Compliance challenge or challenge compliance? There are two qualities that make it difficult to assess compliance in practice: general principles vs regulatory crowding out. Jochen Blaffert describes the challenges of being compliant and why compliance should be challenged.
Compliance Challenge
Compliance with laws, rules and regulations is challenging. Let alone acting in line with “soft law” rules (interpretations or policy preferences of supervisory authorities) and market practices. In larger organisations, it sometimes feels like a multitude of different obligations are scattered across business units, managers and other employees. Depending on the industry, the emphasis varies from health and safety to rules of market conduct. The consequences of non-compliance vary by industry as well. While some operate under the radar of active external influence, others have supervisory authorities glancing over their shoulder, and there are others who simply can’t do business without the right certifications.
For all these organisations compliance has become a part of daily corporate life over the recent decades: accepted by most, yet enthusiastically embraced by few. However, there are two qualities that make it difficult to be able to assess compliance in practice.
General principles
On the one hand there has been a shift towards a more principles-based (rather than rules-based) set of regulations, the development of which has been underway for years. Adhering to the “spirit of the law” above simply the “letter of the law”, “reasonableness and fairness” and “comply or explain” are some of the well-known concepts evidencing this move. With the right judgment call this should result in the right outcome for every occasion. The idea is that with general principles there is a certain flexibility to move in line with developments in society and the market, while maintaining the overarching principle as guideline on which to base one’s decisions. The question is, of course, whether each employee on the work floor possesses the tools to make these judgment calls on a daily basis.
Regulatory crowding out
On the other hand, there is a tendency to strictly fit compliance into control mechanisms. The compliance department, the enterprise/operational risk management department, or the internal or external auditor, all want to measure and establish that the organisation is “in compliance”, “compliant” or “in control”. Often an ingenious system of elaborate policy documentation combined with well described and sometimes tech-enabled controls is set up to be able to report that rules are being followed, controls are in place, and action is taken where necessary. Using the three lines of defence approach (first line: “the business”, second line: supporting units like compliance and legal, third line: internal audit), it must become clear that design and operating effectiveness (in Dutch: opzet, bestaan en werking) are up to par. The pitfall of all these controls is the “tick-box mentality” that emerges whenever there are (perceived to be) too many hoops to jump through to get things done or unclear reasons for controls being imposed. If this is the case, the compliance controls that are extended to the Board may give a false sense of security.
This regulatory crowding out effect is well described by professors Van de Loo and Winter: employees are no longer making a (moral) judgement call themselves but, as a result of many rules and controls, they solely focus on fulfilling the requirements of controls. Ticking boxes in this context is also referred to as “unconscious consent”, comparable with accepting general terms and conditions automatically when purchasing products via the internet. Besides the zero option, there is not really a choice to be had if the “system says no”.
Challenge Compliance
In our society, and in business, we see more and more community and platform-led and co-creation approaches, representing a move away from long-established and accepted hierarchical structures. This evolution is an opportunity to bring behaviour and culture in line with a true compliance spirit. So, stimulate conscious consent, avoid regulatory crowding out and create conduct awareness. Also, if all the control boxes have been ticked: be bold and challenge compliance.
