Accountability and Compliance Culture – The Role of Compliance and Internal Audit
Accountability and compliance culture has moved higher up the agenda within several companies the past months. We see this among our clients.
A growing number of consumers require accountable, responsible and compliant companies that have the interests of their customers in mind and are committed to continuous improvement. And even though many organisations understand the importance of being accountable, the word “accountable” is not always the most popular one among employees. Over time, accountability has developed a negative connotation and that may be one reason for why organisations not continuously measure and report on the culture of accountability, or responsibility, or ethical behavior or compliance. Another reason is that several companies just find it very difficult to measure and report on their culture of accountability (in some organisations “Compliance culture” or “risk culture”).
So how can organisations measure and account for their culture of accountability, responsibility, ethical behavior and compliance considering the numbers of drivers and uncertainties without being required to take on big investments?
How to measure and report on “good” culture?
Research studies around the world on organizational cultures have tried to identify the characteristics of a good culture. Today, we have experienced that there is no universally “right” or best culture. Cultural variations will even exist within the organization. Finance could have a more conservative culture, while the sales team’s culture may be considerably more aggressive — both within limits, of course. This is even more explicit in global organisations. Personally, I have experienced cultural variation on several levels. Mainly as a Compliance Officer and Internal Auditor discussing risk management with Operations and IT, both also moving from an American owned company to a Spanish owned company. And I have experienced how culture impacts risk management processes as well as working and performance culture.
That said, there is probably a “right” culture for each organization — the culture that will help the company achieve its strategy and reach business objectives the most effective way.
To foster the desired culture, each culture driver should be well-designed, aligned with the other drivers, and operate effectively. However, often they are not always so well-designed and aligned, so where can you as Compliance Officer or Auditor start?
Clear roles and responsibilities
Ultimately, culture resides in the perception of employees. If employees believe the right thing is x, y, or z, they will act accordingly. In addition, people struggle to handle in the best interest of the organisation when roles and processes are ambiguous. On the other hand, most problems have multiple right answers. Therefore, employees should be given the freedom and control they need to make decisions, or managers should lower risk of confusion by setting clear requirements and documenting these throughout the organisation. If a team is truly accountable, members will identify gaps, learn new roles and processes, document their responsibilities and ultimately build a more capable team. As a Compliance Officer or Internal Auditor, you can measure whether policies or procedures are clear in defining these roles and responsibility and that requirements are clearly assigned. Where freedom and control have been given to a team (often in entrepreneur companies) you can measure that decisions are in line with management’s delegations, documented and followed up upon or training is provided helping them to adjust their behaviors and make the right decisions. Finally, you can look at employee surveys (or even create one yourself) or use interviews to evidence whether roles are clearly understood by operating employees.
Reporting and evaluation
In best practice accountable organizations, no one expects to “stay under the radar.” These organizations use multiple forms of feedback and evaluation to assess effectiveness of a process or team. However, no one will be willing to step up, speak out if their feedback is not being proper evaluated or employees are being punished wrongly for speaking up. I have personally experienced both organisations where missing reports were spoken of as a bad thing as well as managers blaming employees of failing upon reporting. Therefore, in the process of reporting deficiencies or given feedback (i.e. operational risks process, risk committee or team meeting) the organisation need to collect as much data as needed to be able to see what’s working and what isn’t – and analyse the cause. This requires that each employee can say what they know, what they think and what they did (or didn’t do). It also requires that the organisation takes a systems approach, and responds by adjusting processes or holds individuals accountable if required. Compliance Officer and Internal Auditors can measure on the governance of such processes, on reports made on each level of the organisation compared with others, as well as historic reports, frequency of policy violations, frequency of corrective actions etc. In addition, the respond and analysis on each report should be considered, just like reoccurred deficiencies reported should be accounted for.
Thorough and up-to-date training
Conduct and compliance training is key to reach the desired culture just like employees must acquire new skills, adopt new perspectives, and exhibit new behaviors to succeed in regulatory change and digital change. Understanding a well-designed training program begins by assessing areas where more training may be warranted; and how the program is tailored to better engage workers. However, it is my experience that a well-designed compliance training program is not always prioritised above controlling and reporting, just like review of whether the program is operating effectively is often not in scope of compliance or audit plans.
Training in best practise organisations is prioritised by boards and management. Also, training is as business and risk relevant as possible. Finally, different training methods are known to increase employee engagement and understanding for employees to adjust their behaviors accordingly. Compliance Officers and Internal Auditors can measure on how often trainings are done, if training is triggered by monitoring activities (e.g. observed employee behaviors), completion rate vs. employees, how often trainings are updated and if training considers leverage numerous of relevant information source. As a minimum, all employees should receive continuous relevant conduct training, other trainings should be applied with a risk based approach.
Culture is multifaceted and complex but can be measured.
An organization’s culture is amorphous, varied from place to place, and changeable over time. And it does not lend itself to be evaluated. Compliance Officers and Internal Auditors should engage them self to evaluate culture by the use a variety of techniques — some quantitative, some qualitative — with the goal of continually enriching management’s understanding of the organisations culture of accountability, responsibility, ethical behavior and compliance.
More and more frequently-used measures are internal audit assessments or reports, culture or internal survey results carried out by external parties. At Transcendent Group, we have experience in such assessments in various organisations. When designing employee surveys, we are phrasing questions so that employees assess aspects of the environment created for them instead of assessing their own or managers behaviour, ensuring that the results are more reliable. Apps/It-supported surveys are seen as effective and low-cost ways of increasing accessibility to employees and of engaging employees in the way many people now commonly communicate. In addition to building a certain level of reliability into the survey process, we usually follow up on survey results by looking for corroborating evidence. The first and second lines of defense usually have a story to tell. The result can be handed over so that Compliance Officers and Internal Auditors can work cooperatively with the first line and coordinate their work in order to continuously measuring and ensuring improvements towards the “right” culture of their organisation.