The 2008 LRN ethics and compliance risk management practices report

Download 2008 report »

REPORT OVERVIEW
This is the second annual LRN Risk Management Practices report. Combined with the 2007 LRN survey, it provides companies with insights into how others are progressing in their ethics and compliance risk management programs and allows them to assess where they are on the curve towards mastering best practices and creating corporate-wide ethical cultures. The 2008 survey questions largely followed the same set of survey questions offered in 2007. Direct comparison of the data provides the opportunity to spot key trends occurring in the industry.

• Key Findings present top-level insights into the results.
• Significant Trends follows which identifies the most distinctive patterns over the two years of survey data, allowing companies to assess which practices companies are increasingly (or decreasingly) using, as well as which challenges to ethics and compliance are improving or worsening.
• Discussion analyzes the holistic meaning of the data and offers an extended view of how companies can mature their ethics and compliance efforts and evolve into values-based ethical cultures that offer greater performance, profit and improved reputations.
• Detailed Results reviews the data survey question by question, providing cumulative results for all respondents with graphic visuals, along with any relevant trending graphs and, if useful, a breakdown of the data by company type – global companies vs. single-location companies. A brief commentary for each question synthesizes the analysis of each set of data results.
• Market Maturity Model reveals the progression from compliance to ethics, divided into four segments, each characterized by numerous common practices and activities.
• Respondent Profile provides the demographics of the company and respondents.

EXECUTIVE SUMMARY
Increased global competition, economic downturn and tighter regulation brought greater pressure on business and with it, greater risk. Both companies and governments worldwide had to make adjustments to cope with these changes in the business climate. Our 2008 Risk Management Practices research report shows great awareness of these issues - reporting substantive progress towards building more stringent programs to manage and mitigate risks, as tangible steps were taken to develop and nurture a more ethical and compliant business environment - at all levels of the organization.

Governments around the world strengthen their collaboration to legislate and enforce a stricter set of rules regulating many facets of business conduct at a global level. The U.S. and European governments tightened their monitoring of potential anti-bribery and anti-corruption violations. Companies doing business in the U.S. have had to respond to the new eDiscovery rule that went into effect in 2007, requiring them to account for and maintain all their internal electronic records including emails, instant messages, and electronic documents that might prove critical in investigations. New European regulations regarding electronic data privacy and data protection have affected companies doing business on the continent.

Faced with this surge of new regulatory compliance demands, as well as fresh ethical challenges posed by a more complex and global business environment, companies attempted to make necessary adjustments. 2007 brought with it new challenges to the business world and important lessons. Scandals like tainted pet food and lead paint in toys made in China were effective reminders about the need to manage and reduce ethics and compliance risks, not only within organizations, but also within their networks of supplier and business partners. The meltdown of the mortgage sub-prime and banking industries pushed businesses across all industries to re-examine their internal decision-making processes for the types of conflicts of interest and long-term ethical and reputational risks. This correlates with the increase in companies performing a corporate-wide "cultural assessment", indicating that they are moving beyond just compliance into recognizing that the entire company culture is at stake.

Our research shows that many companies made good progress in managing their ethics and compliance risks programs by conducting holistic business risk assessments, strengthening each of the five key steps of enterprise risk management and intensifying executive risk management training.

Increasingly more companies integrate their ethics and compliance risk assessments into their enterprise risk management process. Also, the vast majority of organizations have implemented at least some of the best practices in terms of defining and preventing risks, detecting violations and responding to them. Organizations with mature ethics and compliance functions appear to strongly benefit from their prior efforts, having developed critical experience and skills to assess risks, educate employees, and minimize violations. Organizations with newer ethics and compliance departments and those with fewer resources find themselves still with challenges.

Another critical step forward is that organizations appear to recognize the importance of making their ethics and compliance programs compelling, engaging, and comprehensive from the boardroom to the break room.

• Boards of Directors are increasingly involved in participating in educational activities and monitoring the ethics and compliance actions of their companies.
• Senior leadership, management and supervisors are being educated on the responsibility of being the preferred channels for reporting violations, and with it, the importance of awareness and education for their direct reports.
• Employees require that education be relevant to their work and learning style. As a consequence, we witnessed an emerging trend toward interactive educational learning methods such as interactive gaming and facilitator-led workshops to appeal to today's workforce. With increasing numbers of Millennials joining companies, organizations will need to offer more comprehensive, blended educational methods.

We have seen businesses make significant steps toward an optimized approach for managing ethics and compliance risks. Nevertheless, a concerted effort is needed to make the leap from a reactive approach to a strategic, values-based program that increases awareness and understanding of governance, risk management and compliance issues across the enterprise for a competitive advantage.

An integral component of enterprise risk management is to holistically build a strong control environment with a culture of corporate ethics, by defining, preventing, detecting, responding and evaluating as part of five key steps for building a sustainable compliance risk management process:

• Define business ethics and corporate compliance risks to create a comprehensive risk profile.
• Prevent ethics and compliance lapses/failures with hard and soft controls, including business ethics and corporate compliance training.
• Detect noncompliance with the law, regulations, company code of ethics and corporate governance practice via multiple reporting methods.
• Respond swiftly and publicly to allegations and potential violations.
• Evaluate results and make continuous improvements.

LRN'S APPROACH TO ETHICS & COMPLIANCE RISK MANAGEMENT
It is imperative that companies establish a well defined approach for managing their ethics and compliance program. LRN developed and refined this process incorporating over 14 years of experience and proven best practices. Working throughout the enterprise, each step is essential when developing a holistic approach to your program.

KEY FINDINGS
Ethics and compliance programs are maturing
Numerous survey findings demonstrate reasonably vigorous efforts to implement sound practices to manage and mitigate risks. It is encouraging to note, for example, that almost 9 in 10 companies perform a formal ethics and compliance risk assessment, with more than half integrating it into other business risk assessments. However, only half indicate their Executive Team or Board become involved in the assessments.

Similarly, more than 9 in 10 companies have codes of conduct or offer internal communications, and almost the same number offer online education courses. Significant increases since 2007 appear in the number of companies (nearly 8 in 10) that provide formal ethics and compliance education for their CEO and senior management, indicating a growing recognition of the critical importance of developing a strong tone from the top. However, multinational companies lag in providing the same level of ethics and compliance education in their regional offices.

Overall, there are positive signs that ethics and compliance efforts are progressing, with more companies developing confidence in their abilities to manage and mitigate risks. Nevertheless, companies cite numerous challenges - including lack of resources, low employee engagement, employee fears of retaliation, and lack of relevancy in educational materials - that suggest their organizations are not investing in and developing holistic programs that move their culture beyond compliance into values-based self-governance that drives superior business performance.

Companies identify their top two ethics and compliance risks as electronic data protection and data privacy
It was unexpected that the two leading perceived risks involved electronic data issues rather than anti-corruption/anti-bribery, given the heightened Department of Justice focus on FCPA violations in 2007 and early 2008. Among all respondents, electronic data protection led the list of concerns in perceived risk. Data privacy was the second leading challenge, along with conflicts of interest. These three risks far outpaced other perceived risks including sexual harassment, environmental safety & health issues, anti-corruption and bribery.

The increased concern about electronic data risk is the result of the growing amount of electronic data generated organization-wide, combined with new, more stringent regulations and requirements regarding the management and security of data. Businesses have had sound policies and procedures on processing, storing and protecting printed documents, many of them developed throughout decades. They have had to protect their trade secrets, customer data, and employee records, but now they must also comply with the eDiscovery Rule which went into effect in 2007. The eDiscovery Rule now requires them to manage and maintain all electronic data, including e-mails and instant messages, which might be relevant in future legal disputes. Global enterprises have to comply with new data privacy laws and regulations imposed by European governments. Germany, for example, has instituted specific new laws on data protection that go beyond existing EU data protection laws as well as the older German Federal Data Protection Act. In the U.S., 47 states have ratified separate data privacy laws protecting individuals from fraud and malicious use of their data.

Compliance with these electronic data protection and privacy laws is more complex and has migrated beyond traditional IT functions into legal compliance and ethics areas since the legal issues extend beyond their technical expertise. Banking, financial, insurance, and healthcare industries have more rules and regulations regarding data privacy than other industries.

To address these concerns, companies need to develop comprehensive privacy and security policies; conduct audits of their data practices including Internet activities, cross-marketing and data sharing with affiliates and partners; manage their internal data usage, such as handling of customer and employee personal data; and educate employees to prevent breaches or losses related to data privacy.

A majority of companies perform formal risk assessments involving multiple functions
Respondents are taking risk assessment seriously, with nearly 9 in 10 respondents indicating they perform risk assessments regularly. Slightly more than half say they integrate ethics and compliance concerns into other business assessments. Results indicate that depending on the nature of the risk, companies are utilizing one or more of the following departments in their risk assessments:

• compliance,
• legal,
• internal audit, and
• human resources.

 Most importantly, two-thirds of respondents share the findings of the risk assessments with their Board and their senior executives, ensuring that top leadership participates in the responsibility for building ethical and law-abiding business conduct. Furthermore, almost one-quarter also share their findings with employees, thereby reinforcing ethical awareness and demonstrating the company's commitment to fostering an ethical workplace.

Only 4 in 10 respondent companies involve their business managers in the risk assessment process. The middle managements’ proximity to operations enable them not only to have a more in-depth knowledge about where the ethics and compliance challenges may lie but also to gain the subordinates trust and become the channel of choice when reporting a potential violation. Not tapping into these two key advantages of middle management creates a critical gap in the risk assessment and detection processes. Furthermore, the survey results indicate that nearly all companies want supervisors to be a channel for employees to report violations, it is counterproductive to not involve them in the risk assessment process. Companies would benefit significantly by proactively including managers in every step of the risk management cycle and could substantially improve employees' willingness to report violations to managers.

Companies cite engaging employees and making education more relevant as their top challenges in prevention
In terms of preventing risk, respondents point to a lack of resources as their leading challenge, with nearly 6 in 10 companies marking it. However, beyond this perennial problem, the next two leading challenges reflect crucial factors that make or break getting employees motivated to take risk management personally: relevancy and engagement. More than 4 in 10 respondents indicate making the education relevant is their next most significant challenge, and one-quarter cited engaging employees.

The search for relevancy and engagement is critical in risk prevention. The learning theory states that adults pay less attention to information that does not directly affect their jobs than they do to information that has an immediate value to their day-to-day work. Numerous studies have also shown that engaging people in their learning boosts their interest in and ability to use the knowledge. Learning resources that allow people to control their own progress, interact with the materials, and gauge their learning through self-tests have proven to have higher impact on adults than one-dimensional lessons that workers passively read or listen to.

The most common risk prevention education is a code of conduct, in place at nearly all respondent companies followed by internal communications. The next two major methods of education were online and offline (classroom) education which may include interactive components to engage employees, such as discussion questions and debates.

There is increased focus on tone-from-the-top, with companies providing more customized education to their board and senior leadership. Among respondents, around three-quarters offer formal CEO/senior management development and management/leadership development programs. The popularity of both of these programs is up since 2007, with more companies offering them, suggesting that companies are recognizing the role that C-suite and senior management must play in establishing tone at the top and being up-to-date about the ethics and compliance issues that may affect their companies.

It is interesting to note a new educational method: Interactive Games which has been used recently for teaching employees about ethics and compliance issues with great success. The study shows that 10% of respondents use Interactive Games which suggests that there are early adopters tapping into new technologies and approaches to engage employees in less static, more personalized, interactive ways that make ethics and compliance education relevant and memorable.

There are two key trends that may explain the increased use of Interactive Games. Many industries frequently employ off-site workers or workers who don’t have time or regular access at their jobs to the Internet to participate in the usual types of online instruction in ethics and compliance. Interactive games delivered to laptops, iPhones, and other portable devices can provide a needed solution to keep these workers engaged even when they are not connected to the Internet. Alongside this trend, companies are faced with the need to accommodate a fast-changing workforce that includes more Millennial-generation employees who have grown up their entire lives playing video games. For these workers, interactive gaming is the most familiar and effective method of getting information - and they are often far more skilled at interactive gaming than they are at reading printed documents. We can conclude that, in fact, the use of Interactive Games to educate on ethics and compliance will expand exponentially in coming years as younger workers enter the workforce and information is presented in ways they prefer.

Detecting violations still presents a significant challenge
Despite the prevalence of anonymous reporting channels, employees fear retaliation and lack the motivation to report. Companies cited detection as their main challenge in 2007 and they do so again in 2008. In both years, nearly half of respondents indicate they have no significant problems in this area, while the other half cites a wide range of challenges that hamper their detection efforts. Topping the list, almost two-thirds of companies believe their employees fear retaliation, up from 2007. Meanwhile, half the companies cite employee lack of motivation to report violations, compared to just 3 in 10 in 2007.

The irony of these statistics about fear of retaliation and employee apathy is that organizations increased their efforts to communicate, educate employees about ethics and compliance, and ensure they have ready access to report violations. The survey results show that the nearly 9 out of 10 multinational companies offer at least three reporting methods for employees to use in their home region, and 7 out of 10 have at least three methods even in their field offices. Nearly all companies offer their workforce an anonymous or confidential channel to report ethics and compliance violations, and in 2 out of 10 of those enterprises, the company prefers the anonymous line to be its first line of reporting. In addition, 4 out of 10 companies also offer an internal ombudsman as a “go-to” person for reporting. Despite all these organizational efforts, employees remain reluctant to step forward to report violations.

Employees may be uncertain about whether their reports will truly remain confidential. Survey results show that few companies emphasize the use of the anonymous /confidential channel to report violations. Not even 2 in 10 companies list it as the preferred first reporting channel at their offices. This could mean that in too many companies, employees simply don't receive a clear message that confidentiality is valued.

Another possible cause of employee fears of retaliation or apathy to report violations might be the increasing number and complexity of regulations. More and more enterprises operate in multiple regions, and are subject to a wide range of laws, and employ a more diverse workforce. Such factors could fuel worker ignorance or confusion about what to report and what will happen should they do so. Survey results somewhat bolster this explanation. Nearly 3 in 10 companies say their employees just don’t understand the rules, suggesting organizations to do a better job educating their employees and inspiring them to take greater responsibility for helping to build an ethical culture.

Multinational companies face bigger challenges at their international regions than at headquarters
Creating a unified ethical culture everywhere around the world is a crucial issue for multinational companies operating in an era of increased global competition, greater use of foreign agents and partners, suppliers, as well as a diverse workforce spread around the world. However, survey results suggest that global companies still face greater challenges in their international regions than at headquarters.

In terms of overall capability, for example, multinational firms gave themselves lower ratings for both accuracy and timeliness of their risk management efforts at their regional offices than at their headquarters. Furthermore, the largest combined number of companies gave their home offices the highest ratings for timeliness and accuracy, and the largest number of companies combined gave their regional offices the lowest ratings.

Companies indicated they face more challenges with their regional offices and workers. In terms of providing ethics and compliance education, companies consistently offered fewer programs in the regions than they did at their home office, including white collar/managerial education, Board of Directors education, and Service Workers education. Multinational companies also offered fewer methods for reporting violations at their regional offices compared to their headquarters.

These results suggest that global companies consistently experience more difficulty managing risk the further away from headquarters employees work. Learning how to equalize risk management and mitigation across all company offices will thus remain a key goal for multinational organizations in the future.

Few larger companies actively manage ethics and compliance risks within their supplier and partners' network
Less than one-third of multinational companies are offering ethics and compliance building activities to parties that work closely with them, even though their violations would directly affect the company. Roughly speaking, only 1 in 10 multinationals offer education to resellers, 2 in 10 to suppliers and 3 in 10 to business partners in their headquarters area, and the results were even lower in their regional locations.

This lack of coordination with partners and supply chain should be a red flag as companies increasingly build or utilize overseas manufacturing plants, make deals with foreign governments and companies using agents and partners, and transact financial exchanges with parties whose inner operations they may not know. It is well known that the Department of Justice has little tolerance for fraudulent transactions, even those performed unwittingly. Ultimately, enterprises need to make greater efforts to ensure their agents, resellers, distributors, consultants and suppliers possess the same high degree of ethical conduct and compliance with the law that they hold up for themselves.

Lack of resources - budget and staff - continues to be the leading challenge in conducting risk assessments and in implementing prevention programs
Half the respondent companies cited lack of resources as the primary challenge they face when doing risk assessments, far surpassing other challenges, including obtaining accurate and quantifiable information, difficulty in conducting a global assessment, analyzing and applying the findings, and insufficient technology. Lack of resources also topped the list in providing ethics and compliance education and/or certification activities and programs. Almost 60% of companies marked it more frequently than the other possible challenges, such as cultural differences among workers, regulatory differences, and the need for translated materials.

The slow economy and the need to comply with new and increasingly more regulations being issued by governments around the world are making companies to cite lack of resources as key challenge in all stages of risk management process. Another cause may be related to the fact that the U.S. Department of Justice and other governments are becoming more aggressive enforcing the laws, forcing companies to become more vigilant about their responsibilities. They need to hire more staff, purchase more education programs, communicate details about organizational hotline and education program, conduct risk assessments on a more regular basis - and lacking resources to do all that is fast becoming a real, not imaginary, deficit to success.

SIGNIFICANT RISK MANAGEMENT TRENDS 2007-2008
LRN's annual Risk Management Practices Survey provides an opportunity to evaluate trends in how companies approach their ethics and compliance efforts to better manage risks, year over year. Our analysis indicates that signifi cant trends are occurring across the lifecycle of ethics and compliance functions. Many indicate that corporate programs are becoming increasingly robust and expansive. The following provides an overview of the most salient trends captured by comparing the 2007 and 2008 data.

Defining Risks
Properly defining ethics and compliance risks usually requires the office in charge to use existing knowledge of potential risks to design a questionnaire or interview process that asks key business-unit employees to evaluate the prevalence of known risks, such as:

• Accounting breakdowns, including fraud, inaccurate record keeping, inappropriate record retention or destruction and noncompliance with the requirements of Sarbanes-Oxley
• Business ethics failures, such as the exposure of confidential client information, conflicts of interest and giving and accepting inappropriate gifts
• Employment related risks, like equal opportunity violations, workplace harassment and immigration offenses
• Fair trading laws, which cover price fixing, abuse of dominance and collusion
• Customer and workplace violations, for example, aiding and abetting illegal customer acts and creating unsafe workplace conditions
• Product issues such as product safety failures and intellectual property violations, patent infringement

Integrating ethics and compliance risk assessments into other assessments processes is rising - By comparison with 2007, there was a 12% increase in the number of companies that integrate ethics and compliance into other organizational assessments. The number of enterprises that integrate risk assessments is even slightly higher among lesser and non-regulated companies.

Involving boards and senior management in risk assessment process is rising - In 2008, more than three times as many companies involve their board of directors in the risk assessment process compared to 2007. Also rising was the involvement of the Executive Team.

Sharing information from assessments with employees is rising, but is falling for Boards, senior executives and managers - It is encouraging to see an increasing percentage of respondent companies sharing their fi ndings from risk assessments with employees. Informing employees about ethical issues occurring within the company is an effective method of demonstrating the company’s commitment to an ethical culture, as well as motivating employees to report incidents. However, there was a drop in companies sharing information from assessments with their Board and/or senior executives and with managers.

Conducting a global risk assessment is easing - Multinational companies are becoming better at conducting the risk assessment in their international regions. In 2008, only 35% of multinational companies reported having difficulty obtaining accurate, reliable information vs. 40% in 2007. Similarly, only 26% indicating being challenged to conduct a global risk assessment vs. 34% in 2007.

Preventing Risks
The laws, regulations and guidance reflect an evolution in regulatory philosophy. When determining fines, conditions of probation and other punishments for felonies and Class A misdemeanors, federal judges must consider whether an organization has promoted "an organizational culture that encourages ethical conduct and a commitment to compliance with the law."¹ Education is a key element in any program designed to build an ethical corporate culture. So, it is encouraging to note several positive trends towards improved educational efforts occurring in the period from 2007 to 2008.

Educating senior management of company is rising - Compared to the last year, more companies are emphasizing education for the top levels of their organizations. In 2007, only 67% offered formal CEO/senior management education, growing to 77% in 2008. Similarly, management/leadership development is now offered by more organizations: 70% in 2008 compared to 56% in 2007.

Educating board members increases - Among multinationals companies, a larger percentage of companies provide education to board members compared to 2007: 70% vs. 64% of respondents.

Detecting Risks
Providing self-reporting channels, establishing controls for rapid detection, conducting compliance monitoring and audits are all essential in detecting noncompliance with the law, regulations, corporate governance practice or code of conduct. In the realm of detecting risks, the trends revealed in the data are mixed; some are positive reflecting advances in detection. These results may suggest a more pragmatic view of being able to detect risks everywhere they exist, together with a greater sense of responsibility to circumvent them, is reflected in the increase challenges across the board.

More companies facing significant challenges to detection - More companies indicate having challenges detecting risks than in 2007. This suggests that companies are finding it difficult to establish reliable detection procedures which employees trust and feel inspired to participate in. Companies indicated having the following challenges in 2008:

• employee fear of retaliation,
• lack of employee motivation,
• inappropriate uses of reporting channels,
• lack of formal management process,
• employee lack of understanding, and
• insufficient staff to respond.

Increased use of internal ombudsman - Compared to 2007, more companies indicated having an internal ombudsman – responsible for investigating and resolving issues - as a potential channel for reporting violations, 40% in ‘08 vs. 29% in ‘07.

More Companies having set policies for reporting violations - Compared to 2007, the percentage of respondents indicating that their company has no set policies for reporting decreased by 60%. In 2007, nearly one-quarter of respondents had no set policy for reporting violations, whereas in 2008, only 17% responded having no reporting policy.

Evaluating Risks
Amendments to the US Federal Sentencing Guidelines call for organizations to "take reasonable steps to evaluate periodically the effectiveness of the organization's compliance and ethics program," including oversight by "high-level personnel."² Similarly, Sarbanes-Oxley Section 404 requires management to take responsibility for and assess the effectiveness of internal controls and procedures. Several trends in how companies evaluate their ethics and compliance programs point to weakening capabilities among companies to benefit from measuring their program effectiveness and using the results to create improvements. While some 2008 survey findings are positive, several key evaluation practices are declining when compared to 2007.

More companies using a formal cultural assessment - A significant increase occurred in the number of companies using a formal cultural assessment: 35% of respondents in 2008 vs. only 25% of respondents in 2007. The more common use of formal cultural assessments demonstrates that companies recognize the need to build awareness and create a value-based culture rather than basing their programs simply on ensuring compliance with regulations.

Companies increased their abilities to evaluate their data - Two measures suggest companies are improving their use of data collected in evaluations. First, nearly 40% fewer companies cite having difficulty in correlating evaluation data to results than in 2007, and similarly, nearly 25% fewer companies have problems correlating results to business improvements. Aggregating and analyzing data also improved, with about 20% fewer companies marking this challenge.

Continue to page 2 »