Culture and compliance – new best friends?

Following the release by the United States Department of Justice (DoJ) of new remediation standards for FCPA compliance programmes (see: DOJ launches pilot program for FCPA cases), compliance professionals are once again revisiting the key components of their programmes. Beyond the US, the standards reinforce the requirements of the Bribery Act in the UK¹> and prospective legislation in other jurisdictions which is seeking to place a similar onus on businesses to prevent, detect and report financial crime.

Key elements the DoJ will assess in determining effectiveness of a compliance programme are

• The ‘culture of compliance’
• The resources dedicated to the compliance function
• The quality of the compliance personnel
• The independence of the compliance function
• Whether the compliance programme has performed an effective risk assessment
• How compliance personnel are compensated and promoted
• Auditing of the compliance programme
• The reporting structure of compliance personnel within the company.

The challenge for businesses is to go beyond a ‘tick- box’ approach to compliance, to implementing, and maintaining, a positive culture of compliance. The above criteria alone may prove challenging for businesses headquartered beyond the United States in jurisdictions where compliance and its associated concepts may be less developed. Below, we consider how organisations might steer their employees towards complying both with the letter of the law and, just as critically, the spirit of the law.

‘Culture’ in this context is not easily defined and will vary between businesses. An organisation should have a clear sense of purpose, with every employee, wherever located or in whichever business line, knowing what the organisation stands for. In large multi-nationals, this will be difficult. The more remote an office in terms of its geography, including distance from and degree of control by ‘headquarters’, the harder it can be to assert a particular global culture. As Hui Chen, DoJ Compliance Expert has acknowledged²>, compliance officers often have to ‘help their colleagues … navigate towards [compliance] expectations in societies that are not necessarily accustomed to these behaviours’.

The establishment of a robust sense of purpose that can withstand the pressures of the local environment is not easy. A concise set of values, communicated both internally and externally, is a first step, providing a reference point for the standards according to which an organisation wishes to conduct its business and by which it would like to be judged. Those values need to be reiterated at the start of every new policy, survey or training so that all rules and guidance are set out in context.

The recent Deferred Prosecution Agreement agreed between the UK’s Serious Fraud Office (SFO) and Standard Bank Plc³ reveals the extent to which the SFO, and indeed the courts, will test the underlying culture of compliance within an organisation when considering a potential settlement; in this case, the compliance training was deemed to be inadequate and the internal policies not sufficiently well-understood. Combined with a lack of co-ordination between group entities, this resulted in the compliance procedures as a whole being found to be lacking taking into account the risks posed.

The senior management of a company, including the most senior executives, undoubtedly have the greatest influence in driving a particular culture. They need to lead by example and establish the appropriate ‘tone from the top’. A compliance programme that lacks the visible and demonstrable backing of senior management will have limited effect. Senior management should make ethical conduct and ethical decision-making normal business practice and emphasise, through their messaging and conduct, the importance of a compliant culture. To do so, they will need to be well-informed about each element of the compliance programme, being provided with high-quality management information and updated risk assessments. That way, they can ensure that the programme is embedded across the business when visiting different offices, communicating with country or divisional management, and generally on a day-to-day basis.

Regular communication by leadership, both internally and externally, about the company’s values, compliance initiatives, and stakeholder response to any compliance progress made, will serve to promote effective compliance as a key business strategy. Thus, responsibility for ‘compliance’ should be shared across the company and compliance fully integrated with other risk management functions. The HR function, for example, should be aligned with compliance to conduct background checks, to test attitudes to compliance during recruitment and promotion, to assess the impact of remuneration practices and incentives on culture, to engage in relevant disciplinary action and to report on ‘lessons learned’. As Hui Chen has stated⁴, “compliance can identify issues in a company’s financial controls, HR processes, or sales strategy but … without the commitment of finance, HR or sales leadership, these issues cannot be remediated.”

A framework of employee engagement, feedback and review is important to sustain the established culture. The results of this engagement should be subject to review and analysis which should in turn inform changes to the programme. Following instances of unethical behaviour, there should be demonstrable sanctions, which could include such things as claw-back of bonuses and demotion. Equally critical, appraisals should start rewarding behaviours that go toward embedding the company’s values and move away from traditional metrics that often have a narrow focus on achieving financial targets.

Embedding a compliant culture takes more than ‘tone from the top’. The most demonstrable evidence of a company’s commitment to a compliant culture is the extent of the resources allocated to the compliance function.
Human resource and budget (with compliance having its own independent budget, rather than shared with, say, the office of the General Counsel) is key. These resources should be sufficient to allow effective integration across the business, proportionate to the size of the organisation, and reflect the risk of doing business in the relevant sectors and jurisdictions. An effective compliance programme cannot be static. A company should periodically review its compliance programme and update in light of new developments, such as changes in business focus, new regulatory pronouncements or other developments pertinent to the company’s operations. Ideally, resources should extend to the periodic engagement of external consultants to provide an independent analysis of the effectiveness of the compliance programme and insight on how to build or sustain the desired culture.

Ms Chen argues⁵ that, in all areas, “strong compliance must be data driven”. Therefore, resources should also allow a compliance function to use technology to facilitate the assessment, limitation and detection of risk, taking into account the proliferation of ever-changing business systems.

A compliance function created as an after-thought out of necessity in, say, rushed remediation efforts will struggle to be effective. However, a function established to work in tandem with senior management, which is fully and thoughtfully resourced and integrated with other risk management functions, will play a significant role in an organisation meeting its strategic compliance objectives.

The DoJ considers whether compliance personnel can understand and identify transactions identified as posing a potential risk. Compliance professionals should have relevant qualifications and experience for the role. Personal qualities are equally important; the head of compliance should be an individual of sufficient gravitas to reinforce the importance which management places on compliance and ethical conduct.

According to Hui Chen⁶, being in compliance requires “backbone and good judgment and excellent people skills”. With the right characteristics, a successful head of compliance can engage effectively to attract the support of the entire work-force. This support will underpin changes in compliance culture far more effectively than, say, a whistleblowing hotline or online training programme.

Compliance personnel should be proactive in learning about the risks implicit in their organisation’s sector including continually anticipating new, emerging risks. They should learn from their peers through networking at industry events and sharing best practice. It is often instructive to learn from those operating in sectors with greater exposure to risk or more experience in establishing effective compliance.

The DoJ expects that compliance personnel and, in particular, the head of compliance, are not placed in a position of possible conflict of interest between their compliance work and other responsibilities. It is thus prudent for an organisation, where possible, to require compliance personnel only to perform compliance tasks. If this is not realistic, such as in smaller companies, appropriate steps should be taken to ensure potential conflicts of interest are avoided.

The concept of independence does not rule out close co-operation between the compliance function, management and staff. This relationship will be crucial if compliance risks are to be detected early and managed effectively.

The most effective compliance programmes are underpinned by regular risk assessments. The concept of ‘compliance by design’, pursuant to which the compliance programme is tailored according to the sector that the organisation is operating in, its geographical spread, case studies based on issues faced by competitors and the organisation’s own historical issues, is the most effective basis.

A risk assessment cannot be a one-off exercise but should be carried out as regularly as practicable. Businesses should assess the risks to which they are subject, analyse the most significant risks and allocate sufficient resource to remediate accordingly.

Broader questions of culture, attitude and knowledge should be tested, measured and the information gleaned then used to enhance the programme.

If the commitment to a compliant culture truly exists, the management of regulatory risk will be afforded the same importance as that of other senior management positions. Consequently, businesses should assess carefully whether the pay and promotion prospects of its compliance personnel reflect this principle.

In a large organisation, one would expect the remuneration of the head of compliance to be in line with other heads of department. To maintain independence, a sub-committee of the Board should determine the level of remuneration.

Any remuneration linked to the financial performance of the business line for which an individual exercises compliance responsibilities may undermine his/her independence and should be avoided. Remuneration related to the financial performance of the organisation as a whole, however, is generally deemed to be acceptable. Promotion should be linked to the effective management of risk over a defined period, combined with noticeable improvements in culture.

The DoJ takes into account whether the compliance programme has been the subject of an external or in-house audit, including whether it has been designed appropriately to identify key risks and, if so, what action has been taken. Any gaps noted should be remediated as soon as practicable and the programme improved accordingly, not allowed to remain unchanged and stagnant until a particular event provides the necessary impetus for change.

In order to maintain a compliant culture, regular feedback (from both management and employees) on the compliance programme, including levels of confidence in the ethical conduct of the leadership team, and monitoring to ensure continuous improvement, are crucial.

The DoJ expects that the head of compliance should have formal reporting obligations directly to the board, or at the least the senior management team, to facilitate sufficient influence among leadership. Reporting too far down in a company structure may limit the effectiveness of a compliance leader.

The nature of the reporting line between the remainder of the compliance team and the head of compliance will depend on how the organisation has chosen to organise its compliance function. Some companies opt for stand-alone compliance reporting lines; others report through the risk function; others report through the office of the General Counsel. However structured, organisations must have in place reporting lines that are clearly articulated and operationally effective.

Reporting outcomes (negative or positive) to management makes leaders accountable for compliance and allows them to assess how well the organisation is managing its compliance risk.

There should be clear policies in place concerning the escalation of, and response to, significant issues. Direct access to the board should be granted to the head of compliance where necessary, such as in the case of possible breaches identified during the course of an investigation.

While there is no shortage of guidance concerning compliance ‘best practice’, the more intangible concept of ‘culture’ is more difficult to define.

At its most basic, culture should be the creation of a common purpose across an organisation, with a set of values reinforced from the top that permeate through every aspect of the business. In contrast to a time when too many organisations’ cultures were found by regulators and prosecutors to be failing, a compliant culture may start to become a company’s most valuable asset. The challenge for businesses globally is to establish, maintain and resource an effective framework to support their desired culture of compliance.