What makes a good compliance culture can be deconstructed into multiple components yet it is instantly recognisable. It is strong and functional yet in no way hinders the development of profitable new business and can adapt to market, technological or regulatory change. A good compliance culture is represented across all levels of the organisation ensuring a coherent and integrated approach to compliance throughout the company. The essence of how staff, managers and executives interact and work is towards a common goal and value system based on mutual respect, integrity and ethical behaviour focussed on the long term health of the business, not just short term gains. In the wake of the financial crisis, good compliance culture and ethics are commonly touted by regulators and governments alike as key to promoting both trust and confidence within the financial system and regulatory bodies charged with their oversight.
Equally without the credible threat of regulatory enforcement, it is questionable whether a good compliance culture would be possible. So what are the key ingredients?The framework for organisations that are serious in embedding a good compliance culture within their business is based on the following:• Tone at the top: Corporate strategy partnered with legal, risk and compliance• Tolerance statements aligned to policy measures and triggers, including swift remediation and proactive compliance risk management• Governance and accountability with supervision, discipline and swift investigatory processes tied to performance management• Risk assessment, ongoing monitoring, testing and reporting (internal and external)• Ongoing Training, guidance and development aimed at all levels of the organisationSupported by a:• Robust regulatory and active supervisory regimeTone at the TopThe tone at the top sets an organisation’s guiding values and ethical behaviour. Executive commitment to invest and empower those in compliance, risk and legal resources creates the appropriate oversight and encourages staff to do the right thing.
Legal, risk and compliance staff must be viewed as important and critical partners in the business and not simply as support functions. Their views are sought and followed through with respect to new business, operations, business models and planning, pricing and product development. Legal, compliance and risk staff have visible reporting lines into the Board, where breaches for non-compliance are taken seriously and are met with swift investigatory and disciplinary action and accountability. It then follows that the Executive which should include the Chief Compliance Officer, Chief Risk Officer and Executive Legal Counsel are duly qualified, credible leaders and can take action.A corporate strategy committed to compliance, risk and legal requirements must therefore be more than a statement of mere good intentions and must be continuously reinforced.Judy O’HanrahanIt is where the executive takes decisive leadership and ownership of a corporate strategy strongly aligned to• Regulatory, legal requirements• consumer protection,• providing a safe and fair environment for staff• implementing active deterrents of unethical or unlawful activities and;• protecting institutional assets from data theft, financial crime, fraud or business disruption• promoting ethical behaviours that foster respect, integrity, consistency and concern for the organisation’s core values.This should be the experience of every employee, from new starter to those that seek to exit. It should be clear to both new and veteran employees, that those who represent the core endorsed compliance values and principles are promoted or hired to leadership roles and/or appropriately rewarded.
Creating and maintaining the right tone at the top aligned with a corporate strategy partnered in legal, risk and compliance offers can and will increase client and employee retention, ultimately leading to the establishment of a good reputation.Tolerance statements aligned to policy measuresA good compliance framework is not only designed to address events as they arise but also to pre-empt them by taking steps to address potential issues. In organisations that have zero tolerance for actions or lack of action that could lead to breaches in compliance, swift, specific, measureable, realistic and time-bound actions are taken by management to address exposures. Limits and warning levels should be built into processes and procedures with clear escalation policies that are adhered to. Notification of breaches and reporting should be well defined and transparent within an agreed structure characterised by a hierarchy up to the Board.
Policies are widely understood and followed by staff who can attest to each by aligning their procedures with them and taking an active role in their review through a governance structure.Governance and AccountabilityIn order to foster a good compliance culture, good governance is established through a robust and credible three lines of defence model.The First line: All managers and staff take ownership of a consistent compliance approach supported by far sighted incentive structures, where recognition of staff doing the right thing for consumers and for the business and each other is recognised and rewarded and actively promoted.
Each business unit has embedded risk and compliance partners who are knowledgeable about their business processes and are senior and independent enough to influence or change behaviours and reward positive outcomes. Primarily accountable for development of controls in tandem with procedures and policies to prevent, detect and respond to compliance failures, they can also test their effectiveness.Middle management are empowered to turn compliance values into practice and encourage employees to come forward with legal, compliance and ethical questions without fear of retaliation, building trust and increased levels of employee engagement.Judy O’HanrahanSenior leaders hold themselves and others accountable for complying with the ideals of the agreed norms of what makes a good compliance culture. Bad behaviour such as circumventing policy or procedure must have negative consequences. It is clear to all that positive behaviour is rewarded and new recruits are screened against agreed principles and values. Finally, internal issues or matters must be adjudicated with fairness, transparency and integrity, and whistle-blowers are protected when they make a disclosure.
The Second line: Legal, risk and compliance departments are asking questions about conduct, ethics and culture and not just providing assurance on regulatory and legal technical questions. Their oversight of the effectiveness and integrity of the compliance value system must be established in every aspect of the business. Embedding compliance within the processes and procedures in business units must extend not only to laws, regulations and business principles but to best practice and proactive risk management. Their message must be consistent with that of the business and must be endorsed by the executive.
They are seen as critical partners in protecting the reputation of the organisation, involved in operational and strategic decisions, testing and compliance monitoring.Chief Compliance Officers play a strategic role in the organisation, cultivate the right stakeholder relationships, are trusted advisors to the business, have access to the board, drive and influence the culture and are viewed as authentic leaders and role models.The Third line: Audits are measuring the corporate compliance strategy and success of implementation of a good compliance culture based on agreed tolerance statements. An annual compliance charter, plan, policies, monitoring and reporting should be tested for effectiveness and accuracy and process related testing. Employee surveys on culture conducted internally or externally by third parties are helpful in measuring the cultural pulse of the organisation.In essence, a good compliance culture is underpinned by good behaviour which must be linked to goals and an incentivised scheme that rewards respect, dignity at work, integrity and trust.
Risk assessment, ongoing monitoring, testing and reportingA compliance risk assessment helps an organisation understand its risk exposure, prioritise risks, assign ownership and adequately resource and mitigate risks, starting with those that have the highest potential for violations of laws and regulations. The application of a risk methodology based on impact and likelihood identifies the inherent risk combined with controls, highlights the residual risk. This must be authorised and agreed with business partners together with an appropriate response that is monitored and reported up the hierarchy, presented in a dashboard against defined tolerances. Audit and Compliance plans should be complementary and monitoring reviews carried out by risk, compliance and audit serve as an early warning system to potential compliance issues by taking samples of business unit activities, products or output.Ongoing Training, Guidance and DevelopmentIndividuals will need additional reinforcement on ethics and compliance programs through innovative training or workshops so that staff can connect to the values throughJudy O’Hanrahaninformation sharing and story-telling. New starters, higher risk staff, management and operational staff should have specific training geared towards their needs.
Encouraging staff to enrol on professional compliance courses run by external parties and to become industry leaders by participating in external committees or federations contributes to further reinforcing a positive compliance culture supported by external validation.Robust regulatory and active supervisory