Worried About Compliance Risk? Culture Is Your Best Defense

by Nate Dvorak and Jennifer Robison

Story Highlights

  • Tech and data are vulnerable to human flaws and may miss behavioral risks
  • Organizational culture influences employee behavior
  • Creating a culture of compliance encourages ethical decision-making

If you've been increasingly worried about compliance risk, you're not alone. A lot of compliance leaders -- including 90% of those The Wall Street Journal surveyed in 2020 -- say businesses' response to the pandemic, especially remote working, created or exacerbated risks to cybersecurity, privacy, digitization and a handful of other areas. Over three-fourths of compliance officers say they're relying more on data and advanced tools to spot new risks.

Well, no wonder. We're in the midst of major shifts in where and how work gets accomplished, which introduces risks that few organizations were prepared for. But Gallup research shows that tech and data don't make companies as safe as they might hope. In fact, depending on digital transformation as a solution to compliance problems might leave you even more exposed.

Why Tech and Data Won't Do the Trick for Human Behavior

In many cases, technology enabled businesses to adjust when the pandemic hit. All the tech workers who logged countless hours to move organizations remote, practically overnight, deserve our gratitude. The world's IT workers have kept the global economy afloat.

But all tech is built on a human platform, and whatever humans build is vulnerable to flaws. Facial recognition software that still struggles to recognize Black people as people is a chilling example. Correcting for human errors can create hard controls and standardized approaches that can't account for the unexpected -- like a global pandemic -- and often leaves compliance holes. Last August, for instance, Citi wired $900 million in multiple payments to some lenders by accident, and banking is considered one of the most highly controlled industries in the world.

The same human flaws can apply to data analysis. Data tell a story, but that story is read by people. If they take the wrong meaning from a story, or use the wrong inputs, their conclusions will be insufficient or incorrect. In fact, according to Harvard Business Review, only a third of leaders whose companies test their compliance programs' effectiveness are either "confident" or "very confident" that they're using the right metrics.

Data that don't stretch wide enough to include key attitudinal risks or reach deep enough into the business-unit level are woefully incomplete. And that is a serious risk.

The 'Why' Behind Behavior Is a Culture Issue

That's the risk that should really worry leaders. Security lies in human behavior -- the kind of behavior that empathizes with customers or checks in on automated processes. Tech and data support cannot completely replace it, and if you don't know which behaviors (or which humans) expose you to risk, tech and data won't support you very well.

And Gallup finds that most leaders don't know which initiatives to pursue to actually change workplace behaviors. The view from the bottom is similar. Only 15% of individual contributors strongly agree with the statement, "I have been able to apply something I learned from this compliance/ethics training program in my day-to-day work," and a meager 10% strongly agree with the statement, "I learned something that changes how I do my work after participating in this compliance/ethics training program."

Getting a grasp on the behaviors that keep a company safe (or that don't) is no small thing. Everyone involved in your company, including customers and vendors, must be considered, as well as training, tone from leaders, the environment managers create, the behaviors employees model, official and tacit performance expectations, and perceptions that your company routinely does the right thing.

It's a lot. But hard controls and standardization often overlook behaviors that compromise you.

Consider one of the questions that Gallup asked a panel of U.S. workers in 2020: "In the past 12 months, have you personally seen or do you have firsthand knowledge of employees or managers demonstrating unethical behavior?" Less than a quarter of U.S. employees (24%) say they have -- but of them, only 47% say they reported it. So, potentially half of all ethical breaches go unreported.

That's bad, but it doesn't tell leaders the whole story. For that, leaders need to know why those who did not report chose to keep quiet. Questions like that begin to reveal cultural weaknesses because the answers unearth what drives reporting behavior and decisions.

Gallup has partnered with organizations to dig even deeper, making very specific comparisons between things like how employees behave when their teams talk about ethics compared with teams that don't, and how workers' feelings about their manager affect their perception of their company.

Those behavioral-level data reveal the heart of a strong ethical culture. And no matter what the data cover, they always share a common element: a human making a decision, for better or for worse.

The Right Decision, Every Time

This common element exists even within the least human of activities, like automated cybersecurity processes. No one listens to computers' conversations -- the internet is a very busy place -- but humans decide how computers get to converse with the programs they choose, the software vendors they select, the threats they take seriously or decide to ignore. Remember Citi's $900 million error? It was automated. No human made those transfers. But behind each transfer was a series of human decisions.

Most decisions aren't automated, at least not by computers. Almost all decisions that affect security are made by people, in the moment, often thoughtlessly. Employees have heard a million times not to leave their security badges in their cars -- yet every day, someone does, and likely didn't even notice.

And those are the simple decisions. Decisions about bribing a vendor in a country where bribery is normal are thorny, more so when that vendor is the only route to your customers, and excruciatingly more so when your product is necessary for your customers' welfare.

Your company's security depends on your employees' decisions.

That's not a compliance issue. That's a culture issue.

Creating an Ethical Organizational Culture

Think about those employees who are highly satisfied with their manager and think their company does what's right. Their companies may or may not do the right thing -- but those managers do. And employees take their cues from managers. Over and over, Gallup finds that what a company says is not nearly as important as what managers do.

Selecting and developing managers isn't usually considered a compliance thing, but it is. So is trust in leadership. And how performance reviews are conducted. And the intensity of workplace friendships. And how mission is communicated. A lot of things affect employees' decisions, and you cannot control all of them. You can't control most of them.

But leaders can control the environment those decisions are made in. No one comes to work planning to pay the wrong company $900 million or create racist software. It's your culture that guides employees' decisions.

In-depth, holistic culture analyses reveal why people make the decisions they do. Those analyses indicate where compliance is weak and strong, where security is tight or just imaginary. They show leaders the levers to pull to change behavior. To make those behaviors stick and encourage smart decisions, leaders need a culture that empowers compliance.

So if you're worried about compliance, focus on creating a culture that makes doing the right thing "just the way we do things around here" -- whether that "here" is remote or in person. Good tech and exceptional data analysis are necessary but not enough to keep you safe. For that, you need people who care about safety as much as leaders do.
