‘Actions speak louder than words’ – it’s an idiom that’s as old as time itself yet has never been as relevant to the world of compliance management as it is today. This is a look at the importance of culture, not spend, in compliance.
By Sarah Le Breton, Compliance Quarter.
As a former regulator and law enforcer, I have had firsthand experience in working with regulated entities when it comes to their compliance frameworks, particularly when there are shortcomings that need to be examined and addressed. In most instances when you issue notices to produce, you will invariably find an impressive set of formal documents that set out the way that the company is managing its compliance with the relevant statutory obligations – some clearly have better advisors than others, but on the whole the framework will be there and the key obligations will be addressed; they have ticked that box. Or have they?
Why is it then that some entities manage to come to the attention of regulators more often, or are considered higher-risk regulated entities than others? In short, it’s because compliance is not about merely ticking a box; it is not simply about saying we have those documents in place and we have hired someone to sit in that chair and be adorned with the title of ‘Head of Compliance’. It is true that checklists, policies, audits, staff training and systems that consolidate these into a framework are important, but so is a compliance mentality within an organisation. In short, culture matters – culture is what drives conduct within an organisation; it is the subtle cue from one staff member to another that says ‘that’s OK here’. The way your people interpret and apply your compliance framework is your greatest business risk. As the saying goes, ‘integrity is doing the right thing, even when no one is watching’.
Culture in Compliance – Let’s change the ‘compliance paradigm’
It’s time that the mentality towards compliance was altered in business – that compliance was no longer considered merely a cost centre within a business (often mocked as such openly) and that directors and boards saw compliance as an opportunity to add value to the business rather than merely ‘red tape spend’. A reputable compliance history should be something that a company is proud of; it should be something that investors and customers take note of and that gives staff confidence that they are working inside an organisation that operates ethically and responsibly. I know myself that I have asked that question when it has come to considering compliance roles within organisations – could I trust these people (the business) to do the ‘right thing’ if I accept responsibility for their program?
So how can we get to this new paradigm for compliance within organisations? It starts with individuals – each and every one of us within an organisation – be that the chairman of the board, the head of compliance, the manager of operations right through to the back office. In short, it starts with culture and our ability to identify and actively manage what is known in the world of risk management as ‘conduct risk’.
Why should we care about ‘conduct risk’ as directors, managers or compliance people in an organisation? It’s because without the actions of individuals we do not see compliance failures – what drives those failures by individuals comes back to the culture in which they were operating (could they get away with that, would anyone notice, would anyone care?). It also comes back down to the business model they were operating within, which is often a stark reflection of the culture within an organisation and its appetite for conduct risk.
Quite simply, if you’re choosing a business model that places profit as the principal measure of success and rewards staff off the back of meeting those monetary targets, you will invariably encounter compliance failures eventually. It is the key question that I ask myself when I look at a new business or industry to work with – how does this business make money? A failed, outdated or ill-considered business model will never bring any good – no matter how many lawyers, risk managers, compliance staff or resources you throw at it.
Culture in Compliance – So how does a business manage ‘conduct risk’?
It isn’t easy – there isn’t one tangible tool you can simply throw at it to create culture in compliance. The approach an organisation adopts also needs to be multi-disciplinary – it needs to consider things like: how do you manage whistleblowers (do you have a program, is there a policy?); how do you remunerate your staff (is it purely based on KPIs that focus on monetary outcomes, or does it incorporate other matters like staff behaviours and broader contributions?); does the organisation have any systemic issues that keep arising, such as civil disputes (bullying complaints, harassment, discrimination, dissatisfied clients, etc.), and how does the business resolve those – deeds of release?; and how does the business define and manage conflicts of interest?
ASIC and APRA have undertaken significant amounts of work in this area and have been quite vocal in their view of the threat that conduct risk poses to business. In July 2017, Commissioner John Price announced that ASIC would also be incorporating consideration of a regulated firm’s culture into their risk-based surveillance reviews over the next four years as part of their corporate plan. It is time that business cared about culture and conduct risk as part of their overall risk management framework.
If you operate in a regulated industry (particularly energy, financial services or credit) and would like additional support around managing conduct risk in your operations, please get in touch with Compliance Quarter and one of our regulatory specialists would be pleased to assist you.
See ‘Outline of ASIC’s approach to corporate culture’, 19 July 2017, per Commissioner Price, available at: http://download.asic.gov.au/media/4393665/john-price-speech-aicd-regulator-insights-on-risk-culture-published-20-july-2017.pdf