
It’s Not Just a Check The Box Exercise: Building a Culture of Compliance

Last week I outlined ideas on implementing appropriate best practices in structuring effective compliance programs. Leveraging program management disciplines can streamline the logistics of compliance management. However, process alone is not sufficient without the right “tone at the top” to focus an organization’s efforts. Senior leadership within an organization is accountable for managing risk and compliance for their respective areas, providing the right direction and prioritization for compliance activities. A compliance officer needs to be able to connect the dots on key policies and actions to help both executives and employees understand expectations.

Here are some thoughts on maturing the compliance culture, without over-burdening employees with all the compliance details:

  • Executive buy-in is critical to success: Know who the key stakeholders are for each area of compliance focus. Create an elevator speech for your executives that tells the value proposition for each compliance area – help them tell the story in just a few sentences. Identify both qualitative and quantitative measures and metrics to gain support. Treat your compliance investments using the same business case methodologies to help grow support for changes you need to make. Nothing has more credibility than when Senior Leadership provides visible verbal and written support to a compliance program.
  • Make it real to employees: Keep the message in simple terms so employees understand their role. Most employees won’t be involved in all aspects of compliance. Organizations that try to educate on the nuances of each regulation can lose employee mindshare in the detail. Leverage news or media events or examples to demonstrate how other organizations have had to deal with compliance issues. Use examples to translate those issues into your organization to make it real.
  • Transparency in reporting: A mature compliance culture has agreed upon criteria for risk rating and how to escalate. Use common terminology for what is “Red – Yellow – Green”. If your compliance dashboard is always GREEN and then you escalate a major issue to RED, you have not taken the leadership on the journey. Make sure you focus not only on internal drivers but external market factors that can shift your risk thresholds.
  • Driving accountability: Compliance is not a consensus model. The compliance program needs to have clearly identified stakeholders and owners. Ensure that ownership is at the deliverable and outcome level and not just a review of information level. Scorecards are a good way to track accountability – especially when multiple areas need to work together.
  • Board level engagement: Boards and Audit or Governance Committees have obligations to the company. Executive management needs to engage and inform the Board of the risks and actions the company is taking. If the Board is driving the details of the compliance program, that’s a risk that leadership is not taking the right level of accountability. The Board should be “noses in” and “hands out” in driving compliance program details. Build education programs to help your Boards and Committees better understand emerging areas of compliance. Educated leaders make better business decisions.

So as your organization heads into the fourth quarter, focus your 2016 list on strengthening the culture of compliance. Starting with some self-reflection helps you focus on the tactics that are going to resonate with leadership and employees.

  • What are the biggest challenges for your organization for compliance management?
  • What changes (internal and external) require you to make compliance changes?
  • Has the organization’s risk appetite changed?
  • Are there new leaders on board?

I like to leverage simple tools with my team to get to root causes of an issue. A favorite of mine is THE FIVE WHYS, a lean methodology. Take a compliance topic or challenge from above and break it down. Have your team answer the question and respond with WHY. Do that five times for each question and you will get at some of the cultural challenges you need to overcome to mature your compliance culture.

Linnea Solem is Chief Privacy Officer, Vice President Risk and Compliance for Deluxe Corporation and a former Chair of the Shared Assessments Program. Linnea is a management professional with 20+ years of financial services experience in the areas of eCommerce, technology, business development, marketing, information practices and risk management. She is a Certified Information Privacy Professional and led Deluxe’s compliance initiatives for Y2K, GLB, Check 21, and Red Flags Legislation. You can connect with Linnea on LinkedIn.

Reposted with permission from Deluxe Blogs