Skip to content

The Three Cs of Compliance Challenges: Change Management, Communication, & Compliance Adoption

The "Three Cs of Compliance" are critical to ensuring the success of a compliance program. Without addressing and implementing change management, effective communication, and buy-in from all departments, organizations will be left with merely a “paper-only” compliance program.

It goes without saying that compliance does not start and end with the compliance department. But exactly how far-reaching must the message be for it to take hold throughout the fabric of the organization? Compliance officers frequently must take on more than their stated job responsibilities as mediators, coordinators, and communicators and must juggle the compliance challenges inherent in the Three Cs of Compliance:

Compliance Challenge #1:  Change Management

Corporations change slowly and are too often trapped in their old ways. This may be part of the company culture and, as many compliance officers know, changing the culture is no easy task. This in turn clashes with the goal of compliance departments in responding to new regulations and striving toward best practices. Particularly if the company has been hit with a fine by regulators and forced to change, corporate functions may fight compliance-driven changes tooth and nail.

We must remember that compliance officers are change agents. Continuing risk assessments are a sign of change, revised policies and procedures are a sign of change, enhanced internal controls are the hallmark sign of change. To effectively bring about change, compliance officers need to align themselves with allies in other departments that favor positive change as well. Whether these allies are formally designated as compliance champions or ambassadors or whether they simply support and are passionate about compliance issues, these individuals are critical to the cause.

On the other hand, alliances may form that go against the tide of compliance-driven change, undermining the mission of compliance officers. Again, to counteract this tide, compliance officers must keep close to like-minded individuals and functions, such as the head of internal audit or allies on the company’s audit committee. Forming business and personal relationships with these individuals can be as important as how the compliance program is formally presented and communicated to senior executives.

Compliance is by no means an impersonal function. Other corporate functions will not simply look up to compliance and do what compliance officers say is the right thing to do. Sales functions will not proactively approach compliance because the third-party policies require compliance approval. Compliance involves building relationships and leading by example. Internal audit is a partner and ally. Supply chain, logistics, and procurement share a common interest with the compliance department. It is important to partner and nurture these company functions. For example, there may be employees in procurement yearning to comply but they want their expertise to be considered when developing and enhancing third-party policies and procedures. These employees live and breathe due diligence on a day-to-day basis and they are the most in tune with how much risk a third-party can pose to business operations.

Compliance Challenge #2:  Communication

Effective communication is one of the biggest challenges faced by compliance officers. Compliance officers must work closely with human resources and marketing to communicate the organization’s message. This message cannot only reside on e-mail. It is too easy for managers and employees to ignore a compliance-related email, particularly if the e-mail is not customized to that employee or corporate function.

To supplement compliance related e-mails from the CEO or CCO, a compliance department may consider an internal newsletter to reach employees. A consistent compliance newsletter is a very effective tool for compliance officers. Depending on the size of the organization and available resources, a company-wide compliance day is also a fun and meaningful way to get the message across. Finally, compliance officers can craft short slide decks for company wide distribution that help senior and middle managers disseminate the compliance message at their weekly team meetings. Similar to safety messages, the compliance messages can be communicated prior to the items on the regular team meeting agenda. Whatever method is used, compliance officers need to employ strategies designed to make their messages interesting and relevant for managers and employees. In the end, it falls on the compliance officer’s shoulders to ensure that the compliance word gets out.

Compliance Challenge #3:  Compliance Adoption

Once a compliance program is scoped out and effectively communicated, the job is not over.  The critical piece of the puzzle is how to incorporate the compliance process into the essential parts of the organization. How can compliance be woven into the fabric of company culture?  Many times, sales and business development functions merely see compliance as the “sales prevention team,” so cultivating a culture that will lead to incorporating compliance processes is key. To change this mentality, compliance officers must do more to understand the business. Ask to be included in weekly sales calls with the business team, ask technical questions about the product, lead with curiosity and interest in the product, and talk to the business about how the product is sourced and manufactured. The information gleaned from these discussions will be critical in developing a compliance program and due diligence policy that is tailored for the organization. A due diligence policy should not be rushed out and forced on the business, particularly when it is not well understood or tailored to the business. Think about launching training and pilot programs and focus groups to make sure a compliance process is well understood and rightsized before launching.  If launch and adoption must be done remotely, have daily calls with the appropriate functions in the first few weeks to test the roll-out.  Remember, if the compliance process is rolled out too soon or is not tailored to the business, the compliance department will lose credibility and employees will protest that the compliance process is not practical.

Compliance Programs Impact Everyone

We have heard it before, but does it really sink in?  Compliance impacts everyone, across departments and spectrums.  If regulators hit the company with a big fine related to compliance breaches, compliance – or the lack of – affects employee morale.  Similar to a safety breach, a compliance breach will impact the company’s reputation.  A resulting fall in the share price will have far-ranging impacts as well.

Compliance impacts employees’ performance reviews with respect to completion of online training or may impact their bonus if the organization has linked completion of compliance objectives to employee bonus. In fact, organizations should make compliance a key objective in employee performance goals. For example, employees could have a basic compliance objective as part of their yearly targets and senior managers could be given an enhanced compliance objective or target that requires more skill and development. These steps will get the business to understand that compliance is much more than a check-the-box online training program.

A compliance program goes beyond the compliance team, it is a company-wide change management program to ensure that every function is aligned with the same compliance requirements. Communication is key to this objective. Compliance officers have to constantly ensure that the program and policies are communicated and reiterated to everyone in the business. In addition, compliance officers must see that the change that was effectively communicated is actually implemented, and that implementation is well thought out and monitored.   If all of these moving parts are not working together, the most important asset of the compliance program will suffer: it’s credibility.


Michael Volkov

Michael Volkov specializes in ethics and compliance, white collar defense, government investigations and internal investigations. Michael devotes a significant portion of his practice to anti-corruption compliance and defense. He regularly assists clients on FCPA, UK Bribery Act, AML, OFAC, Export-Import, Securities Fraud, and other issues. Prior to launching his own law firm, Mr. Volkov was a partner at LeClairRyan (2012-2013); Mayer Brown (2010-2012), Dickinson Wright (2008-2010); Deputy Assistant Attorney General in the Department of Justice (2008); Chief Counsel, Subcommittee on Crime, Terrorism and Homeland Security, House Judiciary Committee (2005-2008); and Counsel, Senate Judiciary Committee (2003-2005); Assistant US Attorney, United States Attorney's Office for the District of Columbia (1989-2005); and a Trial Attorney, Antitrust Division, United States Department of Justice (1985-1989).

Implement a tailored Third-Party Risk Management solution