Published

Ethics, Risk and Compliance Roles in the U.K. – Part 2

We were delighted to interview Kevin Parle – Fellow of the International Compliance Association (ICA) and Deputy Chair of the Data Protection Forum – for insights and observations of whistleblowing roles within U.K. organizations. Kevin has worked in financial services, retail banking and insurance for over 20 years, bringing his knowledge and understanding of these sectors and ideas that other sectors might implement to this article. This is part two of two. You can find part one here.

Please note that Kevin’s thoughts and opinions discussed in this interview are his own and not representative of the views of the Data Protection Forum or the ICA.

How can companies ensure that employees who might not have anything to do with ethics and compliance directly are aware of their responsibilities in upholding them?

If we focus on frontline employees, the managers who may initially handle whistleblowing issues (concerns raised by their staff) daily will rely on credible whistleblowing policy and ethics (ESG) policy. Effective functions carrying these responsibilities are led by the ethics officer, whistleblowing champion and whistleblowing officer, who must also do their parts.

It is immediately doomed to failure if you do not have credible training for these policies. If the organization can’t uphold a speak-up culture, and if communication audit trails aren’t present amongst your frontline staff, then the attainment of these important goals will also fail; they must be lived and breathed across the whole of the organization.

Secondly, if we’re talking about a large organization, you may have an ethics officer completely separate from your whistleblowing champion, officer, and potentially even your compliance officer. So, in that case, how do you get frontline staff engaged between multiple roles communicating different aspects of a shared program?

These roles must engage with each other and send consistent messages to frontline staff. If you’ve got opposing messages being communicated, then staff in the frontline will not be invested. Sometimes this is easier said than done and this will only happen with the active cooperation of the key stakeholders.

How might these roles differ, and how can you effectively align them when they may be involved in different tasks within the business?

The compliance officer ensures that the company complies with legal and regulatory obligations. Even so, compliance involves a certain level of practicality about what is realistically achievable to the best of the organization’s abilities with minimal impact on profitability or staff’s ability to fulfil their roles.

On the other hand, the ethics officer operates in a way that requires them to think in a more abstract sense of broader, non-regulatory ethical questions. These two roles will not be saying the same things because they are different roles with different objectives. However, if they are saying opposite things, then it puts the organization and its staff in a challenging situation. The two roles must work well together in tandem, align through regular meetings, and ensure they send consistent messages to employees in the frontline to get them invested in the process and culture around risk, compliance and ethics.

The role of leadership in alignment

Overall, investment in these objectives comes from the top. Your leadership team – including your CEO, whistleblowing champion and ethics officer – must use the language, on a day-to-day basis which reinforces the importance of achieving those objectives and communicating in ways that front-line staff will recognize and understand. Senior management must be willing to have difficult conversations transparently and to set an example for frontline staff that speaking openly about ‘concerns’ is OK, or the program objectives will not be successful. Imagine senior management down to middle management using ethical language in the day-to-day delivery of products and services, in how they talk to and about their customers – that’s the ideal route to a successful ethics and compliance program.

What that does not mean is using complex language. These themes and expectations must be accessible to all staff, using everyday language and easily-understood concepts. And ultimately, common sense should take care of itself. If your staff feel uncomfortable about a specific concern and get the gut feeling that something just isn’t right, they should feel that they can speak up or ask about it, even if they aren’t sure if it is a reportable problem or not.

What mechanisms would you suggest for organizations to promote compliance amongst their workers?

Large-scale town halls are a valuable means to promote a particular business objective. These should be structured as a special event that staff should be encouraged to attend, highlighting that senior management and leadership teams will also be present.

These should last a few hours – over lunchtime would be appropriate – and might take place in a designated conference room or nearby hotel. Staff tend to like these events as they are also networking opportunities, and those who are too busy or unable to show up in person can catch up virtually at another time, as the event should be recorded.

Another suggestion, in my experience, is to make sure your intranet is regularly used to promote specific compliance and ethical goals. Having these messages available and accessible in a front-page intranet format, which staff will see each time they log on,  ensures the visibility of goals and achievements in delivery across the business.

Is there anything else organizations and role holders within whistleblowing, risk and compliance can be doing to reinforce the merit of a good risk and compliance program?

In reality, the critical thing is to ensure ongoing and in-depth communication from senior management to their staff. There’s no point in having set training once per year that is then put back on the shelf until the next time. It must be regularly reinforced by management that if any member of staff raises a concern, it will be taken seriously – and they will not be negatively labeled or discriminated against. Instead, it should be demonstrated that a person who raises a concern, is a valued member of staff who has helped avoid real risks materializing in the organization.

One of the most valuable actions an organization can take in this sense is to have senior leadership bring transparency to the benefits brought about by people raising concerns. Regardless of the nature of the concern being raised, you want staff to be in a position where they feel safe enough to tell you of potential business risks.

Cases of people speaking out should be celebrated. For example, ‘this helped us avoid a crash on the stock market for shares in our business’ or ‘this report helped us avoid being subject to regulatory enforcement action’ or ‘we did the right thing by our customers as the result of the concern being raised’.

This kind of messaging needs to come from senior management as a powerful reinforcing signal of real organizational heroes that bring about positive change.

These examples of positive action are significant for more junior staff as it will foster confidence that they won’t be ostracized, labelled, or have their career progression stalled if they raise a concern. Building trust means that all staff – including your junior staff members who might otherwise be too worried to speak out – will use the organization’s legitimate whistleblowing routes to raise a concern. This is far preferable to them going to a regulator, or the press, to publicly voice their concerns. Without confidence in business processes and integrity within the frontline staff, internal reporting will never happen.

All of the above suggestions speak to nudging the culture within the organization, via the re-enforcement of the importance of achieving key compliance and ethical goals, so that board-level goals can be achieved, and the long-term viability of the organization can be assured. 

Kevin Parle Deputy Chair, Data Protection Forum & Fellow of the ICA

The DP-Forum welcomes new members to its ranks. If you are interested in finding out more, them please see www.dpforum.org.uk.  


Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.



CPRA Regulations & Requirements: Understanding the California Privacy Rights Act

On Jan. 1, 2023, the California Privacy Rights Act (CPRA) will take effect, placing newly enhanced data privacy and notification requirements onto businesses that handle the personal information of California consumers. This post covers what you need to know to meet the requirements to avoid the consequences of non-compliance.

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

NAVEX R&C Benchmark Finding – Regulatory Compliance is a Top Priority

NAVEX publishes the Definitive Risk and Compliance Benchmark Report each year, surveying over 1,100 industry professionals. This post explores one of the report’s key findings: regulatory compliance is a top priority.

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.

Subscribe Now!
Definitive Guide to Compliance Program Assessment
Download Guide