Culture & Compliance Chronicles: Navigating Corporate Culture and Risk

June 12, 2024
31:34 minutes

Welcome back to the Culture & Compliance Chronicles, a podcast series brought to you by Ropes & Gray’s Insights Lab and Front-Line Anti-Bribery. Join Amanda Raad, co-leader of R&G Insights Lab and the firm’s global anti-corruption and international risk practice, Nitish Upadhyaya, R&G Insights Lab director of behavioral insights, and Richard Bistrong, an ethics and compliance consultant and CEO of Front-Line Anti-Bribery as they explore the constantly evolving challenges faced by professionals worldwide in managing risk and compliance. On this episode, they reflect on past developments, current trends, and the future of compliance. They also discuss the significance of culture in regulatory practices and how businesses can effectively integrate behavioral science, cultural psychology, and data visualization to address compliance challenges. Tune in to better understand how culture influences decision-making and the importance of listening to employees to foster an ethical workplace.


Amanda Raad: Hi, everybody. We are back with Culture & Compliance Chronicles, brought to you by Ropes & Gray’s Insight Lab. I’m Amanda Raad. I am one of the leaders of R&G Insights Lab and also Ropes & Gray’s anti-corruption and international risk practice. As you’ll see, our partner Richard Bistrong of Front-Line Anti-Bribery is here as well. Some of you may remember way back when, when we started out with this podcast trying to think about developments in compliance and managing risk, and talking to professionals all over the world about how they were trying to deal with some of these kinds of constantly moving targets and new challenges. Everything that we talked about always came back to one thing: the word “culture.” As you all know, that word is still front and center for so many of us, not just the regulators and enforcement authorities today, but also all of our clients, colleagues, and peers. And so, here we are—we are back ready to add some new chapters to the Culture & Compliance Chronicles. We’re joined by our co-host here, R&G Insights Lab director of behavioral insights, Nitish. Nitish, I’ll have you introduce yourself.

Nitish Upadhyaya: Thanks so much, Amanda. I’m really excited to be a part of this latest round of the Chronicles. I’m a lawyer by background. I’ve also been an innovation lead. I have an academic background in behavioral science. But my biggest interest is in using mixed methods—so not just behavioral science but cultural psychology, data visualization, and other techniques—to try and change the way in which we think about the world of compliance and conduct. I’m lucky at the Lab to work with so many incredible people in these spaces, like Dr. Caitlin Handron and David Yanofsky who bring their own unique perspectives to what we do.

When we all talked about this idea for the update to the series, I had asked you a little bit about where this all started. I know there are all of these different unique disciplines in how you got started. We’re going to give everyone a chance to hear that story, and then we’ll talk more about where we’re seeing culture intersect with compliance. Spoiler: it’s everywhere. I think one of the first collaborators that you had when we started this series is Richard Bistrong, who is chief executive officer of Front-Line Anti-Bribery. We’re delighted to be partnering with him again, and this collaboration for these Chronicles will be a joint effort between the two of us. I think I’m intrigued to hear Richard’s views on where we were, where we are now, and where we might end up. Welcome, Richard.

Richard Bistrong: Nitish and Amanda, thank you so much for the introduction. What a pleasure to rejoin the Culture & Compliance Chronicles—this is so exciting. Just speaking on a more personal side, Amanda has been so inspirational in my own journey from corruption to compliance. I’m reticent to date when we first started talking to each other because I don’t want to age ourselves, but I think it was around 2016 when I saw a piece written by Amanda on behavioral science and what inspires and influences ethical decision-making. At that time, Nitish, that wasn’t what people were talking about. It was more like, “How do we dissect the last enforcement action,” and, “How do we pull apart the DOJ’s evaluation of corporate compliance programs?” It was still so much of a ‘let’s view compliance through a criminal law’ lens. When I saw Amanda’s piece on, “Maybe we should talk about the human aspect of it,” I was just so intrigued, and there, we connected and started talking about it, and since then, have had the chance to podcast in London and New York. Again, such a pleasure to virtually meet you finally, Nitish, and so excited to restart and reengage our discussion today.

Amanda Raad: I think you’re exactly right, Richard. I think it was about 2016, which is extraordinary, honestly, when you think about all that has happened in the world since we first met. I love that we are back talking about this because I think so much has changed, and I feel like we’ve predicted some things and hopefully been a part of the conversation around some of these really important topics. So, I can’t wait to explore this together.

Nitish Upadhyaya: Let’s dive in. Tell me what you were talking about so many years ago. I’m intrigued because behavioral science was still—at least in the private sector—a new offering. People were thinking about different tool sets to identify misconduct. Talk me through the thought process and bring some of the listeners up to speed—maybe they weren’t aware of the Chronicles prior to this newest release.

Amanda Raad: It was probably right around the early days when I met Richard—probably 2015 or 2016—that we really started to explore in some of our client-facing work the role that data (and large amounts of data and understanding data), along with behavioral science could play in compliance. Like you said, we were looking around in the world and it was clear that corporations all over the world were using data and behavioral science expertise for all kinds of reasons but very rarely (if at all) for compliance and risk management. There was a lot of research out there around why behavioral science could be a very important and helpful tool to use in the compliance and risk management space, but there wasn’t much translating that research into practice. On a personal level, I was a psychology undergrad—I was signed up to get my PhD at the same time as I was exploring law school. It was near and dear to my heart—I was always fascinated by this. And so, trying to really figure out and explore, “Is there something here? Can we bring together the legal work that we do with the human element and these behavioral science theories, and can we do something here?”

Around that same time, I had an incredible client engagement where we worked with a behavioral scientist and made a real impact, and we also launched a huge research study where we partnered with FT Remark and surveyed executives all over the world about their thoughts on data and behavioral sciences in the risk and compliance space. The punch line really was people were interested, they heard about it, they had no idea how to use it or implement it, but they were curious. That was a launching pad, where Richard and I started exploring that in a whole array of situations. Maybe I’ll turn over to Richard for his memory, to see if it hopefully aligns with mine a little bit in those early days because it was a long time ago.

Richard Bistrong: Indeed. I think we all are a fan of Benjamin van Rooij, the co-author of The Behavioral Code (we’ll put some links to these books that we reference in the show notes). One thing that Benjamin talks about is there’s this deep academic peer-reviewed research on human behaviors. We have the lawmakers, the regulators, and then we have compliance leaders. As he recently pointed out, they tend not to talk to each other and to share what’s going on. I think, Amanda, that’s what we started to do back in 2016, where there were wonderful books like Blindspot, for example, and they really helped to explain through research, through data, what inspires and influences people and what are some of the biases that we are subject to, because as shared in Blindspot, the worst part of blind spots is that they convince us that we don’t have any. I think going back to 2016, we started talking about things like optimism bias, loss aversion, escalation of commitment, and all these—what might have been considered—sociological abstract terms. But how does that interplay with a workforce that might have had robust compliance training and tasked with aggressive commercial success in—what we might think of as—volatile and high-risk parts of the world? What does that feel like? What does that look like? What influences decision-making in those situations? I think our paradigm is—and Benjamin also has talked about this—if we think we’re not subject to risk is when risk sneaks up on us. So, I think that’s how it started, and then from there, Nitish, the Lab was instrumental in really starting to bring these fields together and to demonstrate how data, behavioral science, and compliance initiatives, all can speak to each other, intertwine, and interlock for the benefit of the organization and also for the benefit of the Richard Bistrongs out there in the world—the people that are working, living, and tasked with success in the middle of risk.

Nitish Upadhyaya: It’s such an interesting concept that it started with and fascinating to see how it’s developed. There are so many little threads that I could pull on there, and thinking about where we are now is probably the next place to take this. My question really is: Has anything changed? Are we still talking about using some of these mixed methods, not just behavioral science, but cultural psychology? Are they still buzz words in this piece or have things really moved on, and have we gone from novices to maturing as a compliance industry? What do you think?

Amanda Raad: We definitely started as novices for sure. Practically speaking, we could find like-minded people way back then, and we could find people that wanted to hear what we had to say and would join a discussion about it. But to actually find anybody that was really going to roll up their sleeves and say, “This is actually something of a priority issue for us that we actually have to figure out and want to figure out as a matter of priority,” that wasn’t really there. Then COVID hit, and there were so many priority things. Where I think we are now is in part aided by the regulators—it helps. It really does help that they’re telling us we have to figure this out and we can’t wait on them to tell us how to do this. The regulators want us to understand culture. They want us to find compliance solutions that actually work. In part because of all of those reasons and probably because people realize this stuff actually works, it’s moved up the agenda, and so, now, it feels like we have the ear of decision-makers in a way that we didn’t several years ago. We may have had the ear of many people working in this space but not those that control budget and were able to actually utilize some of these tools. I think we are getting there. We are not there. There is so much more that can be done, and I think will be done over time, but I think we have made really meaningful progress.

Richard Bistrong: I would echo that. One of my favorite—I think I’m just going to call them—“Amanda-isms,” to coin a new term, is your thoughts about we can’t expect individuals to keep up with this tsunami of regulations that are out there—it’s impossible, and there are more and more. Speaking to our European colleagues, there are new directives coming out. The DOJ has a constant stream of new guidelines and all of their pronouncements. How can we expect someone who’s working in the field to keep up with that? It’d be impossible for them to do their commercial work and keep up with that tsunami. So, I think what we have started to see is a shift to having culture as opposed to policies, rules, and procedure guide the workforce and guide and lead compliance programs. There’s a piece of LRN research—they’ve been tracking this for 10 years and it’s on their Program Effectiveness Report—we see greater differential now on the growth of culture being used to inspire and influence as opposed to policies, rules, and procedures. In my client work when I review codes of conduct, what I love to see—and I’m seeing more and more of it—is on page one, “There is not a rule for everything. This code cannot describe every situation that you will face. Most important is to think about our values, our mission, our purpose, and to call us if you have a question.” And, to me, that’s the most important statement and the most important reflection that we are moving toward more of a culture-centric than a criminal-law-centric approach to ethics and compliance and responsible ethical conduct and decision-making. So, it is a journey, but I love the direction that we’re heading in.

Nitish Upadhyaya: I think that’s one of the reasons why I said “maturing” because in some areas, such as senior leadership buy-in or even talking about culture, we’re certainly seeing big strides. On the flip side, I think then you dive into other rabbit holes. How do people actually interact with culture? Are they thinking about things at face value? Is culture just tone from the top, which again, in my view it’s not. It’s the patterns that are exhibited in the organizations, and those patterns are ever-changing. These organizations are complex systems, and every single interaction you’re making within them is changing the decision-making, the behaviors of individuals or groups within that organization. So, I think while the overall direction of travel is really exciting, we now have a lot of work to do in some of these key areas, like culture, to become experts and start to mature. How are you seeing people do that, I guess, is probably the next question?

Amanda Raad: As you were talking about the rabbit holes and the different places we can and should be going, I do think there’s still a little bit of reluctance to go too deep. And what I mean by that is, if you think about where companies were even with risk assessments 10 years ago, there was still a little bit of hesitancy for when you would do a proactive risk assessment because really people would tell you they were slightly afraid of what they might find. “So, we do this risk assessment. We find X, Y, or Z. Then what? What if we don’t do enough about it and then that is somehow used against us?” That was a real thing that concerned people. I think we’re there now on culture, in the sense that people want to use this but they’re afraid of what they’re going to find if they go too deep and afraid that it’s going be used against them. And so, I know we’ll get to the right place because we did in the risk assessment space—we do still have those discussions sometimes—but I think it’s going to take some time.

Richard Bistrong: Again, the key word being “maturity.” I think one of the areas where there’s some growth for maturity is there’s still—and there are a number of different research pieces that talk about—the leadership divide. When leaders are surveyed about how they feel about their culture, they’re scoring, Nitish, pretty high. They think, “We’ve got great culture.” Then, when you take that same set of questions in middle level management, it’s not quite as optimistic. And then, when you move down further into the org chart, it becomes less so. So, there does seem to be a little bit of room for growth in empowering middle level managers to think that the culture is as wonderful and great as their senior level managers do. I think there’s a little bit of room for maturity to make sure that culture and responsible leadership isn’t getting frozen in the middle of the organization. Those middle level managers are key to this entire enterprise. As I learned both as former commercial Richard and current compliant Richard, those middle level managers control culture. You can take the best tone at the top and those middle level managers can turn the volume up on that both internally and externally as it goes through the organization, but they can also discard, dilute, and discount culture not because they want to do anything wrong but because they want to get the business done. They’re distracted—they’re trying to recapture market share and they’re like, “No. Let’s turn the volume up on, ‘Get the business done.’ We don’t have to worry about how we’re getting it done right now.” So, I think those middle level managers are key in making sure that culture doesn’t get diluted as it moves through the org chart.

Nitish Upadhyaya: I think it’s such an interesting point. When I’m thinking about culture change and talking to clients about culture change, I often, much to their surprise, say, “We’ll do it middle-bottom-top.” People are so used to saying, “We need the senior leaders. We need to be talking about things in town halls or large communications.” But they often forget that middle managers sit at this real cusp, like you said, Richard. And to add to your point, they’re also sometimes a filter because they don’t let things get up to top management. You speak to senior management, and they say, “What? That happens at my business? I had no idea.” Because they don’t have the time or the ability to listen in at the stories that employees are telling. I think, Amanda, you mentioned that reluctance sometimes of people to go deeper, certainly part of the risks of doing so, but I think there’s also a reluctance, which is cracking slowly, about using not just quantitative methods but also qualitative methods, starting to think carefully about, how do I allow my employees’ voices to be heard? How do I take the power of narratives and ultimately the stories that people are telling at the water cooler, which, for me, are indicative—more than anything else—of culture, and how do I take a slightly more nuanced view of those stories and the context that they give me in the data that I’m seeing in my whistleblowing reports, in my retention figures, in my productivity or my complaint statistics? All of those things, I think, need to be taken together, which brings us to some of the bigger issues maybe that we’re seeing at the moment.

Over the last few years, we’ve seen regulators and enforcement authorities definitely talk about culture more in their speeches, in how they’re going about evaluating conduct. We’ve also seen a real growth in industry players talking about culture, in surveys, at conferences, or trying to get that word out there. What are some of the key trends that you folks are picking up on going forward—given we’ve talked about where we were and where we are now—where culture is going to play a really important role in the compliance world?

Amanda Raad: Circling back to the regulators, I think they’re using the word “culture” for the same reason that we launched the Insights Lab—that is to use it as a vehicle to bring together a lot of different risk areas and to have a forum for talking about why certain behavior and conduct is happening and how you can potentially impact certain behavior or conduct, so how you can really move the needle. We’ve known for a long time that regulators expect us to have a healthy speak-up culture, to have protections of whistleblowers, to have detective and investigation procedures that allow us to spot proactively issues and respond to issues when we see them, but most importantly, that we actually know how to fix them. The mediation that we do is perhaps one of the most important areas that a regulator can expect of us because, like Richard said earlier, it’s the people that think they aren’t in a risky situation that you have to really worry about. The truth is if you look at the Corruption Perception Index, and that’s just taking one risk area, there’s no doubt that there is corruption in every global business happening somewhere—that’s just a given. So, the question becomes: How do you identify that? How do you live with that? How do you work with that? And then, how do you actually fix it? What do you actually do to work as safely as you very possibly can? I think that is bringing culture into every one of those components, and that is what we’ve been doing at the Lab. It’s been thinking about: How do you infuse that into your speak-up policies? How do you infuse that analysis into the way you deal with a whistleblower? How do you use that in order to do a root cause analysis based on the investigation that you just did? That whole picture has to take into consideration the people of the organization who are underlying all of this. That also is what moves this all to the top of the agenda versus somewhere else because this isn’t a “nice to have,” this isn’t a fluffy thing—this is a “if you are going to operate on the global stage, you have to figure this out,” and really the best way to figure this out is to just roll up your sleeves and figure out what’s going on with your culture and infuse it into everything you’re doing. That’s where I want us to be. I don’t know that that’s where we are, but that’s where I think we need to be.

Richard Bistrong: Great points. I’m going to remember, Nitish: middle-bottom-top. When I think about culture, I was talking to a client and I asked him, “What’s different now in your compliance and ethics initiatives than 15 years ago?” And he said, “15 years ago, we were focused on the prevention and the detection of misconduct mostly for people who were trying to gain the system for themselves,” which was probably about right because that’s when we started to come into the tsunami of regulations. He said, “Now, it’s much more challenging because now we’re trying to figure out how to prevent and detect (what might be considered) well-intentioned misconduct because people are thinking that their decisions are benefiting the organization and taking the wrong ethical path. That’s much more difficult than the bad actor or bad apple syndrome because now you have people that think they’re doing the right thing to help the organization. So, it might be worth in the future exploring how do you influence people that might be taking a well-intentioned ethical misstep thinking that they’re doing the right thing—that’s complex.

I think the other thing in this journey—we can date ourselves, we’re in June 2024—think about the global, political, economic, and social tension, anxiety and stress that exists out there right now and what are leaders focused on? They’re focused on how to navigate that. How do they continue market share, where logistics or supply chains might be disrupting their operations? Getting their attention to be the ones that are setting ethical expectations to the organization, from what I have seen, it’s becoming more difficult. You might have a two-day global leadership meeting: “Here’s what we did last year. Here’s what we’re going to do next year. Here are our goals. Here are our challenges. We want to hear from ethics and compliance as well. We’ve given them 30 minutes over two days.” I think it’s becoming a little bit more of a compliance challenge and leading to a little bit of compliance fatigue. How do we get our business peers to appreciate that their voices sound so much louder than ours do when it comes to setting ethical expectations? So, I think enabling and empowering that voice of business in a time of economic, social, and political turmoil is also a challenge.

I think the third leg on this tripod would be we’re talking a lot about whistleblowing, we’re talking a lot about speaking up, and this is something that I learned from another mutual friend and fan of ours, Michaela Ahlberg, who was the co-author of The Grey Zone. If you think about whistleblowing, if you’re thinking about speaking up, and you’re thinking about open-door policy, who’s the pressure on? The pressure is on the person to speak up. The pressure is on the person to walk through the door. The pressure is on that person to blow the whistle. Why aren’t we spending more time on how to be better listeners and take some of the pressure off of the individual and show that we really do care what they have to say beyond an open-door policy? Again, potential point for future discussion.

Nitish Upadhyaya: Absolutely. There’s such richness in even just that single point. The focus that people have on individuals when it comes to misconduct or when it comes to values, we often find people forget about the organizational structure in which all of these folks operate in. We use a framework from cultural psychology called the “Four I’s” to try and help us get out of that mindset that it’s the individuals. Yes, the individuals are one part of that but also you have the ideas in the organization, you have the interactions between people, and you have the institutions, policies, and procedures—all of these things contribute to culture in the organization. And so, when we’re talking about something like whistleblowing, it is so very reductive to think about putting the burden on one person or creating one channel. I think that understanding of all of this as a much wider complex ecosystem is something that is funneling through slowly across our peers and I’m really excited to talk more about.

For those of you who are interested, the “middle-bottom-top” comes out of research done by Dave Snowden and the idea of complex adaptive systems. That’s where I want us to get to in the compliance space is treat our organizations in that way—and suddenly, we have a whole other situation of levers and options available to us to support individuals to do the things that they want to do and to then create some of the dampening effects on bad behavior or the opportunities for things that don’t quite align with the way in which the company wants to work through. So, I think there’s just a lot there, and I’m excited for the next number of episodes to dive into this and things that other people would like us to talk about—we’ve set the scene for where we’re going to go.

Thank you for all of our listeners for tuning in to the latest version of the Culture & Compliance Chronicles series. For more information, as Richard said earlier, about all of the points that we’ve talked about, there are going to be links to papers, ideas, and thoughts in the show notes. And we’d love you to subscribe to the series wherever you regularly listen to your podcasts, including Apple and Spotify. We’ll all be back soon for our very next chapter. If you have thoughts on what you’d like to raise or controversies that you’d like us to explore, then let us know—we’d love to hear from you. Thanks again for listening and see you all very soon.

Show Notes

The Behavioral Code, (van Rooij, Fine):

Why High-Performers are More Subject to Ethical Risks (Carucci, Denham-Smith, Bistrong):

LRN’s 2024 Program Effectiveness Report:

Granularity, Abstraction & Coherence (Snowden):

How Leaders Change Culture Through Small Actions (Snowden):

Richard Bistrong
Ethics and Compliance Consultant; CEO, Front-Line Anti-Bribery LLC
See Bio
Subscribe to Culture & Compliance Chronicles Podcast