Curating a Culture that Supports Effective Compliance Programs

John Arvanitis , Michael Watt


October 28, 2021

An array of tiles with images and text, including the word

Many companies have compliance policies, procedures and training in place, as well as guidance from management, but still experience compliance failures. Often, these failures are the result of a culture that is more about talk and less about action.

An ethical culture is the starting point for any effective corporate compliance program, according to the U.S. Department of Justice (DOJ) 2020 guidelines to prosecutors on evaluating these programs. Employees responsible for compliance and its implementation must consistently monitor and evaluate their organization’s culture, and the whole workforce must understand and execute the enterprise’s compliance expectations, ensuring that these goals and objectives are front and center in all aspects of the company's day-to-day operations. By building an effective compliance program, an organization may be able to meet regulatory expectations that can ultimately protect them from potential legal and reputational risk.

Building a Compliance Culture

Organizations that are aware of their weak compliance culture—either because they faced regulatory action or conducted a risk assessment—have a long road ahead of them. They can start by addressing the following: tone from the top and middle, education, resourcing, incentives, and response and remediation.

Tone from the Top and Middle: Increasingly becoming a cliché for compliance professionals, “tone from the top” tends to fail when there are many levels between the top and the workforce. The messaging gets lost along the way. Therefore, senior leadership, middle management and frontline management need to align their tone and commitment.

The chief compliance officer (CCO) should have direct access to the executive committee and board and their support, including involvement in strategic decision-making. While a properly staffed compliance function that delivers regular updates to the board can be effective, an actual seat at the table is the best method of leveraging the CCO’s positive influence on culture.

Education: Educating both internal staff and external partners includes opportunities to practice handling morally ambiguous situations and test decision-making. Customized training that includes realistic scenarios leads to empowered employees and a culture of compliance.

Online training platforms are useful and cost effective to educate your entire workforce and receive a certification of compliance, but retraining sessions may be stale and seen as an inconvenience. The same can be said for automated attestations that the employee has read and understood a corporate code of conduct—similar to not reading the terms and conditions before clicking “I Agree” on a social media website. Kroll’s 2021 Anti-Bribery and Corruption Benchmarking Report found that despite the ongoing pandemic, compliance officers continue to prefer in-person training where personalization is more feasible.

Resourcing: Unfortunately, many compliance professionals and their departments receive the minimal budget needed to fulfill requirements. However, the strongest driver from a resourcing perspective is when the management team makes strategic investments to improve the compliance program on an ongoing basis. Solely avoiding cutting corners is not enough.

Incentives: Particularly in a time of unique financial challenges, organizations are tempted to set unachievable performance goals without considering ethics or integrity, making them ripe targets for regulators. Organizations that are still developing a culture of integrity may have employees who do not feel pressure to act unethically, but do not have incentives for ethical behavior either. Thus the strongest cultures are those that meaningfully incorporate integrity into performance evaluations and promotion guidelines, including evaluating management on the integrity of their teams.

Response and Remediation: The true test of a culture of compliance is when the company encounters an ethical breach. Few events are more of a setback to a compliance program that is otherwise developing positively. Does the company have a response policy or is their response entirely situational? Effective policies give employees confidence that organizational responses are applied consistently, require reporting to the appropriate regulator and detail an escalation path that includes a protected whistleblower function.

At the remediation stage, the most robust compliance cultures have boards that hold their executive committees accountable. The more egregious breaches are thoroughly investigated internally with the intent of using findings to improve processes and controls.

Barriers to Implementation

Any organization beginning their path to a robust ethical culture will face a number of critical challenges. Many compliance departments feel the pressure from regulators to demonstrate efforts to improve their cultures and take problems seriously. This pressure may cause them to overreact to minor policy violations, attempting to demonstrate that they have an effective program before a true culture shift is realized. The effort to improve their own culture organically also may be seen as disingenuous or self-interested by others in the company. Buy-in from the executive committee, the C-suite and middle management may help prevent these issues.

The compliance department may also already be overtaxed with new regulations, increasingly limited budgets and daily firefighting. Stories of successful CCOs who were afforded enough bandwidth for a compliance department to address an existential issue like culture are rare.

Lastly, organizations need a qualified, ethical and passionate staff of compliance professionals to champion ethical change. This staff must be able to understand the wider experiences of their business to understand practices, motivations and incentives. If they can do this, they can make their business, their leadership and their regulators happy.

When an organization’s employees are committed to a culture of compliance, achieving operational and compliance goals and objectives is possible. It is imperative for an organization and its workforce to recognize their compliance responsibilities, but it is just as important to have them understand why they must operate in an ethical and compliant manner every day.

John Arvanitis is a managing director in the Compliance Risk and Diligence practice of Kroll.
Michael Watt is an associate managing director in the Compliance Risk and Diligence practice of Kroll.