The True Cost of Compliance
Survey reveals that doing the bare minimum is roughly the equivalent of an invitation to financial disaster.
The problem with focusing intensely on rules enforcement is that you tend to develop a culture where folks comply only out of fear, not because it's in everyone's best interest. As Saint Paul advises, "the law is not made for a righteous man, but for the lawless and disobedient."
Of course, you aren't likely to hire only "righteous" job candidates - no offense intended, HR screeners - and so corporations find themselves on something of a roller-coaster when it comes to finding the cultural sweet spot in their governance, risk and compliance (GRC) programs.
This dilemma is the source of a lot of hand-wringing in trade press, but Dov Seidman, the founder and CEO of enterprise software vendor LRN, provides some of the best examples of the phenomenon in a recent post at Forbes. The home run in the lengthy column comes toward the end, where Seidman draws on the two disasters in the U.S. Space Shuttle program as prime examples of how organizations react, and perhaps over-react, to system breakdowns. The Challenger explosion in 1986 was ascribed to quality control and other governance issues, and as a result NASA became one of the most stridently self-regulated outfits on the planet. Seven years later, when Columbia was destroyed on re-entry, the disaster was ascribed to an overly locked-down culture where people did not communicate.
Seidman cites other common issues, including suppressed innovation, as reasons that the cyclical focus on "doing" compliance creates an "either/or" approach to resiliency and growth that, in his words, "no longer maps to a world in which volatility and uncertainty pervade."
His answer is for companies to move away from a lone focus on GRC toward what he calls a "governance, culture and leadership" approach. It's nothing that hasn't been advocated before - it dates at least to the first century, as noted earlier - but it is noteworthy that this call for a little less focus on rules and machines to enforce them comes from the CEO of a company that has a lot of skin in the GRC game.
On the leadership front, Seidman advocates - wait for it - "transparency" and collaboration when working with peers and more importantly (since his column is targeted at CIOs) reports down the corporate tree. At the very least, going beyond a "need-to-know" stance when communicating goals and strategy should go a long way toward cultivating a culture where employees feel comfortable speaking up when something is awry. An unspoken rule of silence was cited as a root problem in more than one financial institution meltdown during the recent crisis. But it's hard to codify open communication in a policy.
That's the real dilemma in building a "culture of compliance" - there's just no clear tactical roadmap to get there, even though the general wisdom behind the goal can't be (or at least is seldom) denied. CFO Magazine gave it a shot last year with a list of five tips for highly placed executives (specifically, the financial officer) that includes building high-level allegiances with the legal department and simulating a crisis at the C-suite level. But it also suggests investing in face time with staff members to really drive home the compliance message.
Obviously, there's no easy answer. And as Seidman notes in his column, "Journeys are more arduous than programs."