HOME arrow INSIGHTS arrow COMPLIANCE MANAGEMENT

How to create an effective ethics and compliance process
Print E-mail

Download PDF >>

An effective ethics and compliance process helps companies meet compliance regulations, including the Federal Sentencing Guidelines and offers distinct business advantages. Growing data demonstrates a link between ethical business cultures and corporate success, and indicates an ethical culture enhances business performance. Benefits include reduced risks and costs associated with noncompliance; stronger relationships with customers, employees and partners; increased revenue and shareholder value; and an enhanced corporate reputation.

To achieve these results, leading organizations build ethics and compliance into a cycle of oversight that promotes a culture of principled performance throughout the business operation. A business process approach to compliance proactively manages ethics and compliance risk throughout the lifecycle of: define, prevent, detect, respond and evaluate.

Define legal and ethical risks.

An effective approach to compliance management begins with defining risks through a comprehensive assessment process. Companies must take stock of and evaluate the potential ethical and compliance risks they may encounter in the course of their business operations.

In performing a risk assessment, companies should understand the nature and scope of the obligations they face. Conducting legal research helps ensure the company has an accurate understanding of its legal responsibilities, including those in each jurisdiction in which it plans to operate. And conducting it proactively helps the company anticipate noncompliant incidents, avoiding costly last-minute legal research in response to investigations or litigation.

In addition to a legal assessment of risk, the definitional phase also includes an internal process to identify both enterprisewide and specific risks applicable to individual operating units, locations, employee groups or employees.

An effective risk assessment engages managers and employees at various levels to ensure all risks are identified and fosters a sense of personal awareness and accountability at the individual level. Such a team may include professionals from multiple areas of the company, including individuals from compliance and legal, as well as leaders from various operating units and functional areas and even staff-level employees. This team approach also offers valuable front- line insights into how legal, ethical or compliance failures can occur.

Next, the team performing the risk identification process must cross- reference and rank the data gathered to build a complete profile of the company’s ethical and compliance risks. It can be especially valuable at this time to correlate risks to specific employee groups and levels. This “match-up” list becomes the basis for more effective education and communication programs that target specific groups, or even individual employees, to reduce such risks.

The definition phase should not be considered a one-time exercise. Assessing risk must be a dynamic, continual process that requires an organization’s ongoing attention to be as comprehensive, accurate and effective as possible.

Prevent risks from becoming liabilities.

Once risks are known and understood, it is important to devise strategies to prevent them from occurring.

Top executives play a very important role in risk prevention by living and acting on the values and behavioral standards to which the organization aspires. This concept is often referred to as “tone at the top,” but research indicates that “top” is relative to where an employee sits within an organization. The tone from a middle manager may be equally, or perhaps more, valuable since employees tend to follow the behavior of their closest managers and colleagues. Thus, both leadership and management must constantly reinforce the company’s values through their communications to employees and their behavior.

Another valuable way to mitigate ethics and compliance risks is to create and publicize an effective code of conduct. The most effective codes clearly communicate the organization’s values to employees such that, when faced with a dilemma, they are in a better position to navigate the gray areas because they understand the company’s expectations for appropriate behavior. However, a code is of no benefit on a shelf or in a desk drawer. To be effective, the code’s messages must be continually reinforced through communication and education programs.

Leading companies skillfully use education to raise awareness and understanding, communicate corporate values, set expectations for ethical behavior, clarify legal issues, address consequences and provide employees with the necessary information to make good decisions. The best education programs actively engage employees in interactive, scenario-based learning that encourages them to think critically about the issues, not just memorize a list of rules by rote.

Finally, codes of conduct and ethics education should be supported by a “certification” mechanism that emphasizes the employees’ role in preventing risks. A certification entails employees confirming their compliance with regulations and policies and disclosing potential instances of noncompliance.

These elements – tone at the top, codes of conduct, education, certification – all work together to help prevent ethics and compliance failures while providing a solid infrastructure that supports the formation of ethical, self-governing corporate cultures.

Detect ethics and compliance issues before they become serious matters.

Despite an organization’s best prevention efforts, ethics and compliance lapses can occur. When they do, leading companies use specific mechanisms to detect breaches early, before they grow into legal problems or actionable violations. Such mechanisms include certification programs, registry programs, helplines and open-door policies, all of which are aimed at enabling employees to raise concerns, seek guidance and report suspected misconduct without fear of reprisal.

In particular, helplines have become widely used since the passage of the Sarbanes-Oxley Act of 2002. Helplines provide an easy and confidential way for employees to report possible wrongdoing while protecting themselves if they wish to remain anonymous.

To work as intended, employees must feel comfortable using these tools. Earning trust through active communication is key. Managers should communicate the value of the helpline to the workforce and provide specific details and examples of how it works. Employees also need reassurance from the start that their identity will be protected when they use the helpline anonymously, that they will not be subject to any form of retaliation and that the company will respect and respond appropriately to their report.

Certification and registry systems are other effective tools to monitor and detect potential compliance problems. In a certification, employees acknowledge receipt of policies, procedures and codes of conduct; affirm compliance; and explain instances of potential nonconformity or conflict. Leading companies now use automated programs to manage and track certifications efficiently and effectively. In addition, an effective certification process targets specific employee segments and develops a focused process for each segment to address high-risk areas.

Similar to certification, registry applications allow employees to initiate their own declarations or register certain personal events that might have ethical or compliance implications for the company. For example, an employee who buys stock in a client company might be required to register the action within a week of acquiring the stock.

Finally, leading companies are turning increasingly to technology, such as a “compliance dashboard” to integrate their applications and processes. A compliance dashboard provides executives with a comprehensive view of all compliance initiatives in real time by integrating data from disparate programs and tools. Tracking capabilities of the dashboard allow managers to confirm compliance certification levels as well as to detect less than satisfactory participation in compliance initiatives. In this way, a dashboard solution helps managers correlate data for new insights, helping them identify troublesome trends at the earliest stages and take corrective action as needed.

Respond quickly with corrective action.

When possible wrongdoing is detected, it is essential to respond quickly. This holds true whether information about a potential incident comes to light through the certification process, a confidential reporting mechanism such as a helpline or by accidental discovery.

An effective response requires companies have a set of guiding principles and protocols in place to manage reports of incidents consistently and timely. A swift and consistent response, no matter the severity of an incident, sends an unambiguous message that management places the highest emphasis on ethical behavior.

What makes an ethics and compliance program effective?

According to the revised Federal Sentencing Guidelines for Organizations (FSGO), it comes down to seven specific elements:

  1. Standards and procedures.

    Ranging from the code of conduct that highlights core ethical standards to specific internal controls for key risk areas, standards and procedures are the backbone of an effective program.

  2. Accountability at the top.

    The governing body must be “knowledgeable” about the program, designate a specific leader with overall responsibility and provide reasonable oversight of the program’s “implementation and effectiveness.”

  3. Care in delegation.

    Each company must use reasonable care to not grant substantial authority to people who have engaged in illegal activity or other conduct inconsistent with the program.

  4. Education and communication.

    Effective education programs and other communications of standards and procedures to employees, officers, directors and even, as appropriate, agents are essential for a successful program.

  5. Business processes.

    These processes include monitoring, auditing and periodically evaluating the program. A company must also provide a well-publicized system for employees and agents to report potential violations or to seek guidance without fear of retaliation. Such a reporting system usually includes anonymity and confidentiality.

  6. Personal accountability.

    Companies must provide discipline for violations and incentives for adherence to standards and procedures.

  7. Response to problems.

    A company must respond appropriately when criminal conduct is detected, including instituting measures to prevent similar occurrences.

Leading companies establish rules to quickly classify reports based on their nature – financial, personnel, environmental, etc. – and their potential seriousness. The allegations can then be routed to the right channel for investigation, whether this is to the audit committee, the risk and compliance team, human resources or outside counsel.

An effective incident management system also includes clear policies designed to protect the integrity of investigations, guard against retaliatory actions and document and report findings to all key stakeholders. In addition, companies must respond to ethics and compliance violators consistently, applying the same procedures and corrective actions to each individual, regardless of whether the allegations or findings of wrongdoing involve executive or staff-level employees. Corrective actions might range from something as simple as additional education to something far more serious, such as immediate termination for violating guidelines or laws.

Evaluate risks and continually improve process management.

The final phase of an integrated business process approach to compliance management focuses on measurement, benchmarking and evaluation of the prior phases. This phase effectively returns the loop to the definition phase, and thereby enables companies to make continual improvement in their risk management cycle.

In this phase, companies need performance measures to assess the effectiveness of their risk management efforts. The selection of specific measures depends on which goals are most critical to the success of individual programs, the ethics and compliance management process, and the business as a whole. For example, a company might gauge the effectiveness of its education program by measuring whether there is a reduction of related incidents.

Having chosen which performance measures to track, companies establish baseline measures to capture the current status of their programs and then use these baselines to provide comparative historical data to track. Companies can then benchmark qualitative and quantitative performance measures among their own business units – or chart progress against peer companies with recognized ethics and compliance programs – to set new goals for the future.

Many new technologies are now available to support this integrated approach to compliance and ethics management. Leading companies are increasingly using automated, comprehensive governance, risk and compliance tools integrated with an electronic management dashboard. Such tools provide a centralized capability for synthesizing data and evaluating the cultural health of the organization at any given time.

By following a business process approach and using technology, managers can arm themselves with the information they need to make better decisions, manage risks effectively and improve the overall performance of their compliance and ethics process.

 

 
 

APPEARANCES

Watch LRN CEO Dov Seidman discuss HOW on Charlie Rose »


Seidman tells BusinessWeek to out-behave, not outperform »


Good Morning America shares an excerpt from HOW »

December 9, 2008
Managing Ethics and Compliance During a Recession

A significant article by Pulitzer Prize winning author Thomas L. Friedman appeared in the New York Times and references the HOW philosophy as being more relevant than ever.

"Detecting Ethics & Compliance Risk: Clues to Strengthening Detection", ACC Docket, The Journal of the Association of Corporate Counsel

Ethics and Compliance: Are We There Yet?

Electronic Data Protection, Data Privacy are Top Business Risks

LRN Engages the Global Enterprise with New Online, Offline and Experiential Learning Offerings

BusinessWeek.com Debuts New HOW Column by LRN CEO Dov Seidman
© 2008 LRN | contact us toll free: 1 (866) 439-3071 | Terms and Conditions | Privacy Statement | Security | Site Map

Proper and ethical corporate governance is a high priority topic. With LRN's compliance program, your business can continue to adhere to the ever changing business code of ethics.

When dealing with compliance in corporate email, remember to focus on the ethical standards laid out by LRN, a leader in compliance management.

Constructing effective safety training courses is an integral task in developing a comprehensive regulatory compliance training program. For ease of mind, consider the safety training standards described by the innovators at LRN.