In April this year, the International Organisation for Standardisation (ISO) released the new standard on Compliance Management Systems, ISO 37301:2021 replacing ISO 19600:2014.
A key emphasis of the new standard has been to elevate the role of culture in the compliance process, calling on organisations to actively measure and manage their culture of compliance. The opening sentence notes ‘Organisations that aim to be successful in the long term need to establish and maintain a culture of compliance, considering the needs and expectations of interested parties.’
This focus on culture reflects a growing understanding among compliance professionals, regulators, and the community, of the central role culture plays in the effective management of compliance by shaping the behaviour of employees throughout the organisation. Despite years of investment in compliance programs, culture continues to be cited as a causal factor in high-profile compliance failures. It is clear something has been missing from the approach.
In her recent speech to the Insurance Council of Australia, the Deputy Chair of APRA noted that ‘10 years on, [from the Global Financial Crisis] there continue to be major risk and compliance weaknesses’ with a need for ‘instilling stronger risk culture across the business.’1
The new standard calls on organisations to think differently and to ‘develop and spread a cultivate positive culture of compliance’, not just as a defence against potential sanctions or reputational damage, but as a critical step towards building sustainable and trustworthy businesses.
This article will explore:
Like the concept of risk culture, compliance is one just lens through which to view the culture of the organisation. It is the influence of the shared values, norms, mindsets and behaviours of people within the organisation (the organisational culture) on the compliance process. Understanding the culture of compliance means understanding how culture influences the overall compliance process.
At its most basic, compliance is a process of adopting the expectations of external stakeholders and enacting them through the organisation to govern the behaviour of employees. It is a two-stage process involving; first assessing external stakeholder expectations; and second, adopting them by setting organisational expectations, through both explicit processes, such as policies and procedures and via implicit mechanisms such as shared values, norms and behaviours.(Figure 1)
The culture of compliance will shape, and be shaped by, the values expressed, and the decisions made at two critical points in the process; at the interface between the business and its external stakeholders, impacting decisions about which stakeholder expectations are prioritised and adopted; and at the individual level – influencing the extent to which individual employees adopt and adhere to the organisation’s expectations of them. ,
Understanding a culture of compliance, therefore, must focus not just on how compliance is managed and enforced internally, but also how the organisation understands and responds to the demands of its external stakeholders.
ISO 37301 requires organisations to take a wide view of their external stakeholders, considering the needs and expectations of ‘the people or organisations that can affect, be affected by or perceive themselves to be affected by the compliance management system’. It also recommends compliance obligations be viewed beyond not just what the organisation must do (set through laws and regulations), but also what it should do (those expectations the organisation adopts voluntarily through agreement or contract).
The requirements of the new standard reflect an intent to move beyond the notion that a culture of compliance means ‘just following the rules’ by emphasising the importance or organisational values, leadership’s role-modelling of the right behaviours, building broad awareness and understanding through training and communications and appropriate consequence management to address non-compliance.
For those organisations that retain a culture of compliance predominantly focussed on ‘just following the rules’, adhering to the new standards will require considerable rethinking and alignment. But there is value in doing so. Compliance cultures that focus on rule following are problematic given that rules, like laws, are generally reactive, being created after an event has occurred to prevent a reoccurrence. Relying on rules and adherence to them can drive ever increasing policies and processes making it difficult for employees to understand what is expected and, ultimately, reduce their efficiency, engagement, and ability to comply. Rarely are issues of non-compliance due to wilful breaking of the rules. Non-compliance more commonly occurs where the documented processes and procedures conflict with the shared norms, values and behaviours or where particular situations aren’t covered by the established rules.
Research in organisational psychology and business has identified four key dimensions that can be used to assess an organisation’s compliance culture (Figure 2)2.
These organisational dimensions shape the overall approach to compliance and how the organisation seeks to understand and enact the needs of stakeholders to influence the behaviour[A3] [A4] of its employees.
Figure 2. Key organisational dimensions of compliance culture.
Organisations can differ markedly across these four dimensions depending on their values and preferences, leading to a variety of different compliance cultures. While there is no perfect mix, organisations that follow a rules-based approach are often those that take an internal approach to evaluation, define compliance from the perspective of benefit to themselves, value stability in their assessment of expectations and show preference for structured controls and processes.
By emphasising values alignment and broader consideration of stakeholders, the requirements of the new standard encourage organisations to move towards compliance cultures that are more open to influence and go beyond a minimum requirements approach.
This does not mean organisations must adhere to the expectations of every stakeholder but that there should a deliberate process in place to assess what expectations are adopted as obligations. Ideally, the assessment should include consideration of the stakeholder’s needs, the information they need to inform decisions about how they want to interact with the company, as well as the way the organisation impacts upon the stakeholder.
Approaches to measuring compliance culture often rely on a combination of surveys, interviews and focus groups, as well as more tangible compliance data related to individual compliance (for example, whether employees are complying, meeting training requirements and if they understand the importance of compliance and their obligations). While these approaches give some insight into compliance at the individual level, a holistic assessment of compliance culture needs to consider how the organisation interacts with and relates to its stakeholders, how their expectations are assessed and adopted and whether stakeholders see the organisation’s efforts as adequate. It is entirely possible to have every employee living up to the organisation’s stated expectations, but still experience a failure of compliance because the approach does not meet external stakeholders’ expectations.
Assessment approaches that focus exclusively on internal processes of compliance are unlikely to yield the insights needed to identify the full range of potential issues.
Changing compliance culture needs to be targeted and values-based Just as all organisations are different, there is no perfect mix of the dimensions of compliance culture. Each organisation will differ depending on its unique features. As with any culture change program, it is important to define a target state which includes consideration of both the organisation’s desired relationships with external stakeholders and the expected behaviours of its employees.
The new standard outlines the importance of using the organisation’s values to align expectations and encourage consistent compliance. Research evidence shows employees are more likely to prioritise compliance when they perceive alignment between their personal values, the values of the organisation and whether they perceive their colleagues as living the values. A second article will focus on these individual factors of compliance in coming weeks.
Clear organisational values can also be a foundational tool for assessing how aligned an organisation’s views are with those of external stakeholders. Used effectively, they can provide the basis for meaningful discussion and alignment as part of the assessment process, creating create a sense of shared value and building trust.
Developing a roadmap for change needs to be based on a clear understanding of the current culture and the desired culture to identify and prioritise actions with the greatest chance of delivering sustained change. By emphasising culture, the requirements outlined in ISO 37301 encourage organisations to think broadly about their stakeholders, understand the current culture of compliance and to embrace both the letter and the spirit of their obligations.
ISO 37301 highlights a number of areas for focus to deliver effective compliance, including ‘culture’ as a critical pillar. Please contact Murray Lawson or Victoria Whitaker or Heather Loewenthal to discuss how Deloitte can supports clients to understand and strengthen their compliance cultures. In addition, Heather Lowenthal participated in the ISO working group and can help you with all aspects of the standard.
|Culture of compliance||Readiness for ISO 37301|
|Ethical frameworks||Compliance maturity assessment and gap analysis|
|Risk culture & leadership||Technology solutions aimed at increasing
 Rowell Helen, H.R. (2021, October 13). Insuring Australia: Are you the best you can be?
 Interligi, L. (2010) Compliance Culture: A conceptual framework, Journal of management & Organization, 16, 235-249