Creating a Culture of Compliance

Chris Keefer


November 1, 2021

Person in a suit pictured from the neck down standing in front of a shelf of legal files, holding a stack of legal papers.

Depending on the type of product or service you provide, numerous laws and regulations govern what you can do and how you can do it. Many of these compliance obligations extend well beyond just a couple of departments or a handful of employees. For example:

  • Cybersecurity laws can affect every employee who has a computer and email address.
  • Workplace behavior laws can affect every employee who interacts with other employees.
  • Workplace safety laws can affect every employee involved in the production process.
  • Anti-corruption laws can affect your entire internal and external sales, marketing and distribution networks.
  • Antitrust laws can affect every employee who has influence over how you compete in the marketplace.

Developing and implementing internal standards and guidelines to address these laws is critical. However, it is not enough to just cobble a policy together and share it with everyone. The following steps can help successfully create a culture of compliance:

Step 1: Generate Buy-In

Telling senior executives that they can or cannot do something simply because a particular law says so is often not well-received. To best generate buy-in, it is more productive to explain to them why compliance is important, and to do so in plain English—not legalese.

You can start with a presentation to key stakeholders, beginning with background on the applicable law itself. For example, when developing and implementing an antitrust compliance program, consider including a history lesson on the rise of these laws in the United States, including the role of legendary figures like Teddy Roosevelt, John D. Rockefeller, Andrew Carnegie and J.P. Morgan. The storytelling aspect—in addition to the content—is an important part of getting the audience interested and engaged.

Then, generally discuss the laws themselves, including how they are enforced and penalties for violation. If your audience has tuned out, mention that criminal violations of the Sherman Antitrust Act are felonies punishable by up to 10 years in prison and fines of up to $1 million per violation for individuals and up to $100 million per violation for corporations.

Next, provide real-world stories of what can happen when you violate the law. If you are generating buy-in for an anti-corruption policy, for example, talk about how the Department of Justice sanctioned medical device manufacturer Smith & Nephew for using a Greek distributor to make improper payments to doctors at state-owned hospitals as the DOJ considered this to be bribery of government officials. Smith & Nephew had to pay a $16.8 million fine and agree to a compliance monitor for 18 months. It also had to give up over $4 million in profits and pay nearly $1.4 million in prejudgment interest to resolve civil charges with the Securities and Exchange Commission.

Now that you have their attention, provide some easy-to-understand hypotheticals, and have your audience discuss whether the conduct would constitute a violation. There will inevitably be at least one “devil’s advocate” who will argue the contrarian position. While this may be frustrating to you or some members of the audience, it is ultimately a good thing since it means at least some people are paying attention and considering the material. Be sure to incorporate others into the discussion as much as possible, creating a cooperative dialogue and encouraging everyone to participate and think critically.

Reinforce throughout that this is not intended to make them experts on the specific law, but rather to assist them in understanding their compliance responsibilities, spot potential issues when they arise, and flag problems or warning signs when necessary.

Step 2: Develop a Written Policy

A written policy should serve as a frontline shield to potential regulatory action, but it should also be something that can be read and understood across the organization without too much effort.

Consider opening with a letter from the chief compliance officer or another high-ranking senior executive, communicating the company’s commitment to high ethical standards and expectation that employees follow the policies. This establishes the significance and gravity of the policy, and reinforces that it is not just another perceived roadblock put up by the legal or compliance department.

Next, add a general summary of the detailed policy. This should be no more than a couple of pages and list the most important aspects—the “never do this” or “always do that” items. Then, provide a statement briefly communicating the overarching, non-specific compliance guidelines, which should include some version of the following:

  • Each employee is responsible for compliance with the subject laws.
  • Employees may not engage in, approve of or tolerate any conduct violating the subject laws.
  • Managers are personally accountable not only for their own actions but also for the conduct of their subordinates.
  • Employees violating the policy may be subject to disciplinary action, including termination.
  • The company will provide educational materials and programs as needed to explain what is expected of employees in terms of compliance obligations.

The next section should be an overview of the subject laws themselves and categories of enforcement and penalties for violation, followed by a more comprehensive list of the specific prohibitions and requirements. This list should be broken down into easy-to-read sections with a bullet-point summary at the end of each.

Be sure to include a section at the end for employees to expressly acknowledge receiving, reading and understanding the policy, where to go with any questions, and the consequences of not following the policy, potentially including disciplinary action or termination.

Step 3: Provide Regular and Meaningful Training

Developing a robust written policy is only part of creating a culture of compliance. It is equally important to provide regular and meaningful training to help employees understand and incorporate their obligations into day-to-day responsibilities. Depending on the size of your company, individually training employees may be impractical or impossible. To reduce training burdens, learning management system software can provide relevant modules to automate delivery and tracking of training for all relevant employees.

Establishing a culture of compliance starts at the top, so executives and managers must lead by example. At a minimum, consider in-person training for management-level personnel, making them personally accountable for training subordinates. Training should be well-documented to demonstrate enterprise-wide compliance, with regular auditing to confirm that best practices are being followed. Consider a third-party expert to periodically audit your compliance controls.

Carried out effectively, these efforts not only reduce risk but may also help mitigate damage in the event of an issue. When facing an investigation or lawsuit alleging non-compliance, you can confidently demonstrate that your company has written policies governing such infractions, regularly educates personnel on these policies, and fosters a culture of compliance with the laws and regulations governing your industry.

Chris Keefer is the principal of Keefer Strategy, a preventive law practice that helps businesses proactively address enterprise-wide risks.