It’s easy to get stuck doing busywork. This morning, I caught myself trying to change a bank card on a subscription I won’t renew. Why? Because I’d received an email with legal language warning about the card’s expiry. I was complying without thinking.
Risk and compliance can get like that. We have so many forms, boxes, tracking tools, and so on. All this busywork can distract us from focusing on 20% of our organization’s work activities, creating 80% of risk. But how do we identify where to spend precious time without expensive and exhausting “assessments?”
Could you commit to two to three 30-minute weekly calls for a year? You already do. Some of those calls may be staggeringly unproductive as you and others draft emails, “doomscroll” social media, and contemplate running away to open a pet-themed beach bar. One of the best excuses to avoid these calls is to have a legitimate excuse: “I’ve got to drop for another call.” Take that option. Schedule two or three calls with people randomly selected from within your organization.
That’s what a head of ethics and compliance for a 29-country multinational did. He’d had enough of creating content in a void and trying to understand why a robust best practice compliance framework was spluttering. He set a target for 100 conversations in a year. The agenda was kept loose. He wanted to understand the other person’s compliance experience, challenges in their role, and support they needed (from him). At the end of the year, he had the following observations:
He understood the business, risks, and pressures people face much more deeply.
He built connections with people across the organization who continue to share information that helps us do better.
He had a better handle on what people needed and wanted from him.
The elegance of this approach is its simplicity. One-on-one chats—with no bosses or peers eavesdropping—allow a more honest and personal conversation. Functions at the center in (regional) headquarters can seem aloof, removed, and irrelevant. When we emerge from “The Death Star” (a former colleague’s name for HQ), we humanize our risk and compliance work. Unfortunately, our other appearances are often as enforcers (monitoring, investigation, risk assessment) or educators (training, communications, workshops). I’m not suggesting those can’t be collaborative and constructive. But we’re transmitting. There’s nothing quite like listening!
Some of you may wonder about skewed data. I would, too. The trick is not to extrapolate based on location, function, seniority, etc. It’s to look for trends that occur across the board. For more thematic and aggregated data, we need numbers—enter user experience surveys and speak-up data.