Does your organisation actively manage its culture to support effective compliance… or do you just leave it to luck? ‘Make or Break | The role of culture in effective compliance’ explains a three-step approach to creating and sustaining an effective organisational culture to enable compliance.
Contents
Introduction
Understanding the relationship between culture and compliance
A three-step approach to creating and sustaining an effective culture to enable compliance
How to influence culture
Closing thoughts
How can organisations take a proactive approach to creating a culture that is aligned to their strategy, drives real business value and equips them to address compliance challenges?
Regulators are becoming more interested in how organisations govern and report their culture and are wanting to see evidence of a continuous focus on culture, rather than waiting for a crisis. They want to see organisations proactively seeking to manage their culture.
The FRC (Financial Reporting Council) believes that “rules and sanctions clearly have their place, but will not on their own deliver productive behaviours over the long-term.”
Culture can make or break an organisation. The importance of culture is perhaps most apparent when things go wrong.
Compliance failings are not just news – they are headline news
All of these stories have a common thread running through them – organisational attitudes towards compliance – or simply put – Culture.
Misbehaving banks have now paid $240 billion in fines (Source: CNBC, Oct 2015)
Companies found in breach of UK’s pharma code of practice (Source: The Times, Oct 2017)
Emissions scandal hits 11 million vehicles (Source: BBC, Sep 2015)
Accounting scandal draws record fines from regulators (Source: Wall Street Journal, Dec 2015)
Make or Break| The role of culture in effective compliance
Culture is a system of values, beliefs and behaviours that shapes how real work gets done in an organisation. It is expressed as sustained patterns of behaviour that characterise “how we do things”.
Shared values provide the criteria or standards to define what’s good and desirable. For example, at a pharmaceutical client we found a key shared value was immense commitment to improving the lives of patients, a broad theme that helped guide certain behaviour.
Shared beliefs refer to what has proven successful time and again and therefore assumes a taken-for-granted status. So if an individual’s experience of compliance is, “it’s slow, takes too long and really is just a ‘tick box’ task and what really matters in this organisation is hitting targets”, then you can only guess what type of behaviour that will drive.
Understanding the relationship between culture and compliance is valuable
Addressing culture following non-compliance is often tactical
Organisations often jump immediately to think of quick wins (e.g. a communications campaign, appointing points of contact) without investing the time to understand how the organisation’s current culture sets the context for and is a powerful driver of compliance actions or decisions an individual makes. This piecemeal approach is often to appease an upcoming inspection or post an inspection as a remedial activity.
When trying to reinforce compliant behaviour, companies may focus on addressing certain actions, without considering the real drivers behind behaviours. This only addresses symptoms rather than the root cause, meaning that behaviour change is only at a superficial level and less likely to be effective. Critically, change is less likely to be sustained over time or when other priorities arise in the organisation.
Often as a consequence of this, the compliance function of an organisation can be viewed negatively, and compliance responsibilities viewed as ‘side of desk’, yet compulsory, activities. With this attitude, people can easily be less vigilant regarding recognising and acting on possible compliance breaches.
Organisations need to understand or at a minimum be aware of the tensions individuals may face in their day-to-day role. For example, commercial drive may be an attribute that an organisation really values, however it may also be an aspect that creates undesirable trade-offs when faced with a process or decision leading to shortcuts and non-compliant practices. Therefore it is essential to consider the culture of the overall organisation and how compliance sits within this wider cultural context.
Create a robust, evidence based assessment
Very often, discussions about compliance culture are driven by subjective observations and isolated data points – which are unreliable as a baseline. This often leads to culture seeming like a vague concept that is difficult to define and that executives often feel ill-equipped to discuss or address. Using a structured framework to describe culture makes it more manageable and provides a common language for assessing, discussing and addressing culture and how culture impacts priorities such as compliance or governance.
We recommend using multiple data sources and cross-referencing them to increase the quality and rigour of assessment. Typical data sources range from reviewing existing materials such as employee induction documents to interviewing senior leaders across the organisation, all underpinned by a structured framework that you can also apply to define a desired culture.
Potential data sources
Desktop review of artefacts and data – e.g. job descriptions, compliance training materials, onboarding materials
Focus groups – with a representative sample of a wider management team, 10-15 participants per group
Compliance maturity assessment – against 12 core areas to provide a maturity estimate on a 1-5 scale informed by multiple data sources
CulturePath survey – cloud based, with standard indices-focused questions and customised demographic and shared beliefs questions
Leader interviews – with a representative sample of the senior leadership team e.g. C-suite, C-1, C-2
Validation workshops – aimed to feed back and validate the findings from leader interviews, focus groups and the survey
The current culture, defined by the multiple data inputs, combined with an assessment of the non-cultural aspects of the organisation’s compliance maturity, clearly helps to map how the current culture is encouraging (intentionally or not) certain traits and behaviours impacting compliance outcomes. For example, if one of the cultural traits identified is “commercial drive”, with individuals feeling the pressure to achieve ambitious commercial results, this may lead to cutting corners and not following processes as per the guidance. This cultural trait may be reinforced by performance management also only recognising and rewarding sales.
A three-step approach to creating and sustaining an effective culture to enable compliance
Define the desired culture
Having a really clear desired culture that is realistic is important to define what success looks like for the organisation and guide action to foster and monitor that desired culture.
Once there is a clear picture of the current state culture and an understanding of the desired culture inclusive of a focus on compliance, organisations can then develop a roadmap to take the organisation on a compliance culture journey.
Take action
When selecting what action to take, it is important to consider what should be prioritised according to the impact within an organisation and relevance to the target goal. For example, is awareness of compliance processes and standards more impactful and needed more urgently than recognising and rewarding compliant behaviours? It all depends on where an organisation is on their compliance culture journey.
Short term interventions can ‘get the basics right’, for example, defining clear roles and responsibilities can often be implemented in the short term, whilst solutions to ‘sustain the future’, such as diversifying the talent pipeline to include strong compliance skills, will be developed over the longer term.
Culture can be influenced using change levers
Leaders’ actions need to visibly reinforce desired behaviours
Invest time upfront to align leaders on what compliance culture is, how it impacts their business, and explain the role they need to play. Leaders are typically not culture experts, but have to act as role models and coaches for their people. Give them dedicated support to enable this, and make sure it’s not just a job for HR.
‘Tone in the middle’ is now as important as ‘tone at the top’
Leaders at all levels must be coached to exhibit the desired cultural values (e.g. be transparent, have the courage to speak up). Even a well-intentioned tone at the top will become disrupted if an employee’s immediate manager sets a different example. Cultural components should also be incorporated into leadership selection, development, promotion and reward criteria.
Make it real
Drive change where the real work happens. This could be in the business processes and everyday activities, ranging from updating the Standard Operating Procedures to how you reward the workforce for following these Standard Operating Procedures. Help people to identify how to bring the desired compliance culture to life within their day-to-day role. Give extra support to roles that have a high impact on compliance outcomes.
Recognise that change takes time
Culture doesn’t change overnight and the approach should reflect this. Maintain positive momentum, and don’t stop too soon. A comprehensive work plan considering cultural levers can be used to drive change, demonstrating true business impact, building momentum and sustaining change.
Culture can be influenced
Leadership – e.g. leadership incentives and charters
Communications and engagements – e.g. Town halls, floor walkers, QA sessions
Talent – e.g. organisation design, performance management
Process and infrastructure – e.g. policies, monitoring and controls framework
Education – e.g. learning and development, training
Regulators are becoming more interested in how organisations govern and report their culture and want to see evidence of a continuous focus on culture.
We are seeing this now more than ever. A few years ago this appeared to be a problem in the banks – but now this is an issue impacting all industries.
Being aware of how an organisation’s culture is influencing compliance outcomes and behaviours is very important, as only by being aware can an organisation identify the right type of actions to take to move towards the desired state and once achieved, to continually nurture the culture to maintain it.
Culture is on the regulator’s radar...
Compliance, risk or governance maturity cannot be looked at in isolation of the overall organisational culture. Being clear on how an organisation is leveraging its culture as an asset in driving compliance outcomes and behaviours will help organisations understand where they may need to focus efforts to close any gaps.
The fundamental question any organisation should consider is: how active is our organisation in actively managing our culture to support effective compliance? Or do we just leave it to luck and hope we don’t hit the headlines?
...is it on yours?