Editor’s note: When all employees work remotely due to the global health crisis and many of them are under stress, employees are more likely to let compliance policies fall off their radar. Yet, at this time more than ever, organizations need to minimize risks, including risks prompted by lapses in attention span. For instance, when employees work from home outside of secure corporate networks, they become more susceptible to hacking attempts, including new schemes specifically attempting to exploit fear and panic. Therefore, on March 26 2020, Hyperproof has update this popular article with fresh information to show compliance professionals how they can creatively remind employees to follow compliance policies.
So much of a compliance officer’s job comes down to influencing people’s behaviors and getting them to do the right thing. Yet, this is one of the hardest parts of compliance, because there isn’t simply one approach that is guaranteed to work for every member of an organization.
Each individual is motivated differently. There are many reasons people do bad things and are non-compliant. Similarly, there are many reasons people do the right things and are compliant. If you want to minimize compliance violations, it’s important to understand what makes different people tick so you can provide the appropriate mix of reward and punishment to drive the right behaviors.
In this blog post, we’ll highlight eight approaches you can try to get employees to follow the policies and procedures you’ve set up in your compliance program. These approaches come from a few different fields including criminology, psychology, and sociology. They were presented by Andrew Kandel, a seasoned compliance officer and Lecturer in Law at the University of Pennsylvania Law School in a course called Effective Compliance Programs. Having knowledge of these theories can help you build a culture of compliance.
But first, we wanted to take a moment to level-set and discuss the common elements of an effective compliance program.
Components of a Successful Compliance Program
It’s all too common for companies to have compliance programs that are in-name-only. A compliance program is only effective when it impacts the way leaders and employees make decisions large and small. Creating an effective compliance program requires a few key elements, including:
1. A governance structure
To build a culture of compliance, you need a dedicated leader for your program. Because compliance issues have a material impact on a business, the compliance officer needs to have a direct line to the CEO and a company’s board, and adequate resources (staff, technology, budget) to do their job properly. Additionally, you want to have clear roles and responsibilities and regular and helpful communication between the key stakeholders with responsibilities for compliance.
2. Proper risk assessments and prioritization
Compliance programs must be customized to the needs and challenges facing each company and be comprehensive enough to deal with all of the risks the company deems material. An effective risk assessment should begin with a detailed picture of the compliance landscape your company operates in. The two questions to answer are 1) where are you doing business, and 2) what regulations cover businesses like yours?
An effective risk assessment must also include a clear picture of how your organization operates. In other words, you need to know the “who, what, where, when, and how” of the day-to-day operations happening on the ground in your company. Risks should be considered from multiple perspectives, including legal/regulatory, operational, cybersecurity, physical health and safety, reputational and financial.
Below, are some questions to consider in evaluating the quality of your risk assessment:
- Does your risk strategy include a comprehensive view that considers both existing and emerging risks?
- How are risk tolerance levels defined?
- Are key stakeholders involved in setting risk tolerance levels?
Additionally, the information gathered from risk assessments can become irrelevant as your circumstances change. Most compliance standards require that risks be re-evaluated on a regular basis, such as once a year. One key reason they require this is because risks can shift quite suddenly in crisis scenarios.
For instance, COVID-19 and remote work have brought to the forefront a new set of risks and vulnerabilities, such as fake COVID19 news messages that attempt to increase the odds of phishing succeeding and IT departments not having enough VPNs to give to employees. Compliance officers need to act fast to put in new policies, procedures and trainings to mitigate these new risks.
For more details on new risks and compliance challenges arising from the coronavirus, check out this article from our CEO, Craig Unger.
3. well-designed policies and procedures
Effective compliance programs require well-designed policies and procedures that are effective in identifying, preventing and correcting risks. At a minimum, each organization needs a code of conduct that reflects an organization’s daily operations, vision, mission, core values and overall company culture. Every organization also needs to have an information security policy that tells employees how to protect company-issued devices and access applications in a secure manner. These documents should be readily available to employees.
4. Compliance Training
One hallmark of a well-designed compliance program is appropriately tailored training and communication. Everyone at the company, including executives, needs to know what is in your code of conduct and your information security policy. In addition to knowing the rules they’re expected to follow, employees also need to know who they can turn to for guidance if they have questions about compliance and how they can report violations and concerns.
At a moment when your workforce is entirely remote, now is the time to remind employees of key security tips, as cyber attackers are looking to prey on people’s fear and panic. PivotPoint Security has published some short, educational videos to help educate your remote workforce on two of the most important security topics: avoid being phished and using strong passwords.
5. An established incident management and response process
Being prepared to handle compliance failures (including control failures) is as important as putting in place controls to mitigate compliance risks. Poor incident management can dramatically increase the costs a brand must pay for non-compliance, and it is often what gets brands into public headlines.
Whether you are dealing with someone who has violated a standard or a system issue that represents a compliance violation, having the steps laid out and understood in advance is key.
To learn more about how to develop a solid cybersecurity incident response plan, check out this article.
6. Governance and oversight of your compliance program
Governance and oversight is a key component of an effective program. At the highest level, senior risk leaders need the right information to effectively monitor the effectiveness of the compliance program and make adjustments as needed. Adjustments may include areas such as incorporating new controls to address emerging risks, redesigning weak control processes to make them stronger, or developing new training to improve security awareness among employees.
At a tactical level, a compliance manager needs another set of information to understand how prepared they are for upcoming audits or assessments, quickly see which controls they need to act on, and ensure that control processes are performed correctly and on time. They should also have visibility into the issues that need immediate attention or escalation.
Techniques for Compliance and Why They Work
1. The Nudge Theory
The Nudge Theory became popular with Richard Thaler and Cass Sunstein’s book called Nudge: Improving Decisions About Health, Wealth and Happiness. This book talks about how to keep a topic on people’s minds and help people build new habits (e.g. eating healthier). It asserts that using indirect encouragement, visual cues, and gentle pushes in the right direction can be effective in changing behaviors.
Although Nudge didn’t specifically address compliance, the nudge theory is still applicable. For example, in addition to having a policy that directs people to dispose of sensitive information by shredding the materials, it’s helpful to have plenty of shredding bins around the office. Instead of having certain messages come from the compliance department, it may be better for messages to come from other departments. For example, messages about compliance topics such as cyber-security alerts, email rules, and the proper use of passwords can come from the head of IT instead of the chief compliance officer.
Compliance officers can also use environmental cues to send a message of compliance. For example, Andrew Kandel designed a mouse pad that had his company’s general ethics principles and the phone number of their ethics hotline on it. These mouse pads were placed on every person’s desk after they completed the annual compliance certification process. This ensured that employees would see a compliance message many times a day, every single work day.
2. The Punishment, or “Scare Them”, Theory of Compliance
This theory asserts that punishment and scare tactics are effective deterrents for compliance violations. There are two parts to this theory: The first part involves punishing people when they violate compliance policies and procedures, including the code of ethics and business conduct. For example, someone who violates the password policy gets locked out of their computer and is forced to go to IT to resolve the issue. This inconvenience serves as a warning, or minor punishment. Someone who repeatedly violates a certain policy may receive greater punishment, such as the loss of a bonus or termination of employment.
The second part of the theory involves scaring people by using examples of regulatory or law enforcement actions. In practice, this could involve training sessions where you show people the results of compliance violations at other companies. After all, no executive wants their company to incur large fines or face prison sentences. To use this tactic effectively, the examples you highlight should include violations and issues the employees can relate to that are covered by your organization’s policies and procedures.
3. The Rules Theory
In any organization, you’ll find some employees who always follow the rules as long as they know exactly what they can and cannot do. Giving people guidelines and rules can certainly be helpful, but you want to make sure you aren’t creating loopholes or leaving big questions unanswered. It may be difficult to foresee every possible scenario and define all the rules that people need to follow. To make life easier, you can tell people that the published set of rules is not comprehensive and that if they have any questions, they should check with the compliance officer or another designated liaison such as the head of HR.
4. Ubiquity Theory
The idea here is that if people know the authorities are always watching, they will do the right thing. Thus, if you create the impression that your compliance team is everywhere, perpetually monitoring all aspects of business operations, employees may follow established policies and procedures more diligently. However, this shouldn’t be a one-way street. You also want to make sure employees perceive the compliance team as approachable so they are willing to raise questions when they have a concern.
There are lots of ways to create the impression of ubiquity. For example, you and your team could walk around the office, stopping at employees’ desks, asking them questions and having casual conversations. You may also consider sending out regular compliance alerts to remind people that compliance is all around them. Mr. Kandel also suggested monitoring employees’ emails and asking a few questions about why they wrote what they wrote in an email. He believes this is an effective way to remind people that the compliance team is reviewing their correspondence.
5. The “Reward Me” Theory
This is the idea that employees become more motivated to do the right thing when they see certain behavior rewarded. Are there employees within your organization who would feel amazing if they were recognized for going the extra mile to be compliant? Depending on the culture at your organization, it may make sense to institute an award that recognizes the most compliant employee each year.
6. Habit Theory
How many of us take the same route to work every single day? Chances are, most of us do because we’ve put our commute on auto-pilot. Habits, once formed, are hard to break. In compliance, if someone is accustomed to following a certain compliance policy or procedure, it’s likely they will continue that behavior. Thus, if you can make certain compliance procedures repetitive and expected with the goal of creating good compliance habits, it can lead to a practice of routine compliance.
Habits form more easily during certain occasions, such as onboarding. You can create positive habits early if you take the time to meet with each new employee to lay out the ground rules and expectations as soon as they join your organization.
We’ve seen that it can be very challenging for individuals responsible for performing compliance procedures (also known as controls) to actually perform controls on a consistent basis, at specific time intervals and in the same manner as controls were designed to.
Employees often change roles, leave your organization or take leave of absences. For instance, an Engineering Manager may be responsible for coordinating penetration testing with a third party provider once a year. Coordinating penetration testing is just one small part of that person’s job. When the individual leaves the company, they may forget to transition the coordination of penetration testing to someone else before they leave.
Hyperproof was built to support the formation of good habits when it comes to compliance-related work. Our continuous compliance software gives risk and compliance leaders visibility into the controls that are not being performed in a timely manner. The software provides dashboards so risk and compliance leaders can see who is responsible for operating each control, when they are supposed to perform the control process, and can be notified when the control process did not operate when it was supposed to. The data provided is up-dated in real-time.
To learn more about how Hyperproof helps organizations maintain effective compliance programs, check the article Four Signs of an Effective Compliance Program.
7. The Broken Windows Theory
The broken windows theory was first put in place in New York City by Police Commissioner Bratton and Mayor Rudy Giuliani back in the early 1990s, when crime in New York City was rampant. According to its Wikipedia page, the theory says that “visible signs of crime, anti-social behavior, and civil disorder create an urban environment that encourages further crime and disorder, including serious crimes”. However, if the police does not allow minor crimes such as vandalism, public drinking, and fare evasion to build up, they can prevent more serious crimes from occurring.
In compliance, the idea is the same: when you direct attention to even minor compliance violations and don’t let them build up, you can prevent more egregious violations.
Hyperproof was also built with the Broken Windows theory in mind. It helps organizations identify vulnerabilities due to failing controls in real-time, so control operators can remediate critical issues before it’s too late.
8. The Target Theory
Because compliance resources are finite, it’s important to focus on the individuals who are considered most likely to breach compliance policies and procedures. To put this in practice, you would identify a specific group of “risky” individuals and target your intervention on them. These employees could be considered “risky” for a number of reasons, like their job duties putting them at greater risk of violating a certain policy, them having a track record of not being compliant, or them not completing their compliance training on time. You may invest extra resources to educate these employees about certain compliance issues and then monitor them more closely than others, until they no longer need to be included in that target group.
Which Approach is Right for Your Organization?
Each of these approaches have their own merit (although we would recommend steering clear of any scare tactics) and may work better or worse under specific circumstances, In general, we would recommend that you combine the Habit Theory, Broken Window Theory, Target Theory and the “Reward Me” theory to get the best results.
One size doesn’t fit all
If you want to foster a culture of compliance, it’s important to embrace a diverse set of approaches tailored to your corporate culture and specific employee population. Compliance officers should recognize when to use rewards and when to use scare tactics, and figure out ways to make the compliance team or officer seem like they’re everywhere. By identifying what your employee population responds to and using a variety of compliance tactics, you can truly elevate your compliance program.
Hyperproof is offering our continuous compliance software subscription at no cost during the COVID-19 crisis to help all organizations stay compliant with disparate data privacy regulations at this challenging time:
- This includes our core platform and two compliance templates focused on privacy mandates passed in the U.S. and EU: The California Consumer Privacy Act (CCPA) and The General Data Protection Regulation (GDPR).
- We chose to make these specific programs available because of the increasing amount of personally identifiable information that needs to be exchanged at record speeds in order to protect our communities.
- The software also comes with video conferencing via Zoom to help companies’ compliance teams work remotely with auditors. The conferences can be stored within Hyperproof’s system of record.