Back to front is a good idea, after all. For any of you who don’t remember Kriss Kross, the (then) 13-year-old duo shot to fame with the single “Jump” in 1992. But they were equally remembered for wearing clothing back-to-front. A style my son frequently imitates (unintentionally and usually when we’re already late for school).
Could the back-to-front approach work for compliance?
The case for
After launching a few online compliance assessments, it seems like a good time to analyse the results. If we strip out the behemoths (large MNCs and multilateral institutions) and focus on fast-growing and rapidly internationalising organisations, there’s a pattern. Back-to-front pays off.
The conventional compliance wisdom I was weaned on suggests that the basic infrastructure for an effective program goes something like this:
• Leadership (tone from the top)
• Policies & procedures
• Training
Risk assessment should really live here, but it seldom does (in my experience, it comes much later).
Once these building blocks are in place, we might get to:
• Third-party management
• Accounting controls
• Risk assessment
• Maybe splash some cash on monitoring
Then we start:
• (Incentives!?) & disciplinary measures
• Confidential reporting (speak up)
• Investigations
But how do you know what to say (tone from the top), what to emphasise in policies and training, where best to place controls and monitoring, and how to risk-rank, if people aren’t speaking up?
The folks I’m working with, especially impact investors and fast-growing sustainability-minded organisations, are starting with speaking up and investigations. They’re getting considerably better results doing so.
Getting comfortable with discomfort
Speak up extends beyond a reporting line (hotlines, apps, etc.). That’s very important, but it begins with culture. We need to know where the confused, confounded, conflicted, and cynical people are. Not to judge, but to help them. Gathering this information can be done in many ways – surveys, interviews, watercooler chats, exit interview data, 360 feedback, and so on. If you need examples of any of these, please ask.
But the medium is often the message. Listening, and showing we’re willing to hear the stuff many (leaders especially) sometimes try to dodge, saves a LOT of work building complex compliance architecture and systems that no one wants. But if we get people talking and speaking up, we need to be ready to investigate properly. If you’re thinking, “Well, you would say that, you’re an investigator”, you’re right. That’s how I learned about compliance. Not by reading statutes or building control frameworks, but by seeing how stuff went wrong.
There’s no better teacher than failure. Smart organisations embrace investigations. I see this in the assessment data – those organisations with the strongest compliance cultures are all green in the confidential reporting and investigations sections.
Training, policies, messages from on-high, and the rest are much better received when they face risk realities. To understand risk realities, you need to master speak up, investigations, and risk assessment.
The case against
“That’s all very well, but some of us have regulatory boxes to tick, policies to put in place, and training completion statistics to deliver.” I hear you. All I’m saying is don’t lead with policies, systems, and a high-handed tone from the top. Create that content to CYA (if ya know, you know). But don’t make it the centrepiece of the program. Soft launch as much of that performative stuff as you can, while you allow the real issues to filter up through culture assessment and speak up.
Then you can create actionable (not performative) policies, systems, messages, and training that help address the REAL issues you face.
But what about best practice? Best practice is right-sizing risk. If I were asked to create a best practice security plan for a bank, it would look very different to that for a fertiliser factory. Best practice security design will tell us to focus on vulnerabilities, set in the context of what you do and the (local, stakeholder, political, etc.) environment.
Surely then, ethics & compliance best practice should be built around our environment and internal vulnerabilities. That data (typically) sits in (frontline, not boardroom) heads – so start by gathering it. So, like Kriss Kross, jump to it for “jumpin’ an’ pumpin’ an pump movin’ all around” results.