“There’s a direct link between culture and the probability or severity of an enforcement action,”
CEO, US Financial Industry Regulatory Authority (FINRA).
When a heavy hitter talks like this, something has changed. It’s likely to affect how regulators elsewhere view their role.
Successful compliance norms always need a clear link to the company culture. What needs to change is more companies regarding this as a desirable destination. Until recently, the main emphasis has been on having the right boxes to tick for local behaviour.
Many companies now rely on sophisticated technology solutions to make sure compliance is happening. For example, Navex and IPC Systems, Inc. both offer elaborate technology answers to promote compliance. The latter, for instance, claims a comprehensive solution using risk as the main entry point. As one head of compliance has put it, such technology
“Helps me sleep at night.”
It can indeed feel reassuring knowing some benign software will alert you to potential issues. Soon we’ll be seeing genuine Artificial Intelligence (AI) on the case. This will have such a broad reach it’s hard to know how far it will go or how soon. What’s for sure is, it’s going to be sooner than a lot of people in compliance think. When people talk of “robots taking over”, this means large cost and quality makeovers.
Meanwhile, the stakes are changing. In the US, for example, FINRA assumes large firms will use compliance technology. Instead, it’s moving to a more difficult space. This is culture, and “the way you do things around here.” As FINRA’s CEO explained recently:
“Rules alone cannot address the very real challenges that financial firms have in ensuring ‘good people’ do not take actions that harm their clients and expose their firms.”
Yet that is exactly what’s happened in recent years, despite armies of compliance staff trying to stop this happening on their watch.
What companies need is not more technology, or “a culture of compliance.” Instead, a culture of doing what’s right must come to pervade the entire organisation.
For example, a new financial regime in the UK makes fresh demands on senior staff. Now they must take ‘reasonable steps’ to stop regulatory breaches. Failure to do so could make them accountable for the shortcomings.
This demand is broader than the narrow remit of compliance. It’s for a clearer focus on lines of responsibility and on culture. Senior UK finance managers must both model and embed the firm’s culture. Not just talk about it. This raises questions of how to:
- Unravel the way the new rules will affect the established culture?
- Meet regulators’ cultural expectations?
- Police the culture?
- Make decision-making consistent and with an ethical dimension?
- Adjust financial incentives for people to do the right thing?
- Adapt recruitment policies to hire more ethical employees?
- Refine and simplify controls, governance and avoid jargon and complexity?
In many of these areas, HR has an important role to play, for example helping to define principles, procedures and monitoring systems.
Making sense of culture
Transparency and cyber security seldom trigger changes to internal procedures, according to a recent EIU study. Nor are codes of conduct being much affected. The main focus in so many places remains on narrow legal compliance. Undaunted, FINRA in the US will now use five indicators to assess a firm’s culture. These are best summed up as five simple questions:
- Are control functions valued within your organisation?
- Are you trying to identify risk and compliance events?
- Do you tolerate breaches of policy controls?
- Are supervisors effective role models of the firm’s culture?
- Do you seek out and deal with company locations not conforming to cultural norms?
This is just a starting point. FINRA expects to produce a more sophisticated approach. This will identify what cultural information makes a difference in revealing unacceptable risk situations. Many metrics purport to show compliance and culture at work. None has universal acceptance.
For example, how valid are exit interviews for making sense of a company’s culture? Or how useful is it for a firm to rely on an independent third party to report on its current practices? “Very important,” say the experts, as you’d expect.
The single most important measure to indicate a culture that is promoting “doing the right thing” is having ethically engaged employees. Yet less than 8% of firms have such engaged employees. That is, people willing to stick their heads above the parapet and report wrongdoing.
Towards a cultural solution
Some companies do see their compliance programs as building a culture of integrity and respect.
Encouraging people to speak up about wrongdoing implies a culture where compliance staff need expertise in:
- Human behaviour, how to promote company-wide change and how to be inspiring communicators
For this to happen, perhaps the CCO should also head up Human Resources, or vice versa?
B. Dipietro, Chasing the ‘Holy Grail’: How to Measure Compliance? Wall Street Journal, May 23, 2016
IPC expands portfolio of comprehensive compliance solutions, AT Monitor, May 23, 2016
Finra’s Ketchum Warns of Dangers of Poor Firm Culture, Think Advisor, May 23, 2016
Benchmarking Your Ethics and Compliance Programme in EMEA & APAC, Navex, Feb 18th, 2016
D. Strachan and J. Kershaw, Can culture really be ‘policed’? CIPD, 2 Jun 2016