Categories
Innovation in Compliance

Innovation in Compliance: Rethinking SpeakUp: UX, Trust, and AI in Whistleblowing and Investigations with Tim Morss

Innovation comes in many areas, and compliance professionals need to not only be ready for it but also embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. In this episode,  host Tom visits with Tim Morss, CEO at SpeakUp, about the evolution of speak-up systems from the employee perspective.

Morss describes his background in compliance technology and SpeakUp’s global footprint, emphasizing that employee expectations favor frictionless, mobile-first, intuitive reporting with transparency and feedback over 800-number hotlines and complex forms. He notes common program gaps: hard-to-find reporting channels, poor mobile experiences, overreliance on telephony (especially problematic for non-English speakers), insufficient guidance on what to report, and weak trust due to lack of follow-up and perceived inaction. They consider generational preferences, privacy-aware deployment, such as QR code placement, and AI use cases such as multilingual voice intake for illiterate supply-chain workers, while cautioning against unsafe AI practices and autonomous decision-making. Morss highlights investigative management as a major opportunity beyond basic case repositories and forecasts greater AI-driven integration with in-house systems amid geopolitical and regulatory divergence.

Key highlights:

  • Employee Expectations Shift
  • Common SpeakUp Mistakes
  • Trust and Anti-Retaliation
  • Gen Z Reporting Channels
  • AI Voice for Workers
  • One Practical CCO Tip

Resources:

Connect with Tim Morss on LinkedIn

SpeakUp

Innovation in Compliance was recently honored as the Number 4 podcast in Risk Management by 1,000,000 Podcasts

Categories
Blog

AI Governance and Speak-Up Culture: The Earliest Warning System May Already Be in Your Workforce

There is a hard truth about AI governance that too many companies are still avoiding: the first people to spot an AI problem are usually not board members, not senior executives, and not even the governance committee. It is the employee using the tool, reviewing the output, dealing with the customer, watching the workflow break down, or seeing the machine produce something that feels off. That is why AI governance is not only about policies, models, controls, and oversight structures. It is also about culture. More specifically, it is about a culture of speaking up.

If employees see an AI tool making questionable recommendations, generating inaccurate summaries, mishandling sensitive information, producing biased outcomes, or being used beyond its approved purpose, do they know that this is a reportable issue? Do they know where to raise it? Do they believe someone will listen? Do they trust that raising a concern will help rather than harm their career? Those are not soft questions. They are governance questions.

In anti-corruption compliance, we have long since learned that hotlines, reporting channels, and anti-retaliation protections are not mere ethical ornaments. They are detection mechanisms. They are how organizations surface risks before they become scandals. AI governance now needs the same mindset. If your employees are your earliest warning system, then your speak-up culture may be one of your most important AI controls.

Why Employees See AI Failures First

AI rarely fails in the abstract. It fails in use. A board deck may describe a tool in elegant terms. A vendor demo may look polished. A pilot may be carefully supervised. But once a system enters daily operations, it interacts with real people, real data, real pressures, and real shortcuts. That is when the problems begin to show themselves.

An employee may notice that a tool is confidently wrong. A manager may realize that staff are over-relying on generated summaries without checking the source material. Someone in HR may see that a screening tool is producing odd results. A sales employee may notice that a customer-facing chatbot is inventing answers. A compliance analyst may find that an AI-assisted monitoring process is missing obvious red flags. A procurement professional may discover that a vendor quietly changed a feature set or data practice.

In each of those examples, the problem shows up at the point of use, not at the point of approval. That is why the old compliance lesson still applies: the people closest to the work are often closest to the risk. In AI governance, that means employees are often the first line of detection. But detection is useless if the culture tells them to keep their heads down.

The Governance Blind Spot

Many organizations are investing significant effort in AI principles, governance committees, acceptable-use policies, and risk classification. That is all important. But many of these programs have a blind spot. They are built as if AI risk will reveal itself only through formal testing, audit reviews, or leadership dashboards. It will not.

Some AI failures will surface through monitoring and controls. But many will first appear as employee discomfort, confusion, skepticism, or observation. Someone will notice that a tool is being used in a way that feels wrong. Someone will catch a factual error before it leaves the building. Someone will realize that human review is not actually happening. Someone will see mission creep. Someone will spot a gap between policy and practice.

If the governance model does not actively encourage employees to raise those concerns, the company has built an AI oversight program with one eye closed. That is a dangerous place to be because AI risk is often cumulative. A small issue ignored today becomes a larger issue tomorrow. An inaccurate output tolerated in a low-stakes setting becomes normalized in a higher-stakes one. A quietly expanded use case becomes a de facto business process. Silence is how minor flaws become systemic failures.

Speak-Up Culture as an AI Control

Let us be clear about terms. Speak-up culture is not simply a hotline number posted on the intranet. It is the set of signals an organization sends about whether employees are expected, supported, and protected when they raise concerns.

In the AI context, a healthy speak-up culture means employees understand that reporting concerns about AI outputs, use cases, data handling, or control failures is part of responsible business conduct. It means managers know that AI concerns are not “just tech issues” to be brushed aside. It means investigators and compliance teams are prepared to triage and assess AI-related reports intelligently. It means retaliation protections apply as much to someone challenging a machine-enabled workflow as they do to someone reporting bribery, harassment, or fraud.

This matters because AI can create a special kind of silence. Employees may hesitate to challenge a system that leadership has praised as innovative. They may worry that questioning the tool makes them sound resistant to change or insufficiently sophisticated. They may assume someone more senior has already validated the output. They may think, “Surely the machine knows better than I do.” That is exactly the kind of cultural dynamic compliance should distrust.

Machines do not deserve deference. Controls deserve scrutiny. A mature AI governance program, therefore, needs to treat employee reporting as a formal part of its control environment. Speak-up culture is not adjacent to AI governance. It is part of AI governance.

What CCOs Should Be Asking

If you are a Chief Compliance Officer, there are several questions you should be asking right now.

First, do employees understand that AI-related concerns are reportable? Many organizations have not made this explicit. Staff know they should report harassment, bribery, theft, and retaliation. They may not know whether to report unreliable AI output, a suspicious recommendation, a data input concern, or a business team using a tool outside its approved scope. If you have not told them, do not assume they know.

Second, are your reporting channels equipped to receive AI-related concerns? Hotline categories, case-intake forms, and triage protocols may need to be updated. If an employee reports that an AI tool is generating misleading outputs in a regulated workflow, who receives that report? Compliance? Legal? Security? IT? HR? Some combination? If ownership is unclear, reports will stall, and stalled reports teach employees not to bother.

Third, are managers trained to respond appropriately when AI concerns are raised informally? This is critical. Many concerns will not begin in a hotline. They will begin in a meeting, a hallway conversation, a team chat, or an email to a supervisor. If the manager shrugs, dismisses, or minimizes the issue, the detection system fails before it starts.

Fourth, are anti-retaliation protections being reinforced in the AI context? Employees who challenge AI use may be questioning a high-profile project, a popular vendor, or a senior executive’s initiative. That can create subtle pressure to stay quiet. Compliance should be ahead of that dynamic, not behind it.

Building an AI Speak-Up Framework

What does a practical approach look like?

The first step is to define what types of AI concerns employees should raise. Be concrete. Tell them to report suspected misuse of AI tools, outputs that appear inaccurate or biased, use of AI in sensitive decisions without proper review, input of restricted data into unapproved systems, unauthorized expansion of use cases, missing human oversight, and vendor or system changes that appear to alter risk.

The second step is to build AI examples into training and communication. Employees need realistic scenarios, not vague encouragement. Show them what an AI red flag looks like. Show them what “raising a hand” looks like. Show them where to go and what happens next.

The third step is to update the hotline and investigations protocols. Add intake categories if needed. Develop triage guidance. Decide when AI matters should be handled as compliance cases, operational incidents, model-risk issues, or cross-functional reviews. The goal is not bureaucracy. The goal is clarity.

The fourth step is to train managers as escalation points. In every effective compliance program, middle management is the translation layer between policy and daily operations. AI governance is no different. Managers need to know when a concern can be resolved locally, when it must be escalated, and when the pattern itself suggests a control problem.

The fifth step is to close the feedback loop. Employees are more likely to report concerns when they believe reporting leads to action. That does not mean revealing confidential case details. Communicating that the company takes these issues seriously, investigates them, learns from them, and improves controls as needed. Silence from management breeds silence from employees.

What to Monitor in an AI Speak-Up Program

Here is where compliance can bring its trademark discipline. Track the volume and type of AI-related concerns. Look for concentration by business unit, geography, or tool. Monitor whether concerns are coming in through formal hotlines or informal channels. Review time to triage and time to resolution. Look for patterns involving data handling, output reliability, human review failures, or scope creep. Compare the reported concerns with the company’s list of approved use cases. If you see repeated confusion or repeated exceptions, that tells you something important about your governance design.

Just as importantly, look for the absence of reporting. If your company has materially deployed AI tools and no employee has ever raised a concern, I would not automatically celebrate. I would ask whether employees know what to report, trust the channels, or believe leadership wants candor. In compliance, no reports can mean no problems. It can also mean no trust. Wise CCOs know the difference is everything.

Why This Is Good for Business

Some executives still hear “speak-up culture” and think of delay, friction, and complication. I hear something different. I hear early detection, faster correction, and better decision-making.

A workforce that feels empowered to raise AI-related concerns provides the company with a real-time sensing mechanism. It catches problems before they scale. It surfaces control failures before regulators, plaintiffs’ lawyers, journalists, or customers do. It gives management better information. It helps the board exercise real oversight. Most of all, it creates a culture where innovation is more sustainable because people are not afraid to challenge what does not look right. That is not anti-innovation. That is responsible innovation.

Compliance has always been at its best when it helps the business move fast without becoming reckless. Speak-up culture does exactly that. It does not tell employees to fear AI. It tells them to use judgment, raise concerns, and protect the enterprise when the technology does not behave as expected.

Final Thoughts

Every company deploying AI should ask itself a simple question: Who will notice first when something goes wrong? In many cases, the answer is your employees. The next question is even more important: have you built a culture where they will say something?

If the answer is uncertain, then your AI governance program has a serious weakness. You may have policies. You may have committees. You may have training modules and vendor reviews. But if employees do not feel empowered to raise a hand when they see a problem, then one of your most valuable detection controls is missing in action.

Categories
Upping Your Game

Upping Your Game: Crowd-Sourcing Risk Management Intelligence with AI

In February, the Trump Administration suspended investigations under and enforcement of the FCPA. Many compliance professionals have since wondered what this will mean for corporate compliance programs going forward. Hui Chen challenged compliance professionals with the statement, “It’s time to up your game.”

This podcast series, sponsored by Ethico and co-hosted with Ethico co-CEO Nick Gallo, hopes to meet Hui Chen’s challenge. We will discuss how compliance professionals can ‘Up Their Game’ by utilizing currently existing Generative AI (GenAI) tools to significantly enhance their compliance programs. As compliance professionals, it is critical to recognize that this moment is not merely about incremental improvements but about elevating our profession to an entirely new level of effectiveness, efficiency, and organizational value.

In this episode, hosts Tom Fox and Nick Gallo explore the revolutionary potential of AI for Speak Up Cultures by introducing risk intelligence directly into business operations. They discuss the intricacies of whistleblowing, speak-up culture, and the integral role of AI and machine learning in enhancing compliance programs. They highlight deficiencies in current systems and propose how AI can crowdsource risk intelligence at scale, improve case triage, and facilitate a collaborative environment. Key points include the importance of anonymity, efficient triage, and how AI facilitates communication with employees in their preferred settings. The discussion also explores transforming the culture of compliance into proactive risk management, ultimately driving efficiency, effectiveness, and a better corporate culture.

Key highlights:

  • Deficiencies in Whistleblowing Processes
  • Crowdsourcing Risk Intelligence
  • The Importance of Anonymity and AI in Reporting
  • Engagement and Communication Strategies
  • AI in Triage and Investigation

Resources:

Upping Your Game-How Compliance and Risk Management Move to 2030 and Beyond on Amazon.com

Nick Gallo on LinkedIn

Ethico

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
FCPA Compliance Report

FCPA Compliance Report – Revolutionizing Speak Up: Ariel D. Weindling on Enhancing Whistleblower Systems

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Today, Tom Fox welcomes back Ariel D. Weindling, founder of NotMe Solutions, a whistleblower reporting solution, to discuss innovations and strategies for enhancing speak-up cultures in organizations.

Weindling, with a background in employment law, critiques current whistleblower systems for prioritizing regulatory compliance over genuine employee engagement. He shares insights on implementing effective speak-up programs, emphasizing the importance of trust, timely resolution, and a culture of listening. Weindling also highlights key findings from over 20,000 reports through NotMe Solutions, including common issues reported and the importance of leadership in fostering a culture of speaking up.

Key highlights:

  • Challenges in Current Speak Up Cultures
  • Building Effective Compliance Programs
  • Evaluating Existing Speak Up Systems
  • The Importance of Listening in Speak Up Cultures
  • Role of Leadership in Speak Up Culture
  • Innovations in the Speak Up Space

Resources:

Ariel D. Weindling on LinkedIn

Not Me (Company)

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on the use of AI in Compliance programs, see my new book, Upping Your Game. You can purchase a copy of the book on Amazon.com

Categories
Greetings and Felicitations

Compliance Lessons from Venice – Episode 3, How the Lion’s Mouth Informs Hotlines

Welcome to a short podcast series on doing compliance with a Venetian twist. This week, we will examine three areas where Venice’s time-honored methods inform modern compliance practices. Over the next 3 episodes, we will consider going back to basics in your compliance regime, the use of incentives and consequences to drive a culture of compliance, and how the Lion’s Mouth informs your modern-day whistleblower program. In this concluding Episode 3, we look at how the historical governance of Venice informs modern compliance programs by looking at Venice’s prototype whistleblower program, the Lion’s Mouth.

In this episode, Tom highlights Venice’s early whistleblower systems, symbolized by the lion of St. Mark, and their implications for creating effective and trustworthy hotline programs. This series also offers best practices for setting up and maintaining robust hotline systems to ensure confidentiality, avoid retaliation, and comply with legal standards. You will draw valuable lessons from Venice’s rich history to enhance your organization’s compliance framework.

Key highlights:

  • Historical Context of Venice’s Whistleblower System
  • Best Practices for Hotline Reporting Systems
  • Additional Tips for Effective Hotline Implementation

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
Blog

Compliance Lessons from Venice – Part 3: Straight from the Lion’s Mouth and Whistleblower Programs

In the final part of the Compliance Lessons from Venice series, we focus on one of Venice’s earliest tools for addressing misconduct: a reporting system predating modern whistleblower programs. Known as the Lion’s Mouth, this system encouraged citizens to report wrongdoing by placing written complaints in the mouths of lion-head statues stationed around the city. The symbolism is potent: Venice’s emblematic lion acted as a protector, allowing citizens to expose corruption and misconduct while contributing to the Republic’s stability. Check out the companion podcast series on the Compliance Podcast Network.

Today, a robust whistleblower program is one of the most essential components of a best-practices compliance program. The DOJ and SEC have clarified that effective compliance programs must include reliable, confidential, and trusted internal reporting mechanisms. Venice’s Lion’s Mouth reminds the modern-day compliance professional that encouraging transparency and protecting those who speak up has been crucial for centuries. In this blog post, we will explore some best practices for modern whistleblower hotlines and reporting mechanisms, along with insights from Venice’s historical approach.

Venice’s Lion’s Mouth: An Early Whistleblower System

The Lion’s Mouth of Venice functioned as an anonymous drop box where citizens could submit grievances and report misconduct. Initially designed to offer anonymity, this system later required that the complainant’s name be included, balancing confidentiality with accountability. Citizens could report fraud, bribery, and other forms of misconduct, trusting that their submissions would be considered seriously.

The modern equivalent of this system is the whistleblower hotline, an invaluable tool for compliance departments to detect and address issues early. Companies can foster a culture of openness and accountability by enabling employees and stakeholders to report suspicious or unethical behavior without fear of retaliation. This practice is essential for organizations subject to laws like the Foreign Corrupt Practices Act (FCPA), where transparency can mean the difference between compliance and liability.

Key Elements of an Effective Whistleblower Hotline

Building an effective whistleblower system means going beyond merely setting up a hotline. It is about creating a trusted channel that employees feel safe using, knowing their concerns will be handled with discretion and integrity. Here are seven best practices to establish or enhance your whistleblower program, inspired by the Lion’s Mouth and aligned with the DOJ’s most recent guidance from the 2020 FCPA Resource Guide, 2nd edition, and the recently released 2024 Evaluation of Corporate Compliance Programs(2024 ECCP). The 2024 ECCP states, “Another hallmark of a well-designed compliance program is the existence of an efficient and trusted mechanism by which employees can anonymously or confidentially report allegations of a breach of the company’s code of conduct, company policies, or suspected or actual misconduct.”

  • External Management of the Hotline

Many organizations find that outsourcing their hotline to a third party adds a layer of impartiality and anonymity. Employees are often more comfortable reporting through an externally managed system than an internal one. An external provider typically brings specialized expertise in handling confidential reports, ensuring compliance with local laws and regulations. This neutrality encourages employees to come forward with concerns, knowing the system is transparent and managed independently.

  • Detailed Information Collection

A hotline should support collecting detailed information from the first report to the resolution stage. By maintaining a consolidated record of each complaint, compliance teams can analyze data trends across departments, locations, and types of issues reported. This visibility helps the organization proactively identify and address potential risk areas, ensuring the compliance team has a complete, chronological view of each complaint to support thorough investigations and better decision-making.

  • Compliance with Data Retention Policies

With data privacy regulations such as GDPR, it is essential to ensure that all whistleblower reports adhere to the company’s data retention and privacy policies. Hotlines should offer secure, report-only access to data, ensuring that information is stored correctly and compliant with regulatory requirements. This reduces the risk of sensitive data breaches and ensures compliance teams can retrieve reports for future audits or legal inquiries.

  • Inspiring Employee Confidence in the Hotline

A hotline will be ineffective if employees lack confidence in it. Retaliation, or the perception of it, can quickly destroy trust in a whistleblower program. Employees should feel assured that they can report concerns without fear of retaliation and that their complaints will be handled fairly and objectively. The hotline should offer privacy, allowing employees to file reports from locations outside of their immediate workplace or chain of command. These features create an environment where employees feel safe and protected when reporting misconduct.

  • Support from Subject Matter Experts

A hotline is only as effective as the follow-up on each report. Once a complaint is entered, it’s crucial to ensure that subject matter experts or designated compliance officers address it promptly. Ignoring or delaying response times can damage trust in the hotline. Additionally, under the Dodd-Frank whistleblower provisions, there’s a short timeframe for internal resolution before an employee can seek benefits under the program, making prompt attention to complaints a legal and ethical priority.

  • Litigation Support and Document Retention Tools

A well-configured hotline should offer tools to meet the legal requirements for document retention and protect whistleblower submissions as attorney work product or under attorney-client privilege, if applicable. Implementing these legal protections within the hotline system mitigates potential legal risks and strengthens the organization’s ability to defend its actions should litigation arise. Outsourcing these functionalities to a third-party provider can save costs and ensure compliance with all necessary legal protections.

  • Direct and Transparent Communication with Whistleblowers

Employees need to feel their voices are heard at the highest levels of the company. A hotline that allows for direct, private, and anonymous communication with compliance officers gives employees confidence that their concerns are receiving appropriate attention. This visibility signals that the organization values transparency and accountability, even when uncomfortable. Providing employees with status updates on their reports can also reinforce trust in the system.

Additional Tips for Maintaining an Effective Whistleblower Program

Building a whistleblower program that employees trust requires ongoing effort. Here are a few additional considerations for making the program effective and trusted across your organization:

  • Publicize the Hotline. Ensure all employees know the hotline’s existence, how to use it, and the protections in place. This can be achieved through regular training, informational posters, and reminders from senior management.
  • Encourage Reporting Without Fear of Retaliation. It’s crucial to communicate a zero-tolerance retaliation policy and enforce it when necessary. When employees see that the company protects and respects whistleblowers, they’re more likely to trust the system.
  • Analyze and Act on Data Trends. The absence of certain reports may indicate areas where employees feel unsafe or unwilling to report. Use hotline data to understand the company’s culture and identify areas where additional support or training may be needed.

Lessons from Venice’s Lion’s Mouth for Today’s Compliance Programs

The Lion’s Mouth system exemplifies the importance of giving citizens, whether in Venice or within a modern corporation, a way to report misconduct. Venice’s willingness to create a system where concerns could be voiced without fear of reprisal, while imperfect, reflects an early understanding of the importance of accountability and transparency. Today, we see this principle in the FCPA’s guidance and the DOJ’s endorsement of anonymous reporting mechanisms as part of effective compliance programs.

In designing an effective whistleblower program, compliance professionals should remember that it’s not just about setting up a hotline but building trust. An effective system enables employees to raise concerns in a protected, confidential, and responsive environment, contributing to a culture where transparency and integrity are valued and protected.

Honoring Venice’s Legacy in Modern Whistleblower Programs

As we close out our series on compliance lessons from Venice, it is fascinating to reflect on how this unique city-state has influenced governance, law, and compliance even today. The Lion’s Mouth may have been a primitive mechanism by today’s standards, but its spirit lives on in the whistleblower hotlines that empower employees to report wrongdoing and hold their organizations accountable.

By providing a trusted platform for employees to raise concerns, compliance professionals can create a culture where doing the right thing is supported and valued. The message is clear: just as Venice’s Lion symbolized protection and justice, a well-constructed whistleblower system should stand as a testament to an organization’s commitment to ethics, transparency, and accountability.

Thank you for joining me in this special series on compliance lessons from Venice. These insights remind us that the best compliance practices are sometimes rooted in history and that we can learn from past innovations to create a safer, more ethical future.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Assess and Act on Internal Reports Thoroughly

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

The DOJ wants to know that companies take reports seriously. This means evaluating the seriousness of allegations promptly and thoroughly.

Categories
Compliance Tip of the Day

Compliance Tip of the Day: Fostering a Culture of Speak Up

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we explore how the DOJ has placed significant emphasis on encouraging a culture where employees feel comfortable reporting misconduct.

Categories
Innovation in Compliance

Innovation in Compliance: Evie Wentink on Rethinking Compliance

Innovation comes in many areas and compliance professionals need to not only be ready for it but embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast.

In this episode, Tom welcomes back Evie Wentink to discuss the importance of rethinking ethics and compliance practices.

Evie shares insights from her recent LinkedIn articles on best practices for ethics hotlines and the importance of finding creative ways to engage employees in compliance topics. She reads a whimsical Dr. Seuss-inspired piece on reaching ethics hotlines and emphasizes the need for compliance messaging to be approachable and engaging. Additionally, Evie discusses the challenges compliance professionals face with limited budgets and offers practical solutions such as leveraging LinkedIn for networking and creating low-cost, effective compliance awareness tools.

The conversation also touches on the significance of changing the narrative around ethics and compliance for younger generations. Evie shares her experiences discussing compliance with her children and highlights the need for better education in schools to prepare future employees. She concludes by mentioning her new website, Ethical Edge Experts, and various platforms she’s using to spread compliance awareness. Tom and Evie agree on the necessity of continuous dialogue and innovation in the compliance field.

Key Highlights:

  • Rethinking Compliance Practices
  • Creative Messaging for Ethics Hotlines
  • Leveraging Low-Cost Resources
  • Engaging Managers in Compliance

Resources:
Evie Wentink on LinkedIn

Evie’s Top 10 Compliance Back to Basics

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Bank of America’s Corporate Culture Crisis: Part 4 – A Tale of Metrics and Misalignment: Lessons for Compliance Professionals

Compliance professionals constantly seek to understand how systemic issues within corporate hierarchies can lead to severe consequences. The recent revelations about Bank of America’s (BoA) persistent workplace culture problems are a powerful reminder of compliance’s critical role in safeguarding employees and the organization.

This week, I will explore the BoA failure around workplace culture from various perspectives articulated by the Everything Compliance gang, including Karen Woody, Jonathan Armstrong, Matt Kelly, Karen Moore, and Jonathan Marks. This exploration will include the failure of internal controls, failures by the Board and senior management, culture failures around highly driven, self-selecting employees, and the cultural miasma that is BoA from a perspective from across the pond. In Part 4, we consider a misconnection of metrics. This issue is not merely a question of productivity but a fundamental concern about corporate culture, ethics, and long-term sustainability.

In corporate governance and compliance, aligning business metrics and ethical obligations often defines a company’s culture’s success or failure. The recent Wall Street Journal (WSJ) article about BoA and its investment banking metrics sheds light on a crucial disconnect that compliance professionals must address: the disparity between business performance indicators and employee well-being.

At the heart of the issue is the nature of the metrics used to evaluate success in different industries. In investment banking, the primary focus is often on closing deals. The logic is straightforward: deals drive revenue, and revenue drives the bottom line. This singular focus on deal-making creates an environment where the end justifies the means, potentially overlooking the toll it takes on employees.

Conversely, in law firms, the metric of success is often billable hours. Lawyers are compensated and promoted based on the number of hours they bill, which can lead to a different, yet equally problematic, set of behaviors. Over-inflating hours or working excessive hours becomes the norm because that is the path to career advancement.

Both systems create perverse incentives: investment bankers might underreport hours to avoid raising HR flags, while lawyers might overreport hours to enhance their career prospects. These behaviors highlight a crucial point for compliance professionals: the metrics set at the top of an organization inevitably shape the behavior throughout the company.

One of the first steps in addressing these issues is understanding the available data and how it is used. Compliance professionals must ask themselves, “What data do we have, and how can it be used to monitor and manage risks effectively?” By focusing solely on deal closure, companies are potentially neglecting data related to employee well-being, such as hours worked or stress levels.

In contrast, law firms have systems that track the minutiae of an employee’s workday, from time spent on tasks to keystrokes made during document review. This data is invaluable for billing clients and identifying patterns that may indicate overwork or burnout. Compliance professionals in investment banking could learn from this approach, using technology to track hours worked or monitor workload distribution, ensuring that employees are kept within reasonable limits.

The core issue is more alignment between business metrics and corporate culture risks. Compliance professionals must ensure senior management acknowledges overwork as a significant risk and takes proactive steps to monitor and mitigate it. This involves tracking the traditional success metrics and implementing metrics that reflect the company’s values and culture.

For example, if overwork is recognized as a risk, metrics such as average hours worked, employee turnover rates, and employee satisfaction surveys should be regularly monitored and reported. This dual approach allows a company to pursue business success while ensuring its corporate culture remains healthy and sustainable.

The responsibility of aligning these metrics rests not solely with middle management, compliance officers, or senior management; it extends to the board of directors. The board’s oversight role is crucial in ensuring that the company’s culture is preserved in pursuing financial success. For boards everywhere, the recent scrutiny BoA received in the WSJ article serves as a lesson.

Board members must go beyond the surface level of management reports and delve into the realities of the workplace culture. This requires more than attending board meetings in luxurious settings and listening to pre-prepared presentations. It involves engaging directly with employees at all levels, understanding their challenges, and prioritizing their well-being.

A practical approach could involve the board requiring regular reports on employee well-being metrics, mandating internal audits focused on workplace culture, or even conducting anonymous employee surveys to get an unfiltered view of the corporate environment.

An effective compliance program also hinges on creating a culture where employees feel safe to voice their concerns. A speak-up culture is essential in identifying issues before they escalate into major risks. Management and the board should encourage employees to report inconsistencies between policy and practice and take these reports seriously.

For instance, if employees consistently report working beyond reasonable hours, this should trigger an investigation and subsequent action from the board. Such feedback mechanisms help identify risks and reinforce the company’s commitment to ethical practices.

Lastly, when issues do arise—such as the tragic death of a young employee in the Bank of America case—the board should conduct a root cause analysis. This analysis should not be limited to the immediate cause but should explore deeper systemic issues that may have contributed to the incident.

A comprehensive root cause analysis might reveal that the focus on deal closure at the expense of employee well-being is not an isolated issue but indicative of a broader cultural problem. The board could use this analysis to implement changes across the organization, ensuring that similar incidents do not occur in the future.

The lessons are clear: the metrics that companies use to measure success are powerful drivers of behavior. The challenge for compliance professionals is ensuring that these metrics align with business goals, ethical standards, and employee well-being. This requires a proactive approach, leveraging data to monitor business performance and corporate culture. It also requires a board that is engaged, informed, and committed to understanding the realities of the workplace.

In the end, compliance is not just about preventing legal and compliance risks but about fostering a corporate culture that values integrity, transparency, and the well-being of all employees. By aligning metrics with these values, companies can achieve sustainable success that benefits their bottom line and people.