Considering The Human Factor In Your Compliance Program: Part One
Insights from psychodynamic management consultant Dr. Alexander Stein’s Star US User Conference Talk
At this year’s StarCompliance US User Conference, a program highlight was the session with Dr. Alexander Stein. Dr. Stein is Founder and Managing Principal of Dolus Advisors, a New York-based risk and psychodynamic-intelligence analysis consultancy, and also a Principal in the Boswell Group. He advises executives, boards, and entrepreneurs in areas of corporate and organizational life, and has extensive experience in leadership development and senior-team dynamics.
Dr. Stein specializes in helping organizations mitigate and resolve human-factor issues and is widely regarded as an expert in the psychology of fraud, insider threat, and white-collar misconduct. Following are excerpts and insights from his conference talk: Considering The Human Factor In Your Compliance Program. This is part one of a two-part series. Read part two here. (To be published January 7, 2019. Link will be live then.)
THE GAP BETWEEN NOSE AND TAIL
“Compliance professionals today aren’t just enforcers of compliance regulations; they’re working at the front line of ethics, culture, and human behavior. The primary focus is—or should be—proactively helping people in organizations do the right thing, not just do what’s mandated or reacting when they misbehave. People are incredibly complex. So it’s crucial to pay attention to and try to understand why things happen. It’s not enough to only look at what and how something happened. For example, onboarding a new hire. Compliance specialists spend lots of time honing deliverables. You’ve thought through why you think someone needs to know certain things—policies, procedures, requirements, and so on. But what are your expectations regarding what’s supposed to happen after that first touch? In simple human terms, it’s the start of a new relationship. It’s an opportunity.”
“In human behavior, there’s invariably a gap between nose and tail. People can be incentivized and rewarded for doing good, and discouraged, restrained, or redirected against wrongdoing. But impulses can’t actually be legislated or regulated. As much as we might want people to function mechanically and predictably, they don’t. They won’t. So what else can you be doing to complement and enhance something—compliance—which ultimately pivots, succeeds, or fails on so much more than cognitive understanding to produce rational outcomes? Probably, no one’s going to get a job at your firm who won’t be able to comprehend what your documents say. But that’s no inoculation against unethical behavior. Writing smart policy and implementing strong guardrails designating what someone should or shouldn’t be doing are important but inadequate. How else can you close that gap?”
EVERYONE IS A POTENTIAL INSIDER
“That might sound paranoid. But it only means that anybody is capable of wrongdoing. Liars don’t look like Pinocchio and hackers don’t wear hoodies. There’s really no insider-threat profile. So I strongly recommend you don’t take the indoctrination approach—structuring a bulletproof compliance program and then convincing or threatening employees to adhere to it. No matter how well-designed your system is, workers will rebel against the tyranny, and accidental and negligent insiders will slip through cracks and fall behind blind spots. And a savvy insider, someone with malicious intent, will study your organization, find out what works and what doesn’t, and exploit the vulnerabilities. A professional fraudster is nearly impossible to stop. Determined actors will always find a way through or around a compliance system to do whatever it is they’re bent on doing.”
“While I don’t advise people to be suspicious all the time, being alert and skeptical, especially in the financial sector, are useful traits. There are negligent insiders—people who wind up causing harm—and malicious insiders—those who are oriented to willfully inflict damage. Both present risks. But different personality types make it challenging to spot the differences. For instance, someone who comes asking for guidance and permission—‘can I do this or that?’—presents as a dutiful, ethical employee, maybe even a goody-two-shoes. But that could be a deception. It could be somebody testing, probing defenses and soft spots to find out what compliance leaders can or will pay attention to, what your bandwidth and tolerances are, how vigilant or interested you are, and what you’ll let pass. It can be a clever way to deflect attention. You think: ‘This person is concerned with doing the right thing, so there’s no need to be suspicious or worried.’ Maybe. But also, unfortunately, maybe not. And it’s not simple or easy to determine which it is, or develop systems to contend with both.”