WHITEPAPER The Compliance Imperative: Sustainable Compliance through Culture Monash University is undertaking an industry-based research project which aims to examine the concept of a compliance culture – its organizational and psychological dimensions, contributing factors and outcomes. The research project involves a joint collaboration between the Monash Centre of Organizational Research and Psychology and the Monash Centre for Regulatory Studies, and is supported by SAI Global Ltd. For more information about this project, contact Lisa Interligi, Project Manager at [email protected]

Introduction High profile corporate scandals involving compliance send shivers down the collective backbone of the corporate community. Such scandals serve as blunt reminders of the consequences of non-compliance. Internationally, companies have invested heavily on internal controls including technology to prevent such scandals and breaches. 1 However, there is a growing realization that success of compliance programs are subject to the engagement of employees. For example, legal scholars argue that simply implementing a compliance system will not lead to full or sustainable compliance.2 Furthermore, keen observers argue that organizational culture may be a leading risk factor in compromised compliance and corporate integrity. 3 In the recent HIH Royal Commission (2003), the Hon. Justice Owen claimed that the problems with the corporate culture at HIH which could be directly linked to poor decision-making were “blind faith” in an incompetent leadership.

Forensic analysis often follows high profile compliance breakdown and can provide insight into deviant corporate behaviour. Yet, there has been relatively little industry research investment directed toward understanding organizational behaviour and its relationship with general regulatory compliance within a ‘normal’ business context. 4 Specifically, what makes employees comply with organizational rules and standards, including those underpinned by legislation and regulation? What characterizes a ‘positive’ organizational compliance culture? And, importantly, what can corporate leaders do to encourage compliance behaviour through culture?



WHITEPAPER The Case for Culture in Compliance and Risk Management Managing ethical, social and legal obligations are increasingly complex tasks for organizations. Compliance is more challenging in a globalizing economy in which multi-national companies operate in a number of jurisdictions. 5 Furthermore, not only do regulators require companies to meet their formal obligations, stakeholder and community scrutiny increasingly demand that corporations act according to social norms and values. 6,7,8 A key point to note is that contemporary compliance has a much broader role than simply conformity with regulatory and legislative obligations. Compliance involves meeting standards, rules, processes, procedures and values that take their bases from a range of areas such as regulation, legislation, ethics, community values, industry development policy and organizational strategy. 9,10,11 This definition has been extended further to describe compliance as anticipating, identifying and resolving regulatory and ethical risks, and re-designing systems to improve compliance. 12,13 Legal scholars recommend more regulatory flexible responses to compliance that assist organizations to respond to external stakeholders, promote selfregulation and demonstrate a real commitment to regulatory goals which is deemed necessary for good regulatory practice. 14,15 Many companies adopt voluntary self regulation in order to go beyond legislative requirements, for example to meet social responsibility or ethical expectations. 16 The trend toward self-regulation has been facilitated by widespread regulatory reform which aims to reduce the perceived burden on business

while improving regulatory effectiveness. 17,18 However, self-regulation arguably places a greater demand on business. 19 For example, metaregulation, as an expression of self-regulation, “requires companies to take account of all risks to non-compliance through a comprehensive risk audit to ensure that all threats to compliance are recognized and risks minimized”. 20 Risk audits are only realistic and meaningful if threats can be defined, quantified and manipulated. Self-regulation is said to be achievable only if corporations are open to stakeholder values and expectations. 21 Parker referred to this as the ‘open corporation’, and contends that it is the most successful paradigm for self-regulation. 22 The open corporation must be able to ensure compliance with its own norms and values expressed in organizational culture, while balancing these with the interests of stakeholders. Scholars in ethics and social responsibility reason that implicit in the arguments for self-regulation is the assumption that managers have the skills and abilities to be moral agents in order to balance competing values. This belief that managers have a moral compass that helps them to balance values seems naive and unrealistic. 23 To bridge the gap, commentators propose that companies invest in cultural development to support consistent behaviour and assist employees in identifying potential risks before they occur. 24,25 Good regulatory practice, according to Haines and Gurney 26, focuses on higher level regulatory aims and principles, rather than taking a prescriptive or “tick the box” detailed perspective. These authors also argue that to achieve optimal compliance outcomes, organizations must nurture



WHITEPAPER a culture that endorses compliance behaviour and recognizes that it is consistent with organizational success. 27 By doing so, organizations are able to shape employee behaviour to act in accordance with rules and standards. 28 Therefore, in order to achieve, ‘good regulatory practice’ organizations must be able to manipulate culture to drive the right sort of employee behaviours. Industry has embraced the idea of a “compliance culture” as central to the success of contemporary compliance management. 29 But according to Haines and Gurney, the notion of a single ‘compliance culture’ is overly simplistic. 30 Organizations must balance multiple and sometimes competing or conflicting regulatory goals. Conflict, they argued, arises from competition between ideological approaches, values and ideals regarding conception and management of risk in organizations. However, existing cultural models, such as the Competing Values Model 31, recognize that organizations are subject to complex and often contradictory systems in which managers and employees must balance competing expectations. Therefore, the first critical need is to establish rigor and agreement among key stakeholders on what is a Compliance Culture. The second need is to create the context such that the definition holds for legal, policy, industry and scholarly contexts. The third step is to define the causes and consequences of a compliance culture and in doing so to finally provide the information and tools, such as assessment or diagnosis, needed achieve that state.

The First Imperative: Defining Compliance Culture The first priority before enabling organizations to manipulate their organizational culture to influence employee behaviour is to establish an agreed definition that can be used by industry, regulators and policy makers. Organizational culture: a psychological perspective Culture is defined in organizational psychology literature as shared assumptions among employees that have been learned through successful problem solving and experience and are taught to new employees as the correct way to perceive, think and feel in relation to those problems or situations. 32 It is a multi-layered concept that includes beliefs, values or corporate ideologies, behavioural norms, patterns of behaviour, corporate rituals and organizational artifacts, such as organizational processes. 33 Organizational psychologists propose that culture can be measured at different locations, and functional and hierarchical levels on an organization to identify dominant and subcultures. 34 Measurement of organizational culture usually involves its key dimensions: cultural content (for example specific values or behavioural norms); consensus (level of evidence of cultural elements, such as values), intensity (the extent to which employees agree on cultural content) and integration (the degree to which organizational groups share a common culture). 35



WHITEPAPER Legal and management scholars have struggled to settle of a consistent definition of culture. The Criminal Code Act (1995) s.12(3) defines culture broadly as an attitude, policy, rule, course of conduct or practice with the company generally, or within the section of the company that committed the offence. Compliance commentators describe compliance culture mostly in terms of values; for example, as “a mindset of individuals and organizational climate that promotes ethics, integrity, respect, trust and accountability”. Parker incorporated more tangible elements to the definition of compliance culture: a compliance system, available resources and skills, values consistent with compliance and a commitment to compliance. 36 For corporations to be made criminally liable for offences under the Criminal Code Act (1995) s. 12(3) due to corporate culture, it must be proven that a culture existed that encouraged non-compliance, or that failed to encourage compliance. In determining whether such a corporate culture existed, the courts can consider s. 12(4)(b): whether the employee who committed the offence reasonably believed that a high managerial agent of the company would have permitted the offence. This section of the law aims to capture ‘unofficial corporate practices’ that may be concealed by the implementation of complex compliance systems. The implication is that organizations and their senior representatives need not only to know what corporate culture is in the context of compliance, but how to measure, predict and manage such a culture. In terms of meta-regulation, these three elements are critical for being able to foresee and manage risks associated with culture.

A lack of clear and agreed definition has wide-ranging implications for legislators and regulators, company directors and executives. Such inconsistent approaches make valid and reliable measurement challenging. According to the old adage, “if you can’t measure it, you can’t manage it”. The lack of agreed definition and valid measurement threatens the viability of meta-regulation and other self-regulatory reforms. This gaping deficit also highlights risks for company directors and executive management in executing their fiduciary duties if there are potential gaps in management reporting on compliance and risk performance. Lack of definition, measurement and understanding of the levers of compliance culture also challenges the sustainability of compliance management. Furthermore, the absence of a consistent definition means that industry benchmarking and performance tracking is difficult for regulators and provides an open cheque book legal wrangling. Understanding the Dynamics of Compliance Culture Very little independent research has been devoted to understanding compliance management generally, including compliance culture. 37 This situation is despite the rapid development of a compliance industry. A lack of empirically-based, objective research and criticism of management in practice is untenable in times of abundant risk and litigation. Such a situation risks unsustainable, ineffective or non-replicable compliance management. 38,39 There are bodies of existing research that can inform compliance researchers and practitioners in the areas. Organizational and psychological studies have examined the concepts of



WHITEPAPER organizational culture and the related concept of climate, for the past four decades. 40 For example, organizational research has examined sub-cultures and climate associated with compliance with narrow and specific regulation, such as safety. Studies in these allied areas suggest that inputs to culture will include individual-level and organizational-level factors. Organizational antecedents to compliance culture may include organizational size 41, the complexity of the regulatory environment, strategic focus of the organization (communicated via organizational values), organizational structure 42, degree of globalization 43, financial stability 44 and the degree of centralization of organizational control and decision-making. Values that have been associated with perceptions of authorities as legitimate, acceptance of organizational policies and rules, and obedience include trust and fairness. 45,46 Organizational research has also sought to determine the quality of the employer-employee relationship that supports compliance behaviours. 47,48,49 This body of work provides a basis for building understanding the impact of the organizational environment on compliance outcomes. Leadership or establishing the right “tone at the top” 50 is central to establishing a compliance culture. Organizational researchers argue that senior leaders’ visions and behaviours are critical inputs and influencing factors of organizational behaviour. 51 Gaps between management values that are promoted (espoused values) and actual behaviours may undermine culture. For example, employees are more cynical about safety initiatives when they perceive a gap between what managers say about safety and what they do about safety. 52

There are a range of factors associated with individual employees that may influence compliance attitudes and behaviours. An employee’s level in an organization has been shown to affect their understanding of and attitudes to compliance and motivation to comply. 53 Personality and individual orientations, for example to ethics, may also affect an employee’s attitudes to compliance and compliance behaviour. 54,55 One of the other key considerations in understanding compliance culture is to identify appropriate indicators. What are the outcomes of a positive compliance culture? Deciding on key compliance culture indicators will facilitate industry benchmarking. Hard measures, such as performance data (reduced incidences of breach, number of violations recorded, breach resolution data, ratios of competed compliance tasks), may all indicate effective compliance. However, they may not provide be a valid measure of a company’s overall compliance performance. 56 For example they are likely to under-estimate the actual number of compliance breaches. They are also unlikely to provide the level of insight required to support emerging regulatory and compliance trends as it relates to compliance. Alternatives to actual compliance performance measures are subjective reports of compliance measures, such an employee perceptions of compliance performance, attitudes to compliance and regulation, awareness of rules and regulations, and intentions to comply. Intention to comply, for example, has been used as a predictor of actual compliance behaviour in healthcare and road safety. 57



WHITEPAPER Key Questions for Corporate Leaders 1. How do you define compliance in your organization and in your industry? 2. What are the characteristics of a pro-compliance culture in your organization? 3. How do you measure your culture in relation to compliance? 4. What drives a pro-compliance culture in your organization? 5. What are the indicators of a pro-compliance culture in your organization? Conclusion Globalization, changes to regulatory policy, public scrutiny and stakeholder expectations have increased the complexity of the regulatory environment for contemporary organizations. This expansion has created new challenges for managing compliance. The concept of compliance has significantly broadened beyond simply following the law. With these challenges, organizations will depend more heavily on organizational culture to guide and shape employee behaviour. Leaders will advisedly seek to shape culture to become effective self-regulators, and to respond in a balanced way to external stakeholders. To date there has been little empirical research to inform corporate leaders on the nature of compliance culture, its antecedents, influencing factors and its outcomes. Moreover, despite being embraced as a concept by industry, there is no clarity around the dimensions of

compliance culture. Compliance culture has become an imperative for corporate leaders, and research is required to assist them in delivering sustainable and effective compliance management. Therefore, it is timely to make significant inroads toward clarity by engaging key stakeholders in a rigorous process of definition and quantification of corporate culture of compliance that is acceptable across all domains. The gap between policy, research and practice of compliance culture Current compliance management practice, regulation and policy trends indicate that:

– Simply implementing compliance systems does not necessarily guarantee effective compliance



– Organizational culture plays a role in shaping employee behaviour and encouraging compliance



– Business leaders are held accountable for providing the ‘right’ culture for employees to discourage compliance breach



– Regulatory policy reform is increasing the emphasis on culture as a way to implement self-regulation and openness to stakeholder values.

Despite this: – There is no agreed definition of culture in relation to compliance

– This means objective and valid measurement of culture in industry is challenging



– This challenges effective and sustainable compliance management.



WHITEPAPER 1 AMR Research 2006, “AMR Research Reports Compliance Spending with Reach $27.3B in 2006”, http://www.amrresearcch.com/content/ prontversion.asp?pmillid=19239andprint=1 (accessed February 19 2007) 2 Christine Parker, “Corporate Law and Corporate Governance: Stocktaking on Compliance and Enforcement” in Corporate Law Teacher Association Conference, Melbourne, February, 2007. 3 David Gebler, “Is Your Culture a Risk Factor?”, Business and Society Review, 111, no. 3: 337 4 Peter Carroll and Myles McGregor-Lowndes, “Managing Regulatory Compliance,” in Current Issues in Regulation: Enforcement and Compliance Conference, Melbourne 2-3 September, 2002 5 Dallas Hanson and Robert White, “Regimes of Risk Management in Corporate Annual Reports: A Case Study of One Globalizing Company”, Journal of Risk Research, 7, no. 4 (2004) : 445. 6 Christine Parker, “The Open Corporation: Evaluation of Corporate Self-Regulation of Responsibility”, in The 2002 IIPE Biennial Conference, Brisbane, 4-7 October, 2002 7 O.C. Ferrell and Linda Ferrell, “Managing the Risks of Business Ethics and Compliance”, http://www.e-businessethics.com/Managing%20the% 20risks%20of%20Business%20Ethics.pdf (accessed19 February 2007) 8 Judith Petts, Andrew Herd, Simon Gerard and Chris Horne, “The Climate and Culture of Environmental Compliance within SMEs,” Business Strategy and the Environment, 8 (1999):14. 9 Carroll and McGregor-Lowndes, “Managing Regulatory Compliance” 10 Petts, Herd, Gerard and Horne, “The Climate and Culture” 11 Phillip Podsakoff, Scott MacKenzie, Julie Paine and Daniel Bachrach, “Organizational Citizenship Behaviors: A Critical Review of the Theoretical and Empirical Literature and Suggestions for Future Research”, Journal of Management, 26, (2002): 513. 12 Michael Rasmussen, “The Prescription for Risk and Compliance Myopia”, (Paper presentation for Forrester Research), March 23 2006. 13 C Veerschoor, “Interactions between Compliance and Ethics, Strategic Finance, June: 23. 14 Fiona Haines and David Gurney, “Regulatory Conflict and Regulatory Compliance: the Problems, Possibilities in Generic Models of Regulation”, in Regulation: Enforcement and Compliance, eds. Richard Johnstone and Rick Sarre (Canberra: Australian Institute of Criminology, 2004). 15 Parker, “The Open Corporation” 16 Haines and Gurney, “Regulatory Conflict” 17 ibid. 18 Carroll and McGregor-Lowndes, “Managing Regulatory Compliance” 19 Petts, Herd, Gerard and Horne, “The Climate and Culture” 20 Fiona Haines and David Gurney, “The Shadows of the Law: Contemporary Approaches to Regulatory Conflict, Law and Policy, 25, no.4 (2003): 353. 21 Parker, “The Open Corporation” 22 ibid. 23 T. Carson, 2003, ‘Self-interest and business ethics: Some lessons of recent corporate scandals’, Journal of Business Ethics, 43, :389 24 R. Berenbeim, ‘The Enron Ethics Breakdown’. (2002). Executive Action, 15: 1 25 Linda Treviño and Michael Brown, ‘Managing to be ethical: Debunking five business ethics myths’, Academy of Management Executive 18 (2004): 69. 26 Haines and Gurney, “Regulatory Conflict” 27 Haines and Gurney, “The Shadows of the Law” 28 ibid.

29 Rasmussen, “The Prescription for Risk” 30 Haines and Gurney, “Regulatory Conflict” 31 R Quinn, Beyond Rational Management: Mastering the Paradoxes and Competing Demands of High Performance (San Francisco: Jossey-Bass, 1988). 32 E Schein, Organizational Culture and Leadership: A Dynamic View, (San Francisco CA, Jossey-Bass, 1992) 33 Cheri Ostroff, Angelo Kinicki and Melinda Tamkins, “Organizational Culture and Climate”, in Handbook of Psychology: Industrial and Organizational Psychology, 12, eds. W Borman, D Ilgen and R Klimoski (NJ: Wiley and Sons, Inc., 2003) 34 Denise Rousseau, “Assessing Organizational Culture: the Case for Multiple Method”, ed. Bernard Schneider, Organizational Climate and Culture (San Francisco, CA: Jossey-Bass) 35 ibid. 36 Parker, “Corporate Law and Corporate Governance” 37 Carroll and McGregor-Lowndes, Managing Regulatory Compliance” 38 ibid. 39 J Anderson and N Johnson, “On the Relationship Between Work Contexts, Mandates and Compliance Behaviours of Supervisors, Journal of Change Management, 5, no. 4: 381. 41 Petts, Herd, Gerard and Horne, “The Climate and Culture” 42 Dov Zohar, “Safety Climate: Conceptual and Measurement Issues”, in Handbook of Organizational Health Psychology, eds. J Quick and L Tetrick, 123 (Washington, DC: American Psychological Association, 2003) 43 Hanson and White, “Regimes of Risk Management” 44 Zohar, “Safety Climate” 45 Tom Tyler, “Restorative Justice and Procedural Justice: Dealing with Rule-Breaking”, Journal of Social Issues, 62, no. 2 (2006): 307 46 K  Murphy, “The Role of Trust in Nurturing Compliance: A Study of Accused Tax Avoiders, Law and Human Relations, 28 , no. 2 : 187 47 J udd Michael, Demetrice Evans, Karen Hansen and Joel Haight, “Management Commitment to Safety as Organizational Support: Relationships with Non-Safety Outcomes in Wood Manufacturing Employees”, Journal of Safety Research, 36 (1999): 307 48 Janie Fritz, Ronald Arnett and Michele Conkel, “Organizational Ethical Standards and Organizational Commitment”, Journal of Business Ethics, 20 (1999): 289 49 Tyler, “Restorative Justice and Procedural Justice” 50 Lorie Richards, Instilling Lasting and Meaningful Changes in Compliance (Paper presented at the National Society of Compliance Professionals 2004 National Membership Meeting, Washington DC) 51 Osteroff, Kinicki and Tamkins, “Organizational Culture and Climate” 52 S Clark, “Perceptions of Organizational Safety: Implications for the Development of a Safety Culture, Journal of Organizational Behavior, 20: 185 53 Petts, Herd, Gerard and Horne, “The Climate and Culture” 54 Podsakoff, MacKenzie, Paine and Bachrach, “Organizational Citizenship Behaviors 55 Wallace and Chen, “A Multi-level Integration of Personality, Climate, Self-regulation and Performance”, Personnel Psychology, 59: 529. 56 V Nielsen and Christine Parker, The ACCC Enforcement and Compliance Survey: Report of Preliminary Findings, (Report by the Australian National University for the Australian Competition and Consumer Commission, December 2005) 57 M Elliott, C.Armitage & C. Baughan, ‘Exploring the beliefs underpinning drivers’ intentions to comply with speed limits’, Transportation Research Part F: Psychology and Behaviour, 8: 459