Today’s society is filled with different terms and definitions which are multi-faceted and difficult to explain in an understandable way. This is true especially in working life where different words pop up in the daily conversation, but do people really
- know how to explain them
- understand them in the same way?
I do not think so – that is the reason why I wanted to take a stab in explaining ‘compliance’ in a way that even the average Joe can relate to.
The Cambridge Dictionary defines compliance as follows: ‘the act of obeying an order, rule, or request’. Wikipedia states that ‘In general, compliance means conforming to a rule, such as a specification, policy, standard or law.’ Yes, you can get a sense of the meaning, but it is difficult to translate the meaning to practice, to something touching your daily life either at work or at home.
You would think that people working in compliance management would know, but it is surprising how narrow or restricted their view on the definition is – their view naturally is limited to how it manifests itself in their daily work. They talk about ‘regulatory compliance’, ‘integrated risk management’, ‘GRC’ or ‘quality management’ without realizing that they all equal compliance.
I am a newbie myself in the compliance management business – I stumbled into compliance the first time a few years ago and now work in a start-up company developing better tools and solutions for those who work in the field of compliance management. I have always wanted to really understand the business I am in, and that is why I have really wanted to find a way to explain the meaning of word ‘compliance’ when somebody asks me to do that. I actually had to do that when hiring two new technical team members that have not worked in the field of compliance before.
My first explanation of compliance was a combination of four base elements:
- Organization has a way of working they need to follow. The reason for that way of working, a process, may come from outside pressure (regulation, legislation, standardization etc.) or internal motivation (we feel that this is the most effective process for us).
- The organization needs to effectively train the personnel to follow that process and have evidence that the training took place.
- The organization needs a system or tools that help in following that process.
- The organization needs to have proof, evidence that they have followed the process.
But, I was not satisfied for that – it is vague, does not offer concrete examples etc. I decided to not to think about the definition too much, but it kept haunting me. Then I read the book The Grey Zone by Michael Ahlberg and Anna Romberg which had this wheel of a well-planned compliance program with the following components:
- Risk assessment
- Policies and Procedures
- Training and Communication
- Speak-Up and Investigations
- Disciplinary and Corrective Actions
- Third Parties
That gave me an idea – what if I translate these into something that everyone can understand, a family life? This is my new explanation of compliance, using curfew rules as the example:
- You know your kids and the friends they hang out – the risk that they do not come home early enough to handle all their responsibilities (chores, homework, hobbies etc.) is evident. Without curfew, there is a risk of them not succeeding in school, dropping out from hobbies etc. – you do your family risk assessment.
- You need to have an organization in the family – who is the boss making sure that the family functions etc. – you clearly define the compliance organization of the family.
- Based on the risks identified, you need to implement a policy for curfew containing times for school nights & weekends and you post it on the fridge door or some modern digital platform that are used today – you document a policy (i.e. curfew rules) for the kids.
- The kids need to understand the rules – you communicate and train the policy to them.
- Complying with the rules needs to take place. If kids come home when the parents are not at home, you report compliance e.g. in WhatsApp – you provide evidence of compliance.
- If you have more than one kid, siblings have a whistleblowing channel via which they can announce breaches in compliance and those breaches are investigated and analyzed – you provide speak-up and investigations framework(in this case without a guarantee of anonymity though…).
- If there are deviations for complying with the rules, there are consequences (i.e. losing allowance for a period of time, losing other privileges) – you apply disciplinary and corrective actions.
- There may be third parties involved (grandparents watching kids etc.) and those parties need to follow the same policy and guidelines – you manage your 3rd parties.
- You periodically go through how the rules have been followed and perhaps loosen up the rules or modify them as the operating environment changes – you ensure reporting channel for both direction & change management.
So, if someone tells you that compliance does not affect them and it is hard to understand the meaning of compliance, you can correct them with this ordinary life example.