Thousands of laws and regulations both inside and outside the United States cover what’s recognized as the exploding field of compliance. Violations can lead to civil and criminal penalties, destroy lives and shatter the reputations and even the existence of non-complying organizations as we have seen in cases such as Enron and Arthur Andersen.
Often lost in the maze of processes, hotlines, internal departments, systems and matrixes set up to address compliance requirements is the fact that daily workplace behavior drives compliance. Are problems prevented, detected or corrected when they do occur – or allowed to spin out of control into potential crises?
Too often, organizations forget that busy people working in challenging times need to know what to do and what not to do related to compliance — with the same clarity as other job responsibilities they shoulder. Most importantly, they need to know and believe to their core that their employer sincerely wants to find out about problems and welcomes the concerns they bring forward. The following five steps can help achieve that desired goal.
1. Start with desired results.
Setting up processes, structures, policies and procedures is the easy part. Actually, minimizing compliance risk in everything from employment matters to nuclear safety to financial operations — is the hard part. Clearly, the most effective way to identify and fix problems is to do so internally instead of through outside investigations and lawsuits. Ideally, employees at all levels need to know enough to identify issues or potential problems. The question is: What do we need to do to encourage our employees whatever they do wherever they work to help us find out about problems as they arise not after great damage has already been done? We know employees will report fires, gas leaks or exposed wires. How can we develop our compliance programs so they help us identify other “unsafe” practices with the same urgency? This is the key question that must be asked and the results that must be obtained.
2. Involve leaders.
When compliance crises occur, they can result in significant financial costs, damaged reputations, lost lives, goodwill and talent. Ultimately, these disasters may distract employees from dealing with market challenges and may lead to dissolution of the enterprise. Leaders who fail to prevent these crises are not fulfilling their responsibilities. Yet, too often, leaders see compliance as a web of processes and systems that can be handed off to others while they focus on other “more important” priorities. But their lack of involvement in compliance speaks volumes to everyone along the chain of command. Instead, leaders need to talk about compliance, write about it and demonstrate through their daily conduct that compliance is vitally important. I heard one CEO say to his direct reports “We want to win, but we want to win the right way.” That went a lot further than memos and bulletins about processes and regulations that have been written but never read by scores of other leaders. If CEOs made the following their mantra and repeated it regularly they could accomplish a lot to avoid problems at far less expense than they likely now incur: “We want to find out about problems; we welcome them. Let us know. I won’t let anyone be harmed here for doing that.”
3. Identify common behaviors that cut across multiple compliance areas and make those central to all compliance initiatives and daily business.
If you think about catastrophes cutting across multiple compliance areas you’ll see a common pattern. When we recall disasters such as Enron, BP, Madoff and Massey, Challenger and Columbia, we now know there were signs of problems that resulted in disaster. In these instances, officials refused to listen to concerns that, if investigated, could have prevented these devastating events. Instead, they ignored the complaints or, worse ostracized or retaliated against those who brought the issues forward.
One need only examine the range of laws being passed or considered, the charges of unlawful retaliation being filed and prosecuted and the expansive way the Supreme Court has ruled on retaliation claims to see the obvious flaw in compliance systems isn’t that individuals lack knowledge of illegal or dangerous practices. Instead, the problem is that they don’t report them, are ignored when they do or that organizations are unwilling to address issues brought to their attention. What should be the driving issue in compliance is not how do we get information on key violations out to multiple audiences, but rather how do we focus our efforts on getting them to know we’re really serious about this. Here are four simple standards that can be translated into clear specific behaviors that should be the basis of all compliance efforts:
- Know the basics of your codes and policies, where to find them and that they are important.
- If you don’t know whether or not a practice is proper, go to your leader or another “safe place” and ask for help. This is vital to you, your team members and our whole enterprise: It’s just like reporting a safety concern.
- Leaders must know how to welcome concerns whatever they are and understand it is part of their critical job responsibility to do so. Welcoming concerns is not only a commitment, it’s a specific skill tied to what is said, and person-to-person reactions involving tone of voice, and the expression and follow up of other non-verbal behavior.
- It is never proper to lie, fabricate a document or cover up a concern or take action against someone who brings a concern forward.
4. Find this out.
Employers regularly survey their workforces on multiple issues from benefits, to training to career advancement to all of the elements that drive engagement – an area of focus that goes to the heart of compliance. In the early 1990s, we at ELI were helping a nuclear power company change its culture so that safety complaints would be raised internally rather than by the less direct route and processes involving the Nuclear Regulatory Commission and the U.S. Department of Labor. I spoke to one hourly employee anonymously and asked her if she would bring safety concerns forward to her manager so that they could be quickly addressed. “You’ve got to understand,” she replied. “I won’t bring any issue forward to my manager unless I know he wants to hear about whatever work-related issues I want to tell him about. He needs to build his credibility before I’ll come to him. Otherwise, I’ll keep quiet or go outside the company.”
The most important questions to ask and keep asking managers and employees at all levels are these:
- Do you believe that your organization really wants to find out about problems?
- Would you feel comfortable raising serious concerns to your manager or others in the company believing they would welcome your concerns and then be committed to investigating and resolving them?
Until your surveys show that most individuals answer this positively, your organization has an important gap in its compliance program and won’t be maximizing its ability to prevent, detect and correct problems no matter how many hotlines, training sessions, policies and directives it implements. Getting positive, enduring responses to these questions is a matter of leadership, culture, and daily behavior.
5. The goal is cultural, not administrative.
If you review the Federal Sentencing Guidelines, as just one example, you’ll note that the key focus is on establishing a culture of compliance. Processes and other administrative measure may help this develop but alone are sufficient.
Overall, the key is to have leaders demonstrate their commitment, individuals learn specific behaviors that help them find out about problems and for organizations to establish their long-term credibility by acting effectively when issues are brought to their attention.