Principal Consultant, Liz Hornby, examines the critical role frontline staff play in mitigating compliance risk and how to empower them to take action. Liz designs, writes, and delivers Governance, Risk and Compliance (GRC) training. She also authors many of our generic courses.
Ahead of the relaunch of a range of our generic courses focusing on financial crime, operational risk, and market conduct, we sat down with Liz to discuss the role compliance training has in supporting an organization’s first line of defence.
Q: What is ‘the first line of defence’ and why is it now a key focus for compliance risk management?
Liz: The three lines of defence model has been a mainstay in risk management methodology for some time. But in recent years, increased importance has been placed on the role of the ‘first line’—namely, frontline staff.
There is growing recognition that many compliance issues can be most effectively identified—and, indeed, mitigated—by those undertaking the day-to-day roles in the business.
While second and third lines of defence such as Compliance and Internal Audit teams have an important role to play, it is the first line that perhaps provides the most important barrier against compliance risk.
This shift has been further reinforced by the introduction of regulations that aim to increase individual accountability and standards of behavior, such as the Senior Managers and Certification Regime (SMCR).
Q: Why are staff such a critical component of the first line of defence?
Liz: Organizations can’t just rely on policies and procedures to manage compliance risk. Compliance policies and processes are designed to prevent the compliance problems of the past: outlining what action should be taken to manage or prevent the issues that have been faced by the organization or the industry before.
But when faced with rapidly evolving business operations (such as ongoing digital transformation and disruption) and an ever-changing legal/regulatory landscape, managing compliance risk effectively increasingly means giving staff the tools to identify and mitigate the problems of the future.
This means empowering and motivating them to play an active role in compliance risk management, as well as ensuring they have the knowledge they need.
Staff need to be able to use their judgment to make the right decisions in scenarios that may not yet have been considered and to apply principles and values to new situations. They also need to be able to identify ‘red flags’ (potentially problematic situations) effectively and feel empowered to raise concerns.
Frontline employees are the eyes and ears of your business. Their conduct and awareness are your best defence against compliance risk issues now—and in the future.
Q: How can you practically strengthen your first line of defence to effectively manage compliance risk?
Liz: Essentially it requires targeting behavioral change at all levels of the organization to create a workplace where everyone is equipped and motivated to make the right decisions—and feels empowered and supported in doing so.
There are perhaps three stages to this:
- Staff must be engaged and feel responsible and accountable for their actions and the actions of others
- Staff must be aware of the compliance issues and risks relevant to their role and be able to spot ‘red flags’
- Staff must know how to escalate issues and concerns and feel confident and protected when doing so
Q: What are some of the problems in achieving this in practice?
Liz: As an industry, financial services has found it difficult to both create and sustain a culture where employees feel comfortable raising concerns. It’s important for organizations and managers to acknowledge that mistakes happen and respond well when they do. A lot can be learned from the ‘no blame’ culture adopted by airlines and air-traffic controllers.
Concerns over the consequences of speaking up can be problematic to this messaging, particularly in highly-regulated environments where the threats of fines and prosecution are ever-present. But it’s critical that staff feel able to raise concerns.
Q: What role does training play in managing compliance risk?
Liz: Training has a really important role to play. A well-designed training course is really the first step.
It can introduce and cover the three stages I mentioned earlier: accountability and responsibility, knowledge, and escalation points and processes. It can also enable staff to practice making judgments and responding to scenarios in a safe environment.
But for training to have long-lasting impact, it really needs to be backed up by a shift to a wider workplace culture of accountability and shared responsibility.
Training needs to be supported by strong leadership that creates trust between staff and the firm. That trust can take a long time to build, but only moments to destroy.
One senior leader who does not set the right example or responds inappropriately to a compliance issue will completely undermine the training’s messages. So it’s important that compliance messaging and conduct standards are embedded at every level of the organization.
Find Out More
Our off-the-shelf eLearning courses are a great first step to strengthening your first line of defence. We have courses focusing on the following key areas:
- Financial crime
- Market conduct
- Operational risk
These new courses have been redesigned to be more user-friendly and engaging. They also feature scenarios to give learners practical experience of issues they may face in their day-to-day roles, as well as the consequences of poor decisions—a key tool to help embed new behaviors.