UK SOX: five ways culture will be the key to compliance
28 May 2021
With a UK version of the Sarbanes-Oxley (SOX) act looming, what do business leaders need to consider when it comes to the culture of their organisation? We discuss why it matters and how to go about looking at it.
We believe there are two key points to consider when looking at culture and its role in driving compliance with regimes like UK SOX:
1 building a culture that understands and complies with the new requirements
2 embedding that culture to build consistency and alignment, reducing risk
So, what's the difference between just implementing a UK SOX plan and building SOX compliance into your culture?
Five steps for embedding a UK SOX culture
It's easy to just run your implementation plan as a project and step back, having delivered. Building a culture is more challenging, but also more rewarding.
Building a compliant culture requires more focus and engagement across your organisation, but it's a longer-lasting and more robust way of ensuring compliance.
Both methods require a clear plan, an understanding of what's needed, the goal your organisation wants to achieve, and how you will measure success. But building a culture also needs to be clearly linked to your organisation's own strategy, so that good governance aligned with your organisation's values becomes part of it.
Once this is done, there are then five key elements to consider:
1 Leadership and accountability
Leadership needs to take both demonstrable and personal accountability for your new culture. This involves communicating regularly and - crucially - as an ongoing part of how leaders speak to employees.
Leaders should act as role models for the required behaviours and recognise these in others.
2 Setting objectives
You should engage HR to ensure that objectives are set across your organisation in your performance management cycle, and that these are reflected consistently in reviews and on through into remuneration, both fixed and variable.
HR also needs to make sure that talent discussions and succession plans include those individuals who are role models for your new culture.
3 Learning and development
The new requirements need to be incorporated into learning programmes, including induction. And promotion decisions need to assess the understanding and role modelling of the requirements.
4 Embedding into core business activity
Consider how all this reaches across your organisation. For example:
Procurement should assess the need to embed in your supply chain, both in selection of suppliers and in their ongoing management
Any project or programme managers need to understand the requirements and build them into any transformation or other changes going forward
Members of steering committees or working parties need to watch for the changes and ensure compliance is monitored and measured
Risk and compliance teams need to work to incorporate the new requirements fully into the second line
Internal audit needs to consider risk assessments and audits
And so on
Finally, both internal and external communication teams need to incorporate the requirements and any nuanced change of values on your corporate website, intranet, and other communications.
Using UK SOX to build a better culture
If you already have a fully embedded culture, you'll be familiar with the routes outlined above and will understand the consistency and alignment they bring.
For those that still have some of this journey to go, treating the need to embed the new requirements as an opportunity to develop your overall desired culture more fully can bring benefits that go significantly wider than the UK SOX requirements themselves.
For support with embedding UK SOX compliance into your culture, get in touch.