Compliance, Technology, and a Culture of Collaboration

a finger touching a futuristic visual display

Thanks to modern technology, organizational collaboration in the workplace is happening on a scale never previously imagined. In recent years, tech companies have focused on developing collaboration and sharing programs, and made them a defining feature of modern tech. Just consider the prominence of such major sharing and collaboration platforms as Google Docs, Apple iWork, Dropbox, or Slack.

Collaboration is also one of the potentially most transformational aspects of legal (and compliance) operations. I am a fan of legal operations as a discipline because I don’t see it as something to be done just by an isolated team of specialists inside a large law department, but rather as a broader skillset all lawyers and law department staff should cultivate. And the building blocks of modern legal operations — knowledge management, change management, process management, project management, etc. — depend on systematic collaboration using modern technology both inside the law department, and between the department and its clients.

Collaboration is also the lynchpin of creating an effective compliance and ethics program and culture of compliance. Technology can play a huge role in building that culture.

Let’s consider this through the lens of the US Department of Justice Criminal Division’s Guidance Document, “Evaluation of Corporate Compliance Programs,” updated in April 2019 (GD). The GD lists the following items as the top three among the critical factors to be used in evaluating whether any corporation compliance program “is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.” JM 9-28.800:

  1. “[T]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment.”
  2. [P]olicies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process.”
  3. “[A]ppropriately tailored training and communications.”

The GD emphasizes the importance of creating a genuine culture of compliance no less than eight times, and it is not alone. Simply put, unless you have a culture that “walks the talk” — in which employees are convinced that organizational compliance is important not only to the organization and its leaders but also to themselves, personally — you will not achieve an organization that behaves compliantly. And I believe that to build a true culture of compliance you also need to build a strong culture of collaboration.

Both kinds of cultures require fostering a fairly high level of trust among your employees. Collaborators must trust that colleagues will do their fair share of the work, will not take credit for work done by others, and will take responsibility for their own actions. They must trust that their colleagues will be honest, thoughtfully raising only truly constructive criticisms in ways that don’t sour the collaboration effort and will enable problems to be addressed openly and considerately.

In the compliance context, employees must feel empowered to report compliance issues without fear of unjust repercussion, trusting that their colleagues and managers will not make them scapegoats for those compliance issues even if they may inadvertently have been the source of those issues. They must also trust that punishments will be fairly administered and proportional to any infractions.

In both the collaboration and compliance contexts, employees must believe that senior leaders will actively encourage and reward both collaboration and compliance initiatives. Senior leaders must foster a collaboration and compliance mindset that will make collaboration and compliance the default reaction in making work decisions.

So now, let’s look at some of the elements that cultures of collaboration and of compliance have in common, and how they relate to the critical factors listed in the GD.

Risk assessments

Risk assessments are a process in which compliance professionals work with legal and their business colleagues to develop a register or inventory of the most critical compliance risk factors affecting the organization. Then they must periodically and systematically review and rate the likelihood and severity of those risks, the current mitigation efforts in place, and how those mitigation efforts should be improved.

Whether the risk register/assessment tool is developed in Excel, Word, SQL, or some other tool, it will require honest input and discussions between many knowledgeable employees.

This is typically a somewhat stressful process, because you are asking the business, legal, and compliance professionals to identify compliance gaps and some means to fix them that may create high friction or require material change with respect to what may be well-established and often very profitable business processes. Without a culture of compliance and a culture of collaboration, you are unlikely to achieve meaningful compliance improvements that will also enable your businesses to continue to run smoothly without a stutter.

Risk registers should be and usually are set up so that participants from all around the company can access the risk inventory, review and provide feedback on the register, and suggest mitigations that might make the risk mitigation easier or less expensive.

Better still, dashboards can enable business leaders and legal and compliance staff to stay alert of trending risks and mitigation processes in real time. You can even create smart guides to help walk those affected through the implications of the risks they are considering.

Policies and procedures

As a best practice, policies and procedures should be organic, evolving, breathing documents intended to remain in sync with the rapidly changing business practices of the company and the regulatory environment in which it operates.

You cannot keep such policies and procedures front of mind unless you have created a culture of compliance. In such a culture, policies and procedures are given high priority and employees are so well acquainted with them that they would immediately recognize when a proposed business change would require a change the corresponding compliance policy or procedure. Employees should innately examine the change through the lens of compliance before the tweak to business process design is consummated.

You could not achieve this kind of synergy unless you also maintain a culture of collaboration. In such a culture, it would never occur to legal and compliance professionals to make a change in policies or procedures without engaging businesspeople in the process, any more than it would occur to businesspeople to make a change without engaging the legal and compliance team.

Training and communications

Modern compliance is a labyrinth in motion, a rapidly changing mosaic of principles and requirements and jurisdictions that are difficult if not impossible to keep up with, even with the best of intentions. Compliance and legal professionals need to make it as easy as possible for businesspeople to understand what it means to comply. That requires superb training and communications on at least the most pressing compliance issues.

I have been in several companies in which the tone from the top was clear that the online training courses were a necessary evil, to be completed with as little interruption to your real work as possible. In such organizations, very little actual absorption of the subject matter usually occurs. These trainings served little actual purpose other than to check an item off a list of compliance formalities.

Furthermore, unless you have a culture of collaboration, how often is anyone likely to raise their hand and admit that some point or another in the training was unclear? A culture of collaboration is absolutely necessary if communications and trainings are to serve their intended purposes.

Finally, good technology can make training and communications easy to create, distribute, and absorb. When I was the head of compliance for one organization, we made a practice of creating short entertaining videos using our smartphones to get specific compliance points across to our clients. The videos were humorous or dramatic in a way that would stick with employees longer, better, and more quickly than any boring memo or “compliance alert.”

Compliance is important. Collaboration is too. If you have too little of either, consider how you might suggest using technology to make real and important changes. Trust me — doing that can be a lot of fun.