
Series: How to Develop a Compliance Culture - Think Big, Start Small - Part 2

If compliance officers ever needed a specific example of why developing a strong culture of compliance matters, look no further than the U.S. Justice Department’s announcement in October of several policy shifts meant to strengthen its enforcement against corporate misconduct.

One of those shifts is a policy that the department will now look at all of a company’s prior misconduct — civil, criminal, and regulatory actions; both in the United States and overseas — while deciding how to resolve a current case of misconduct, even if those prior misdeeds aren’t similar to whatever put your business on the hot seat today.

Consider what that policy really means. Prosecutors will want to get a sense of your organization’s fundamental approach to business conduct, and whether that approach includes a sincere interest in trying to uphold legal and regulatory obligations.

In other words, the department is putting new emphasis on trying to understand your culture of compliance.

So how, then, should a compliance officer build that culture? What small nudges can you use that, over time, will lead to big shifts toward that ethical culture companies want? Let’s try to figure that out.

Compliance Culture Matters to All Businesses

First, understand that a culture of compliance is important to large enterprises and small companies alike. That’s because the nature of modern business is changing — to a world where “compliance” is about how your enterprise conducts itself on a daily basis, rather than about filing specific forms or disclosures at specific intervals.

For example, to achieve compliance with data privacy regulations, a business must address how it collects and processes customers’ personal data. Well, most businesses collect and process customer data every single day. You can’t simply review your data security at the end of the quarter and ask, “Did we have any privacy breaches in the last three months? Nope? OK, carry on.” The company needs to assure that those processes for handling customer data are structured and operate correctly, every day. Or, if a breach does happen, the company needs to identify, contain, and remediate the damage as quickly as possible.

To do those things effectively, the whole workforce needs to be aware of its privacy obligations and care about them. You need a culture of compliance with the rules, not just a quarterly look-back to see whether something went amiss. 

Moreover, as more regulation addresses daily business conduct, that also means businesses hit regulatory compliance obligations earlier in their lifecycle — so smaller businesses need to care about a culture of compliance too. Indeed, smaller companies might need to care more about a culture of compliance, because they’ll have fewer resources to buy technology or implement compliance policies. They’ll need the right cultural mindset from their employees.

The Challenges of Developing a Compliance Culture

That said, building a compliance culture is not easy. The challenges and obstacles can include:

You don’t know the company’s baseline culture.

If the compliance team doesn’t understand what the company’s current ethical culture is (the good, the bad, and the ugly), you won’t be able to develop plans to improve the culture. So assessing the state of the corporate culture as accurately and honestly as possible is the first step.

Different locations might have different perceptions of corporate culture.

Companies with multiple offices (and especially those with offices across multiple countries) will most likely have different workplace habits and priorities; they might even have different understandings of what “ethical conduct” means in practice. Compliance officers need to understand those differences, and be prepared to bend them toward one common vision.

Senior management hasn’t defined its business and ethical priorities.

The CEO is responsible for defining business objectives and for emphasizing that ethical conduct should be a high priority for everyone. Senior management needs to declare its ethical principles (“We don’t cheat to win business,” or “We put customer service first,” for example), and then the company needs to communicate the importance of those priorities in clear messaging to employees.

Your incentive structures don’t align with compliance goals.

Those clear messages are important; so is compensation. Incentive pay, promotion criteria, perks for success on the job: they should all be structured so they drive employees to support ethical conduct, not to ignore it.

Your Compliance Culture Starts With Small Steps

Changing corporate culture is a long, arduous process; and advances in the culture will come in small steps. Even those small steps, however, can be leveraged into large drivers of change over time. So consider these ideas to implement right away.

Make workforce surveys a regular event.

We mentioned earlier the importance of understanding your organization’s “baseline” culture, through workforce surveys and analysis of internal whistleblower reports. Keep up the practice of corporate culture surveys (perhaps annually) for two reasons. First, the results will let you see how the ethical culture evolves over time. Equally important: employees will see that you’re trying to reach them where they are. They’ll hear the message that the company cares about their opinions (even if, at first, they don’t believe it).

Praise specific incidents of good conduct.

Some compliance officers believe they shouldn’t praise examples of doing “the right thing” in a difficult situation because ethical conduct should be the norm — so why praise what should be standard behavior? The intention is noble, but it’s misguided. Do call out examples of good conduct in employee newsletters, team meetings, or CEO presentations. Positive reinforcement drives home the importance of ethical conduct, and the specific examples show employees that they’re not the first to face difficult choices.

Reward team effort as much as individual effort.

Incentive compensation is an excellent motivator for high performance, but don’t end up pitting employees against each other for success. That leads to a culture of backstabbing and cutting ethical corners. Work with the HR department to develop incentives for the whole team, and incentives based on the company’s ethical priorities. Then let those incentives drive performance that’s ethical as well as high.

Define small, achievable goals.

One surefire way to leave employees dismissive of your efforts to overhaul corporate culture is to declare just that: a sweeping overhaul of corporate culture. Chief compliance officers can plan for big reforms, but give employees small, specific goals that they can achieve quickly. For example:

  • Completing all ethics training courses within 30 days of their assignment.
  • No entertaining high-risk clients without written prior approval.
  • Conducting all staff meetings in one language, where every attendee has the chance to speak and be heard. (This one is more for global teams, where language barriers can impede a strong culture.)

From those specific, achievable goals you can build onto larger ambitions.

Remember to Look at the Big Picture

For all those small steps compliance officers can take to improve corporate culture, we shouldn’t forget the “think big” part of the headline at the top of this post, either. Compliance officers can take several other steps on their own to define larger goals and be sure those smaller steps work toward them.

First, use a strategic approach. Every small step you introduce to employees (or allies in related risk assurance functions, such as legal or HR) should work toward achieving larger objectives for your compliance program. Setting a deadline to complete ethics training allows you to demonstrate that ethics is a priority for the business. Setting approvals for high-risk clients lets you see how much entertainment spending goes to those clients, which you can then compare to business received; and you can then work with business units to develop better policies about when and whether such clients are worth the risk.

Second, set measurable goals — and state them to your CEO and the board, to win their support. Without specific goals to improve ethical conduct, and a way to assess your progress toward them, you’ll fall into the rut of responding to the compliance disaster of the day. Come budget review time, you won’t be able to show your board and C-suite why investing in compliance is worth it.

Third, review your processes for managing compliance tasks efficiently. The more you can automate processes related to third-party due diligence, internal reporting, case management, and data analytics, the more you can free your time for substantive issues around policy management, complex investigations, and articulating messages about ethics — which will all be worth more in the long run than time you spend poring over spreadsheets to see who forgot what due diligence or internal control check.


Matt Kelly

Matt Kelly is an independent compliance consultant and the founder of Radical Compliance, which offers consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also hosts Matt’s personal blog, where he discusses compliance and governance issues, and the Compliance Jobs Report, covering industry moves and news. Kelly was formerly the editor of Compliance Week from 2006 to 2015. He was recognized as a "Rising Star of Corporate Governance" by the Millstein Center in 2008 and was listed among Ethisphere’s "Most Influential in Business Ethics" in 2011 (no. 91) and 2013 (no. 77). He resides in Boston, Mass.
