The LRN ethics and compliance risk management practices report
More than ever before, companies must advance business cultures that value legal and ethical business conduct. Regulators, investors, business stakeholders and the public are increasing their demands for companies to conduct business with integrity, honesty and trust. Growing data demonstrate a link between ethical business cultures and corporate success, indicating that companies that operate with high standards of legal compliance and ethical conduct can enhance customer loyalty, build investor confidence and strengthen employee recruitment and retention.

Increasingly, nurturing a strong corporate culture is recognized as a key element in managing ethics and compliance risk. To be effective, however, ethics and compliance risk management requires a systematic, holistic approach. Companies must implement integrated risk management processes that work together in complementary fashion to define and identify risks, educate workers, detect violations, conduct investigations and continually fortify the corporate culture.

In the past decade – and especially since the revised U.S. Federal Sentencing Guidelines – companies have put in place a wide range of ethics and compliance risk management practices. In an effort to measure how widespread risk management efforts have become, which practices are most commonly followed, and whether companies are truly moving toward an integrated, systematic process, LRN conducted a survey of senior personnel from ethics and compliance, legal, risk and audit departments.

This report presents the results of the LRN survey and analyzes the data for patterns and trends. The findings can help ethics and compliance professionals gain valuable insight into how others are managing their ethics and compliance risks. Comparing practices employed in other organizations can help ethics and compliance professionals benchmark their own programs, assess their overall effectiveness and target improvements.
In addition, companies with operations outside the United States will find the results useful in contrasting their practices at headquarters with those at international operations.

The LRN survey found numerous challenges still remain in implementing effective ethics and compliance risk management programs. The discussion section at the end of this report highlights those challenges and proposes solutions that ethics and compliance professionals can integrate into their efforts to improve risk management and advance their goal of developing strong ethical business cultures.

The LRN ethics and compliance risk management survey will be conducted annually and broadened to provide regular comparison of ethics and compliance practices and to chart progress over time.

RESPONDENT PROFILE

Title and role of respondents

All respondents had senior titles in one of the following fields: ethics, compliance, legal, risk or audit. Sixty-four percent of respondents had primary responsibility for their organizational ethics and compliance initiatives.

Size of companies
Location of headquarters and presence in global regions
The table below shows a breakdown of the number of regions of operation among respondents according to the location of their headquarters.
Industries represented
SURVEY METHODOLOGY

In October–November 2006, LRN e-mailed an invitation to complete the survey to 1,839 senior ethics, compliance, legal, risk and audit professionals, of whom 161 completed the survey. The survey was completely anonymous and each respondent could take the survey only once. (A possibility exists that there might be multiple responses from one company, though LRN estimates this number to be extremely limited.) The survey questionnaire included multiple choice questions developed in collaboration with experts in the ethics and compliance risk assessment field.

Significance has been analyzed using the chi-square statistic. The threshold for reporting differences or relationships as statistically significant is p < 0.05. This survey was self-administered using the Instant Survey online tool from GMI (Global Market Insite, Inc.). Rounding may occasionally cause some total results to add up to greater than 100 percent.

1. Ethics and compliance risk assessments are sometimes integrated with other company risk assessments, but the majority of companies do not involve their executives and business managers in the risk assessment.

About half of the surveyed companies integrate their ethics and compliance risk assessments with other business risk assessments. However, in the risk assessment process, only 42 percent obtain input from their executives and only 37 percent obtain input from their business managers.

2. Companies regularly report the results of their ethics and compliance risk assessment and the evaluations of their prevention programs to senior leadership, but lag in reporting to operational managers.

Most companies (80 percent) share the findings from the risk assessment process with their top executives. Almost all companies (95 percent) make relatively frequent reports on the progress of their ethics and compliance education programs to their senior executives and board. However, they involve management far less frequently, with only half of companies (51 percent) sharing the risk assessment results with business managers.

3. Most companies have multiple functions collaborate in the ethics and compliance risk assessment process and in investigating violations.

More than three-quarters of companies involve the legal department in performing ethics and compliance risk assessments and in investigating reports of incidents and potential violations. Two-thirds of companies involve internal audit in assessments and investigations. Close collaboration between the legal, internal audit and/or compliance department in the risk assessment process is also highly common.

4. Companies offer a wide range of risk prevention programs such as online education and certifications, but programs are consistently less robust at international locations than at headquarters.

Companies with international operations employ a spectrum of prevention programs (e.g., online or on-site education, certification and performance reviews). The most common prevention effort is a code of conduct, offered by all respondents (100 percent) at their headquarters operation. However, reported results for every type of prevention program are consistently lower for companies’ international locations than for their headquarters.

5. Many companies still express concerns that employees fear retaliation for reporting incidents, despite the prevalence of anonymous reporting technologies.

Almost all (98 percent) respondents offer an anonymous phone line or a confidential reporting channel. However, almost two-fifths (39 percent) of companies believe their employees still fear retaliation for reporting.

6. Detecting ethics and compliance violations presents a significant challenge for companies.

About three-quarters of companies report significant difficulty in detecting ethics and compliance violations, both in their home markets (67 percent) and in their international operations (73 percent). The reasons cited include employees fearing retaliation by the company, feeling unmotivated or failing to understand company policies.

7. Many companies are confident in their ability to conduct effective investigations.

Conducting investigations received the highest percentage of companies (32 percent) reporting no significant challenges compared to other risk management processes, perhaps because companies have greater experience in investigating than in defining, preventing, and detecting ethics and compliance risks. However, the remaining respondents cite a range of challenges, including lack of resources and a scarcity of qualified investigators. Companies with operations in multiple regions also cited problems investigating incidents occurring at international locations.

8. Compliance professionals frequently cite a lack of resources (budget and staff) as their leading risk management challenge.

About half of ethics and compliance officials named inadequate resources as their biggest challenge in conducting the risk assessment (49 percent) and in implementing prevention programs (53 percent). Lack of adequate resources was also cited as the second biggest challenge in investigating allegations.

9. Companies attempt to accurately evaluate the effectiveness of their ethics and compliance programs and use the data to improve their programs.

A majority of companies use qualitative (63 percent) or quantitative (52 percent) measures to evaluate the impact of their ethics and compliance process, and 47 percent use internal program/process audits. With the data collected, 82 percent of companies attempt to improve their process.

10. Despite the prevalence of strong program evaluation efforts, some companies find the interpretation, analysis and application of the data collected challenging.

Even with the above qualitative and quantitative evaluations, many companies cite challenges in correlating the data captured to results (38 percent), as well as correlating the results to business improvements (33 percent) and aggregating and analyzing data (29 percent) across programs.

DEFINING ETHICS AND COMPLIANCE RISKS

1. Is your ethics and compliance risk assessment process integrated with other risk assessment processes within the enterprise?

Most companies perform ethics and compliance assessments and a slim majority integrate them with other business risk assessments in the company.

Historically, ethics and compliance officers were viewed as specialists in responding to allegations of wrongdoing. However, this narrow view of ethics and compliance is changing. A substantial majority of companies performs an ethics and compliance risk assessment, and a slim majority now recognizes the value of integrating ethics and compliance risk assessments with other risk assessment processes. Integration helps deepen the company’s understanding of the risks it faces, allowing more effective prevention techniques. Existing risk assessments also tend to overlap in some areas with ethics and compliance, so integration creates a more efficient process.

2. What types of ethics and compliance risks does your company examine as part of its risk assessment process?
U.S. companies examine a broad array of ethics and compliance risks at home but are less comprehensive in their operations abroad.

Given that 88 percent of the multinational participants worked in companies headquartered in the United States, this result generally reflects practices at U.S.-based companies with international operations. The reduced levels of risk assessment internationally may reflect cultural and legal differences that act as obstacles to implementing U.S. standards and guidelines abroad. Decentralized ethics and compliance functions that are not able to coordinate well across international borders may be another barrier to consistent international practices.

Across all regions, supply chain/sourcing compliance received the least amount of attention from ethics and compliance risk assessments. More than half did not examine them at home, while even more – about two-thirds of respondents – did not examine these issues in their foreign regions of operation. The apparent low interest in the supply chain risk assessment may reflect the inherent difficulties of balancing the independence of suppliers with the enforcement of mutual standards. Suppliers based entirely in a foreign country, for example, may be under no legal obligation to follow the standards of their customers, nor have the appropriate systems or procedures in place to meet them voluntarily. However, the risks of supply chain/sourcing channels are equally critical for companies to consider.

Despite these challenges, separate research by LRN, combined with the fact that just over half of respondents are considering supply chain compliance, suggests that there is an upward trend in ethics and compliance toward assessing risk throughout the extended enterprise.[1] Such a trend may reflect the influence of the U.S. Federal Sentencing Guidelines which counsel large organizations to “encourage small organizations (especially those that have, or seek to have, a business relationship with the large organization) to implement effective compliance and ethics programs.”[2]

[1] Source: LRN client community interviews, conducted during the week of October 3, 2005.
[2] Source: “2005 Federal Sentencing Guidelines Manual and Appendices” (United States Sentencing Commission, effective 1 November 2005) http://www.ussc.gov/guidelin.htm.

3. Who is involved in performing your ethics and compliance risk assessment?
Despite their proximity to operations, business managers are often not involved in risk assessments.

Integrating business managers into the risk assessment process appears to be lagging. The fact that little more than one-third of respondents reported involvement of business managers suggests that integration of the risk assessment process down to the business unit level may not yet be a recognized practice. However, business managers are closest to the day-to-day operations of the company and often have the greatest knowledge of potential risks. Including business managers in risk assessments would likely strengthen the process.

Otherwise, companies generally reported involving multiple departments in assessments – as shown in the following table – often using a combination of legal and compliance or internal audit. A significant number of respondents reported using teams composed of all three departments: compliance, legal and internal audit. Legal’s involvement likely reflects the fact that ethics and compliance are so often a part of the legal function.
4. How often do you conduct your ethics and compliance risk assessments?
Performing an annual risk assessment is the most common practice.

Companies appear to practice risk assessments on a regular, consistent basis.

5. How do you use or apply information from your ethics and compliance risk assessment?
Ranking and mapping risks are not yet common practices.

Almost half of respondents do not apply any type of ranking methodology to the risks uncovered in their assessments. Ranking is a useful practice because it not only identifies possible immediate trouble spots but helps ensure that education curriculums and other prevention techniques are targeted at the risks most likely to occur or those with the potential for greatest impact. The current difficulty of mapping risks to specific employees or groups may explain why it is even less implemented than ranking. One reason is that HR systems are typically not equipped to capture activities associated with specific risks. However, leading companies are increasingly using automated tools that allow them to survey employees to capture responsibilities and map risks in a bottom-up fashion.

The popularity of sharing findings with boards and senior executives is understandable, given that government regulations place ethics and compliance responsibilities on these officers. Looking back at who is involved in conducting assessments (16 percent of boards, 42 percent of executive teams, 37 percent of business managers), and when assessments are conducted (46 percent annually, 9 percent more than once per year), it might be concluded that most boards see only the annual results of assessments while a solid majority of executives see more regular updates even though they are not engaged in guiding the assessment process in a significant way.

6. What are the biggest challenges you face in conducting your ethics and compliance risk assessment?
Constrained resources and collecting accurate data challenge risk assessments.

Lack of adequate resources was cited as the leading challenge in conducting risk assessments. One solution to this reality is for the ethics and compliance function to reach out to other functions in the organization in order to establish a wider base of leaders and business managers who can champion the importance of the risk assessment and help the process gain support, momentum and assistance.

The second leading challenge, obtaining accurate and quantifiable information, points to the need for companies to enhance their use of automated systems to collect ethics and compliance risk assessment data (versus paper-based methods that many companies are still using). As companies increasingly turn to advanced analytics and metrics, automated systems will aid greatly in capturing accurate and quantifiable information that can drive the risk assessment process.

The third most commonly cited challenge is conducting global evaluations. This response may help explain the earlier finding that fewer types of risk assessments are done in the foreign operations of most companies compared with their headquarters.

PREVENTING ETHICS AND COMPLIANCE RISKS

7. What activities or programs does the company have in place to educate and/or certify employees in specific ethics and compliance risks at the headquarters and in international regions?

Activities and programs to educate or certify employees
Among respondents with multinational operations, a first tier of prevention stood out, including the use of a code of conduct (100 percent locally, 86 percent internationally), internal communications (90 percent locally, 77 percent internationally), and online education (88 percent locally, 70 percent internationally). The next tier of prevention methods included electronic certifications (81 percent locally, 64 percent internationally) and in-person education (76 percent locally, 63 percent internationally). The following activities were less commonly implemented: formal involvement of the CEO and senior management (67 percent locally, 56 percent internationally), written certifications or attestations (62 percent locally, 57 percent internationally), management and leadership development (56 percent locally, 46 percent internationally), site visits (57 percent locally, 48 percent internationally), and employee performance reviews and other incentives (51 percent locally, and 38 percent internationally). Only 7 percent of respondents said their companies had no formal education or certification programs in place.

Most companies approach prevention using a variety of means, though headquarters locations consistently report higher levels of prevention activities than international locations.

The high percentage of respondents who cite education activities both locally and internationally demonstrates a positive trend toward using multiple means of risk prevention.
Certain types of prevention activities are less frequently implemented, perhaps because they require greater investment, personalization or resources, such as management/leadership development and site visits. Of particular note is the lesser emphasis placed on two types of management activities: formal CEO/senior management involvement (67 percent locally, 56 percent internationally) and management/leadership development (56 percent locally, 46 percent internationally). This result is deserving of further study given how important management education can be in prevention and in communicating the importance of prevention to frontline employees. Likewise, incorporating ethics issues into employee performance reviews is an effective way for companies to link their risk concerns with employee behavior.

The findings also point out that companies do not yet offer the same scope of prevention methods in their international locations. Causes may reflect the challenge of deploying efforts globally (e.g., translating education and certification programs into preferred languages, identifying culturally relevant experiences, and reaching a dispersed workforce).

8. To which non-employee groups do you provide the ethics and compliance education and/or certification activities/programs?
Almost all executives and managers are being reached by ethics and compliance education efforts.

Regulations requiring that companies encourage an ethical corporate culture and establish effective compliance programs have clearly inspired leadership to consistently infuse ethics and compliance education throughout the organization. Somewhat surprising, however, is the lesser degree to which board members receive education, given the U.S. Federal Sentencing Guidelines, which assign ultimate responsibility to the board. Board education is an area to watch for future development.

Meanwhile, suppliers and partners are the least targeted groups for education. They are likely to become important elements of effective ethics and compliance education in the future for two reasons. First, the U.S. Federal Sentencing Guidelines suggest that large organizations encourage smaller partners to “implement effective compliance and ethics programs.” Second, the public doesn’t differentiate between the actions of a company and those of its suppliers and partners, expecting ethical business conduct from both.
Download PDF to access the complete list of key findings and the full report.












