The best way to handle a regulatory investigation is to avoid it in the first place. But even in the best-run organizations, compliance failures happen. When a regulatory investigation is launched, the original compliance failure becomes a small part of the conversation -- the real focus is on the compliance program’s effectiveness as a whole. At this point, the compliance officer’s job is to prove that the incident was unequivocally a one-off occurrence and not something indicative of the routine way the company does business.
Leaders can take the following steps to show they are truly committed to a culture that promotes compliance and risk management -- before regulators come calling.
Show, Don't Tell
One red flag for regulators is a litany of buzzwords being used to describe a workplace’s compliance program or culture (e.g., ethical, strong, preventive, self-governing) with very few examples provided to demonstrate a commitment to these ideals. Regulators will not be impressed by words describing your program’s effectiveness; rather, they will seek evidence of sound processes and effectiveness. While it’s common for executives to say their organization promotes integrity, regulators want to see evidence supporting a commitment to integrity in an organization’s routine systems and processes.
For example, does your organization include an "integrity review" in the promotion process for leaders?
Could your organization demonstrate that it values integrity in business or promotion decisions? Prove it. It is critical that during a regulatory investigation you provide clear examples showing how your company’s culture promotes integrity.
Collect High-Quality Employee Feedback
Understanding how employees view your company culture is typically achieved through workplace surveys. When using surveys to measure employee attitudes, the ability to compare your organization’s data against industry or topical benchmarks is important. Effective programs not only offer benchmark data but also provide proof points that validate those benchmarks. Demonstrating the validity of your survey items is part of the process of demonstrating the validity and utility of your overall compliance program.
Beyond quantitative survey responses, additional employee feedback may be necessary: Are employees aware of reporting mechanisms within their organization? Do employees feel they can report ethics violations or integrity issues without fear of retaliation? Do they think such reports will be thoroughly investigated? In addition to the basics, best-practice programs go deeper by using qualitative interviews to thoroughly explore employee trust levels, customer-care values and leadership integrity. These insights provide valuable commentary for compliance officers to cross-reference during regulatory investigations. Beyond traditional workplace survey data, they reveal the feelings and experiences that influenced employees’ responses to the survey.
Extend Compliance Beyond the Compliance Department
Executive leaders are ultimately responsible for creating the culture that shapes their employee experience and guides workplace decisions. However, “tone from the top” is another soft concept that will need to be fleshed out in detail to regulators. This requires showing how all business activities and all policies and procedures (compliance-specific or not) are consistent with compliance values. When these don’t align, the program is no longer the best indicator of companywide compliance.
Consider a bank whose leaders communicate a mission to help customers achieve financial security. As a business strategy, the bank waives service fees and penalties for account holders who meet certain minimum deposit requirements. What may seem like a customer relationship incentive put in place by leaders to retain important clients can, in practice, contradict the stated mission of the organization -- the bank’s most financially insecure customers are paying more for their banking services. Regulators are on the lookout for these types of situations in which an organization professes one ideal but practices something else altogether.
It’s clear that preparing for a regulatory investigation starts long before a compliance failure. Compliance officers need to routinely assess and document the comprehensive nature of their program, beyond annual training or a brief employee survey, so that program effectiveness speaks for itself. This makes significant compliance failures few and far between -- and ensures they are truly one-off incidents that neither represent nor stem from the organization’s culture as a whole.