Culture remains one of the most nebulous concepts in compliance, but in fits and starts companies are starting to get their arms around how to recognize it, manage it, and improve it.

At least a dozen different regulatory directives or frameworks make prominent references to organizational culture or corporate culture as the cornerstone of an effective compliance approach, but not a single one defines it, said Rich Girgenti, principal at KPMG and U.S. leader in forensic services for the firm. That includes pronouncements like the Sarbanes-Oxley Act, the Dodd-Frank Act, the Federal Sentencing Guidelines, the U.S. Justice Department’s guide to the FCPA, NYSE and NASDAQ listing standards, the COSO internal control framework, and even the more recent Yates memo.

Not only do regulators not clearly define culture, they seem to go out of their way to avoid doing so, said Deborah Bailey, advisory managing director at KPMG. Yet most compliance professionals today know it when they see it, she said. Practice has come up with many different definitions that are not written with nearly as much authority as those bellwether regulatory directives. “But you know it and feel it, by and large, when you go in the door,” she said.

Bailey and Girgenti teamed up with leaders in financial services and healthcare at the recent Compliance Week 2016 annual conference in Washington, DC, to provide some ideas on how compliance officers can better define corporate culture, which is the first step to better measuring and managing it.

It’s a timely discussion, given calls from leaders in the internal audit profession to begin performing some audit procedures around culture. The Institute of Internal Auditors published a white paper earlier this year encouraging members to start putting pencil to paper on how they could come up with an audit plan that would call attention to risks related to culture.

The paper provides a number of suggestions for cultural indicators that auditors could examine, like employee satisfaction and perceptions, training, customer complaints, whistleblower responses and protections, various HR practices, strength of leadership, and many others. The list extends far beyond examining whether the company has a written code of conduct or a policy on ethics.

Especially in the financial services sector, said Bailey, regulators have left a void for companies to fill. “They’ve challenged individual firms to figure this out and address this on their own,” she said. “And the industry is really rallying around this and trying to address it in a significant way.”

Mike Lamberth, managing vice president and senior compliance officer at Capital One Financial Corp., said the company tried to be clear and simple in its mission by using only four words: “change making for good.” The double meanings are intentional. “We start by thinking about what it is we want people to do, then step back and see what could go wrong.”

A simple mission focused on aligning to create positive customer outcomes makes it easier for associates to understand what to do in any job function anywhere throughout the company, Lamberth said, even in other countries. Employees will better internalize the idea of making lives better for customers than performing in a way that meets a legal threshold.

That led to a robust training program meant to instill a positive culture around the company’s mission. “Training has become an incredibly useful tool,” he said, although he anticipated the quiet groan that training advice might inspire. “I wasn’t against training. I was against bad training.”

It’s important, said Lamberth, to develop an organization that is comfortable escalating concerns, questions and risks. And the escalation of issues should be prominent, the responsibility of more senior people in the organization who have more experience, he said.

All of that requires a formal approach to establishing culture, said Lamberth. “You’ve got to get something formal in place, and do not make the mistake that says if you have it on paper, it’s the same as having culture.”


On-site polling at the conference suggested companies have some room to grow in terms of formalizing their approaches to establishing and assuring a positive culture. Almost half of participants said they don’t have a formal program for designing, implementing, and evaluating conduct and culture. Nearly 40 percent said they “never” use formal metrics for monitoring effectiveness of conduct and culture. Less than one-fourth said they report any kind of conduct or culture metrics to the board of directors.

John Crisan, chief compliance officer for Johnson & Johnson, said he’s in an industry sector a step down from financial services in terms of regulatory demands around culture. That doesn’t mean the company is any less committed, however. The company’s credo has been in place since the early 1940s. “It permeates our organization, and we measure against it,” he said. It even factors into performance evaluations.

The primary means of measuring against the credo is an annual ethics survey, said Crisan. The survey changes each year to reflect emerging themes or trends or to ask questions around any concerns that may be arising. The compliance program calls for plenty of personal visits to various locations, in part to assess culture. “You can tell a lot and you can sense where there’s a culture of compliance and ethics or something you want to pay a little more attention to,” he said.

Especially with third parties or recent acquisitions, site visits are critical, said Crisan. “You have to be in there, face to face,” he said. If a visit suggests concerns about whether business leadership there understands the expectations, it may be time to engage the legal department or other resources to escalate the concern.

Crisan also likes to leverage current events and use those as teaching moments. “Never let a good crisis go to waste,” he said. When the Chinese government took action against a pharmaceutical company, “you can bet I used that opportunity to talk to my Chinese partners and really drive home why compliance matters to us.”

Companies like Capital One and Johnson & Johnson have seen some success, said Girgenti, because they sought more than simply a compliance mindset. “They began by defining a higher purpose,” he said. “That it’s not just a compliance culture but it’s critical to business success. That played into building a culture of compliance and integrity.”