Governance, Risk and Compliance

How to Improve Your Corporate Compliance Program

Habit is an incredibly powerful motivation. Bad habits can lead literally to the undoing of someone’s entire life, whereas good habits can transform a person from being overweight to running a marathon. Charles Duhigg’s book on the topic is a worthwhile read on how we can all use “keystone habits” to transform the way we live and work – and how many companies are doing exactly that.

Understanding how habits work and using that understanding to promote worthwhile behavior is often far more productive than trying to tell someone to do something because they won’t then feel like they are having to do something extra; it feels like part of a normal routine.

This is especially true of corporate compliance activities in the world’s big companies. Most firms only began to substantially invest in corporate compliance activities in the past decade or so, and this has led compliance programs to be kept largely separate from most routine business workflows. Although this approach helped compliance professionals build their programs quickly, it has created a largely “bolt-on” system, with compliance activities layered on top of existing processes.

Employees are then required to step outside of their daily workflows and make their way through numerous handoffs, processes, and approvals to satisfy compliance controls before they can get on with what they see as the day job.

From Bolt On…

This stand-alone approach to compliance has become unsustainable as everyone’s expectations change. First, regulators want compliance work to be part of regular business operations so that employees don’t skip compliance processes. Second, company boards have become frustrated with multiple and, often, conflicting security reports and want compliance integrated into all enterprise risk activity.

Third, senior line managers keep asking compliance teams to streamline their processes and demonstrate how and why all this increased compliance activity is helping the firm’s bottom line. Fourth, employees have become increasingly intolerant of all the extra work.

…To Built In

Compliance programs that are a part of business operations lowers the burden on employees by connecting their workflows to compliance activities. To do this, compliance teams should make three changes to their programs. Chart 1 provides a few examples of how to move from a “bolt-on” to “built-in” approach.

  1. Make compliance part of business workflows: Traditional compliance teams focused more on supporting employees through existing bolt-on processes. A better approach is to make activities natural parts of business workflows (i.e., avoid extra steps and handoffs), and design them  to support the achievement of business goals.
  2. Coordinate compliance with all other assurance activity: Compliance activities should be coordinated with similar assurance activities to avoid overlap and unnecessary burden on employees. Many compliance teams have created committees and avenues for ad-hoc information sharing but haven’t focused on the operational details needed for coordination.
  3. Assess ease-of-use of compliance activities: Integrating compliance activities with business operations is only one part of the equation. Compliance teams must continually assess how easy it is for employees to use and adhere to compliance activities.

Chart 1: Select Examples of Built-In Opportunities Source: CEB analysis

Contributed by CEB, a best practice insight and technology company. Read more CEB blogs here.

Sponsored by CEB, now Gartner

Leaders at more than 10,000 organizations worldwide rely on CEB services to harness their untapped potential and grow. Now offered by Gartner, CEB best practices and technology solutions equip customers with the intelligence to effectively manage talent, customers, and operations. More at