“Culture” in this context is not easily defined and will vary between businesses. An organisation should have a clear sense of purpose, with every employee, wherever located or in whichever business line, knowing what the organisation stands for. In large multi-nationals, this will be difficult. The more remote an office in terms of its geography, including distance from and degree of control by ‘headquarters’, the harder it can be to assert a particular global culture. As Hui Chen, DoJ Compliance Expert has acknowledged2, compliance officers often have to “help their colleagues … navigate towards [compliance] expectations in societies that are not necessarily accustomed to these behaviours”.
The establishment of a robust sense of purpose that can withstand the pressures of the local environment is not easy. A concise set of values, communicated both internally and externally, is a first step, providing a reference point for the standards according to which an organisation wishes to conduct its business and by which it would like to be judged. Those values need to be reiterated at the start of every new policy, survey or training so that all rules and guidance are set out in context.
The recent Deferred Prosecution Agreement agreed between the UK’s Serious Fraud Office (SFO) and Standard Bank Plc3 reveals quite the extent to which the SFO, and indeed the courts, will test the underlying culture of compliance within an organisation when considering a potential settlement; in this case, the compliance training was deemed to be inadequate and the internal policies not sufficiently well-understood. Combined with a lack of co-ordination between group entities, this resulted in the compliance procedures as a whole being found to be lacking taking into account the risks posed.
The senior management of a company, including the most senior executives, undoubtedly have the greatest influence in driving a particular culture. They need to lead by example and establish the appropriate “tone from the top”. A compliance programme that lacks the visible and demonstrable backing of senior management will have limited effect. Senior management should make ethical conduct and ethical decision-making normal business practice and emphasise, through their messaging and conduct, the importance of a compliant culture. To do so, they will need to be well-informed about each element of the compliance programme, being provided with high-quality management information and updated risk assessments. That way, they can ensure that the programme is embedded across the business when visiting different offices, communicating with country or divisional management, and generally on a day-to-day basis.
Regular communication by leadership, both internally and externally, about the company’s values, compliance initiatives, and stakeholder response to any compliance progress made, will serve to promote effective compliance as a key business strategy. Thus, responsibility for “compliance” should be shared across the company and compliance fully integrated with other risk management functions. The HR function, for example, should be aligned with compliance to conduct background checks, to test attitudes to compliance during recruitment and promotion, to assess the impact of remuneration practices and incentives on culture, to engage in relevant disciplinary action and to report on “lessons learned”. As Hui Chen has stated4, “compliance can identify issues in a company’s financial controls, HR processes, or sales strategy but … without the commitment of finance, HR or sales leadership, these issues cannot be remediated.”
A framework of employee engagement, feedback and review is important to sustain the established culture. The results of this engagement should be subject to review and analysis which should in turn inform changes to the programme. Following instances of unethical behaviour, there should be demonstrable sanctions, which could include such things as claw-back of bonuses and demotion. Equally critical, appraisals should start rewarding behaviours that go toward embedding the company’s values and move away from traditional metrics that often have a narrow focus on achieving financial targets.