A previous discussion with compliance expert and consultant Emily Wright highlighted the fact that at least some of her consulting work involves working with both the compliance and the human resources departments.
This piqued our interest, as it has become quite clear in our coverage that regulators' interest in non-financial misconduct and organizational culture is sparking renewed interest in building relationships between these two teams.
We asked Wright what she is seeing in the world of practice.
She started by pointing out that the concept of culture and conduct applies to both departments, but often means different things. For the compliance teams, culture and conduct are often about how people deviate from the rulebook. But human resources worries about “how people do things in terms of human interaction” and this includes “tone, language, judgment” which is not defined anywhere in any rulebook.
According to Wright: “That difference is easily illustrated by examining the concept of staff morale, which HR will be very concerned about, but compliance will not have to worry about at all – and there is no doubt that morale is important in an organizational context, as is hiring, promoting, engagement.
“So even though the language is often the same, the agenda of both teams can be very different and so can the data that they hold and have access to.” But herein also lies the opportunity, suggests Emily, because “the HR teams will have access to a wealth of data that compliance could readily benefit from analyzing.”
And the opportunities for closer collaboration between the two teams are not limited to simply data sharing.
Wright reminded us of the fact that not very long ago the compliance and legal teams were essentially the same department. There was a clear hierarchy in place with lawyers firmly in the driving seat. Separating the two functions was indispensable because it revealed “the huge cultural differences between lawyers supporting and protecting the business versus the compliance officers tasked with applying the actual regulations.”
With risk and compliance in the second line of defense, businesses are in a better position and, according to Emily, “the other department that should sit in the second line of defense is HR” because if this function is positioned there you “get synergies in the same way as when you put compliance and risk together.”
According to Rob Mason, one of the reasons why this has not yet happened is that currently the primary reason for internal monitoring of staff is to prove to the regulators that the firm is adhering to the applicable regulatory regimes. According to Mason, “no one monitors for adherence to internal policies,” not because this would not make sense, but because these “encompass such a wide array, almost a kaleidoscope of ideas and aspects of the functioning of a complex corporate entity including general behavior by staff.”
Mason is careful to acknowledge that it is unrealistic for businesses “to monitor for everything.” The recent focus on non-financial misconduct illustrates the fact that there is reliance on surveillance teams in particular “to monitor for adherence to some policies including ensuring that people behave in accordance with expected norms.” For Mason, the issue that arises in connection with things like non-financial misconduct is where precisely a compliance mandate begins and where it ends, with the same question applying to HR.
Wright agrees that the crucial question of responsibility is one that cannot be avoided by either compliance or HR or, indeed, the business itself. In part this is being driven by the FCA publishing, in February this year, findings from its D&I consultation paper, showing what are likely to become 2025 expectations and gender reporting requirements.
Wright adds that discussions on this “are still happening at institutions” because if “the CCO is reporting on D&I, NFM or gender representation and equal pay and has very little experience with, or expertise in, these areas, but is effectively representing the business in front of the regulator, then that can create real problems – not least of expectation setting and perception by the regulator of how well prepared the business is on these matters of non-financial risk.”
This focus from the FCA is another reason, in Wright’s view, why the HR department being in the second line is critical. “With something integrated you also have a larger budget to fund the necessary tools and expertise”, says Wright, and asks us to consider how effective this approach would be in protecting the business, the shareholder and crucially both employer and employee – “what you can do with a surveillance program focused on broader non-financial misconduct where you have both the compliance and HR expertise using the same set of tools, accessing and analyzing the same set of data, would be to create a far richer, more accurate view of human risk in the business.” An ideal outcome, in her view, would be “both functions working alongside each other”.
Coloring much of the conversation was the fact that the risk environment, as well as the scope of both functions but particularly the compliance function, is changing very rapidly in response to changing regulatory expectations as well as very divergent stakeholders.
Both Mason and Wright implied that, against this backdrop of change, one of the most valuable characteristics is adaptability and the ability to zero in on what needs to be done to support the business while “maintaining a degree of independence that is critical to the success of both functions,” particularly as they are often looking to fulfil potentially conflicting objectives. For compliance these are “protecting the shareholder whilst facilitating business” and for HR “protecting employer whilst at the same time protecting employees.”
Emily Wright is the author of Behind the Screens: Understanding Employee Surveillance in Financial Services. She is former Global Head of Compliance Surveillance at Standard Chartered Bank. Emily has more than 20 years of financial services experience, including senior roles across Compliance, Operational Risk and HR, within Standard Chartered Bank, JP Morgan, Lehman Brothers, ICAP PLC and Newedge Group. She has worked in London, Hong Kong, Singapore and Australia.
Emily has an MSc in History and Philosophy of Science from The London School of Economics and now offers consulting and executive coaching for financial institutions in surveillance and monitoring, regulatory compliance, and culture & conduct issues.
Rob Mason is the Director of Regulatory Intelligence at Global Relay. He has a wealth of experience across both banking and regulation, having undertaken senior compliance surveillance roles within UBS and Lloyds Banking Group, where he was responsible for the oversight, management, review, enhancement and operational effectiveness of the surveillance carried out, including navigating internal and external audits as well as regulatory visits.
Before his time within bank compliance, Rob spent five years at the FCA where, most notably, he was the Technical Specialist in the team initiated to supervise the MAR – reviewing and examining all regulated firms’ surveillance capabilities aligned with regulatory expectations. Prior to joining the FCA, Rob had a trading background with 10 years specializing in trading and broking on-exchange derivatives.