Tosin Umukoro (tosin.umukoro@stryker.com) is the Senior Compliance Officer for Stryker Europe.
Over the years, corporate compliance programs have developed helpful frameworks of dos and don’ts for people in worst-case scenarios. Although generally considered effective in addressing significant and known risks faced by organizations, these programs, typically heavily rules-based, have been criticized for creating a series of box-checking routines, or so-called “paper programs,” primarily aimed at assuring legislators of the adequacy of self-policing and internal policies and procedures.
To create a culture of integrity, given the complex requirements governing business today, organizations need to continually evolve to address new and emerging risks and embrace both reactive and proactive approaches to compliance. In recent years, principles-based compliance programs have grown in prominence due to their potential to empower people to make the right ethical decisions, particularly in difficult or unique situations. This article presents some considerations for compliance professionals seeking to implement this approach to improve the effectiveness of their compliance programs.
The emergence of principles-based regulatory systems
Principles were introduced in the United Kingdom financial services regulation in 1990.[1] Essentially, this was a move away from dependence on prescriptive, detailed rules toward relying more on overarching, broadly stated principles that form the obligations of organizations to which they apply.[2] In the UK financial services regulatory regime, principles have several characteristics:
- They are generalized, with the intention that they should be overarching requirements that can be applied flexibly to a rapidly changing business environment.
- They contain terms that are qualitative, not quantitative: relatively general terms (“fair,” “reasonable,” “suitable”) as opposed to bright-line rules (“within two business days”).
- They express the reason behind the rule.
- They have very broad application in various scenarios.
- They are largely behavioral standards.[3]
One of the compelling arguments for this strategy is that there is a shift of emphasis from the process carried out by organizations toward the outcomes they seek to achieve.[4] A policy briefing from the Institute of Chartered Accountants states that rules-based systems can create a box-ticking mindset and compliance cultures, where the focus is upon meeting the letter rather than the spirit of the regulation, or an attitude of anything goes so long as it is not prohibited.[5]
The limitations of a rules-based approach
In his white paper, Principles-Based Regulation and Compliance: A Framework for Sustainable Integrity, Harlan Loeb, a recognized expert in crisis and reputational risk management, highlights a Deloitte survey of global executives who list reputation risk such as ethics/integrity and cybersecurity among the most important risks their companies face.[6] Loeb advises that the increasing complexity of the global risk environment and the importance of corporate reputation as a strategic asset require organizations to adopt pioneer thinking and innovation beyond product lines and services.[7]
Loeb asserted that as the focus of many global organizations is the efficiency of their systems and operations, the mindset and agility required to understand and address reputational risk and its underlying drivers was often not prioritized. In addition, Loeb warned that corporate dependence on rules-based compliance systems to manage risk compounded this challenge.
In contrast to a principles-based approach, rules-based compliance systems are solely motivated by legal and regulatory constraints rather than (and some would say, frequently at the expense of) moral and ethical imperatives. Although rules describe how to behave and require less interpretation, Black et al. argue that they are not a perfect regulatory instrument and have several limitations, including:[8]
- Rules are just a “best guess” as to what is ahead, and therefore, new situations may occur that were not predicted when the rule was developed. Moreover, the rule may be construed and applied in ways that were not intended by the author.
- Rules are either underinclusive, failing to catch things that the rulemaker might want to incorporate, or overinclusive, incorporating things not intended when applied in specific contexts.
- The impact of the rule on behavior does not depend solely on how prescriptive the rule is. The organization’s own approach to regulation and the incentive structures for compliance are also critical.
A principles-based compliance program: The positives
For professionals with compliance and ethics program responsibility, any approach that contributes to promoting a culture of ethics and achieving the objectives of programs will be attractive. Although initiatives such as introducing incentives to influence behavior are recognized as a hallmark of an effective compliance program,[9] external incentives alone cannot be solely relied upon to change behavior, and compliance professionals will need to employ a plethora of initiatives to help drive an effective program.
There is a growing body of evidence in the field of behavior sciences that suggests that, among other things, intrinsic motivation plays an important role in inspiring behavior, more so than extrinsic motivational factors.[10] In line with this, Loeb suggests that compliance professionals tasked with influencing the behavior of employees within organizations draw upon intrinsic motivational forces of their employees by structuring compliance standards and systems around core organizational values. This approach incentivizes employees within an organization in a way that effectively induces social norms. In their 2019 paper, Yamin et al. define social norms as “the behaviors that, among all those that are possible in a given situation, ‘others (as a group, as a community, as a society…) think are the correct ones, for one reason or another.’”[11] They underline and argue in favor of the many ways in which normative information can be leveraged to change behavior in the real world. As highlighted by Loeb years earlier, behavioral science continues to provide well-established lessons that can give important guidance in designing effective compliance programs.[12]
As the principles-based approach offers flexibility for the organization and/or employee in determining how to comply, compliance programs structured around organizational core or shared values can leverage the company’s core capabilities and competencies. Black et al. propose that this facilitates the development of, among other things, new strategies and internal processes, as—away from more prescriptive rules—organizations are free to find the most efficient way of achieving the outcome required.[13]
Principles put into motion
Google’s code of conduct has been hailed as one of the best in class.[14] Google adheres to five guiding principles: commitment, care, transparency, fairness & consistency, and accountability.[15] In his analysis, Sebastian Pistritto stated that through these high-level principles, Google instills across the organization the mission and the foundational belief that describes its approach to ethical, social, and environmental matters.[16] This approach produces ownership in the organization’s social norms among employees and provides much of the required corporate governance and standard laws by which Google operates.[17] These overarching principles also encourage employees to use good judgment and common sense in gray areas, the lack of which is one of the criticisms of heavily rules-based approaches. Google states that its approach facilitates the organization’s aspiration to live up to the intent, and not just the letter, of laws and regulations.[18]
Daimler, a multinational automotive corporation headquartered in Germany, has also adopted a principles-based approach to compliance.[19] Daimler’s integrity code emphasizes that its approach facilitates more than just obeying laws; it encourages employees to listen to their inner compass by adopting five corporate principles that it states are the foundation of all their actions.
- We are profitable and are committed to people and the environment.
- We act responsibly and respect the rules.
- We speak openly about integrity-related issues and are firmly committed to transparency.
- Fairness and respect are the foundation of our collaboration.
- We put diversity into practice.
These principles, though high level, help to orient employees in difficult business situations, or the gray areas. Loeb is particularly complimentary of the Daimler approach and states that this approach enables the corporation to expand the existing compliance methodology into new areas of increasing importance to the organization’s global operations, such as human rights.[20] Moreover, embedding these principles into employees’ approach to daily activities is especially important in times of disruption, such as the recent global pandemic where new business risks have emerged. Daimler states that its principles-based approach to its compliance program is also helpful in responding to the transformation taking place in the automotive industry. The changes include digitalization and the related areas of connectivity, driverless cars, and electric mobility.[21] Daimler advises that although the new fields of business that are emerging offer tremendous opportunities, they also pose challenges about ethical and legal issues and require employees’ decision-making to be guided by the shared principles even when faced with novel situations.
Another example is Novartis, a global healthcare company based in Switzerland that introduced a new principles-based code of ethics in 2020. The new code is a collection of commitments to ethical standards that Novartis has made across the business and is anchored in behavioral science.[22] The four ethical principles are: be open-minded, honest, bold, and accountable. Novartis states that the principles help guide employees in their everyday decision-making at work. In addition, Novartis introduced an online interactive decision-making framework to support its employees. The framework is designed to drive meaningful conversations around ethics, help broaden perspectives, and encourage better understanding and application of the organization’s ethical principles in situations that are complex and unclear.
The approaches taken by Google, Daimler, and Novartis are similar in that they refocus the employee’s decision-making. This vividly illustrates a vital dimension of a principles-based compliance system: recognizing that ineffective solutions often trace to the inability of employees to think outside the box in a rules-based system.[23] The Novartis code of ethics uses a set of “why it matters” questions to get to the “reason behind the commitment” and is an effective driver of outside-the-box thinking and pioneering problem solving. This is advantageous against the backdrop of an ever-changing and complex business environment. To maintain a competitive edge and even survive in this environment, organizations need to create compliance systems that can grow organically.
When principles alone are insufficient
Despite the advantages stated for principles-based approaches, challenges and potential disadvantages to the approach do exist. For example, detailed rules can be used more effectively than principles to persuade uncooperative or cynical organizations (or internal leadership) of their need to change their conduct.[24] Consequently, detailed rules can empower internal compliance officers in certain circumstances, whereas principles will not, since interpretations are debatable. There are also some scenarios, even in a predominately principles-based program, where some “fixed points” are needed: rules that set out in more detailed form what conduct is required in a more definite way than a principle or guidance can. For example, Daimler’s integrity code is supplemented by other internal guidance, such as the more detailed behavioral guidelines.[25]
Additionally, there are several other hallmarks of a well-designed compliance program, and these remain essential even in a predominately principles-based program. An effective risk management process remains foundational for the evolution of compliance programs and will also help to determine where guidance/principles should be established.[26] Investigations, hotlines, auditing, and monitoring will identify things that lessons in values cannot.[27] Even in predominately principles-based programs, there remains the need to develop criteria to identify the appropriate balance between principles and other types of rules. For example, rules may be necessary for particular areas such as where significant market failures have occurred or where certain types of conduct pose high risks and/or where the commercial incentives for an organization to do the right thing are weak.[28] It is prudent to introduce the additional direction that more prescriptive rules offer in these circumstances.
The compliance officer’s role
Compliance professionals need to be willing to get out and learn the business, and this is especially true when moving to a principles-based approach.[29] Proximity to the business is important in gaining the trust of employees and building partnerships throughout the organization. This in turn enables them to determine where the organization may be exposed or vulnerable and where overarching principles are required and will be most effective.
Moreover, a significant change in the skills, judgment, and mindset of the compliance function is necessary.[30] The shift from prescription to principles is not an easy one, and the compliance function will have to get out of the weeds, develop a more strategic role, and find an approach to inspire compliance in the absence of detailed rules. Specifically, compliance professionals need to truly understand the purposes and reasons behind the principles and develop the capacity to communicate and persuade effectively, elaborate on principles to reinforce their internal position, and be developed in such a way that they are confident and willing to make key judgment calls.[31]
Black et al. also stated that the compliance function’s role will need additional senior leadership support and to work hand-in-hand with the business, particularly when seeking to engage the business in discussions of whether a proposed behavior or strategy will be compliant with principles. This reinforces the importance of having sufficient seniority, access to leadership, and the organization viewing compliance as a business enabler.[32] Successfully partnering with leadership and ultimately the wider business in this manner—that is, developing a mindset that entwines integrity into the fabric of the organization—is vital if a principles-based approach is to be a competitive advantage for the organization and an overall success.
Final thoughts
Against the backdrop of an ever-changing and complex business environment, compliance programs need to evolve in order to effectively address new and emerging risks. Strategies, such as including more principles-based guidelines into corporate compliance programs—that is, reiterating the whys behind the rules—can help provide the framework for people to be more proficient in making decisions in line with an organization’s values in the absence of specific rules. Large organizations from different sectors have made this shift, with the aim of empowering employees and in an attempt to continue to promote the shared ownership of ethics and compliance. However, this shift does require ongoing use of existing, well-established compliance program strategies such as risk management, investigations, hotlines, and audit and monitoring. Moreover, there do remain some scenarios where some “fixed points” remain the most effective method of preventing and detecting misconduct. Striking the right balance between rules and principles is key. Compliance professionals also need to be suitably equipped to effectively manage and make the most of principles-based programs.
Takeaways
- In compliance programs, principles are broadly stated guidelines to set the standards by which organizations conduct business.
- Compliance programs predominately based on rules are critiqued for not addressing evolving risks.
- When effectively incorporated into an organization’s values, principles can incentivize employees in a way that effectively induces social norms.
- To make a success of principles-based programs, compliance professionals should develop the capacity to elaborate on principles to influence in the absence of rules.
- The right balance between rules and principles is an effective driver of outside-the-box thinking and pioneering ethical problem solving.