I recently had the chance to visit with Tina Rampino, Associate Managing Director at K2 Integrity. We chatted about the big picture on culture. We began with the basics: that a culture of Compliance is the foundation of an organization’s compliance program. Rampino said it is a measure of how well employees feel empowered to identify, mitigate, and escalate risk within their institution. An institution’s compliance culture is set by an institution’s Board and Executive Leadership team. Their messaging should be continuously reinforced in an institution’s risk appetite statement, policies, training and enterprise-wide communications. A strong compliance culture should be evident at all levels of the financial institution and across all three lines of defense.
Rampino detailed some key questions to ask, such as “What is the tone that is set from the most senior levels of the organization? Are employees motivated by doing any and all business no matter the risk? Are they empowered to act with integrity and choose the right business that aligns with their compliance culture?” She went on to relate, “Many institutions have built training and communications programs to help employees understand what the “right business means” – reinforcing an institution’s risk appetite statement, incorporating policies and procedures, and training on red flags and high-risk issues.” She concluded, “A culture of compliance should empower employees, not just in the second line of defense but in all areas of the institution – to think about the risks being presented through their customers, transactions, and products and services and how they can do their part in mitigating risk to the institution.”
An effective compliance training program can help to ensure that an institution is regularly addressing new issues and emerging risks. It also helps to ensure that employees have the right knowledge and skills necessary to perform their roles, so they understand the risks within the institution and their business area as well as the consequences of non-compliance. Rampino detailed some of the areas your organization should focus on with the following questions, “Do our training programs match the risks of our institution, and the variety of functions within it?”; “Do our employees have the right experience and training to do their jobs?” and “Are we regularly addressing new issues and ensuring our programs help our teams deal with emerging risks?”
We next turned to some of the key actions senior executives and leaders can take to not simply ‘talk-the-talk’ but also ‘walk-the-walk’ of compliance. Senior executive and leaders are responsible for setting the tone from the top which means setting expectations for the importance of compliance throughout the organization and by modeling behaviors for their employees. Rampino details the seven elements of a culture of compliance.
- Tone from the Top.
- Establishing and communicating enterprise-wide policies and programs.
- Defining clear roles and responsibilities across the three lines of defense.
- Ensuring adequate staffing and resources for functions responsible for compliance.
- Designing and implementing a comprehensive compliance training program.
- Establishing compliance incentives
- Creating efforts to embed and sustain a compliance culture.
An institution’s leadership must support all those elements to ensure that employees have what is needed to effectively manage their compliance risk.
We concluded by considering the role both training and communication have in a culture of a compliance program. Interestingly, Rampino said it maybe “the MOST important role because it is a means by which these critical messages are delivered to all employees.” The reason is that a comprehensive compliance training program “not only ensures that employees are aware of their responsibilities, it provides them with detailed information on how they should identify, mitigate, escalate, and report risk.” Moreover, “the most important asset to an institution’s compliance program is truly each and every employee.” Comprehensive and well thought-out training should assist in creating awareness, developing, and refining skills needed to ensure compliance. The training program should reflect the risks within the organization and should evolve as emerging risks are identified.
In terms of an effective communications program, institutions should ensure robust and recurring communication. “One and done” is not an effective way to deliver communications or develop an organizational culture. A robust program issues clear messages in a recurring fashion. Rampino concluded with some key takeaways on communications. First, institutions that want to create a culture of compliance should issue policy alerts and remind staff of changes. Second, information should then be easily accessible and readily available for employees. Finally, town halls, quarterly newsletters, and even short video messages explaining changes can be effective ways to ensure that all staff members understand what they must do to support the institution’s focus on compliance.