This autumn, I moderated two roundtables—one in Stockholm and one in Geneva—on the challenges of creating a speak-up culture. With nearly two dozen senior ethics and compliance professionals in attendance, it made for a very interesting dialogue, shedding light on the challenges that employers are facing in the E.U. and across the globe.
Below are a few of the most frequently-discussed challenges from the roundtables, along with some recommendations on tackling them.
1) What’s the Best Way to Launch a Compliance Programme in the E.U.?
There is no one “best” way to launch a compliance programme. The best programmes are built after a thorough risk assessment, and developed in the context of each organisation’s unique risks and culture.
The best programmes are also as comprehensive as possible. Starting with a foundation of a code of conduct, organizations should put policies in place that are up-to-date and have clearly defined rules and procedures, and secure attestation from all stakeholders. Compliance training should follow to ensure sufficient comprehension and ongoing compliance. Awareness materials, such as posters in break rooms or wallet cards, also help to reinforce key compliance messages. Communicating compliance messages in a variety of ways is key to making sure the message spreads across the organisation.
It’s often helpful to outline all of your communication plans into a roadmap that is spread out over a few years and broken up into quarters. However, if you put a compliance programme plan down on paper and agree to it, make sure you have the time and resources to follow through. Inaction on your plans will not be viewed favourably by a regulatory body.
2) How Can We Foster a More Open and Transparent “Speak-Up” Culture?
It is incredibly difficult to build an open culture of trust where one never existed—or worse, where a negative culture is entrenched. All leaders will say will say that misconduct is unacceptable at their organisation, full stop. But saying it is not enough, organisations—particularly senior leaders and middle managers—must walk the talk to shift both the culture and perceptions.
One key to begin shifting a corporate culture is to talk openly and consistently about your ethics and compliance programmes. One powerful way to achieve this is by using company newsletters or team meetings to talk about anonymised versions of investigations, which demonstrates to employees that reports are not only welcome, but that they will be thoroughly and rigorously addressed.
When it comes to culture change, I am reminded of the Forth Bridge in Scotland. The bridge is so long that it takes a year to paint—so long that when they are finished painting they have to start all over again. This is like compliance programmes—it’s a constant effort to turn talk into action, and can sometimes feel laborious, but it makes the difference between saying you have a culture of ethics and integrity and living it.
3) Do We Need to Localise Compliance Programmes?
The answer is absolutely yes. Connect with leaders in your organisation’s various regions to figure out how components of a compliance programme or rollout need to be localised. Many organisations give leaders each region a compliance toolkit with posters and other awareness materials, processes, procedures and policies, and training materials and let them mould it to meet their regional needs.
When localising roll-outs, it’s important that corporate compliance controls the message tightly. Doing periodic checks when traveling on site and/or conducting regular risk assessments are great ways to ensure the programme is being properly implemented. Consistency of a compliance programme across an organisation is important for legal defensibility.
4) How Can We Ensure We Are Getting as Many Substantiated Reports as Possible?
Roundtable participants noted that that a lot of reports they receive are actually HR-related matters (such as frustration with bosses, complaints over holiday time etc.). However, these reports are actually a is a good indication that employees feel comfortable reporting. An incident management system is a great way to route reports to the right department and let them address accordingly, leaving compliance teams to focus on the reports pertaining to them.
It’s also important to encourage employees to report to their managers, HR, legal or compliance directly. Hotlines should be seen as a last resort for those who don’t feel comfortable reporting face-to-face. Having clear policies, communications and processes in place will help to ensure that you get the highest number of substantiated reports coming through the system.
5) How Can We Measure Compliance Programme Effectiveness?
Measuring compliance programme effectiveness can be a significant challenge. To truly gauge effectiveness and perception of programmes internally, on key tool is an annual or bi-annual anonymous employee engagement survey. In this kind of survey, you can ask the hard questions such as, “Are you afraid of retaliation?” and, “Do you believe that incident reports will be acted on?” The results of this kind of survey are measurable and can show trends over time.
Further, there is a lot of hard data you can glean for your programmes if you have an incident management platform that captures the data coming in from reports. You can also use report forms that managers and others can use to document reports made to them directly, in-person. These can filter directly into an incident management platform the same way whistleblower hotline reports do. This will give a more complete picture of all reports, and get at some great analytics that can demonstrate programme effectiveness to the board, such as:
- Case resolution time
- Categories of reports
- Where reports came from (region, business unit, internal vs. external)
- How an issue was reported
Remember, despite the challenges in creating a speak-up culture, the greatest risk mitigation asset to any organisation is early knowledge and early detection of potential problems. Ethics and compliance hotline data that is carefully tracked, reviewed, benchmarked is worth its weight in gold when it comes to compliance visibility and legal defensibility.