What Really Drives Compliance – Is ‘Tone from the Top’ Enough?

In this contributed article, Hoda Aden Mohamed, Corporate Compliance at Nordic Semiconductor, asks what really drives compliant cultures - is it the tone at the top? Or something more practical?

10 October 2023
By Jennie Clarke

This article was contributed by Hoda Aden Mohamed, Corporate Compliance at Nordic Semiconductor.

March 15, 2023, was not a good day for Carrie Tolstedt. The former high-ranking manager who led Wells Fargo’s retail banking empire pleaded guilty that day to U.S. criminal charges for her role in the bank’s sales tactics scandal. Between criminal fines, civil penalties, and a clawback to her retirement package, her activities will have set her back $87 million.

Tolstedt isn’t alone among senior executives held civilly or criminally accountable for their actions. Regulators and prosecutors around the world are increasingly taking aim at top company leaders for their personal misdeeds and for the failings of the organisations they lead.

In one sense, all compliance failures are failures of senior management. Although it’s true that they can’t watch all the people all the time, they are meant to set the example that drives the culture of the organization.  What happens in the cubicles begins in the C-suite.

Tone from the top

The “tone from the top” has become an industry cliché for something far more fundamental: leadership. Good leaders lead by example, visibly demonstrating a personal commitment to the values they espouse, and holding themselves and others to the highest standards.

This begins with communication, but too often it ends with it as well because there is no follow-through. Creating a culture statement and establishing a Code of Conduct are standard practice, but they are only meaningful if top management breathe life into them.

In 2015, a major European corporation published its culture statement in its annual report, saying in part that its commitment to doing the right thing “has always gone beyond statutory and internal requirements” as it sought to “create a corporate culture that stops potential breaches before they happen”. Statements like these demonstrate real commitment and are a model for other corporations to follow.

Later that year, that corporation – Volkswagen – was caught deliberately installing technology to deceive emissions tests for cars sold in the United States. The scheme was executed with the full knowledge of senior leadership, some of whom presumably signed off on the culture statement earlier that year. In addition to paying billions of dollars in fines, Volkswagen was forced to buy back or fix nearly 500,000 cars and halted sales of its diesel cars in the U.S. Estimates of the total cost topped $33 billion, more than its operating profit for the previous year.

And the year before that.


A cookbook with no recipes

Organisations often place great emphasis on their culture statements. Too often, though, they don’t recognise that the statement is a goal (what they want the culture to be) and not a description of what is actually happening in the cubicles, or even the C-suite (see box). So communication is important, but it’s only the first step. Without actions to achieve the goal, culture statements are like cookbooks with pictures of gourmet dishes but with no recipes for how to make them.

Codes of conduct

One of the most common approaches to giving life to culture statements is the Code of Conduct. These documents can also be among the best tools available to Ethics and Compliance Officers, but only if they are taken seriously by both leaders and staff. They should not be viewed merely as corporate window dressing. Worse still, they should not be used as a tool to shield the organisation from liability for the actions of its staff – “He signed his annual attestation of the 150-page Code this year, so clearly we told him not to commit this violation”.

What practical steps can organizations take to make sure their Codes of Conduct are not paper tigers? Most of us already know a few. Meaningful, consistent, and visible enforcement of the Code of Conduct is of paramount importance, of course. The quickest way to undermine an organization’s culture is to state that it has “zero tolerance” for specific behaviours, and then fail to punish violations – especially if a senior leader is involved.

Codes should be simple, specific, and short. No one – no one – is going to read every word of a long and wordy document, and so their signature is a meaningless ticking of the box. High-level imperatives like “always act with integrity” are fine, but unenforceable. The Code must include specific behaviours that can be detected, investigated, and punished appropriately.

The real driver of conduct

But the most fundamental factors in driving behaviour are often overlooked: performance goals and incentives.

Staff will respectfully sit and listen to CEO speeches about culture and will dutifully attend the quarterly Town Hall. Then they will return to their desks, forget what they just heard, and do what their performance reviews drive them to do. Increase sales by 40%? Raise the number of accounts per bank customer? Finish the oil well by October? Sell more diesel cars in the US? These are the things that truly drive culture.

Of course, incentives are important and should not be done away with. But they bring risk, and some bring greater risk than others.  This should be reflected in audit plans, risk assessments and monitoring programs.

Importantly, incentives should be reasonably attainable. Tolstedt oversaw a program at Wells Fargo in which employees at all levels were judged by the number of accounts and loans that were held by each customer. This “cross-selling” activity became the key metric reported each quarter and ultimately the driver of personal success or failure. Employees who were otherwise ethical came to commit fraud simply to keep their jobs – recommending products customers didn’t need, opening credit card accounts without the customer’s knowledge, and even inventing fake clients. Cross-selling itself is a reasonable goal, but management created a culture of abuse by setting unreasonably high targets, constantly increasing the targets for the sake of a good story to tell the shareholders, and focusing performance evaluations unduly on this single metric.

To understand how poorly designed incentives can drive misconduct, it’s important to realize that misconduct isn’t just about bad people choosing to do the wrong thing. It’s also about why good people choose to do the wrong thing. We all have conflicting ethical duties – to the organization, to our families, to society. A bad incentive may present a good person with a conflict between these perceived duties. Yes, an employee has a duty to the company to follow the Code of Conduct, but they may also have a duty to their family to earn a livelihood and provide for them. If it’s necessary to cut a few corners or mislead a few customers, the employee may view their actions as ethical. In their mind, they didn’t choose between ‘right and wrong’, but between two ‘rights’.

Keeping the boss on a leash?

Setting the tone and breathing life into the culture are clearly among the most important roles of senior management.  But what if the managers themselves commit violations? How do Ethics and Compliance leaders keep an eye on senior leaders, and ensure that they are subject to the same standards as everyone else?

Some factors are out of the hands of the Compliance and Ethics Officer. Reporting lines are of great importance, and it’s rarely up to the Compliance Officer whether they will have a reporting line to the Board or how often they will report. Still, other steps can be taken that are within the powers of the Compliance leader. Ensuring that controls and policies apply at all levels without exception is an important tool for ensuring C-suite accountability. In fact, some restrictions such as Outside Business Activities may apply more frequently to senior leaders than to the intern in accounting.

Transparency in reporting is also important, ideally with reports and metrics broken down by seniority level where possible. Taking it a step further, senior leader compliance can be its own metric, providing a visible indicator of the tone from the top and an incentive for senior leaders to take compliance seriously.

Detecting and reporting senior level misconduct is hard enough, but the real trick is meting out disciplinary action when appropriate. Three steps are helpful here:

  • First, disciplinary actions should be determined by a formal disciplinary committee composed of senior executives, and not by one individual. It’s far harder to bully ten people than to bully one.
  • Second, when deeper investigation is warranted, it’s wise to call in an outside firm to conduct the inquiry. In the most serious cases, these third parties should provide their findings to the Board so that they are further insulated from senior management pressure.  The use of outside firms for this purpose is common practice, and for good reason.
  • The third bit of advice may be harder to swallow. When all is said and done, it is the responsibility of the Ethics and Compliance Officer to stand their ground. The Compliance profession is all about objective and consistent application of ethical standards, and the whole process falls apart if you bend to the will of those with a bigger office than you. Yes, your job may be on the line, and you may find yourself confronting one of those choices between two “rights”. If you can’t choose the real ‘right’ thing, you should do yourself a favour and consider another line of work.


The good news is that the overwhelming majority of leaders, employees, and organisations act ethically and with integrity on a day-to-day basis. Ensuring that it stays that way requires creativity and determination. Above all, the ethical environment of an organization requires true leadership from the highest levels, and Compliance processes that channel this leadership into visible results.
