The Perfect Compliance Combo: Culture and Controls
Compliance practitioners divide their commentary and insights into two general categories – ethical culture and compliance controls. It is easy to divide compliance issues into these two categories. Ethical culture articles are a little less concrete; compliance controls are practical and focused on policies and procedures.
A compliance program cannot be deemed effective, however, unless there is a combination of these two important functions. An ethical culture is the most effective compliance control. Employees in ethical companies are far less likely to engage in misconduct, and much more likely to report someone else who they suspect is engaged in misconduct. This basic principle is a critical control that applies across-the-board in every aspect of a compliance program and the company’s business.
Compliance policies and procedures are critical to promote an ethical culture and provide important mechanisms to mitigate risk and ensure proper accounting and use of funds. As I frequently say, you can design compliance policies and procedures that are works of art, efficient and well drafted; however, in the absence of a commitment to a culture of compliance and ethical conduct, the policies and procedures are unlikely to succeed. Compliance controls by themselves are insufficient to achieve an effective ethics and compliance program.
Culture and controls go hand in hand. One cannot be effective without the other. Chief compliance officers that focus on one area to the detriment of the other are going to struggle. I have seen examples of both extremes. An effective ethics and compliance program depends on a careful and sensitive balance of these two objectives.
It is easy to see how each of these objectives reinforce the other. An ethical culture depends on specific policies and procedures to guide important compliance functions. A third-party intermediary cannot be engaged without completing the due diligence process. Of course, the company will apply ethical business principles when it engages the third party. Before that, however, the company has to follow its due diligence controls to ensure proper screening and analysis.
A company’s culture of ethics is a fundamental requirement to ensure that employees follow compliance policies and procedures. It is always surprising that employees can avoid a policy or procedure without any serious consequences. Just ask yourself how many third parties were engaged without completing any due diligence process. Or examine how many vendors or suppliers were engaged without going through the onboarding process.
In a company with a strong ethical culture, the rates of compliance with policies and procedures are likely to be much higher than companies that have weak ethical cultures. Employees are likely to perceive a rule-based compliance program differently than a balanced combination of ethical culture and compliance controls.
A company’s balance between these two basic strategies may vary in different countries – some areas may be more rule-based, while others may work more effectively by emphasizing ethical values and principles. The differences may not be significant but the emphasis can be important depending on the audience and specific local conditions.