Extensive research to build a culture of compliance with practical advice to implement and measure it effectively.
Subscribe to get access to more posts like these!
Join Newton's newsletter to receive our blogs, templates, and the latest information right in your inbox. You can unsubscribe at any time.
The prevalence of corporate misconduct evidence is alarming, led by numerous high-profile scandals, to name a few: the Italian Parmalat to cover losses, Enron's debt to fabricate earnings, the Ponzi scheme of the investor Bernie Madoff, Wells Fargo's cross-selling fraudulent accounts, Volkswagen's deceptive emission levels, Wirecard fraudulent financial reporting, Samsung's legal violations, widespread bribery at Petrobras that damaged both the government and the economy of Brazil, Boeing's epic compliance failures. They all demonstrate how a corrupt culture pervades an entire organization. The recent Silicon Valley Bank collapse (check out our article) is the new update of these countless collections.
Despite making great headlines, these incidents demonstrate how a corrupt culture can permeate an entire organization. While one may be inclined to think of these as stories about single bad actors, they lay bare corporate failures to prevent, detect, and discipline at an institutional level.
Nearly half of all fraud cases go unreported to the public. GDPR enforcement in 2021/2022 saw landmark cases, including a record fine of €743 million. Additionally, according to EY's 2016 Global Fraud Survey, 42% of the 3,000 executives surveyed believed that unethical behaviour was justifiable to meet financial targets, and 38% of respondents stated that bribery/corrupt practices occur widely in business in their country.
These findings indicate that unethical practices continue to exist within private companies. To prevent white-collar crime, corruption, and other missteps, businesses must prioritize compliance and integrity from the top down. While compliance and legal departments work hard on these issues, it's not solely their responsibility. All members of an organization, including contractors, need to understand the importance of compliance. A proactive approach must originate from the C-suite to have a genuine impact. This article outlines why creating a compliance culture is crucial and offers practical advice on how executives can effectively implement it.
In this article, we will cover the following:
- Creating a culture of compliance
- Narrow down your compliance frameworks
- Ongoing risk assessment
- Governance and Compliance by Design
- Adopt engaging policy
- Strive for compliance success: communication, individual contribution, and data analysis
- Taking action on misconduct
- Adopting Newton for your governance
- Extra: Tracing the path that led to our current situation*
Creating a culture of compliance
Narrow down your compliance frameworks
It is extremely important to thoroughly understand the rules and regulations that apply to your industry and location. This knowledge will help you identify the specific obligations your business must fulfill for each code and create a plan to meet those requirements. Companies are often subject to multiple and overlapping regulations, which can make compliance a complex and challenging task. Therefore, it is essential to consider all relevant aspects, including but not limited to:
- Financial compliance refers to meeting the rules and regulations of your industry, nation, and other regulatory bodies to ensure you fully comply with financial regulations.
- IT and data compliance is relatively new but crucial, and businesses must ensure that they comply with the rules and regulations of the industry for cybersecurity and data management.
- Health and safety compliance involves ensuring that your physical workplace is safe and secure and following the national guidelines on safety practices, evacuation escape routes, and other related areas.
- Legal compliance involves abiding by legally binding contracts and agreements, seeking the advice of a qualified legal professional to ensure fairness and appropriateness like employment law or tax law.
- ESG responsibility is a set of standards that investors, consumers, and other stakeholders use to evaluate a company's social and environmental performance. Companies are expected to take proactive measures to reduce their carbon footprint, reduce waste, and use sustainable practices.
Ongoing risk assessment
A successful business must prioritize risk management with practices to identify, own, manage, and mitigate ethics and compliance risks. Risk assessments are a compliance program's foundation and starting point and must be unique to the organization's industry, history, maturity, and marketplace. It plays a crucial role in enterprise risk management, providing critical information to management and the board to avoid severe business disruption and loss.
The program establishes a shared responsibility for risk management, where leaders assume ownership for identifying and mitigating risks relevant to their areas. The compliance program must stay attuned to the most severe risks as they change over time to support this effort. Therefore, ongoing risk assessments are critical as they serve as an early warning system for current and emerging issues.
Check out an exciting conversation about risk assessment in complex industries between Nomsa Hoohlo, an anti-financial crime compliance and risk management expert, and Kudzai Chaka, a compliance risk management expert with tracked experience in JPMorgan and Barclays, among others.
From key risks identification to mitigation
After identifying and prioritizing risks, the usual approach involves creating policies to prevent and minimize the identified risks. Employees are given targeted training to prevent potential threats and are equipped to respond in the event of an incident. Additionally, the compliance program ensures employees can easily access the necessary information to reduce risks. Any failures, breaches, or near-misses are considered part of the organization's early warning system, and these events are continuously monitored to gain insights that could prevent future occurrences.
Merges and Acquisitions risks
The compliance program is critical beyond internal operations by encompassing diligence processes for vetting and integrating third-party entities. Additionally, the program includes explicit processes for the integration period following an acquisition, including testing and monitoring to confirm the timely integration of new entities. A well-structured compliance program is particularly crucial for investors interested in acquiring a business, as it provides them with the necessary assurance that the company is compliant with regulatory standards and ethical practices. At the same time, integrating acquired businesses is necessary to ensure that the organization operates as a cohesive entity.
Governance and Compliance by Design
Governance and compliance are closely intertwined and mutually reinforcing elements within an organization. Governance refers to the overall framework of rules, practices, and processes that guide decision-making and ensure accountability at all levels. Compliance, on the other hand, pertains to the adherence to laws, regulations, and internal policies.
An effective governance structure establishes the framework for compliance by defining the responsibilities, roles, and expectations of individuals within the organization. It sets the tone for ethical behavior, risk management, and transparency. Compliance, in turn, ensures that the established governance principles and guidelines are followed.
To understand this approach better, we suggest the work of Lisa Welchman, a pioneer in this topic and author of Managing Chaos: Digital Governance by Design. In her book, she gives a set of rules for considering governance at scale, substance, and ownership about strategy, policies, and standards in ways that meet ethical company standards.
Examples of Governance by Design
- Involve automatically applying retention policies for managing data throughout its lifecycle, including data collection, storage, use, sharing, and disposal. This ensures that data is handled in a secure and compliant manner.
- Applying security policies to restrict sharing of sensitive information ensures that only authorized users can access sensitive information. It can include role-based access controls, multi-factor authentication, and data encryption in transit and at rest.
- Setting up a change management process that includes a formal review and approval process for all changes to the design system. It ensures that any changes are carefully considered and vetted before being implemented.
- Launching business process workflows without user intervention, for example, automatic invoicing and payment processing.
By including these policies in the system's design and configuration, the burden of understanding and adhering to policies no longer lies with end users. This ensures that policies are working in the background, allowing users to focus on their job while maintaining compliance with governance policies.
Implement nudges and gamification
A nudge is a way of reframing a problem or question that individuals ultimately need to make. It's a handy concept worth digging into with Richard Thaler and Cass Sunstein's book Nudge while gamified policies through design, rewards, and sharing best practices increase a culture of compliance and accountability.
- Opt-out decision: in a policy program aimed at improving cybersecurity, a nudge could be to use default options that prioritize security, like the highest level of security features preset, and users would need to explicitly opt-out if they prefer a lower level of security. Research has shown that automated decisions increase optimal behavior by taking advantage of individuals' inertia and tendency to stick with default options.
- Personalization: a nudge could be to use personalized reminders, such as sending reminders of upcoming deadlines, highlighting the benefits of compliance, and providing information on the potential penalties for non-compliance.
- Gamification-design: a company could implement a gamified campaign that educates employees about data privacy best practices, such as handling personal data securely, obtaining proper consent, and reporting data breaches. Employees could earn points or rewards for completing data privacy tasks, passing quizzes, or identifying potential data privacy risks. For example, sharing the percentage of colleagues that already accomplished a task increases a sense of urgency and positive competition.
Therefore, it's crucial to thoroughly research and test nudges to ensure their effectiveness in achieving the desired policy outcomes while considering the ethical implications and potential unintended consequences.
Adopt engaging policy
Policy creation's playbook
- Clarify the purpose. Ensuring everyone understands the policy's purpose is essential to foster trust between you and your employees. Clearly explain the policy's necessity and its value to your company. Once the goal is established, ensure the policy's content is well-structured, dividing it into themes, procedures, and role-oriented information.
- Avoid technical language. Policies serve as internal documents that employees must understand (simple and multilingual) to ensure that company operations are carried out consistently and competently. However, policies also have an external function in the event of controls, such as audits or potential investigations by regulatory authorities. As such, policies must be crafted with a level of legal sophistication that meets the requirements of relevant laws and regulations to ensure that the company is adequately protected and prepared for any external scrutiny.
- Use real-life examples. Using real-life examples tailored to your company's day-to-day work, explain acceptable and unacceptable behavior in the workplace and address real risks.
- Define the policy's scope. Clearly define which employees must comply with the policy and which are not. If any person or group is excluded, ensure it is precisely defined to avoid misunderstandings in the future. Ensure that only relevant employees are asked to read the policy.
- Define and communicate consequences. Policies must clearly define the consequences of non-compliance for employees to be effective. Explain how employees should act if they see internal violations occurring.
- Focus on regulatory cores. Regulatory cores are concrete instructions that describe permissible actions or obligations. They can be categorized as authorization, command, exemption, and rights.
- Avoid restrictions. Avoid negative language and harsh restrictions. Instead, formulate policies as positive expectations, showing employees you trust them. Policies should highlight possibilities, stating what employees can do rather than what they cannot do.
- Revise policies to meet future needs. The fast-changing regulations, especially regarding privacy and security, require the creation of policies flexible enough to address present and future needs and implement a review culture to ensure that they are still relevant and effective. In this process, stakeholders' involvement ensures that the policies reflect the needs of the entire organization, not just one Department or group.
- Consistency. Different departments may use their solutions or free services, making it difficult to manage content and enforce consistent policies. The complexity in such an environment increase and become fragmented and stored in multiple cloud repositories. To address this challenge, companies should adopt a cloud content management system, like Newton, that can work with all their applications, reducing the number of repositories and the need for policy applications. Policies must consider three key factors:
- Data policies should limit access to personal data and clearly define its intended use.
- Exceptions should be made for legal holds, with policies that can interrupt automated content lifecycles in case of litigation.
- Policies should comply with newer regulations that require content deletion when no longer necessary, as keeping records for too long can be just as risky as deleting them too soon.
Simplify and categorize policies
As a rule of thumb, reducing the number of polices to fewer than 100 and moving towards a big bucket approach helps track their effectiveness better.
It's important to note that compliance requirements can vary greatly depending on the industry, jurisdiction, and specific applicable regulations. Therefore, the policies related to reducing and categorizing compliance requirements will also vary depending on the circumstances. Here are some suggestions for categorizing and benefits:
- Data retention policy: A company must reduce the amount of data it retains to only what is necessary for legal or business purposes. This can help reduce compliance requirements related to data protection and privacy regulations.
- Employee training policy: A company may consolidate its compliance training requirements for employees by conducting one annual training session instead of requiring multiple pieces of training throughout the year. However, it is important to note that certain regulations require specific training paths, and employees must demonstrate their compliance through training certificates that are clear and pertinent to the specific topic. For example, annual GDPR training may be necessary. Therefore, while grouping the training sessions may be practical, it is still necessary to provide different training paths to ensure that all compliance requirements are met.
- Vendor management policy: A company may reduce vendor compliance requirements by only working with vendors who have already demonstrated compliance with relevant regulations.
User-friendly and friction-free system
Effective governance and compliance require strict policies and guidelines and a user-friendly system that only creates a little friction. If the system is too complicated and slows down productivity, employees may seek out unauthorized methods, putting security and control at risk. This is a common problem, as executives, doctors, engineers, and others may find the system too cumbersome and opt for a quicker solution to meet their needs, potentially resulting in devastating consequences.
Stanford University' studies have shown that almost 90% of cyber-attacks are caused by human error or behaviour. To prevent this, compliance policies must strike a balance between security and ease of use, including appropriate guardrails that keep employees within policy boundaries.
These guardrails can also send notifications if someone accidentally steps outside the policy to protect content from leaving the system.
Strive for compliance success: communication, individual contribution, and data analysis
Compliance centrality to business strategy
Ensuring that everyone follows the rules is best achieved when leaders set a good example. Therefore, it's crucial for initiatives to come from high-level executives like the CIO (chief innovation officer), CCO (chief compliance officer), or CMO (chief marketing officer) or key figures like the head of legal or head of operations with the proper budget allocated for initiatives.
Good practices kick off projects with 90min meetings where all stakeholders are involved. If the round table shows up just the marketing or the IT team, we know there is an issue, stated Lisa Welchman. Digital, by its own nature, is a set of silos and an operational plan or externals can close the gap in the organization.
When it is clear that compliance is essential and that everyone has a responsibility to uphold it, the company might initiate senior management or legal department updates, newsletters, intranet, confidential hotlines or even consider having a compliance week each year where open communication and metrics are the baselines to evaluate policy success and mistakes and audit results related to priority compliance areas such as workplace safety, product safety, anti-corruption, financial controls, conflicts of interest, and so on.
The Role of the Board of Directors
The board of directors is knowledgeable about the impact of the compliance program. Accordingly, it actively monitors its implementation across the business through various leading practices, such as seeking and receiving comprehensive information about the organization's program, maintaining regular contact with the program stakeholders and their team, receiving regularly scheduled briefings on risk assessment processes and metrics, recruiting and retaining board members with compliance tracked expertise, and receiving periodic training tailored to their responsibilities as board members and any particular issues of relevance.
Use of surveys, a starting point for a compliance culture's shift
Gathering feedback internally and externally can provide insights into how well the governance policies are working and where improvements can be made. Anonymous feedback fosters a speak-up culture allowing employees to feel comfortable raising issues and reporting violations without fearing retaliation. Set the right expectation to implement and evaluate changes in 3-6 months in small companies to 12-18 months in larger ones. Some decisions can be challenged with satisfaction scores (net promoter score or similar), where contributors, users, and departments rate and provide feedback about new policies.
However, relying solely on surveys may yield flawed results due to self-reporting and self-selection biases. Employees who have witnessed unethical behaviour may hesitate to report it, leading to skewed results representing only part of the workforce.
Furthermore, senior employees or those involved in misconduct may be less likely to participate in such surveys, contributing to biased data. Therefore, it is crucial to acknowledge the presence of bias in the collected data when interpreting metrics.
As we love bootstrapped companies, we suggest Tally (we do not have an affiliate program) as they have many templates you can customize and make this process faster and for free or test out other widely known design-centered tools like Typeform. Make sure to comply with your security and storage policies.
Tracking compliance effectiveness with key KPIs
Deloitte and Compliance Week reported that just 70% of companies attempt to measure the efficiency of their compliance programs. Among those that do, only one-third feel confident or very confident about utilizing the right metrics.
Individual, Legal Department or company-wide success metrics can be established to measure the effectiveness of compliance training. However, there are better approaches than measuring success based on completion rates or training hours. While completion rates may be significant to track for other purposes, the effectiveness of the compliance program must be directly linked to a specific outcome, such as:
- Employees' comprehension of policies and procedures
- Acquisition of relevant skills to address anticipated scenarios or a change in behavior
- Percentage of employees who are following the governance policies
- Number of active employees on company channels where discussion happens
- Number of external contributions (this measures adoption and engagement)
- Hotline or other compliance initiative effectiveness on adoption, usage, and type of requests
- Time and resources required to implement and enforce governance policies
- The time it takes to identify and resolve incidents related to governance compliance can help identify areas where the guidelines may need to be updated or improved
- Number of open tasks on compliance
- Changes in the amount of time required to perform QA
- Measure risk reduction on non-compliance with regulations, data breaches, or other incidents that could harm the organization's reputation or financial stability
- Using independent and reliable auditors to assess the organization's compliance policies
- Percentage of internal audits completed
Implementing SMART Employee Performance Management
Discussing how each individual can contribute to the effort. Establishing and sharing SMART compliance objectives with the entire team is also essential. Doing so, can establish a culture where compliance is valued and everyone takes it seriously.
Here is an example of how to set up a SMART outcome related to data privacy:
- Specific: Reduce the number of customer complaints related to data privacy by 50% in the next quarter.
- Measurable: Track the number of customer complaints about data privacy and compare it to the previous quarter's data.
- Achievable: Implement new policies and training programs to improve data privacy practices, which have been proven effective in similar organizations.
- Relevant: Data privacy is a critical concern for our organization, and addressing customer complaints will help us maintain our reputation and avoid legal or financial consequences.
- Time-bound: The outcome will be achieved within the next quarter, with progress updates provided monthly.
Build multivariate regression analysis
Regression models allow an investigator to examine the impact of one variable while holding the others constant. Designing appropriate regression models takes time and experience (here is an in-depth guide), but it is the most reliable way to know whether to be reassured by or concerned about shifts for:
- Training effectiveness a regression model can help firms understand the link between training sessions and changes in employee behaviour. By controlling for the other factors that may contribute to policy violations, to test whether the individuals who undergo training become more or less inclined to break the rules.
- Employee expense reports for suspicious activity patterns to flag employees who consistently submit expenses that fall just below the threshold requiring manager approval or who always submit receipts at the maximum allowed amount.
- Analyze procurement data for signs of non-compliance, such as bid-rigging, price-fixing, or collusion among vendors. A regression model could identify unusual bidding patterns or suppliers that consistently win contracts even though their prices are significantly higher than those of competitors.
- Anti-money laundering in financial institutions to analyze customer transactions for signs of money laundering. A model could flag accounts with high volumes of cash deposits or withdrawals, transactions with counterparties in high-risk jurisdictions, or unusual activity patterns that may indicate attempts to conceal the source of funds.
- Insider trading One way to identify potential insider trading cases is by analyzing trading data. This involves looking for patterns in trades made by employees or executives before major corporate events, such as mergers or acquisitions, are announced. However, it's important to note that laws on an international level typically prohibit certain individuals from trading with company shares when they have knowledge of forthcoming operations. Companies often have internal policies and procedures to prevent non-compliance with the law. If executives buy shares when they are not allowed to, it is a serious breach of the law and can only be investigated by the authorities. Companies typically rely on written declarations from employees, executives, and shareholders to ensure compliance with regulations.
- Fraud detection analyzes data from multiple sources to detect patterns of behaviour that may indicate fraud. For example, a model could identify employees who frequently access sensitive data outside regular business hours or consistently submit false or misleading information on expense reports or timesheets.
Taking action on misconduct
The compliance program is committed to acknowledging and addressing misconduct within the organization. They conduct investigations of alleged wrongdoing in a timely, neutral, thorough, competent, and consistent manner. The program ensures that appropriate consequences are given to violators, regardless of their level or organizational status. This approach complies with EU Directive 1937/2019 and the whistleblowing procedure, which is mandatory in the EU.
The program aims to learn from every substantiated case and communicate the importance of integrity to employees. The organization is transparent in disclosing issues to regulatory and government authorities and works cooperatively to address their concerns.
Considering the fast-paced digital age, the program includes well-developed systems for escalating issues, chronic crisis management, and response testing. The organization is committed to making decisions based on its values, even during crises.
Although many companies view compliance as legal, it is more related to behavioral science. Managers must experiment and test their compliance programs to achieve a genuine impact. Codes of conduct must contain policies fundamental to a company's success, and legal support must not only record reports of misconduct but also help employees navigate difficult situations before making a misstep. To effectively reduce improper behavior, firms must develop better measures of effectiveness and adopt innovative and ambitious programs. With the numerous and complicated regulations governing businesses today, relying on a one-size-fits-all metric to determine compliance program success is unrealistic. Instead, successful compliance engineering needs creativity, experimentation, and careful model design to measure outcomes effectively.
A good compliance program can be summarized as a three-part approach. Firstly, it involves implementing policies and providing training to prevent non-compliance. Secondly, it requires finding ways to stay informed about what is happening within the company, such as establishing whistleblower programs. Finally, it involves managing any wrongdoing that does occur by finding solutions internally or, if necessary, reporting to the relevant authorities. The specific course of action taken will depend on the nature and severity of the non-compliance.
Adopting Newton for your governance
Newton delivers an easy and intuitive platform to manage and automate your legal entities' information, governance, and compliance. If your entity management processes have an essential role in the sustainability and performance of your business (which they do for most), be sure to get in touch to explore how Newton can help you have everything you need to be in control of your entity portfolio.
But that's not all. By partnering with Newton, businesses can establish internal compliance policies that cover a more comprehensive range of issues related to their dealings with customers and suppliers.
So if you're looking to help your business stay ahead of the curve regarding compliance and legal support, chat with our team about partnering with Newton today.
If you’re finding this newsletter valuable, share it with a friend, and consider subscribing if you haven’t already. You can unsubscribe at any time.
Extra: Tracing the path that led to our current situation*
Compliance programs began in the US in the 1970s and 1980s to respond to corporate scandals. Industry groups adopted internal policies and procedures to report and prevent misconduct, which helped to assuage legislators who had sought to regulate and penalize firms for dishonest practices. In 1991, the US Sentencing Commission amended its guidelines and offered firms reduced fines if they could demonstrate an "effective compliance program."
Other civil regulators, including the Securities and Exchange Commission, adopted this carrot-and-stick approach to compliance.
An industry quickly sprouted to provide compliance training programs, hotlines for whistleblowers, and risk assessments. Today, compliance programs are viewed as protection against worst-case scenarios, and employees are asked to sign lengthy codes of conduct and sit through training programs. However, even at firms spending millions of dollars annually on their programs, compliance often needs more substance. The DOJ (USA's Department of Justice) recognized that firms might be creating all the components of compliance programs but producing hollow facades.
The DOJ, in its 2008 update to the Principles of Federal Prosecution of Business Organizations explicitly instructs prosecutors to evaluate whether a company's compliance program is just for show or if it's been adequately developed, put into practice, considered, and improved as needed. In the same year, Siemens was fined $800 million by US authorities in a case where the prosecution highlighted the deficiencies of Siemens' compliance program as merely existing on paper.
A similar example of lack of program effectiveness happened when the DOJ in 2012 brought criminal charges against Morgan Stanley employee Garth Peterson, based in Singapore, for a real estate enrichment scheme and bribing a Chinese government official.
Despite receiving seven compliance training sessions and 35 related reminders to avoid such conduct, Peterson engaged in illegal activity. He stated that he viewed the compliance initiatives as pro forma and that people often deleted emails or checked boxes indicating compliance without actually listening or following through on the training.
The point is that policies are not effective if employees do not commit a crime, but if the company is the first to become aware of the crime committed inside the company and is allowed to take remedial action before the crime responsibility extends to the company or, worst case, lead to bankruptcy or similar disruptive event.
Evaluating a program required considerable time and expertise, which was challenging. In response, in 2017, the DOJ publicly released a document titled "Evaluation of Corporate Compliance Programs," which included a list of questions for prosecutors to consider when assessing compliance programs.
The compliance and risk survey (2016) conducted by Deloitte and Compliance Week showed how the prevailing method for measuring training effectiveness is to track completion rates and consider the training successful if a sufficient number of employees say 90% or 95%, complete it. However, this approach needs to take into account the quality of the training content, how relevant and beneficial it is, or its actual effectiveness, and how much employees retain and apply what they have learned.
Companies tend to use completion rates as a measure of success not because it has been proven effective but rather to fulfill regulatory requirements. For example, although some firms provide their employees with effective training on following rules, many others mistakenly believe their training is satisfactory simply because it has been completed. One of the reasons why companies continue to invest in compliance is that they need more appropriate measures to determine the effectiveness of their compliance efforts.
As a result, many companies equate strengthening compliance with hiring more managers, purchasing more software, and creating more policies, even when those actions are redundant, wasteful, or ineffective.
To avoid a process of tick-box exercise, the Principles and Practices of High-Quality Ethics & Compliance Programs (E&C program) report, released by the ECI's Blue Ribbon Panel in 2016, has become a benchmark for effective E&C program construction. The report focuses on five critical principles of a high-quality program and recommends techniques for practitioners to use when building out their own. These principles provide the standard framework for the development of an E&C program, and it was endorsed by the US Department of Justice (DOJ) in its 2020 guidelines for Federal prosecutors on evaluating the effectiveness of corporate compliance programs, setting the standard for all E&C programs, whether or not your company operate in the United States.
*This section is a summary with our integration and updates of an interesting article from Harvard Business Review. Written by Hui Chen, formerly the compliance expert at the U.S. Department of Justice, is an ethics and compliance consultant to government regulators and companies worldwide, and Eugene Soltes, Professor at Harvard Business School, where his research focuses on corporate misconduct. It gives an understanding of why compliance programs have been and keep being a tick-mark exercise and make the reader more conscious of the suggestions to achieve the best-in-class compliance programs.
About this article
Business Review (2018). Why Compliance Programs Fail—and How to Fix Them
Reangle (2020). Governance by design: Building successful design systems
Zeroheight (2022). Governance is a design system’s friend
International Compliance Association (2019). 10 ways to instill a culture of compliance
Kyung-Min Lee (2009). Application of multivariate statistics in a risk-based approach to regulatory compliance
ECI (2016). Principles and Practices of High Quality Ethics & Compliance Programs
EY (2019). How to drive the future of compliance, with integrity in the spotlight
Department of Justice (2020). Crime & Corruption
Jeff Hancock and Tessian (2020). Psychology of Human Error
Caitlin Handron, Nitish Upadhyaya, Scott Young (2023). Five insights and actions to enhance compliance programs
Christner, R. (2017, March 9). Chance encounter leads to concert by KC country pair. The Hutchinson News, n/a.
Lisa Welchman (2015). Managing Chaos
Andrew Hayward and Tony Osborn (2019). The business guide to effective compliance and ethics