FTI Consulting’s Angie Gorman, Janet Hale and David Stickney offer their guidance to help companies set about measuring the effectiveness of their compliance culture — including commitment, capacity and cooperation.
In today’s environment of heightened regulatory scrutiny and enforcement, ensuring a culture of compliance is more relevant than ever. However, as compliance practitioners, we often struggle not only to define this intangible “culture” but also to measure and monitor it.
To evaluate whether our company’s compliance culture is strong, weak or somewhere in between, we need to ask a few questions:
- What is a culture of compliance and is it really that important?
- What would a regulator say about my company’s culture?
- Can we test or monitor our own compliance culture? If so, how?
Let’s start with the first question: What is a culture of compliance and why is it important to my company? Very simply, culture has been described as “the way we do things around here.” A culture of compliance is present when employees from top leadership to the front lines share a commitment to perform their work ethically and in accordance with legal expectations. By creating such a culture, companies put themselves in a position to mitigate the risk of being subject to enforcement actions from regulators and lawsuits from consumers. Furthermore, regulators, such as the Consumer Financial Protection Bureau (CFPB), have noted that a culture of compliance is one of the first steps in building a financial system that prevents harm. The DOJ has also made its expectations clear in its updated guidance issued in March.
Regulators often look at three characteristics or behaviors when assessing a company’s culture of compliance, also known as the Three Cs. The Three Cs consist of commitment, capacity and cooperation.
These derive from a combination of statements and examination procedures used by regulators and the DOJ. Commitment comes directly from the assessment factors of the Federal Financial Institutions Examination Council (FFIEC) rating system regarding board and management oversight. Capacity is briefly discussed when assessing an institution’s compliance rating in the FFIEC rating system and is also addressed in the DOJ’s “Evaluation of Corporate Compliance Programs.” Cooperation is outlined in the CFPB’s Responsible Business Conduct supervisory guidance.
The first of the Three Cs, a company’s commitment to compliance, starts with the board of directors and senior management and the tone they present to the company about compliance. Management should stress the importance of adhering to laws that govern its operations and set expectations for the highest level of ethical behavior as defined by the industry. Commitment also includes how the company established and supports its compliance program, that is, whether management provided adequate budget, access, training, communication, policies and procedures, and monitoring and/or auditing programs to mitigate compliance risk.
A recent survey conducted by FTI Consulting of 200 compliance professionals representing 625,000 employees and $2.5 trillion in annual revenue revealed several significant weaknesses in management’s commitment to compliance as perceived by survey respondents, ranging from insufficient budget allocations to leaders’ limited participation in communications and behavioral role-modeling to general disempowerment of compliance professionals.
For example, most companies communicate expectations to managers and staff regarding the importance of achieving financial or business growth goals. If those communications rarely or never include messaging about the importance of compliance and ethical business practices, it can foster a culture where “win at any cost” is acceptable and encouraged. This creates a breeding ground for employees to disregard compliance in favor of meeting performance goals. This is a real risk. Just 27% of respondents in FTI’s survey reported that their CEOs communicate to employees about ethics and compliance, and only 18% said that managers do.
The second C is a company’s capacity to adhere to the laws that govern its operations. In assessing capacity, management should consider personnel and resources. Management should ensure that the people responsible for compliance are knowledgeable and capable of overseeing the compliance function in the company and that those professionals have a seat at the table when important business decisions are being made. In fact, 51% of compliance professionals feel they do not have significant input into providing strategic direction to the executive team or the board on compliance topics, and only 34% strongly agree that they have enough time with upper management to report on compliance matters. Management should also provide adequate resources to mitigate compliance risk, whether it’s funds, systems or personnel. More than half (53%) of compliance leaders today do not have an annual budget available to them to manage their compliance programs and initiatives.
The last C is cooperation, which relates to the second question we should ask: What would a regulator say about my company’s culture? Cooperation in this context pertains to dealings with the regulator(s) who are responsible for overseeing the company’s operations. Cooperation includes providing requested materials appropriately and in a timely manner, being available and responsive to meetings and questions, and being responsive to communications regarding possible findings. By cooperating with a regulator, management reinforces its commitment to compliance.
Measuring compliance culture
Finally, the third question: How do we test compliance culture? Most companies understand the importance of a compliance culture but often perceive culture as something that is unmeasurable. However, a culture of compliance can be measured and doing so enables a company to take action to improve compliance culture based on prescriptive data about what is driving cultural strengths and weaknesses. In addition, measuring compliance culture and acting on the findings strengthens a company’s position with regulators before, during or after an investigation process.
Even though about half of compliance professionals conduct general employee pulse surveys, comprehensive cultural assessments focused on compliance are rare, suggesting that a deeper assessment could help shed light on some of the compliance challenges that organizations have not yet been able to identify. Another common tactic is adding a question or two to the company’s annual employee engagement survey. However, standard culture assessments or employee engagement surveys won’t provide the detailed insights a compliance officer needs to understand employee perceptions specific to compliance.
A specialized assessment is needed that explores not only awareness of policies and where to find them, knowledge of the ethics hotline and the effectiveness of compliance trainings but also employees’ perceptions of the performance of their leaders, managers, peers and themselves with regard to ethical behavior, communication and accountability for compliant business interactions. Most companies would not invest in operational remedies without a clear understanding of the problem, and they should not attempt cultural “fixes” without reliable data either.
Ethics and compliance are an integral part of any organization’s success, but they cannot thrive if they are not fully embedded in corporate culture. What matters gets measured and what gets measured gets accomplished.