“We must all face the choice between what is right and what is easy”
— Albus Dumbledore, Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry
Beyond Checklists: Strategic Approaches to Financial Services Compliance
As the introductory article in this series outlined, becoming an effective compliance officer requires you to understand psychological, legal and management principles. In this article, we will explore strategic approaches that can help move compliance from a “tick the box” exercise to adding real value for businesses.
Command and Control vs Strategic Management
Traditionally, compliance has been viewed through a “command and control” lens, an approach that focuses on rules adherence and the punishment of non-compliant conduct. The appeal of this model is obvious: both immature and hierarchical businesses can benefit from compliance frameworks that minimise discretion and insist on consistency and homogeneity. However, in our experience, although these models minimise regulatory enforcement risks, this formal and bureaucratic approach discourages innovation, reduces quality and often causes “compliance” to become disconnected from the business.
A more strategic view, and a generally more successful approach, is to recognise compliance as a strategic management discipline that proactively manages risks and consistently improves business performance. This approach, which is also our approach, applies a holistic, risk-based model to compliance as part of an overall governance framework. The advantages of this approach are significant: it facilitates early integration of compliance considerations into strategic planning and ongoing decision-making processes but, more importantly, it embeds compliance as a sustainable part of the business’ culture. It transforms a reactive exercise focused on compliance with minimum standards into a cultural value that understands complexity and choice.
Traditionally, legalistic “command and control” models mandate and compel conduct by focusing on enforcement and deterrence, achieved by punishment or the fear of penalties. However, to be successful over the long term, rules-based compliance models require simplicity, industrialisation and predictability as well as active and effective enforcement. In a complex environment, people make internally rational choices and act after weighing costs and benefits against the perceived chance of formal or informal sanctions.
In contrast, a well-designed strategic management model recognises, and optimises, agents’ calculus and, by focusing on intent and outcome, facilitates substantively better outcomes. Rather than reactively detecting and punishing misconduct, “compliance” is used to shape norms. By acknowledging representatives’ agency, and the context surrounding representatives’ decisions, compliance adds value and decreases operational costs; compliance ceases to be an external imposition because individuals feel internal moral pressure to obey norms.
Leading risk management standards, such as the Australian Standard for Risk Management (AS/NZS ISO 31000), provide frameworks for operationalising a risk-based approach by systematically identifying, assessing and prioritising compliance risks based on likelihood, impact and consequences. By doing this, compliance resources can then be proportionately and properly allocated.
The benefits aren’t only commercial. Based on our data, a risk-based approach improves advice outcomes, and the use of stronger preventative controls (with more active monitoring) reduces the business’ vulnerabilities and exposure to higher-risk activities. Although these models are often more complex, routine controls may still be appropriate for inherently low-risk matters. An effective risk-based compliance framework is based on deep subject matter expertise, and this presents a real and profound challenge; formalism, in contrast, simply requires a checklist. The real ongoing challenge of these models is the need for ongoing refinement and recalibration; elements need to be regularly reviewed to account for changes to regulations, external events, market developments or other environmental changes. It requires a commitment to continuous improvement and a recognition that cultures of misconduct occur when oversight fails.
TIPS: In our experience, a risk-based approach is demonstrably more effective and more constructive, but it also requires more thought than binary models. If you’re looking for strategies to ensure your compliance arrangements avoid formalism and address substantive issues:
- Focus compliance monitoring and assessments on measuring outcomes like fair treatment of customers rather than just box-ticking processes.
- Encourage compliance staff to identify root causes of issues rather than just surface symptoms.
- Recalibrate compliance testing and file reviews to evaluate understanding and suitability of advice over administrative completeness alone.
- Set KPIs for compliance based on reducing substantively poor outcomes like valid complaints rather than number of audits conducted.
- Interview customers, audit advisory files qualitatively and review call recordings for substance over checklists.
- Allow for flexibility, exceptions and judgement calls in compliance where strict formal rules don’t suit unique circumstances.
- Foster a just culture where staff are comfortable escalating issues without fear of punishment to enable early substantive problem-solving.
- Empower compliance to work cross-functionally with advisers to resolve issues jointly rather than taking an accusing stance.
- Provide compliance training focused on ethics, conduct and behavioural drivers of poor outcomes rather than rule memorisation.
- Encourage compliance queries and collaboration with the business to gain a richer understanding of operational realities.
- Regularly review the compliance program for opportunities to simplify or remove unnecessary formal steps that detract from the focus on core conduct and integrity priorities.
Remember that, under a risk-based model, your goal is not to embed process legalism but to promote good outcomes and prevent client harm, loss or detriment.
Tone from the Top (or The Culture of Compliance)
Every cliché, and every stereotype, has a basis in reality, so the idea that “a fish rots from the head down”, while unproven, effectively reinforces the relationship between organisational culture and leadership.
We may argue about how to define “organisational culture” and “leadership”, but we believe that real cultural change starts from the highest levels of organisational leadership (and only continues while that emphasis is conspicuously sustained).
Strategic (or risk-based) compliance requires an unambiguous ‘tone from the top’; but this rhetorical flourish must be supported by concrete actions where senior management visibly model desired conduct and consistently, and predictably, reward good conduct and respond to misconduct (without stigmatising agents). This combination is what we call “compliance culture”.
At an operational level, this involves empowering compliance functions, actively incorporating compliance considerations into strategic decision-making, and expecting accountability for effective governance and strong controls.
Overall, strategic risk-based approaches effectively, and demonstrably, elevate compliance beyond legal minimum standards only when compliance is substantively embedded throughout your systems, processes and daily business operations.
Transactional “box ticking” may be “simpler and easier” but, as Commissioner Hayne and Report 515 proved, it is manifestly ineffective. On the other hand, while strategic (risk-based) compliance may require more effort to establish, it is more likely to create value, realise commercial benefits and deliver meaningful risk optimisation.
If you need help, let us know.
For help designing a risk-based compliance framework contact Assured Support.