Posted by John Kleeman
Almost every day, you can open the financial pages of a newspaper and see a new compliance failure – another company fined multi-millions for breaking regulations. How can an organization develop a culture of compliance?
There seems to be a common thread that runs through almost all high-profile compliance catastrophes. It is that the top-tier executives and middle managers in the organisations simply didn’t model the behaviours that would lead to a culture of compliance.
In other words, an organization must not just pay lip service to complying with regulations but must also communicate effectively to its employees that it really means it. This is a regular theme from regulators. The UK Ministry of Justice, in its guidance on the UK Bribery Act, lists Top-level Commitment as one of its six key principles for bribery prevention. And the U.S. Department of Justice says in its Principles of Federal Prosecution of Business Organizations:
Prosecutors should therefore attempt to determine whether a corporation’s compliance program is merely a “paper program” or whether it was designed and implemented in an effective manner. … prosecutors should determine whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.
Obviously, commitment is commitment, and you can’t fake it. Executives and managers need to genuinely believe that compliance with regulations is important and exhibit appropriate behaviour.
But my research about this issue tells me that by administering regular tests, an organization can reinforce the message that it is committed to compliance – and that this works best under the following five conditions:
- Employees are required to take tests regularly
- Employees believe the tests are fair and genuinely measure their ability to do a job or understand and apply regulations
- Questions are seen to be relevant, not just a tick-the-box exercise – for instance by having employees respond to real-life scenarios
- There are consequences for repeated failures
- Managers and executives set an example by taking relevant tests themselves
Do regulators agree? Here is a quote from the UK Financial Services Authority about an insurance company fined UK£5.5m for bribery (my emphasis):
Aon Ltd should have ensured that appropriate members of staff – particularly those in the Aviation and Energy divisions – received focused training in relation to this area and were tested on their understanding of the relevant risks involved. Effective training and testing in this regard would have emphasised to staff the importance of carrying out effective due diligence prior to authorising an Overseas Third Party for payment.