Brian W Tang is Managing Director and Founder of Asia Capital Markets Institute , a professional education and policy platform. Find out more about this author below.
The US Securities and Exchange Commission and Department of Justice have long identified the code of conduct as being one of the hallmarks of an effective governance, risk and compliance (GRC) program. Since the financial crisis, banking and securities regulators worldwide have also focused on culture, values and ethics to address conduct risk.
As of 2014, all Fortune 500 company codes can be found on the University of Houston Law Center’s searchable database. However, herein lies an inconvenient truth: how many dead letter codes exist to which few employees actually refer? Are codes and their corollary trainings perceived predominantly as mere “tick the box” exercises that distract business unit (BU) leaders from meeting their important targets and satisfying clients, and senior management from satisfying shareholders?
It’s little wonder that the pendulum seems to be swinging back, with the Financial Times recently featuring commentary that called for Barclays’ new CEO to “ditch his inexcusable focus on value.”
In acknowledging these challenges, this primer hopes to encapsulate some accumulated learnings to help bring your organization’s code to life:
1. Draft your code to your audience and business, and make it no longer than it has to be.
Codes are no longer seen as immutable. Fifty-eight percent of Ethisphere Institute’s 2015 World’s Most Ethical Companies have a written requirement stating how often their codes should be updated, and industry studies show, on average, updates every two years.
There is no magical length. Last year, Eaton shortened its code to a three-page principles-based framework to make it more easily accessible in high-risk countries. Conversely, Western Digital increased its 2012 code from 15 to 51 pages by adding more photos, scenarios and white space for better readability. Comparing Barclays’ and RBS’ recent code redrafts highlights their different mixes of wholesale and retail banking employees.
Everyone agrees that the language should be simple, non-legalistic and easy to refer to when an employee is faced with a decision or dilemma, and at the same time should inspire and enable principled performance.
Corporate Communications or an external vendor can help with plain language drafting and presentation, especially localization for employees of different cultures, languages and generations. And web-enabled interactive codes provide user-friendly access that bridges values and policies and provides practical on-demand guidance to employees.
2. The “tone from the top” must have authenticity and longevity.
Authentic leadership requires a strong alignment of the code that symbolizes the company’s commitment to its shared values and behavioral expectations with its three lines of defense:
- BU leaders should report on code values adherence at regular management meetings as an explicit part of their key performance indicators. Mandatory manager rotations, such as those conducted by 3M, can also help promote a stronger company-wide culture.
- GRC leaders from each of Risk, Legal and Compliance should, directly or indirectly, have a seat at the table, and their professionals be respected as guardians of the organization’s longevity.
- The Board’s audit committee, including through its oversight of Internal Audit, should ensure ongoing focus on the company’s culture.
Companies should also consider integrating GRC leadership with external accountability mechanisms to external stakeholders. For example, Xilink’s Director of Global Corporate Compliance concurrently leads its corporate responsibility reporting.
3. Communicate in many different ways, often, and at all levels.
Employees need to hear consistent messages from the Board Chairperson and CEO, whether via regular email blasts, town halls and/or internal and external branding and communications such as company-wide awareness months.
Yet the “mood in the middle” and behavior of middle managers is pivotal. They must “walk the talk” and be coached as role models to be able to communicate and address difficult questions. Given the necessary but impersonal nature of compliance e-learning, some companies mandate annual facilitated workshops with managers and their teams to discuss the code’s application to their daily work.
Commitment devices should also be tailored to resonate with employees, and can range from employee signature requirements and desktop and mobile device screen savers to workplace handheld fans.
4. Maintaining culture is not GRC’s job, it is everyone’s job.
In addition to BU and GRC leadership, other corporate functions should be coordinated across silos to bring the code to life, including:
- Human Resources (HR) to ensure that talent acquisition, retention, training, compensation and incentives align with the code;
- Finance to ensure budgets and targets do not apply undue pressure to increase corner-cutting risks; and
- Corporate Communications and Marketing to craft and hone the code’s business case for clients and shareholders beyond fending off regulatory costs and risks.
5. Carrots are as important as sticks for cultural change.
Punishment is a critical deterrent against bad behavior, whether through “naming and shaming,” bonus clawbacks or sacking. However, companies can benefit from using more incentives in the form of financial and non-financial awards and recognition (including competitions to recommend worthy colleagues). And big data collection can only improve tracking and measurement challenges.
6. Educate, not train, for cultural change.
Subject matter expert trainers who focus on rule compliance risk exposing some employees to information overload and encouraging others to game the system. Employees must be immersed in compelling, engaging, fresh and relevant content and experiences to learn to:
- identify the high and emerging risks (such as through regular prompts of public headlines that reinforce business risks and videos of fellow employees voicing their own experiences);
- develop situational awareness of social psychology phenomena, such as uncritical obedience to authority, peer conformity and bystander inhibition; and
- develop techniques to “give voice to values” to make tough judgment calls in tough situations.
7. A community of practice can help to prevent a race to the bottom.
Highly competitive industries face greater pressures to race to the bottom in standards, and the LIBOR and FX scandals revealed such weaknesses in the financial industry. A community of practice reinforcing positive behaviors can help rebuild trust that will benefit the entire industry.
Brian W Tang is Managing Director and Founder of Asia Capital Markets Institute , a professional education and policy platform that fosters capital markets professionalism, efficiency and innovation to facilitate capital formation and allocation and market integrity. Brian is a corporate finance lawyer who was previously at Credit Suisse in Hong Kong with responsibilities covering investment banking across the Asia Pacific region and at Sullivan & Cromwell in New York and Silicon Valley.