Managing Compliance in the Public Sector

They are not alone in facing compliance issues, but their frequent and repeated compliance breaches are truly concerning and would not be tolerated in private sector organisations.

Stories abound of MPs, Ministers and advisors either not knowing, forgetting or flagrantly breaching their own Covid-19 rules. Contracts were awarded without a transparent procurement process. Top jobs were given to cronies, and personal conflicts of interest and cash for influence were ignored. All of which reduces the public's confidence, trust and, most importantly - compliance.

Drawn from the UK Government's own guidance, we have identified the key focus areas for those leading compliance in the public sector and government.

1. Top-level commitment
2. Risk Identification
3. Risk Management
4. Proportionate procedures
5. Due diligence
6. Communication & training
7. Monitoring & review

Key Steps to Public Sector Compliance Success

1. Top-level Commitment

Communication is vital in creating the right culture and tone from the top and clearly setting expectations.

Compliance leaders in the public sector need to obtain top-level commitment to compliance in their organisation and then articulate this via clear messages that foster a culture where breaches are never acceptable.

1. Aim for tailored communications - Not everyone needs the exact same message - some team members benefit from short, catchy and timely reminders (think Hands-Face-Space), while others require all the detail.
2. Lead from the front - A message from the CEO upfront can make all the difference and demonstrate a real commitment to compliance initiatives. If it matters to you, it matters to them.
3. Take ownership and show you care - Compliance leaders should provide effective leadership and top-level involvement in decision-making where there are risks. They play a vital role in initiating, developing and implementing procedures relating to a Code of Conduct, raising awareness by encouraging dialogue and sharing policies throughout the organisation, providing high-profile and critical decision-making, liaising with external bodies, and providing oversight of procedure breaches.
4. Don't make compliance 'them' and 'us' or have tiered systems - Compliance applies to everyone or no one. Senior managers must 'walk the talk'; the compliance message is completely undermined if they don't. That goes as much for Covid-19 restrictions as it does for property development. Poor role models make it harder for everyone else to comply.

2. Risk identification

Public sector organisations must be compliant to function effectively and protect their citizens' interests. By managing compliance risks, they can help ensure that they uphold the law, protect public safety, and promote economic prosperity.

We have identified nine key regulatory training areas public sector organisations need to pay closer attention to because of the increased levels of risk.

1. Corruption: This is the abuse of public office for private gain. It can take many forms, such as bribery, extortion, nepotism, and embezzlement. Corruption can undermine public trust in government and lead to economic inefficiencies.
2. Financial crime: This includes activities such as money laundering, terrorist financing, and fraud. Financial crime can pose a serious threat to national security and financial stability.
3. Data privacy and security: Public sector organizations collect and store vast amounts of personal data. This data must be protected from unauthorized access, use, or disclosure. Data breaches can have a significant impact on individuals and businesses and can also damage a government's reputation.
4. Environmental protection: Public bodies are responsible for protecting the environment by ensuring that economic development does not come at the expense of natural resources. This can involve regulating pollution, managing waste, and conserving energy.
5. Human rights: Public sector bodies are obliged to uphold the human rights of their citizens. This includes ensuring that everyone has access to education, healthcare, and housing and is protected from discrimination and abuse.
6. Cybersecurity: Public sector organizations are increasingly targeted by cyberattacks, which can disrupt critical infrastructure, steal sensitive data, or spread misinformation.
7. Procurement: Public sector organizations must ensure that their procurement processes are fair and transparent and that they do not give preferential treatment to certain businesses.
8. Terrorism: Public sector organizations must take steps to prevent and respond to terrorism by sharing information with other governments and strengthening border security.
9. Economic sanctions: Public sector organizations may be subject to economic sanctions imposed by other countries. These sanctions can significantly impact the organization's operations, and it is important to be aware of the risks and take steps to mitigate them.

3. Risk management

Like many other sectors, the public sector faces compliance risks from all quarters. Sometimes, tackling all risks in one go is not practical or feasible.

Compliance leaders in the public sector must assess the nature and extent of exposure that departments, public officials and advisors have to potential internal and external compliance risks. This assessment should be periodic, informed and documented to encourage transparency.

1. Be vigilant - Look for internal compliance risks (e.g. poor systems, lack of training or controls) and external ones (e.g. country, sectoral, partnership and associations).
2. Conduct regular risk screening as risk types and levels may change - You can't always predict so-called 'black swan' events (unpredictable events with severe consequences) like Coronavirus. But you can conduct regular assessments to identify gaps, vulnerabilities or preparedness and must address any deficiencies. Look at any past compliance issues or near-misses, and consider what parts of the organisation may be prone to lapses.
3. Use the risk matrix - Helps compliance leaders to identify and establish compliance priorities (i.e., what is urgent and important?).
4. Follow the 4Ts model (Transfer, Tolerate, Treat and Terminate) to decide how best to manage compliance risks - For example, the HoC may assign the risk to someone else in your team (e.g. MLRO) to be responsible for it, introduce extra measures to reduce the likelihood of it occurring or minimise its impact, or accept the risk and take no further action.
5. Fix deficits that may put the organisation or government at greater risk - e.g. a lack of training, skills or knowledge, a culture that rewards risk, inadequate controls, unclear policies and procedures, etc.

4. Proportionate procedures

Policies and procedures are a necessary evil to prevent non-compliance, but they will only deliver results if they are proportionate and correctly implemented.

Too many rules (lockdown rules were an obvious example) confuse or overwhelm people; this results in inertia as no one knows what's expected of them.

Following a risk assessment, public sector compliance leaders should review and refresh procedures to support individuals in complying with the rules. Then, ensure that these procedures are proportionate to the nature, scale and complexity of the operation's risks.

Procedures must be clear, practical, accessible, effectively implemented and enforced. In addition, extra procedures may be needed to manage the compliance risks of particular groups (e.g. third parties or associates).

1. Create procedures and priorities assigned to compliance risks - Use the risk matrix to differentiate between significant and limited risks.
2. Make it real - It’s vital to bring policies and procedures to life, or they ultimately become meaningless. They should be useable, relevant and reflect current practice, with clear links to business activities and risk areas. Scenarios, storytelling and gamification can enhance engagement with core messages and check people's understanding of real-life situations.
3. Take the team with you - Rules work best, not when they are imposed unilaterally but when people are consulted when they take ownership and agree on the best way forward. Poke a stick at society by imposing COVID-19 restrictions without consultation, and people will bite back.
4. Assess your team for the three compliance personas - People respond differently to rules and compliance matters. Think about the compliance personas of each person in your team. Who is habitually compliant, wilfully or accidentally non-compliant? All may need a slightly different response to get them to follow procedures or ‘nudge’ them back to compliance.
5. Introduce incentives to do the right thing - How do you respond to compliance and non-compliance? Do you incentivise adherence to the rules? For example, do people get praise, recognition or reward for doing the right thing?
6. Deal with breaches and poor behaviour - Do you unwittingly reward non-compliance - by ensuring there are no sanctions for getting it wrong, with cover-ups or by quietly waiting for the fuss to die down? If so, you have a problem. Non-compliance only leads to more compliance. Before long, you'll be playing the compliance equivalent of Whack-A-Mole, with compliance issues popping up all over the place. Make the ethos' more carrot, less stick'.
7. Use technology to streamline paper-based processes - compliance can be made easier by using technology to do some of the heavy lifting. Online RegTech tools, such as gifts and hospitality registers and conflicts of interest questionnaires, offer inexpensive, time-saving and robust mechanisms for organisational compliance management.

5. Due diligence

As every compliance leader knows, due diligence is a key element of good corporate governance, enabling you to assess and mitigate risk. Public sector compliance leaders should put in place due diligence procedures to minimise the compliance risks posed by associated persons.

These procedures need to be commensurate with the level of risk faced. The compliance leader could ensure particular care is taken with business relationships, procurement and contracts to avoid conflicts of interest, bribery and corruption, and also a perception of impropriety.

1. Be aware of the need for initial and ongoing checks - Due diligence is required from the outset, with frequent and ongoing checks undertaken throughout the course of the relationship.
2. Conduct direct and verification checks - Public sector compliance leaders should ensure associates provide credentials detailing relevant expertise and experience verifying this information through research and follow-up references.
3. Adopt a proportionate risk-based approach - While standard checks may be appropriate for most associates, the compliance leader should also introduce heightened checks for high-risk groups (e.g. enhanced checks for PEPs, parties subject to sanctions or where there is a risk of corruption).
4. Identify red flags - such as having no track record in the industry in which it operates, bypassing legal or bureaucratic hurdles with no questions asked, seeming to fulfil no other role than facilitating a deal, etc.
5. Embed checks into other processes to make them ‘business as usual’ - including recruitment and procurement.

6. Communication & training

Communication and training are vital in combatting compliance risks. Few people deliberately set out to break the rules. More likely, they stray inadvertently into non-compliance when faced with a risky situation, causing them to panic and respond inappropriately.

Public sector compliance leaders should ensure that policies and procedures are embedded and clearly understood throughout the government through internal and external communication, including training, that is proportionate to the risks being faced.

Not only do people need education, but they also need practice in applying the rules in a safe space to avoid misinterpretation and violations in the real world. A compliance e-learning programme can support this.

1. Provide consistency and clarity - This ensures everyone knows the rules, our expectations and values, what to watch out for, when to get help and where to take their concerns.
2. Provide simple information to reinforce core compliance messages - Mixed messages lead to inertia and inaction - if no one's quite sure, they won’t respond. They become passive bystanders. The government's Behavioural Insights Team found that bright infographics with minimal text worked best to convey the handwashing message. And who can forget the memorable slogan of Stay Home - Protect the NHS - Save Lives? What key compliance slogans or messages might you use in your compliance session?
3. Check the content, language, format and tone of communication - Identify the target audience (different audiences may have different needs!); different messages and tones may also work better for different compliance risks. Should the tone be gentle and coaxing (e.g. a Code of Conduct or Ethics course), or something more robust and no-nonsense (e.g. a zero-tolerance anti-bribery module)? Again, it depends on the audience.
4. Provide timely reminders of rules and expectations to keep them ‘top of mind’ - Public sector compliance leaders should provide briefings on compliance topics to kickstart each day or introduce a weekly or monthly theme. Also, with the prevalence of remote working, they should hold webinars to share lessons learnt and help everyone understand the consequences of non-compliance. 

7. Monitoring & reviews

Finally, effective compliance requires ongoing effort and continuous improvement. Even with the right systems and procedures in place, monitoring and review are vital to confirm that those systems and procedures are still fit for purpose and work as intended.

Public sector compliance leaders should have complete oversight and collect data to monitor the effectiveness and quality of systems and the complete compliance landscape.

Informal feedback from colleagues via surveys, questionnaires, focus groups and interviews also provides important insight and leads to continuing improvements, alongside periodic reviews by management.

1. Benchmark your progress against companies operating in the same sector or using guidance from trade bodies - Public sector compliance leaders should highlight good and poor practices.
2. Don't ignore red flags - When concerns are raised about misconduct or impropriety (whether it's money in envelopes or questions of personal conduct), rectify them; don't stonewall in the hope they will go away. The compliance leader has a duty to other employees, the company and the wider public to investigate. Otherwise, the consequences and reputational fall-out may be exacerbated.
3. Admit past errors - Encourage people to speak openly about past mistakes, let them express their opinions candidly and be honest about the integrity challenges they face. Closing down discussions, failing to acknowledge integrity issues and leaving misunderstandings unchallenged merely undermine the compliance effort and stop everyone from moving on. Whistleblowers should be listened to, not gagged.
4. Learn lessons from other breaches or errors - This provides crucial insight and is a powerful way to deliver change. As CEO Peter Löscher put it following Siemens' bribery scandal, "Never miss the opportunities that come from a good crisis". According to Matthew Syed, having the right attitude to failure can transform how we work.

It's especially important with 'Never' events, i.e. the "kind of mistakes that should never happen again" (examples from the NHS include an operation on the wrong eye, the wrong patient or a surgical instrument being left inside someone). It's also vital in black box thinking - where catastrophic failure occurs (e.g. in aviation).

Looking for more compliance insights?

We have created a series of comprehensive roadmaps to help you navigate the compliance landscape, supported by e-learning in our Essentials Library.

We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!

Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.