The term 'compliance culture' isn't new; for years we've heard about the need for organisations to create one in order to really get on top of and mitigate regulatory and reputational risk.
And whilst the phrase 'compliance culture' (or 'culture of compliance' if you prefer) is one we all recognise, like a lot of qualities pertaining to culture, it can be hard to define.
At DeltaNet International, we imagine 'culture' as it affects the organisation itself. That is, as the DNA that runs through the business colouring its everyday operations.
After all, workplace culture – often called 'corporate culture' – refers to the beliefs and behaviours of the workforce.
It's made up of the various values, attitudes, actions, and norms visible in those around us and regarding various factors in the workplace – one of these being compliance.
Compliance, on the other hand, is all about doing the right thing, the right way. It's about setting principles and standards and acting accordingly.
When we speak about a culture of compliance, then, these expectations are incorporated into the behaviours, beliefs, and actions of the entire workforce.
It's not enough to have written policies and procedures (whilst these are important benchmarks that should be communicated clearly, they can also feel distant from the organisation).
True Culture of Compliance
A true culture of compliance will not only point to and promote such policies but will also bring them to life – it's about doing what is right simply because it's the right thing to do – regardless of who is watching.
In short, a compliance culture is a critical area that permeates every aspect of business. If it's successful, it will influence our vocabulary, our values, our targets (and the way we achieve them), and our interactions/transactions with those we encounter.
A compliance culture is the filter through which we conduct ourselves and our business; it's never an afterthought that ticks a box.
Beyond written rules- Identify risks, manage expectations
It's important to understand that the look and feel of one organisation's compliance culture will be totally different to that of another. Cultures of compliance are never one size fits all, so it's imperative to identify the specific compliance risks that your company faces and construct a compliance culture in and about these areas.
High-risk factors might include the physical (think construction or chemical work, for example) where health and safety will need to take precedence; or else they could be technological, requiring extra attention on cyber-security and data protection principles. Some organisations, let's say financial institutions, might focus on strategic risks, raising awareness about anti-bribery, anti-money laundering or FCA regulation for example.
Compliance cultures are NEVER one size fits all
Whatever areas of compliance your message centres around, setting and communicating your expectations in these areas is paramount to establishing an effective compliance culture; one that's relevant to you.
Communication is key
Remember, your expectations when it comes to compliance are communicated in more ways than one. It's the sum of all this messaging – whether communicated purposively (think written policy, mandatory training, posters, and other learning materials) or as a by-product (visible consequences, management buy-in, risk tolerance, performance pressure, and so on) – that creates the culture guiding and framing employee behaviour.
Whilst some go unseen, these messages are nevertheless strong forces which reinforce and represent what the organisation expects from its employees, and what employees can expect from the organisation. As such, it's important these voices are united when it comes to areas of compliance you want to manage.
Codes of conduct and ways of building trust
Whilst creating and maintaining a compliance culture goes above and beyond written policies, it's nevertheless useful to begin here and build outwards.
What does a code of conduct look like?
A code of conduct is the most common policy for organisations to have. Essentially a self-regulating document, codes of conduct are designed to outline specific behaviours, either required or prohibited, as a condition of ongoing employment.
Indeed, many organisations also have supplier or third-party codes of conduct to ensure the entire supply chain is aligned with the minimum standards of behaviour they expect to see.
Recognising success- a tale of ownership and accountability
A culture of compliance is easily recognisable; it's an environment where employees know what is expected of them and in which they make good choices. In this compliant culture, leaders do more than communicate the rules to be obeyed; they model consistently good behaviour themselves.
They set the cultural tone by sharing their vision, reacting quickly (and fairly) to non-compliance, and by celebrating when employees act in a compliant manner.
Inside this successful compliance culture, strategies are delivered to monitor ongoing compliance (think inspections, investigations, regular risk-assessments and simulations to test knowledge).
Plans are also in place to manage and respond to any vulnerabilities or non-compliance uncovered by these actions – whether this is further education, increased awareness training, or other disciplinary action, the goal is to discover weak links and deal with them promptly.
This is an environment which fosters accountability. Here, designated risk owners are assigned to manage key risks on behalf of the organisation and, as custodians of compliance, these individuals have clear roles and responsibilities when it comes to the job.
They're well-trained and committed to building trust via competency and consistency; the mindset here is not to 'win at any cost', but to be transparent, to do what's right.
A successful compliance culture does not view training as a 'once and done' exercise, but as a continual process aimed at closing knowledge gaps and upskilling employees.
Employees are not forced to repeat training they don't require either (this wastes time and fosters resentment about said wasted time).
Learning here is adaptive, tailored to the individual, and can be completed seamlessly, in the flow of work.
The drive to incentivise- what NOT to do when building a compliance culture
One of the biggest mistakes organisations make when it comes to building a compliance culture is to incentivise it. Yes, compliance and positive behaviour should always be positively reinforced, but it's important to remember that compliance is about doing the right thing for the right reasons – not simply to get a reward.
Incentivising compliance is a risky business (pun intended) because it can erode the trust and commitment that's necessary to cultivate a compliance culture in the first place.
It doesn't make sense to ask employees to self-regulate, to trust their instincts, and to do what's right on the one hand, whilst simultaneously conditioning them that compliance can be bought and sold somehow.
Under reporting and over reporting- 2 sides of the wrong coin
Additionally, incentivising compliance can lead to two issues that a true compliance culture would always seek to eradicate. In fact, these enemies of any budding compliance culture happen to be two sides of the same coin: under-reporting and over-reporting.
For example, in an environment where going X number of days without a health and safety incident garners rewards:
- How likely is it that real incidents (the type that require action to prevent them reoccurring) will be reported?
- How long until under-reported small incidents build up into a larger problem, one that's potentially devastating for the company?
Likewise, inside an organisation where whistleblowing is overly incentivised and compensated, how long before employees begin to over-report or nitpick just to appear on top of things?
Fostering this kind of over-vigilance is a slippery slope into bad office politics and corporate backstabbing, quite the opposite of the trust-filled accountability culture we want to nurture.
Remember... the appearance of compliance is not compliance
Compliance – and the way your compliance culture takes shape – is an ongoing journey. It's never a destination or something that will one day be 'complete'.
Perpetual stories of improvement
Rather, think of compliance as a spectrum of maturity involving people, processes, and other tools/technology.
Depending on factors such as the size or age of the organisation, your company's position on the compliance maturity spectrum will adjust over time, as will the legislation and regulations that lay the groundwork for what compliance means.
For instance, younger companies may have cut corners in this respect. It's not unusual for start-ups and SMEs to treat compliance as a series of boxes to check in line with what the law dictates they must do.
Larger, more established organisations, on the other hand, may have been working on their compliance culture for several years, approaching compliance as it plays a positive role in driving business growth.
Tone from the top
Whilst touched upon throughout this document, we've deliberately avoided dedicating any single page to 'setting the tone from the top' – even though this element is incredibly important and often discussed when it comes to the topic of compliance cultures.
The reason for this is the true meaning of the phrase, which carries much more weight than any written theory or principle allows for. Instead, setting the right tone from the top is an integral part of the life-force enabling your company to strive for excellence in compliance.
The DNA that informs the ongoing growth, development, and success of your compliance culture begins here (and can end here too, if leaders are careless).
You must not underestimate it.
At the highest level, successful compliance management is continuous as well as sustainable.
Building a compliance culture means learning from past mistakes and cultivating an environment of continuous improvement that's observable throughout every department, from the top down.