What did the Global Financial Crisis tell us? Amongst many insights, the world discovered that there was a major problem with the approach organisations took towards risk and compliance management. As a result, this has led to many regulatory reforms and increased scrutiny of an organisation’s ability to conduct operations in an ethical manner that places customer interests first. While this has placed increased regulatory demand on organisations, some have taken it as an opportunity to improve their own internal culture, ethics and operating environment, thereby reaping benefits far beyond regulatory compliance. To avoid the mistakes of the organisations that fell prey during the GFC and the countless scandals of the past, it is critical to maintain a strong risk and compliance culture within your organisation.
What is compliance culture?
A compliance culture is an organisation’s attitude, integrity, and respect towards meeting their compliance obligations.
Today’s regulatory environment is complex, and as Small and Medium Enterprises (SMEs) grow, their compliance obligations increase substantially. Requirements emerging from legislation such as Privacy, Responsible Lending, the Financial Advisers Act, Conduct and Culture and AML/CFT pose many challenges for a business to manage, especially for SMEs. In order to operate in this regulatory climate, organisations need to maintain a strong compliance culture so they can manage their obligations effectively.
However, compliance culture starts with a strong risk culture. In our view, compliance culture is a subset of risk culture. The ability of an organisation to comply with evolving regulations requires effective risk management processes. Risk management processes alone are not enough to ensure compliance – a strong risk culture is what underpins it all. Employees make many decisions each day, all of which contribute towards an organisation’s ability to meet its compliance requirements. Ultimately every employee has their own morals, ethics and risk appetite, all of which shape the decisions they make on a day-to-day basis. Good risk culture builds accountability and ownership across the organisation, which flows on to have positive effects on managing compliance. A strong risk culture plays a huge role in the success of your staff adopting compliance management frameworks and processes, increasing the efficiency and effectiveness of meeting your compliance obligations.
So how do you make a risk culture stronger?
A strong risk culture correlates with meeting your compliance requirements, because the risk-taking ethos in an organisation is based on cultural values, morals and ethics. However, it’s important to note that merely meeting obligations doesn’t indicate a strong risk culture. An effective risk culture is also one that encourages the risk-taking necessary for successful innovation. Here are some ingredients of a strong risk culture:
- Consistent tone from the top – the Board and Senior Management have critical roles to play in risk culture, including a commitment to compliance, with respect to the decisions they make and the messages they send to their employees. They need to ensure they create an environment that encourages:
  - Employees to make tactical decisions relating to risk. For example, taking risks when appropriate (such as experimenting with a new idea or targeting a new market) and avoiding risk when it comes to compliance-related decisions (such as meeting your regulatory requirements).
  - The timely flow of information up and down the organisation, with bad news communicated effectively to help promote a culture of honesty and transparency. We have seen instances in the past where Senior Management would avoid reporting bad news to the Board, an example of poor risk culture, which can lead to non-compliance.
  - The status quo to be challenged by having diversity in values, gender, backgrounds and perspectives within Senior Leadership Teams.
  - Risk reporting and whistleblowing, to pro-actively learn from mistakes.
- Rewarding appropriate risk-taking behaviours – encourage employees to experiment and come up with new, innovative ideas. Employees should not only be rewarded for successful experiments, but also not be afraid of failure. Organisations must determine their risk appetite with respect to compliance, which is usually low or no appetite at all.
- No complex processes – large, manual and complex tasks or processes are a common reason why employees resort to circumvention and find alternative methods without understanding the risks, particularly the risk of non-compliance. The use of efficient technologies to achieve the same outcome can go a long way in encouraging employees to follow the established processes and procedures set by the organisation.
- Risk management skills, resources and knowledge are valued – a properly established risk management function, with support for professional bodies and forums, will encourage employees to up-skill and promote positive risk behaviours.
- An effective testing and monitoring programme – risk and control functions have the responsibility of facilitating and monitoring effective risk management practices and alerting management to any emerging issues. Your risk and control functions can be used to manage and monitor compliance in an ever-changing regulatory landscape.
If your organisation lacks one or more of these elements, you are exposed to additional risk of non-compliance. This inevitably leads to the all too familiar situation of fines for a regulatory breach, excessive risk-taking, complexity in operations, and reduced transparency and clarity for your employees and customers.
Steps you can take to improve compliance culture
According to the Institute of Risk Management, improving an organisation’s compliance or risk culture involves a clear understanding of the current culture and the desired state. We have outlined four important steps your organisation should take to get started on this journey:
- Understand regulatory expectations and ensure the regulatory function within your organisation is well equipped to design internal policies, processes and controls that ensure compliance. This requires a certain level of expertise, often the right mix of compliance professionals and tools. SMEs typically struggle to find the right expertise and people and, as a result, obtain assistance from external consulting firms.
- Make a long-term commitment to allocate resources towards compliance-focused initiatives. This ensures the right level of funding is available to help transform the organisation’s culture over a long period of time. SMEs must consider how they will allocate resources to understanding their current compliance requirements and the steps they will take to meet them.
- Ensure employees are provided with the right level of training to understand regulatory expectations and requirements and embed them in their day-to-day processes and controls. There is little use in spending excessive amounts of money on change initiatives to address regulatory requirements if your employees cannot implement them.
- Revisit your audit plans to ensure they include periodic reviews that assess organisational compliance against the identified regulatory expectations. The findings from these reviews should feed directly back into the change initiatives. Ensure your AML/CFT auditor or other compliance partner works with you to achieve this.
- Invest in tools and technologies, which can go a long way in ensuring that employees do not circumvent established policies, processes and standard procedures, by reducing process complexity. Examples include automated workflows, data analytics and incident reporting systems. For SMEs or start-ups, the real opportunity is to get this right from the start – investing in technologies rather than manual (and paper-based) processes pays off in the long run.
“Every organisation has a risk culture (or indeed cultures): the question is whether that culture is effectively supporting or undermining the longer-term success of the organisation”.
How we can help
Disclaimer: This blog post provided is for information only and cannot be relied on as evidence of complying with your statutory obligations. It does not constitute legal advice and cannot be relied on as such.
If you would like to understand how Accelerate Advisory could help with your compliance, or require an independent audit, please do complete the form on this website, email us at [email protected] or call us at +64 21 02535718
