From internal policies to regulatory obligations to criminal law requirements, the range of compliance challenges faced by employers and employees today is extensive. Having policies and procedures in place to address those challenges is crucial, but it is often not enough. Compliance is best achieved when it is part of a firm’s culture.
Every employee of a firm, from top to bottom, has an important role to play in compliance. Having a culture of compliance means that every one of those employees understands the rules and embraces their part in ensuring that they are followed.
For example, a breach of export controls can just as easily happen in the post room as it can in the boardroom. Likewise, a breach of export controls that started in the boardroom can be stopped in its tracks in the post room by employees who understand the rules and are committed to upholding them.
Why should firms be concerned about compliance and their culture?
Before considering how to build a culture of compliance, it is worth touching on why compliance, and a firm’s culture in general, is so important.
Perhaps the most visible reason for firms to take compliance seriously is the risk of regulatory and legal penalties if they do not. Often just as costly is the harm that compliance failings can cause to an employer or an employee’s reputation. With investors increasingly mindful of a firm’s environmental, social, and governance profile, firms that are able to show that they take their compliance obligations seriously look a more attractive prospect.
Equally, a firm with a reputation for compliance issues around poor workplace conduct, such as harassment and discrimination, may have trouble attracting and retaining the best talent. Conversely, a firm with a healthy and compliant workplace culture may find that the best talent is easier to attract and retain.
Increasingly, culture is also becoming a compliance issue in and of itself. The FCA defines a safe culture as “an environment in which employees feel comfortable to express their opinions and, crucially, are listened to when they do”. In a “Dear CEO…” letter in January 2020, the FCA made clear that senior managers who fail to address non-financial misconduct such as discrimination, harassment, victimisation, and bullying, which it views as indicative of a firm’s culture, may not be considered fit and proper by the regulator.
Building a culture of compliance
As discussed, a culture of compliance means that employees from the top to the bottom of a firm understand the role they have to play in compliance and take that role seriously. Embedding a culture of compliance has to start at the top. One of the most effective ways for a firm to instil a sense of how seriously it takes compliance is to ensure that it specifically allocates responsibility for compliance to a senior individual, as a distinct job role where appropriate. This is not only a key step in building a culture of compliance, but it has real practical benefits by way of ensuring that compliance issues are discussed and addressed at the very top table. To be effective, all senior members of a firm must transparently and consistently set and uphold a high standard of conduct for the rest of the firm to follow. One way of ensuring that employees’ attitudes to compliance are monitored and evaluated is for those senior managers to set KPI’s that cover compliance and to design performance appraisal forms and processes so that there is a section devoted to evidence of compliance, as part of the annual appraisal.
Within reason all of a firm’s employees should receive tailored training on compliance, what the compliance risks they are likely to face in their roles are, and why it is important that they are vigilant as to those risks. Hand-in-hand with this, firms should make real efforts to ensure that employees are not only encouraged to report suspected compliance issues but feel safe to do so. Clear, confidential, and protected reporting channels are essential, and firms should be clear to employees that there will be no recriminations if their suspicions or concerns turn out to be unfounded. On the contrary, employee compliance and reporting, should be actively incentivised.
The FCA’s largest fine in 2019 was £102m against Standard Chartered Bank for inadequacies in its anti-money laundering controls. One of the key failings identified by the FCA related to Standard Chartered’s escalation of identified money laundering risks – senior and well-resourced compliance functions are significantly hampered if they aren’t made aware of potential compliance issues in the first place by the employees on the ground.
It is also essential that firms ensure they have adequate systems and resources in place to build institutional understanding of compliance issues and stay abreast of changes in the rules to which they are subject as soon as they happen. Good compliance programmes are adaptable and ready to respond to a changing regulatory, legal, and social landscape. The more quickly that firms are able to identify and understand relevant changes, the more quickly and effectively they can modify their compliance programmes to mitigate their risks.
Developments in compliance-related rules and requirements should be communicated to the firm as quickly and clearly as possible – doing so is not just practically important, but it will play an important role in reinforcing the importance of compliance in the minds of the employees concerned.
Policies and procedures, while not enough, are nonetheless crucial. Clear and considered policies and procedures are part of the bedrock of a culture of compliance – the details should be freely and easily available to employees and they should be regularly reviewed to ensure that they are fully up to date and fit for purpose.
Building a culture of compliance has benefits for firms that extend far beyond simply making it easier to avoid breaches of the rules, laws, and regulations to which firms and their employees are subject. From reputational benefits to the positive knock-on effect that championing compliant and ethical behaviour can have on other aspects of a firm’s culture, there really is no good reason for firms not to start building a culture of compliance now. They may even find that doing so puts them ahead of the curve if enforcement authorities begin to take an increasing interest in culture as a compliance issue in and of itself.
Checklist for building a culture of compliance
1. Appoint a senior person within the firm to have ultimate responsibility for compliance, make that a job in and of itself where appropriate, and ensure that they have a seat at the top table.
2. Ensure that the firm’s compliance function is well-resourced and responsive to every relevant change in regulations and laws on a day-to-day basis.
3. Openly and enthusiastically convey how important compliance is to the firm and how seriously it is taken by the people at the top.
4. Have up-to-date and fit for purpose compliance policies and procedures – they are the bedrock of a culture of compliance.
5. Provide tailored training to all employees on the importance of compliance, the role they have to play, and the specific risks they are likely to face.
6. Embed compliance into KPIs, appraisals, and promotion decisions.
7. Actively reward employees who make a positive contribution to the firm’s compliance goals.
If you would like to discuss any of these issues further, or for guidance on your specific rights, responsibilities and potential liabilities, please contact Partner Merrill April or Associate David Jones, both of whom specialise in employment and partnership law issues for multi-national employers, senior executives, firms and partners.