The Ethics and Compliance Initiative has released a report of its blue ribbon panel on the Principles and Practices of High-Quality Ethics & Compliance Programs, designed to provide practical guidance for companies that want to establish high-quality programs – effective programs that involve more than just “check-the-box” E&C efforts, but rather make E&C “central to their business strategy.” According to the report, effective programs have been shown to reduce misconduct by as much as 66% and to increase reporting of wrongdoing to management by 88%. But these outcomes are highly dependent on the quality of “program implementation and ongoing commitment” of management. For companies that are serious about implementing E&C programs, the report is definitely worth a look.
Although programs vary, according to the report, the fundamental purposes of these programs are basically the same:
- “Ensure and sustain integrity in the organization’s performance and its reputation as a responsible business;
- Reduce the risk of wrongdoing by parties employed by or aligned with the organization;
- Increase the likelihood that, when it occurs, wrongdoing will be made known to management within the organization;
- Increase the likelihood that the organization will responsibly handle suspected and substantiated wrongdoing; and
- Mitigate penalties imposed by regulatory and governmental authorities for violations, if they occur.”
These programs seek to achieve their goals by assessing and abating the company’s legal, ethics and other compliance risks and establishing and perpetuating “an organizational culture that prizes ethical decision-making and the raising of concerns without fear of retaliation.” These cultures also hold themselves accountable for prompt action when misconduct occurs and document, measure, evaluate and consistently improve the strategies that they implement. Historically, the standards for E&C programs have been defined by organizations such as the U.S. Sentencing Commission and the Organization for Economic Co-operation and Development (OECD).The report argues that these frameworks, although important, articulate only the minimum standard. Instead, the report articulates “the principles and key practices that are common to high-quality ethics and compliance programs (HQPs) in order to offer actionable ideas that other organizations can adopt.”
The report identifies five principles and a variety of objectives that characterize high-quality programs:
- Principle 1: Ethics and compliance is central to business strategy.“Leaders and E&C personnel partner to ensure that ethics and compliance is an integrated and essential element in the successful operation of the organization and in its message and actions externally.”
- Principle 2: Ethics and compliance risks are identified, owned, managed and mitigated. “Risk assessment is a foundational activity that involves and leverages every employee in early understanding and mitigation of risk and E&C programs have an important role to play in those efforts.”
- Principle 3: Leaders at all levels across the organization build and sustain a culture of integrity, “a daily habit and expectation of openness. Leaders walk the talk of integrity as a value and the organization consciously builds the capacity and confidence of every employee to speak up when something does not seem right.”
- Principle 4: The organization encourages, protects, and values the reporting of concerns and suspected wrongdoing. “The organization’s processes and actions are designed to demonstrate to employees that reporting is valued and to ensure retaliation for reporting is detected, punished and prevented going forward, so chilling effects are mitigated.”
- Principle 5: The organization takes action and holds itself accountable when wrongdoing occurs. “The organization handles wrongdoing in alignment with its values by responsible, timely and thorough action that transparently deals with those responsible and focuses on prevention going forward.”
Generally, the report indicates that, in HQPs, E&C is both a separate function and an essential element within every other operation, responsible for compliance by serving as a resource and advocate for leaders across the company to help them understand their role in setting the standard for integrity. In addition, E&C is given the resources and access to leadership necessary to ensure proper integration and an independent voice, including regular access to the board or audit committee and participation in key strategic decisions. While organizational values are primary, the risk assessment process is foundational, providing a critical early warning system for current and emerging risks.
The process must identify, prioritize and mitigate risk consistently, including at third-party agents, vendors and acquisitions. When potential risks, such as compliance failures or employee fear of reporting, are identified, HQPs reach out on a targeted basis to attempt to prevent them from materializing and to respond to any that occur. The process requires that leaders take ownership for the ongoing identification and mitigation of relevant risks, with support from the HQP.
In addition, HQPs recognize that culture is the largest influencer of business conduct and that leaders are “the primary drivers of that culture.” As a result, in HQPs, leaders are committed to making ethical conduct central to the organization, and managers and supervisors understand those values, are given support to act, and held accountable for acting, in alignment with those values.
All employees are trained to understand the “importance of acting in accord with shared values, seeking help and speaking up.” Fear, reluctance or inability of employees to relay suspicions of wrongdoing to management might be the greatest E&C risk. Accordingly, HQPs focus on establishing an environment where issues can be raised before they materialize into misconduct. HQPs also train supervisors to respond appropriately, if employees do raise concerns, to avoid creating a culture of intimidation, to treat all reporting employees fairly (to prevent a chilling effect) and to avoid retaliation, including monitoring and punishment for violators.
Because of the importance of accountability, when misconduct does occur or is alleged, organizations with HQPs conduct timely, neutral, thorough, competent and consistent investigations. In the event an actual violation is found, “the organization responds with appropriate consequences, regardless of the level of violator. The organization maximizes learning from every substantiated case, including conducting root-cause analysis, and it acknowledges issues to employees in order to reinforce the message that integrity matters.” HQPs perform regular testing of crisis management and response protocols and, where appropriate, disclose issues to and cooperate with regulatory and governmental authorities.
At 60 pages, the report and its instructive appendix delve into substantial detail regarding all of these principles, providing examples of best practices that support the E&C objective. In addition, the appendix provides practical examples of how various HQPs implemented the practice and identifies common pitfalls to avoid.
For example, under Principle 3, one of the supporting objectives is that leaders are expected and incentivized to personally act with integrity and are held accountable if they do not. Below are the leading practices implementing that objective identified in the report:
Leaders at all levels model integrity by:
- Talking about the importance of ethical conduct and referencing organizational values as a framework for their decisions;
- Exemplifying the conduct they expect of their employees; and
- Holding subordinates accountable for ethical behavior.
Leaders’ behaviors (as above) are a significant consideration in employment and promotion decisions.
No “waivers” of integrity standards are given to more senior personnel.
E&C performance affects compensation, advancement and retention of all employees.
A high-level committee reviews significant matters and cases involving senior leaders to ensure neutral investigation and consistency in consequences.”
In addition, the appendix identifies these illustrations of how the practices were implemented and potential pitfalls:
“Examples from HQPs:
The CEO of a global multinational regularly discusses integrity and compliance at meetings of the top leaders of the organization, specifically discussing expectations and making clear that, at this level, failures related to integrity will result in This discussion is mirrored in subsequent individual meetings with business unit leaders and their teams and ethical failures are discussed and reported in routine business performance discussions throughout the year.
In one conglomerate, performance metrics for all senior executives and managers include talking about the importance of ethics; modeling ethical conduct; holding employees accountable to the organization’s standards; and providing support for the E&C function. Compensation for these leaders and managers is affected by sub-standard evaluation on these E&C areas.
In one publicly traded organization, an E&C steering committee convenes regularly to provide guidance to the E&C program. When issues arise involving senior leaders, the issue is reviewed by the steering committee, to ensure that appropriate action is taken.”
“Common Pitfalls to Avoid:
Executives speak about ethics but are not visible in E&C awareness activities. Their actions do not mirror their words.
Leadership tolerates ethical misconduct in “big producers.”
Succession and promotion decisions do not take into account unfavorable ethics and compliance track records.
Performance metrics for leaders do not include any expectations for ethical conduct, or responsibility for the E&C effort.”
Similarly, under Principle 4, a supporting objective is that leaders create an environment where employees are prepared and empowered to raise concerns, and resources are provided to support employees in ethical decision-making. The report identifies the following as leading practices, examples of implementation and pitfalls:
- Questions from employees are solicited and listened to; raising difficult issues is expected and recognized as excellent performance.
- Employees are made aware of available resources to support their speaking up. Awareness training addresses making ethical decisions in alignment with shared organizational values; seeking guidance; and the process that takes place when a report is made.
- Employees are aware of the organization’s policy on “no retaliation.”
- Leaders are skilled at responding well to issues raised by employees, and their employee feedback measures and case resolutions demonstrate this. Leaders are required to complete training and have easy access to guidance on responding to issues raised by employees consistently and fairly and creating a speak-up culture.
- Leaders’ performance in creating a speak-up culture is measured and managed.
- Leaders speak regularly with employees about – and formally recognize the value of – raising issues.
- Courage in raising concerns is broadly and publicly recognized and individually rewarded in employee performance reviews.”
“Examples from HQPs:
- An organization in the energy sector invests in a robust employee concerns program (ECP), which focuses on providing employees avenues by which they can raise issues and be treated consistently and fairly by the organization. Among its tasks, the ECP provides resources to managers to help them encourage the raising of concerns.
- A mid-sized company in the utilities industry has developed an ombuds program, designating individuals throughout the organization who serve as resources to employees who have issues to raise.
- A defense firm provides its managers special training on building employees’ capacity and willingness to speak up. Managers reflect on their own history with speaking up and discuss when speaking up was easy and why, and when it was difficult and why. The training also addresses effective ways to respond to employees when they come forward to report suspected violations.
- A number of organizations ensure ethics and compliance awareness training is led by leaders with their teams. Training is scenario-based, tailored to their organizations and permits employee interaction and discussion about the material. When leaders facilitate, they demonstrate their commitment to the activity and learn firsthand how employees view situations and what questions come up.”
“Common Pitfalls to Avoid:
Leaders do not recognize their responsibility for the creation of an environment where concerns can be raised. They are, therefore, ill-equipped to encourage employee reporting. The organization is silent on the process that takes place when employees raise suspected violations. No communication takes place around the organization’s intolerance for retaliation against employees who raise When employees come forward to report wrongdoing, they are not treated respectfully and are isolated or in some other way ostracized for coming forward.
E&C training is exclusively online with little assessment of effectiveness or leader involvement in dissemination.
Employee survey data indicating a fear of reporting or lack of trust in supervisors is not addressed.
Individuals who come forward to report are viewed as problem employees, rather than being treated with respect and rewarded for demonstrating
Human resources or other support functions are disconnected or misaligned with respect to ensuring reporting and preventing retaliation and may be perceived as untrustworthy in handling retaliation claims.”
The report concludes that, although E&C programs do not appear to directly affect the bottom line, companies that take a “broader and deeper view” also see “effective and transformational results,” not just in reducing wrongdoing, but also in energized the company and generating “trust, collaboration and pride that comes daily – even when no one is watching – because enterprise-wide stakeholders are doing the right thing.”