Building a dedicated compliance programme should be an essential part of any organisation’s operating policy.
But why is it so important? How do you implement it? And what are the key things to take into consideration?
We decided to put together a guide to outline the key things you need to know about developing a compliance programme.
Why Do You Need a Compliance Programme?
There are a number of reasons why your organisation should have a compliance programme in place.
It’s The Law
To operate legally as an organisation you have to conform to an array of legislation, regulations, and mandatory and voluntary standards. These regulations can come from a wide array of places: for example, your national government, the European Union, organisations such as the World Trade Organisation, trade agreements (eg NAFTA) or foreign government legislation. Adhering to these is what we mean by compliance.
There are direct financial and legal reasons for having a compliance programme. When handing out the largest ever fine (£20m) for a breach of environmental standards the judge in the case cited the organisation’s ‘history of non-compliance’. A chief executive of a financial organisation was fined almost £1m for being non-compliant with regulations in relation to whistleblowing.
General Data Protection Regulation (GDPR)
Compliance areas like money laundering, modern slavery and whistleblowing could seem abstract to some organisations. For example, many managers would be forgiven for saying ‘we aren’t a financial organisation, so maybe compliance isn’t for us’. GDPR affected organisations of every size, from tiny to huge. It affects organisations inside and outside of Europe. The threat of fines of up to €20 million, or 4% of annual revenue, left all organisations scrambling to comply.
GDPR means that no organisation can ignore their compliance obligations.
Social Awareness & Brand Identity
The quality of your service or product is, of course, the key to success. However, most business leaders will point to brand name and reputation as the second most important factor in the success of an organisation. Being compliant helps to protect against unnecessary damage to your brand name. If your organisation loses important customer data on the street, this will stick in the minds of consumers and potential clients. When they are choosing between your organisation and a competitor that has never lost customer data, they will probably go with the safe option. This can have an incalculable negative impact on profit. The reputational damage could have been averted with a proper IT security policy, reinforced with adequate training.
Millennials, Generation Y and Generation Z
From 2008 to 2017 there was £40 billion of growth in the ethical goods* market. This growth is the result of the spending power of Millennials, Generation Y and Generation Z becoming a bigger factor in the market. These demographics care more about the ethics behind the goods and services they use than previous generations of consumers did. They care that your organisation is compliant with modern slavery legislation, they care about environmental standards and they care that their data is secure. They care about this as consumers and also as employees.
*Note: Ethical goods are goods which were ethically made or do not harm the environment and society. Organic, free-range food and fairtrade products are examples.
The United Kingdom enacted its Modern Slavery Act in 2015. One of the principles behind this legislation is that reputation matters to organisations and that business ethics matter to consumers. The legislation requires certain organisations to publish annual statements on their efforts to combat modern slavery. The Secretary of State can force compliance through the high court. However, the government expects stakeholders (eg consumers or shareholders) to hold companies to account.
How Do You Implement a Compliance Programme?
Implementing a compliance programme is a large project. Briefly, a good compliance programme will look like this:
- Knowing the scope is the first step and also an ongoing step. You need to know about all the regulations that govern your industry. You also need to list the internal compliance requirements.
- Gather information from inside and outside your organisation. Leverage the knowledge of board members, managers, and employees. There is likely to be a wealth of information here. Research industry developments, analyse how your competitors implement compliance programmes and perhaps consult with relevant professionals.
- Set down the goals that you need to work towards.
- A risk assessment will help you prioritise. You will not only identify risks but will also be able to analyse the probability and potential damage of each risk. This means you can appropriately focus your efforts.
- Align your policies, procedures and processes. They need to work in tandem.
- Is everything understood? Stakeholders need to know their roles. Does a policy assign responsibility to someone specific? They need to know this. Does a policy create a new process? The relevant parties need to know. Communicate with anyone with responsibilities and encourage feedback.
- Is there buy-in? It’s easy to have policies. In fact, there are some freely available on the internet that are ready to go! However, the organisation needs to be ready and willing to embrace them. You might want to gauge buy-in with surveys or reviews.
- Ongoing assessment, eg reviews, audits, monitoring and continuing oversight, is needed. Once things are in place, you need to make sure everything operates effectively. Ongoing monitoring also helps to find gaps not previously considered in the risk assessment.
- Employees, managers and executives will need targeted, periodic and recurrent training.
- You should define your key performance indicators and any other quantifiable outcomes of your compliance programme. Gather the relevant information and share it with all the relevant stakeholders. You need to measure your success or failures!
What Do You Have to Comply With?
The regulatory and compliance landscape facing organisations is constantly changing and expanding. PwC remarked that regulation and compliance legislation is a ‘growth industry’. The annual Cost of Compliance Survey released by Thomson Reuters analysed on average 216 regulatory updates a day in 2018 (up from 201 in 2017).
The specifics of what your organisation needs to comply with depends on your organisation. There are broad topics that apply to all organisations, for example, health and safety, fraud prevention, equality and diversity, and GDPR.
There are industry-specific compliance issues. For example, companies in the food industry have numerous standards they have to adhere to. Certain types of financial organisations have specific and strict rules to follow in relation to money laundering. The majority of public organisations (eg state-owned) have to follow guidelines in relation to the Freedom of Information Act.
Does your organisation operate in multiple countries and across different regions? This could heighten your responsibilities in terms of anti-bribery laws and anti-modern slavery laws. Your organisation might also have to consider the subtleties of country-specific legislation.
The Two Pillars
It doesn’t matter what industry you are in. It doesn’t matter whether your organisation is big or small, or even whether it’s publicly or privately owned. There are two pillars on which a compliance programme rests: compliance policies and compliance training.
These pillars work together and form an essential part of any compliance programme. When these pillars are absent or poorly implemented, the results can eventually be disastrous.
In the worst-case scenario of a violation by an employee, you will probably want to show that they read the policy and completed any training.
Why Are Compliance Policies So Important?
Policies are important because they:
- outline to employees what is expected of them in terms of ethics, behaviours, or performance standards
- enable an organisation to have clear and consistent responses across different departments of the company
- demonstrate to regulators that the organisation is serious about being compliant with all relevant standards
- are necessary to be compliant with certain legislation
Policies set the tone for an organisation and have an important impact on an organisation’s internal culture. This is demonstrated starkly in the collapse in 2018 of facilities management and construction company, Carillion. The collapse was a result of a ‘rotten corporate culture’, ‘incredibly poor standards’, ‘conflicts of interest’ and ‘basic failings of governance’.
Why is Training So Important?
Your organisation could invest time researching the regulatory framework in which it operates. It could hire internal or external compliance experts and consultants. It could put in place technology, procedures and equipment to ensure compliance. The compliance team or management could write policies and email them to staff to finalise the compliance project.
This will all be undone if employees do not understand the policies and procedures. All it would take is one accident or one misunderstanding by a staff member to expose the whole organisation. Training is the thread that holds compliance together. Employees do not need to know the minutiae of the regulation – just the basics, how it affects their role and why it matters.
PwC Denmark commissioned a report called ‘Getting ahead of the watchdogs: Real-time compliance management 2018 State of Compliance’. The report ranks organisations into categories of Leaders (ie those with the best compliance programmes), Fast Followers (second best) and finally Strivers. The report states:
Compliance training and communications are more comprehensive and up-to-date at Leaders than at Fast Followers and Strivers. Leaders also are more often using multiple sources of information to inform and target their training and think creatively about new ways to digitally engage employees in training activities. All of those actions positively affect their organizations’ overall risk profiles. Employees are familiar with the risks and behaviours that are permissible and those that are impermissible, and they’re therefore less likely to do things that would place the organization at higher risk.
What Should You Look For?
The compliance training topics your organisation needs should become apparent during the risk assessment and research stage. For example, a financial organisation might need policies, procedures and therefore training on fair treatment of customers. However, how you choose to deliver it might be less clear.
Increasingly, companies are turning to eLearning to provide training for their employees. Some companies use only eLearning content and others use a blend of instructor-led training and eLearning. The eLearning market has grown year on year since 2009, but what is the cause? One study found that for every dollar spent on eLearning there was a $30 return in productivity. eLearning is cheaper, takes less time to complete, does not require travelling to and from a classroom, and some research indicates it might improve knowledge retention over classroom study.
The Case For eLearning
In the 1990s IBM made a conscious effort to reorganise and modernise the organisation. They had employees spread across the world, high staff turnover and challenges to their revenue. Their cumbersome internal training systems were one aspect of the business they tried to improve. One pillar of the solution was eLearning. They credit eLearning with annual savings of $350M and with a more loyal, more flexible and more productive workforce.
Content is King
To get the most out of your eLearning and maximise compliance, choose a well-constructed course with clear, accurate and engaging content. One methodology to keep in mind while looking is active learning.
Active learning is a teaching methodology that is used in all levels of education. Active learning might have been a part of your own education. Group discussion, debates, brainstorming activities and different types of educational games are common examples of active learning in a classroom setting. The opposite is known as passive learning. An example of this would be a student listening to a lecture.
The goal of active learning is to engage the learner in the process of knowledge construction. Through active learning, learners internalise what they have learned and increase their ability to recall (ie use knowledge) when called upon. This is crucial to help employees act in a compliant manner during the hustle and bustle of the average (or not so average) work day!
Examples of active learning strategies in eLearning you can look out for:
- Pre-testing: You learn from your mistakes. It’s common knowledge. You make a mistake with a recipe, you figure out what went wrong and resolve to improve the next time. This translates to formal learning as well. Research into the educational value of pre-testing (test questions being asked before learners read content) concluded:
Even if tests are not answered successfully, they have the potential to improve future learning, as measured by both immediate and delayed performance measures. This finding suggests that using tests as learning events in educational settings could have lasting benefits for learners’ content acquisition, and that tests should be considered a potent learning opportunity, rather than simply as an assessment measure
eLearning is a good environment for this type of pre-testing. The environment is risk-free. Any fear of public embarrassment (ie fear of being wrong publicly) is not present. Ungraded pre-test questions in an eLearning course allow learners to make and learn from their mistakes without these risks.
- Case Studies: In educational theory, case studies are stories or narratives with information written to invite analysis by learners. They include a description of a problem and provide some important data (eg stats, quotes, images). In many cases, some data is purposely left out. Learners are put in the position of making decisions or evaluations based on the information available. Connecting theoretical information with real-life (or lifelike) case studies engages learners in many ways. Depending on the specifics of the case study, they develop problem-solving, analytical and decision-making abilities.
- Interactivity: Multiple choice, drag and drop, true or false and hotspots. These are the nuts and bolts of a traditional eLearning course. A good eLearning course will combine high-quality information screens with quiz screens. A sprinkling of traditional eLearning quizzes helps keep the learner actively engaged. They force the learner to think about and process the content. Importantly, they do not allow learners to passively click the next button over and over! Avoid courses without the nuts and bolts.
- Branching: eLearning branching scenarios are similar to choose-your-own-adventure books or a recent Netflix special. They build on case studies but allow learners to see the consequences of an incorrect action. There is strong evidence in the academic literature of the educational benefits of branching scenarios. For example, a study of the use of such scenarios in third-level engineering courses concluded:
A well-designed scenario both intellectually and emotionally engages the learner, increasing motivation, knowledge acquisition, and most importantly the ability to synthesize and apply knowledge with prudence. Good scenarios also ensure that learners can practice in a safe, yet lifelike environment, and can be comfortable experimenting with different approaches.
‘Synthesize and apply knowledge with prudence’ is an important outcome for compliance training. Many compliance topics have grey areas. They can require employees to make judgement calls or to apply existing knowledge in an unfamiliar context or scenario. Being free to make mistakes and being allowed to explore the ramifications of the mistake gives the learner a thorough, well-rounded understanding of the subject.
To operate legally as an organisation you need to be compliant with a vast array of legislation and regulation. Depending on the age of your organisation you might be building a compliance programme from the ground up or maintaining or expanding an existing programme. In either scenario you will need:
- Policies that establish procedures, processes and company ethics. You need a mechanism to ensure they are read and understood by individual employees.
- Training that teaches employees how to work in a compliant manner. Many leading and forward-thinking organisations use eLearning as part of their compliance training programmes.
- Active learning is an important learning methodology to look for when comparing eLearning suppliers.