UK SOX: five ways culture will be the key to compliance

With a UK version of the Sarbanes-Oxley (SOX) Act looming, what do business leaders need to consider when it comes to the culture of their organisation? We discuss why it matters and how to go about looking at it.

We believe there are two key points to consider when looking at culture and its role in driving compliance with regimes like UK SOX:

1 building a culture that understands and complies with the new requirements

2 embedding that culture to build consistency and alignment, reducing risk

So, what's the difference between just implementing a UK SOX plan and building SOX compliance into your culture?

Five steps for embedding a UK SOX culture

It's easy to just run your implementation plan as a project and step back, having delivered. But building a culture is more challenging and rewarding.

Building a compliant culture requires more focus and engagement across your organisation, but it's a longer lasting and more robust method of ensuring compliance.

Both methods require a clear plan, an understanding of what's needed, the goal your organisation wants to achieve, and how you measure success. But building a culture also needs to be clearly linked to your organisation's strategy itself, to which good governance that aligns with your organisation's values can be added.

Once this is done, there are then five key elements to consider:

1 Leadership and accountability

Leadership needs to take both demonstrable and personal accountability for your new culture. This involves communicating regularly and - crucially - as an ongoing part of how leaders speak to employees.

Leaders should act as role models for the required behaviours and recognise these in others.

2 Setting objectives

You should engage HR to ensure that objectives are set across your organisation in your performance management cycle and that these are reflected consistently in reviews and on into remuneration, both fixed and variable.

HR also needs to make sure that talent discussions and succession plans include those individuals who are role models for your new culture.

3 Learning and development

The new requirements need to be incorporated into learning programmes, including induction. And promotion decisions need to assess the understanding and role modelling of the requirements.

4 Embedding into core business activity

Consider how all this reaches across your organisation. For example:

  • Procurement should assess the need to embed in your supply chain, both in selection of suppliers and in their ongoing management
  • Any project or programme managers need to understand the requirements and build them into any transformation or other changes going forward
  • Members of steering committees or working parties need to watch for the changes and ensure compliance is monitored and measured
  • Risk and compliance teams need to work to incorporate the new requirements fully into the second line
  • Internal audit needs to consider risk assessments and audits
  • And so on

5 Communicating

Finally, both internal and external communication teams need to incorporate the requirements and any nuanced change of values on your corporate website, intranet, and other communications.

Using UK SOX to build a better culture

If you have a fully embedded culture, you'll be familiar with the need for the routes outlined above and will understand the consistency and alignment that it brings.

For those that still have some of this journey to go, using the need to embed the new requirements into your overall desired culture more fully can have benefits that go significantly wider than UK SOX requirements.

For support with embedding UK SOX compliance into your culture, get in touch.
