You Are the Weakest Link! Or Are You?

If you’ve been in security or compliance long enough (and by that I mean approximately a week), you’ve heard the old adage that our largest vulnerability is our people. Firewalls don’t just randomly open ports. Email clients don’t just decide to send proprietary and sensitive information to third parties. These are actions, sometimes deliberate and sometimes accidental, taken by the human assets within our companies, not the technological ones. Technology is not imbued with the ability to autonomously break laws or divulge sensitive information. Technology largely does what it’s programmed to do. People – these are the elements that cannot really be controlled or predicted. Of course, we can implement technology to mitigate the risk presented by human nature. But at the end of the day, a determined individual can still wreak a lot of havoc. This argument is often made just to make the point that we can’t be complacent. And to a very large extent, it’s correct. But I would posit that people can also be one of our biggest assets with respect to maintaining compliance and ethics programs.

I watch a lot of what my husband refers to as “murder shows” – Forensic Files, 20/20, and the like. My favorite, though, is Dateline when the story is presented by Keith Morrison. He has a way of telling a story. Don’t believe me? I give you proof.

What I’ve learned from watching so many of these programs is that people often get caught because other people watch. They notice the things that just seem…off. That unusual turn of phrase, or the behaviors that are just out of character for a particular individual. Something that no detective would necessarily see as important, but that is a glaring red flag to the people who are in that individual’s sphere on a regular basis.

Compliance and Ethics are no different. Compliance professionals cannot be everywhere, all the time. We must rely on the culture that we and our senior management create to help prevent or detect non-compliant or unethical activity. The people in that culture may notice the transaction behavior that doesn’t fit that merchant but wasn’t necessarily flagged by the monitoring queries. They would be more likely to notice a co-worker getting improper gifts from vendors, or bypassing an approval process to “just get this partner live credentials so that they can do some test.” We need people to feel free to come to our doors and ask questions. Or to say that they feel uncomfortable with something that’s happening in the office. We see the signs in all the airports, bus stations, entertainment venues and anywhere else that people gather that proclaim “If you see something, say something.” That should be our motto in the office, as well. And not just as it pertains to physical security. That should be our motto around non-compliant and unethical behavior.

I confess that I am a control freak with a Type A personality. (Full disclosure: I believe that is a job requirement for Compliance and Ethics professionals, so I’m not too far out of the ordinary.) I am risk averse and sometimes believe that no one else is. (Again, I believe that to be a hazard of the profession.) But that makes it so much more incumbent upon compliance professionals to create an environment in which everyone in the organization understands what is expected and how to report something that they feel is not appropriate. We do that through proper, regular training and by following process. I may be flogging a dead horse on this point, but training is so much more than a check-the-box exercise, and it needs to be engaging, relevant, and interactive. That doesn’t mean that it has to be face-to-face, though you may find that works best for your organization. But it does mean that it’s more than just cutting and pasting a regulation onto a PowerPoint slide. What does that regulation mean to our company, to my department? How can I help to ensure that what I (my team, our organization) am doing is the right thing?

Following on from that last question, where do I turn if I see someone doing the wrong thing? This component is vitally important. Without that feedback loop, you can’t be sure that the training is effective or that the policies and controls that have been implemented in the organization are working appropriately. And even with the best will in the world, the best policies, and timely compliance testing and auditing, someone, somewhere will either make a mistake or take a deliberate action to contravene company policy or regulation. Everyone in our organization must feel that they know enough about what is right or wrong to make an informed judgement about the situation, and then be aware of the process that exists to report something that they believe is a risk to the organization.

We know that, despite promises to the contrary, regulation isn’t going away. With the rapid advancement of technology and the almost instantaneous impact it has on business models, the scope of the compliance professional’s job is only going to grow apace. We need force multipliers. Empowered and informed employees can help create and maintain a culture that rewards doing the right thing. It’s time that we start allowing employees outside of formal compliance jobs to take ownership of compliance within their spheres of influence.