Ethics and compliance risk management

Sarbanes-Oxley, the amended U.S. Sentencing Guidelines and the investigations of New York State Attorney General Eliot Spitzer - all outcomes of this decade's corporate scandals - are representative of a global trend toward more transparent and ethical business operations. At the same time, new studies, surveys and empirical evidence from companies reveal that stock prices are higher, costs are lower and employees more satisfied at companies with reputations for ethical business practices and good governance. Not surprisingly, CEOs worldwide believe regulatory and reputation risks are the two most significant threats to business[1].

In adapting to this new regulatory and legal environment, businesses have begun to move from philosophy to science in their approach to managing their ethics and compliance risk. What is remarkable about this move is that it is not simply a protectionist stance but rather a refocused effort to achieve greater business advantage through improved operations and management. Companies are increasingly recognizing that managing ethics and compliance risk holistically is key to fostering and sustaining a strong ethical corporate culture, and that by acting ethically, they have a greater opportunity to outperform their peers and win in the marketplace.

The enterprise risk management model

Enterprise risk management (ERM) is the process of aligning competitive strategy with the mechanisms that identify, aggregate, mitigate, avoid and transfer risk. The goal is to reduce losses while seizing opportunities. ERM is a disciplined approach to better manage the effects of uncertainty on an organization's capital and earnings.

"More than 90% of executives say they are building or want to build enterprise risk management processes into their organizations."[2] Yet implementation is a challenge for most organizations. Ethics and compliance management is a model and testing ground for a holistic, ERM approach to risk management. It uses all the ERM components to achieve objectives in all the categories defined by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004.[3] (See Figure 1.)

Ethics and compliance management also addresses the newest, most pressing risks to companies. According to the Economist Intelligence Unit, reputation (which is a function of perceived ethicalness combined with performance) and compliance with regulations are the areas most open to risk facing business today.[4] (See Figure 2.) Events that can damage a company's reputation and problems caused by new or existing regulations are the most significant issues facing business today.[5]

In theory, ERM guides directors and executives as they coordinate the myriad tasks to identify the potential risks encountered by individual employees, business units, geographic divisions and corporate leadership. The resulting portfolio of risk sets the stage for planning the avoidance, transfer and mitigation of risk so the uncertainty of achieving the expected outcome is reduced. Effectiveness is predicated on a process orientation, proper tools and high-quality information from operating units and individuals. In this regard, the "E" in ERM could just as easily stand for "employee."

As the old adage says, an organization is only as good as its people. This is especially true in ethics and legal compliance, where successful management depends as much on how leadership and culture influence employee behavior as on quantifiable controls and procedures. The ethical health of a company's culture has gained importance due to high-profile business failures where material weakness was found in the control environment. Control environments with strong cultures of compliance are conducive to the minimization of risk (a positive control environment), while those with a culture of non-compliance do little to reduce risk (a negative control environment). Widely accepted control models emphasize the importance of soft controls.

The U.S. Sentencing Commission has recognized that compliance is an outcome of ethical behavior and requires a pervasive ethical culture with supporting business processes in place. The newly amended guidelines now require companies to expand their program beyond compliance to "compliance and ethics" as a means to prevent and detect criminal conduct and foster an organizational culture that encourages ethical conduct and a commitment to legal compliance.

An integral component of ERM is to holistically manage ethics and compliance risk to help shape and foster a strong ethical corporate culture. This paper examines the five integrated process steps in building a lawful ethical culture - define, prevent, detect, respond and evaluate - providing practical suggestions and real-world examples. (See Figure 3.) The conclusion discusses the bottom-line benefits of ethics and compliance management and how to market those benefits internally to create support for ethics and compliance initiatives.

Five steps for building a sustainable ethics and compliance process

1. Define ethics and compliance risk

Many companies define their risks during the business planning process, specifically during budgeting. A chief financial officer or risk officer may call upon the heads of a company's operating units and functional areas (human resources, legal, etc.) to identify financial risks associated with their business plans. Legal departments also tend to drive risk assessment because the financial costs of transgressing applicable laws and regulations can be significant.

Legal- and financial-driven assessments are good starting points for the holistic approach required to meet new expectations for ethics and compliance. General counsels, compliance officers and risk/financial officers can expand the scope of existing interviews and the types of employees targeted, in order to look beyond legal limits and financial costs to all of the internal and external factors that increase ethics and compliance risk.

Properly defining ethics and compliance risks usually requires two iterations. In the first, the office in charge uses existing knowledge of risks to design a questionnaire or interview process that asks key business-unit employees to evaluate the prevalence of known risks, such as the following:

- Accounting breakdowns, including fraud, inaccurate record keeping, inappropriate record retention or destruction and noncompliance with the requirements of Sarbanes-Oxley
- Business ethics failures, such as the exposure of confidential client information, conflicts of interest and giving and accepting inappropriate gifts
- Employment related risks, like equal opportunity violations, workplace harassment and immigration offenses
- Fair trading laws, which cover price fixing, abuse of dominance and collusion
- Customer and workplace violations, for example, aiding and abetting illegal customer acts and creating unsafe workplace conditions
- Product issues such as product safety failures and intellectual property violations, e.g., patent infringement

In the second iteration, the corporate ethics and compliance team cross-references data gathered from interviews in the business units to build a profile of enterprise-wide ethics and compliance risk. Often the seriousness of business unit risks is visible only to those with enterprise-wide data, who can see how risks from across an organization pool together. For example, assessing the risk of antitrust action generally requires a national picture of operations, and in the case of the European Union, an understanding of the markets of the member states where a company operates.

Using this new risk profile to reorganize and expand the interview process, the corporate team returns to the original interviewees and targets additional personnel who may shed light on newly identified risks. The goal is to ensure employees with knowledge of all significant operating units and regions are involved, so that risks unique to particular locations or businesses will not be overlooked.

Practically speaking, the majority of risk assessments that are performed today can be classified as locally driven. For example, a business unit may determine that a restrictive gifts policy is critical to the effectiveness of its compliance activities; however, that policy is not likely to be applied to the global organization's policies and practices. Communicating back with local stakeholders provides the organization an opportunity to reinforce the local business unit's role in the global ethics and compliance function. Stated another way, what happens locally impacts the company's ability to achieve overall business objectives, and providing greater ownership for managing behavior locally provides advantage for companies in implementing global business plans.

Shaping the interview process

Because ethics and compliance management depends heavily on soft controls[6], an effective assessment of ethics and compliance risk must take into account employee behavior and organizational culture. When interviewing employees about ethics and compliance, companies should keep in mind three basic questions:

1. What has hurt us in the past?
Leverage historical data, internal experts and employees who witnessed past ethics and compliance failures to reveal weakness in systems or job functions intended to promote ethics and compliance.

2. What is hurting us day-to-day?
Compile and interpret "real-time" ethics and compliance data, such as helpline calls and cases under investigation. When no data exists, audit relevant functions to track ethics and compliance issues.

3. What might hurt us in the future?
Analyze current events to identify trends in law, regulation, business culture, and industries that affect ethics and compliance. Places where current events intersect with known risks should draw heightened scrutiny. For example, a recently released survey added additional support to the idea that managers who pressure employees to meet unrealistic goals are likely to encourage unethical behavior.[7]

The ethics and compliance team analyzes the responses to the second round of interviews in order to create a ranked list of risks, which includes enterprise-wide issues as well as concerns specific to one operating unit or region. Each risk can then be matched to groups and levels of employees. This risk-employee match list will serve as the foundation of an ethics and compliance program that is specific enough to target individual employees for training and responsibilities.

The dialectic between employee-specific intelligence and enterprise-wide analysis continues for the life of an organization, constantly refining and readjusting the profile of ethics and compliance risk. The amended U.S. Sentencing Guidelines, Sarbanes-Oxley and the philosophies behind them are rooted in this model of constant refinement based on self-assessment. U.S. Sentencing Guidelines §8B2.1 advises judges to examine whether an organization has "periodically assess[ed] the risk of criminal conduct and...take[n] appropriate steps to design, implement, or modify" ethics and compliance programs.[8]

These guidelines recognize the basic limitation of legal boundaries: it is both impossible and unadvisable to try to create a rule for every situation. Ethical risks in particular, such as conflicts of interest, most often occur in the space between policies. Carefully defining and assessing risks allows companies to anticipate these grey areas and equip employees to make ethical decisions when they encounter them.

2. Prevent ethics and compliance lapses/failures

Past waves of reform focused on preventing misconduct through hard controls - processes and activities that can be objectively measured and quantified, such as controls on access to cash and reconciliations. Among more recent reforms, the U.S. Sentencing Commission, the Securities and Exchange Commission, and Congress have continued to mandate many specific systems and processes. For example, the U.S. Sentencing Guidelines §8B2.1(b)(4)[9] names specific steps organizations can take to be considered ethical by the courts, such as periodically communicating with employees about "standards and procedures, and other aspects of the compliance and ethics program" and "conducting effective training programs."

The new laws, regulations and guidance, however, also reflect an evolution in regulatory philosophy. When determining fines, conditions of probation, and other punishments for felonies and Class A misdemeanors, federal judges must consider whether an organization has promoted "an organizational culture that encourages ethical conduct and a commitment to compliance with the law."[10] Mandating culture is a new approach. It recognizes that laws cannot account for every possibility and therefore requires companies to develop soft controls that prevent unethical behavior, which may or may not be illegal.

Designing a program with both hard and soft controls that prevents ethical and compliance failures begins with an index of existing business values, codes of conduct and compliance guidelines throughout the organization. Companies that have grown quickly or through acquisition should take particular care in comparing policies across regions and business units. When conflicts and gaps arise, company management will have to consult with the legal department and the relevant functions (e.g., human resources) in order to build consistent and comprehensive guidelines for employees.

Best practice: annual self-assessment

A multinational conglomerate employs a business conduct self-assessment to maintain and continuously improve its culture of legal compliance and ethical business conduct. Undertaken annually, the four-stage assessment encompasses all of the company's divisions, subsidiaries and staff functions in more than 60 countries.

Stage 1: Overview of ethics and compliance in business units
The general counsel's office and its compliance team begin with the business model (e.g., direct sales versus wholesaling to distributors) and organizational structure (e.g., matrix versus traditional functional lines), in order to identify the personnel, functions and third parties (such as resellers) that have responsibility for and/or contribute to risk exposure. The overview then analyzes industry-specific ethics and compliance risks with an emphasis on changes that might bring about new risks. For example, a new product line may create the potential for risks that the company has not experienced before. Also considered are changes and practices that tend to create risk in most industries, such as operational changes (e.g., mergers, acquisitions, integrations, restructuring and outsourcing), sales to government agencies, regulatory violations, and factors that create the danger of a product recall. Finally, the compliance team uses data from employee performance reviews to examine how effective leadership, training and culture have been at promoting ethical behavior.

Stage 2: Risk assessment worksheet
The conglomerate has developed a list of approximately 25 major ethics and compliance areas, such as the Foreign Corrupt Practices Act, antitrust violations, environmental issues, business gifts, lobbying, advertising and harassment. Business leaders rate the risk of each area as high, medium, or low for their industry and then describe in detail how they are managing medium- and high-risk areas.

Stage 3: Analysis of existing metrics
The company catalogues and compares audit reports, external evaluations (e.g., FDA inspection reports, OSHA reports), business conduct violations, online compliance training completion rates and summaries of significant litigation in order to reveal trends and pools of risk. The results of regular opinion surveys are also added to the mix of information. These surveys include several questions on division management's leadership and commitment to ethical and compliance issues.

Stage 4: Development of control plans and presentation of findings
Data from the above three stages are combined into a final analysis of risk priorities for each business unit and proposed action plans to address them. These business unit results are then rolled into a company-wide timeline for action that prioritizes risk for regional, corporate and functional groups. In the final step, a business conduct committee reviews the plans and monitors their progress on a quarterly basis.

The processes and policies in the index should be matched to the risk areas and compliance requirements detailed in the "define" stage of the ethics and compliance process (see above). This matching process is not a one-time event; rather it should recur periodically to expose high-risk areas and gaps in training as changes in regulation and compliance standards create them. Companies should consider implementing feedback loops that maintain constant supervision over business units, job functions and individual employees that matching identifies as high-risk. In the pharmaceutical industry, for example, public scrutiny of sales meetings with physicians has prompted many companies to require that salespeople register each interaction, reporting what and how many samples were provided and what was discussed.

5 Keys to effective education

Traditionally, companies have measured the success of their ethics education programs by employee completion rates. However, today ethics and compliance education is no longer about simply complying with guidelines and numeric targets. Rather, it is about instilling the underlying values of an ethical business culture. Here are five keys to do so effectively.

1. Engage corporate leadership to drive successful ethics education
Employees are more receptive to ethics-based change when their leaders not only talk about values, but embody them in practice. Corporate leadership's reputation for ethical behavior can engender pride, enthusiasm and desire to become better corporate citizens. Therefore, corporate leaders who seek to build a more ethics-based workplace must live their creed. While an ethical business culture must be developed up, down and across the organization, a clear and convincing desire to foster such a culture should start at the top.

2. Promote the benefits of interactive engagement drawn from new developments in e-learning
Ethics education should engage employees and challenge them to reconsider the ethical quandaries of the business world. Advances in interactive technology now permit online ethics education to function as a two-way form of communication, giving the programs greater acculturating power. Interactive programs make passivity difficult by demanding responses to questions; by employing simulations to show that ethical choices have consequences; and above all, by enabling participants to navigate ethical quandaries and reflect on the assumptions underlying their decisions.

3. Combine the geographic breadth of ethics education with a focus on professional relevance
Some businesses are heavily regulated, some have especially vulnerable corporate reputations, and the fortunes of others may depend on the vagaries of climate, currency values or geopolitics. The challenges of ethical decision-making will vary accordingly. Therefore, educational material should address the specific ethical quandaries a particular audience is likely to face. This will make ethics education seem more relevant to employees and, therefore, more likely to inspire careful consideration.

4. Move beyond the "carrot-and-stick" approach
To be effective, ethics and compliance education should appeal to our noblest aspirations. But it is too often focused on the fear of getting caught. Ethics education should help foster a culture in which employees don't simply acquiesce to externally imposed rules but rather define themselves by values - values that inspire them to not just follow the law, but to respect it and to ensure that their colleagues do so as well. For this reason, ethics and compliance education must move beyond the "carrot-and-stick" approach.

5. Create certification programs that attest to effective education and compliance
In companies with broad certification requirements, employees attest to being in compliance with policies concerning situations such as conflicts of interest, insider trading and other complex areas of business practice. But they must understand these practice areas before they can meaningfully attest to complying with them. In this way, ethics education and certification are complementary. An effective education program teaches employees the risks, liabilities and corporate interests at stake in the ethical quandaries they face. In turn, certification allows a company to make known its measure of compliance, while helping to ensure that compliance reflects a thoughtful, collective appreciation of the values underlying the relevant issues.

Nurturing the ethical ecosystem

Currently companies are focused on getting their own houses in order, but in the next two years many plan to begin including business suppliers, sales partners and other third parties in prevention activities.[11] The biggest challenge to managing this extended enterprise is the difficulty of influencing organizational culture in independent companies. Vendors should not be expected to match the ethical standards of all of their customers, so partners must strike a balance between independence and mutually beneficial cooperation over standards. Industry groups can be a great help by establishing guidelines for a level playing field.

Many companies have or expect to establish a disciplined approach to improving their entire ethical ecosystem. Using some of the following methods, companies are encouraging ethical behavior among partners based on the model of the safety movement, in which audits of supply chains, clear standards, intense training, developed processes and roles, and formalized expectations and certifications define the scope of relationships with third parties.

- Involve partners in risk assessment activities and risk response planning.
- Train partners in the supply chain, including providing certifications, on an annual basis with regard to expectations of behavior and business practices, such as safeguarding proprietary information and avoiding fraud and conflicts of interest.
- Use industry conferences as opportunities to train suppliers and other partners in ethics and compliance.
- Help small to midsize partners create codes of conduct and compliance programs.
- Train employees to incorporate ethics and compliance in work with the supply chain.
- Conduct ethics discussions as part of pre-relationship due diligence to ensure there is an understanding of the need to abide by standards of conduct.
- Assess the maturity and effectiveness of suppliers' compliance programs through surveys and research of supplier history.
- Promote codes of conduct and reporting helplines regularly with business partners.[12]

Codes of conduct, business values and ethics and compliance communication programs should look beyond legal and regulatory boundaries to tone at the top, employee buy-in, motivation and promotion programs, and other factors that influence organizational culture. Statistics such as percentage of participation and the number of training modules conducted are vital for overall program evaluations, but they should be treated only as indicators. The ultimate goals are qualitative - open dialogue and a culture of accountability. With this in mind, some companies have gone beyond traditional training and elected to rotate business managers through one of their ethics and compliance oversight functions. This type of on-the-ground experience engenders ethical behavior as natural instinct for rising leaders, allowing them to make decisions in cases where clear right or wrong does not exist.

Codes of conduct

Exhaustively detailed codes of conduct encourage acquiescence and bureaucracy but fail to inspire employees with the spirit of ethical behavior.[13] The most effective codes of conduct function not as rulebooks but as constitutions "that detail the fundamental principles, values and framework for action within an organization."[14] Whereas rulebooks fail when the rules are ambiguous or when no rule exists, a constitution invites dialogue about new situations and allows recourse to the spirit of its fundamental principles. Constitutions are also living documents that take their authority from mutual agreement, not simply from those in authority.

Rather than handing down the Code of Conduct, management should explain the rationale and inspiration for the company constitution, which can be amended to reflect changing values and business realities. Most important, management should be able to articulate how the code of conduct is central to the company achieving its business goals. Asking for employee buy-in, explaining the code of conduct in terms of performance objectives, and demonstrating expectations for probity and responsible conduct can bring about a fundamental alignment between employee values and the company's. The most effective code of conduct, after all, is not a document, but a set of values shared by all employees.

3. Detect noncompliance

Sarbanes-Oxley and the U.S. Sentencing Guidelines requirements for anonymous reporting codify what companies already know from experience - anonymous reporting can reduce misconduct and save money. In its 2004 Report to the Nation on Occupational Fraud and Abuse, the Association for Certified Fraud Examiners found that the median financial loss due to fraud and abuse was more than twice as high among organizations with no anonymous helpline - $135,500 compared with $56,500 in organizations with helplines. The primary reason for the disparity seems to be that "Occupational frauds...were much more likely to be detected by a tip than through other means such as internal audits, external audits and internal controls."[15]

The "procedures for the confidential, anonymous submission by employees...of concerns regarding questionable accounting or auditing matters," called for by Sarbanes-Oxley Section 301, are the foundation of an effective detection system. To retain the trust of employees, fulfill Sarbanes-Oxley, and most effectively respond to whistle-blowers, companies should be able to maintain confidentiality from the initial report through the archiving of a resolved case.

Many companies and ethics officers, however, put their reputations and whistle-blower systems at risk when they offer to "do their best" to protect the identity of informants. This offer means little in the context of a regulatory investigation, subpoena or lawsuit that uses the discovery process to request the informant's name. Despite Sarbanes-Oxley, the equivalent of attorney-client privilege does not exist for ethics and compliance officers in the United States.[16]

United Technologies Corporation has defended the anonymity of whistle-blowers against discovery by routing anonymous communication through ombudsmen. UTC's ombudsmen differ critically from ethics and compliance officers because they are neutral liaisons between the employee and the company. They neither represent management nor consult in the investigations and disciplinary actions that may follow an anonymous tip. As a result, UTC has successfully argued that an ombudsman's files are not official records of company actions. UTC has also made the case for "an implied bilateral contract" between employee and ombudsman that is based on a mutual understanding of confidentiality. If this bilateral contract exists, then both parties must agree to break it. Further support for protection of confidentiality is supplied by the Federal Rule of Evidence 501, "which allows U.S. federal courts to recognize privileges as developed on a case-by-case basis under common law."[17]

To maintain a cordon of anonymity around an ombudsman or other anonymous reporting mechanism, all the technologies involved must be carefully constructed to avoid recording identifying information. Standard phone lines, chat rooms, instant messaging, and e-mail, for example, generally record information that can be used to identify at least the location of a user. PINs and access codes are also disallowed by Sarbanes-Oxley.[18]

Whether a company receives an allegation via Internet, letter, conversation, or toll-free phone line, it must first vet the communication. The ability to maintain confidential dialogue with the source allows the ethics officer or compliance specialist to ask follow-up questions that can provide a much more complete picture of the complaint. This in turn allows faster, more accurate assignment of personnel and resources to address the issue. For global organizations that should maintain reporting processes in multiple languages, confidential, standby translation services also significantly reduce turnaround time.

In the age of globalization, an understanding of local cultures has become ever more important, as companies try to operate worldwide to a consistent standard of performance. Providing convenient access through local languages with locally available technologies and personnel that conform to local law is the second most important element of effective reporting. In France last year, for example, the issue of anonymous reporting appeared to stir memories of occupied France and the Reign of Terror among members of the Commission Nationale de l'Informatique et des Libertes (CNIL). The French data-protection commission refused to authorize anonymous helplines operated by McDonalds France and CEAC (a division of Exide Technologies) citing fears that anonymity could breed slanderous denunciations and prevent appropriate review of information in files. CNIL's objections recalled the denunciations encouraged by Nazi occupiers during World War II, as well as 1794's Law of 22 Prairial, which instituted one of the darkest periods in French history (the Reign of Terror) by requiring that every citizen denounce "conspirators and counterrevolutionaries" to the authorities "as soon as he knows of them".[19]

A well-publicized variety of confidential and nonconfidential communication lines, with guidance as to the type of issues generally considered appropriate for each channel, has the best chance of success both with employees and regulators. CNIL has recently offered new recommendations that do not forbid anonymous reporting, but require companies to limit the scope of whistle-blower systems, discipline "any abuse of the system," and "not encourage" anonymous reporting.[20] With this in mind, a combination of telephone helplines, Internet communications and designated personnel, all of which maintain confidentiality but only some of which offer anonymity, has the best chance of encouraging reporting from all employees in all locations.

Building flexible anonymous reporting systems

Given the legal and cultural borders that many organizations cross, helplines or other communication systems for anonymous reporting must be flexible; in fact, the flexibility to accommodate both local culture and applicable law is exactly what the amended U.S. Sentencing Guidelines recommend. The following six suggestions for building whistle-blower systems are effective and likely to be approved by authorities globally:

1. Design the reporting system to complement, not replace, other direct reporting means.
Companies should train and publicize multiple employees and job functions - supervisors and business practices specialists - as avenues for reporting wrongdoing or raising questions about business ethics. Employees should be educated to understand that reporting mechanisms serve as backups when these primary communication channels are unavailable, for example because of a serious breakdown in management or intimidation by a perpetrator.

2. Reserve anonymous reporting for serious complaints, while offering openness and discretion for all complaints.
Companies should make clear that the reporting system is not appropriate for minor grievances, which are best aired in staff meetings, evaluations with supervisors and other traditional forums. To increase the chances of satisfying regulators, companies operating in the European Union should consider identifying the specific anomalous behaviors, such as bribery or accounting violations, for which anonymous reporting is considered appropriate.

3. Establish trust by keeping promises.
The primary concerns for whistle-blowers who reach out to a confidential resource are exposure, embarrassment and retaliation at the hands of superiors or suspected wrongdoers. In the cases of anonymity and protection from retaliation, good intentions can be dangerous. Ethics officers and management who sell employees on these privileges must be certain their companies can provide them.

4. Be transparent.
Transparency builds trust and encourages buy-in from management. Personnel at many levels fear false claims, either by an individual seeking to damage a reputation, or by an employee trying to avoid dismissal. Management also worries that encouraging whistle-blowing will prompt employees to approach the authorities, media or other third parties first, causing the company to lose the consideration for self-reporting offered under the U.S. Sentencing Guidelines. To respond to these concerns, the designers of a reporting system should be specific about the mechanisms that protect anonymity, how confidentiality can still be maintained without it (e.g., by providing identifying information only to certain investigators), how reporting systems can actually increase a company's chance of self-reporting, and what procedures are in place to ensure that allegations are carefully verified before the company takes action.

5. Conduct the investigation quickly.
A quick response, no matter the severity of the incident, reinforces the importance that management places on its employees' concerns. Companies need to set a reasonable time to respond to employee concerns and abide by those response times consistently, whether it's a low-risk activity, such as a complaint about parking accommodations, or a high-risk activity, such as an antitrust violation. Especially in the case of serious allegations, however, a slow response encourages the employee to seek remedy outside the company by creating the perception that the issue is either not being taken seriously or being covered up. Swiftly launching an investigation creates the potential to catch wrongdoers in the act, control information, anticipate adverse reactions within the company, exonerate the innocent quickly, and where necessary, inform prosecutors and regulators before they launch their own investigation.

6. Use the data collected from the reporting system to plan risk management.
Non-identifying data collected from the reporting system (including types, frequency, and the regional, business unit, or job function origin of complaints) can be used to develop the company's risk profile and adjust the system.
Ultimately, the reach of a company's ethics and compliance reporting should extend beyond employees to vendors, customers and even family members. Outsourcing has moved beyond traditional supply chain functions to core business processes, such as product development, human resources, customer service and auditing. As a result, the weakest link in a company's ethics and compliance regime is often just as likely to be a business partner as an employee. Data from the Association for Certified Fraud Examiners supports the idea that reporting can be completely understood only as part of an ethical ecosystem. The Certified Fraud Examiners found that "tips from customers, vendors, and anonymous sources...each account[ed] for between 10 and 20% of all tip cases in 2004 and 2002....indicat[ing] that any effective reporting structure should be designed to reach out to customers, vendors, and other third party sources as well."21 For companies that have tier-one suppliers who are bound by the company's code of conduct, the first logical step is to make the confidential helpline available to those suppliers. Scandals in the 1970s pushed the U.S. aerospace and defense industries to exert more control over suppliers. Today, defense contractors provide partners with access not only to helplines but to ethics and compliance training. As globalization charges forward, the risk from customers and suppliers will only increase. Someday soon defense contractors are likely to start covering the cost of supplier training sessions. In an age when consumer financial data is collected by call centers in India to purchase goods manufactured in Africa for U.S. customers, companies need far-reaching mechanisms and close participation from their suppliers in order to detect ethics and compliance breakdowns. |
Best practice: multitiered, global detection
A leading U.S.-based aerospace and industrial products company has built a multilevel, worldwide detection system that includes confidential and nonconfidential mechanisms. Employees are encouraged to ask questions and report ethics and compliance concerns through the following channels:
- Supervisors and colleagues, including direct supervisors, human resources contacts, legal contacts, environmental health and safety specialists, and business practices specialists
- Toll-free anonymous phone helpline
- Anonymous web-based system that uses chat and e-mail and allows responses to be returned confidentially if the employee desires
- Specially trained, neutral ombudsmen who accept telephone calls, in translation if necessary, and funnel concerns to management for response
- Network of part-time business practices officers
- A governance tab on the company website that allows the user to send e-mail to the board of directors
The biggest challenge this system presents is educating part-time business practices officers, who have other full-time functions within the company and who tend to change about every 24 months. However, they are a vital two-way communications network that has thus far proved central to communicating management buy-in and understanding how to reach and inspire employees. One-way communications may have a limited ability to detect the most serious misconduct. A "Contact the Board of Directors" link on the company's website adds another level of compliance with Sarbanes-Oxley Section 301. Responses through this link are screened and sent to the appropriate person within the company. The company keeps a log of this process, including case resolution, and provides it periodically to the board of directors.
4. Respond to allegations and violations
Ineffective enforcement can easily undermine the best definition, prevention and detection of ethics and compliance risk. In addition, ethics investigations that require formal response are already costly and can become even more so. Employees, regulators and prosecutors closely watch not just the equity but also the speed of responses to violations. A company's initial reaction to allegations can set its relationship with the government for the course of an investigation. The amended U.S. Sentencing Guidelines state: "The two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility."22 The Department of Justice, the SEC, the NYSE, and the EPA have written that early cooperation is a significant factor in determining how to discipline companies.23 Efficient response begins with establishing protocols, in advance, for applying expertise and objectivity to ethics and compliance allegations. 
Although cases differ, companies can create general guidelines for determining which level (e.g., corporate versus business unit) and function (e.g., general counsel, human resources, management or audit committee) will handle an issue and put a system in place to rapidly inform personnel. The guidelines should take into account attorney-client privilege, which the company may want to preserve by conducting the investigation through the general counsel's office. A company should also make arrangements for having experts regularly evaluate whether the company requires outside counsel and what the company's obligations are to authorities. Other issues to consider in advance are how to communicate with employees not involved in an investigation (e.g., are employees informed about the course or just results?) and whether or not to write reports of investigation, which are likely to be requested by prosecutors. Once an investigation is underway, companies commonly fail to collect documents and computer files immediately. The loss or destruction of information can create a serious problem with authorities later on and, in the case of Arthur Andersen, help precipitate a company's literal undoing. Conducting an impartial investigation means actually reviewing all the data collected and following leads beyond the targets. As the investigation expands, companies must maintain confidentiality, protect against adverse litigation and avoid retaliation. Communication and data collection systems related to the investigation should segment access so that personnel know only the details appropriate to their function. Someone involved in the investigation usually must discover a source's identity in order to evaluate an allegation. Segmenting case details allows the company to proceed with a well-documented inquiry while assuring the source that his or her name will not become known to any of the parties involved in the allegation. 
In criminal or other serious matters, legal counsel may extend the parceling of case data to enforcement agencies, such as the Securities and Exchange Commission or U.S. Attorney's Office. If, at any point, the investigators believe an interview target has criminal liability, the company must be careful to clarify that attorneys involved represent the company, not the employee. This practice is ethical, required by state law in most situations, and likely to reduce the chances of an employee suing because his or her communications with in-house or third-party counsel were privileged. Another source of legal liability is retaliation. Companies that allow retaliation against whistle-blowers make an unwise bet against numerous federal, state and local laws. The U.S. Department of Labor alone is responsible for 11 whistle-blower-related laws, including OSHA, the Clean Air Act and the Aviation Act. Sarbanes-Oxley broadens the definition of a whistle-blower to include any person who provides information to a supervisor regarding "conduct which the employee reasonably believes constitutes a violation" of law or regulation.24 Unfortunately for corporate boards and management teams, whistle-blower cases are often more complex than a good Samaritan reporting wrongdoing. Informants may be involved in the violation or headed for an unrelated disciplinary action. In the latter case, the employee may feel he or she has nothing to lose by speaking out or may actually be trying to game the system, invoking whistle-blower protection in order to avoid dismissal. The safe harbor for corporate informants in Department of Labor investigations places the burden of proof on the employer: The employer must demonstrate it would have taken the same action against the employee in the absence of the informing. 
Whether or not the whistle-blower is involved in disciplinary action, the best protection against adverse litigation is comprehensive documentation and consistent adherence to publicized company policy including individual responsibility for enforcement. A company's recording process should clearly demonstrate not only the basis for discipline (e.g., violations of law or company policy) but also, wherever possible, a history of responding to violations with similar action. Making an individual ultimately responsible for the action helps establish a singular rationale. In retrospect, committee members tend to have differing and sometimes unclear memories about the case for action. Committees also tend to include members who are not specialists, so organizations should ensure they are supplied with all applicable internal precedents and policies. To avoid the appearance of taking unjustified action, companies should document all disciplinary actions and processes, not just those that are whistle-blower related, including the original behavior, the action, any dissent to the decision and the resolution of the dissent. Employees can be supplied with a final appeal through certifications that ask whether the employee is either satisfied with the resolution or feels a need for further action. A standard reporting process for all disciplinary action and related dissents, combined with a robust detection mechanism for ethics and compliance issues, protects a company against retroactive complaints. Whatever the reason for a complaint, companies should consider investigating properly. Evaluating spurious claims demonstrates a sincere commitment to employee honesty and underscores the importance of ethics and compliance to top management.
Case management: five fundamentals
1. Data collection methodology
Establishing a consistent methodology to record ethics and compliance cases ensures that comprehensive data is collected in each case, cases are classified consistently and progress reports contain quality analysis. For example, a methodology may stipulate that each initial case report, regardless of the perceived merit of the allegation, should include a narrative of the case details, lists of witnesses (unnamed if anonymous) and their statements, list of ethics officers involved, third parties involved and their roles, and a classification of the case according to an approved list of categories and subcategories. The methodology should also address data that may be collected through the life cycle of the case, such as records of the company's response, legal opinions and actions, and documents supporting the final settlement.
2. Standardized workflow
To maintain impartiality in handling ethics and compliance cases, workflows should map how cases are assigned, who is notified at various stages of a case's development, and critically, who is responsible at each stage for moving the case forward within certain time limits.
3. Centralized organization
While certain types of documents may best be stored in business units or functional departments (e.g., legal), every company should maintain a database of case files that contain key data and indicate where all supporting documentation is stored so ethics officers can efficiently track the progress of individual cases and the company's ethics and compliance program as a whole.
4. Statistical reports
Ethics and compliance specialists are required by the amended U.S. Sentencing Guidelines and Sarbanes-Oxley Section 404 (see below under "Evaluate") to develop periodic reports that provide statistics to help audit committees, management teams and boards of directors to evaluate the effectiveness of their programs.
5. Security and need-to-know access
Both electronic and physical security systems are necessary to prevent identities from being revealed, inappropriate employees from becoming involved, and case details from being released prematurely to the media, authorities, and plaintiffs' lawyers.
Consistent implementation and documentation of response mechanisms can make the response to wrongdoing a force for credibility and accountability. One of the most common complaints from employees is that wrongdoing often leads to no apparent action by management. Such a perception, whether true or not, quickly erodes faith in an ethics and compliance system, discouraging participation from its most important asset - its employees - and significantly increasing the company's compliance risk. It is difficult to satisfy prosecutors, regulators and judges with the idea that inaction was an appropriate response to misconduct.
5. Evaluate results and continuously improve
In the past, law and regulation created a paradox for companies considering how to evaluate ethics and compliance programs. Because evaluation was not mandated and many good business practices, particularly ethical ones, were not required by law, companies could actually increase their risk by uncovering problems they were not equipped or legally required to handle. In other words, a certain level of ignorance was bliss. In its investigation of ethics and compliance programs, the advisory committee to the U.S. Sentencing Commission uncovered this calculated ignorance. The committee found no empirical evidence that the widespread implementation of programs had actually resulted in effective programs.25 The U.S. Sentencing Commission codified this concern when they submitted to Congress their amendments to the Sentencing Guidelines. The amendments call for organizations to "take reasonable steps to evaluate periodically the effectiveness of the organization's compliance and ethics program," including oversight by "high-level personnel."26 Similarly, Sarbanes-Oxley Section 404 requires management to take responsibility for and assess the effectiveness of internal controls and procedures. 
As the evidence continues to build that ethical behavior is not only expected from regulators and prosecutors, but also provides a financially measurable competitive advantage, the ethics and compliance process is evolving into an element of company strategy. This graduation of ethics and compliance into a business process hinges on an effective feedback loop, which allows companies to continually refine and adjust the program as they would any other process tied directly to the bottom line.
Best practice: effective investigations
A leading chemical company employs the following six-step process when conducting investigations into ethics and compliance allegations:
1. Preliminary assessment
The company quickly determines whether an allegation represents a personal grievance or signals a violation of law or company policy.
2. Complete assessment and notification of appropriate personnel
Complaints that contain any hint of a violation are subject to a thorough evaluation of the nature of the complaint, who may be involved, and potential sources of evidence. The case is then entered into the company's ethics database. The ethics and compliance office also considers who should be informed and who should take charge of the investigation, consulting subject matter experts as necessary.
3. Investigation strategy
The personnel charged with the investigation develop an investigation strategy that outlines what information the company will need to gather, which questions it will need to answer, who it will interview initially, and whether or not it should inform the employees involved. Alerting targets of an investigation may be necessary to gain cooperation or fulfill internal policies and external laws. It may also lead to evasion such as evidence destruction that can cause serious problems for the investigators and for the company if authorities become involved.
4. Document collection and interviews
The company moves quickly to collect any documents or electronic files that may support or disprove the allegations. The company also conducts impartial, one-on-one interviews, which presume the innocence of all parties involved. The company reminds each interview subject of the company's confidentiality and nonretaliation policies, and of the company's code of business conduct, which states that all employees must cooperate fully with any investigation. When necessary, the company also expects full cooperation from vendors, contractors and their employees. As the investigation produces evidence, the investigators may add interviewees and expand document collection, being sure to continue considering whether the board, audit committee, or outside counsel should be called in.
5. Written report and presentation of findings
The investigator sends a written report and recommendations to the management team or committee responsible, but plays no part in making the decision of what action to take. The investigator presents his or her findings in person to the decision makers, in order to allow for questioning, and then the decision makers determine what remedial action (e.g., training and enhanced controls) or disciplinary action is required. Referring to the company's ethics database, the decision makers can see what actions were taken in similar cases and ensure the company maintains a consistent pattern. In cases where disciplinary actions are required, the company may also involve an employee review committee consisting of management, human resources, and legal.
6. Report to employees
After stripping out identifying information, the company shares the results of cases with employees to demonstrate commitment to ethics and compliance and further education about specific issues.
External, whole-company assessments employ third parties to evaluate the health of an organization through the use of statistical methods. They deliver a global view of the organization that is unbiased by internal agendas but must be carefully interpreted within the context of the company's own history and practices. If an external assessment finds a significant increase in calls to a company's helpline, this could be a warning sign or a benchmark of success. For some companies, it will correspond to an increase in risky behavior by employees. For others, it will validate changes made to increase the effectiveness of internal reporting mechanisms. In the same way, an external assessment may track reports to the general counsel's office. If most of those reports are illegal acts or direct violations of accounting regulations, the company may have excellent ethical health or a serious weakness. A well-executed ethics and compliance program can eliminate a significant amount of improper behavior. Weak reporting mechanisms or compliance processes can produce a similar result by catching only the most serious infractions. Experience with a company's internal processes generally provides the context necessary to navigate among the possible interpretations of evaluation results.
Internal evaluations of programs, issues, and business units help peel the statistical onion to identify root causes of ethical and compliance risks. Effective internal evaluations generally use qualitative and quantitative tools to target both the ethics and compliance program and its results. Interviews and focus groups generate detailed responses, containing nuance and anecdotal information that is hard to uncover with surveys. They provide a narrow but deep perspective. In order to separate the idiosyncratic views from those that reflect the organization as a whole, quantitative surveys target a broader, representative set of employees and managers. 
Various types of internal polls, surveys and data gathering allow the results of focus groups and interviews to be generalized (or discarded) with confidence. It is very important, therefore, when conducting broad-based data gathering that the company ensures its sample represents the full employee population and balances the need for confidentiality with the need for details that identify risks. Details about the location (both physical and organizational) and type of employee, for example, can separate a victory from an impending crisis. A company that certifies 90 percent of its employees on conflicts of interest could be on the road to robust ethical health. If the uncertified employees are concentrated in a particular unit or region, however, it could be a sign either of weakness in the program's localization or in the actual compliance systems of one business unit. Historical context is also vital to understanding evaluations. Unless the company measured the level of certification before it began the program, it would be impossible to say whether a 90 percent response rate represented a laudable increase, the status quo, or a troubling decrease.
Other types of "reality checks" for internal program evaluations include audits that compare program elements to external standards, such as the U.S. Sentencing Guidelines and Sarbanes-Oxley, and benchmarking, which is the process of comparing a company's ethics and compliance performance to that of industry peers as well as regional or global leaders. Benchmarking efforts should take care to ask questions that apply equally to the company and its peers, taking into account national trends.
Evaluation techniques
Common ways to assess programs
- Conduct a baseline survey of employees about their awareness of standards and regulation, the impact of training, their use of various ethics and compliance resources, and the effectiveness of communication about ethics and compliance.
- Structure surveys as safe, encouraging environments that move from low-risk to high-risk topics so that employees will also honestly discuss
  - levels of actual misconduct;
  - readiness to handle warning signs; and
  - willingness to report infractions.
- Match programs to requirements of Sentencing Guidelines, Sarbanes-Oxley and industry specific regulations.
- Record quantitative barometers of implementation, such as the percentage of employees trained and certified, the number and type of helpline complaints and allegations, and the speed of response and case resolution.
- Compare the program with industry best practices, such as helplines, web-based education, and localization, and quantitative benchmarks such as the number of compliance officers versus company size, and the program budget versus total revenue in a peer group.
- Use results to inform future evaluations. For example, if employees most commonly report violations to immediate supervisors, be certain to ask those managers how well prepared they feel to address reports.
Common ways to gauge results
- Survey the perceptions of clients and key stakeholders with regard to the company's reputation and customer satisfaction.
- Record the level of misconduct over time and the perceived level of pressure to act ethically or bend the rules.
- Measure the change in ethical culture through focus groups and surveys. Common topics include the perceptions of tone at the top, of risks and rewards for ethical behavior, and of the increase or decrease in high-risk behavior as a result of training.
- Develop an accounting process that estimates the ethics and compliance program's return on investment.
- Compare results to industry peers through the blind sharing of information (benchmarking).
A key challenge for companies today is keeping evaluations current in light of the "rapid and current" disclosure of material changes to financial condition or operations required by Sarbanes-Oxley §409. To keep up with the times, companies employ various technologies that help collect, analyze, and communicate data from both internal and external evaluations.
The goal of distilling this data into a format that is simple enough for time-starved managers to digest quickly, but detailed enough to provide real insight into ethics and compliance risk, has inspired the management dashboard. (See Figure 4.) Dashboards focus on the leading indicators of ethics and compliance risk and provide access to in-depth analysis of root causes and trends. The dashboard of a fully integrated system also provides access to the many technologies that support ethics and compliance management, such as a case management database, a registry of potential conflicts of interest, and company policies and training modules.
As with any successful internal initiative, the most important influence on the success of evaluation is organizational culture. Whatever the company newsletter says, if employees believe their leaders are not behind the evaluation, then the evaluation will generate bad data. Companies should stress confidentiality and give employees enough latitude to share their unique perceptions. Disciplining employees who do not participate sends the message that the evaluation is central to business strategy, especially when managers and supervisors also explain why evaluations are relevant to employees in their everyday work (not just why management thinks they are important). Finally, do not forget to communicate the findings to employees when the survey is completed. The surest way to squander goodwill and make future evaluations difficult is to leave employees in the dark.
Conclusion: The return on ethics and compliance and importance of communication in ensuring effectiveness
Fear of legal action, financial loss and reputational damage has inspired more companies to pursue ethics and compliance, but as a business process, ethics and compliance management also generates considerable positive value. Companies have more satisfied, more productive, lower risk employees, and customers are more likely to buy their products and services. 
Seven in ten Americans, in fact, have decided against purchasing products or services from a company because of questionable ethics.27 Employees are similarly unresponsive to unethical behavior. Those who believe management endorses unethical conduct often disobey orders and instead do what they believe is right,28 and 80 percent of them would not recommend their company to recruits.29 Even best intentions mean little if employees are not educated properly. Among companies with all types of attitudes towards ethics, poor training is a leading cause of reporting and compliance failures.
The virtuous ethics and compliance cycle makes a good starting point for communicating the importance of and gaining buy-in to an ethics and compliance program internally because it answers a basic question: How does this benefit me? (See Figure 5.) For employees, improved company and business-unit performance increases compensation and creates opportunities for promotion; for management teams and boards of directors in mature markets, effectively managing ethics and compliance is becoming a cost of staying competitive. The place to start with ethics and compliance communication is at the top. Managers, supervisors and executives will always be the cornerstone of successful ethics and compliance management. If management does not demonstrate a commitment to ethics and compliance, no employee will be inspired to care either.
Best practice: effective evaluation
A leading diversified chemical company uses the following four tools for ethics and compliance monitoring.
1. Ethics and compliance survey
Once a year, every employee must complete and sign an ethics and compliance survey that is compared to the baseline survey performed in prior years. Traditionally, questions were about conflicts of interest, but more recently the survey's scope has expanded to include key ethics and compliance risk areas, such as government contracts, board membership, and trade association activities. The survey allows the company to target specific employees for ethics and compliance training.
2. Antitrust audit
After a Six Sigma evaluation of its antitrust audit revealed a somewhat haphazard process, the company redesigned the audit into an annual examination of one area in each of its businesses. Antitrust attorneys developed a tool kit, including check lists and certifications, which is provided to the audit team for each business unit. Led by a commercial attorney and an antitrust paralegal, each team focuses on key employees (generally six or seven) working in a risk area and reviews all of the employees' e-mails and documents. The research identifies high-risk areas, in which employees need additional online training, and types of new, more specialized education the company should develop. For obvious reasons, employees were initially skeptical about this level of scrutiny, but now many employees request an antitrust audit because they view it as a valuable training tool.
3. Lessons learned
The company's internal audit group maintains a database of all investigations on ethics and compliance violations. The database provides metrics for risk analysis and reports to management and the audit committee. It is also the source of one of the company's most effective compliance tools - regular news bulletins centered on a case pulled from the company's archives. Without naming employees, the office of general counsel and internal audit describe the violation and its consequences both for the company and employees. Related ethics and compliance issues are also briefly discussed in the context of directing employees to related educational resources, such as legal specialists, training representatives, or specific training modules. To encourage a culture of accountability, the head of the business in which the violation occurred sends the case study to other business unit heads and corporate leaders, who then communicate with every member of their subgroups through meetings and e-mail. As a result, the bulletins simultaneously demonstrate management's active commitment, foster education in high-risk areas, and encourage open dialogue. The often-cited risk of this practice is a lawsuit from the unnamed employee or a plaintiff's lawyer. In three years, the company has not had either problem.
4. Web-based education metrics
Online education programs have introduced a new level of accountability and accuracy into the company's assessments. Statistics on the number of courses completed and, more specifically, the time spent completing them and which individuals were delinquent have allowed the company to pinpoint training breakdowns. The data form an important part of the chief compliance officer's presentation to the audit committee and are used to adjust available education to meet risks that emerge from other evaluation methods. For example, the company's antitrust audit revealed that unclear communication with business partners was a common cause of risk. In response, the company developed two education modules on clear written and oral communication, designed for different employee groups. As important as the metrics, however, is clear support from leaders. In the first year of the company's online education program the CEO mandated that two basic modules be completed by all members of senior leadership. He monitored progress weekly until the holdouts were embarrassed into compliance.
It is clear that the decisions of investors, customers and employees in the United States and European Union now depend significantly on ethics and legal compliance. Ethics and compliance management provides an opportunity for companies to stay at the forefront of this long-term trend, while building shareholder value and increasing profitability.
While it is encouraging that the 21st century's most competitive companies are also likely to be highly ethical, ethics and compliance systems, no matter how well implemented, cannot anticipate every risk. As one vice president of business practices says, "The problem with my job is that I'm at the mercy of the dumbest person in the company." Holistic ethics and compliance management, however, is the best insurance policy against its own failure. Ethical organizations surround ignorant and malicious employees with colleagues who are motivated and empowered to stop risky behavior before it becomes a major crisis. And when unforeseen risks develop into crises, a sterling reputation speeds a company towards redemption with the market.

Six tactics to communicate the importance of ethics to employees30

1. Create a communications plan that identifies audiences, objectives and messages.
Be certain messages address cultural, regional, industry and company-specific questions. In other words, speak to personnel in the terms that matter to them - how ethics and compliance will keep employees out of trouble and help their careers. Make the communications plan relevant to the overall corporate strategy that is in place so the ethics and compliance messaging is clearly woven into the larger picture.

2. Plan for a roll-out across as many media as possible that continues in some form indefinitely.
Use multiple platforms, such as e-mail, posters, cafeteria table tents, pay envelopes, intranet banner ads, and live events to meet the basic rule of advertising: You need three impressions to make an impression.

3. Use consistent branding, including the company logo.
Create an easily identifiable look for ethics and compliance training and communication in order to remind employees who are not paying attention that the company regularly addresses ethics and compliance and therefore takes it seriously. Don't forget to include the company logo, which many employees use as a litmus test for whether or not something is important.

4. Weave ethics and compliance into regular communications.
Show that ethics and compliance management is integral to company strategy and let employees convince themselves of its importance. Build ethics and compliance into new product or strategy presentations, allowing employees to make their own connections between personal goals and ethical behavior. If a sales meeting treats ethics only in a stand-alone presentation, employees will naturally think of ethics as standing apart from sales strategy.

5. Make an emotional appeal.
Balance fear with appeals to the greater good, fairness and the desire to be a good person. Demonstrate the serious consequences of violations with real-world examples from company history and the news. Tap sources of loyalty or nostalgia, such as a popular CEO, a flagship product, or historical roots, to lift employees out of their short-term mindset into a sense of long-term purpose. Reward good behavior with incentive and internal award programs that recognize sound ethical decision making.

6. Localize, localize, localize.
Don't take English for granted because employees who are conversant in English are not necessarily comfortable training in English. Consult local personnel about content and presentation so the company doesn't create another "Nova." (In trying to export its Nova passenger car to Italy, an auto giant discovered that the name made Italians think of "Non va," meaning "It doesn't go.")

End notes

1. Economist Intelligence Unit, "Global Business Risk Rose Sharply in First Quarter of 2005, According to New Corporate Risk Barometer," press release, 14 April 2005.
2. The Conference Board, "More Companies Using Enterprise Risk Management to Handle Risks," press release, 27 July 2005.
3. In their comprehensive and widely accepted framework for ERM, COSO defined four categories of objectives, eight components used to achieve them, and four levels of an organization in which the components are implemented. The interrelated stages of the ethics and compliance process defined in the paper affect all sixteen areas. Enterprise Risk Management Integrated Framework: Executive Summary, Committee of Sponsoring Organizations of the Treadway Commission, September 2004.
4. Economist Intelligence Unit, "Global Business Risk Rose Sharply in First Quarter of 2005, According to New Corporate Risk Barometer," press release, 14 April 2005.
5. Ibid.
6. Hard controls are generally considered to be processes that can be quantified, such as the existence of a security system that limits access to the general ledger to certain individuals. Soft controls refer to social interactions and environment conditions that shape organizational culture, such as tone at the top. See "Prevent" section below for more discussion of hard versus soft controls.
7. American Management Association, "Pressure to Meet Unrealistic Business Objectives and Deadlines Is Leading Factor for Unethical Corporate Behavior, New Survey Suggests; American Management Association and Human Resource Institute Provide In-depth Look at the Ethical Enterprise," press release, 17 January 2006.
8. "2005 Federal Sentencing Guidelines Manual and Appendices" (United States Sentencing Commission, effective 1 November 2005).
9. Ibid.
10. 2005 Federal Sentencing Guidelines §8B2.1(a)(2). "2005 Federal Sentencing Guidelines Manual and Appendices" (United States Sentencing Commission, effective 1 November 2005).
11. LRN Customer Community Interviews, conducted during the week of October 3, 2005.
12. Ibid.
13. LRN, "Developing an Appropriate Code of Conduct for Your Company," presentation, 30 September 2004.
14. Department of Health and Human Services, Office of Inspector General Compliance Program Guidance for Pharmaceutical Manufacturers, 68 Fed. Reg. 23731, 23733 (May 5, 2003).
15. Association of Certified Fraud Examiners, 2004 Report to the Nation on Occupational Fraud and Abuse (Austin: Association of Certified Fraud Examiners, 2004).
16. Patrick J. Gnazzo and George R. Wratney, Are You Serious About Ethics? For Companies that Can't Guarantee Confidentiality, the Answer Is No (New York: The Conference Board, 2006).
17. Ibid.
18. "Section 301 Reporting Solution Checklist" (Ethicspoint, 2004).
19. "Law of 22 Prairial" (Wikipedia, 2006).
20. Commission national de l'informatique et des libertés, "Guideline document adopted by the 'Commission national de l'informatique et des libertés' (CNIL) on 10 November 2005 for the implementation of whistleblowing systems in compliance with the French data Protection Act of 6 January 1978, as amended in August 2004, relating to information technology, data filing systems and liberties" (Commission national de l'informatique et des libertés, 2005).
21. Association of Certified Fraud Examiners, 2004 Report to the Nation on Occupational Fraud and Abuse (Austin: Association of Certified Fraud Examiners, 2004).
22. 2005 Federal Sentencing Guidelines Chapter Eight, Introductory Commentary. "2005 Federal Sentencing Guidelines Manual and Appendices" (United States Sentencing Commission, effective 1 November 2005).
23. "In conducting an investigation, determining whether to bring charges, and negotiating plea agreements, prosecutors should consider the following factors in reaching a decision as to the proper treatment of a corporate target:... 4. the corporation's timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents..." from Memorandum from Deputy Attorney General Larry D. Thompson to Heads of Department Components and United States Attorneys, Re: Principles of Federal Prosecution of Business Organizations, 20 January 2003, United States Attorneys' Manual, tit. 9, Crim. Resource Manual, §§ 161-62. In "the Seaboard decision" the SEC did not take action against the Seaboard Corporation "given the nature of the conduct and the company's responses," which included rapid early disclosure. From "Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions" (Securities and Exchange Commission, 23 October 2001). "The [New York Stock] Exchange considers every case in terms of its particular facts and circumstances, and what constitutes an "extraordinary" case is not susceptible of generalization. Nonetheless, the following situations and factors are often considered by Enforcement in assessing a firm or individual's cooperation: Prompt, Full Disclosure Coupled with Thorough Internal Review...." from "Information Memo 05-65, Subject: Cooperation" (New York Stock Exchange, 14 September 2005). "To take advantage of these incentives, regulated entities must voluntarily discover, promptly disclose to EPA, expeditiously correct, and prevent recurrence of future environmental violations." From "Compliance Incentives and Auditing" (U.S. Environmental Protection Agency, last updated 8 February 2006).
24. 2005 Federal Sentencing Guidelines §8B2.1(a)(2). "2005 Federal Sentencing Guidelines Manual and Appendices" (United States Sentencing Commission, effective 1 November 2005).
25. LRN, "Auditing and Monitoring of Compliance Programs," presentation, 12 August 2004.
26. 2005 Federal Sentencing Guidelines §8B2.1(b)(1)(B) and §8B2.1(b)(5)(B). "2005 Federal Sentencing Guidelines Manual and Appendices" (United States Sentencing Commission, effective 1 November 2005).
27. LRN, "New Research Reveals Business Impact of Ethics, Signals the Importance of Ethical Corporate Cultures," press release, 30 January 2006.
28. Ibid.
29. "2000 Organizational Integrity Survey: A Survey Conducted by KPMG" (Bentley College Center for Business Ethics, 2000).
30. LRN, "Four Steps to Successfully Launching Your Compliance and Ethics Education Program," presentation, 02 December 2004.