
Why you should crowdsource your Compliance

Compliance, as I never tire of telling people, is the business of influencing human decision-making. You can't just tell your organisation to be compliant - it's the people within it that will determine whether or not that's the case.


Yet many Compliance programs don't ever consider things from the employee perspective. They rely on the assumption that, because people are employed, they will do as they are told. Sometimes they will. But that can be a dangerous presumption - particularly if complying with the rules can't be monitored or has a qualitative element. People, unlike machines, are sentient beings that will react to their environment.


In most cases, we're better off if we can design a framework that means the employees have at least a modicum of, and ideally a huge amount of, respect for our compliance program. This is why I'm a huge proponent of working with employees to ensure that, wherever possible, we pay attention to their perspective when designing or changing a compliance program.


Here are three ways you can crowdsource feedback from your employees that can help you to make your Compliance program more effective.



Learn from their behaviour


The first and most obvious way is to observe how your employees respond to your framework — paying particular attention to the rules they don't follow. You'll be doing that as part of your disciplinary processes. But you can also do it as a means of gathering feedback.


Because hidden in your breach data is valuable feedback about weaknesses in your program. On the face of it, when someone breaks a rule, it's a sign of bad behaviour. And if it is just one person, then there's a strong likelihood that fault lies with them. But if lots of people break a rule, then it's unlikely they are all badly behaved individuals. There's a good chance that the rule-breaking is more illustrative of a poorly designed rule. By exploring what might be driving the rule-breaking, you can identify and eliminate the incentives to do so.


👉 If one of your rules has a higher than average rate of non-compliance, ask yourself what factors in the design, training, communication or implementation of the rule contribute to that. I guarantee you'll find something you can and should change.


Listen to them


The second way to crowdsource feedback is also obvious. Ask your employees for feedback. This isn't something that is often done — except, perhaps, for some consultation when first implementing new rules. That's understandable. Because employees must comply with compliance requirements, their views are often not considered. Since they don't have a choice, the logic goes, there isn't much merit in asking them what they think. But this is potentially a huge mistake. Because the feedback you'll gain could be extremely powerful.


Things that irritate us are (or become) things we don't respect - in Compliance terms, the things we'll try to find ways around. Getting insight into those things your employees don't like about your program is akin to activating an early warning system. When "push comes to shove", it is the areas of the program that aren't respected that are most likely to be ignored or circumvented.


👉 Take time to ask your employees which of your rules they find the most demanding or irritating. Ideally, ask them WPYO - something I explain here.


Engage them


The third way you can crowdsource is by actively co-opting them to help you. We're all familiar with the idea of ethical hacking - hiring people to find weak points in cybersecurity systems. Why not do the same with compliance? Rather than wait for someone to exploit a loophole, why not ask employees to help you find them? You could even go as far as offering some form of 'bounty' (not necessarily cash) to those who help you identify weak points in your compliance program.


👉 Think about actively tasking employees to find weaknesses in your control framework. Tell them you actively want them to share loopholes, vulnerabilities and unintended consequences.


These techniques, particularly the second and third ones, won't just help you identify weaknesses that might not be obvious. Even the most perfectly designed program can turn out to have flaws. Doing these things also sends a powerful signal to your employees that you're open to changing things and welcome feedback. Which, in turn, will build a stronger relationship with them.


Speaking of feedback, I also value it.

👉 So please let me know what you think of this blog. Have you tried any of these techniques in your Compliance program? If so, what happened?
