More Thoughts on Policies

Today I want to return to that study we discussed last week, questioning whether corporate policies make much difference to encourage employees’ compliance behavior. There is still a lot to discuss from that study, and compliance professionals’ reaction to it, in the pursuit of good insights about policy management and employee training.

For those who missed our original post on the study, the gist of it was this: several academics worked with a global technology company to see whether the design of corporate policies might help to improve employees’ knowledge of policies — and found that by and large, the design of your policies makes no difference. On the contrary, they found that providing anti-corruption policies to employees produced results no better than not giving employees any policy to study at all. 

The researchers did find, however, that social norms about bribery are the best indicators of whether employees will engage in bribery. That is, if employees perceive bribery as something disgraceful, with a social stigma attached to it, they’ll be more likely to understand how to avoid corrupt behavior and more likely to do so. The policies you give them aren’t maps to guide employees on that journey, so much as they’re just luggage incidentally brought along for the trip.

Of course we all should take these findings with a grain of salt; it was one study, at one company, looking at how employees learned and absorbed one compliance policy. (Joe Murphy, éminence grise of corporate compliance, wrote an excellent analysis of my first post striking some of those cautionary notes.) But so far, none of the many commenters on my first post disagree with the basic premise, that policies aren’t instrumental to developing a strong culture of compliance. Instead, policies often consume more of a compliance officer’s time than they deserve.

If that premise is correct, what does it mean for a compliance officer building and managing a corporate compliance program?

Why Do We Have Policies, Really?

Let’s begin with a look at what some people said in response to my first post:

  • One person wrote on LinkedIn, “I wonder whether many of us see having the policies as a comfort blanket — at least we told everyone” what the policy is.
  • Another emailed me privately to say, “We have policies so we can point to something when we tell an employee, ‘This is why you’re getting fired. We told you not to do this thing, and you did.’”
  • A third person wrote, “Companies need policies mostly as a signal that compliance is important and to make regulators happy.” 

The subtext in all three comments (and others I received) is that policies exist to give the company legal maneuvering room. They exist to shift liability for misconduct onto someone else (“At least we told everyone”), or to reduce the company’s exposure to a wrongful termination lawsuit (“This is why you’re getting fired”), or simply to show that you read the Justice Department’s guidelines for effective compliance programs (“Make the regulators happy”). 

That’s fine; companies do need mechanisms to reduce legal liability — but that’s not the same as mechanisms to encourage more ethical conduct

And that’s the real issue here, isn’t it? Compliance officers want to know which of the many elements in your compliance program — policies, workflows, audits, training, executive messages, disciplinary action — are the best mechanisms to encourage more ethical conduct. Only then can you make the best decisions about how to budget your program, how to explain the logic of your program to senior executives, and even how to structure the tasks that fill your day. 

Our study mentioned above suggests that compliance policies aren’t terribly important mechanisms to drive ethical conduct among employees. Policies might be valuable for the legal and HR teams, because policies help them assure consistency, fire wrongdoers, and avoid lawsuits; but the implicit point there is that the wrongdoing has already happened. 

You, the ethics and compliance officer, must also strive to prevent the wrongdoing from happening in the first place. And perhaps there are better mechanisms to achieve that. 

Examples, Pedestrian & Otherwise

If we’re looking for more effective ways to encourage ethical conduct among employees, where might we find them? 

For starters, compliance officers could look at procedures rather than policies. A company could design and build automated workflows that either greatly reduce the chance of non-compliance, or perhaps even foreclose the chance completely.

For example, a company could configure its accounts payable function so that no payments go to a third party that hasn’t completed due diligence and onboarding. That’s possible in SAP and Oracle, and many large companies already do this; more should. Or you could configure financial disclosure processes so that no critical accounting estimates go into the 10-Q without ample documentation to show where those estimates came from; or you could configure sales processes so that no requests for “discounts” to high-risk customers are granted without documentation about why such discounts are necessary.

We’ve seen issues like this time and again in accounting fraud and FCPA enforcement cases: The company has manual workflows that allow humans to exercise bad judgment or simply make mistakes. The more you automate those workflows to seal up the cracks, the better. 

Compliance officers and senior executives can also think about how to develop those “social norms” I mentioned earlier — norms to cultivate the perception within your company that corruption (or anti-retaliation, or harassment, and so forth) is a shameful thing. Ironically, policies do play a role here: policies about compensation, that include incentives for cooperation and good conduct; policies for discipline, to hold wrongdoers accountable. 

Those policies, however, are just words on paper without substantive executive commitment to enforce them. So we’re back to the importance of hiring the right people, talking about the importance of ethics, and other non-policy factors; those are the forces that bring an ethical culture to life, not policies. 

Leave a Comment

You must be logged in to post a comment.