The Intersection of Culture and Compliance


Employees at all levels of the organization make decisions that impact compliance every single day. To ensure that those decisions are wise ones, employees need to understand where they fit into the organization. If there's not a shared understanding of roles and responsibilities, supported by controls and accountability, there's a risk of chaotic compliance—and a chaotic culture across the firm.

Watch an on-demand MCO webinar on Building a Culture of Compliance


Tone from the top and culture matter to compliance across the firm. Watch the on-demand webinar Beyond Wishful Thinking: How to Create a Thriving Culture of Compliance with Michael Rasmussen from GRC 2020 for practical guidance on implementing a best-practices framework that supports and enhances compliance. 



The concept of culture is difficult to pin down

How do you even define what culture is in a firm? According to GRC pundit and analyst Michael Rasmussen, it's a hard concept to explain because so many factors impact culture. One factor that has a strong impact on culture is where in the world a firm is based. There are regional and local aspects to culture as well. It's even more complex for corporations that cross jurisdictions and operate across multiple locations.

Ever see the movie Shrek, where the character Shrek compares ogres to onions because they both have layers? Compliance culture is layered like an onion as well. To fully understand it, you need to pull back the layers, including not just global, regional and local culture, but also overall corporate culture, culture within different working groups, and the management and working styles of individuals.

"The more we study the major problems of our time, the more we come to realise that they cannot be understood in isolation. They are systemic problems, which means that they are interconnected and interdependent."

— Fritjof Capra

That's a quote from a physicist, but it can be applied to any ecosystem, and firms are definitely ecosystems. Compliance and culture are interdependent parts of the system. It's all interconnected. 

How is your firm approaching compliance? As Michael noted in the webinar Beyond Wishful Thinking: How to Create a Thriving Culture of Compliance, a scattered approach is an indicator and a driver of scattered culture. If a firm has multiple policy portals, multiple manuals, spreadsheets, etc., compliance is going to be an interconnected mess. 


Constant change has an impact

According to the Thomson Reuters 2023 Cost of Compliance survey, global financial services firms are dealing with 257 regulatory change events every business day coming from 1200+ regulators.

In the article Navigating Chaos in Enterprise Risk magazine, published by the Institute of Risk Management, Michael writes about how churning regulations have a substantial impact on culture.  As Michael notes, change in one area has cascading effects that impact the entire ecosystem.

New and updated laws, proposals and enforcement actions can all have a potential effect on how a firm does business. There's also impact from factors including inflation, economic and geopolitical uncertainty, changing business environments, new hires, employee turnover, mergers and acquisitions and technology updates. The list of considerations that impact culture, compliance and the operations of the firm is expansive and constantly evolving.

If a firm doesn't have a structured approach to identifying changes that apply to the operations of the firm, clearly updating the associated policies, procedures and controls, and then effectively communicating the changes to employees, it's safe to say that chaos will ensue.

Read our Guide to Compliance Oversight for guidance on managing obligations in an increasingly intrusive regulatory environment

Michael shared that he has seen companies with 18K policies and procedures in multiple portals across the firm. Another midsize financial services firm that he worked with spent 80% of its compliance resources managing the updating of documentation. And yet another firm spent 200 hours building a report every single year that should have been possible to generate at the push of a button. If that's how things are set up, failure is inevitable: too many documents and manual processes lead to confusion, inefficient and incomplete compliance, and significant risk of finding issues too late.

Firms need to streamline policies and communication to streamline engagement and compliance. Implementing that structured approach and framework will enhance and support the corporate culture and not work against it. 


Are your policies and procedures on point?

Well-maintained policies and procedures are key to successful compliance. Michael shares that firms should be evaluating:

  • Are policies and procedures written in clear and concise language? 
  • Are core values like integrity and honesty reflected in the policies?
  • Do you have a main index of all of your policies?
  • Do you have effective processes for identifying required updates and making the changes?
  • Is there an effective way of communicating relevant requirements to employees in a timely manner?
  • Is there a single portal view?

When policies and procedures are stored in multiple places (for example, in a Finance portal, HR portal, Compliance portal, etc.), there's significant risk of redundancy, variances and rogue policies that did not go through proper channels of approval. Michael shares that he's seen firms take six months to draft or update a policy. Given the sheer volume of regulatory change in financial services right now, that's just not a feasible way to do business.

See how MCO's Policy Content Governor helps firms effectively manage policies in an integrated portal


Employees have a tremendous influence

You can have the best policies and procedures in a singular portal, but if your employees don't understand how to apply the policies in their day-to-day work, you're going to have problems. That's where training and engagement come in.

Different jobs have different levels of risk exposure, such as access to confidential information or direct access to customers. Communications and training should be tailored by level and risk exposure to ensure employees get the level of information that they need to effectively perform their duties and fully understand their compliance obligations. Training should be followed up with attestations to confirm receipt of training and understanding. 

And according to Michael, there’s a strong but subtle difference between accountability and responsibility. You can delegate responsibility. Accountability you own and you can’t give that to someone else.

See how MCO helps compliance manage roles and accountability in accordance with global regimes

Compliance engagement impacts all levels of the organization. Michael reminds people that it takes time to develop a culture of compliance, but unethical behavior can destroy it overnight. It can take years to rebuild. Employees who understand their compliance obligations and who are committed to upholding ethical standards within the organization are a firm's best protection.



Regulators can see past smoke and mirrors

Michael asks the question: how do we leverage technology to define and nurture compliance and an ethical corporate culture? A solid information technology architecture supports an effective compliance engagement strategy by providing firms with a central hub of compliance information. With a singular compliance platform, employees know exactly where to go to fulfill their compliance responsibilities. Automation reminds employees of their obligations in a timely manner.

An integrated compliance system provides the framework for communicating to employees at all levels of the firm what's happening and why. The right people are given access to the right information at the right time. Employees are given the information that they need to understand where they fit within the organization and what's expected of them.

Regulators want to see tangible proof that firms are meeting their regulatory obligations and that employees are adhering to the firm's policies and procedures day in and day out as they go about their jobs. Just saying it's policy isn't enough anymore. Compliance must be able to prove it with documentation from a defensible source.

Clear issue and incident reporting helps firms identify potential concerns before they become problematic, and before the regulators are the ones to uncover them. Compliance technology also provides automation and tracking – a defensible audit trail with tangible proof of who did what, when and why. 

Compliance technology allows firms to:

  • Demonstrate that you have the right policies
  • Demonstrate the policies are kept current
  • Demonstrate that policies are shared and attested
  • Demonstrate that transactions are monitored
  • Demonstrate that compliance metrics and measurement are in place

The benefits of a singular compliance platform go far beyond meeting regulatory requirements. The right compliance technology makes compliance more efficient and effective, increasing resilience and agility across the firm. 

The webinar Beyond Wishful Thinking: How to Create a Thriving Culture of Compliance wrapped up with an audience question about getting buy-in to invest in compliance technology. Michael advises that firms should start by building a business case that clearly communicates both regulatory and business benefits to key management stakeholders. Read more about selecting compliance technology in the white paper Getting IT Done - Optimize the Software Selection Process for the Best Outcome.



The world is complex. Culture is complex. Compliance is complex. Let us help.



Contact us today to see how we can help your firm enhance culture by effectively and efficiently managing conflicts of interest, compliance obligations and regulatory change.