Nina Bryant and Sabine Clappaert, FTI Consulting, explore the regulatory, reputational, operational and financial risks associated with an organisation’s compliance culture and how to overcome them

There are regulatory, reputational, operational and financial risks associated with an organisation’s compliance culture. From a regulatory standpoint, governments are placing increasing emphasis and scrutiny on compliance across data privacy, ESG, AI ethics and proactive compliance programmes.

For example, in Europe, there is pending legislation that will govern the ethical and lawful uses of AI and likely require organisations using data-powered AI to ensure they are transparent and fully compliant with existing data protection and privacy laws.

Without a culture of compliance that ensures principles of ethics, data privacy and other obligations are built into the fabric of their technology development and business processes, organisations can face significant risk of running afoul of both regulatory requirements and customer expectations.

Innovation, growth and compliance: friends or foes?

As organisations look to pivot business models, build and implement new technologies and create disruptive products, compliance culture is going to be critical to minimise risk and also to fuel strategic objectives.

So, what practical steps can risk managers take to unify the seemingly opposing priorities of compliance and innovation? How can they achieve buy-in to build a strong, sustainable privacy-positive culture and leverage it for growth?

“Compliance culture is going to be critical to minimise risk and also to fuel strategic objectives”

To create a strong compliance culture, employees must understand how and why data (and data protection) are critical to the organisation, what is expected of them and most importantly, how their compliance mindset and behaviours can contribute to (or jeopardise) business goals.

Often however, employees have a very limited understanding of these key risks and their possible impact. Each business is different in the way it utilises and values data, so it’s important to establish alignment between compliance objectives, employee perceptions and organisational values.

Understanding how compliance culture manifests

When firmly embedded in the business model, a strong culture of compliance can be a competitive advantage and contribute to business performance.

But to get there, organisations must first understand what defines their compliance culture today (not on paper, but in the day-to-day decisions and behaviour of their people).

We believe that culture manifests across four dimensions:

  • collectively in groups, both visibly (in strategies, processes, performance metrics, and reward and recognition programmes) and underlying (in group dynamics, office politics or shared unspoken values); and
  • individually, both visibly (leadership and communication style, performance) and hidden (cultural background, values, beliefs, mindsets).

[Figure: Compliance iceberg model, FTI Consulting]

Many compliance programmes today measure operational risk factors; too few measure the impact of the human factor.

While organisations wouldn’t invest in addressing an operational issue without a clear, quantifiable understanding of the problem, many do so when it comes to investing in cultural ‘fixes’.

Understanding where the pressure is coming from to take risks or disregard compliance requirements is crucial in building a strong compliance culture, and by extension, successfully implementing compliance initiatives.

[Figure: What about the human factor?, FTI Consulting]

What you measure, you can manage.

As a first step to understanding the existing compliance culture and gaps, risk managers can conduct a culture assessment.

Measuring the current compliance culture will help bring the specific strengths, weaknesses and risks into clear view and help business leaders prioritise areas of improvement.

A detailed assessment should begin with interviews with leaders to understand their expectations and concerns related to risk and compliance, followed by a survey to gather anonymised feedback from across the organisation and focus groups to delve more deeply into issues identified in the survey.

With a benchmark in place, the risk team can then outline the roadmap for change, including training, awareness and internal communications campaigns that educate, engage and enable leadership and employees on key topics.

“With a strong compliance culture, risk can be effectively mitigated in a way that adds, rather than detracts from, business value”

Awareness campaigns must address mindsets, perceptions, assumptions and messaging across internal, external, collective and individual audiences. A holistic programme that defines values, desired behaviours and key messages for each audience will drive a shift toward the desired state of compliance and a culture that is reinforced by each employee and groups across the entire organisation.

As the compliance culture solidifies, Privacy by Design principles will then develop organically as part of new products, services, programmes and implementations.

When teams across the business are genuinely bought in to a culture of compliance as an enabler for the business, they will naturally recognise that data protection controls and considerations should be addressed at the outset of a new project, rather than as an afterthought.

This can eventually become a self-reinforcing process, in which data is consistently treated as the valuable, yet sensitive, asset that it is.

In today’s landscape, risk must be a consideration when strategic opportunities are assessed, but with a strong compliance culture, risk can be effectively mitigated in a way that adds, rather than detracts from, business value.