We’re all talking about it more and more these days, with each other and in the media: violations, compliance with legislation and regulations, and how rules are getting tighter and tighter. Industry regulators are becoming stricter by the day and the number of vacancies in Compliance and Customer Due Diligence (CDD) continues to grow. Tighter regulatory controls and audits come with countless implications for companies, and major corporations in particular. These implications are twofold. On the one hand, companies tackle compliance issues by closely monitoring the conduct and culture in their internal organization. On the other hand, companies run more checks based on all kinds of checklists, which has created a tick-box culture at many companies.
The definition of ‘tick-box culture’
Working through checklists to check boxes (with green checkmarks) is what we call ‘tick-box culture’. Seeing as there is not yet a clear unequivocal definition, we are going to suggest one here. ‘Tick-box culture’ is when an organization monitors its processes and policy using checklists to show both the internal organization (employees, management, board, etc.) and the outside world (customers, industry regulators) that processes are in tip-top condition and fully compliant with legislation and regulations. However, in practice, these companies sometimes turn out to not really be compliant at all. Here’s an example to explain.
An employee of a major corporation takes the annual compliance test, which is made up of twenty questions. After he finishes the test, he is shown the result (fail) and all the right answers (a, c, c, b, a, etc.). When he then immediately takes the test again, he gets the exact same questions. So all he has to do now is copy the correct answers he’s just been shown to get a 100% score. It only took him 5 minutes and he didn’t have to know, read, or retain anything. He’s passed the test and gets that coveted green checkmark by his name.
Exaggerated example? Nope, it’s a true story, unfortunately. And this is not the only company that is getting it all wrong… Companies with a tick-box culture make sure things are ‘in order’ by working through checklists. To some degree, this is not a bad thing, as it stops you from missing things. However, companies sometimes hide behind these lists, without realizing that they actually give them a false sense of having their affairs in order. We are deliberately using ‘false sense’ here, because we feel that no matter how many boxes you check, it doesn’t necessarily mean that you are actually compliant. Although a checklist with only green checkmarks is a good indicator, there is no direct link between the checkmarks and actual compliance. Why? There are three reasons.
1. A checked box is merely a snapshot
It reflects the moment in time when you go through your checklist(s). This can be once a quarter, once a year, or even once every two or three years. In the case of compliance checklists, employees will often first have taken awareness training and/or a test, for which they were overloaded with information. All useful information no doubt, because it’s about a serious subject, but can you be sure employees will actually retain all that information? Some employees will not find it engaging, will not see the point of it, and will therefore only attend the training ‘physically’. A checkmark for attendance alone has very little significance. When they also have to take a test, employees will make an effort to retain as much information as they need to pass the test. This is often no more than a brief spike in their knowledge level, as they rapidly forget the knowledge after having taken the test. When they took and passed the test, that green checkmark by their name was well deserved, but what about the rest of the time? Would everyone pass the test again a few months later, or will all the knowledge have faded by then?
2. Policy changes, the checklist doesn’t
So, a checkmark is a snapshot. You’re done until the next snapshot, or that’s what it feels like anyway. But what happens in the meantime – apart from the fact that knowledge will start to fade? Will legislation and regulations stay the same over that time? And what about all the procedures, will they remain unchanged? Won’t the policy change? Since rules change all the time, so should your checklist. If you wait until the next snapshot to show that all your processes and employees are compliant, you will by definition be non-compliant until then.
3. It’s all about behavior
So what happens when violations occur while all checkmarks were green? A green checkmark is not an excuse not to follow through and maintain compliance. Checkmarks or no checkmarks, adhering to policy is still largely down to humans. Even when awareness levels are high and everyone knows the rules, not all employees may actually act accordingly.
If they flout the rules, no checklist in the world will help. The problem then runs much deeper. It could be a manager who sets the wrong example or deep-rooted, flawed procedures. As soon as you identify this kind of situation, you need to tackle the culture and the behavior.
How to get rid of false compliance
Add up the above points and you get a clear-cut case of ‘false compliance’: a checklist full of green checkmarks, but no actual compliance. The policy has changed in the meantime, employees have forgotten the rules, or they know them but fail to abide by them. You are compliant only on paper.
On a positive note, more and more companies are realizing that checking boxes is not the way to go to truly get their affairs in order. And this is when the most important question arises: how do you get rid of this tick-box culture? What we are advocating is to continuously keep up knowledge levels, regularly update the rules and procedures, and focus more on culture and behavior.
So, be honest. Are you still hiding behind a checklist?