Bringing your compliance programme to life
Published on 10th Oct 2019
The compliance team in an international business is often unfairly seen as the ‘business prevention unit’. But as the minefield of regulations becomes ever more complex and fragmented, its role is increasingly important, as are its methods of moving from tick-box compliance to a culture of compliance.
Whether it is competition, data protection, bribery or sanctions, simply producing large amounts of paper and implementing e-learning programmes no longer cuts it, particularly given the information overload arriving in our email inboxes and social media newsfeeds every day. Whilst some of that paper and training may look good to a regulator, preventing compliance problems requires effective communication and practical application. In short, the paper needs to be brought to life.
We set out below a basic methodology for managing international compliance programmes and some of the ways in which those programmes can be brought to life to encourage a culture of compliance.
There is an increasing trend to appoint legal counsel to be the overseer or project manager of these risks. The role involves:
- prioritising the risks;
- analysing where the business is currently failing to meet compliance requirements;
- implementing systems and training;
- engaging the business through cultural change; and
- helping to manage a crisis situation.
The compliance function
Compliance risk is the exposure to legal penalties, financial forfeiture and material loss which an organisation faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices. Compliance risks differ between industry sectors and businesses, as does the make-up of the compliance team. However, there is an increasing trend for a number of these areas to sit within a dedicated compliance function, rather than, for example, within the in-house legal team. In broad terms, the key legal compliance areas that tend to sit within this function are:
- fraud & bribery;
- privacy and data;
- cyber security; and
- health, safety & environment.
There is a very good reason why these areas of compliance are grouped together in this way: while the subject matter of each may be different, the approach to be adopted to assess the risks and to implement compliance policies and procedures to deal with those risks is very similar.
There are therefore a number of advantages to looking at the risks holistically and adopting similar systems and procedures to manage the risks, including the following:
- Adopting a similar approach to all compliance risks will make implementation more efficient because the business recognises a consistent and uniform approach, and lessons learnt in one area can be implemented more readily across all compliance areas.
- One team of people has oversight of all business risk and can spot how the risk areas are interlinked, identify trends and allocate budget with a better understanding of priorities.
- Defined compliance targets can be put in place with measurable KPIs, which can then be used to get board engagement and show improvement across all compliance areas.
Compliance structure: the process for managing a compliance system
When leaders of compliance take up a new role in an organisation, the hope is that they inherit a well-run system. However, the more common scenario is that there is a system of sorts but there is a lack of understanding of some risks in some parts of the business and there are other areas that need updating to take account of new legislation. On the upside, this is an opportunity to implement new methods.
The obvious starting point when grappling with compliance is to understand what the business needs to be complying with and what the priorities are. A number of businesses use a risk register of some form. This can simply be a list of legislation, but increasingly, businesses are moving to grouping risks into areas or themes and ranking the risks. Prioritising in this way helps with allocating resources and working out which areas to tackle first. Prioritising risks tends to be a balance between the likelihood of the risks impacting the business and the likely costs in terms of financial penalty and reputation if the risk turns into a problem.
Once the risks have been identified, some form of gap analysis needs to be completed, to understand how the business is already addressing those risks. This inevitably involves a desktop review of documented systems and procedures but, importantly, it must also include discussions with the business. The discussions should be with every level of management as well as the “shop floor”, to understand practically where the potential risks are and whether any existing systems are being implemented and operating effectively. Open and constructive discussion with employees will provide a much greater understanding of compliance risk than simply looking through documents; plus, it will help with the implementation of any changes because employees feel engaged with the process.
Once the gap analysis is complete an effective compliance structure works around a triangle model:
Bringing compliance to life
However, while the structure is important, not least from a legal perspective, it is not enough to achieve compliance.
Imagine a global company that builds a big enough bureaucracy to ensure that all 100,000 employees in its operating companies worldwide follow each and every law and regulation. How could the CEO of that company be assured that his or her people were meeting the compliance requirements?
They cannot. Even if this company was 99.9 per cent successful in its compliance efforts, that’s still 100 non-complying personnel.
The key is to achieve a compliance culture, whereby people inherently choose to comply because it is simply the way things are done within the business and they know enough about the risks in question to apply basic common sense. Achieving this type of generative culture is difficult and is something that happens incrementally over a period of time. However, there are two essential elements.
- First, it has to be led by the Board and followed through at all management levels.
- Second, it involves open and constructive dialogue throughout the business to identify any blockages to achieving compliance.
Bringing your compliance programme to life is much more about how you get the business to engage in compliance and communicate simple messages than it is about having a detailed policy for every risk.
There are many ways that businesses can inject life into their compliance programmes, but here are our top 10:
- Draw expertise from around the business. Whilst the compliance team will have oversight of compliance programmes, it is important to enlist the help of a variety of people in the business when implementing compliance programmes. They will be best placed to understand the pressures the business is under and how best to communicate with their teams. They will also add a different perspective to the business risk.
- Avoid using the “C word”. Compliance to some people conjures up images of online training and policies that no-one reads. Be creative and use other labels to get the message out. For example, the protection of personal data can be a business opportunity as well as a compliance risk.
- Agree a set of core company risk principles. These could be around specific compliance areas (e.g. a zero tolerance approach to unsafe situations) or could be broader (e.g. all employees will speak out when they identify something that is not compliant). Set KPIs around these principles so they are measurable and use the KPIs as a way to engage with the Board and the business. Consider including compliance-related objectives in performance appraisals and reward schemes.
- Be positive and focus on what people should do, not what people cannot do. Lists of do’s and don’ts can be helpful, but start with the do’s.
- Make your documentation simple, accessible and user-friendly. Make it visual; use simple text, diagrams and video – less is often more! Think about your audience and how, practically, they are going to view and use these documents – are they mobile-friendly, for example? Hiding policy documents somewhere on the intranet is a sure-fire way of making sure they don’t get read.
- Engage with the business through visualisation and key messaging. Think of compliance campaigns as advertising campaigns. What images and core messages will best communicate the risk and what needs to be done? Consider the use of behavioural psychologists to “nudge” people towards compliance.
- Make your training engaging and include follow up. Practical exercises and crisis simulations where employees learn by doing can be very effective and fun. Don’t be limited to e-learning, reading and seminars.
- Use technology effectively. There are many good compliance tools available that will help to convey information, collect data and create useful reports and dashboards. Dedicated cloud-based platforms, accessible anywhere in the world from any device, can be a better place to store documents such as policies and risk assessments than intranets and document management systems. Consider how someone new to the compliance team can quickly lay their hands on all relevant documents.
- Don’t overuse red/amber/green (RAG) ratings in reporting. Often, the real issues behind the colour coding are lost, and it also leads towards a culture where red or amber lights are seen as unacceptable. An effective compliance system should identify a problem which can then be addressed. Think about using a 1-9 grading instead (1-3 Red, 4-6 Amber, 7-9 Green). This allows for more detailed analysis and average numeric ratings.
- “Walk the talk” – the Board and all levels of management need to demonstrate compliance in everything they do (leading by example). They also need to talk, in an open and constructive way, with employees on at least a weekly basis about the employees’ roles and any challenges they are facing. This will help to identify where and why the documented compliance systems are not working.