Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Corporate cultural change: Awareness and dialog, not training

This is the final entry in a series of five posts suggesting best practices for implementing corporate cultural change. For an overview of all the tips on this subject, check out this preview post. The first post in the series was about tone and conduct at the top and the importance of operationalizing these. The second post discussed how to tangibly encourage organizational justice via consistent, visible investigation and enforcement efforts. The third post focused on policies to have in place, while last week’s post was about the procedures to complement and support those. Today, the fifth and last post in the series will provide ideas for how compliance programs can go beyond traditional training to create a culture in which risks and values are addressed and integrated into awareness and communication efforts.

The last four posts have discussed the management controls and organizational structures that are important to implement in order to address needed cultural change and manage compliance risks. The focus so far has been on motivating management to act as leadership (and leadership to act as management), and then taking advantage of their fluency to leverage buy-in for the enforcement efforts, policies, and procedures that will contribute to reform and improvement initiatives. The final area for compliance and ethics professionals to take on in this process is employee and organizational education.


Using ethical dilemmas for creating a compliance training dialog

For effective compliance training, learners must be prepared to discuss and challenge dilemmas independently and with others. The details of specific policies, directives, and regulations can quickly become very dry and irrelevant, whether the audience is made up of compliance officers, senior managers, or new starters. To prevent topic fatigue and keep important compliance training vivid and engaging for those attending awareness sessions, it is important to encourage discussion. An active participant will think, care, and learn more than one who is just watching the clock for the end of the program.

One way to spark discussion that can be employed at all levels is using ethical dilemmas. This is effective either as a stand-alone program, where attendees are introduced to ethical dilemmas and spend time in groups discussing their ideas and views, or as an icebreaker to a content session, to grab the audience’s attention and test their knowledge from the beginning. This can provide an approach to then thinking about the practical handling of compliance subjects that is both easy and enjoyable.

Considering and responding to ethical dilemmas helps learners to build fluency with ethical decision-making and evaluating potential conflicts of interest, especially in balance with their own possible interests. Giving meaning to the impact of behavior and choice is significant for establishing cultural values that emphasize individual responsibility and integrity. Dilemma analysis involves several simple but thought-provoking steps following the prompt:

  • What is the ethical question?
  • What personal values are relevant in considering this ethical question?
  • Who are the parties with interests in this dilemma?
  • What are their interests and how do they conflict?
  • How can the ethical question be answered and what are the potential consequences?
  • What is the decision in response to the ethical question?
  • Is the choice that came out of the decision-making process possible and practical to carry out in light of all considerations and consequences?

Ethical dilemmas used as such for prompts in compliance training should be universal and straightforward. In general, dilemmas used to teach this style of thinking to beginners or to instigate audience participation at the start of a session should not focus on specific employee responsibilities or business functions. For very advanced and targeted audiences it may be acceptable to give an anonymized example of a dilemma they may come across in their work, but for the most part, daily life dilemmas are more relatable and more fun to discuss, regardless of the experience level of the participants.

Some examples of simple dilemmas that can be analyzed as described are:

  • You are meeting some friends at a standing-room-only concert and arrive late. As you approach the venue you walk past your friends, who got there early and are waiting near the front of the line. They tell you they have been there for almost two hours and invite you to join them where they are in the line, even though the end of the line is very far behind them.
  • Your company has been considering some wellness initiatives to offer to employees as benefits but hasn’t contacted any providers yet. Your roommate just finished yoga teacher training and wants to get experience as a corporate instructor.
  • You are taking an exam after studying hard for days to prepare and attending every class the entire term. However, you woke up this morning with a terrible cold and can’t focus. You know the professor will not allow a rescheduled or make-up test. There is no proctor in the room and you have all of your course material with you.
  • You and your partner have a joint bank account where you are both named. Your partner is one week into a two week trip abroad when a letter comes from the bank. You have to fill out and return a form with both your and your partner’s signatures. If you don’t return the form within two business days you will not be able to use your credit card.
  • You are taking your relative to an urgent doctor’s appointment. The parking lot is quite busy but all three of the parking spots designated for disabled drivers are empty. Your relative has no problem walking, but you are already five minutes late for the appointment.

Choosing simple prompts like the ones suggested above will allow the learners to be more creative and perhaps to even engage in discussion with themselves. The facts may be straightforward, but the huge array of perspectives and outcomes that people can suggest is always impressive. By keeping the dilemma prompt at a level everyone can understand regardless of his or her own background and initial interest, the dialog can be truly inclusive. This allows the person who is running the training session to fall into the role of a true facilitator, which offers the enriching experience of watching individuals converse organically on these provocative questions.


Creating employee awareness for cybersecurity risk management

Cybersecurity is one of the major risk areas for businesses of all sizes and a frequent examination and enforcement priority for regulators. The challenges posed by cybersecurity are diverse and serious – data privacy, breaches of sensitive customer or employee information, business continuity, reputational risk due to information leaks or data loss, physical and financial damage to IT network or infrastructure, and more.

Addressing these threats posed by possible cyberattacks or security weaknesses is very important for organizations, but all protective measures rely upon engagement of employees in accomplishing this objective. Obtaining this engagement requires effective communication to employees to raise their awareness and encourage their understanding of the daily objective at hand.

  • Make relevant policies accessible, relatable, and easy to understand: In order for employees to understand their responsibilities in a cybersecurity program, the governing policies and procedures must be simple and straightforward. The policies should be easy to locate on the organization’s intranet or in the policies manual or employee handbook. They should be written in plain English and provide the essential information and guidance necessary for employees to understand what they must do to protect the company and themselves. Individual objectives and obligations should be highlighted and reinforced by line managers.
  • Connect the cybersecurity program to stakeholder commitments: For all employees who are not IT professionals, the risks inherent to and controls necessary for cybersecurity may seem abstract. However, there are fundamental organizational values which can be concretely attached to the objectives of a cybersecurity program. Taking the privacy of customer and/or employee data seriously is not an esoteric concept; this is important to every employee on a personal level. Being trustworthy and transparent about this goal, likewise, is something everyone can support for the good of the organization. Establish a connection between the goals of the cybersecurity program and the company’s stakeholders such as customers, business partners, and regulators/supervisors. Emphasizing these duties will enable employees to see how important cybersecurity controls are to those relationships.
  • Set expectations for personal responsibility: As with all compliance risk topics, the tone at the top is critical to establishing the mood in the middle and the buzz at the bottom. Employees will not prioritize a topic unless leadership clearly and sensibly advocates for its importance. Senior management should express that each person working in an organization has individual accountability for protecting the company from cybersecurity risks and attacks. An employee’s responsibilities may seem minor or not worth publicizing, but these practical measures are often the most fundamental in keeping the organization’s IT systems secure.
  • Emphasize conduct and basic good practices: Every compliance program begins at the beginning. The building blocks of security protections must be strong starting at the most fundamental measures. Advanced protocols and encryption methods are not the message to take to the general employee population. Rather, focus on their own individual conduct and best daily practices, such as caution with data handling to avoid human error like inadvertent e-mails or lost devices and files. It is imperative that the workforce understands and takes responsibility for managing these simple, widespread risks from their own behavior.
  • Publicize successes and take action on failures: The organizational message of open seriousness about cybersecurity risks should be consistent. When there are successes – such as proactive identification and remediation of a security weakness without a data breach, or improvement in employee conduct around reporting phishing emails – publicize them and discuss them. Positive reinforcement is key. However, when there are failures – such as the detection of an unauthorized intrusion or a string of employees losing laptops and flash drives – then these too should be communicated broadly and acted upon promptly. In this case it is not negative reinforcement but rather directed analysis to improve in the areas which current evidence shows need the most work.

With the broad landscape of cybersecurity risks in view, and the methods and objectives of cyberattackers evolving continually, control frameworks for cybersecurity will remain an ongoing project in compliance programs. Creating and maintaining basic employee awareness of and sensitivity to these risks is crucial to ensure that all other controls can be as effective as possible.


Compliance 101: A quick guide

As this blog intends to demonstrate, compliance is both a subject for practitioners as well as a topic of general interest that shows up in business and the news all the time. Current and historical events, popular culture, and all types of jobs touch upon compliance subjects on a daily basis. Just as the law is everywhere in life, so are regulations and questions of ethics and integrity.

However, for such a ubiquitous subject, typical awareness of compliance matters is often very low. People may be very used to asking themselves whether events they read about in the news match their own general norms. There is often a tension between existing rules and what may be morally acceptable. This perceived discrepancy is nuanced and can prove hard to navigate without frustration.

As a prelude, ask yourself: have you ever heard of any current events regarding compliance? Or, perhaps, have you ever encountered any problematic dilemmas in your own life, which provoked curiosity about ethical choices and integrity? These could be perhaps news stories, personal experiences, or commercial situations you have observed in work or at school. These can include moral dilemmas and “catch 22” situations where commercial interests and personal obligations collide, as well as stories of crises and scandals. What have you heard, if anything, about the meaning and function of compliance?

Generally speaking, the main definitions of compliance as a discipline include:

  • Conforming to relevant laws, regulations, principles, and rules, standards and codes of conduct applicable to an organization’s activities, in letter and in spirit, or the process of doing so. This may concern gray areas, with no strict answer or universal judgment.
  • The aspiration that informs organizations in their efforts to ensure that they are aware of, and take steps to comply with, all relevant laws and regulations. This can be both prescriptive, referring to such laws and regulations that already exist, or predictive, referring to attempts to anticipate future laws and regulations.
  • Compliance also describes efforts to ensure that organizations are abiding by both industry regulations and government legislation. This practice area is often called regulatory compliance.
  • Finally, compliance emphasizes acting with integrity and therefore draws heavily from the study of ethics and morality, even extending into philosophy and psychology. A modern goal of an effective compliance program is to design governance and control structures that encourage employee and organizational integrity and create disincentives against and penalties for dishonest or unethical behavior.

Typical tasks and responsibilities of a compliance professional include:

  • Advising business partners in identifying and assessing compliance risks (of legal or regulatory sanctions, material financial loss, or reputational damage) and effectively managing and mitigating these risks
  • Modeling good conduct and prescribed values of integrity and ethical behavior
  • Training employees and management on compliance matters
  • Monitoring business implementation of key compliance policies and procedures, and reporting accordingly to management on efficacy and accuracy of same
  • Coordinating regulatory stakeholder management

Now, check your impressions about what compliance means, and consider this in concrete terms and from your own perspective. Hopefully you now have a more meaningful insight into what compliance is and means in the context of both current and historical events.


Compelling arguments to encourage business buy-in on compliance training

It is essential in all industries and job functions that employees act with integrity and in compliance with applicable rules and regulations, and this must be supported with adequate training. However, a common challenge for compliance professionals concerns how to successfully and sustainably convince senior business management to invest in and support compliance training as a priority. Regulatory changes and enforcement actions, and the necessity for ethical decision-making in the regular course of business, show us that compliance awareness should be valued. Amidst the pressures of commercial activities, changing marketplaces and political environments, and time-sensitive daily necessities, though, training on compliance topics may not always seem urgent. However, there are important incentives which can be emphasized to business partners to encourage their buy-in on this critical training.

  • Compliance training fosters prized employee engagement and encourages transparency, which is necessary to mitigate reputational risk and enable whistle-blowers. Knowledge is power, and training empowers employees to use their understanding of the regulations and policies to show good conduct and to understand the importance of acting in compliance with regulations and policies, as well as the impact of unethical behavior and the necessity of identifying and escalating misconduct where it occurs.
  • Once emboldened with knowledge by training, employees can take compliance topics forward into discussions and practical applications. Clarity and ease of discussion are important drivers of employee integrity. Simply put, individuals must first understand what they could do in order to follow a policy or regulation, before they can be asked to make a good choice in support of this. Libertarian paternalism suggests governance structures could affect behavior positively by influencing options available to deciders without disrespecting freedom of choice. Adequate training informs this approach, so that individuals have clarity and the ability to talk, ask questions, and work through scenarios in order to develop their own mental muscles on compliance topics on an everyday basis.
  • Employee awareness of compliance risk stimulates business management to act and react, creating a robust tone at the top. Senior management can be encouraged to contribute to a culture of compliance by a version of the “warm-glow” effect. Their buy-in is supported by an egoistic motivation derived from acting as role models to the employees they lead – a positive feeling that comes from being admired and adulated as an example. Employees who are actively informed about the values of compliance, ethical decision-making, and integrity will look for accountability and responsiveness from their leaders. When employees expect and emphasize this, management teams are enabled to reward good conduct and sanction misconduct, taking visible and precedent-setting action to recognize both.
  • The subject matter of compliance training is mostly accessible to employees at all levels. While some topics are more technical or demand a more academic approach to regulations and practices, the vast majority of compliance topics – to name a few, conflicts of interest, insider trading, information handling, money laundering and sanctions, anti-bribery, code of ethics – are, at least on an introductory level, practical and interesting to discuss without any prerequisite knowledge from the employees. In the post-2008 financial crisis world, many people have a good layperson’s understanding of these general concepts from the news. They even often have a desire to increase awareness and discuss these topics, but they need familiarity first. Basic sessions can give employees a first look, so that they are prepared to discuss with their colleagues and managers, while subsequent advanced sessions can develop comfort and expertise.
  • Targeted training on compliance topics helps to normalize expectations of risk ownership in an increasingly complicated regulatory and legal environment. Many employees may be open to challenging their ideas about their business practices that originated in the less comprehensive regulatory and legal landscape of the past, but they must be convinced to make compliance a daily consideration in their work. If they are not fluently aware of compliance concepts, then they may feel overwhelmed. This gives them the impression that either they are expected to be compliance officers themselves in addition to their regular tasks or that interaction with Compliance can only be a “tick the box” exercise. Neither outcome is desirable, yet both can be overcome by raising awareness and therefore promoting relevance.

The overall impression from the foregoing is that visibility with business partners is crucial for the compliance advisory function to succeed. All compliance professionals should seek to build relationships and interact on these compelling yet challenging topics in order to make them personally meaningful to business partners.