Search results

1 – 10 of over 28000
Article
Publication date: 1 January 1997

Isaac Alfon

Abstract

The increasing use of cost‐benefit analysis (CBA) in financial regulation is bringing a sharper focus on the benefits conferred by regulation. This paper addresses the impact of that sharper focus on the compliance culture of regulated firms. Why focus on the benefits of regulation? What does CBA have to offer to the compliance culture of authorised firms? How does the introduction of CBA fit in with other developments in the regulatory arena? This paper offers some tentative answers to these questions.

Details

Journal of Financial Regulation and Compliance, vol. 5 no. 1
Type: Research Article
ISSN: 1358-1988

Article
Publication date: 1 January 1996

Dan Jenkinson

Abstract

There is much talk of ‘compliance culture’ and, latterly, ‘compliance ethos’ and it is generally assumed that this is a good thing, by definition. This paper suggests that the existence of a compliance culture is never in doubt — all firms have one, the question is what is its orientation? The paper proposes three possible states of a compliance culture and suggests some qualitative measures of a positive or pro‐compliance culture. The paper is an extract from a submission made to NatWest Life's Audit and Compliance Committee in February 1995.

Details

Journal of Financial Regulation and Compliance, vol. 4 no. 1
Type: Research Article
ISSN: 1358-1988

Article
Publication date: 23 March 2022

Eric Amankwa, Marianne Loock and Elmarie Kritzinger

Abstract

Purpose

This paper aims to examine the individual and combined effects of organisational and behavioural factors on employees’ attitudes and intentions to establish an information security policy compliance culture (ISPCC) in organisations.

Design/methodology/approach

Based on factors derived from the organisational culture theory, social bond theory and accountability theory, a testable research model was developed and evaluated in an online survey that involves the use of a questionnaire to collect quantitative data from 313 employees, from ten different organisations in Ghana. The data collected were analysed using the partial least squares-structural equation modelling approach, involving the measurement and structural model tests.

Findings

The study reveals that the individual measures of accountability – identifiability (2.4%), expectations of evaluation (38.8%), awareness of monitoring (55.7%) and social presence (−41.2%) – had weak to moderate effects on employees’ attitudes towards information security policy compliance. However, the combined effect showed a significant influence. In addition, organisational factors – supportive organisational culture (15%), security compliance leadership (2%) and user involvement (63%) – showed positive effects on employees’ attitudes. Further, employees’ attitudes had a substantial influence (65%), while behavioural intentions demonstrated a weak effect (24%) on the establishment of an ISPCC in the organisation. The combined effect also had a substantial statistical influence on the establishment of an ISPCC in the organisation.

Practical implications

Given the findings of the study, information security practitioners should implement organisational and behavioural factors that will have an impact on compliance, in tandem, with the organisational effort to build a culture of compliance for information security policies.

Originality/value

The study provides new insights on how to address the problem of non-compliance with regard to the information security policy in organisations through the combined application of organisational and behavioural factors to establish an information security policy compliance culture, which has not been considered in any past research.

Details

Information & Computer Security, vol. 30 no. 4
Type: Research Article
ISSN: 2056-4961

Article
Publication date: 7 October 2020

Grant Solomon and Irwin Brown

Abstract

Purpose

Organisational culture plays an important role in influencing employee compliance with information security policies. Creating a subculture of information security can assist in facilitating compliance. The purpose of this paper is to explain the nature of the combined influence of organisational culture and information security culture on employee information security compliance. This study also aims to explain the influence of organisational culture on information security culture.

Design/methodology/approach

A theoretical model was developed showing the relationships between organisational culture, information security culture and employee compliance. Using an online survey, data was collected from a sample of individuals who work in organisations having information security policies. The data was analysed with Partial Least Square Structural Equation Modelling (PLS-SEM) to test the model.

Findings

Organisational culture and information security culture have significant, yet similar influences on employee compliance. In addition, organisational culture has a strong causal influence on information security culture.

Practical implications

Control-oriented organisational cultures are conducive to information security compliant behaviour. For an information security subculture to be effectively embedded in an organisation's culture, the dominant organisational culture would have to be considered first.

Originality/value

This research provides empirical evidence that information security subculture is influenced by organisational culture. Compliance is best explained by their joint influence.

Details

Journal of Enterprise Information Management, vol. 34 no. 4
Type: Research Article
ISSN: 1741-0398

Article
Publication date: 8 October 2018

Eric Amankwa, Marianne Loock and Elmarie Kritzinger

Abstract

Purpose

This paper aims to establish that employees’ non-compliance with information security policy (ISP) could be addressed by nurturing ISP compliance culture through the promotion of factors such as supportive organizational culture, end-user involvement and compliance leadership to influence employees’ attitudes and behaviour intentions towards ISP in organizations. This paper also aims to develop a testable research model that might be useful for future researchers in predicting employees’ behavioural intentions.

Design/methodology/approach

In view of the study’s aim, a research model to show how three key constructs can influence the attitudes and behaviours of employees towards the establishment of security policy compliance culture (ISPCC) was developed and validated in an empirical field survey.

Findings

The study found that factors such as supportive organizational culture and end-user involvement significantly influenced employees’ attitudes towards compliance with ISP. However, leadership showed the weakest influence on attitudes towards compliance. The overall results showed that employees’ attitudes and behavioural intentions towards ISP compliance together influenced the establishment of ISPCC for ISP compliance in organizations.

Practical implications

Organizations should influence employees’ attitudes towards compliance with ISP by providing effective ISP leadership, encouraging end-user involvement during the draft and update of ISP and nurturing a culture that is conducive for ISP compliance.

Originality/value

The study provides some insights on how to effectively address the problem of non-compliance with ISP in organizations through the establishment of ISPCC, which has not been considered in any past research.

Details

Information & Computer Security, vol. 26 no. 4
Type: Research Article
ISSN: 2056-4961

Open Access
Article
Publication date: 21 December 2021

Martin Karlsson, Fredrik Karlsson, Joachim Åström and Thomas Denk

Abstract

Purpose

This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers.

Design/methodology/approach

The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy.

Findings

The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance.

Research limitations/implications

The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance.

Practical implications

Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite of an internal focus, that may have negative ramifications for the information security of organizations.

Originality/value

Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

Article
Publication date: 19 January 2023

Kiara Jordan Butler and Irwin Brown

Abstract

Purpose

The purpose of this preliminary empirical research study is to understand how environmental disruption such as brought on by the COVID-19 pandemic induces shifts in organisational culture, information security culture and subsequently employee information security compliance behaviour.

Design/methodology/approach

A single-organisation case study was used to develop understanding from direct experiences of organisational life. Both quantitative and qualitative data were collected using a sequential mixed methods approach, with the qualitative phase following the quantitative to achieve complementarity and completeness in analysis. For the quantitative phase, 48 useful responses were received after a questionnaire was sent to all 150–200 employees. For the qualitative phase, eight semi-structured interviews were conducted. Statistical software was used to analyse the quantitative data and NVivo software was used to analyse the qualitative data.

Findings

The pandemic-induced environmental disruption manifested as a sudden shift to work-from-home for employees, and relatedly an increase in cybercrime. The organisational response to this gave rise to shifts in both organisational and information security culture towards greater control (rule and goal orientations) and greater flexibility (support and innovation orientations), most significantly with information security culture flexibility. The net effect was an increase in employee information security compliance.

Originality/value

The vast literature on organisational culture and information security culture was drawn on to theoretically anchor and develop parsimonious measures of information security culture. Environmental disruptions such as those caused by the pandemic are unpredictable and their effects uncertain, hence, the study provides insight into the consequences of such disruption on information security in organisations.

Article
Publication date: 1 October 2005

Jeffrey C. Morton

Abstract

Purpose

To provide the investment management industry with a summary of the expectations of the Securities and Exchange Commission (SEC)'s examination staff with regard to the development of a culture of compliance.

Design/methodology/approach

A review of certain elements identified by an SEC staffer that are necessary for a firm to have a strong and effective control environment and culture of compliance was carried out. The article explores a firm's strategic vision or “tone at the top,” risk identification, establishment of controls, documentation, accountability and self reporting, and cooperation.

Findings

Confirmation that a firm's success in establishing a culture of compliance is difficult to prove and harder to document. However, an understanding of the concept of developing a compliance culture can allow compliance officers to demonstrate a commitment to ethical and compliant practices.

Originality/value

The SEC's new inspection program evaluates each firm's commitment to compliance and moral and ethical practices. This article provides a basic understanding of the minimum expectations of the SEC's inspection staff.

Details

Journal of Investment Compliance, vol. 6 no. 4
Type: Research Article
ISSN: 1528-5812

Article
Publication date: 16 August 2022

Fabian Maximilian Johannes Teichmann and Chiara Wittmann

Abstract

Purpose

The concept of compliance is in danger of becoming obsolete as a result of its generalization and overuse. This paper aims to refine the concept of a culture of compliance and its effective implementation in association with financial regulations, in line with the societal expectations of compliance.

Design/methodology/approach

This paper begins by assessing the watershed reconception of compliance in light of the Global Financial Crisis of 2008 (GFC). The influence of financial incentivization and structural weakness is highlighted above all. Recommendations focusing on the significance of the corporate context are made from this and viewed in relation to the growing relevance of compliance in regulating cyberspace.

Findings

Individuals and their decision-making are heavily influenced by the culture of their environment. Clearly defining the values behind regulations encourages employees to follow the rules based on the principles that underlie them rather than out of fear of punishment, risk aversion or a sense of the “tick-box” duty. This contributes to the longevity of healthy compliance rather than a compliance fatigue.

Originality/value

By casting a look back at the development of compliance, the modern social expectations of compliance can be elucidated and, in turn, translated into mechanisms for corporations to effectively use. The literature on compliance has grown substantially but often limits itself to commentaries on the history of non-compliance or sector-based investigations. Hinged between the past and future of compliance, this study contributes to bridging a considerable gap in the literature by using a wider lens and positive redefinition of compliance.

Details

Journal of Financial Crime, vol. 31 no. 1
Type: Research Article
ISSN: 1359-0790

Article
Publication date: 2 May 2017

Daniel A. Nathan

Abstract

Purpose

To analyze FINRA’s focus on broker-dealer culture in its 2016 annual priorities letter and the application of the concept in FINRA disciplinary proceedings, to explain how that focus will affect FINRA’s examinations of firms, and to provide recommendations as to how a firm can develop or improve its culture of compliance.

Design/methodology/approach

This article examines FINRA’s current and historic pronouncements about “culture” in speeches, guidance, and decisions in disciplinary proceedings, and looks for common themes that should guide broker-dealers’ compliance.

Findings

This article concludes that even if the focus on culture might be regarded as an unnecessary overlay to the panoply of securities laws and regulations to which broker-dealers already are subject, firms should still take it seriously. It is now a focus of FINRA examinations for the purpose of fact-gathering, but FINRA might well elevate their concerns about culture into examination findings or worse.

Originality/value

This article gathers together all available information about the concept of firm “culture” and examines what aspects of the current focus represent legitimate concerns, and what aspects are unnecessary. The article takes the best of the guidance about culture and offers suggestions about how to improve a firm’s culture and, correspondingly, its compliance.

Details

Journal of Investment Compliance, vol. 18 no. 1
Type: Research Article
ISSN: 1528-5812
