Recently, the GRC Institute held their annual conference with the theme of 'audacity'. I had the opportunity to consider what audacity means in compliance. Here is my article:
Audacity is not normally a term that people associate with compliance, especially considering that according to the Oxford Dictionary, audacity means ‘a willingness to take bold risks’. And in general the word ‘risk’ does seem to have a negative connotation. So how does audacity apply to compliance?
Compliance must be able to raise difficult and unpopular questions. Everyone knows how hard it can be to ask an awkward question or raise what may be an unpopular concern, especially if no one else seems to be worried about it. How often do we just agree with a group just because this is easier than disagreeing, for example about how good a movie was? From a compliance perspective and in a business environment this is simply not an appropriate approach. Compliance must have the courage and be bold, to ask the difficult questions and be the devil’s advocate when necessary. Compliance must consider the risks and look at the worst case scenario.
In an ideal world, this would be a collaborative approach between all the relevant participants but most compliance professionals will face opposition, or concerns may be brushed aside with a ‘you worry too much’ approach. Or even worse, compliance may be accused of ‘stopping business initiatives’.
The opposite is actually the case, Compliance professionals want to business to succeed! But to be successful, business must also face the realities and compliance’s role is to be bold and not allow questions or concerns to be brushed aside. Because just as important as raising the concern is to ensure that the concern is addressed. Compliance should always ask for objective reasons and where possible evidence before accepting that the concern has been addressed. This does not mean that there may not be some form of risk that remains but compliance’s role is to ensure that the business understands the issue and accepts any risk by considering all available information.
Obviously this is not an ideal world, so at times the business may disagree with the concerns raised. When in such a situation, a compliance professional must carefully consider their approach depending on the concern and outcome, of course. At the very least compliance must document their concerns so that the business remains aware of the matter.
Compliance needs to challenge the way things are done. The words ‘this is how things are done here’ are dreaded by compliance professionals. It demonstrates a lack of willingness to question processes and often is a root cause of major issues. Compliance needs to challenge such attitudes as firstly if they are not compliant, there is an issue, and secondly, if something can be done more effectively, this will only improve the business.
And while challenging internal processes of other business areas is one aspect, compliance must also challenge its own approach. Compliance can just as easily reach a point where things are done a certain way.
Compliance needs to challenge the status quo in two ways:
Challenging the status quo of policies, procedures and processes is extremely important. Quite often, a review will start because something has gone wrong and compliance gets involved to assist in resolving the issue. In such situation businesses often are more receptive in challenging the existing processes because obviously there is an issue. But even then, it can be too easy for a busy to brush the matter aside as a ‘one-off’ incident rather than looking for the root cause. As previously mentioned, this is where compliance must be audacious in not letting the matter drop.
Compliance must also be the driver in reviewing policies, procedures and processes on a regular basis. This will ensure that these remain current and reflect how the business operates. The best policy and procedure document is useless if it is out-of-date and does not assist the business in achieving their outcomes. Compliance must be the driver of such reviews given that a business may not consider this a priority over meeting business as usual requirements.
Compliance needs to encourage and support all staff to be audacious. This is the third aspect of compliance being audacious. Fostering a culture where all staff can safely report concerns and raise ideas for improvement is extremely powerful. Some businesses already have a great culture of reporting but where this is not the case, compliance professionals should be a driver of change.
Firstly, compliance must demonstrate such behaviour itself by raising concerns where relevant as outlined above. This will demonstrate to other business areas that this is important and provides a platform for others to raise concerns, whether they are raised with compliance or as part of other reporting structures.
In addition, compliance must ensure that when issues are raised these are dealt with in a respectful and fair manner. Compliance must be approachable and not as an area looking to place blame. Everyone can make a mistake and by giving staff the confidence to report these, compliance can ensure a culture of disclosure.
A while back I had the opportunity to meet a whistleblower and understand what they had to go through as part of the whistleblowing process. They were actually just trying to do the right thing but it meant challenging the status quo of a company. This person had to take a bold risk and experience has shown that it isn’t an easy path and it is up to compliance to be supportive of such persons to ensure that other staff are not concerned about raising valid concerns.
Finding your way to be audacious. The manner in which compliance operates will differ between different compliance professionals and the business they are working with. The way in which the above can be raised and approached will vary a lot and it is up to compliance to find the best manner of being bold, with some very subtle and others more straight forward.
Compliance is so much more than just meeting regulatory compliance. Compliance is about working with the business to achieve business goals. Part of that responsibility is to be audacious to raise concerns, challenge the status quo where relevant and support those that wish to raise their concerns.
To be effective in the business, it is essential that compliance is seen as a valuable business resource, and the only way is for compliance to be audacious to ensure compliance is seen and heard.
Yes, audacity is definitely an essential aspect for any compliance professional!