Plenty of CEOs “check the box” on compliance. The drill goes something like this: Once a year, the CCO presents the written compliance plan at a board meeting or C-suite retreat. After scanning the checklist of do’s and don’ts, the CEO basically feels satisfied the bar has been met. Time to move on to the next agenda item.
But does checking the box truly protect the company from risk? Does it enhance its business or propel its growth strategy? The likes of Amazon, Apple and Dollar Shave Club have earned kudos for building cultures permeated by a sharp focus on customer service, right down to the smallest interaction. In the same way, regulated companies need to make sure that compliance permeates the organization. The benefits go beyond risk management: A true culture of compliance feels open and honest to everyone it touches; it leads to higher morale, easier recruiting and retention, happier customers and, ultimately, higher productivity. (If this sounds like an overstatement, imagine how it would feel to be at an outfit scandalized by endless sexual harassment claims or embroiled in accusations of “Enron accounting.”) Developing a culture of compliance requires effort, but the concepts are straightforward:
Set the Tone

Setting the right tone starts with the CEO. This does not mean simply honing your message. Fundamentally, it is about integrating compliance into all that you do. The CEO should see all processes in the organization as opportunities to further the company’s culture of compliance, whether they involve the supply chain, operations, facilities, sales, marketing, HR, the board, you name it. How can you prevent costly mistakes? Where could you find opportunities to implement best practices? Have you listened directly to rank-and-file feedback about what’s actually happening on the ground? When it comes to setting the tone, remember that actions matter much more than words (which certainly matter, too). When the CEO makes a visible, daily commitment to compliance, it is easy for everyone else in the organization to follow suit. Consistency is essential. The CEO should set clear expectations and never move goalposts without thinking carefully about the fallout.
Train Your People

As with all other job responsibilities, employees must be trained in compliance. It starts with having a code of conduct, issuing copies to all employees and posting it on the company’s intranet. Consider also posting the code on your outward-facing website to demonstrate your culture of compliance to external stakeholders – customers, suppliers, business partners and the public. But don’t stop there. Train new employees on their first day. Train all employees at least annually. Develop policies and procedures, distribute and post them, and train employees on the distinction between the two. Policies have the force of “law” in a company; violating them subjects an employee to discipline, up to and including termination. Procedures are business rules for the company’s operations. Training should include a combination of facilitated in-person training and online training. Take the training yourself, ensure your executive leadership team does, too, and take it seriously. Doing so sets the example for all employees to follow (remember, tone starts at the top).
Build Trust

The CEO and Chief Compliance Officer must have a bond of trust. At a macro level, this starts with the CEO initiating “the talk,” a freewheeling discussion about questions like how to handle incident responses or what the CEO wants with respect to the frequency of compliance-related communications and the level of detail. Some CEOs want to know about any breaches that occur, and ASAP. Others are a bit more hands-off. The CEO should remove the guesswork by communicating openly about expectations with the compliance team.