Changing the Compliance Culture - Leadership Series
Rutherford's Leadership Series is a series of interviews with key players within the compliance, financial crime, legal and cyber security sectors. These informal conversations will serve as an opportunity for professionals to get insights on the trending topics and challenges within their field and learn from high profile individuals with impressive track records.
Culture is increasingly becoming a hot topic within the compliance world: in the past few years, firms that have been under fire by regulators have commonly had culture pointed out as point of failure. As Chief Compliance Officer, what can you do to effectively change a culture when joining a new firm - especially when there has been no intervention or pressure from regulators? In our next Leadership Series instalment, we discuss with David Young, a senior risk, compliance and governance specialist, how to effectively change a compliance culture when joining a new firm.
Through your work as a consultant, you have seen situations where firms had to change their culture from a compliance perspective. Are there any tools or options available for Compliance Officers to efficiently implement this type of change?
There are some basic tools that you can use. It is of course helpful if there has been regulatory pressure or even regulator intervention, because that gives a firm some very clear external powerful signals about why it needs to change. It is more difficult though when there hasn’t been any external intervention: in this instance, you have to carry that message internally.
What can you do in such a situation?
There is a lot of wreckage you can point to, historically, of the firms that have fallen foul of the regulators - where culture is commonly pointed to as a point of failure.
As a starting point, I think one very important tool is making sure there is a clearly articulated three lines of defence that is accepted from the Board downwards. This will lead you to things like articulating a clear compliance framework. You need to make sure this is not just being written down on a piece of paper: you actually need it to be discussed, accepted and approved. Once you have that, everything from policy creation down should flow from there.
Surely, the introduction of SMCR must have changed the way firms address compliance culture?
People have really begun to understand where accountability for compliance lies. While SMCR does affect the CCO, I believe it is very much going to affect the whole concept of where ownership for compliance lies. Accountabilities are documented, and members of the executive know that they are accountable for making sure that the functions they manage comply with the regulatory obligations, as far as those obligations apply to those firms. You have got to be careful.
Hence why you should start with those informed three lines of defence.
Exactly. It is fundamentally important that when you first join a firm, you understand its current culture in order to create appropriate lines of defence. You need to understand what the business is, how it is run, how it operates, what its strategies are. You must meet the executive members and, in some cases, their immediate subordinates.
You must spend some time with the team you’re inheriting and start building a relationship with them. After all, you can’t spend your first week talking to the executive and ignoring your staff: it’s a balance between both.
You also need to spend some time gathering core documentation that is going to help you understand where the business is and what challenges it is facing - whether they are strategic challenges, challenges in terms of the business plan, regulatory issues and so on. You should absorb all of this documentation, all while seeking to meet members of the Board for broader understanding of the firm.
So going back to this overall process of getting to know a business - is it an informal thing, or is it something that you subscribe to? Could you perhaps have a grace period for a Compliance Officer of let’s say 12 months whereupon they are given the time to properly embed themselves and understand the business and start implementing changes? And what if there are regulatory issues or reporting failings or any other skeleton in the closet, at what point does it become under your watch?
If you look at it from the FCA point of view, there is no grace period, full stop. They will understand, just like the executive of the board - that there is a learning process to go through and that you need to have the space to undertake the said learning process. But you have to keep in mind that it is all about prioritizing. If the world is on fire when you walk through the door, you don’t ignore the fire and go on a handshaking tour of the business. You start by dealing with the issue.
A clear example of that was when I had just joined a firm when the EU referendum took place. Within two weeks of joining, we were into the immediate post-Brexit vote crisis in real estate. The firm hadn’t done anything wrong at all, but it was still a crisis to deal with immediately.
Meaning the road map changed?
Yes - the sequence meeting, the handshaking tour, it somewhat changed and was spread over a longer period of time. In cases like these, you must be flexible and adapt your game plan.
Rutherford is a boutique search firm located in London. Our consultants are the executive specialists in compliance recruitment, and also in financial crime, legal and cyber security, all within the financial and professional services sectors in the United Kingdom and New York. We use our carefully curated relationships, networks and market knowledge to find the best fit for the clients in hand. We work with a wide range of clients, spanning from advisors, management consultants, corporate and commercial banks, brokers, exchanges, MTFs and financial tech, through to global investment managers, hedge funds, private equity firms, investment banks and technology firms. We began as a compliance recruitment firm in London and expanded to offer new resourcing expertise across legal and cyber recruitment. We have been a leading legal and compliance search agency in London for a decade and are excited about bringing our expanded offering into the technology area.