Note: I asked the Two Tough Cookies if they could put together a series of blog posts wrapping up the lessons they have seen, learned and written about in their Tales from the Crypt series. They graciously put together a series of posts on the seven elements of an effective compliance program, drawn from their 10 tales of Business Conduct. Today, Part I of a three-part series…
We’ve talked a lot in our Tales from the Crypt about the signs to watch for that indicate something’s gone wrong, from minor cultural twists to lapses of integrity that are tantamount to criminal activity. We all wish we had a crystal ball we could peer into to predict how various maneuvers will translate into the larger universe of corporate culture. One of the best tools to use to gauge the cultural baseline is an organizational ethics audit, reminding yourself that “what gets reported gets measured.”
Your first hurdle, of course, is getting executive leadership to support the initiative. If they don’t support it, then you have your first cultural indicator. After all, if you have nothing to hide, you have nothing to lose by peering under the covers, now do you? So let’s assume your leadership is supportive of developing, and/or sustaining, a “high integrity” organization. So what do you want to measure? The “seven elements of an effective compliance program” are a good start, but by no means exhaustive. After all, many organizations fulfill “ethics oversight” by having a CCO in title (usually the GC or CFO), but the day-to-day oversight and management of the program is led by staff members who are not empowered to work towards positive change. You know who you are; you know the daily frustration of knowing what should be done, and what leadership will allow. So while “oversight” is met, is it really “effective?”
So let’s remind ourselves of the seven elements once again:
1. Establish Policies, Procedures and Controls
2. Exercise Effective Compliance and Ethics Oversight
3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals
4. Communicate and Educate Employees on Compliance and Ethics Programs
5. Monitor and Audit Compliance and Ethics Programs for Effectiveness
6. Ensure Consistent Enforcement and Discipline of Violations
7. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents
How do these elements translate into an organizational ethics audit? And how do our 10 rules of business conduct in the workplace (from our “Tales from the Crypt” series) fit in? Let’s break it down into manageable chunks.
1. Establish Policies, Procedures and Controls
Under this “bucket” include your Code of Conduct, your Vision and Values statements for your organization, and the various policies and procedures you rely upon to get business done. What you want to know, when conducting your audit, is not just whether you have these, but:
- Does your Vision statement create an actionable description of the future? If so, what is it, and more importantly, do your people know it, and understand what role they play in achieving that future?
- Is “Integrity” one of your Values?
- What’s the purpose and focus of your Code of Conduct? What kind of tone does it set? Is it widely distributed, prominently displayed, easy to read? Does it have learning aids, and examples not only of wrongdoing, but of “right doing” behaviors? What expectation does it set? Is it universal, or have you caved to various constituencies and created multiple versions (not translations, but actual versions) to “meet the needs” of various cultures? If you have, then you are not setting a single standard that all can live by, and you will have people applying their own standard to their behaviors, not yours. Ethics should not be subject to interpretation, nor to external pressures such as Worker’s Councils, unions, or special interest groups.
- Are your policies relevant to your business, or did someone just borrow something from an HR toolkit to get you started? Do you have a formal non-retaliation policy (and not just a nod towards the concept in your Code of Conduct), and formal procedures to deter retaliation? The rules in this area need to be cut and dried to make people know you “have their back” when the you-know-what hits the fan. You want to encourage people to step up, and the only way you can do that is with a rock-solid approach to non-retaliation.
- Last, but not least, are your policies “uniformly enforced?” Much like the sentencing guidelines, organizations large and small alike should be dealing with transgressions with an even hand to truly have an ethical culture. People like boundaries; they like to know where the line in the sand is drawn. Trust me on this. So do you know exactly where your organization’s boundaries are? Or does the line move from incident to incident?
2. Exercise Effective Compliance and Ethics Oversight
As I mentioned before, many organizations have day-to-day oversight managed by staff, with a titular CECO residing with one of the executive leaders, like the GC or the CFO. Larger organizations have dedicated compliance officers who aren’t forced to wear multiple hats, and who truly have teams of dedicated compliance officials reporting up to their organization. This is particularly true in highly regulated industries, such as finance, insurance, healthcare, and food and drug manufacturing, where government oversight plays a large role in day-to-day business. It is fair to say that smaller organizations don’t need to have a dedicated compliance officer per se, but when you have a staff attorney, for instance, managing the day-to-day operations of your ethics and compliance program, you have put that person in a Catch-22. Period. You may want an attorney in that spot for attorney-client privilege, but if you do that, recognize that you’ve also handcuffed the person from being able to independently report wrongdoing if something goes drastically wrong, as they are duty bound to keep matters confidential, even within the business.
So you want to measure whether or not the person with day-to-day oversight has the freedom (or mechanisms) to raise concerns.
- If it’s a staff attorney, is the job description written so that when wearing the compliance hat, the attorney hat comes off? Tough to do, but possible.
- Are there layers of management between the day-to-day person who is managing the ethics and compliance program, and the person with the “title” CECO?
- Are there many people with “compliance” in their title, and do they work together, or independently? I have worked in organizations where “compliance” was part of several functions, but the right hand and the left hand weren’t speaking to each other. Trade Compliance reported to one division, Environmental Compliance reported to another division, Product Compliance reported to yet a third division, HIPAA Compliance to yet a fourth, and so on. None of these units worked together, some were staffed heavily, some staffed thinly, and the actual “head” of Integrity & Compliance was ineffective at convincing senior leadership that all compliance functions should at least be working towards the same goals in the organization. It all depended on the business leader at the top of the silo and whether or not they were effective in getting the support they needed to run their business. It also depended on whether the business unit was a profit center or a cost center, and if a cost center, where it reported up into the business: as a G&A expense, or as an administrative cost aligned with operations. Those that were part of operations were well funded; those reporting in on the administrative side as a pure cost center (including the “head”) were poorly resourced.
- Do you have an ethics steering committee or working group that represents all functions and business units, and is staffed by executive or senior leaders who are in a position to make decisions for the larger organization? This serves as a check and balance that is critical if the day-to-day oversight is led by a staffer. The staffer can build consensus with a larger group that has a vested interest in the outcome by holding those critical “meetings before the meeting” to test-run proposals and receive important feedback on how to effectively present a proposal to the team to ensure acceptance and success. The staffer can also go to a trusted member of the committee who can serve as a sounding board if he or she feels that the CECO is not receptive to hearing concerns. Hopefully, that is.
Tomorrow, elements 3-7.
Who are the Two Tough Cookies?
Tough Cookie 1 has spent more than half of her 20+ year legal career working in the Integrity and Compliance field, and has been the architect of award-winning and effective ethics and compliance programs at both publicly traded and privately held companies. Tough Cookie 2 is a Certified Internal Auditor and CPA who has faced ethical and compliance challenges in a variety of industries and geographies and recently led a global internal audit team. Their series “Tales from the Crypt: Tough Choices for Tough Cookies” is drawn largely from real-life experiences on the front line of working in Integrity & Compliance, and personal details have been scrubbed to protect, well, you know, just about everyone…
This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors, their affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Authors give their permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the authors.