Redefining Compliance

Following the first significant bribery and corruption scandals of the early 2000s (some might still remember the first ABB and the “old” BHI DPAs and, of course, the Siemens saga), companies started devoting more attention to the growing US FCPA exposure, from introducing codes of conduct and key policies to employee training and communication to establishing ethics hotlines and investigation management. Corporate lawyers started to learn how to speak in a human language that ordinary folks would understand, improving their communication and presentation skills in the process. Dedicated ethics and compliance (E&C) teams were established. Boards started asking questions.

A lot has changed in the past two decades. Or has it?  

Tools

While there are plenty of GRC Systems on the market, adopting technology is not a minor task and definitely not a cheap one. While businesses are rushing to transform their ERP systems, compliance, more often than not, is at the end of the queue. Not every compliance department can afford it. But even where adopted, the ability to tailor standardised system workflows to organisation-unique processes is a challenge. Thus, manual processes, XLS and PPTs continue to be the E&C professional’s “go-to” tools.  

RegTech tools, with their big data and ML capabilities, are a game changer. With their primary focus on real-time transactional monitoring, escalation and reporting, they are essential in fraud and money laundering detection, market surveillance and transaction monitoring, aggregation and reporting. If you go beyond financial services and other regulated industries, not so much.

Program Effectiveness

Enforcement agencies around the world keep sending a loud and clear message – Ethics and Compliance programs need to be effective (read “work in practice”).

While we have long moved beyond Compliance 2.0 (some might remember this term from a few years back), the question of program effectiveness continues to linger.

When asked, compliance professionals usually bring up plenty of stats (either in XLS or as a GRC system report): the number of employees trained, C-suite communications issued, third parties screened, reporting volumes, process-performance data, or a number of remedial actions triggered by the audits or as a result of investigations.

Indeed, the Compliance Program might be working, but is it effective in achieving the intended results? How well is it embedded in the business processes and day-to-day activities?

How many E&C departments measure the impact of their compliance activities? Do those activities mitigate the compliance risks as intended? Are they efficient and do they add value, or are they a burden? What is the actual Compliance ROI?

While compliance processes and systems produce an ever-increasing number of data points, effectiveness and impact analysis are not necessarily in every company’s toolbox.

Compliance without culture is a “tick-the-box” exercise.

By now, everyone agrees that compliance cannot be achieved in isolation. We are all people, and our mindsets and behaviours are driven by much more than corporate policies, procedures and training.

Nevertheless, corporate compliance is still largely prescriptive and process-driven. Let’s take Speaking Up as an example. Companies often have dedicated policies that require employees to report compliance concerns, provide training on what is expected from employees and how to report; whistleblowers are protected, anonymity and confidentiality are often ensured. But why does Speaking Up continue to be such a big issue?

For that, we need to ask whether the corporate culture is actually conducive to Speaking Up. Are employees able to recognise the situation (moral attentiveness) and motivated to report (moral engagement)? Do they believe the organisation will apply fair process (organisational justice)? And last but not least, do they feel psychologically safe to talk to the manager or E&C professional?

For compliance to be genuinely effective, we must change gears and look at individual behaviours and group dynamics rather than solely focusing on prescriptive measures. Nurturing the “right” corporate culture is essential for program success.

Looking across the aisle.

As the compliance field grows, we often find ourselves pursuing different paths. Instead of tapping into other industries' expertise, we spend time and already strained resources to reinvent the wheel. Many of the offences characterised by the Financial Industry as “Financial Crimes”, such as bribery and corruption, sanctions violations, or insider dealings, are something that other higher-risk industries, such as energy, infrastructure and healthcare, have dealt with for years, building a war chest of successful prevention strategies, tools and competencies. $BNs of fines could have been avoided if lessons were learned from other industries' past compliance incidents and, more importantly, the program improvements they made in light of those.

Going Beyond the Complexity Ceiling.

This is not to say that compliance has not evolved. It has, and significantly. It is no longer about simply meeting applicable regulatory obligations but about a corporate environment rooted in moral drivers where misconduct and unethical behaviours are not tolerated.

Today, compliance is at a new juncture where the current toolbox has reached its limit, and to be able to navigate the fast-evolving social, economic and regulatory landscape effectively, it needs to redefine itself once again.  

We will be back in two weeks!


Comhla Intelligent Compliance

At Comhla, we are driven by a mission to revolutionise the way organisations approach compliance and misconduct prevention. We leverage cutting-edge applied research in behavioural science, actionable data insights, compliance, internal controls and regulatory expertise to help our clients identify and target conduct risks before misconduct occurs. We believe that each organisation should be proactive about maintaining business integrity. By going the extra mile to provide evidence-backed solutions tailored to our customers' unique needs, we enable them to maximise Compliance ROI while increasing the effectiveness and impact of their prevention strategies.

Follow us on LinkedIn: https://www.linkedin.com/company/comhlaic 

Learn More https://comhla.co

We aim to publish once a fortnight.  The information provided in this newsletter is not intended to and does not render legal, accounting, tax, or other professional advice or services.
