Establishing and maintaining a culture of compliance
Does your company regard compliance as an added value to your business or as a business cost? Bill Dee, Director, Compliance and Complaints Advisory Services Pty Ltd, Australia, and Angus Young, Assistant Professor, Hang Seng Management College, Hong Kong, give some tips on how to establish a culture of compliance in your company.
Everyone thinks they know what compliance means – it is assumed that compliance is just about companies meeting their legal obligations. Compliance professionals are very aware that compliance is more than having a tick list of ‘things to do’ to ensure compliance with relevant laws. This approach does not create good corporate citizens or governance.
Compliance should entail a commitment to ethical values and corporate social responsibilities throughout the organisation. Also, compliance should not be thought of as a business cost or simply a reduction of legal risk – it is an added value because it increases the public’s trust of corporations – it demonstrates that they are ‘doing the right thing’. To achieve this it has to come from the top, but staff at all levels also have to embrace compliance as part of corporate culture and the way companies do business. The first step therefore is to educate the board and the second is to train staff.
Why establish a culture of compliance?
There are a number of compelling reasons why business executives and corporations should be concerned with compliance. These include:
• it is the law and conforming to the law is very much part and parcel of good corporate governance
• courts take into account whether there is a culture of compliance when assessing penalties
• it reduces the risk of heavy fines, high legal fees and, most importantly, damage to reputation caused by engaging in conduct that society deems to be unacceptable, and
• it reduces the risk of incurring opportunity costs in dealings with regulators.
In a nutshell, a culture of compliance with legislation and regulation is not an optional extra, but an essential element of doing business.
How to establish a culture of compliance
There are two critical aspects of how to establish a culture of compliance: attitude and infrastructure. Both are required to establish and maintain such a culture.
The first thing to bear in mind is that a compliance culture can’t be bought ‘off the shelf’, it has to be nurtured. Commentators agree that culture is all about the shared values, beliefs and attitudes within an organisation. You need to consider how your corporation embraces and applies the concept of compliance to its total business strategy and implementation. The basic test of whether a corporation has an effective compliance culture is whether or not compliance is accepted as a business added value rather than a business cost.
For a culture of compliance to be successful it has to be top driven and have the right ‘tone at the top’. The expression ‘tone at the top’ has become a compliance mantra and rallying call for industry and regulators in recognition of the significant influence that organisational leaders such as the board and senior management exert on employee attitudes and, as a consequence, on the entire range of organisational behaviours. A culture of compliance occurs when the whole organisation has a low tolerance for breaking the law.
Some top managers may profess fake support for compliance but, at the same time, send signals (by wilful omission or otherwise) that they are actually indifferent to it. Such wilful and deliberate blindness by top management can totally negate a ‘professed’ culture of compliance. The executive and senior management must visibly and actively ‘own’ compliance. They are specifically tasked with ensuring that compliance is adequately resourced, is given a place at management meetings and in reporting, and most importantly will foster transparency of compliance reporting.
Tone at the top is undoubtedly critical for a healthy culture of corporate compliance. The chief executive officer, the board chairman and the directors must be clearly seen, by both word and practical example, to set a culture of compliance within the organisation. But these behaviours alone won’t result in a compliant organisation. A good compliance culture links specific people to specific documents, control points and risks, and ultimately to a specific goal. In a good culture of compliance, this will be a seamless web. In the words of the now Chief Justice of the High Court of Australia, then a Federal Court judge: ‘Broadly speaking it may be said that the clearest indicator of a corporate culture of compliance is the existence within a corporation of effective compliance programmes.’
An unambiguous commitment at the top of the corporate hierarchy to effective compliance must be backed up by a comprehensive compliance management system, including supporting internal practices and procedures.
The board/top management must:
• have serious compliance breaches and especially regulator concerns escalated to them
• ensure reporting systems to the board are in place and that reporting is timely (reporting involves not only reporting of non-compliance but reporting back against strategies to improve or rectify compliance)
• understand compliance (education may be needed)
• appoint a senior manager with sufficient authority as a compliance manager/officer
• ensure the compliance manager has access to all relevant board committees and the board if needed
• resource and empower compliance – that is, put board authority behind it
• receive and act upon incisive reporting (not just ‘noting’ it)
• ask probing questions, and
• have access to and use actual compliance expertise.
There should be adequate resources for the compliance function including:
• a compliance manager or officer
• access to expert advice
• a committee that covers compliance matters
• annual training, and
• policies and practices.
Regulatory risk assessment
Risk assessment is about assessing the likelihood and the consequences of breaches of applicable laws. This means that companies need to determine which regulatory risks are most likely to occur and then identify which ones would have the greatest impact. This involves undertaking an analysis of the nature of the company’s operations, the type of market it operates in, the guidelines the regulators have published that are relevant to the firm, and the results of any enforcement activity regulators have taken in the industry in which the firm operates. Once risks have been identified, controls/procedures/practices need to be developed to manage those risks.
Operational compliance covers the day-to-day processes and systems for compliance. These could include:
- procedural work instructions
- systems and exception reports
- segregation of duties
- mandatory face-to-face annual training of high- and medium-risk staff, including scenario-based training and role playing
- annual completion of online training
- six-monthly completion of compliance questionnaires and certificates
- communications to staff on relevant issues on an ongoing basis
- channels for providing on-the-spot advice
- visible and accessible means of reporting suspected breaches to the compliance manager, and
- communication of the consequences of breaching competition legislation provisions to high-risk staff.
Regular and documented monitoring to ensure adherence to procedures is an important due diligence feature. Where compliance is essentially behavioural (such as compliance with competition legislation) the reporting systems of complaints handling and whistleblowing systems are the most appropriate forms of monitoring.
Other forms of monitoring could include:
• the compliance manager undertaking unannounced spot checks to ensure procedures are being followed
• ensuring mandatory attendance at training
• ensuring completion of compliance certification and questionnaires, and
• involving in-house auditors to undertake audits that procedures designed to control high-risk matters are being conformed to.
Education and training
Annual face-to-face training for at-risk staff should be implemented. The training should identify and deal with day-to-day, real-world risk situations and how to handle them – this can be done through hypothetical scenarios and role playing. New staff, particularly those who are classified as at risk, should be required to complete the online training and testing programme within a month and should attend face-to-face training at quarterly catch-up sessions.
Because some training is conducted annually, a concern arises as to how to keep competition legislation compliance up to date, particularly for at-risk staff. In relation to this concern, an organisation may want to consider the following initiatives:
• an online training and testing programme which is accessible 24/7 as a reference tool
• circulation of the regulator’s media releases relevant to the company’s operations with a commentary about lessons for the company
• regular update messages such as:
o the launch of the company’s updated compliance policy, and
o reminders of the ‘do’s and don’ts’
• in-house legal staff can make presentations and be available to give advice at conferences
• memos can be distributed to relevant staff regarding lessons learnt from the field
• compliance questionnaires and certificates can be circulated every six months
• lessons from the field can be discussed at team meetings, and
• quarterly compliance committee meetings can serve as a reminder for communications.
Bill Dee is Director, Compliance and Complaints Advisory Services Pty Ltd, Australia.
Angus Young is Assistant Professor, Hang Seng Management College and Adjunct Professor, Southwest University of Political Science & Law, PRC.
Angus Young presented a seminar ‘Establishing a corporate culture of compliance’ for the Institute’s ECPD programme on 17 June 2013 (see page 36 for a review). He is also the author of a number of publications on corporate law, director’s duties, insolvency, financial and securities law, competition law and legal education.