop singer. In this dichotomy, Swift has fans and detractors on both sides: those who are enthralled by the mystique of her celebrity image are just as engaged with the public brand of her persona as those who have a genuine interest in her music itself.

Given her visibility on the music charts and in front of the paparazzi camera lens, it is no surprise that Swift has experienced her share of growing pains on the world stage. Swift’s eponymous album was released in 2006 when she was just 16 years old; at the time of her most recent release, Reputation, in November 2017, she was 27 years old. The changes any person experiences during such intervening years are transformative on all levels – personality, relationships, career, worldview.

To go through these phases and changes in front of the whole world means that your choices and their contexts and subtexts are part of a powerful public dialog. A specific aspect of Swift’s fame has been that her fans and detractors alike are preoccupied with parsing the similarities and differences between the public face Swift presents in her music and media appearances and clues for what her private, undiscussed motivations and ambitions might be.

Swift’s public image has been negatively impacted in recent years following several high-profile feuds with other celebrities such as Katy Perry and Kim Kardashian West. Those wishing to question her motives or critique her actions have had plenty of fodder. The contradictions in her established image and her possible schemes and attention-getting frauds have fueled many a comment thread on social media. Swift’s most recent album is therefore aptly named Reputation and takes direct aim at this critical focus about her identity.

The change in Swift’s position in popular media due to the critical reception of what is, in reality, her brand strategy, presents a compelling case study in reputational risk. Even though one’s reputation is based largely on perception or even assumption and innuendo, it has a very real effect on public standing. This is true for Swift, who is an individual representing her brand and work, just as it is true for an organization representing its business strategy, product or service line, and client relationships. It is especially amplified for those with a large internet presence, as the nature of online interactions in the digital age is to inspire investigation and critical judgment. As the saying goes, you can never really delete anything from the internet, and that proves true time and again – especially when statements by or images of someone like Swift can generate discussions and debates bigger than the original post ever could have been.

Therefore reputational risk presents a challenge to high-profile individuals and brands that is hard to reconcile with desires for publicity and competitive attention and impossible to control once a controversy or reaction has been ignited, innocently or otherwise. The morality of reputational identity and the necessary efforts to maintain and construct it together create an important exercise in defining and adhering to a strategic, values-based approach.

The changing fortunes and public opinion of a celebrity like Swift can be easily translated to the organizational context, where business entities rely on their public profile and engagement with consumers and stakeholders to maintain competitive edge. Corporate identity and credibility are incredibly valuable and also inestimably vulnerable to reputational risk. Negative news articles, mentions of companies pursuing legal but unpopular business strategies, involvement in politically complicated regions or activities, and other conduct that puts companies on the razor’s edge of popular opinion can have a disastrous effect on a brand and its interests.

Management of reputational risk for organizations should take a common sense approach. Compliance training materials often refer to one of two tests: would you want to read about this on the front page of a newspaper, or, would you be comfortable discussing this action in public, say at a dinner party, with someone you admire, like a parent or mentor? If the answer is no then the action or strategy is not advisable. Having the possible public outcome from individual or organizational actions in mind before the activity is undertaken helps to maintain a view on consequences and hopefully, therefore ground the decision in practical ethics.

For a broad take on Taylor Swift and the contemporary value of reputation, check out this opinion piece in the Financial Times.


GRC for compliance professionals

Compliance as a function is sometimes subject to varying definitions. Across different companies, industries, and cultures, organizational perspectives on the purpose and scope of a compliance program can vary. Some see compliance as an alternative to or close relation of the legal department, while others position it much more independently, perhaps as an intermediary between the business lines and audit. Still others may see compliance as the repository for risk-based support activities that do not otherwise fall cleanly into any other established unit.

As previously discussed on this blog, and as this blog will continue to emphasize, the autonomy and visibility of compliance is integral to the integrity and sustainability of an organization’s employees and business strategy. Compliance blends a rules-based approach with a values-based approach to reconcile ethical expectations with legal obligations and technical requirements.

Professionals who work with interpreting legal and regulatory guidance and implementing these into business practices will likely recognize the acronym “GRC.” GRC stands for governance, risk management, and compliance. This umbrella term integrates these functions to describe the operational activities undertaken by an organization to execute plans, manage risk, and encourage integrity.

The GRC model refers to process themes, not necessarily functional units of an organization. Indeed, the three themes of GRC may be included in operational tasks and across numerous independent departments, including HR, finance, IT, audit, and at the board level, in addition to the obvious areas such as risk, legal, and compliance.

GRC can be seen as a discipline that seeks to coordinate the flow of information and ownership of risk so that the activities and processes it encompasses are effectively and efficiently incorporated. As organizations become bigger, this discipline becomes all the more important for keeping channels of communication open and clear, both up and down silos as well as across business areas.

Ethical decision-making thrives in an integrated system where objectives are clearly expressed and information-sharing is transparent and relied-upon.   Elevating a coordinated GRC discipline can foster a communication regimen in an organization where reasonableness and feedback rather than heuristics and routine dominate. Equity and integrity can thrive if actions are taken openly and cooperatively rather than in isolation.

In the ever-changing regulatory landscape of modern business, it is so important that an organization’s GRC activities be coordinated so that work is not duplicated or wasted and gaps are filled rather than passed over with tunnel vision. These functions share stakeholders and objectives, and therefore should share information to maximize meaningful impact and minimize redundant effort.

The basic concepts of the GRC approach are all useful for a compliance officer or other professional to consider:

  • Governance: This refers to the management control framework used by an organization’s senior leadership, relying on management information from across the organization in order to direct and control the overall strategy and operation of an organization. This concerns major existential questions for the organization, such as – what are the roles of leaders at all levels? What are the reporting mechanisms and what checks and balances exist for these? How does business strategy translate into directions to various business units and how are these instructions communicated to employees? Having an informed perspective on the organization’s governance objectives is very important for a compliance officer because this gives insight to the tone at the top and the mechanism through which these critical values become concrete practices.
  • Risk management: Risk management is the identification, assessment, and response to risk factors which may have an impact on an organization’s activities. This also includes considering risks judged not to have an impact, and verifying that this evaluation remains correct and current as fluid business objectives and conditions change. All organizations are subject to some risks, such as operational risk, technological risk, and financial risk, while others may be determined by the industry in which they operate, such as market risk, liquidity risk, political risk, third-party risk, and product-specific risks. Risk management entails planning and implementing controls in order to address these risks, either by mitigating them, changing strategy or practice to eliminate them, accepting them, or transferring them to a service provider or partner who is positioned to best respond to them. Legal, legislative, and regulatory risks are of particular interest to compliance officers, as are compliance-centric risks such as reputational risk. Compliance officers should take risk identification and assessment well into account when planning compliance program objectives so that these can be fine-tuned to the emergent and most important needs the business faces in this area.
  • Compliance: Of course, staying in good standing with supervisory authorities and ensuring that business practices and procedures meet the standards and requirements set by external laws and regulations as well as internal policies and procedures ensures that the work done in governance and risk management activities is properly directed and sufficiently supported. An ongoing assessment and prioritization of the compliance program’s effectiveness and appropriateness is necessary to ensure that the controls in place are up-to-date and working as intended.

The themes above are all germane to the objectives of a compliance program and can be referred to in seeking buy-in from senior management or supervisory board members, with whom ultimate responsibility for establishing and executing these systemic processes rests.


Creating employee awareness for cybersecurity risk management

Cybersecurity is one of the major risk areas for businesses of all sizes and a frequent examination and enforcement priority for regulators. The challenges posed by cybersecurity are diverse and serious – data privacy, breaches of sensitive customer or employee information, business continuity, reputational risk due to information leaks or data loss, physical and financial damage to IT network or infrastructure, and more.

Addressing these threats posed by possible cyberattacks or security weaknesses is very important for organizations, but all protective measures rely upon engagement of employees in accomplishing this objective. Obtaining this engagement requires effective communication to employees to raise their awareness and encourage their understanding of the daily objective at hand.

  • Make relevant policies accessible, relatable, and easy to understand: In order for employees to understand their responsibilities in a cybersecurity program, the governing policies and procedures must be simple and straightforward. The policies should be easy to locate on the organization’s intranet or in the policies manual or employee handbook. They should be written in plain English and provide the essential information and guidance necessary for employees to understand what they must do to protect the company and themselves. Individual objectives and obligations should be highlighted and reinforced by line managers.
  • Connect cybersecurity program to stakeholder commitments: For all employees who are not IT professionals, the risks inherent to and controls necessary for cybersecurity may seem abstract. However, there are fundamental organizational values which can be concretely attached to the objectives of a cybersecurity program. Taking the privacy of customer and/or employee data seriously is not an esoteric concept; this is important to every employee on a personal level. Being trustworthy and transparent about this goal, likewise, is something everyone can support for the good of the organization. Establish a connection between the goals of the cybersecurity program and the company’s stakeholders such as customers, business partners, and regulators/supervisors. Emphasizing these duties will enable employees to see how important cybersecurity controls are to those relationships.
  • Set expectations for personal responsibility: As with all compliance risk topics, the tone at the top is critical to establishing the mood in the middle and the buzz at the bottom. Employees will not prioritize a topic unless leadership clearly and sensibly advocates for its importance. Senior management should express that each person working in an organization has individual accountability for protecting the company from cybersecurity risks and attacks. An employee’s responsibilities may seem minor or not worth publicizing, but these practical measures are often the most fundamental in keeping the organization’s IT systems secure.
  • Emphasize conduct and basic good practices: Every compliance program begins at the beginning. The building blocks of security protections must be strong starting at the most fundamental measures. Advanced protocols and encryption methods are not the message to take to the general employee population. Rather, focus on their own individual conduct and best daily practices, such as caution with data handling to avoid human error like inadvertent e-mails or lost devices and files. It is imperative that the workforce understands and takes responsibility for managing these simple, widespread risks from their own behavior.
  • Publicize successes and take action on failures: The organizational message of open seriousness about cybersecurity risks should be consistent. When there are successes – such as proactive identification and remediation of a security weakness without a data breach, or improvement in employee conduct around reporting phishing emails – publicize them and discuss them. Positive reinforcement is key. However, when there are failures – such as the detection of an unauthorized intrusion or a string of employees losing laptops and flash drives – then these too should be communicated broadly and acted upon promptly. In this case it is not negative reinforcement but rather directed analysis to improve in the areas which current evidence shows need the most work.

With the broad landscape of cybersecurity risks in view, and the methods and objectives of cyberattackers evolving continually, control frameworks for cybersecurity will remain an ongoing project in compliance programs. Creating and maintaining basic employee awareness of and sensitivity to these risks is crucial to ensure that all other controls can be as effective as possible.


Tips for e-mail handling of confidential information

To most people it’s impossible to imagine the modern office without e-mail as the primary mode of communication. With the widespread popularity of tablets and smartphones moving our e-mail accounts from our desktops to our cell phone screens and everywhere in between, the risks attendant to this ubiquitous use of e-mail are always at the forefront of compliance concerns surrounding the handling of confidential information. To handle this, ongoing controls are advisable to ensure that the flow of information is protected and restricted to sharing on a need-to-know basis only.

  • Determine recipients carefully: Recipients should be determined case-by-case by the purpose of the e-mail. Senders should also consider whether the information is intended to be used internally (for information purposes only) or also at a later stage externally (such as for promotional purposes). In general, recipients should be as limited as possible. Include broader stakeholders more remote to the work that the confidential information concerns only insofar as they are known to be interested (for example Compliance, Legal, or other functions serving the business line). Seek to avoid administrative burden on the sender to update standing lists to tailor them to a particular message, as this is where human error can lead to inadvertent dissemination.
  • Consider most appropriate method of distribution: Use individual addresses, not group mailboxes, to control the recipients, as group mailboxes can be under collective and changing ownership. Posting messages on shared, secure intranet or internet sites may be an attractive alternative to e-mails. This can help to prevent accidentally incorporating unintended recipients, but the community or site needs to be closed and carefully administered.
  • Remember strict criteria for sharing confidential information: Generally, confidential information should only be shared on a need-to-know basis, not like-to-know. Possessing confidential information should be seen as a responsibility, not a privilege, and seeking access to this information or inclusion in communications that share confidential information should be discouraged unless there is a work necessity. As a broad rule, e-mails sent to individuals or groups without first informing them of their responsibilities with handling confidential information should contain public information only.
  • Seek review/approval before dissemination: Think of clicking “send” on an e-mail as publishing the information contained within it. Are your messages up to publication standards? It would be wise to have those which contain confidential information reviewed first by business management before circulation. Management should also be comfortable seeking advice from Compliance on whether sharing the information is appropriate in terms of content or recipients if necessary.
  • Include disclaimer language regarding forwarding/use of information therein: Even with the above points considered, it still could be wise to add disclaimer language to the e-mail to discourage erroneous distribution or misuse. E-mails can easily be printed, forwarded, or copied and pasted, and a disclaimer does not technically prevent any of this; it is a deterrent and a statement of expectations, not a substitute for the recipient and distribution controls above. Standard disclosure language could be, for an example: “Information in this transmission is intended only for the person(s) to whom it is directed. Any disclosure, copying, forwarding, re-publishing, or other dissemination of the information is unauthorized. No liability is accepted for any unauthorized use of the information contained herein.”

Using e-mail has become second nature to most people, but communicating confidential information always merits extra caution. Considering the above control framework can help to use e-mail more carefully and wisely to ensure that confidential information is not mishandled or inadvertently disseminated.


Guiding principles for a compliance advisory practice

Guiding principles formalized in mission statements or charters have long been seen as essential to positioning businesses and the individuals in them for success. Virtually every major organization has such a mission statement at the center of its business principles, which is used to succinctly define its internal strategy as well as to represent the image it wishes to present to its stakeholders and the public. Famously, the business or personal mission statement is prominently featured in Habit 2 of Stephen R. Covey’s The 7 Habits of Highly Effective People. This reasoning indicates that acting with a defined purpose and memorializing it by creating a formal mission statement for this credo gives power and motivation to decision-making. This concept can be powerfully applied to a compliance officer working within an advisory practice, a function which is greatly supported by having a basis in well-articulated guiding principles and values.

  • Express and adhere to a bright-line scope within the advisory model. Defining and sticking to a scope is essential for success. The compliance officer’s role must be well-defined and meet shared objectives determined by business needs and risk awareness analysis. The compliance officer who fails to plan scope adequately fails to plan in the grand scheme of efficient and strategic self-positioning. An advisory model is not a finite scope of work, such as in the Legal function where an issue-limited “go or no-go” opinion is often expected. Nor is it an operational approach, such as in Human Resources, where queries on and exceptions to practices and procedures are handled case-by-case. Instead, the compliance advisory anticipates both solicited and unsolicited advice and focuses on building a practice with business management where both modes are equally appreciated and expected.
  • Promote a risk management profile consistent with the clearly-defined role of compliance. A successful compliance advisor must represent and broadcast a profile consistent with his or her position in an integrated system of compliance risk management. Ownership of risk must be thoughtfully distributed and articulated. In the popular three lines of defense model, for example, the business is responsible for management control in the first line. Independent assurance is owned by audit in the third line. Compliance sits in the second line responsible for risk and control oversight functions. Strict adherence to this model or any other defense structure is necessary to promote the establishment, implementation, and evaluation of effective controls.
  • Pro-actively align with colleagues in other functions to strengthen integrated efforts. Strategy for compliance advisors often focuses on gaining buy-in from business management. Foundational to this, however, is successful cooperation with other functions that also face the business from an oversight perspective. Compliance advisors should value cooperation and coordinated efforts with close peers before communicating to others. This starts with fellow compliance colleagues but extends immediately to frequent partners such as Risk, Legal, Finance, and Human Resources. All of these functions succeed in their work because of reliable credibility within the organization. High cohesion among the partner functions is crucial to model collaboration and prevent the business from shopping across functions to find favorable outcomes.
  • Incorporate the spirit of customer excellence/continuous improvement practices. A compliance advisor should embrace a service-oriented and relationship-focused way of working. In a clear and evolving view of what is needed to support the compliance function and from whom, imbuing the role with a commitment to ongoing improvement of advice provided, with the cooperation and expertise that entails, will help to maintain relevance and flexibility. Feed-forward input from business partners and a focus on efficiency and evolution helps to make sure that compliance initiatives have the support they need to be implemented and compliance investments can be viewed as integral to business strategy.
  • Demonstrate added value to business partners. Successfully persuading management that compliance adherence can support commercial sustainability under the right circumstances, rather than undermine it, more than justifies the costs of implementing and maintaining effective compliance controls. In giving advice, compiling reporting, providing and analyzing management information, and updating on the intersections of business objectives and regulatory developments, compliance advisors can earn trust by demonstrating integrity as a core practice. Once this becomes a genuine shared goal, compliance can not only add value to the business, but indeed be seen as an active participant in these interests.

The ideal compliance advisory profile is one of an individual who is trusted, professional, and collaborative.  This profile, in combination with strong guiding principles setting ground rules about scope, role, and sustainability via high standards and added value, is the basis for the compliance advisor’s way of working, promoting a progressive and professional profile that is visible to the business served and functional partners.


Selected TED/TEDx talks for compliance and ethics insights

TED and TEDx conferences and events have become important and popular venues for speakers from all walks of life – academics and business leaders, but also ordinary people who have had inspiring or extraordinary experiences – to share their insights and stories.  Given how ever-present ethics and morality are in business and life, many talks touch on useful compliance topics.

  • Creating Ethical Cultures in Business (Brooke Deterline) – We must question why we don’t speak up on behalf of other people or ideals, and how it makes us feel after we encounter a situation where we want to say something but don’t. Challenging discomfort and fear can help us advocate for each other and our principles and create corporate cultures where standing up courageously and speaking our values is seen as safe and helpful. Courage is an inspiring and powerful antidote to corruption and unethical behavior.

  • Building Business on Character Ethic (Kevin Byrne) – Commercial profitability and competitive advantage dominate most metrics of business success, but how can these be achieved and sustained without integrity? Taking care to do the right thing in all areas of business – from dealing with customers to retaining employees and everywhere in between – and avoid reputational risk are powerful drivers in building a business designed to last.

  • Why Credibility is the Foundation of Leadership (Barry Posner) – Speaking to the perennial compliance topic of tone at the top, leaders must be people worth believing and following. We evaluate whether those in senior management or supervisory positions are competent and credible. Expertise, intelligence, passion, and innovative thinking – all of these things are also necessary for leadership to succeed, but in order for anyone to believe in them, integrity must come first.

  • We Need a “Moral Operating System” (Damon Horowitz) – A strong, developed moral framework is necessary for knowing what to do with all the information and power we possess and must make decisions about how to use on a regular basis in both business and life in general. Ethical decision-making is challenging and nuanced and can even be awkward. Thinking, discussing, debating, and defining beliefs are all integral to understanding our human ability to distinguish right from wrong and make a principled choice on how to act.

  • Our Buggy Moral Code (Dan Ariely) – Confronting the theory that purely bad people are to blame for the majority of bad things that happen in society, the work of behavioral economists such as Dan Ariely suggests that human behavior is far more complex than static good or bad values. Rather, wrongdoing in decision-making is influenced greatly by intuition and context. Situational awareness and a strong affinity for personal morality are therefore important mitigating factors to unethical behavior.

This is merely a brief selection of TED/TEDx talks touching upon personal empowerment, entrepreneurship, leadership, decision-making, and behavioral economics – all topics which are linked powerfully to compliance and organizational ethics.