By Tina Orem
Throw a large pebble onto the main entrance of an ant hill, and you’ll probably witness something amazing: dozens of ants will appear and magically coordinate to remove the pebble, which is undoubtedly hundreds of times heavier than they are. Best of all, they’ll do it without needing exploratory meetings, draft memos or PowerPoint presentations.It may seem like a trivial situation, but when that pebble is “compliance” and the ants are “bank employees,” their exertion suddenly becomes more meaningful. After all, it’s not the pebble’s weight that’s most fascinating—it’s the sheer complexity of the coordination to deal with it.
How ants pull this off is a mystery banks can relate to. For a long time, compliance in the average bank was a sequestered activity handled by a relatively tiny group. But today, carrying the regulation pebble requires a much more orchestrated, strategic effort from the entire organization. And for most banks, that requires a big shift toward creating a culture of compliance—that is, coordinating more ants to lift the pebble.
It’s a heavy one, too. A full 73 percent of bank executives in the Accenture 2015 Global Risk Management Study said infusing risk culture in their organizations was critical or important, yet only 11 percent said they had a consistent risk culture. And 37 percent said they believed human nature is stopping it from happening.
We asked compliance experts how banks can reshape their cultures so compliance goes from a back-office task silo to a pervasive set of behaviors and beliefs. Here are seven things they said make a difference.
1. Put compliance experts on the IT and HR teams, and other important places.
One of the first steps to creating a culture of compliance is to ensure that compliance people are embedded in the bank’s organizational machinery. Cara James, SVP and director of compliance at Arvest Bank in Tulsa, Okla., sits on her bank’s IT steering committee, for example.
“I am a voting member of a group that makes decisions around IT projects and prioritization in our organization, be-cause the need is there for a compliance perspective as we make decisions on where our IT dollars and resources are going to be applied,” she says. Bank teams and committees focused on government relations, strategic planning and special initiatives should also include compliance subject-matter experts, she added.
“Really the best way to make this happen is to become very business focused, to understand how the bank makes money, and to really align compliance efforts with business efforts so it becomes more seamless,” says James, who has worked in compliance for 24 years.
“It’s about developing relationships with management at all levels of the bank, and then using those relationships to take advantage of opportunities to ideally, in person, communicate and educate your business. That’s really where it starts,” she adds.
Compliance leaders often don’t have hiring and firing authority, says Greg Hahn, the national practice leader for regulatory compliance services at consultancy firm Crowe Horwath in Grand Rapids, Mich. (ABA endorses Crowe Horwath for compliance management solutions.) But part of building a culture of compliance is working with HR to establish guidelines for recommending dismissal or discipline on compliance-related matters and having the confidence that senior management will back it up when needed, he said.
2. Send the message from the top (and from the right address).
To create a culture of compliance, bank leaders also must explicitly tell teams that compliance is everybody’s responsibility and that it should be taken seriously. Email is often the most efficient way to send that message, says Lyn Farrell, managing director at Treliant Risk Advisors. But that email shouldn’t be from the head of compliance, she says.
“The top has to send that email. It can’t come from compliance,” she says. “Senior management has to send the email themselves.”
Why?
“If anybody below senior management sends a communication that’s not popular, people will feel free to ignore it,” she explains.
3. Look for red flags.
Telling people to care about compliance is much easier than getting them to actually do it, especially when revenue targets are a priority. So the next step in creating a culture of compliance is to identify and respond to members of the team who are skeptical about or resistant to the change.
One of the first things Hahn’s company does to spot those employees is to look at the testing process that comes after compliance training.
“You end up with a small population of folks that may delay taking the test, or may actually not take the test at all, or can’t do the training,” he says. “That’s an indicator of some concern that someone may not be taking them as seriously as they should.”
The actual test results are also important, he adds, because they can highlight or validate issues with training or that internal auditors are detecting in parts of the organization.
Employees resistant to compliance culture often try not to share information, Farrell explains, and they are resistant to suggestions or warnings about activities that might be high risk. “They do tend to get really upset about that.”
The old way of thinking is that compliance is “just government regulations” that don’t mean anything, Farrell adds. Nine dangerous words signal that thinking: “Show me where it says I can’t do that.”
Statements of cooperation that don’t result in execution are another red flag, James notes. “Sometimes that’s because maybe they’re ineffective at execution; sometimes that’s because they are a naysayer,” she says. And when the pushback goes on for an extended period of time, even after you have provided information that should have satisfied someone, that’s a red flag, too.
4. Know what you’re up against.
There are two root causes for compliance not taking hold culturally, James says: resistance and ignorance. Resistance is the harder situation to deal with, she said, but a culture of compliance has to be inclusive to be strong, and that means acknowledging and listening to adversaries.
“Sometimes pushback is very beneficial to the conversation, and they’re justified—they have good arguments,” James explains. “What that usually means is that you haven’t explained it well enough or you haven’t done your homework that you need to do on an issue.”
It starts with the board and senior management pushing the message, then backing it up with training and discipline when needed, Hahn adds. But resist the urge to lay out a welcome mat for a regulatory enforcement process so that you can teach resisters a lesson, he said. “Failure to comply in the financial services industry can lead to enforcement action, which affects the entire institution,” he explains.
5. Let technology help.
That may sound counterintuitive, given the interpersonal, emotional aspect of culture-building. But the truth is that manual compliance-related processes become weak points that get worse as a bank expands. Plus, they erode morale, Hahn says.
Regulators in internal audit tend to focus in on those manual controls, he explains, and those manual controls often can’t withstand the pressure that comes with growth. By automating certain controls and collecting information electronically rather than writing it down, banks can create analytical scorecards that take the pressure off some employees charged with managing that data, he adds.
At Arvest Bank, Cara James is hoping to do just that. Arvest is installing new compliance software, but it can be resource-intensive and will take a year to implement. “There are times I think when we got caught up in finding the next great solution and it’s easy to get distracted by that and not be as focused on the actual execution results of the work,” she says. “You have to find a balance.”
“You just have to be sure you do your due diligence to ensure that the payoff is worth it to you,” she adds.
6. Evaluate managers on their appetites for risk.
Hahn, who has worked in the compliance field for 15 years, says his firm has seen a lot of banks and financial services companies move to include compliance as a component of managers’ performance-based bonuses. Internal audit results are often also part of that assessment, he says, as well as testing results.
Only about half the 71 respondents in the 2015 Deloitte Global Risk Management Survey said their institutions’ risk management programs were responsible for reviewing compensation plans to assess their impact on risk appetites and culture. A full 72 percent of management compensation practices tied pay to overall corporate results, but only 28 percent used individual metrics tied to implementation of effective risk-mitigation strategies.
But “[i]t is likely that many of these practices will become more widespread over time as regulators focus on compensation as part of their increased attention to risk culture,” the study said.
One of the most innovative methods Farrell says she has seen in a few larger banks involves peer evaluations of the kinds of risks managers take. “I believe that it makes them stop and think.”
7. Perfection may be the standard, but accept that you will fall short.
“No institution is going to catch everything, find everything—there is human involvement, which in and of itself is going to cause an error, a mistake, a miss,” Hahn warns. An effective risk assessment is the key to honing in on the most likely trouble spots for an institution.
Nonetheless, most bank leaders probably won’t admit there’s room for error.
“One of the things compliance officers complain about is if there’s ever any error at all, the examiners will always cite training,” Farrell says. “They always complain to me that the examiners seem to think that if they just trained all the time or trained well enough, then there would never be a mistake made. But you know, you’re talking about people. So there are going to be mistakes made. We can’t be perfect.”
“I think that’s been the frustration of a lot of bankers in recent years,” James adds. “It seems that anything less than perfection is unacceptable to the regulators, and it used to not be that way. From a morale perspective both within the compliance department and generally within the company, that’s a tough nut to crack.”
Tina Orem is a freelance writer in New Mexico.
