Building a Culture of Compliance at Your Organization

Corporate culture is a hot topic. The idea is that it’s a primary driver for all sorts of company activity. Good and bad. Helpful and not so helpful. But it’s an especially hot topic in the world of finance – particularly since the financial crisis – as senior leadership in firms of all shapes and sizes and governments from around the world struggle to find ways to keep firms and the people who populate them on the right side of the regulatory rulebook. But what exactly is organizational culture? And how do you get your head and hands around it in a practical way to shape and point it in the direction you want it to go?

Here, I share an overview of some high-level thinking on the subject from the field of organizational psychology, as well as some guidance on how automated compliance software can be the perfect practical complement to the more philosophical aspects of transforming company culture.

What Culture Is – and Isn’t

Culture is a mindset. When you embed culture, it shapes behavior. It becomes the instrument people fly by. And it’s subconscious, so it’s a very powerful form of behavioral and social control. It’s socialization. It’s why we have cultures. Human beings are wired to create cultures.

Culture is a story we make up about what it means to be in an organization, how we get rewarded or avoid punishment. And every employee makes up that story based on what he or she sees. But you don’t manage culture directly. You manage the things that shape behavior, and once those behaviors are observed and experienced, they get internalized as culture.

Culture is a Behavioral Nudge

Culture can nudge us to do the right thing or wrong thing. Why do firefighters run into burning buildings? It’s culture. Deep socialization. And socialization affects our behavior. Firefighters aren’t calculating. Running into burning buildings is what they do. That’s deep culture.

All people are corruptible. That’s why social psychology and behavioral ethics are so important: They help us understand what affects behavior. The trustworthy company creates a culture that nudges people to doing the right thing.

Culture is Always Moving

Culture is a tournament of competing pressures that employees must respond to. As compliance officers, you’re in the business of affecting those pressures. You’re in the systems business, but you’re also in the culture business. You are leaders that help embed the culture.

Most major trust violations are preceded by cultural drift. An ethical culture is a social control mechanism that can prevent drift. Compliance officers are in the drift-prevention business. Your job is to say: “Look where we’ve gotten to. Let’s find a way to get back to where we were.”

Culture is About Competing Values

In every company, there’s a competition going on about what the real values are. We can say these are our values, but there’s a fight going on about what they are in practice.

Employees want to work for a good company. It’s about building a trustworthy organization, one that’s self-regulating. Because when you don’t self-regulate, you invite external regulation.

Trust and Control is Best

“Trust is good, but control is better.” So goes a famous quote attributed to Lenin. This implies that trust and control are opposites. That you can have trust or control, but you can’t have both. In the compliance business you need to have both, and you can have both.

If you have all control and no trust, then you have a very risky situation. On the other hand, if you have all trust – meaning lots of great culture – but no control, you also open your firm up to risk.

Trust is a Judgment

Trust is a judgment of confident reliance on a person, group, organization or system when there is risk or uncertainty. Trust only matters when there’s risk and uncertainty. If everything’s totally certain — if you can predict the outcome — you don’t need to trust.

When people trust, they do it based on expectations of positive future behavior. If that trust is violated, there’s a trust violation, and people lower their expectations. The relationship is damaged, and people get angry. That’s what distrust is: low expectations about future behavior.

Trust Can Be Managed

We look for sources of evidence as to whether an organization is trustworthy. From that evidence, we decide to trust. But you don’t manage trust directly, just like you don’t manage love directly. You manage other things that lead to that outcome.

Think about managing trust as embedding trustworthiness. You can embed trustworthiness in a person (i.e., a leader), but you can also embed trustworthiness in a company, a system.

How to Gain Trust

We’re not all equal in the degree to which we’re willing to trust. You manage trust by managing trustworthiness. Embed the following six elements into your leadership style and even those with a naturally low disposition to trust will begin to trust you.

1. Communication: Communicate openly and frequently.
2. Benevolence: Demonstrate you care.
3. Alignment of Interests: Demonstrate that your interests are aligned.
4. Similarities: Communicate that you have similar values and that you have similar loyalties.
5. Integrity and Predictability: Show you can be predictable and that you practice what you preach.
6. Capable and Competent: Demonstrate that you’re capable and competent at what you do.

The Paradox of Trust and Control

In any company there’s social control, or culture. There’s behavioral control, or monitoring. And there’s output control, or reporting. Social control is trust inducing. Behavioral control and output control can cause distrust. They can send signals to employees that you don’t trust them.

But you can’t trust all employees. You wouldn’t be a trustworthy company, from a client’s perspective, if you blindly trusted all employees all the time. But employees get upset when you don’t trust them, so it’s important how you implement behavioral and output controls.

If controls are justified and rationalized, trust is enhanced. If controls are arbitrary, distrust and disengagement can result. When controls are enabling, they enhance trust. When they’re coercive, they create distrust.

This is the paradox of trust and control. You need both. Low controls are risky. Too much control means people become disengaged and “check the box.” Optimal trust is the spot in the middle. It’s the perfect combination of trust and control — culture and control systems — administered in just the right manner and in just the right places. This is what a trustworthy organization looks like.

Where Technology Comes In

Thinking along these lines, it’s easy to see where compliance technology can be part of the control system: as part of that balance – that point of optimal trust – between too much and too little control. An employee conflicts of interest monitoring system — whether it be employed for personal trading, gifts and entertainment spending, political donations, private investments or outside business activity — is a control element that can be justified and rationalized to the employee base.

First, systems like this aren’t arbitrary. Just the opposite, in fact. If an employee’s position in the company necessitates personal trade monitoring, for example, chances are there are others in the company in the exact same position — probably people the employee works with on a regular basis and can readily relate to. Compliance monitoring systems also aren’t coercive, or at least they don’t come across that way. It’s up to the employee to physically enter gift or entertainment spends, for example. Yes, it’s required, but it’s still up to the employee to voluntarily complete the task, and it therefore offers some measure of personal empowerment.

Compliance tech also demonstrates openness on the part of the firm. There’s transparency into what’s being asked (i.e., everyone is working in the same system doing the exact same thing). No one is above the rules. The firm is practicing what it preaches. Also, because, as we now know, culture is always moving, it’s worth noting that technology like this helps keep compliance on top of organizational drift by providing data that may indicate standards are slipping and that the firm is sliding toward greater risk and possible ill repute.

This data-driven capability is a fine complement to the compliance officer’s own intuitive sense of what’s happening in the organization, and it is a good reminder that technology on its own is rarely a be-all end-all. Technology is an enabler, a helper, something humans partner with to make a task easier to accomplish and more effective overall. Compliance technology helps firms get to that optimal trust spot. That perfect combination of trust and control. That balance of culture and control systems. That true culture of compliance.

The subject matter for this post is attributed to organizational psychologist Dr. Robert Hurley, who spoke on the subject of company culture and ethics at the StarCompliance 2018 U.S. User Conference.