The government is not alone in facing compliance issues, but its frequent and repeated compliance breaches are truly concerning and would not be tolerated at a private sector organisation. Stories abound of MPs, Ministers and advisors either not knowing, forgetting or flagrantly breaching their own Covid-19 rules.
There have been contracts awarded without a transparent procurement process, top jobs given to cronies, personal conflicts of interest ignored, and cash for influence. All of this reduces the public’s confidence, trust and, most importantly, compliance.
People expect the PM, as the head of government, to be in charge and point the finger at them for every breach in any government department. But this is not how it works in private companies. The CEO has a role in leading by example and setting the ‘tone from the top’, but the job of educating, monitoring and enforcing policies and rules is entrusted to an independent Head of Compliance, who ultimately reports to the Board.
We have identified six areas (drawn from the government's own guidance) where a Head of Compliance (HoC) could improve compliance for the UK government.
- Top-level commitment
- Risk assessment
- Proportionate procedures
- Due diligence
- Communication & training
- Monitoring & review
1. Top-level commitment
Communication plays a vital role in creating the right culture and tone from the top, as well as clearly setting expectations. A Head of Compliance would not only obtain top-level commitment to compliance, but also articulate that into clear messages that foster a culture within government where breaches are never acceptable.
- Aim for tailored communications - Not everyone needs the exact same message - some team members benefit from short, catchy and timely reminders (think Hands-Face-Space) while others require all the detail.
- Lead from the front - A message from the CEO upfront can make all the difference and demonstrate a real commitment to compliance initiatives. If it matters to you, it matters to them.
- Take ownership and show you care - The HoC could also provide effective leadership and top-level involvement in decision making where there are risks. Leaders play a vital role in initiating, developing and implementing procedures and also lead on measures such as Code of Conduct, raise awareness by encouraging dialogue and sharing policies throughout the government, provide high-profile and critical decision making, liaise with external bodies, and provide oversight of breaches in procedures.
- Don't make compliance ‘them’ and ‘us’ or have tiered systems - Compliance applies to everyone or no one. Senior managers must ‘walk the talk’; if they don’t, the compliance message is completely undermined. That goes as much for Covid-19 restrictions as it does for property development. Poor role models just make it harder for everyone else to comply.
2. Risk assessment
Like a lot of businesses, government faces compliance risks from all quarters. Sometimes it’s not practical or feasible to tackle all risks in one go. A Head of Compliance could assess the nature and extent of exposure that departments, Ministers and advisors have to potential internal and external compliance risks. This assessment would be periodic, informed and documented to encourage transparency.
- Be vigilant - Look for internal compliance risks (eg poor systems, lack of training or controls) as well as external ones (eg country, sectoral, partnership and associations).
- Be aware that the level and type of risk can change, so conduct regular risk screening to forewarn of incoming compliance risks - Obviously, you can’t always predict so-called ‘black swan’ events (unpredictable events with severe consequences), like coronavirus. But you can conduct regular assessments to identify gaps, vulnerabilities or preparedness, and you must address any deficiencies. Look at any past compliance issues or near-misses, and consider what parts of the organisation may be prone to lapses.
- Use the risk matrix - This would help the HoC identify and establish compliance priorities (i.e. what is both urgent and important?).
- Follow the 4Ts model (Transfer, Tolerate, Treat and Terminate) to decide how best to manage compliance risks - For example, the HoC may assign the risk to someone else in your team (eg MLRO) to be responsible for it, introduce extra measures to reduce the likelihood of it occurring or minimise its impact, or accept the risk and take no further action.
- Fix any deficits which may put the organisation or government at greater risk - eg a lack of training, skills or knowledge, a culture that rewards risk, inadequate controls, unclear policies and procedures, etc.
3. Proportionate procedures
Policies and procedures are a necessary evil to prevent non-compliance, but they will only deliver results if they are proportionate and correctly implemented. Too many rules (Covid-19 lockdown rules being an obvious example) will confuse or overwhelm people; this results in inertia as nobody knows what’s expected of them.
Following on from the risk assessment, a Head of Compliance could review and refresh procedures for supporting individuals to comply with the rules. A HoC could ensure that these procedures are proportionate to the risks being faced, and to the nature, scale and complexity of its operations.
Procedures must be clear, practical, accessible, effectively implemented and enforced. In addition, extra procedures may be needed to manage the compliance risks of particular groups (e.g. third parties or associates).
- Create procedures and priorities assigned to compliance risks - Use the risk matrix to differentiate between significant and limited risks.
- Make it real - It’s vital to bring policies and procedures to life or they ultimately become meaningless. They should be useable, relevant and reflect current practice, with clear links to business activities and risk areas. Scenarios, storytelling and gamification can enhance engagement with core messages and check people’s understanding in real-life situations.
- Take the team with you - Rules work best, not when they are imposed unilaterally but when people are consulted, when they take ownership and agree the best way forward. Poke a stick at society by imposing Covid-19 restrictions without consultation and people will bite back.
- Assess your team for the three compliance personas - People respond to rules and compliance matters in different ways. Think about the compliance personas of each person in your team. Who is habitually compliant, wilfully or accidentally non-compliant? All may need a slightly different response to get them to follow procedures or ‘nudge’ them back to compliance.
- Introduce incentives to do the right thing - How do you respond to compliance and non-compliance? Do you incentivise adherence to the rules? For example, do people get praise, recognition or reward for doing the right thing?
- Deal with breaches and poor behaviour - Do you unwittingly reward non-compliance - by ensuring there are no sanctions for getting it wrong, with cover-ups or by quietly waiting for the fuss to die down? If so, you have a problem. Non-compliance only leads to more non-compliance. Before long, you’ll be playing the compliance equivalent of Whack-A-Mole with compliance issues popping up all over the place. Make the ethos ‘more carrot, less stick’.
- Use technology to streamline paper-based processes - compliance can be made easier by using technology to do some of the heavy lifting. Online RegTech tools, such as gifts and hospitality registers and conflicts of interest questionnaires, offer inexpensive, time-saving and robust mechanisms for compliance management within the organisation.
4. Due diligence
As every HoC knows, due diligence is a key element of good corporate governance, enabling you to both assess and mitigate risk. The HoC could put in place due diligence procedures to minimise the compliance risks posed by associated persons.
These procedures need to be commensurate with the level of risk faced. The HoC could ensure particular care is taken with business relationships, procurement and contracts etc to avoid conflicts of interest, bribery and corruption, and also a perception of impropriety.
- Be aware of the need for initial and ongoing checks - Due diligence is required from the outset, with frequent and ongoing checks undertaken throughout the course of the relationship.
- Conduct direct and verification checks - A HoC could ensure that associates provide their credentials, as well as background information, including relevant expertise and experience, and they would also verify this information through research and follow-up references.
- Adopt a proportionate risk-based approach - While standard checks may be appropriate for most associates, the HoC could also introduce heightened checks for high-risk groups (eg enhanced checks for PEPs, parties subject to sanctions or where there is a risk of corruption).
- Identify red flags - such as having no track record in the industry in which it operates, being able to bypass legal or bureaucratic hurdles with no questions asked, seeming to fulfil no other role than facilitating a deal, etc.
- Incorporate checks into other processes so they are embedded as ‘business as usual’ - including recruitment, procurement, etc.
5. Communication & training
Communication and training are vital in combatting compliance risks. Few people deliberately set out to break the rules. More likely, they stray inadvertently into non-compliance when faced with a risky situation, causing them to panic and respond inappropriately.
A Head of Compliance could ensure that policies and procedures are embedded and clearly understood throughout the government through internal and external communication, including training, that is proportionate to the risks being faced.
Not only do people need the education, but they also need practice in applying the rules in a safe space to avoid misinterpretation and violations in the real world. The HoC could institute a compliance e-learning programme.
- Provide consistency and clarity - This ensures everyone is clear about the rules, our expectations and values, what to watch out for, when to get help and where to take their concerns.
- Provide simple information to reinforce core compliance messages - Mixed messages lead to inertia and inaction - if no one’s quite sure, they won’t respond. They become passive bystanders. The government’s Behavioural Insights Team found that bright infographics with minimal text worked best to get the handwashing message across. And who can forget the memorable slogan of Stay Home - Protect the NHS - Save Lives? What key compliance slogans or messages might you use in your compliance session?
- Check the content, language, format and tone of communication - Identify the target audience (different audiences may have different needs!); different messages and tone may also work better for different compliance risks. Should the tone be gentle and coaxing (eg a Code of Conduct or Ethics course), or something more robust and no-nonsense (eg a zero-tolerance anti-bribery module)? Again, it depends on the audience.
- Provide timely reminders of rules and expectations to keep them ‘top of mind’ - The HoC could provide briefings on compliance topics to kickstart each day, or introduce a weekly or monthly theme. With the prevalence of remote working, the HoC may also hold webinars to share lessons learnt and help everyone understand the very real consequences of non-compliance.
6. Monitoring & review
Finally, effective compliance requires ongoing effort and continuous improvement. Even with the right systems and procedures in place, monitoring and review are vital to confirm that those systems and procedures are still fit for purpose and work as intended.
A HoC could have complete oversight and collect data to monitor the effectiveness and quality of systems and the complete compliance landscape. Informal feedback from colleagues - via surveys, questionnaires, focus groups and interviews - would also provide important insight and lead to continuing improvements, alongside periodic reviews by management.
- Benchmark your progress against companies operating in the same sector or using guidance from trade bodies - The HoC could highlight good and poor practice.
- Don't ignore red flags - When concerns are raised about misconduct or impropriety (whether it's money in envelopes or questions of personal conduct), rectify; don't stonewall in the hope they will go away. The HoC has a duty to other employees, the company and the wider public to investigate. Otherwise, the consequences and reputational fall-out may be exacerbated.
- Admit past errors - Encourage people to speak openly about past mistakes, let them express their opinions candidly and be honest about the integrity challenges they face. Closing down discussions, failing to acknowledge integrity issues and leaving misunderstandings unchallenged merely undermines the compliance effort and stops everyone moving on. Whistleblowers should be listened to, not gagged.
- Learn lessons from other breaches or errors - This provides crucial insight as well as being a powerful way to deliver change. As CEO Peter Löscher put it following Siemens' bribery scandal, "Never miss the opportunities that come from a good crisis". According to Matthew Syed, having the right attitude to failure can transform the way we work.
It's especially important with 'Never' events, i.e. the "kind of mistakes that should never happen again" (examples from the NHS include an operation on the wrong eye, an operation on the wrong patient or a surgical instrument being left inside someone). It's also vital in black box thinking - where catastrophic failure occurs (e.g. in aviation).