What factors define a good risk and compliance culture?

The promotion of a sustainable risk and compliance culture across the enterprise is a responsibility of the board and the executive-level leaders, particularly the chief compliance and risk officers. Their tone at the top filters the elements of a “good culture” down through the layers of management and risk takers. Where the culture is favorable, behaviors are more desirable in terms of policy compliance, risk prevention, whistleblowing and accountability.

Regulators and authorities have cited a “poor culture” in enforcement cases to extend liability to governance areas. For instance, in Spain the State Prosecutor recently indicated that compliance programs should build the true compliance culture of a company rather than being an instrument to avoid criminal liability. An inadequate culture, driven by performance complacency, tolerance of improper behaviors or the justification of compliance breaches, diverts resources from strategic objectives.

We need to understand the internal and external factors of the risk and compliance culture in order to change them for the better. Perceptions of the governance structures, such as remuneration incentives and performance measurement, are critical to adjusting risk behaviors. The compliance program should specify these desired expectations to align practices in all parts of the company with the business's ethical values and shared risk tolerance.

Research evidence suggests that culture is strongest in business units that:
  • are smaller (up to 5 members) and less diverse (Colquitt et al. 2002), 
  • have higher staff well-being, engagement and tenure (Huhtala et al. 2015, Beus et al. 2010), 
  • have high social interaction and leaders who provide clear guidance (González-Romá et al. 2002), 
  • have a denser communication network (Zohar & Tenne-Gazit 2008), 
  • are focused on customer needs (Bedarkar et al. 2015), 
  • are more interdependent and have higher group identification (Roberson 2006), and 
  • are more cohesive, with leaders who are transformational, share a clear strategic vision for the work and behave consistently (Luria 2008). 

ISO 31000 on risk management specifies that the organization's culture should be assessed as part of the internal context in order to adjust and improve the risk policy. The strong-culture factors suggested by research can be promoted by:
  • setting a risk tolerance policy to consistently manage risks holistically, including compliance, operational, financial and strategic functions, 
  • focusing cost-saving and performance programs on investigating accidents and losses, including those covered by insurance and those involving fraud, 
  • setting HR policies to avoid mutual accountability and to promote open-door communication, issue escalation and whistleblowing reporting, 
  • adjusting the remuneration scheme to reflect the risks taken and the results of internal control reviews, 
  • developing a comprehensive training program to build the skills that support desired behaviors, such as detecting fraud red flags, team management and objective setting, workplace incident response, and regulatory compliance, 
  • building risk and compliance reporting channels for governance oversight, in order to aggregate risk management information and indicators and to decide on risk reduction plans, the development of the compliance program, and internal control effectiveness, 
  • articulating a value-based compliance system with policies and procedures that enhance personal accountability, and 
  • involving suppliers, investors, clients and regulators in creating and developing action plans that support a transparent culture and anticipate risks. 
