It’s Time to Question Everything About Best-Practice Compliance
A strong company culture of integrity isn’t just a nice thing to have. It has become increasingly clear that companies focused on integrity are likely to reduce the risk of misconduct while also bolstering a solid corporate reputation, genuine employee compliance, robust governance, and even profitability. More and more companies are feeling the limitations of an old-fashioned approach to ethics and have started to take a more proactive stance.
Behavioral science can provide compliance officers and their teams with a unique insight and perspective on the organizational elements required for companies to build an ethical culture.
In my conversation with Alison Taylor, executive director at Ethical Systems, she explained why applying key concepts from organizational psychology and behavioral ethics can reveal much as to why corporate compliance programs succeed or fail.
Are modern compliance programs effective?
Today, there is a remarkable degree of international consensus over what a best-practice compliance program should look like. The current approach to compliance is deeply informed by a company’s need to detect it and deter regulatory scrutiny. The vast majority of multinational companies have all the elements in place. But since integrity and corruption scandals still occur with depressing regularity, the effectiveness of even best-practice compliance can be questioned.
Why is organizational psychology relevant for compliance?
Organizational psychology and research into behavioral ethics tells us that human beings are highly prone to justifying and rationalizing unethical behavior; we are far more influenced by peers and bosses than most of us would like to admit. Much corporate practice (not just in compliance) is based on anecdotal approaches and benchmarking, not on understanding and applying what works. For this reason, measuring an organization’s distinct culture is important. It provides a baseline by which you can evaluate your efforts and investments and come to understand whether the money and time were well spent!
Is it unhelpful for compliance programs to so closely replicate criminal law?
Yes, this has several unintended behavioral consequences for corporate employees. The emphasis on rules and processes makes people focus on how to navigate, manage, and evade rules set by compliance teams, not on comprehending the wider need for integrity and ethical decision-making. This is evident in such recent integrity scandals as those at Wells Fargo and Volkswagen, where problems that involved whole groups and teams cannot be explained by the decisions of a few bad people. Yet compliance programs implicitly assume that the world is divided into good people and bad people: if you can find and remove the “bad apples” in an organization, you won’t have a problem. It also assumes that human beings make rational, cost-benefit decisions as to whether it makes sense to pay a bribe, and that it is the organization’s job to make the costs of bribery outweigh the benefits. The importance of culture and leadership calls for “tone at the top,” but how to measure and maintain this ideal remains unclear to many companies.
How does corporate culture help support the effectiveness of compliance programs and policies?
Compliance programs cannot be evaluated in a vacuum because their effectiveness depends so much on an organization’s culture, norms, leadership, incentives, and overall strategy. Put another way, you can evaluate the effectiveness of compliance processes and systems only within the overall cultural context and norms of a given organization. My own research suggests that corrupt cultures harbor a focus on growth at all costs; along with unrealistic incentives (particularly bonus targets); authoritarian leaders who evade accountability; and a climate of fear, necessity, insecurity, powerlessness, and intense rivalry. In such cultures, whistleblowers fear speaking up or take pains to do so, only to find their efforts ignored or silenced by leadership. In short, we all need to consider organizational norms and human psychology, along with policies, processes, investigations, and monitoring. Programs that attend to these issues are certain to be far more effective. Further details are available in my working paper, Five Levels of an Ethical Culture, and in an older study of mine on what corrupt cultures have in common.
How should companies consider organizational norms and human psychology when it comes to implementing policies and processes?
The way to start is to measure and understand the organization’s culture. Take the incentives question. In most large corruption scandals, it had previously been made clear to employees that they would be fired if they violated the Code of Conduct and paid a bribe. Lack of training and awareness was not the company’s problem. Rather, it was that employees had simultaneously been told to adhere to the Code of Conduct and to meet punishing sales targets in challenging, highly competitive markets. If employees are told to meet goals that contradict each other, they are likely to prioritise performance targets set by their direct bosses over any abstract rules dispatched by a far-off compliance officer in the head office.
How should companies go about training employees?
The same point applies. In most organizations, training is an online process that takes a consistent approach—because consistency is mandated by the regulator. A recent study published in the Georgia Law Review argues that corruption risk in organizations is not evenly distributed; the vast majority of risk sits with a “power few” who ought to receive special attention in terms of training and oversight.
What should companies do with their internal reporting data?
It is tempting to view an absence of reports from whistleblowers as good news. But silence could mean that employees distrust the confidentiality of the hotline, or do not expect the organization to follow up. Without knowing the cultural context, it is hard to draw conclusions. Companies need to think about the messages they send to employees across the organization. If compliance efforts contradict louder, more powerful and immediate messages, they will fail.
Do you think many companies fail to recognize the importance of organizational psychology when it comes to compliance practices?
It is not surprising that companies are laser-focused on meeting regulatory requirements. The penalties and punishments for not doing so are considerable. Compliance officers are exposed to personal liability and must navigate an ever-more complex network of emerging and overlapping laws and requirements.
The impacts of the EU’s General Data Protection Regulation (GDPR) provide just one example. Compliance teams must use their limited resources to confront ever-expanding responsibilities. Moreover, organisational psychology suggests that compliance officers need to pay attention to issues beyond their direct remit, such as bonus structures, growth targets, and leadership priorities. Corporate culture is inherently complex and difficult to measure and evaluate; assessing the prospects for wrongdoing requires skills and capabilities that are absent in most compliance teams. All these factors have limited the ability of compliance teams to integrate useful concepts from organizational psychology.
How can compliance efforts surpass those limits?
There is now a compelling body of research on how to build more ethical, sustainable cultures, much of it accessible in books and articles. Training compliance teams on core concepts from organizational psychology and behavioral ethics is a useful approach. It will, for example, expand understanding of how to improve employee training and hotlines. Assuring the independence and authority of the compliance function is also keenly important because it can help compliance teams hold senior leadership to account. Fundamentally, though, there needs to be a lot more empirical research into what works in companies and what doesn’t.
What does measuring and evaluating company culture involve?
Although measuring culture is difficult, there are helpful options out there. It is possible, for example, to adapt employee engagement surveys to include some broader culture questions. Ethical Systems has conducted research in the ways in which companies can evaluate culture and have identified 10 key areas of measurement, including leadership behavior, organizational ethos, social contract, individual perceptiveness, and employee response to observed misconduct. Successfully measuring these dimensions were found to predict unethical behavior because they are uniquely relevant to the objective of determining ethical culture. This is also the basis of the culture measurement tools we have developed for companies to use.
What are your biggest tips for compliance officers looking to establish the right culture within their companies and bolster the effectiveness of their compliance processes?
Focus on incentive structures. Compliance officers should try to work with HR and senior leadership to set realistic growth targets to ensure that teams are not being lured into unethical conduct by poorly designed individual and group reward targets. This is the biggest risk factor for unethical conduct in many organizations. Consistent and credible research tells us what works and what doesn’t.
What do you make of the current focus on the purpose and values of the corporation and on rethinking capitalism so it will pay attention to the needs of all stakeholders, not just shareholders?
It’s wise. Questions of corporate integrity have never ranked higher on the senior leadership agenda than they do in 2020. There is also compelling evidence that younger employees are far more focused on social purpose and values than older generations have been; they want to work for companies that embody these values. Compliance officers need to work closer with senior executives and corporate responsibility teams to design ethical organizations that inspire and motivate employees. Meanwhile, transparency is broadly increasing. Company reputations can be dramatically damaged in hours, even minutes, via viral campaigns on social media, and they increasingly need to behave as if anything they say or do might become public knowledge. The feedback loop among unethical conduct, reputational risk, and market value has tightened extraordinarily, strengthening the business case for a more holistic, strategic approach toward ethics and compliance.
Alison O’Connell is editor of Lexology PRO Compliance, from which this post was reprinted.