Of course, trusting your staff to comply is one thing. But regulators want to see cold, hard evidence that this is really happening.
"It's easy to say you have the right culture," says Moffatt, "but very hard to evidence it. You've got to match the statements that you make to the culture that actually exists in your business, and that's quite a learning curve for some senior managers."
"First off," says Rasmussen, "you need good policy management. Communication, training, and also the ability to track who has actually read your policies."
But that's only the start. With senior managers now individually accountable for their own areas of responsibility, Rasmussen argues it's also critical to have visibility.
"As a senior manager, if we miss something and the regulator fines us, that fine is going to come out of my personal bank account now. So I need to make sure we're dotting our Is and crossing our Ts... perhaps through a dashboard where I can see at a glance how we're doing in all these different areas."
"Absolutely. And, hand in hand with policy management and training, there's also exception reporting and monitoring across your business, so that you can gather evidence that the things you've written down in your policies are actually being followed, because that's your control environment."