What makes a good compliance culture can be deconstructed into multiple components yet it is instantly recognizable. It is strong and functional yet in no way hinders the development of profitable new business and can adapt to market, technological or regulatory change. A good compliance culture is represented across all levels of the organization ensuring a coherent and integrated approach to compliance throughout the company. The essence of how staff, managers and executives interact and work is towards a common goal and value system based on mutual respect, integrity and ethical behaviour focused on the long term health of the business, not just short term gains.
In the wake of the financial crisis, good compliance culture and ethics are commonly touted by regulators and governments alike as key to promoting both trust and confidence within the financial system and regulatory bodies charged with their oversight. Equally without the credible threat of regulatory enforcement, it is questionable whether a good compliance culture would be possible. So what are the key ingredients?
The framework for organizations that are serious about embedding a good compliance culture within their business is based on the following:
- Tone at the top: Corporate strategy partnered with legal, risk and compliance
- Tolerance statements aligned to policy measures and triggers, including swift remediation and proactive compliance risk management
- Governance and accountability with supervision, discipline and swift investigatory processes tied to performance management
- Risk assessment, ongoing monitoring, testing and reporting (internal and external)
- Ongoing Training, guidance and development aimed at all levels of the organization
- Robust regulatory and active supervisory regime
Tone at the Top
The tone at the top sets an organization’s guiding values and ethical behaviour. Executive commitment to invest in and empower compliance, risk and legal resources creates the appropriate oversight and encourages staff to do the right thing. Legal, risk and compliance staff must be viewed as important and critical partners in the business and not simply as support functions. Their views are sought and followed through with respect to new business, operations, business models and planning, pricing and product development. Legal, compliance and risk staff have visible reporting lines into the Board, where breaches of compliance are taken seriously and are met with swift investigatory and disciplinary action and accountability. It then follows that the Executive, which should include the Chief Compliance Officer, Chief Risk Officer and Executive Legal Counsel, must be duly qualified, credible leaders who can take action.
Judy O’Hanrahan
A corporate strategy committed to compliance, risk and legal requirements must therefore be more than a statement of mere good intentions and must be continuously reinforced. It is where the executive takes decisive leadership and ownership of a corporate strategy strongly aligned to:
- regulatory, legal requirements
- consumer protection
- providing a safe and fair environment for staff
- implementing active deterrents of unethical or unlawful activities
- protecting institutional assets from data theft, financial crime, fraud or business disruption, and
- promoting ethical behaviours that foster respect, integrity, consistency and concern for the organization’s core values.
This should be the experience of every employee, from new starter to those who are about to leave. It should be clear to both new and veteran employees that those who represent the core endorsed compliance values and principles are promoted or hired into leadership roles and/or appropriately rewarded. Creating and maintaining the right tone at the top, aligned with a corporate strategy partnered with legal, risk and compliance, can and will increase client and employee retention, ultimately leading to the establishment of a good reputation.
Tolerance statements aligned to policy measures
A good compliance framework is not only designed to address events as they arise but also to pre-empt them by taking steps to address potential issues. In organizations that have zero tolerance for actions, or lack of action, that could lead to breaches of compliance, swift, specific, measurable, realistic and time-bound actions are taken by management to address exposures. Limits and warning levels should be built into processes and procedures with clear escalation policies that are adhered to. Notification of breaches and reporting should be well defined and transparent within an agreed structure characterized by a hierarchy up to the Board. Policies are widely understood and followed by staff, who can attest to each by aligning their procedures with them and taking an active role in their review through a governance structure.
Governance and Accountability
In order to foster a good compliance culture, good governance is established through a robust and credible three lines of defense model.
The First line
All managers and staff take ownership of a consistent compliance approach supported by far-sighted incentive structures, where staff doing the right thing for consumers, for the business and for each other are recognized, rewarded and actively promoted. Each business unit has embedded risk and compliance partners who are knowledgeable about its business processes and are senior and independent enough to influence or change behaviours and reward positive outcomes. Primarily accountable for developing controls, in tandem with procedures and policies, to prevent, detect and respond to compliance failures, they can also test their effectiveness.
Middle management are empowered to turn compliance values into practice and encourage employees to come forward with legal, compliance and ethical questions without fear of retaliation, building trust and increased levels of employee engagement.
Senior leaders hold themselves and others accountable for complying with the ideals of the agreed norms of what makes a good compliance culture. Bad behaviour such as circumventing policy or procedure must have negative consequences. It is clear to all that positive behaviour is rewarded and new recruits are screened against agreed principles and values. Finally, internal issues or matters must be adjudicated with fairness, transparency and integrity, and whistle-blowers are protected when they make a disclosure.
The Second line
Legal, risk and compliance departments ask questions about conduct, ethics and culture and do not just provide assurance on regulatory and legal technical questions. Their oversight of the effectiveness and integrity of the compliance value system must be established in every aspect of the business. Embedding compliance within the processes and procedures of business units must extend not only to laws, regulations and business principles but to best practice and proactive risk management. Their message must be consistent with that of the business and must be endorsed by the executive. They are seen as critical partners in protecting the reputation of the organization, involved in operational and strategic decisions, testing and compliance monitoring.
Chief Compliance Officers play a strategic role in the organization, cultivate the right stakeholder relationships, are trusted advisors to the business, have access to the board, drive and influence the culture and are viewed as authentic leaders and role models.
The Third line
Audits measure the corporate compliance strategy and the success of implementing a good compliance culture against the agreed tolerance statements. The annual compliance charter, plan, policies, monitoring and reporting should be tested for effectiveness and accuracy, including process-related testing. Employee surveys on culture, conducted internally or externally by third parties, are helpful in measuring the cultural pulse of the organization.
In essence, a good compliance culture is underpinned by good behaviour which must be linked to goals and an incentivized scheme that rewards respect, dignity at work, integrity and trust.
Risk assessment, ongoing monitoring, testing and reporting
A compliance risk assessment helps an organization understand its risk exposure, prioritize risks, assign ownership, and adequately resource and mitigate risks, starting with those that have the highest potential for violations of laws and regulations. Applying a risk methodology based on impact and likelihood identifies the inherent risk and, once combined with the controls in place, highlights the residual risk. This must be authorized and agreed with business partners together with an appropriate response that is monitored and reported up the hierarchy, presented in a dashboard against defined tolerances. Audit and Compliance plans should be complementary, and monitoring reviews carried out by risk, compliance and audit serve as an early warning system for potential compliance issues by sampling business unit activities, products or output.
Ongoing Training, Guidance and Development
Individuals will need additional reinforcement on ethics and compliance programs through innovative training or workshops so that staff can connect to the values through information sharing and story-telling. New starters, higher-risk staff, management and operational staff should have specific training geared towards their needs. Encouraging staff to enrol on professional compliance courses run by external parties and to become industry leaders by participating in external committees or federations further reinforces a positive compliance culture supported by external validation.
Robust regulatory and active supervisory regime
A sharp supervisory approach by an active regulator supports organisations looking to create a positive compliance culture and provides the assurance to consumers that they will be protected. Bernie Madoff’s victims, for example, would wonder how regulatory agencies such as the SEC and FINRA, which are charged with monitoring financial institutions, failed in their supervisory duty to uncover the largest Ponzi scheme in history. After all, there were warning signs and tip-offs that were ignored, missed or misunderstood. Examiners had sat in Madoff’s offices for two months in 2005 without gaining a complete understanding of the firm’s activities.
Regulators who understand how these organisations operate and are able to unravel what appear to be complex activities promote ethical behaviour and protect consumers. Focusing on matters associated with good corporate governance and operational risk, backed by a credible threat of enforcement, wakes organisations up to the realities that created the perfect storm that was the financial crisis of 2008.
In conclusion, organisations with a good compliance culture create lasting relationships with clients, customers, employees and suppliers. This ultimately leads to a good reputation in the market and a positive brand that in turn will attract long-term investors. It is evident from scandals involving high-profile companies such as Madoff, Enron or Anglo Irish Bank that implementing and maintaining a positive compliance and ethical culture ensures organisational survival and contributes to the stability of the financial system, something that regulators recognize and are therefore scrutinizing as part of their supervisory regime. It is a reciprocal relationship between organisations and their regulators. Without the credible threat of regulatory enforcement extending to personal liability of senior management, compliance and ethics may be mere check-the-box exercises or be seen as obstacles to new business. Nonetheless, organisations that encourage mutual respect, dignity at work, integrity and honesty among staff and management lay the foundation for not just a good and positive compliance culture but a truly sustainable work environment that is recognisable by its outperformance and endurance.