We hear a lot about compliant cultures and their importance in today's business landscape ' but what does it really mean to build a culture of compliance? What does it entail? And more fundamentally, why is a culture of compliance needed at all?
Why Is a Culture of Compliance Needed?
Today, several factors coalesce to drive an unprecedented focus on governance, risk and compliance. One factor is an ever-growing regulatory burden.
Public perception and corporate reputations are increasingly defined by a company's ethical performance and the threat of penalties for those who breach compliance requirements.
Whether you are trying to comply with external legislative, industry-specific or internally mandated standards, many businesses struggle to keep up with their obligations.
To deliver on your accountabilities, it's vital that compliance is embedded within the business; an overlay of compliant activity cannot redeem a flawed culture. We need to rethink our definition of risk and compliance to put compliance front-and-center of business strategy. But among their raft of other responsibilities, how can businesses achieve this and create a true culture of compliance?
Challenges in Creating a Culture of Compliance
In trying to build compliant cultures, organizations face several challenges. Challenges that have been exacerbated over the last year and a half as employers have tried to tackle the dual challenges of business-as-usual and the coronavirus pandemic, which has made for a decidedly "not usual" operating landscape.
It has been particularly difficult to maintain an ethical and positive workplace culture amid the "craziness that's been going on the last year and a half," as Joshua Toas, Vice President of Compliance and Chief Compliance Officer at The Research Foundation for SUNY, described it at Diligent's Modern Governance Summit 2021.
As we move forward, our working world is likely changed forever by a pandemic that has accelerated homeworking and online culture. Compliance teams need to be aware of the need, more than ever, to engage with employees and ensure they feel connected to the business and its ethical values.
Get it right, and people will do the right thing for you wherever "work" happens. Speaking at the same event, Valerie Puckett, Chief Compliance Officer at Modernizing Medicine, noted that "whether someone is going to behave appropriately is really embedded within them" regardless of location.
Toas agrees that "The vast majority are going to do the right thing from any location. They have strong loyalty to the work. They believe in the work. They're passionate."
But this doesn't just happen: It takes a deep-rooted commitment to compliance and ethical corporate behaviors.
7 Building Blocks for a Culture of Compliance
How is this commitment created? What can businesses do to foster a genuine compliant culture? We have identified seven key enablers:
1. Set the Tone from the Top
The board and senior leaders aren't just responsible for compliance oversight; they should be central to your entire approach. The board plays a vital role in determining compliance strategy and best practice, ensuring compensation reflects behaviors in line with corporate values.
They also need to model the behaviors they espouse. The importance of "doing as I do" when it comes to leader actions cannot be underestimated. As Puckett says, organizations "need to understand it starts at the top, and the tone at the top is really important."
2. Engage Employees from the Start
What makes a good compliance culture? Puckett and Toas are in agreement here: compliance needs to be embedded right from the onboarding process.
Ethics, integrity, culture and corporate values should be the focus from the start, providing a strong foundation to help employees know what is expected. Clearly convey the organization's expectations around compliance – and not just to employees, but also at an early stage to your suppliers and other stakeholders.
3. Make the Compliance Team Real and Relatable
Bring to life your corporate ethics and values: your employees can read your policies and processes for themselves "but by speaking about them and sharing real-life stories, compliance leaders can make them relevant.
Toas has sound advice, encouraging chief compliance officers to "Engage any opportunity you're given. Take up opportunities to speak to teams. Focus on leadership programs. Be seen. Be a person. Don't be afraid to roll up your sleeves and engage with people."
Do all of this, and you will open the door to compliance, becoming a "friendly and welcoming face" that makes your business less nervous about approaching you with questions or to flag risks.
4. Embed Compliance, Integrity and Values in Everything You Do
As employees grow within their roles, compliance needs to form a central part of the overall learning strategy for the organization.
Chief compliance officers should work closely with human resources teams to build compliance-related issues into orientation and leadership programs.
Even remotely, this can be highly effective; Toas found that engagement with remote learning and development events, made possible due to technology, has actually increased, with up to 200 people attending sessions that would previously have seen 50-100. Toas believes that here, "Tech has enabled us to do so much more and reach a larger audience."
Employee engagement is key to a culture of compliance: employees need to feel bought into the corporate culture, with a loyalty that pre-disposes them to do the right thing. In the pandemic era, isolation and digital fatigue can erode employee wellbeing. Puckett and Toas advocate time away from the "intense" remote working culture, whether by Zoom-free days, an understanding that people don't need to be on camera, or encouraging outdoor meetings.
5. Ensure Compliance Teams Guide But Don't Dictate
In a crisis, it may be unavoidable that the chief compliance officer becomes a "fixer," but there is a careful line to tread. As Puckett notes, when the unexpected happens, "The good news is [the business] look to us for a fix; the bad news is they look to us for a fix."
Compliance leaders need to step in when required but should try not to get too closely involved in operational issues. If the operational issue you're being asked to fix is also something you should be monitoring for audit reasons, you could hit conflict of interest territory.
Toas addresses this by asking questions rather than suggesting answers. "By asking the right questions, I can make sure the ops folks know what they need to do, and let them figure out the 'how.'"
Puckett concurs, considering herself a "translator" between the legal team and the business to enable operations teams to figure out the best solutions for themselves. Considering whether a proposed route is not just legal, which should be the "floor" for your decisions, but also moral and consistent with your corporate values should all be part of the chief compliance officer's crisis response.
6. Clear Compliance Processes Are Vital
Regulation may tell us WHAT we have to do, but not how we have to get there. And perhaps this is where the compliance leader's skills come to the fore. In Toas' words, "the process matters." Bringing a structure and framework to your compliance processes will help you to embed the right behaviors.
Integrate compliance with your operations. Compliance is far from a standalone function. Strategies like enterprise risk management dovetail with governance, risk and compliance (GRC) to form integrated approaches for tackling the threats you face. Make compliance inbuilt to your audit, risk and governance processes; part of your big picture of corporate strategy.
7. Make the Most of Technology
This might be technology that enables you to engage with the workforce in an era of remote or hybrid working. It might be the ability to interrogate intelligent systems to gain a holistic view of governance, risk and compliance, a "must-do" recognized among the top trends in GRC.
Technology has been invaluable in enabling compliance teams to keep in close touch with their businesses through the pandemic.
Toas recounts how approaches initiated with suppliers and among tech teams (daily stand-ups, for instance) were instigated across the business during the pandemic, using the tech solutions already available to the organization. This allowed the compliance team to remain visible, maintain engagement and retain oversight of key issues.
It also allowed team leaders to ensure their teams were coping with the sudden change in circumstances and the other stresses that came with the pandemic. For Toas, these online meetings became "an alternative to walking by and grabbing a coffee" to check in on his team's wellbeing.
Puckett also responded to remote working challenges via technology, ensuring her team was contactable and keeping close contact via virtual "water-cooler chats" to ensure stress levels were managed.
Technology doesn't just help with engagement and team issues. Choose the right technology solutions to help compliance teams become more efficient and ensure that compliance metrics are more robust – supporting an inbuilt culture of compliance via accurate, reliable data.
Creating a Culture of Compliance that Endures
Companies that responded effectively to the pandemic in compliance – maintaining compliant, ethical behaviors at the heart of their operations – were generally those who had done the groundwork long before COVID-19.
Organizations that had set the correct tone, building a culture of compliance that permeated their entire business, were those best placed to weather the storms of homeworking, disrupted supply chains and employee wellbeing challenges. They have drawn on engaged, loyal employees who understand the importance of supporting corporate integrity.
Creating a culture of compliance means embedding good behaviors at all levels of your organization. It means helping people to make better decisions in following your business's rules, regulations and policies.
There are challenges, of course, but hopefully, our seven building blocks will help. Get it right, and you will be better placed for success, even in the face of the most unexpected events.
In the words of Toas at Diligent's Modern Governance Summit, "in this crazy, upside down world [...] the fact that we were focused on culture and values has really helped us. And marry that with the technology. [...] I think we've become more efficient in this environment."
Create a culture of compliance, and you are on the front foot whatever governance, risk and compliance challenges arise. You can read more about the challenges and success factors in creating a culture of compliance in Diligent's GRC Newsletter; sign up to receive it here.