Ethics and compliance risk management
Ethics and compliance management is an ideal model and testing ground for a holistic, enterprise risk management (ERM) approach to risk management. It uses all the ERM components to achieve objectives in all the categories defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This paper examines the five integrated process steps in building a lawful ethical culture - define, prevent, detect, respond and evaluate - providing practical suggestions and real-world examples. The conclusion discusses the bottom-line benefits of ethics and compliance management and how to market those benefits internally to create support for ethics and compliance initiatives.
Ethics and compliance risk management
Sarbanes-Oxley, the amended U.S. Sentencing Guidelines and the investigations by the Department of Justice - all outcomes of this decade's corporate scandals - are representative of a global trend toward more transparent and ethical business operations.
At the same time, new studies, surveys and empirical evidence from companies reveal that stock prices are higher, costs are lower and employees more satisfied at companies with reputations for ethical business practices and good governance. Not surprisingly, CEOs worldwide believe regulatory and reputation risks are the two most significant threats to business1.
In adapting to this new regulatory and legal environment, businesses have begun to move from philosophy to science in their approach to managing their ethics and compliance risk. What is remarkable about this move is that it is not simply a protectionist stance but rather a refocused effort to achieve greater business advantage through improved operations and management. Companies are increasingly recognizing that managing ethics and compliance risk holistically is key to fostering and sustaining a strong ethical corporate culture, and that by acting ethically, they have a greater opportunity to outperform their peers and win in the marketplace.
The enterprise risk management model
Enterprise risk management (ERM) is the process of aligning competitive strategy with the mechanisms that identify, aggregate, mitigate, avoid and transfer risk. The goal is to reduce losses while seizing opportunities. ERM is a disciplined approach to better manage the effects of uncertainty on an organization's capital and earnings. | "More than 90% of executives say they are building or want to build enterprise risk management processes into their organizations."2 Yet implementation is a challenge for most organizations. Ethics and compliance management is a model and testing ground for a holistic, ERM approach to risk management. It uses all the ERM components to achieve objectives in all the categories defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004. 3 (See Figure 1.) | |
 | ||
Ethics and compliance management also addresses the newest, most pressing risks to companies. According to the Economist Intelligence Unit, reputation (which is a function of perceived ethicalness combined with performance) and compliance with regulations are the areas most open to risk facing business today.4 View Figure 2.>>
Events that can damage a company's reputation and problems caused by new or existing regulations are the most significant issues facing business today.5
In theory, ERM guides directors and executives as they coordinate the myriad tasks to identify the potential risks encountered by individual employees, business units, geographic divisions and corporate leadership. The resulting portfolio of risk sets the stage for planning the avoidance, transfer and mitigation of risk so the uncertainty of achieving the expected outcome is reduced. Effectiveness is predicated on a process orientation, proper tools and high-quality information from operating units and individuals. In this regard, the "E" in ERM could just as easily stand for "employee." As the old adage says, an organization is only as good as its people. This is especially true in ethics and legal compliance, where successful management depends as much on how leadership and culture influences employee behavior as on quantifiable controls and procedures.
The ethical health of a company's culture has gained importance due to high-profile business failures where material weakness was found in the control environment. Control environments with strong cultures of compliance are conducive to the minimization of risk (a positive control environment), while those with a culture of non-compliance do little to reduce risk (a negative control environment). Widely accepted control models emphasize the importance of soft controls. The U.S. Sentencing Commission has recognized that compliance is an outcome of ethical behavior and requires a pervasive ethical culture with supporting business processes in place. The newly amended guidelines now require companies to expand their program beyond compliance to "compliance and ethics" as a means to prevent and detect criminal conduct and foster an organizational culture that encourages ethical conduct and a commitment to legal compliance.
An integral component of ERM is to holistically manage ethics and compliance risk to help shape and foster a strong ethical corporate culture. This paper examines the five integrated process steps in building a lawful ethical culture - define, prevent, detect, respond and evaluate - providing practical suggestions and real-world examples. (See Figure 3.) The conclusion discusses the bottom-line benefits of ethics and compliance management and how to market those benefits internally to create support for ethics and compliance initiatives.
 |
Five steps for building a sustainable ethics and compliance process
1. Define ethics and compliance risk
Many companies define their risks during the business planning process, specifically during budgeting. A chief financial officer or risk officer may call upon the heads of a company's operating units and functional areas (human resources, legal, etc.) to identify financial risks associated with their business plans. Legal departments also tend to drive risk assessment because the financial costs of transgressing applicable laws and regulations can be significant.Legal- and financial-driven assessments are good starting points for the holistic approach required to meet new expectations for ethics and compliance. General counsels, compliance officers and risk/financial officers can expand the scope of existing interviews and the types of employees targeted, in order to look beyond legal limits and financial costs to all of the internal and external factors that increase ethics and compliance risk.
Properly defining ethics and compliance risks usually requires two iterations. In the first, the office in charge uses existing knowledge of risks to design a questionnaire or interview process that asks key business-unit employees to evaluate the prevalence of known risks, such as the following:
- Accounting breakdowns, including fraud, inaccurate record keeping, inappropriate record retention or destruction and noncompliance with the requirements of Sarbanes-Oxley
- Business ethics failures, such as the exposure of confidential client information, conflicts of interest and giving and accepting inappropriate gifts
- Employment related risks, like equal opportunity violations, workplace harassment and immigration offenses
- Fair trading laws, which cover price fixing, abuse of dominance and collusion
- Customer and workplace violations, for example, aiding and abetting illegal customer acts and creating unsafe workplace conditions
- Product issues such as product safety failures and intellectual property violations, e.g., patent infringement
In the second iteration, the corporate ethics and compliance team cross-references data gathered from interviews in the business units to build a profile of enterprise-wide ethics and compliance risk. Often the seriousness of business unit risks is visible only to those with enterprise-wide data, who can see how risks from across an organization pool together. For example, assessing the risk of antitrust action generally requires a national picture of operations, and in the case of the European Union, an understanding of the markets of the member states where a company operates. Using this new risk profile to reorganize and expand the interview process, the corporate team returns to the original interviewees and targets additional personnel who may shed light on newly identified risks. The goal is to ensure employees with knowledge of all significant operating units and regions are involved, so that risks unique to particular locations or businesses will not be overlooked. Practically speaking, the majority of risk assessments that are performed today can be classified as locally driven. For example, a business unit may determine that a restrictive gifts policy is critical to the effectiveness of its compliance activities, however, that policy is not likely to be applied to the global organization's policies and practices. Communicating back with local stakeholders provides the organization an opportunity to reinforce the local business unit's role in the global ethics and compliance function. Stated another way, what happens locally impacts the company's ability to achieve overall business objectives and providing greater ownership for managing behavior locally provides advantage for companies in implementing global business plans. |
|
The ethics and compliance team analyzes the responses to the second round of interviews in order to create a ranked list of risks, which includes enterprise-wide issues as well as concerns specific to one operating unit or region. Each risk can then be matched to groups and levels of employees. This risk-employee match list will serve as the foundation of an ethics and compliance program that is specific enough to target individual employees for training and responsibilities.
The dialectic between employee-specific intelligence and enterprise-wide analysis continues for the life of an organization, constantly refining and readjusting the profile of ethics and compliance risk. The amended U.S. Sentencing Guidelines, Sarbanes-Oxley and the philosophies behind them are rooted in this model of constant refinement based on self-assessment. U.S. Sentencing Guidelines §8B2.1 advises judges to examine whether an organization has "periodically assess[ed] the risk of criminal conduct and...take[n] appropriate steps to design, implement, or modify" ethics and compliance programs.8
These guidelines recognize the basic limitation of legal boundaries: it is both impossible and unadvisable to try to create a rule for every situation. Ethical risks in particular, such as conflicts of interest, most often occur in the space between policies. Carefully defining and assessing risks allows companies to anticipate these grey areas and equip employees to make ethical decisions when they encounter them.
2. Prevent ethics and compliance lapses/failures
Past waves of reform focused on preventing misconduct through hard controls - processes and activities that can be objectively measured and quantified, such as controls on access to cash and reconciliations. Among more recent reforms, the U.S. Sentencing Commission, the Securities and Exchange Commission, and Congress have continued to mandate many specific systems and processes. For example, the U.S. Sentencing Guidelines §8B2.1(b)(4)9 names specific steps organizations can take to be considered ethical by the courts, such as periodically communicating with employees about "standards and procedures, and other aspects of the compliance and ethics program" and "conducting effective training programs."The new laws, regulations and guidance, however, also reflect an evolution in regulatory philosophy. When determining fines, conditions of probation, and other punishments for felonies and Class A misdemeanors, federal judges must consider whether an organization has promoted "an organizational culture that encourages ethical conduct and a commitment to compliance with the law."10 Mandating culture is a new approach. It recognizes that laws cannot account for every possibility and therefore requires companies to develop soft controls that prevent unethical behavior, which may or may not be illegal.
Designing a program with both hard and soft controls that prevents ethical and compliance failures begins with an index of existing business values, codes of conduct and compliance guidelines throughout the organization. Companies that have grown quickly or through acquisition should take particular care in comparing policies across regions and business units. When conflicts and gaps arise, company management will have to consult with the legal department and the relevant functions (e.g., human resources) in order to build consistent and comprehensive guidelines for employees.
Best practice: annual self-assessment |
|
The processes and policies in the index should be matched to the risk areas and compliance requirements detailed in the "define" stage of the ethics and compliance process (see above). This matching process is not a one-time event; rather it should recur periodically to expose high-risk areas and gaps in training as changes in regulation and compliance standards create them. Companies should consider implementing feedback loops that maintain constant supervision over business units, job functions and individual employees that matching identifies as high-risk. In the pharmaceutical industry, for example, public scrutiny of sales meetings with physicians has prompted many companies to require that salespeople register each interaction, reporting what and how many samples were provided and what was discussed.
5 Keys to effective education |
|
Nurturing the ethical ecosystem |
|
Codes of conduct |
|
3. Detect noncompliance
Sarbanes-Oxley and the U.S. Sentencing Guidelines requirements for anonymous reporting codify what companies already know from experience - anonymous reporting can reduce misconduct and save money. In its 2004 Report to the Nation on Occupational Fraud and Abuse, the Association for Certified Fraud Examiners found that the median financial loss due to fraud and abuse was more than twice as high among organizations with no anonymous helpline - $135,500 compared with $56,500 in organizations with helplines. The primary reason for the disparity seems to be that "Occupational frauds...were much more likely to be detected by a tip than through other means such as internal audits, external audits and internal controls."15The "procedures for the confidential, anonymous submission by employees...of concerns regarding questionable accounting or auditing matters," called for by Sarbanes-Oxley Section 301, are the foundation of an effective detection system. To retain the trust of employees, fulfill Sarbanes-Oxley, and most effectively respond to whistle-blowers, companies should be able to maintain confidentiality from the initial report through the archiving of a resolved case. Many companies and ethics officers, however, put their reputations and whistle-blower systems at risk when they offer to "do their best" to protect the identity of informants. This offer means little in the context of a regulatory investigation, subpoena or lawsuit that uses the discovery process to request the informant's name. Despite Sarbanes-Oxley, the equivalent of attorney-client privilege does not exist for ethics and compliance officers in the United States.16
United Technologies Corporation has defended the anonymity of whistle-blowers against discovery by routing anonymous communication through ombudsmen. UTC's ombudsmen differ critically from ethics and compliance officers because they are neutral liaisons between the employee and the company. They neither represent management nor consult in the investigations and disciplinary actions that may follow an anonymous tip. As a result, UTC has successfully argued that an ombudsman's files are not official records of company actions. UTC has also made the case for "an implied bilateral contract" between employee and ombudsman that is based on a mutual understanding of confidentiality. If this bilateral contract exists, then both parties must agree to break it. Further support for protection of confidentiality is supplied by the Federal Rule of Evidence 501, "which allows U.S. federal courts to recognize privileges as developed on a case-by-case basis under common law."17
To maintain a cordon of anonymity around an ombudsman or other anonymous reporting mechanism, all the technologies involved must be carefully constructed to avoid recording identifying information. Standard phone lines, chat rooms, instant messaging, and e-mail, for example, generally record information that can be used to identify at least the location of a user. PINs and access codes are also disallowed by Sarbanes-Oxley.18
Whether a company receives an allegation via Internet, letter, conversation, or toll-free phone line, it must first vet the communication. The ability to maintain confidential dialogue with the source allows the ethics officer or compliance specialist to ask follow-up questions that can provide a much more complete picture of the complaint.
This in turn allows faster, more accurate assignment of personnel and resources to address the issue. For global organizations that should maintain reporting processes in multiple languages, confidential, standby translation services also significantly reduce turnaround time.
In the age of globalization, an understanding of local cultures has become ever more important, as companies try to operate worldwide to a consistent standard of performance. Providing convenient access through local languages with locally available technologies and personnel that conform to local law is the second most important element of effective reporting. In France last year, for example, the issue of anonymous reporting appeared to stir memories of occupied France and the Reign of Terror among members of the Commission Nationale de l'Informatique et des Libertes (CNIL). The French data-protection commission refused to authorize anonymous helplines operated by McDonalds France and CEAC (a division of Exide Technologies) citing fears that anonymity could breed slanderous denunciations and prevent appropriate review of information in files. CNIL's objections recalled the denunciations encouraged by Nazi occupiers during World War II, as well as 1794's Law of 22 Prairial, which instituted one of the darkest periods in French history (the Reign of Terror) by requiring that every citizen denounce "conspirators and counterrevolutionaries" to the authorities "as soon as he knows of them".19
A well-publicized variety of confidential and nonconfidential communication lines, with guidance as to the type of issues generally considered appropriate for each channel, has the best chance of success both with employees and regulators. CNIL has recently offered new recommendations that do not forbid anonymous reporting, but require companies to limit the scope of whistle-blower systems, discipline "any abuse of the system," and "not encourage" anonymous reporting.20 With this in mind, a combination of telephone helplines, Internet communications and designated personnel, all of which maintain confidentiality but only some of which offer anonymity, has the best chance of encouraging reporting from all employees in all locations.
Building flexible anonymous reporting systems |
|
Ultimately, the reach of a company's ethics and compliance reporting should extend beyond employees to vendors, customers and even family members. Outsourcing has moved beyond traditional supply chain functions to core business processes, such as product development, human resources, customer service and auditing. As a result, the weakest link in a company's ethics and compliance regime is often just as likely to be a business partner as an employee. Data from the Association for Certified Fraud Examiners supports the idea that reporting can be completely understood only as part of an ethical ecosystem. The Certified Fraud Examiners found that "tips from customers, vendors, and anonymous sources...each account[ed] for between 10 and 20% of all tip cases in 2004 and 2002....indicat[ing] that any effective reporting structure should be designed to reach out to customers, vendors, and other third party sources as well."21 For companies that have tier-one suppliers who are bound by the company's code of conduct, the first logical step is to make the confidential helpline available to those suppliers. Scandals in the 1970s pushed the U.S. aerospace and defense industries to exert more control over suppliers. Today, defense contractors provide partners with access not only to helplines but to ethics and compliance training. As globalization charges forward, the risk from customers and suppliers will only increase. Someday soon defense contractors are likely to start covering the cost of supplier training sessions. In an age when consumer financial data is collected by call centers in India to purchase goods manufactured in Africa for U.S. customers, companies need far-reaching mechanisms and close participation from their suppliers in order to detect ethics and compliance breakdowns. |
|
The biggest challenge this system presents is educating part-time business practices officers, who have other full-time functions within the company and who tend to change about every 24 months. However, they are a vital two-way communications network that has thus far proved central to communicating management buy-in and understanding how to reach and inspire employees. One-way communications may have a limited ability to detect the most serious misconduct.
A "Contact the Board of Directors" link on the company's website adds another level of compliance with Sarbanes-Oxley Section 301. Responses through this link are screened and sent to the appropriate person within the company. The company keeps a log of this process, including case resolution, and provides it periodically to the board of directors.
4. Respond to allegations and violations
Ineffective enforcement can easily undermine the best definition, prevention and detection of ethics and compliance risk. In addition, ethics investigations that require formal response are already costly and can become even more so. Employees, regulators and prosecutors closely watch not just the equity but also the speed of responses to violations. A company's initial reaction to allegations can set its relationship with the government for the course of an investigation. The amended U.S. Sentencing Guidelines state: "The two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility."22 The Department of Justice, the SEC, the NYSE, and the EPA have written that early cooperation is a significant factor in determining how to discipline companies.23Efficient response begins with establishing protocols, in advance, for applying expertise and objectivity to ethics and compliance allegations. Although cases differ, companies can create general guidelines for determining which level (e.g., corporate versus business unit) and function (e.g., general counsel, human resources, management or audit committee) will handle an issue and put a system in place to rapidly inform personnel. The guidelines should take into account attorney-client privilege, which the company may want to preserve by conducting the investigation through the general counsel's office.
A company should also make arrangements for having experts regularly evaluate whether the company requires outside counsel and what the company's obligations are to authorities. Other issues to consider in advance are how to communicate with employees not involved in an investigation (e.g., are employees informed about the course or just results?) and whether or not to write reports of investigation, which are likely to be requested by prosecutors.
Once an investigation is underway, companies commonly fail to collect documents and computer files immediately. The loss or destruction of information can create a serious problem with authorities later on and, in the case of Arthur Andersen, help precipitate a company's literal undoing. Conducting an impartial investigation means actually reviewing all the data collected and following leads beyond the targets. As the investigation expands, companies must maintain confidentiality, protect against adverse litigation and avoid retaliation.
Communication and data collection systems related to the investigation should segment access so that personnel know only the details appropriate to their function. Someone involved in the investigation usually must discover a source's identity in order to evaluate an allegation. Segmenting case details allows the company to proceed with a well-documented inquiry while assuring the source that his or her name will not become known to any of the parties involved in the allegation. In criminal or other serious matters, legal counsel may extend the parceling of case data to enforcement agencies, such as the Securities and Exchange Commission or U.S. Attorney's Office.
If, at any point, the investigators believe an interview target has criminal liability, the company must be careful to clarify that attorneys involved represent the company, not the employee. This practice is ethical, required by state law in most situations, and likely to reduce the chances of an employee suing because his or her communications with in-house or third-party counsel were privileged. Another source of legal liability is retaliation. Companies that allow retaliation against whistle-blowers make an unwise bet against numerous federal, state and local laws. The U.S. Department of Labor alone is responsible for 11 whistle-blower-related laws, including OSHA, the Clean Air Act and the Aviation Act. Sarbanes-Oxley broadens the definition of a whistle-blower to include any person who provides information to a supervisor regarding "conduct which the employee reasonably believes constitutes a violation" of law or regulation.24
Unfortunately for corporate boards and management teams, whistle-blower cases are often more complex than a good Samaritan reporting wrongdoing. Informants may be involved in the violation or headed for an unrelated disciplinary action. In the latter case, the employee may feel he or she has nothing to lose by speaking out or may actually be trying to game the system, invoking whistle-blower protection in order to avoid dismissal. The safe harbor for corporate informants in Department of Labor investigations places the burden of proof on the employer: The employer must demonstrate it would have taken the same action against the employee in the absence of the informing.
Whether or not the whistle-blower is involved in disciplinary action, the best protection against adverse litigation is comprehensive documentation and consistent adherence to publicized company policy including individual responsibility for enforcement. A company's recording process should clearly demonstrate not only the basis for discipline (e.g., violations of law or company policy) but also, wherever possible, a history of responding to violations with similar action. Making an individual ultimately responsible for the action helps establish a singular rationale. In retrospect, committee members tend to have differing and sometimes unclear memories about the case for action. Committees also tend to include members who are not specialists, so organizations should ensure they are supplied with all applicable internal precedents and policies.
To avoid the appearance of taking unjustified action, companies should document all disciplinary actions and processes, not just those that are whistle-blower related, including the original behavior, the action, any dissent to the decision and the resolution of the dissent. Employees can be supplied with a final appeal through certifications that ask whether the employee is either satisfied with the resolution or feels a need for further action. A standard reporting process for all disciplinary action and related dissents, combined with a robust detection mechanism for ethics and compliance issues, protects a company against retroactive complaints
Whatever the reason for a complaint, companies should consider investigating properly. Evaluating spurious claims demonstrates a sincere commitment to employee honesty and underscores the importance of ethics and compliance to top management.
| Consistent implementation and documentation of response mechanisms can make the response to wrongdoing a force for credibility and accountability. One of the most common complaints from employees is that wrongdoing often leads to no apparent action by management. Such a perception, whether true or not, quickly erodes faith in an ethics and compliance system, discouraging participation from its most important asset - its employees - and significantly increasing the company's compliance risk. It is difficult to satisfy prosecutors, regulators and judges with the idea that inaction was an appropriate response to misconduct. 5. Evaluate results and continuously improveIn the past, law and regulation created a paradox for companies considering how to evaluate ethics and compliance programs. Because evaluation was not mandated and many good business practices, particularly ethical ones, were not required by law, companies could actually increase their risk by uncovering problems they were not equipped or legally required to handle. In other words, a certain level of ignorance was bliss.In its investigation of ethics and compliance programs, the advisory committee to the U.S. Sentencing Commission uncovered this calculated ignorance. The committee found no empirical evidence that the widespread implementation of programs had actually resulted in effective programs.25 The U.S. Sentencing Commission codified this concern when they submitted to Congress their amendments to the Sentencing Guidelines. The amendments call for organizations to "take reasonable steps to evaluate periodically the effectiveness of the organization's compliance and ethics program," including oversight by "high-level personnel."26 Similarly, Sarbanes-Oxley Section 404 requires management to take responsibility for and assess the effectiveness of internal controls and procedures. As the evidence continues to build that ethical behavior is not only expected from regulators and prosecutors, but also provides a financially measurable competitive advantage, the ethics and compliance process is evolving into an element of company strategy. This graduation of ethics and compliance into a business process hinges on an effective feedback loop, which allows companies to continually refine and adjust the program as they would any other process tied directly to the bottom line. |
Best practice: effective investigations |
|
External, whole-company assessments employ third parties to evaluate the health of an organization through the use of statistical methods. They deliver a global view of the organization that is unbiased by internal agendas but must be carefully interpreted within the context of the company's own history and practices. If an external assessment finds a significant increase in calls to a company's helpline, this could be a warning sign or a benchmark of success. For some companies, it will correspond to an increase in risky behavior by employees. For others, it will validate changes made to increase the effectiveness of internal reporting mechanisms.
In the same way, an external assessment may track reports to the general counsel's office. If most of those reports are illegal acts or direct violations of accounting regulations, the company may have excellent ethical health or a serious weakness. A well-executed ethics and compliance program can eliminate a significant amount of improper behavior. Weak reporting mechanisms or compliance processes can produce a similar result by catching only the most serious infractions. Experience with a company's internal processes generally provides the context necessary to navigate among the possible interpretations of evaluation results. Internal evaluations of programs, issues, and business units help peal the statistical onion to identify root causes of ethical and compliance risks.
Effective internal evaluations generally use qualitative and quantitative tools to target both the ethics and compliance program and its results. Interviews and focus groups generate detailed responses, containing nuance and anecdotal information that is hard to uncover with surveys. They provide a narrow but deep perspective. In order to separate the idiosyncratic views from those that reflect the organization as a whole, quantitative surveys target a broader, representative set of employees and managers.
Various types of internal polls, surveys and data gathering allow the results of focus groups and interviews to be generalized (or discarded) with confidence. It is very important, therefore, when conducting broad-based data gathering that the company ensures its sample represents the full employee population and balances the need for confidentiality with the need for details that identify risks. Details about the location (both physical and organizational) and type of employee, for example, can separate a victory from an impending crisis. A company that certifies 90 percent of its employees on conflicts of interest could be on the road to robust ethical health. If the uncertified employees are concentrated in a particular unit or region, however, it could be a sign either of weakness in the program's localization or in the actual compliance systems of one business unit.
Historical context is also vital to understanding evaluations. Unless the company measured the level of certification before it began the program, it would be impossible to say whether a 90 percent response rate represented a laudable increase, the status quo, or a troubling decrease. Other types of "reality checks" for internal program evaluations include audits that compare program elements to external standards, such as the U.S. Sentencing Guidelines and Sarbanes-Oxley, and benchmarking, which is the process of comparing a company's ethics and compliance performance to that of industry peers as well as regional or global leaders. Benchmarking efforts should take care to ask questions that apply equally to the company and its peers, taking into account national trends.
Evaluation techniques |
|
 | A key challenge for companies today is keeping evaluations current in light of the "rapid and current" disclosure of material changes to financial condition or operations required by Sarbanes-Oxley §409. To keep up with the times, companies employ various technologies that help collect, analyze, and communicate data from both internal and external evaluations. |
The goal of distilling this data into a format that is simple enough for time-starved managers to digest quickly, but detailed enough to provide real insight into ethics and compliance risk, has inspired the management dashboard. (See Figure 4.) Dashboards focus on the leading indicators of ethics and compliance risk and provide access to in-depth analysis of root causes and trends. The dashboard of a fully integrated system also provides access to the many technologies that support ethics and compliance management, such as a case management database, a registry of potential conflicts of interest, and company policies and training modules.
As with any successful internal initiative, the most important influence on the success of evaluation is organizational culture. Whatever the company newsletter says, if employees believe their leaders are not behind the evaluation, then the evaluation will generate bad data. Companies should stress confidentiality and give employees enough latitude to share their unique perceptions. Disciplining employees who do not participate sends the message that the evaluation is central to business strategy, especially when managers and supervisors also explain why evaluations are relevant to employees in their everyday work (not just why management thinks they are important). Finally, do not forget to communicate the findings to employees when the survey is completed. The surest way to squander goodwill and make future evaluations difficult is to leave employees in the dark.
Conclusion: The return on ethics and compliance and importance of communication in ensuring effectiveness
Fear of legal action, financial loss and reputational damage has inspired more companies to pursue ethics and compliance, but as a business process, ethics and compliance management also generates considerable positive value. Companies have more satisfied, more productive, lower risk employees, and customers are more likely to buy their products and services. Seven in ten Americans, in fact, have decided against purchasing products or services from a company because of questionable ethics.27 Employees are similarly unresponsive to unethical behavior. Those who believe management endorses unethical conduct often disobey orders and instead do what they believe is right,28 and 80 percent of them would not recommend their company to recruits.29 Even best intentions mean little if employees are not educated properly. Among companies with all types of attitudes towards ethics, poor training is a leading cause of reporting and compliance failures.The virtuous ethics and compliance cycle makes a good starting point for communicating the importance of and gaining buy-in to an ethics and compliance program internally because it answers a basic question: How does this benefit me? (See Figure 5.) For employees, improved company and business-unit performance increases compensation and creates opportunities for promotion; for management teams and boards of directors in mature markets, effectively managing ethics and compliance is becoming a cost of staying competitive. The place to start with ethics and compliance communication is at the top. Managers, supervisors and executives will always be the cornerstone of successful ethics and compliance management. If management does not demonstrate a commitment to ethics and compliance, no employee will be inspired to care either.
 |
Best practice: effective evaluation |
|
It is clear that the decisions of investors, customers and employees in the United States and European Union now depend significantly on ethics and legal compliance. Ethics and compliance management provides an opportunity for companies to stay at the forefront of this long-term trend, while building shareholder value and increasing profitability.
While it is encouraging that the 21st century's most competitive companies are also likely to be highly ethical, ethics and compliance systems, no matter how well implemented, cannot anticipate every risk. As one vice president of business practices says, "The problem with my job is that I'm at the mercy of the dumbest person in the company." Holistic ethics and compliance management, however, is the best insurance policy against its own failure. Ethical organizations surround ignorant and malicious employees with colleagues who are motivated and empowered to stop risky behavior before it becomes a major crisis. And when unforeseen risks develop into crises, a sterling reputation speeds a company towards redemption with the market.
Six tactics to communicate the importance of ethics to employees30 |
|
End notes
1 Economist Intelligence Unit, "Global Business Risk Rose Sharply in First Quarter of 2005, According to New Corporate Risk Barometer," press release, 14 April 2005.
2 The Conference Board, "More Companies Using Enterprise Risk Management to Handle Risks," press release, 27 July 2005.
3 In their comprehensive and widely accepted framework for ERM, COSO defined four categories of objectives, eight components used to achieve them, and four levels of an organization in which the components are implemented. The interrelated stages of the ethics and compliance process defined in the paper affect all sixteen areas. Enterprise Risk Management Integrated Framework: Executive Summary, Committee of Sponsoring Organizations of the Treadway Comission, September 2004.
4 Economist Intelligence Unit, "Global Business Risk Rose Sharply in First Quarter of 2005, According to New Corporate Risk Barometer," press release, 14 April 2005.
5 Ibid.
6 Hard controls are generally considered to be processes that can be quantified, such as the existence of a security system that limits access to the general ledger to certain individuals. Soft controls refer to social interactions and environment conditions that shape organizational culture, such as tone at the top. See "Prevent" section below for more discussion of hard versus soft controls.
7 American Management Association, "Pressure to Meet Unrealistic Business Objectives and Deadlines Is Leading Factor for Unethical Corporate Behavior, New Survey Suggests; American Management Association and Human Resource Institute Provide In-depth Look at the Ethical Enterprise," press release, 17 January 2006.
8 "2005 Federal Sentencing Guidelines Manual and Appendices" (United States Sentencing Commission, effective 1 November 2005)
9 Ibid.
10 2005 Federal Sentencing Guidelines §8B2.1(a)(2). "2005 Federal Sentencing Guidelines Manual and Appendices" (United States Sentencing Commission, effective 1 November 2005)
11 LRN Customer Community Interviews, conducted during the week of October 3, 2005.
12 Ibid.
13 LRN, "Developing an Appropriate Code of Conduct for Your Company," presentation, 30 September 2004
14 Department of Health and Human Services, Office of Inspector General Compliance Program Guidance for Pharmaceutical Manufacturers, 68 Fed. Reg. 23731, 23733 (May 5, 2003)
15 Association of Certified Fraud Examiners, 2004 Report to the Nation on Occupational Fraud and Abuse (Austin: Association of Certified Fraud Examiners, 2004)
16 Patrick J. Gnazzo and George R. Wratney, Are You Serious About Ethics? For Companies that Can't Guarantee Confidentiality, the Answer Is No (New York: The Conference Board, 2006).
17 Ibid.
18 "Section 301 Reporting Solution Checklist" (Ethicspoint, 2004).
19 "Law of 22 Prairial" (Wikipedia, 2006).
20 Commission national de l'informatique et des libertés', "Guideline document adopted by the 'Commission national de l'informatique et des libertés' (CNIL) on 10 November 2005 for the implementation of whistleblowing systems in compliance with the French data Protection Act of 6 January 1978, as amended in August 2004, relating to information technology, data filing systems and liberties" (Commission national de l'informatique et des libertés, 2005)
21 Association of Certified Fraud Examiners, 2004 Report to the Nation on Occupational Fraud and Abuse (Austin: Association of Certified Fraud Examiners, 2004)
22 2005 Federal Sentencing Guidelines Chapter Eight, Introductory Commentary. "2005 Federal Sentencing Guidelines Manual and Appendices" (United States Sentencing Commission, effective 1 November 2005)
23 "In conducting an investigation, determining whether to bring charges, and negotiating plea agreements, prosecutors should consider the following factors in reaching a decision as to the proper treatment of a corporate target:... 4. the corporation's timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents..." from Memorandum from Deputy Attorney General Larry D. Thompson to Heads of Department Components and United States Attorneys, Re: Principles of Federal Prosecution of Business Organizations, 20 January 2003, United States Attorneys' Manual, tit. 9, Crim. Resource Manual, §§ 161-62. In "the Seaboard decision" the SEC did not take action against the Seaboard Corporation "given the nature of the conduct and the company's responses," which included rapid early disclosure. From "Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions" (Securities and Exchange Commission, 23 October 2001) "The [New York Stock] Exchange considers every case in terms of its particular facts and circumstances, and what constitutes an "extraordinary" case is not susceptible of generalization. Nonetheless, the following situations and factors are often considered by Enforcement in assessing a firm or individual's cooperation: Prompt, Full Disclosure Coupled with Thorough Internal Review...." from "Information Memo 05-65, Subject: Cooperation" (New York Stock Exchange, 14 September 2005) "To take advantage of theses incentives, regulated entities must voluntarily discover, promptly disclose to EPA, expeditiously correct, and prevent recurrence of future environmental violations." From "Compliance Incentives and Auditing" (U.S. Environmental Protection Agency, last updated 8 February 2006)
24 2005 Federal Sentencing Guidelines §8B2.1(a)(2). "2005 Federal Sentencing Guidelines Manual and Appendices" (United States Sentencing Commission, effective 1 November 2005) 25 LRN, "Auditing and Monitoring of Compliance Programs," presentation, 12 August 2004,
26 2005 Federal Sentencing Guidelines §8B2.1(b)(1)(B) and §8B2.1(b)(5)(B). "2005 Federal Sentencing Guidelines Manual and Appendices" (United States Sentencing Commission, effective 1 November 2005)
27 LRN, "New Research Reveals Business Impact of Ethics, Signals the Importance of Ethical Corporate Cultures," press release, 30 January 2006
28 Ibid.
29 "2000 Organizational Integrity Survey: A Survey Conducted by KPMG" (Bentley College Center for Business Ethics, 2000)
30 LRN, "Four Steps to Successfully Launching Your Compliance and Ethics Education Program," presentation, 02 December 2004,