Compliance

Control or culture – What does compliance need?

Functioning compliance requires not only control and enforcement via a clear set of rules but also a strong organizational culture, in which compliance violations cannot flourish. By not proactively shaping their organizational culture, companies give up an important control instrument for achieving and ensuring strong compliance. This is a task that the compliance function cannot handle alone.

In recent years, compliance has become an increasingly relevant topic for corporate management. All too often, compliance violations [1] that have become public, especially recently, have shown how great the negative consequences of corruption, cartel agreements and other white-collar crime can be for companies – leading to fines, imprisonment and reputational damage, to name a few. Legal bodies are reacting with stricter requirements, but pressure from the public is also rising noticeably. As a result, companies are no longer reactively pushing for compliance only when violations have already occurred but are increasingly making proactive efforts to establish and invest in functioning compliance programs. The benefits speak for themselves: effective cost avoidance and risk minimization, an increased willingness and ability of the organization to perform, and a good reputation among customers, business partners, and potential employees. However, ensuring strong compliance in practice often presents companies with major challenges.


So, what exactly is required for functioning compliance? There are two key components. The first is the compliance function itself. Focused, modern auditing, intelligent security, and an honest “Tone from the Top” form the foundations of a successful compliance function. Understandable guidelines, comprehensible control intervals, consistent internal sanctioning, and a compliance officer who serves as a principal point of contact are also of fundamental importance. “The above makes it clear that functioning compliance takes time to take effect. In practice, we see that although more monitoring brings more breaches of the rules to light, this does not necessarily mean that compliance is sustainable,” says Christoph Schlossarek, Senior Managing Director Forensic & Litigation.

This brings the second component into play: If increased control and more rules alone are not enough to prevent compliance violations, other factors influencing functioning compliance must be considered. This is not only about combating and preventing criminal acts via legal action and enforcing regulations, but also about the environment in which compliance violations can grow. It often becomes apparent that the larger and more extensive the violation, the more likely it is that an environment exists that encourages such violations, or at least does not adequately sanction them. This environment is significantly shaped by the culture of a company. It is therefore necessary to start with the organizational culture itself in order to strengthen compliance in a company.

In the USA, this realization has already found its way into case law. There, the term “compliance culture” has been gaining increasing importance for several years: organizational culture is increasingly being used to assess criminal liability and define the level of punishment. Key questions for U.S. courts are to what extent the misconduct of individuals was “inherent” in the respective organizational culture, how often the company has already attracted attention with similar violations, and what measures the company has taken to remedy the situation in the long term [2].

In Europe as well as in Germany, the call for greater regulation is part of the public discourse. Here, too, it can be observed that “compliance culture” is increasingly finding its way into European and German regulations and is already explicitly listed in the auditing standard for compliance management systems [3].

If “compliance culture” plays a greater role in the legal assessment of compliance violations, companies increasingly ask themselves what exactly characterizes their organizational culture and how they can provide evidence of a functioning “compliance culture.” Ilona Indra, Managing Director in People & Transformation, explains:

“Organisational Culture is the manifestation of all factors influencing the way people think, behave and make decisions – individually and collectively – in a company.”

And these factors go beyond the codified values and sets of rules that exist in almost every company. An organizational culture is composed of four building blocks that companies need to consider and analyze if they want to know what their “compliance culture” is like.

  1. Presented: “The way we say we do things here”. This includes:
    • Purpose, values and leadership principles
    • Policies, guidelines, and signature and approval rules
    • Organizational charts and reporting lines
    • Promotion criteria and bonus systems
    • Official announcements and the “Tone from the Top”
  2. Underlying: “The way we really do things here”. This includes:
    • Unwritten laws
    • Actual decisions
    • Relationship networks and personal dependencies
  3. Expressed: “What patterns of behavior do I observe in others and how do I want to be perceived?”. This includes:
    • Language rules and dress codes
    • Communication and leadership styles
  4. Hidden: “What really drives individuals’ actions?”. This includes:
    • Personal values
    • Individual expectations and experiences

If one analyzes these four building blocks, a discrepancy between what is desired and the reality often becomes apparent: “For example, in the building block ‘Presented’ we often observe isolated measures and actions geared to justify the compliance function,” says Christoph Schlossarek. Other practical examples include the perception of the compliance function as an adversary instead of a friend and helper. And in the area of “Expressed,” blind allegiance on the part of managers in the absence of critical feedback competence often plays a greater role than conscious reflection on the consequences of certain decisions. It is important to find out what happens behind closed doors and to what extent the organizational culture forms a stable basic framework in order to prevent a “Just don’t get caught” or “The end justifies the means” attitude from arising in the first place. On the question of which value standards are more relevant to managers and employees as a decision-making aid – those of the individual or the company’s own – analyses by FTI Consulting have shown that the majority rely more on their personal values, which is especially likely to cause problems for globally engaged companies.

It is therefore essential to consciously and above all proactively shape all aspects of one’s organizational culture in order to ensure functioning compliance. This extends the revision of values and management guidelines to factors that influence the behavior of people in the company. There are three main challenges that must be addressed in the process:

  1. Leadership’s certainty that they fully understand the company: Convincing top management that it is worthwhile to find out where pressure to disregard compliance rules within the company is coming from is essential.
  2. Unconscious motives and drivers: The desire for political correctness can be so strong that managers and employees are not even aware of what really drives their decisions.
  3. The understandable avoidance of “self-incrimination”: No one likes to admit to acting unethically or violating regulations.

FTI Consulting has developed an analysis and survey tool that addresses the last two challenges in particular, giving companies an honest and transparent picture of their compliance culture. “Many believe that culture can’t be measured – but it can,” affirms Ilona Indra.

Ultimately, it is of central importance that the responsibility for establishing and ensuring sustainable compliance is clearly defined. In view of the necessity for a strong organizational culture, this raises the question of who is actually responsible. One possible answer is: organizational culture concerns everyone. However, in order to avoid a diffusion of responsibility, a sponsor is needed in top management. It is usually a board member who bears the ultimate responsibility for compliance. The proximity to the supervisory board – and thus to the representatives of the investors as well as to the employees – ensures sustained support. Now, it is obvious that the respective board member cannot implement such a comprehensive task in day-to-day business by himself or herself. However, there is a unique opportunity for a compliance officer to position the function in a new or different way and to support the board member in creating interfaces to all relevant functions. In short, the compliance officer should be responsible, but she or he can only meaningfully take on this role if top management demands and encourages collaboration with all relevant internal stakeholders. These include HR, Communications, Works Council, Corporate Security and Internal Audit.

In summary, compliance requires a holistic approach. It is crucial to understand that every company has a corporate culture, even if it is not actively managed. The corporate culture can therefore be a breeding ground for both compliant and non-compliant ways of thinking, behavior and decision-making. By actively shaping their compliance culture and doing so in a holistic manner that takes all four building blocks into account, companies gain more control over their compliance than compliance management systems and regulations alone can. If they do not do this, they give up a decisive control instrument for ensuring compliance.

This article is based on a presentation given by the authors at the 13th Anti-Corruption and Compliance Summit 2022 in Berlin in September 2022. To receive the full presentation “Control or Culture – What does Compliance need?” by Ilona Indra and Christoph Schlossarek, please contact the authors directly.

[1] For example: Volkswagen (2015), Wirecard (2019), DFB (2021), Axel Springer (2022).

[2] See, for example, the testimony of Deputy Attorney General Kenneth A. Polite in a March 2022 speech: “We are also interested in how a company measures and tests its culture – at all levels of seniority and throughout its operations – and how it uses the data from that testing to embed and continuously improve its ethical culture.”

[3] Auditing Standard Compliance Management Systems (IDW EPS 980 n.F. (10.2021)): “The compliance culture represents the basis for the appropriateness and effectiveness of the CMS.”

Click here to read this article in German: https://fticommunications.com/kontrolle-oder-kultur-was-braucht-compliance/  

 

The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2022 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com

 
