“Culture of Compliance”: is this statement one or two concepts for risk managers?
I should have put this posting up sooner so that it would add some context to some of the comments
that I have posted and will be posting. When I read risk management oversight charters or the more
commonly used ‘culture of compliance,’ I view these as two distinct concepts. The first concept is the
culture, or the people working for an organization. The second concept is being compliant with the systems,
policies and procedures that are in place. Compliance, in my view, is simply being compliant with the
process, and is separate from the culture, which is the people aspect of risk management.
By separating the culture of compliance into people and process, the people aspect can be viewed
as how the people are being led, as in the corporate culture to be compliant, which is separate from the
risk management process in place. All the leadership best practices and theories can then be brought in
to help with the people culture of the organization, such as the theory that the tone for compliance is
set from the top of any organization.
I’ve experienced this separation first-hand recently, which has highlighted why risk managers need to
separate out and focus on the people culture, apart from the policies and procedures. In my experience, in
the same location under the same risk management system, leadership has been divergent on the
cultural aspect. The divergence has ranged from fully embracing and displaying a true culture of
risk management to the other end of the spectrum, with a do-whatever, not-really-caring attitude. The
nonchalant end of the spectrum would not instill a culture to be compliant.
Hopefully, my stating that I believe in separating the culture of compliance into people and process helps
with the postings that I’ve made and will be making. What are your thoughts or comments? Please let
me know.