A “culture of compliance” is a catchphrase that has seemingly permeated nearly every other speech or article about corporate compliance for the last decade. But high usage of the phrase notwithstanding, most compliance professionals focused on anti-corruption, antitrust, or other compliance issues are likely struggling with ways to introduce and sustain elements of a compliance-oriented corporate culture.
As we recently discussed, a corporate culture that contains compliance as a core component is the veritable ‘holy grail’, and the true hallmark of an operative and meaningful compliance program. Realistically, however, it is often easier to tell what a compliance-oriented corporate culture is not – rather than what it is. Indicia of the former category, for example, are CEOs who creatively find ways to make exceptions from company disciplinary rules for high-producing sales staff, senior sales executives who press for end-of-quarter sales with an unrestrained and high decibel level message of “we need to make our numbers; I need to see results….”, and managers who let process details slide. And for all of these behaviors, there are employees who observe, process and follow their leaders’ examples.
Do what's right
Describing what a culture of compliance looks like in practice – much less how to evaluate it – is tricky. As Lori A. Richards, former director of the SEC’s Office of Compliance Inspections and Examinations, noted, “Culture is one of those concepts that everyone recognizes, but no one can define.” She went on to explain, however, that one test of whether a firm has a culture of compliance relates to whether the company has “a culture of doing not only what is within the strict parameters of the law, but also what is right — whether or not a regulator or anyone else is looking.”
How can one evaluate this in a given company? Harvard Business School professor Michael Hammer introduced the concept of a “process audit” — to assess to what degree a company’s material internal processes have become ingrained in its corporate psyche. He lays out a series of indicators for differentiating processes in their infancy from mature company processes. Using some of Dr. Hammer’s indicators as inspiration, we propose a few of our own that relate specifically to helping create and sustain a culture of compliance, as contrasted with scenarios that speak to larger cultural gaps:
| A young (or non-existent) compliance culture may exist if | A more mature compliance culture may exist if |
| --- | --- |
| Your company has a compliance program, but it is “borrowed” wholesale from others | Your company has designed the compliance program to fit the business risks unique to its facts and circumstances |
| Your company’s compliance function is seen as “responsible” for the program | The compliance function is seen as helping to lead the program for a shared (all employees) responsibility |
| The compliance function is seen as a “cost center”, particularly during budget reviews | The compliance function is seen as a critical business partner, since it helps the company generate “good business” and “clean sales” |
| Your company informs employees of their obligations under the compliance program and stresses the importance of their adherence and involvement | Compliance incentives are part of periodic employee performance reviews and compensation plans |
| Your company’s employees are aware of policies and procedures, but are single-mindedly focused on their job functions | Employees are actively involved in supporting adherence to the policies and procedures, as well as proposing improvements to the program |
| Each compliance function-led project is laborious, time consuming and feels like reinventing the wheel | The company includes compliance components within its high compliance risk operations and as part of its strategic planning process |
| Compliance personnel assess adherence to the program and recommend improvements | Compliance personnel periodically evaluate the program in relation to relevant external (industry and general leading practices) and internal (the company’s business goals and strategies) considerations |
| The compliance program’s operations and “effectiveness” are only partially documented, and then by a paper trail | The chief compliance officer uses an automated software tool as the program’s “system of record” - to manage and help visualize program operations and status |
Moving from a non-existent/young to a mature culture of compliance takes time, is difficult and is unlikely to be successful without the involvement of enlightened and committed senior management, actively supporting this progression through their “tone from the top” role(s). The Resource Guide to the U.S. Foreign Corrupt Practices Act explains the trickle-down effect of senior management’s example: “By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards. Compliant middle managers, in turn, will encourage employees to strive to attain those standards throughout the organizational structure.” And as Deputy Assistant Attorney General Brent Snyder stated, “It does not matter how comprehensive a company’s compliance program is if the senior management does not make it a foundation of the company’s corporate culture.”
The saying that the “longest journey begins with but a single step” is attributed to Confucius in the 500 BC period, and still applies today to the challenge of effecting compliance-supportive corporate cultural change. Begin with a plan identifying manageable (and preferably measurable) changes in a few discrete areas, such as working with HR to introduce compliance program components into performance reviews and compensation plans. By primarily emphasizing the business and reputational benefits of these initial limited activities, recruit a respected senior member of management to be the plan’s champion. Get some small victories and build on that success to take on other pro-compliance cultural obstacles. But above all, take that first single step.