- Creating a culture of compliance is essential for managing risk
- New risk-management methods provide more frequent and timely feedback
- Local managers are vital to on-the-ground reporting and measurement
What are the best ways to ensure that employees are following company policies -- and the law?
For companies today, a culture of compliance isn't something that's nice to have -- it's a requirement. Regulators are looking more closely at these programs, requiring leaders to create and maintain a culture that actively promotes compliance. Federal sentencing guidelines lay out the framework businesses must follow when they are designing their compliance programs, with the end goal of detecting and preventing criminal conduct.
Beyond Written Rules
Successful programs set clear guidelines on what actions are acceptable as employees go about the company's business. However, using a one-size-fits-all, once-a-year approach to managing risk isn't enough.
Creating an effective compliance program requires companies to go beyond a list of written rules. Leaders need to understand the factors that influence employees to behave ethically or unethically to prevent unethical behaviors from endangering a company. Unethical behaviors can be tied to many different risk factors, such as pay, performance pressure, risk tolerance and lack of consequences or accountability. These behaviors are also associated with a culture that excuses ethical failures if corporate objectives are met -- in other words, if the end justifies the means.
For example, Veterans Affairs hospitals across the U.S. are under scrutiny after reports emerged in 2014 that employees were misreporting wait times to meet VA guidelines. According to a recently released internal investigation of VA hospitals in Texas, schedulers said they sometimes engaged in misleading scheduling at the behest of their supervisors. The report states that employees did not receive monetary incentives related to patient wait times, but misreporting wait times to meet VA standards was still a systemic problem in the state.
The sum of all messages employees receive creates an organization's culture, guiding employees' behavior and framing their expectations on how work gets done. When companies manage culture effectively, it serves as an unseen force that influences employees to do the right thing, even when no one is looking.
Having an engaged workforce helps create a culture of compliance, too. Gallup's meta-analysis of employee engagement shows that business units with high employee engagement have 28% less internal theft or shrinkage and 21% higher productivity than their bottom-quartile counterparts. Higher workplace engagement also leads to other positive outcomes, including lower absenteeism (37%), fewer patient safety incidents (41%) and fewer quality defects (41%).
In the past, traditional approaches -- such as developing strategy, communications, job descriptions and hotlines; creating a compliance officer role at headquarters; providing annual training and monitoring performance evaluations -- have been used to demonstrate a commitment to compliance and reducing risk. Many companies have relied on annual training programs to ensure compliance, only to find out that a breach had already occurred.
Now, companies need to know how to measure and analyze compliance data so they can take any necessary actions before something unethical or illegal happens. High-quality data sources with predictive power enable companies to assess their current culture of compliance and take prompt action when needed. These new methods include external benchmarking, anonymous reporting, pulse surveys, reputation analysis, management communications, group discussions, facility visits and scores, exit interviews, internal interviews and focus groups. Companies also use feedback from external stakeholders, such as contractors, suppliers and customers.
Developing an Organization-Wide Culture of Compliance
Gallup's experience has shown that there are five factors organizational leaders can use to create the desired culture: leadership; values and rituals; human capital; work teams and structure; and performance. Companies that manage their cultures successfully can align all five factors to create effective compliance programs.
Leadership: Leaders need to do more than communicate the importance of obeying the rules; they should demonstrate good behavior themselves. Leaders set the tone of compliance, and they do this by sharing their vision and aspirations with employees through stories or by celebrating when employees act in ways that are consistent with the desired culture.
Values and rituals: Leaders may set organizational values, but local managers play a significant role in ensuring that employees connect those standards to their daily work. Managers should understand and be able to clearly explain how values related to compliance, such as trust or integrity, apply to the roles performed by employees on their teams. Workplace rituals and everyday social interactions -- including sharing success stories or recognizing employees or teams who have managed risk exceptionally well -- offer other avenues for managers to reinforce the company's values and its desired culture of compliance.
Human capital: The corporate conversation about compliance and risk begins with the hiring process. Employees should understand from the start that compliance is integral to their jobs, and hiring managers should expect new hires to understand the importance of managing risk. After workers are hired, compliance training and education programs should be ongoing, not just an annual exercise to check the box.
Risk management should be woven into training and communication programs to send and reinforce compliance messages often. When making career progression decisions such as promotions, managers should make it standard practice to consider an employee's past involvement in any compliance or risk situations. Choosing not to promote someone based on past compliance problems sends a strong message to the employee and the organization about how seriously the company takes risk management.
Work teams and structure: Traditional compliance departments take a small-but-mighty approach to connecting with the company by using a small staff of employees to monitor risk across the organization. When companies use newer methods, such as cascading compliance data and feedback to the team level, all managers and employees become part of the risk management team. This strategy makes compliance scalable and multiplies the company's risk management approach exponentially.
Performance: Performance systems and incentives have an impact on employee behavior in any organization. These systems should include setting compliance goals, providing clear accountability structures and structuring reward and recognition programs and incentive plans to reinforce a strong culture of compliance and risk management. Leaders should also analyze less obvious factors that influence employee behaviors, such as deadlines and performance targets. Being aware of these motivations and how they can push workers to cut corners is an important part of any risk management system.