WHAT IS CULTURE?
Before having a read through this piece, it is important to understand what culture and corporate culture are. The Oxford English dictionary defines culture as ‘the customs and beliefs, art, way of life and social organisation of a particular country or group’.1 But how does this translate into culture within a business, corporate culture, and more specifically, with regards to compliance and the creation of a positive compliance culture?
When talking about the culture within a business, the language used is very similar to the Oxford English dictionary definition. In short, it is defined as being the personality and character of an organisation – or, in more business-like terms - an ethos and a set of shared values and beliefs. In turn, these values and beliefs drive and motivate the behaviours seen in the corporate environment. Whilst that is all straightforward enough to understand, it is more difficult to properly articulate and explain compliance culture. The Financial Crime Academy defines positive compliance culture as meaning that “the organisation’s Board of Directors, Management and employees are all committed to ensuring that all applicable regulatory requirements shall be complied with in letter and spirit’2. That would be the gold standard of what organisations are trying to achieve. Another way of putting this is that a positive compliance culture creates an environment where all staff are encouraged and empowered to say and do the right thing at all times. When it is looked at in this way, it is inextricably linked to corporate culture. A positive compliance culture cannot exist in a vacuum within what we would consider a negative corporate culture. However, having a positive corporate culture does not necessarily lead to a positive compliance culture, although it undoubtedly helps.
With all of these definitions in mind, what does a positive compliance culture actually look like? The details of this will vary for each organisation, and will very much depend on the size and the nature of the business. In general terms, a positive compliance culture is one which is open, transparent, accountable and which takes its’ regulatory responsibilities seriously. Looking at this from a more tangible and visible perspective, it is a business which is well organised in terms of management structure and responsibilities; it has well defined and positive leadership; it has multiple up-to-date training programmes in place for existing and for new staff; it encourages openness and transparency and has proper lines of communication for the escalation of issues. It emphasises doing the right thing when no one is watching – even if that takes more time and resources, and even if the initial benefits may not be entirely obvious. Most of all, it is a business where senior management sets the standard – the ‘trickle down’ effect of staff learning by example.
HOW DOES A BUSINESS CREATE AND EMBED A POSITIVE COMPLIANCE CULTURE?
As with all cultures, positive compliance culture is primarily a mindset. From a compliance perspective, it has to be supported with proper and current documentation including policies, procedures and processes. If written and implemented properly, this documentation will provide evidence of a positive compliance culture and will make great training tools and aide-memoirs. In order to reach that point, regular reviews will need to be undertaken by the departments responsible for the documentation to ensure that it is up to date and that it continues to be relevant. At this point, the only participation from Compliance should be to monitor and test that these reviews have been carried out properly and that clear audit trails exist documenting all changes. This should form part of the Compliance monitoring plan. Done well, not only does all of this documentation help to embed procedural changes within the organisation, but it also ensures that the changes being made are practical and sustainable.
Documentation is only one element of the creation of a positive compliance culture. The other elements do not have to be complicated, but the construction and implementation does require time, resources and ongoing attention – almost akin to nurturing a plant. It is not always simple or straightforward to implement and difficulties may arise when a negative culture has become embedded within a business and has to be changed. A negative compliance culture could include things such as not taking responsibility for issues; a lack of accountability; blaming people for mistakes rather than looking for the root causes; a fundamental lack of transparency and poor corporate governance. It is very easy to let these bad practices, and others, take over in times of stress and pressure. These are the times which demonstrate how truly embedded a positive compliance culture is – if it is not properly embedded, individuals will revert and regress to previous behaviour, which may well not be in keeping with the revised ethos and approach.
What are the steps to take to build a positive compliance culture? Firstly, as outlined above, it has to be recognised that it is much easier to achieve this in a new business than to change existing practices in an established one. Secondly, it takes time – probably more time than anyone thinks or wants. Thirdly, senior management has to adopt the new approach. The two phrases ‘actions speak louder than words’ and ‘talk is cheap’ are very apt here – the business leaders have to eat, sleep and breathe the new culture, and have to demonstrate it to others at every opportunity. Short cuts cannot be taken – and this is especially important when working to change the culture within an organisation. Slipping back into the old way of doing things will mean disaster. Staff will follow that example and a disconnect will be created between documented policies, procedures and processes, and the work which is actually being carried out. In many ways this is actually worse than having a negative compliance culture, and can create many additional issues, starting with the lack of honesty around the implementation of documented processes and procedures. Consideration should be given to implementing a company-wide code of conduct for all staff, which can outline all of the above, and make compliance with it a condition of continued employment.
Finally, and possibly the most important step, encourage a Speak-Up culture and mindset. Staff must feel comfortable raising issues and breaches with line management, and if they feel that issues are not being taken seriously enough, have clear lines for escalating matters. This comfort is not just in relation to their own job security but also that issues will be dealt with and will not be ignored, or covered up. All of this encourages open and transparent communication, which is essential for a positive corporate culture, not just a positive compliance culture.
There are all sorts of other tools available to create and to embed a positive compliance culture - team building exercises; life and career coaching; compliance seminars and workshops; positive recruitment; leadership etc, but the one important point not already covered is the actual compliance team. Many skills make up a good compliance officer not least of which is communication, especially the ability to listen and to translate information. It is also imperative that the team are approachable, able to build relationships and to network, and are trustworthy – the business must be able to rely on their advice, so it is vital that they have the confidence to say that they aren’t sure and will confirm the answer to a question, rather than guessing or providing the wrong information.
ONCE CREATED AND EMBEDDED, HOW DOES A BUSINESS MAINTAIN A POSITIVE COMPLIANCE CULTURE?
Once the positive compliance culture has been created and is starting to be embedded in the business, the key to maintaining it is to remember that it is a constantly evolving and changing organism – going back to the plant analogy. It cannot be ignored or left alone; it requires regular attention to ensure that it has not veered off from the path, and that it is still functioning as expected. This attention can take the form of many things – ongoing training and CPD3 standards for staff; impressing to staff the importance of what is being done and why it is being done, of the changes being made, of accountability and responsibility and of communication and transparency. The building blocks which were put in place initially will require monitoring to ensure that they are still fit for purpose – as the organisation develops and changes, so will these. Early intervention should prevent issues from arising, or in a worst-case scenario, ensure that issues are dealt with swiftly and efficiently.
Constantly referring back to and making reference to the positive compliance culture is another tool which can be used to reinforce and to embed the changes. These actions make it clear to all staff that the effort and work put in was not just for show, and that the organisation is serious about change; about doing the right thing and, returning to the phrase used earlier, ‘that actions speak louder than words’.
HOW IS THE EFFECTIVENESS OF THE POSITIVE COMPLIANCE CULTURE MEASURED?
There are various steps which can be taken to measure the effectiveness of a positive compliance culture. Firstly, records will show which staff members have successfully taken the required compliance training, and if there are any outliers. Secondly, what do the incident logs reveal? This isn’t necessarily about the number of incidents, but about the quality and transparency of the recording, including investigative actions and remedial work undertaken. Thirdly, instinct, which, of course, it is not possible to measure. But how does the organisation feel? To gain feedback on some elements of this, staff surveys could be undertaken. External reviews and audits could be conducted to assess the effectiveness of the policies, procedures and processes in place.
FINALLY, WHAT BENEFITS ARE THERE TO THE ORGANISATION IN RELATION TO HAVING A POSITIVE COMPLIANCE CULTURE?
The benefits to the organisation are both external and internal. From an external perspective, having a positive compliance culture leads to an enhanced reputation, both within the industry and for customers. In an increasingly competitive market, this is essential. It builds trust – not just with customers, but also with the regulators. This can, depending on the business, pay dividends in the form of reduced oversight and fewer regulatory visits. More importantly, this means that when regulatory changes do take place, the business is well placed to handle them, and often manages to do so at a much smaller resource cost compared to competitors, and in a manner which is more business friendly. From the perspective of the regulators, it means that they can rely on and trust the information which is provided to them, and that they can have constructive dialogues with the business, especially with regards to market developments and initiatives. It also means that regulatory visits are constructive for all parties, rather than becoming antagonistic and fraught.
What other benefits are there? With an enhanced reputation, it becomes substantially easier to retain clients, which has a positive impact on the cost base. It is far more costly financially and far more labour intensive to try to attract new clients to replace ones which have left. Competitors may be cheaper, but dealing with a trustworthy company is invaluable. Having a positive compliance culture makes assessing new business opportunities much smoother, and eliminates the less viable concepts at a much earlier stage, which saves valuable resources, and allows them to be used on the more viable ideas. It may even provide additional business opportunities, spotting gaps in the market and challenging existing practices and thoughts.
From an internal perspective, having a good corporate culture, of which compliance forms is just one element, leads to greater staff retention – staff tend to be happier, more productive and have confidence and trust in the business. Greater staff retention means lower recruitment costs – both financial and in terms of hours spent interviewing and training. It also makes it easier for new joiners – and people will be keen to join the organisation because of the reputation and culture. Staff can have confidence that they will be well treated, and that if an incident does occur, and even with the best compliance culture possible, this will happen, the environment is structured to be supportive and constructive, rather than blaming and shaming. Incidents will be identified as early as possible, with proper investigative and corrective actions being taken swiftly. That in turn satisfies the regulator that the business is being governed robustly, that senior management take their responsibilities seriously and that the business is trustworthy. Taking that one step further, the business becomes one which staff are proud to include on their CV or resume, rather than one which they feel the need to justify or explain away.
The starting point of an organisation will dictate how much work all of the above takes. It can be a lot of work to challenge the status quo, to change mindsets, to get buy-in, not just from senior management but from all staff and for the changes to be so well embedded that they become the default position and approach, even in stressful times. For such a huge amount of work, many of the benefits are intangible and often invisible, which can cause ructions with senior management who may prefer that time, money and effort to be spent elsewhere – a sure sign that the compliance culture needs to be improved!
The conclusion has to be that creating and maintaining a positive compliance culture can only benefit an organisation and is worth all of the time, money and resources that it takes. The risks associated with not taking this action, of not properly embedding the changes or of just not bothering could be significantly more costly in the long run. These risks include financial and legal ramifications, as well as reputational damage. The ultimate risk for a financial services company is the removal of permissions and authorisation, leading to the failure of the business.
[1] www.oxfordlearnersdictionaries.com
[2] Financial Crime Academy – www.financialcrimeacademy.org ‘Culture of Compliance: The Business Benefits’.
[3] CPD – Continuous Professional Development