Ready-Made Memos are topical best practice messages that are ready to be shared with your team when you want them and when you need them.
Choose from the topics below. Expand content using the arrows on the right. And copy and paste the messages into your internal newsletter and messaging to keep compliance top of mind with your managers and strengthen your organizational culture.
Copy-and-paste compliance communications for your company
You may have heard the term “tone in the middle” and its importance in creating a culture of integrity. But why is it important? And what exactly does a middle manager, squeezed between the frontline and the top tier, need to do to create the right tone?
Why It’s Important
Employees take their cues from you. If something is a priority to you, it’s a priority to them. As their leader, employees look at your attitudes and actions to answer the questions, “What’s really important around here?” and “How do we really do things in this organization?” The way the workforce thinks, behaves and works is the very definition of corporate culture. And your behavior is a key factor in shaping the culture.
Intentionally building a culture that has a reputation for ethics and integrity is hugely important for many reasons. But one of the most compelling is that research has shown that ethical companies are more financially successful than others. In the recent Institute of Business Ethics report “Does Business Ethics Pay?” research revealed that ethical companies succeed due to higher productivity, more loyalty from customers and investors, the ability to attract and keep the best employees, and increased trust and improved collaboration with business partners.
What You Can Do to Create the Right Tone
While building an ethical organizational culture may feel like an enormous responsibility, it is a natural outcome of good management. It is also a primary goal of an effective ethics and compliance program, in which you already play a part. There are several things you can do to set the right tone and actively support the compliance program:
As a manager, you play a pivotal role in building and sustaining our culture of integrity. Part of that role is supporting our ethics and compliance program. The outcome of your efforts will be a happier and more productive workforce and the increased economic success of our organization.
We expect employees to disclose conflicts of interest (COI) if and when they occur. This requires employee to know how to disclose and, more importantly, what to disclose. Whether it’s showcased as a dedicated policy or mentioned in the code of conduct, organizations often use a prescribed method for helping employees identify potential conflicts. Because so many fringe interests exist, many circumstances can surface where a policy provides little guidance for nuanced conflicts – making them difficult to manage. By including COI as a component of the larger compliance program, we can more effectively manage and minimize COI risk.
Let’s take a look at what the best compliance programs do to manage COI risk.
Conflict of Interest Risk Assessment
Start by assessing the overall COI risk experienced by the organization, specific departments and even individual functions. Most well-known risk areas naturally receive prioritized attention, so it’s important to get creative.
Think about circumstances involving monetary relationships that involve customers, competitors and suppliers – but also those that involve family employment issues. Assess the more common risk areas first, but ensure you are uncovering unknown risk areas, too. The goal of conducting a COI risk assessment is to gain a better understanding of who, what, where, when and why to create a tailored approach to both known and potential COI risks.
After carefully assessing risk areas, use this information to start designing risk prevention policies and procedures. Highlight the areas of the organization that are most vulnerable, with the most realistic risks, to best adjust a program and maintain its overall success over time.
Although this could be a stand-alone project, it doesn’t have to be. Try integrating the COI risk assessment as part of an overall compliance program assessment.
Conflict of Interest Policies & Procedures
Next, review all existing policies to ensure foundational support for COI inside the compliance program. Policies such as the code of conduct and the COI policy itself are good places to start. Note that the more complex an organization’s COI risk is, the more a standalone COI policy can be helpful. Typically, however, a section in the code of conduct is sufficient.
Once the policies and procedures reflect updated information, implement a disclosure process for employees to speak up in the event they identify potential conflict. The previous step – the risk assessment - will be helpful in uncovering high risk areas to implement a voluntary disclosure process. Sometimes, all employees should be given the opportunity to surface potential COIs, other times it may be more appropriate to only administer the disclosure to certain employees, departments or general risk profiles. It is good practice to administer these annually.
Compliance Training on Conflicts of Interest
After exploring risk profiles, policy specific language and disclose processes – it is critical to have a clear communication strategy to set employee expectations. Tailor training to specific job functions using the findings from the risk assessment. Low-risk employees should be given general code of conduct training, while higher-risk employees should receive in-depth, in-person training on COI. All managers should be trained on how to best handle situations where a disclosure is made directly to them. Providing employees with training using a risk-based approach helps make the training more valuable and increases the level of engagement by the learner. All this is done by providing relevant information to the right employees.
Automate Conflict of Interest Disclosure
While manual processes are a good start, automation saves companies time and money – all while improving efficiency. Using software to automate policy workflows, approval processes, voluntary disclosures and employee training can greatly benefit organizations. It provides robust tracking abilities that allow leadership to keep policies and attestations well-organized, keep policies up-to-date, all while effortlessly providing a tailored training experience to various departments and specific job functions. Overall, automation makes the effort toward building an effective COI program easier.
Audit & Improve
Continually assess and monitor COI program success. Regularly audit the program and ensure higher-risk areas are being continually monitored. Determining rate of assessment and other specific considerations should rely heavily on findings uncovered during the initial risk assessment.
COIs can surface anywhere regardless of industry, employee rank or functional expertise. Compliance must take a thoughtful, risk-based approach to management and build a proactive program that aims to minimize risks – both known and unknown. By following a thorough process for developing, disseminating and evaluating COI efforts, organizations will be better equipped to identify potential conflicts and have supporting internal controls in place when those efforts fall short.
Every employee should feel encouraged by their organization to raise workplace concerns using internal reporting channels, especially when instances of retaliation surface. Unfortunately, many organizations fall short when it comes to encouraging reports of retaliation. Managers and leadership alike own the responsibility to prevent retaliation and ensure that if, and when, it does occur, that employees feel safe notifying the organization and trust the issue will be responded to appropriately. Any underlying fear of retaliation ultimately undercuts processes supporting internal reports and severely limits compliance programs.
Let’s briefly review the current legal landscape of retaliation, and then discuss how you can help encourage reports of retaliation while discouraging retaliatory behavior.
Retaliation against employees who raise workplace concerns is not only illegal, it’s bad for business. It further enhances the external incentives employees have to skip internal reporting channels and go straight to regulators. The most recent example of this was the 2018 ruling by the U.S. Supreme Court that the Dodd-Frank’s anti-retaliation provision, does not apply to individuals who do not first report violations directly to the Securities and Exchange Commission (SEC).
Even with these incentives to report externally, time and time again, research shows that employees much prefer to report an issue to their immediate supervisor than to take it up the management chain or outside the organization. Agencies also report that employees often try to raise concerns internally before going to regulators. So even though employees are encouraged to report retaliation directly to regulators, organizations can reduce this legal risk by showing a commitment to retaliation prevention and effective correction.
Follow these key steps to empower employees and prevent retaliation:
Diversity and inclusion are highly discussed terms that are often used interchangeably. However, how those terms manifest in the workplace can be experienced very differently by employees. This becomes clearer when we apply accurate definitions for each.
According to Gallup, “Diversity represents the full spectrum of human demographic differences.” A number of these can been seen in the EEOC’s list of protected classes. Inclusion on the other hand refers to “a cultural and environmental feeling of belonging.” There is not a clean cut list for these feelings, which is why inclusion is often excluded from the conversation. That needs to change, especially if organizations hope to achieve the performance and engagement benefits that inclusive workforces promote.
It’s important to understand that diversity and inclusion are distinct concepts that require distinct efforts to achieve. Interestingly though, they are also, in many ways, dependent on one another. So how can we be successful in sharpening our focus on both components? And just as importantly, how can we accurately measure our efforts and overall success in these cultural areas?
The following three steps showcase how to build an inclusively diverse organization.
Step 1: Assess the Existing Level of Inclusion
Organizations, specifically managers and those in leadership roles, need to adapt to the behaviors and practices of others. This prevents us from developing strategies in a bubble. Being understood and appreciated by others helps employees feel integrated in the organization – like they have a voice and are connected to the greater business. Understanding employee’s subjective experience with inclusion is key.
Get to the root by asking the following questions about your workforce:
Take this further by including questions in your annual or semi-annual employee survey that drive at this sentiment. Research from Deloitte associates inclusive cultures with values like “fairness and respect; and value and belonging.” Tailor your questions to dig into these areas.
Step 2: Acknowledge Gaps & Drive Improvement
After hearing from employees, carefully review and internalize the feedback. Then identify areas for improvement. As an example, if you received low survey results, that shows that employees might not feel comfortable sharing their thoughts with the company. What are you going to do about it? The key is doing something. Inclusive cultures require action – that is how employees know their input and values have been acknowledged and included.
Step 3: Measuring Your Success
Understanding an individual employee’s perception of inclusivity and overall phycological safety can be difficult to accurately measure. Tangible, physical characteristics such as gender, race and personality type can be observed and accounted for when measuring diversity – not so much with inclusion.
This requires some ingenuity. Think back to the survey questions discussed in step one. These will give you some measure on the current state of inclusion in your workplace. By tracking these results over time, as well as cross referencing results with major work events (mergers, trainings, parties, etc.,) you can get a sense of which efforts are making an impact on the employee perspective. This will provide a working gauge of whether you’re moving in the right direction.
When it comes to owning compliance responsibility, it’s clear that the compliance department cannot be responsible for all compliance concerns. In the same sense, corporate civility and integrity cannot be wholly owned by an organization’s management. Here are several ways you can help encourage employees to take ownership of workplace integrity and amplify your ability to foster a civil work environment.
Acknowledge & Live into Core Values
While there are many critical components of a successful E&C program, building a culture that reinforces an organization’s core values requires more than just some online training, a code of conduct and some legal input. Leadership, from the board of directors down, must be committed to building and enforcing an effective E&C program.
Instructing employees to “just do the right thing” does not go far enough. Corporate culture is created through the expression of actions, symbols, words, stories and values at all levels of the organization. This requires everyone in leadership, from the c-suite down to the frontline managers, to be walking examples of your core values. Policy, procedures, investigations, and response to corporate misconduct, all need to reinforce these values as well. As soon as employees see conflict between values and actions, culture is threatened.
Provide Integrity Training to Managers
Setting the right tone and culture within an organization is not just the responsibility of senior management. Frontline managers – often a firm's go-to individuals – have a key role to play in becoming a part of the organization’s DNA. Unfortunately, managers often lack the required training to effectively manage pressure, communicate clear expectations or even respond appropriately to employee concerns. Managers need to be trained on how to have those hard, yet critical conversations with those they manage. They must also be aware of their own personal ethics and be aware of how those ethics are interpreted by other employees.
Evaluate Leadership’s Commitment to Core Values
Imagine stepping into one of your employee’s shoes, specifically one who has a very high ethical standard. Then imagine seeing a manager in the organization get away with some form of misconduct such as bullying, dishonesty or harassment. Imagine the resentment that would start to grow. Especially after they were just trained on leading with integrity. Managers, just as much as employees, need to be held accountable for upholding corporate core values. This is best achieved through 360-degree reviews in which employees evaluate how their managers are living into core values. Incorporating the ability for anonymous reviews from subordinates is key for honesty and accuracy of evaluations.
Blend Your Code of Conduct & Core Values
A code of conduct is not just a powerful tool, it is a corporation’s constitution. It should be designed to set the tone for the organization’s culture and provide a platform for every other policy to stand on. It not only informs everyone in the organization about how business should be done, but also sets an expectation for how employees will conduct themselves. In a way, it’s the most important policy. It should convey core values such as integrity, civility, respect and any other values that the organization firmly believes in. It should also communicate the weight the organization puts on these values including hiring and firing based on its values. Regularly reviewing the code can help ensure that core values are always top-of-mind for both managers and employees.
Promote Civility & Be Present
What used to be commonly held and cherished interactions are now being threatened by dependency on nonessential technology. We’ve entered an era where we check our phones before meetings instead of exchanging pleasantries with colleagues. Sending instant messages to coworkers is now easier than walking to their desk. And we find it more convenient to send an email instead of making a phone call and having a verbal conversation. Largely, we now see coworkers as part of the corporate architecture rather than as human beings who share a world outside of the office walls. In our effort to re-humanize business, people will again begin to see themselves as responsible for values like civility, integrity and respect and the cost to the workplace will begin to flatline.
According to groundbreaking research on the ROI of whistleblower hotlines by Kyle Welch, supported by George Washington University and the University of Utah, we now have quantifiable evidence that more internal reports create real business value for organizations. If you have not familiarized yourself with the data, you can download NAVEX Global’s summary of the key findings to get up to speed.
In general, the research shows that hotline reporting activity and return on assets are always positively correlated. Simply put, the more hotline activity, the greater the ROA.
To get the full ROA of whistleblower hotlines, we first need to ensure we get the raw material incident management programs run on – employee reports. And before we consider the report, we must consider the employee. Do they have the necessary trust in the organization, comfort in their immediate environment, and proper understanding of the incident management process to actually make a report? Creating a workplace culture where you can honestly answer “yes” to each of those questions is key to getting the significant value whistleblower hotlines can have for the organization.
Steps to Create a Speak-up Culture
When it comes to speaking up, there are two main reasons employees do not report. First, they believe that nothing will be done about the issue. This is either because management sees reports as an attack on the organization or, just as harmful, management is apathetic to employee concerns. Second, employees fear retaliation. The possibility of personal or financial retribution for reporting their concerns will effectively remove internal reporting as an option for employees. To overcome these two nonstarters, organizations need to put special care into learning how to listen and understanding what motivates whistleblowers.
There is a difference between employees who know how to report an incident and those who do report an incident. The difference is the trust they have in their organization and leadership. This put the onus of driving a speak-up culture directly on organizational management, not the employee.
Think of it this way. Internal reporting is a three-part process that starts and ends with management.
Step 1: The tone from the top has to create a safe environment in which employees feel comfortable and encouraged to report issues. This tone from the top should ensure employees know that the organization sees them as part of the solution, not part of the problem.
Step 2: Employees report concerns through appropriate channels.
Step 3: Management, supported by its compliance and HR teams, take action to investigate reports, follow up with employees, and resolve cases in a timely manner.
If step one or three fail, so will step two.
Understand What Motivates Employees to Report
Awareness: To be comfortable in their reporting, employees need to be confident in their understanding of what is and is not an issue. This starts with a clear and well-distributed code of conduct that identifies behaviors that are not tolerated. This is reinforced through corporate policies and procedures that further outline issues that need to be identified. Finally, all these written standards need to come to life through effective compliance training.
Empowerment: If employees have the courage to raise their voice, they need to be assured that their action will trigger corporate action to resolve the issue. They also want to see that their ethical conduct is rewarded, or at the very least not punished. “Rewarded” does not have to have a monetary connotation, but simply needs to make the employee know that their efforts are appreciated.
Safety: A sense of safety is the opposite of a fear of retaliation. If retaliation is even in the back of an employee’s mind, reporting will be far from it. Organizations need to over compensate for this by creating environments in which employees feel as safe as possible. General awareness efforts stated above are key, but safety is further reinforces by the cues (intended and unintended) that they get from their direct managers. Managers at all levels of the organization need to be properly trained on how to be drivers of their corporate speak-up cultures as well as how to handle reports when they receive them directly from employees.
Like compliance professionals have been saying for years, hotlines are the canaries in the coalmine that let organizations know of issues before they become major problems. To get the most value out of those hotline and incident management programs, we need to make sure our employees know they are the most important part of that process.
It is critical to understand why managing third-party risk isn’t just about staying out of trouble – it’s about maximizing the return on investment while strategically applying the cost of due diligence. Taking the time to thoughtfully select our business partners will provide us the greatest benefits for our organization. Coupled with a strategic approach to our vendor selection process, we will not only be able to minimize our initial investment in due-diligence, but also maximize the overall business value generated by our risk management program.
Maximizing the ROI: Establishing Fruitful, Long-Term Relationships
Proper due diligence is key to successful third-party risk management, but also simply for building successful third-party relationships. Developing these relationships is costly. Those costs turn into losses rather than investments when relationships fall through or prove to be unfruitful for any number of reasons. Preventing a compliance failure is only part of the equation. The business case should include revenue associated with third parties, the cost of those partnerships, and the advantages of establishing long-term relationships with trusted partners. Proper due diligence with our third-party risk management should create real value for the organization outside contingency plan for potential litigation.
Minimizing Investment: Stratification, Context & Information Management
Third-party risk management has evolved beyond just identifying red flags. Mature programs not only know how to surface green and yellow flags, but they also know how to do so with economy. This prioritization of risk enables programs to apply resources and man-hours appropriately to the due diligence process.
Economical risk managers are astute information managers. Compliance programs are achieving this by properly identifying sources for risk intelligence, vetting results and filtering that intelligence through unique organizational risk profiles. This ability to risk-rank each third party is called stratification, which employs contextual cues to focus risk mitigation efforts on key areas of interest. This maximizes impact by minimizing noise, which is key to logical, risk-based decision making. This is also one of the ways third-party risk management programs maximize their ROI, by accurately allocating their investment of time and resources.
Programs can begin stratifying their risk by understanding three major risk management components:
1. Known Risks
Our known risks are defined by regulatory bumpers such as the Foreign Corrupt Practices Act (FCPA) or Transparency International’s Corruption Perception Index. Looking at the FCPA Guide, the known risk will be colored by geography, type, contract value, and relationship with governmental agencies.
2. Business Justification
These risks need to be measured alongside our organization’s original business justification for working with a third party. Some questions will begin to surface such as: Do these regulatory standards apply to the scope and complexity of our third-party engagement? If so, can the engagement be modified to address the potential risk? Determining the answers to these questions is why we need to go beyond the traditional red flag.
3. Reputation Screening
Finally, we need to source the right information from reputational screening. This includes adverse media, sanctions and politically exposed person (PEP) lists. This is one of the more trying aspects in the decision-making process. Finding reliable information among large volumes of potential sources is the top challenge for many due-diligence programs.
Any single component of our third-party risk management program viewed in isolation does not provide enough clarity for decision making. Viewed together, however, they enable us to score third parties and position each accurately in the organization’s risk hierarchy, as well as capture the greatest benefits from each partner engagement. Whether you call it stratification, context or information management, this is how programs shrewdly maximize their return by applying appropriate levels of due diligence to the partners they work with.
With trust in institutions at an all-time low, compliance programs and their organizations have an uphill battle to rebuild credibility with their stakeholders in the event of a compliance failure. Consider these steps when you have to prove your organization is not defined by an unfortunate misstep.
Create a Public Relations Strategy for Employees
After a compliance failure, the organization needs to make systemic changes that ensure the failure does not happen again. Just as important, however, is making the organization aware of those systemic changes. These efforts need to be sincere; they need to show acknowledgement of the incident; and they need to convince employees and customers that the organization is going above and beyond to rectify the situation.
One way – although a hard way – is to make resolutions to substantial missteps highly visible to your internal base. When a senior leader is caught up in a scandal and the issue is swept under the rug – or even appears to be – employees grow cynical. These high-level cases will have the most impact on employee perception and are the ones they will watch most closely for indication of what the organization truly believes. Whenever your organization is digging out from a compliance failure, try to publicize (when possible) the steps it is taking for resolution.
Rally the Right People
Your PR strategy has to go beyond the compliance and executive team. In his book, The Tipping Point, Malcom Gladwell identifies a group of people called “connectors.” These are the individuals who effectively influence large numbers of people organically. A lot of times, these are your directors and senior managers, but not always. These are the people at your organization who are simply better at communicating their ideas and beliefs than others. These are the folks you need to get on board to understand and evangelize the systemic changes taking place at your organization.
Develop Focus Groups
Making business changes at an organization can be done in a boardroom. Making culture changes requires getting all the individuals in the organization invested. The best way to do this is making people feel like part of the solution – as they should be. Going beyond the employee survey is helpful here. Small in-person or virtual focus groups will give employees a chance to voice their support or concern for the corporate changes on the table. Furthermore, as being part of the group that has worked on developing the changes, your focus group members will be part of your internal influencers reinforcing the validity of the changes.
Focus on the Problem not the Channel
In our social media age, many compliance failures are aired out over the social media channels of both employees and customers. Sometimes the company may not even learn about an issue until finding it on social media. The key here is to not be distracted by the technology that is propagating the issue, but instead stay completely focused on the issue itself. Responding to issues found on social media with more stringent policies for social media use tells employees that you don’t really care about solving the issue, you just care about making it go away. The optimal solution would be to follow the previous three steps in such a way that employees start to share the good work that your company is doing on their social media channels. That is how you rebuild your reputation.
Bob Corlett, President and Founder of Staffing Advisors and HRExaminer Editorial Advisory Board Member may have said it best: “Bad online reviews are not an online problem. They are a real life problem. If you own a restaurant, the solution to your bad restaurant reviews is not found online – you solve it in the kitchen.”
An outstanding board engagement strategy can help ethics and compliance professionals build credibility with their boards and gain significant program support. Conversely, board strategies that are not finely tuned can unintentionally downplay or even undermine an ethics and compliance program’s effectiveness – no matter how successful the program truly is.
Becoming a strategic business partner to the board requires making the most of each engagement. Avoid the mistakes below to help your department get the most from its top executives.
1. Not Making Sense of Culture
“Culture” is one of the squishy terms we use that can represent a number of different things, even to those who work in compliance. It nonetheless has a tremendous impact on the goals of the larger organization and needs to be made a priority for the board. Therefore, the compliance officer has to not only tout the importance of culture, but also explain why it’s important. One way is to ensure that the board understands the difference between compliance and ethics. Getting employees to be compliant is the goal, however, more time and money will be spent driving compliance in a weak culture than in one that is strong and self-governing.
More importantly, boards need to know about the specific culture at your organization and how it manifests throughout different levels. According to the National Association of Corporate Directors Public Governance Survey, 82 percent of board respondents would not rate their understanding of the “buzz at the bottom” as high. Talking about culture across the entire organization can lead to sweeping generalizations – so breaking it down to highlight potential trouble areas in departments, regions or hierarchy keeps your board message focused.
2. Reporting on Activity Rather than on Results & Strategy
One of the biggest issues compliance officers face when reporting to the board, is the data dump. Compliance has access to a lot of data; however, that data alone is not impressive nor instructive to the board. It can even have a numbing effect. To avoid this problem, set the stage for your report with a high-level executive summary that outlines key points. This should clearly show where your program is most effective and how it ties into overall company strategy and KPIs.
Furthermore, do not provide data without context. Incident management reporting rates, policy attestations, and compliance training completions mean little to board members unless they know what the data suggests and why. Clearly connect these numbers back to anchor points in the board’s mind. For instance, the organization wants to reduce legal risk. This requires knowing and resolving issues before they exit the building and turn into lawsuits. The board most likely already knows that the hotline is key to identifying these issues early on within the organization, but they need to know if the current reporting rate signals strong or poor performance toward that goal. Industry benchmark reports also provide additional context for these numbers as well as grab the attention of directors by showing immediate comparisons to peers.
3. Reporting Too Much or Too Little
Boards should receive reports regularly on ethics and compliance program results. The industry best practice is to deliver at least quarterly reports in addition to an annual report. Consistency is key for a number of reasons. Quarterly reports keep E&C issues top of mind for the board and make it easier to connect the dots on how data points trend quarter over quarter. Regular, on-time reports also builds the professionalism of the compliance brand in the board’s mind. Missed or late reports draw into question the effectiveness of the team. On the other hand, inundating the board with too many reports, can be overwhelming and reduces the impact of each report.
The best way to know the optimal frequency for sending reports is to simply ask your board what they prefer.
4. Being Overly Deferential
This is a tricky one. While you should always be respectful of their roles, your job is to help board members understand their responsibilities and risks. You cannot effectively communicate this information if you start from a position of perceived weakness. Be confident in your content and delivery. Too much deference may translate as uncertainty or that the concepts you are speaking to are not critical. Authority respects authority, so the way you present your ideas are just as important as the ideas you present.
Today’s relentless business environment continues to pressure organizations to continuously innovate all aspects of business operations. Similarly, as a risk manager, you’re expected to continuously protect the organization from excessive risk and avoid various pitfalls, compliance failures, lawsuits and other damages. While some studies show strategic innovations reduce risk, others claim that innovation increases vulnerability. Striking a balance between risk and reward for any organization can be challenging, but we have to challenge ourselves to keep pace with innovation while accounting for our company’s risk appetite.
Think about it this way – if you’re not innovating how you manage business risk, you’re not innovating as a business and someone else will overcome you in the market. Alternatively, if you’re innovating recklessly, you place your organization at unnecessary risk. Risk management strategies have to keep pace with business innovation, while not allowing innovation to outpace risk management capabilities. The risk manager’s goal is to increase mitigation capabilities rather than stifle business innovation.
Let’s take a look at the five ways you can drive your organization to flourish in both innovation and risk aversion:
1. Promote a Culture of Risk Awareness
Train your leadership on proper methods of risk analysis and educate them on the reasons they are used for your enterprise. Create alignment from your organization’s tone from the top that embed tolerance levels into decision making throughout the entire organization. Ensure that strong messaging is relayed to midlevel managers and other key areas of the organization to ensure proper oversight. The goal here is to create links between the risks associated with innovation and how they fit into the overall strategic business plan.
2. Regularly Assess & Adjust Desirable Risk Tolerances
An acceptable level of risk may not be possible for all regions, industries or projects; however, we need enough due diligence to not only rule opportunities out, but to also rule them in when possible. Risk tolerances should be referenced through all stages of the planning process. Higher risk appetites also require increased periodic reviews to make sure the project stays aligned with the original scope of the innovation strategy.
3. Participate Across Project Life Cycles
Support your risk managers with a reputation of being strong, strategic contributors of calculated innovation within your business. From the beginning stages to the final rollout, encourage risk managers to engage with functional teams throughout the entire life cycle of new projects to timely assess and direct potential business risks. Over time, this type of consistent involvement from risk managers will imbed risk awareness into daily operations and business critical decision making.
4. Regularly Evaluate Risk Management Tactics for Effectiveness
Using multiple methods for gauging the effectiveness of your risk assessment strategy allows you to diversify the source informing your risk calculations. Transparency International’s Corruption Perception Index is a key source for regional risk concerns, but make sure to use politically exposed persons list, media archives as well as other objective, unbiased sources of information to curate an accurate picture of the immediate risk environment. The more accurate your risk assessment, the more nimble your organization can be.
5. Innovate Your Own Risk Assessment Toolkit
Start exploring and taking advantage of new innovative technologies that are being developed and made available to risk managers to more efficiently identify and address business risks. These tools shouldn’t eliminate human oversight, but remove the burden of administrative tasks to create more time for deeper oversight. Then, take the time to teach stakeholders on the benefits of these new tools, metrics, measurements and methods. Once familiar with risk analysis technologies, explore how you can pull real-time data to drive real-time responses as concerns arise.
One of the top priorities for E&C programs is increasing awareness of policies across the organization, according to the 2018 Policies & Procedure Management Benchmark Report. Regulators are looking for the tie between your compliance program and the type of conduct you are trying to impact. Hui Chen, former compliance counsel for the U.S. Department of Justice, may have put it best: “…companies use to bring in binders full of their policies…I really don’t care what the policy says…I’m more interested in how the policies actually operate.”
This requires policies to go beyond simply words on a page and instead properly package and distribute guidance in ways that effectively transfer concepts into the minds of readers. Consider the steps below to craft, share and train on smarter policies.
An effective policy statement is clear and unambiguous, providing an explanation of how the organization wants employees, contractors and third parties to behave and not just provide a list of things they can’t do. This allows employees to understand the intent of each policy and how it aligns with the values of the organization. In the rare instance in which circumstances create a situation where a policy and values conflict with incentives or other opportunities, understanding intent will equip employees with the behavioral expectation that properly represents the organization.
Beyond simply editing and distributing policies, automated policy management solutions can provide explicit evidence of attestations, comprehension quizzing, and data around third parties. It ties together with the government’s current recommendation to demonstrate compliance program effectiveness, providing an audit trail if regulators come knocking. Organizations need to be able to demonstrate that the conduct under investigation was prohibited by a specific policy and procedure and provide proof that policies and procedures have been effectively implemented.
Accommodate Employee Preferences
Policies need to be adapted for the intended audience. The harassment policy for an international employer might have to be tweaked to address social realities in Scandinavia versus Saudi Arabia, for example. Policies regarding the Foreign Corrupt Practices Act may have to be more detailed for employees dealing with international customers and suppliers than a retail clerk in Iowa.
Be Able to Answer Yes to the Following Questions:
Senior leadership and board members need to take ownership of the issue of sexual harassment in their workplaces. The tone at the top determines the tolerance a workplace has for sexual harassment. Cultures that truly do not tolerate any form of harassment have senior leaders that go beyond quoting their zero-tolerance policies – they take the necessary actions to weed out bad actors and create workplace environments that are preventative rather than responsive.
Consider the steps below to create a tone at the top that supports harassment-free workplaces.
Make the Tone at the Top Visible
If employees only get training, policies or emails about sexual harassment, they see the buck being passed down the line. Instead, seeing members of the C-suite and the board actually champion the messages behind these tactics reinforces the support from the top and cuts employee cynicism.
Corporate leaders should state their commitment to harassment free environments in town halls and in newsletter updates. This is even more powerful when done onsite during annual kickoffs or social events. Also, consider adding quotes from board members in your policies and include images or videos of board members in your harassment prevention training programs. The tone at the top needs a face, name and authenticity for it to permeate throughout an organization.
Not every sexual harassment case allows for quick processing and resolution. But do your best to ensure swiftness for those that do. Employees need immediate gratification to believe that things are actually changing.
According to LegalZoom’s 2018 Workplace Insight Report, “only 26 percent [of employees] believe their employers can take swift action to address a workplace misconduct scandal.” This statistic must change to ensure the preventive effects of speak-up cultures can thrive. Speak-up cultures drive corporate transparency, which ensures bad behavior like sexual harassment isn’t allowed to fester in dark corporate corners.
Make High-Level Cases of Harassment Highly Visible
Nothing is more harmful to your work than employees thinking that certain individuals get special treatment. If a senior leader is caught up in a scandal and the issue is swept under that rug, or at least appears to be to the larger employee population, cynicism sets in.
These are the cases that have the most impact on employee perceptions, and the ones they will be watching attentively to see if their organization really practices what is preaches.
Understand the Soft Skills of the Workplace
Let’s set aside, for a moment, any arguments about doing the right thing for its own sake. We’re well past the point where companies can ignore the financial burdens of a huge reputational hit. And members of boards have a fiduciary duty to prevent financial setbacks.
With that in mind, corporate leaders need know the climate of their workplace as it relates to sexual harassment. Accurately answering the following questions provides a good representation of your culture.
Setting up your toll-free hotline number and creating a website are only the first steps of implementing an effective incident management program. Those are the tools, but what’s more important is the people and the process. Consider the following components necessary to transform reporting tools into a comprehensive program that helps organizations learn about misconduct, build trust between organization and employee, and demonstrate organizational commitment to an ethical culture.
1. Secure Top-Down Support
Incident management programs don’t just need tacit support from organizational leadership, they need visible top-down support. This support from the top is the only way a program can influence and modify employee behavior. If a program is seen as unimportant or a nuisance to top management, employees will share that distrust. Encourage leaders to regularly highlight the various reporting channels and benefits of reporting to the workforce.
2. Clearly Define Stakeholder Involvement
Each stakeholder needs to have and understand their role within the incident management system. Common stakeholders include: legal, finance/audit, HR, risk management, loss prevention, operations, IT, communications and compliance. Each stakeholder should be aware of how the program is being implemented and communicated, as well as have clear expectations for processing and responding to reports. Stakeholder involvement should also be defined in investigation plans, protocols and triage processes.
3. Consider Offering One Reporting Ecosystem
Having multiple reporting numbers and sites for different issues is not only a burden for program administers, but it can also be confusing to employees, suppliers, consumers and stakeholders. Organizations can even alienate potential reporters in cases where complaints regarding discrimination and sexual harassment – both high-liability issues – are turned away because the website and hotline are “for corruption and bribery complaints only.” It is better to learn about high-liability issues as early as possible so the organization can investigate and remediate issues quickly to avoid legal action. A single, unified system provides a better reporting experience for employees and a better opportunity to limit liability for the organization.
4. Capture the Most Complete & Accurate Information
Especially in the case of anonymous reporters, there may never be an opportunity to ask clarifying questions. Top-tier third-party hotline providers are well equipped to ensure that all important details are captured by trained interviewers and offer web reporting tools that protect the identity of confidential reporters. When follow-up is necessary, third-party providers also have systems in place to offer unique identifier codes so anonymous reporters can get back in touch.
5. Know the Regulatory Requirements that Could Affect the Program
Whether it is data privacy and protection, allowable and non-allowable reports in the EU, or required protections against retaliation, there are a number of regulations that impact the operation of an incident management program. Ensure that planning addresses all regulatory requirements early in the process to avoid costly and time-consuming delays during implementation.
Delivering on these fundamental incident management components will allow your program to be ready to receive information from across the organization as well as drive credibility of the program within all levels of operation.
*Concepts in this Ready-Made Memo to Managers was sourced from NAVEX Global’s Definitive Guide to Incident Management.
By 2020, Millennials will make up 50 percent of the global workforce. Our youngest generation, “the Nexters,” will also be out of school and making up 20 percent of the employee population. This means that organizations will be operating with up to five generations of employees. Moving forward, compliance professionals must learn to drive programs that support ethics and compliance efforts effectively for each generation.
This unprecedented change carries its fair share of challenges, but also offers some very unique opportunities. Our job is to mitigate the fissures generational gaps can create within organizations while simultaneously amplifying the positive byproducts. To do this, we must identify natural alignments among generations to maximize engagement opportunities. This interplay can lay the groundwork for dynamic and thriving workplace cultures.
Consider the ideas below as you develop an effective cross-generational compliance program.
The Power of Rewards
Whether it’s a growing social media culture, the prevalence of interactive design or the gamification of everything, people of all generations have grown accustomed to being rewarded for their efforts. As with gamification, these rewards don’t always have to be significant compensation increases or title changes. Rewards just need to be simple positive reinforcements that confirm to an employee that they have made progress toward a goal and their progress has been noted. Compliance can use this trend to shake its nickname of the “No Police” and become the “Congratulation Cops” – although there is probably a better name for it.
Attention Spans Can Be Misleading
We have all heard about shrinking attention spans in our era of distraction. This is very true as digital media, email notifications and the like have all conditioned our attention spans to be effectively ephemeral. However, we are still very well equipped to pay attention to things that interest us – consider the phenomena of binge-watching a TV series. According to Dr. Gemma Briggs from Open University, our attention spans are “very much task dependent. How much attention we apply to a task will vary depending on what the task demand is.” Similarly, “How we apply our attention to different tasks depends very much about what the individual brings to the situation.”
This tells us to be cautious when we default to creating shorter, smaller, quicker pieces of compliance content for our employees. This technique is often correct, but we need to ensure our training topics, compliance messaging and general employee communications still encourage the necessary behavior change they are designed to produce. In short, our goal is not to develop compliance programs that fit into diminishing attention spans, but to create programs that inherently garner the necessary attention for concepts to be effectively absorbed.
Proper Design Goes a Long Way
Our two younger generations have grown up with visual media. The educational and informational efficiencies that visual media provide is also appreciated by people across the generational spectrum. This ties back to overall design thinking which focuses on creating experiences that are intuitive to the user. For example, to access a training course, do employees have to read a long email, find the appropriate link that takes them to your LMS, and then search for the proper title before they can complete their training? Or, do they receive a short email with a big button that say, “Complete Training,” that automatically launches their training when clicked? Make sure to have your employees in mind whenever creating tasks that they need to complete.
Personal identifiable information (PII) is the lynchpin of the EU’s new General Data Protection Regulation (GDPR). To effectively meet the regulation, we need to reacquaint ourselves with exactly what constitutes PII in 2018.
PII has always been a sensitive subject but, with the advent of GDPR, that sensitivity is touching a larger swath of data. In general, GDPR covers any information that can somehow be associated with a person. That’s a big “any.”
According to the definition included in the GDPR, “personal data” is defined as:
“Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
As compliance professionals we have to ensure we, and our companies, are doing the necessary due diligence needed to identify and protect that big bucket of data.
We can start by securing the most common types of information we process:
This extends to information like:
And even seemingly identifiable adjacent information like:
The GDPR also provides definitions to build out a few of these categories.
“Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”
“Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”
“Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”
The verbiage used in the regulation may sounds a bit intimidating. And that’s the point. The regulation is intended to get organizations to take data privacy seriously.
The key to understanding PII is to not just think about it as buckets of disassociated data that you can secure once and then forget about. We need to consider all of our data through the lens of the owner of that data, and how they may or may not be comfortable with it being used. And as a reminder, the owner of PII is the individual, not the company who is collecting or processing it. That, after all, is what the GDPR is designed to do - give EU citizens control over their own information.
Speech in the workplace is a complex issue. First, organizations and compliance professionals put significant effort into creating cultures in which employees feel comfortable raising their voices. This is key to effective whistleblower hotlines and incident management programs. We have even gone so far as to make “speak-up culture” a commonplace phrase in our business jargon. Second, we have the issue of free speech. Free speech, however, is not a concept that has credence in the workplace. It is a constitutional right but does not protect people while operating in the capacity of an employee in the private sector. This creates confusion among employees who don’t understand the distinction, and can strike caution into those who do. What then are we as compliance professionals to do to navigate this fine line of managing discourse while also maintaining strong cultures?
Talk to Someone Who Knows
First things first, consult with a lawyer. Organizations need to have a clear understanding of all the laws that apply to workplace speech and behavior. These could be federal laws, state-specific laws, variations between on and off-duty implications, and laws pertaining to specific types of speech or behavior as in association with political activities.
Aim for Civility
Aside from driving a speak-up culture that improves the effectiveness of incident management programs, ethics and compliance programs need to understand the holistic business benefits of creating a workplace that is safe and respectful. This is closely tied to the idea of “psychological safety,” which is a term gaining popularity in organizations striving to create the best dynamics within team settings. Psychological safety refers to the climate in which employees think and speak. A climate that is “safe” allows employees to express themselves without fear of retribution. This seems to focus on what can be said but, often times, feeling comfortable to express oneself with appropriate language and ideas can be diminished when one fears what they might hear in response. Therefore, by ensuring we quickly and professionally deal with inappropriate speech like inflamed language, derogatory comments and aggressive disrespect, we can make room for healthy communication between employees.
Train Your Corporate Influencers (i.e., Managers)
Curtailing heated disputes or navigating incendiary workplace discourse is not a common skill. That means your frontline managers who represent your company daily to your larger workforce need to be trained on how to identify and respond to potentially harmful discussions.
Understand Policies in the Proximity
Know when to call on your formal policies like anti-harassment, workplace violence and anti-discrimination. Understand the letter and spirit of these policies and enforce them when speech and behavior crosses the line.
Free speech in the workplace is a complex issue often with no definitive do and don’ts for organizations to follow. We should however do our best to create a workplace of ethics, civility and respect. This is one in which there is healthy discourse, an effective speak-up culture and still everyone knows when to mind their tongues.
How we view issues determines how we go about resolving them. Like many issues facing ethics and compliance professionals, sexual harassment is a compliance issue, but also more specifically a human issue. Human behavior is what is responsible for harassment and any response to eliminate harassment needs to account for a change in behavior.
Harassment takes the human aspect a step further than many compliance issues. It is not only created by human behavior, but it can also be defined by how other humans interpret that behavior. What may not be considered derogatory or diminishing to one may be interpreted that way by another. And that matters.
Furthermore, while all harassment may not result in liability for an organization or supervisor, it can affect employee performance and your organization’s ability to retain good people. This is usually seen in behavior that creates a hostile work environment and involves conduct toward an employee that is unwelcome. The behavior is considered hostile when it becomes so pervasive that it alters an employee’s working conditions.
So when it comes to creating work environments that are free from harassment in all its forms, we need to focus on our people – harassers, victims and the larger employee population who are key to driving a culture of ethics and respect.
Here are several steps you can take to focus on the human issue of harassment.
Keep People Accountable
Enforcement doesn’t have to mean dismissal or severe consequences, but it does have to mean consequences. People need to be held accountable for the way they act and the things they say. Behavior ranging from full-blown sexual harassment to creating or perpetuating hostility in the workplace need to be addressed with a similar range of responses. Allowing any instance of harassment to go unaddressed supports a permissive culture and undermines the effectiveness of your compliance policies, training and leadership.
Never Blame the Victim
When people come forward with a report of harassment, treat them with the respect warranted by such a courageous act. It is not easy to bring forth these reports. That’s why, according to the Equal Employment Opportunity Commission (EEOC), “Employees who experience harassment fail to report the harassing behavior or to file a complaint because they fear disbelief of the claim, inaction on their claim, blame, or social or professional retaliation.” We see here that victims are already fighting an uphill battle. They should not be met with judgement or second guessing when they take the necessary step of reporting their experiences.
Make Everyone Aware of the Impact of Their Words
Employees in the modern workplace should be taught to think before they speak. If a comment is diminishing, marginalizing or any other quality that may negatively affect fellow employees, the comment is best left unsaid. This ties into driving a larger culture of ethics and respect that does not rely on policies to eliminate bad behavior, but on culture to naturally enforce the sentiment of policies with a tone of: That’s just not how we do business.
Create a Listen-Up Culture
The common turn of phrase is “speak-up culture,” however that puts the onus of speaking up on the employee. Before a victim of harassment will speak up, they have to not fear, as quoted earlier from the EEOC, “disbelief of the claim, inaction on their claim, blame, or social or professional retaliation.” This means leadership and the compliance department need to ensure employees that their reports will be heard, taken seriously and resolved efficiently. After consistent proper handling of incident reports, employees will understand that the organization values their voice and is ready to listen.
Generation differences can play a big role in how employees engage with aspects of our business and compliance programs. What’s interesting is that this is becoming less true for how employees across all generations engage with ethics and compliance training. For instance, Millennials and Nexters (those born after 2000) are often referred to as digital natives. These are young folks who have grown up in the era of the internet, mobile devices, and social media who are steeped deeply in technology. One would think that these tech savvy individuals would have higher preferences for compliance training that is socialized, gamified, visually engaging and interactive. While Millennials do prefer this type of training content, so does everyone else.
Millennials and Nexters, who together will make up 70 percent of our global workforce by 2020, are not only changing the way we have to offer training, but they are also changing the way the rest of us learn. This might be less about generational idiosyncrasies, and more about general advancements in technology. In any case, our compliance training must adapt to meet the needs of the modern learner.
Mobile devices, live streaming, on-demand content and multiscreen media consumption have all contributed to the way we apply our attentions. Today everyone is a multitasker. This means that we need to use a blend of training styles so that no one format grows stale to the learning. According to NAVEX Global’s Definitive Guide to Ethics & Compliance Training the top programs use a mixture of “live and e-learning, short- and long-form courses and a variety of engaging formats, and a disciplined approach to reporting and measuring training effectiveness that focuses on training outcomes.”
Think about the evolution of the cinematic experience. For instance, compare the special effects of a great, yet old movie like the Goonies, with something like Avatar, which itself is now a few years old. After being introduced to the whole new world of computer-generated imagery (CGI), some of our old movie favorites start to lose their appeal because we are more attuned to flaws in the set, unrealistic costume design and contrived special effects. Consider this when you deploy your training courses. Do those courses reflect the visual media that learners are now accustomed to? Do they offer the same seamless digital experience? It’s not just updating the clothing actors are wearing, but also the layout of the interface, good use of white space and packaging up complex concepts in easily consumable ways.
Social media has gotten everyone excited about building connections. This is great for peer-to-peer learning, which can help the adoption of training concepts through naturally occurring discussions among co-workers. Think about different offline ways to complement your online compliance training. Have manager-led discussions around case studies to help further educate employees on specific behaviors – these should be sanitized of course and respect confidentiality. Training concepts could also be woven into team and department meetings so employees are regularly connected with those concepts and have a chance to discuss them with others.
While younger generations are often labeled as having short attentions spans, they have also been responsible for a new phenomenon called “binge watching.” This is where people consume multiple episodes of a TV show in one sitting. Now that sounds like expanded attention. This seems to indicate selective attention. And that attention is reserved for highly engaging content that tells a story that you just have to see what’s coming next. So while your training program might not be able to rival the production value of a Game of Thrones or Netflix original series, you can still ensure that learners are engaged in a story. And this story should be relevant to employees and not just tell them about concepts but actually place them into scenarios where those concepts can be seen in their day-to-day jobs.
Ethics and compliance is a people business. Sometimes the person you have to focus on first is yourself. Take the necessary steps to create a daily, weekly or monthly professional development plan to grow a little more every day and create a personal compliance brand that transforms your program and your career.
Use these four steps as general guides directing your efforts toward developing professional credibility and your personal brand.
1. Know It All, or at Least as Much as You Can
A lot of times the buck stops with Compliance. And that means we need to have the answers. Elevating your professional standing and personal brand as an integral part of the business requires an extensive knowledge of the compliance industry and its evolving landscape. Therefore, learn the business and learn everything you can that touches your work.
You can start by selecting one of Compliance Next’s five learning tracks to take your ethics and compliance knowledge reserve to the next level.
2. Hone Your Expertise with Experience & Community
Becoming an expert requires more than just knowledge. The most effective compliance professionals have a deep understanding of their field, but also know how to navigate through unexpected situations, and handle issues that can’t always learned from a book. The best way to build your expertise is through experience – putting in the time. The next best thing is expanding and strengthening your professional peer network. A tight knit group of compliance professionals who actively share experiences and lessons learned can effectively contribute years of expertise to one another through knowledge sharing.
Explore groups on Compliance Next to start building your peer-to-peer network.
3. Make Respect a Part of How You Do Business
Respect is key to relationship building. It’s key to gaining the loyalty of your peers, department and organizational decision makers. And it is also key to supporting the larger healthy workplace culture that compliance professionals are charged with cultivating. So, as a starting point, always speak and act with honesty and transparency. There are enough hidden agendas at play in workplace politics. Make it a point to develop trusting and honest relationships with all those you interact with, as well as be a champion who fuels that behavior throughout the organization.
4. Don’t Avoid Accountability
The higher you rise in your career, the more responsibility you acquire. Effective professionals in any function bolster this responsibility with accountability. Understand that your decisions and actions are just that, “yours,” for better or worse. Everyone makes mistakes; established compliance professionals own their mistakes and take the necessary steps to amend the wrong and improve for next time. It’s all part of the growing pains of a successful career.
Your organization has an inherent information source ready to provide early warning signs of problems percolating within. This is your whistleblower hotline and incident management program. Effective incident management programs nurture speak-up cultures, help programs focus on the most critical areas of behavior change, and provide a safe and confidential place for employees to clarify policy or discuss concerns.
Each facet of an effective whistleblower hotline and incident management program enables compliance officers to respond swiftly to prevent, contain or resolve incidents before they become compliance disasters. That is, if your hotline and incident management program is factually effective. The only way to know this is to test.
Call Your Hotline & Submit a Web Report
Test your hotline by calling it directly with various compliance concerns, reports, questions and violations. The goal is to ensure that the system in place processes, triages and elevates reports properly. Track your reports all the way up your organizations to see if escalation kicks in properly to notify your compliance team and board when necessary.
Make Sure Your Program Works for Everyone
First off, is the call specialist answering your hotline able to speak the language of the caller? Same goes for your web intake platform – are necessary forms and communications translated to meet the language needs of all your employees and third parties? Next, ensure technical functionality of your system. Can your hotline be reached from every country in which you do business?
Test Validity of Reports
Your team may be receiving reports, but are they accurate and comprehensive enough to prompt effective and efficient resolutions? Ensure your call specialists are equipped to gather as much necessary information as possible to thoroughly process each report. Likewise, managers need to be trained to handle open-door reports with confidence. Additionally, along with receiving each report, managers must enable and encourage anonymous whistleblowers to follow up on their reports.
Sit Back & Wait
Proper processing, user-friendly technical functionality, and both report comprehensiveness and accuracy are all key components to an effective incident management program. But before you can call it good, you have to test for timeliness. How long did it take for the report to get to you? How long before you were followed up with about the reported incident? Timely follow-ups to employee reports assure whistleblowers that their concerns are being taken seriously. This alone plays a major part to ensure incidents do not fester into bigger issues while reports are being processed. Timeliness is also essential to prevention. There is a finite window of time in which compliance responses can be proactive. When that window closes, you have to resort to containment.
As companies implement more robust risk management programs, we can expect to see more post hoc analyses and questioning of due diligence programs. How do companies design their systems in response to this rising expectation?
Companies cannot blindly conduct due diligence, document each step and avoid careful analysis of third-party risks. Last year’s Och-Ziff enforcement action underscored this point when Och-Ziff conducted due diligence of an Israeli businessman, DRC Partner, and raised serious questions about DRC Partner’s integrity. In fact, the DOJ cited the internal disagreement within Och-Ziff management over whether to engage DRC Partner or not in their action.
The government’s citation of internal debates or the manner and quality of resolution of red flags raises some interesting questions. If three officials argue to move forward with a third party and two disagree, can the company move forward or will DOJ/SEC cite the two opponents as evidence of an “unresolved” red flag?
How-to Avoid this Pitfall?
The company must fully document the debate and factors underlying the decision, including why any dissenting viewpoints were overruled.
Third-party risk management will continue to be the focus of DOJ and SEC FCPA enforcement actions. Companies have to design their programs in response to this increasing scrutiny of third-party due diligence reviews.
A company’s code of conduct should be a living document – one that is regularly updated and regularly visited by both leaders and employees to practice and embody the values of the organization. But at the end of the day, a code is just words. These words do not manifest into a strong corporate culture until senior leadership embeds its statutes into all their business practices. This modeled behavior is what influences the true culture of an organization. This is why we have the phrase “culture always wins.” If your code says one thing but your culture – driven by senior leaders – showcases another, it’s your culture that will define your organization for better or worse.
So let’s talk about a few ways actions speak louder than words when it comes to tone at the top.
1. There has to be accountability, and it has to be equal
Rules that are not enforced hold no value. Even worse are rules that are enforced for most, while exceptions are made for others – such as high-performing employees. An effective tone from the top, ensures the entire organization knows that the company is committed to its values and policies, and that there will be consequences for one and all alike if those standards are sidestepped.
2. Your incident management process is key to driving a speak-up culture
As a CEO, senior leader, manager or compliance professional, your tone from the top starts with listening. Encouraging employees to raise their voices to report wrongdoing only gets you halfway to a speak-up culture. Employees need to be convinced that their voices are being heard. That only happens when employee reports are efficiently processed and resolved. An effective incident management process makes it easy and comfortable for employees to report. It provides regular updates to employee reporter so that they are not left wondering what is going to happen next or, worse, fear retaliation. And lastly, effective processes communicate back to employees what has changed, or the reason things are not changing.
3. Tone at the top needs to connect through the middle
Individual contributors who excel in their jobs are often the ones who are made managers. But just because someone is good at their job, doesn’t mean they are good at managing. All managers, especially new managers, need to be trained on how to effectively support their ethics and compliance initiative. Middle managers are an organization’s cultural ambassadors. These are the people employees look to for answers every day, and they need to be equipped to provide those answers correctly and accurately day in and day out.
Give Your Policies a Process
Conflicts of interest have been a compliance concern for long enough that most organizations have the right policies in place. The processes that enforce those policies, however, need the same attention. Effective COI efforts include a process that identifies, manages and resolves conflicts. Employees need to be trained on what constitutes a conflict of interest; disclosure channels need to be promoted so employees know where to report potential conflicts; and management needs to understand the correct protocols to resolve potential conflicts before they become actual or perceived conflicts.
Be Transparent First and All at Once
One form of conflict is a perceived conflict of interest. This is where an actual conflict may not exist; however, there appears to be a conflict from the perspective of the public, internal staff or shareholders. When dealing with a perceived conflict of interest, the only way to completely resolve the issue is with full transparency. This requires putting everything that may be of interest onto the table for all to see. Efforts of transparency need to happen all at once. If there is a steady drip of additional information, it will further turn perception and opinion against the parties involved.
Get Familiar with Likely Conflicts
Conflicts of interest have certain characteristics and tendencies. Train yourself to identify the subtleties of the more frequent conflict types and you will be more attuned to their various nuances.
Consider the four below:
The majority of cyber security breaches are caused by human error. That’s why creating a culture of cyber security is one of the most effective steps to ensure your organization prevents attacks. It’s much better than having to pick up the pieces after an attack.
Use these five questions to get an idea of how your program will weather the storm in the current cyber climate.
1. Does my team use their own phones, tablets or other electronics for work purposes?
A better question might be: Does my organization have a BYOD (Bring Your Own Device) policy? If it does, you are one step closer. Next you have to make sure employees are aware of the policy and that its practices are enforced. One security breach on one device has the potential to affect your entire organization.
2. Do my employees know what to do if they encounter a suspicious email?
Phishing is getting more sophisticated every day. The rule of thumb is to think before you click. And when in doubt, ask. Ensure your employees know they are a critical link in your cyber attack prevention efforts and are ready to act if the time comes. Immediate internal reporting is an essential part of maintaining sound cyber security.
3. Does my team stay on top of required security updates from IT?
As we learned for the major WannaCry ransomware attack, a neglected patch update can cause disastrous effects to an organization. Putting off any type of security update request coming from your IT team puts devices and, therefore, your organization at risk. Reinforce with your team the need to act promptly when a security update is required.
4. How often do we use web apps?
There is an app for everything. Sometime the easy app choice is not the most secure choice. Get IT involved in your app decisions early on to verify the security of any application you plan to bring into your organization’s network.
5. When was the last time you talked with your team about taking laptops on the road?
Team members who travel or work offsite need extra reminders about keeping data safe and secure. Give periodic reminders about the need to be extra vigilant about preventing laptop theft, and using only secure Wi-Fi connections to access the network or confidential documents.
Awareness is key to creating a culture of cyber security. Employees need to know that their behavior has a major impact on the security of the organization. And make sure you are setting a good example.
All you have to do is scroll through your news feed to see a series of headlines reinforcing the need to protect your organization against cyber attacks. Cyber security can no longer be seen as just an issue that IT has to deal with, or just Compliance, Operations or Legal for that matter. Cyber security is an enterprise-wide risk involving all business units, all operational units, all your employees and all your key third parties. That being the case, it requires a cross-functional approach.
Here are four things to know about the current issues of cyber security.
1. Cyber Security is a People, Process and Technology Issue
With the enterprise-wide risk that cyber security presents, it is essential that organizations develop cross-functional approaches. Key players such as IT, Security, Legal, Compliance, HR, Operations, Procurement or your supply chain need to be engaged. Also customer support is a function that many may not consider. However, if your network is compromised or customer data is compromised, you are going to need a way to communicate to your customers. Similarly, public relations and communications teams need to be able to articulate the company’s approach to cyber security and, should there be a breach, will be key in helping the company communicate what’s happening and what it is doing to respond to it.
2. There Is More Surface Area than ever before to Protect
The rise of mobile and other internet-connected devices is increasing the access points that organizations need to protect. Everything from checking our email to accessing our corporate networks to turning the lights on and off in our homes is being managed remotely and provides additional opportunities for bad actors to gain entry to corporate networks. With varying security controls on each access point and the increasing amount of sensitive information managed remotely, mobile habits are creating more surface area cyber security programs must protect.
3. Old Threats Are Manifesting Themselves in New Ways
Consider ransomware: Stealing information has always been a threat, but now bad actors are holding this information until receiving a ransom, or threatening to share the information publicly if a ransom is not received. In some cases, the biggest threat is the complete destruction of information, or just as threatening, the manipulation or corruption of that data.
4. Big Data Is a Big Responsibility
With modern technology and the decreasing cost of storage, we have the ability to maintain inordinate amounts of data easily. But just because we can doesn’t mean that we should. Companies are not differentiating between data that is critical, sensitive and confidential from all the data that is not. The reality of our risk environment is such that there is a good chance that our data is being compromised in some way. Whether it is from careless employees, malicious insiders or bad actors outside our organizations, chances of a data breach happening is high. The key is to differentiate between what is really critical and what is not.
We have to remain vigilant in our efforts against cyber risk. The protections that worked yesterday may not work today, and tomorrow might present an entirely new risk we never expected.
Do the right thing. Uphold our values. Always act with integrity. These are the kind of messages you’ll typically find in our code of conduct and compliance training. But what about those grey areas? Our training tells employees to ask for help anytime they encounter an issue they’re unsure about. However, before they ask, most people try to find the right path on their own. This is often where poor decision making can get organizations and individuals into trouble.
The good news is this: as a manager, you can help your employees avoid unethical business practices. And in fact, our training messages come to life when you reiterate them. Research has shown that people typically make poor decisions for one of four reasons: lack of understanding, pressure, lack of accountability and self-interest. Here are ways you can support your team in ethical decision making around each of these issues:
Lack of Understanding: Employees may not recognize when they are dealing with an ethics or risk issue, or they may lack understanding of the rules and standards that apply. Sometimes, it can be simply not realizing their responsibilities in a sticky situation.
Remedy: Watch the news, check out blogs and talk to your team about the types of risks and ethical challenges that may occur in your organization. Pick one or two issues that are particularly relevant to your staff and the work they do. Work through the “what if” situation using our code and policies as guidance. This helps them walk through the process of ethical decision making in advance of a problem while demonstrating your willingness to help with a tough issue.
Pressure: Time and performance pressure are part of today’s business world. However, pressure applied by management or peers to achieve an impossible deadline, or to do something that violates values or rules, can push good people to cross the line. Inappropriate incentives can do the same thing.
Remedy: Keep an eye on the pressure meter in your work group and any extraordinary incentives to “get the numbers” or “have zero safety incidents.” Verbalize to your staff, often, that there is no justification for misconduct.
Not Enough Accountability: Inconsistent discipline for misconduct sends the message that our organization is not serious about doing the right thing. Discounting future consequences in favor of immediate gain is a risk when there does not seem to be accountability for making ethical decisions.
Remedy: Make sure to take corrective action consistently when needed. And when you educate your team on the issues they may encounter, be sure to emphasize the consequences of bad behavior—both short and long term.
Self Interest: It is, unfortunately, human nature to believe that we are smarter, more deserving and better than we really are. In the workplace, this can lead to a “slippery slope” situation where someone rationalizes doing just one small bad thing, which makes the next bad decision easier, and so on. By his own admission, this type of thinking landed Andrew Fastow of Enron fame in jail for many years.
Remedy: Talk with your staff about the human frailties we all share, and do it often. Awareness of a temptation can be built through periodic repetition of the potential risk.
Celebrate Good Decision Making
It’s easy to overlook the good decisions being made in your work group. Make a point of looking for these and mentioning them in staff meetings. Such decisions make good instructional moments—and the person who did the right thing will appreciate the kudos.
As former FBI Director James Comey stated, “There are only two types of companies when it comes to cyber security. Those that have been hacked and those that do not know they’ve been hacked.” With so many potential entry points to our company’s network (smart phones, tablets, laptops, etc.), the bottom line is that cyber security risks have increased for all organizations, including ours.
Understanding and Managing Our Cyber Security Risk
As a manager, you have a responsibility to help protect our organization’s sensitive information—including personnel, financial and strategic data—to thwart potential risks.
Consider taking the following steps to protect yourself, employees and our organization online:
Compliance with our technical guidelines does not automatically equate security. Even the most compliant organizations have or will experience a security breach at some point. But we should all be proactive about ways to deter, detect and remediate should a breach occur in our organization and your contributions are critical to that equation.
How confident are you that your team’s day-to-day business decisions will help us strengthen a culture of cyber security in our organization? If you’re not sure of the answer, read on!
The majority of cyber security breaches are caused by human error. We need your help to keep cyber security top of mind. Ask yourself the following questions to determine the degree to which your team is helping our organization stay secure:
As with all aspects of ethical and compliant behavior, your team looks to you to determine which behaviors are acceptable and which are not. Remind employees that their behavior can have a major impact—and make sure you’re setting a good example.
As a compliance professional, and especially as a manager in the field, there is no lack of items on your to-do list vying for time and attention. One of the many talents of effective compliance professionals is the ability to do more with less – to create a work environment where you spend the most time on the things that matter most. Consider the four steps below to increase the efficiency of your program.
1. Encourage Anonymous Reporters to follow up on Their Reports
Research has consistently shown that seven out of 10 anonymous reporters are not following-up to their reports. This low rate makes it difficult for investigators to truly investigate a case, thus affecting the overall perceived effectiveness of the hotline/helpline program. Following-up allows investigators to pose questions that will give them additional information to the reported incident and may mean the difference between resolving a case or not. Further, these reporters are not learning whether their concern has been addressed. Both of these outcomes lead to time loss and frustration – both for reporters and investigators.
Whether an anonymous report comes in through the web or hotline/helpline, the reporter is given a unique identification number as well as a PIN. It is important to remind the reporter to save these two numbers in a safe place. These unique identifiers will be the only way that they are able to follow-up on their report. Typically investigators will post any questions they have within ten days of opening their investigation. The responsibility then falls on the reporter to check in and respond to those questions. Encouraging your reporter to follow up, will help ensure the necessary information will be there when you need it.
2. Err on the Side of Millennial-Type Learning Preferences
The term “millennial” is the ubiquitous adjective describing anything from reading habits to the type of snacks stocked in the breakroom. And that’s for good reason. Millennials are a powerful force increasingly defining the modern workplace. However, when it comes to training, it is not about age, but about how individuals – regardless of their generation – engage with the content. Millennials are changing that too – for all of us. Growing up immersed in technology was once a defining trait of a learner; however, with the younger generation filling out more of the workforce, they are effectively influencing the way we all learn.
The youngest two generations will comprise 70 percent of the global employee base within the next four year, and influence the way the workforce as a whole learns. Erring of the side of millennial-type learning preferences will ensure you are providing training content in the most consumable way to the largest portion of your workforce.
3. Master the Executive Summary when It Come to Board Reporting
Your executive summary should be short, and provide a high-level glimpse of the following program focus areas:
Your executive summary should also highlight any resource challenges the compliance department may have which would need board support.
4. Prevent Code Creep (Just Say “No”…sometimes)
To remain effective, your Code of Conduct needs to function at a high level, be principle based and written in a way that is easy to read and use. This can be tough as your organization is full of subject matter experts, many of whom believe their material needs to be included in your organization’s Code. This is where a “no” to code creep, can be a “yes” to a more effective code (see what we did there?) Your Code of Conduct is your most important policy, but that doesn’t mean it needs to include all your policies. It shouldn’t really. Your code needs to be uniform and consistent so that employees can retain the most important information as well and search the document efficiently when necessary. The more detailed legal issues are best reserved for policies. Making the distinction between your communication tool, which is your Code, and the more in-depth policies which support it, will ultimately save you time. Employees will become more informed and the need for the compliance function to provide guidance will decrease as your Code becomes more effective.
Burnout. Fatigue. Stress. When we feel overwhelmed by issues at work, engagement can be the first casualty. Cynicism can start to seep into our conversations, actions and interactions. When this happens, ethics and compliance requirements or issues might feel like just another box to check. After managers and their teams reach a critical point of disengagement with E&C initiatives, you may start to hear things like…
While these kinds of reactions may sound somewhat innocuous, they’re actually the seeds that can grow team-wide dismissal of ethics and compliance efforts. And a dismissive attitude can breed misconduct, unethical actions and a highly-damaging culture of cynicism.
Our organization is fully committed to ensuring that every employee is empowered and equipped to make ethical decisions that are in line with our code of conduct and our core values. The only way to live out this commitment is to help individuals rethink what they say, what they do, and how they get things done through a lens of ethical decision-making.
When E&C requirements are feeling burdensome, consider this: research shows that firms with excellent governance, risk and compliance practices generally have better:
So the next time you hear a team member express scorn for an ethics and compliance activity—or when you’re tempted to say something negative yourself—get back on the right track by reminding your team member and yourself of the benefits of fostering a culture of compliance, ethics and respect.
As always, we want to be a resource for you. Come to us with questions, ideas and issues you’re facing. If morale or engagement on your team is low, let us help you reduce compliance risks related to disengagement while we work together on strategies for addressing the root causes of the issues your team is facing. And remember, as a manager, you are in the very best position to set a tone for your team.
What example will you set today?
When’s the last time you took a few moments to do an ethics and compliance risk assessment on...yourself? Things in our organization can change quickly, including managers’ span of control, members of your team, which vendors we use and more. As your business partners, we in the ethics and compliance department want to be a resource for you when your exposure to ethics and compliance risk changes or expands.
So take a moment and review this list: do any of these sound familiar?
Any and all of these issues (and many more like them!) can create new ethics and compliance challenges for managers. We want to remind you that you are not on your own! If you have questions about ethics and compliance concerns, we want to connect you with help. From one-on-one consultations, training resources and advice to setting up mentoring relationships with other managers within our organization, we are committed to equipping you for success.
Raising your hand when issues come up is a major part of owning ethics and compliance. There is no question too small to ask. Set an example for your team: “speak up” when you face new ethics and compliance challenges. Together, we’ll continue to build an ethical and compliant organizational culture we can all be proud of.
As a manager, you are no stranger to generational diversity in the workplace. With the influx of millennial workers, you are now managing employees from up to three or even four different generations. And the millennials that everyone is talking about will make up 50% of the workforce by 2020.
So from an ethics and compliance perspective what does this mean for you as a manager? Here are three things to consider.
1) Don’t make the mistake of doing things just for millennials or using loaded language (rife with generational or age based stereotypes). That’s a sure-fire way to get your efforts to backfire, and possibly end up being the subject of an age discrimination lawsuit. What you need to focus on is improving the ethics and compliance conversation for every worker, regardless of age. The more we get our employees talking about doing the right thing, the better we will become at recognizing what that is, and executing against it.
2) Understand the needs of your evolving employee population. Research from the Ethics Resource Center concludes that workers between the ages of 19 and 29 are in a significant area of vulnerability in terms of unethical conduct. So the younger you are the more likely you may be to make an ethical mistake. Ensure that all employees (including new employees) have access to ethics and compliance training, that they get to know key internal resources, and that you personally support a speak up culture that allows them to raise concerns and ask questions.
3) Recognize and embrace the new more social and collaborative workplace. It’s not just about millennials; workplaces today are fast becoming a place where ideas can be openly discussed and challenged, information is more readily available to everyone and learning happens more organically and informally. And it’s not just millennials that will benefit from these changes—all employees will see the positive impact.
To support this trend consider your role in fostering that type of work environment for all your employees (regardless of generation) with these ideas:
If you need additional help addressing these issues on your team, please contact HR, the ethics and compliance team, or our legal team. They can help you get to the root causes of an issue and, if necessary, get your team back on the right track.
Maintaining policies is not the job of our ethics and compliance department alone. We all need to ensure that our policies are as effective as they can be—which requires that we work as a team. You are on the front lines with our employees and vendors every day, and may hear about issues with policies long before we do.
Policies that miss the mark—for whatever reason—leave our organization open to risk. Ensuring that our employees and vendors adhere to our policies helps us avoid compliance failures before they occur. We hope you will reach out when you encounter any of the following issues with policies, so we can work together to make the policy more effective.
Contact us when you encounter a policy that is…
1) Difficult to Understand. Our ethics and compliance team is committed to making our policies understandable. If employees are struggling to understand the wording or meaning of part or all of a policy, we want to know. Our goal is to make sure our policies are easy to understand and follow.
2) Outdated. Our goal is to review all of our policies on a regular basis to ensure that they are up-to-date. However, between reviews, your help is invaluable. If you or someone on your team encounters a policy that is out of date for any reason, get in touch.
3) Missing Information Related to New or Updated Laws and Regulations. Because of your area of expertise, you and your team may be the first to know about new laws or regulations that may impact our policies and procedures. If there is a new law or regulation your team knows of—or knows is coming—check with us to determine whether there needs to be a policy or procedure change made to address it.
4) Culturally Insensitive. We strive to ensure that our policies are culturally sensitive. If we miss the mark, we want to know and address is right away. If you or a team member sees something in a policy that is potentially offensive or otherwise needs to be addressed, be in touch right away.
5) Not Correct for (or Applicable to) a Particular Region or Location. Not every region or location is the same, and sometimes our policies must reflect those differences. If you notice something in a policy that doesn’t seem to apply to your location or your team members’ locations, let us know. We may have a specific version of a policy we can provide to you, or we may need to make a custom version of a policy to address the issue.
And finally, contact us if there is an issue you think we should have a policy on, but do not. Gaps in policies are as risky as policies that do not meet our standards.
Policies are the backbone of an organizational culture that supports a culture of ethics and respect. By working together, we can help ensure that our organization continues to be focused on fostering the kind of workplace we all want to be a part of.
Employees who work outside of our normal workplaces—including those working at home or in other countries—present special challenges for managers. For instance, because they are physically separate, it can be easy to pay less attention to them and to assume everything is going well. It also can be harder to ensure their actions are consistent with our code of conduct and policies.
However, nothing reinforces and nourishes our ethical culture more than the words and actions of the leader who employees interact with most often—you, their manager. As a manager of a remote employee or employees, you should make an extra effort to consistently:
Employees who work off-site can increase the risk of ethics and compliance violations. But that risk can be significantly mitigated by the tone you as a manager set—and your diligence in making meaningful connections with off-site employees can have a huge, positive impact on our corporate culture.
Change isn’t easy. And yet, organizations must make changes all the time to stay ahead of business, cultural, regulatory and economic trends.
As a best practice, organizational changes are usually well researched, timed effectively and communicated well in advance. Despite all the preparation that goes into planning and processing policy changes, a successful launch cannot take place without one key element—management’s support.
As a manager, you are the critical piece in helping employees understand and adapt to new processes. Here are three guidelines to keep in mind as you help your employees through change:
1) Address Uncertainty. It can often feel as though decisions that impact employees are being made at a distance. To help your employees better understand process changes, and provide as much background information around the process change as you can. As you talk through the changes, highlight process gaps and the impact those gaps presented for the business. Additionally, provide feedback to organizational stakeholders on your team’s reactions, both positive and negative, to better help management refine the process and make your employees feel heard.
2) Choose the Best Possible Timing & Communication Channel for Sharing Information Related to Change. Do your best to know when changes will be communicated, especially ones you know will impact your team. As much as possible, try to seed in advance that a change in procedure or policy may be coming. If the change must be communicated via email, be sure to cover it in your next staff meeting. If it’s through a Town Hall or other meeting, gather your team after and take questions for follow-up. If you’re responsible for communicating the change, consider the channel. Is this something better addressed in a broader meeting? One-on-one? Is a written communication truly most appropriate, or would it be better as a follow-up to a verbal explanation?
3) Keep the Lines of Communication Open. The more people know—about how change will be coming, and when and how it will impact them—the better it will be accepted when it arrives. Leadership plays a key role in managing employees' resistance to change, but you can help make the process easier for the people you manage. Communicating early and often about coming shifts can help impact how employees react and lessen the overall impact of the only real constant—change.
Many managers assume that harassment isn’t a big deal with their employees. But do you really know if harassment is an issue for your employees? Have you asked them? According to a 2015 survey, 48% of U.S. employees have either experienced or witnessed “abusive conduct” at work (27% have suffered abusive conduct at work; another 21% have witnessed it).
As a manager, we are looking to you to help watch for and prevent harassment before it starts. A powerful prevention tool every manager has is the ability to talk with and listen to his or her employees. Some simple ideas you can use include:
You’re probably reading that last suggestion with doubt. Instead of literally asking them, have a conversation with each employee every quarter (or so) about how things are going in general. Ask them:
You need to be genuinely interested in hearing your employees’ responses and willing to take action; if you aren’t, asking questions will backfire. Inaction in the face of problems can result in employee morale issues, resentment and – worse yet – potential legal liability.
Remember, your silence sends a strong message to your employees – “I don’t really want to hear about it.” Talking about your expectations makes the statement that harassment won’t be tolerated. So, as this year begins, take a different approach. Start a productive dialogue with your employees and aim to improve the culture where you work.
As a manager or supervisor you are the first line of defense in preventing retaliation. All too often, managers and supervisors at some companies get this wrong: we want to make sure we get it right.
Managers and Supervisors are Critical to Anti-Retaliation Efforts
Training and awareness of how to spot retaliation—as well as knowing how to prevent it—are crucial for all organizations. As a manager or supervisor you need to know how to receive and handle reports without retaliating, and how to spot and halt any retaliation you may observe.
Respondents to the Ethics Resource Center’s 2013 National Business Ethics Survey (“ERCBES”) indicated that employees initially report issues to their managers or supervisors over 60% of the time. However, if employees perceive that their “reward” for internal reporting of non-compliance will be retaliation, they are much less likely to report issues of concern to their manager. They may also potentially avoid internal reporting altogether and go directly to a regulator or to the media. In these cases the company is denied the first opportunity to fix the problem.
The ERCBES statistics also showed that 21% of respondents reported being retaliated against for reporting misconduct. We must strive to ensure that this statistic does not apply to the way our organization handles reports of compliance failure.
How can we significantly reduce the instances and perception of retaliation in our company?
Managers and supervisors have a crucial role to play in identifying and eliminating retaliation. Key steps to take include:
1. Understand What “Retaliation” Means
To get a full understanding of our company’s views on retaliation, be sure to read our Code of Conduct and policies on retaliation. In the past, retaliation generally took the form of a manager firing an employee for reporting them for a compliance failure. However, there are often many more subtle ways of retaliating such as:
These kinds of behaviors are considered retaliation, and are unacceptable.
2. Support our “Open Door” Policy
Communicate to your employees how important it is to you and to the company that they feel free to come to you and discuss any violations. Make sure they know that if they do report to you in good faith, the report will be properly handled and there will be no retaliation by you, even if you are named or involved in the alleged violation.
Make sure you say thank you to the employee for coming forward and reporting the issue, and assure them that retaliation is not acceptable and violates company policy.
Additionally, effectively using the “Open Door” policy is part of your higher fiduciary responsibility as a manager and supervisor.
3. Be on the Lookout for Peer-to-Peer Retaliation
In addition to retaliation by a manger or supervisor, the next most likely source of retaliation can be the reporter’s peers. Non-management employees may believe that a peer reporter “sold them out” or got their work group or favorite boss in trouble. This peer response can unleash the most subtle retaliation, often to devastating effect.
As a manager, you have a duty to be on the lookout for this peer-to-peer retaliation and put a stop to any action which might be perceived as retaliation.
4. Follow and Document Good Processes
To demonstrate fairness, make sure that any issue resolution follows a consistent and well-established process which includes:
We need to do everything possible to identify and eliminate all forms of retaliation so that our employees are comfortable knowing that they can and should report issues of noncompliance to our managers.
The effects of harassment on employees and within an organization can be devastating. Unchecked harassment can erode trust, weaken goodwill and undermine productivity, as well as put our organization at legal and financial risk. The good news is that managers can help us maintain a positive workplace environment in which everyone has the opportunity to thrive. Here are four ways you can help prevent and stop harassing behavior in your organization:
1) Recognize Harassing Behavior When You See It
Harassment typically takes one of three forms:
Verbal Harassment: Sexually explicit or derogatory jokes, innuendo, name-calling, insults, comments or other verbal behavior based on a person’s race, gender, religion, national origin, or other characteristic protected by law or our policies.
Physical Harassment: Inappropriate physical conduct, including unwanted touching or gestures. While physical harassment most often is based on sex, it can relate to any protected characteristic, including religion and disability.
Visual Harassment: Any visual material, including posters, calendars, screen savers, web pages, comics, personal photos—even tattoos—that is sexually explicit or derogatory of a protected characteristic.
2) Address the Behavior Right Away
As an employer, we have a duty to protect all of our employees from harassment and discrimination. As part of that, you have a “duty to act” whenever you become aware of potential harassment—regardless of how you learn of it.
If you see or overhear behaviors that are potentially harassing, the best option is to address it right then, on the spot. You do not need to scold the person or be aggressive, but you do need to point out that their behavior is inappropriate and stop it. Then email HR to let them know what happened and how you dealt with it.
If an employee tells you about potentially harassing behavior, assure them that the matter will be taken seriously and will be kept as private as possible. Thank them for coming to you, then reach out to HR and share the employee’s concern.
If an employee asks you not to tell anyone, including HR, what they have told you, explain that you have a duty to alert HR. If they are suffering such behaviors, others might also. You can offer to keep their complaint as anonymous.
Remember, doing nothing is never an acceptable option. When in doubt, at a bare minimum, reach out to HR or the compliance team for guidance.
3) Know Where Our Policies Apply
Our anti-harassment policies apply in any work-related setting—not just at daily work sites.
Company picnics and holiday parties, client sites, conferences, and business meals all typically are “work-related settings,” so your duty to address harassing behaviors applies in those settings as well.
We are not responsible for our employees’ purely personal, non-job-related behavior (thank goodness!). However, if one employee complains that another employee has harassed him or her off the job, we should take steps to ensure that the behavior does not continue at work.
4) Lead by Example
Your behavior sets the tone for the workplace. Always be respectful and professional and your team is very likely to follow suit. If you have any doubt, before you act, ask yourself whether you would be comfortable if your behavior were recorded with a smartphone and then posted to the internet, with a link sent to our senior leadership. If not, the behavior does not belong in the workplace!
Most executives in management positions are problem solvers. Generally, this is a good thing! But when it comes to handling allegations of workplace misconduct, the urge to proactively “problem solve” can have extremely negative consequences.
When a manager acts independently to investigate alleged misconduct—that is, without first coordinating with legal, compliance and/or human resource departments—they may inadvertently be violating a variety of laws. And even if their informal investigation does not violate any laws, they could be undermining the success of any subsequent “official” investigation.
As a manager, you don’t need to know the details of case law or the names of the underlying statutes that protect employees. But you do need to know what to do—and not do— when you become aware of an allegation. Below are guidelines to follow when you receive an allegation:
Giving your employees confidence that workplace investigations will be handled well—and doing your best to follow the law, as well as your organization’s guidelines for investigations—is a critical part of helping your organization strengthen its culture of ethics and respect.
From time to time you’ve received announcements about upcoming ethics and compliance training. In the past, questions have been raised about what exactly managers are responsible for doing with their teams as training rolls out. Bottom line, you need to touch base with your employees to remind them of their obligation and ensure that time is scheduled so that everyone can complete the training on time. But there’s more. Besides making sure each person on your team completes the course by the deadline, here are some ways that you can help support these important initiatives:
Remember, employees want to know that you support the training before they embrace it. Every time you do or say something that supports the program, it opens their minds to it. Ultimately, what employees learn and internalize from the training helps protect our organization.
One of your subordinates comes to you to ask if she is permitted to keep a gift from a customer. How do you know you are giving her the right answer? You certified that you read our code of conduct and our gifts and entertainment policies but, with everything you are asked to keep track of, how accurate is your memory?
Our policies (including our code of conduct) are important tools for managing the business risks they address. They set the behavioral standards for all our staff members, but they are only good controls if employees consult the policies when faced with a pertinent issue, and act according to the guidance. As a manager, you have two important responsibilities related to our organization’s policies–ensuring access and use.
Does your staff know where to find our policies and how to use them? You and your staff are responsible for complying with all company policies, and being able to access them when necessary is the first step. Here are some tips to help:
One reason employees do the wrong thing is because of a lack of awareness and/or full understanding of our policy or procedure. As a manager, it falls to you to make sure they understand the types of risks and problems they may face in their jobs and how they are expected to behave. That means they need education on where to find the related policies, but also on how to apply the standards. Consider these ideas for educating your staff:
Employees generally want to do the right thing. It is part of your job to make sure they have access to and know how to use all the important tools that are available to support their efforts. Our organization’s policies and procedures are some of those tools and should be referenced and brought forward to encourage continued use. This helps to protect our stakeholders, our coworkers and our organization.
Like all great companies, we focus on ensuring that we have an effective compliance program. While our primary focus is on what we and our employees need to do to ensure compliance, we cannot stop there. Whether we like it or not, our employees are only one element of the compliance equation. We also have many critical partnerships with agents, contractors or other third parties. As a result, it is necessary for us to also focus on the qualifications and actions of our current and proposed third parties.
Use of Third Parties May Elevate Our Risks of Bribery and Corruption
The third parties we engage can have a significant impact on both our reputation and bottom line. While our supply chain has always focused on the qualifications and actions of our third parties with respect to quality and services, we also have to be sure that we focus on bribery and corruption risks.
In fact, in the U.S., over 90 percent of all FCPA bribery and corruption actions in the last few years have involved the actions of third parties. Among other issues, these cases have involved: use of illegal payments to obtain licenses or permits; bribes to ensure successful awarding of contracts; or payments, trips or scholarships to relatives of government officials to gain access to decision makers of state controlled companies.
What Steps Can We Take to Lower Our Third Party Risks?
If you work with or engage third parties:
Communicate our Compliance Policy and Expectations to Third Parties
We cannot just assume that third parties understand our expectations about what constitutes compliant behavior in accordance with our code of conduct or third party policy. Best practices require us to take steps to communicate these to our third parties and confirm that we are comfortable they have had training on the risks.
What Are the Third Party Red Flags We Need to Watch Out For?
Some third party relationships may send up obvious—or more subtle—indicators that the organization is not being engaged for legitimate business purposes. Some of the red flags may relate to commercial bribes and others may be more related to the bribery of government officials. Both elements of bribery violate our code and must be prevented. Look for things such as:
Trust but Verify
Third parties are critical partners of ours and this communication is not meant to suggest that third parties are not trust worthy or are all willing to pay bribes. Their role in the success of our company’s strategic goals cannot be denied. Nevertheless, we must continue to exercise reasonable due diligence, oversight, training, monitoring and auditing of our third parties to ensure that they do nothing to harm our company’s reputation. “Trust but verify” perfectly sums up our relationship with third parties. Third parties with nothing to hide should not fear a strong, effective compliance program like ours.
Our company offers employees a number of avenues to raise questions or concerns. You, as a manager, are a primary resource for your team members. An alternate resource is our company’s hotline/helpline that employees can use to report either anonymously or offer their name and contact information. We do not discourage anonymous reporting and, as managers, it is important to respect this option. We do ask, however, that those who report anonymously remain engaged in the process by following up on their reports.
The Majority of Anonymous Reporters Don't Follow Up on Their Reports
Research has consistently shown that seven out of ten anonymous reporters are not following-up to their reports. This low rate makes it difficult for investigators to truly investigate a case, thus affecting the overall perceived effectiveness of the hotline/helpline program. Following-up allows investigators to pose questions that will give them additional information to the reported incident and may mean the difference between resolving a case or not. Further, these reporters are not learning whether their concern has been addressed. Both of these outcomes lead to frustration – both for reporters and investigators.
Explaining the Process to Your Team
Whether an anonymous report comes in through the web or hotline/helpline, the reporter is given a unique identification number as well as a PIN. It is important that the reporter save these two numbers in a safe place. These unique identifiers will be the only way that they are able to follow-up to their report. Typically investigators will post any questions they have within ten days of opening their investigation. The responsibility then falls on the reporter to check in and respond to those questions.
Periodically Remind Your Team of the Importance of Reporting All Misconduct
The company has incorporated processes during the initial intake of a report designed to increase awareness of the importance of following-up. However, we need your support in reminding and encouraging all employees who report to you to stay engaged in the process and see it through. You can do this in a group or staff meeting as part of a discussion of the overall hotline/helpline process. If you need additional information about our processes you can contact the ethics office and we will be happy to assist.
We encourage all managers to embrace their role in developing the culture surrounding the use of a hotline/helpline and all of our reporting options. Consistent and positive encouragement can increase the effectiveness of these processes and help us all benefit by creating a stronger organizational culture.
As you know, the company has a number of ethics and compliance resources in place to ensure that everyone understands our expectations and standards. These resources include training modules, our hotline and our Code of Conduct.
The code of ethics may be the most underutilized resource that we have. It is an excellent summary of our ethics and compliance standards, and it includes information about what we need to do to report problems and ask questions. And yet, for the most part, employees only refer to the code once a year during the annual certification process.
Everyone is busy, but if we aren’t proactive about ethics it can fall between the cracks. As a manager, you have a critical role to play in ensuring that employees and our business partners are clear on what they need to know and do when it comes to ethics and compliance. The more we discuss ethics and compliance, the more we make it clear that it is a priority for us, and that can go a long way to protect our company’s reputation and good name.
With this in mind, here are some tips for how you can make the most of our code to help deliver important messages about our commitment to ethics.
And finally, we are continually gathering information about how to improve all of our ethics and compliance resources, including our code. We count on you to provide us with suggestions for how the code can be improved. What comments, praises or concerns are you hearing? Are there topics or risk areas that should be included or expanded in the next revision of the code? Have you seen other companies’ codes that you feel are more effective or user-friendly than ours?
As a manager, you may have questions about the role you should play when there has been an allegation that our policies or our Code has been violated. The answer falls into three main buckets:
1) When you are the person accused :
It is natural for managers accused of wrongdoing to be angry and frustrated. However, whatever the underlying facts may be, it’s important to realize that being accused “comes with the territory” of being a manager. Sometimes employees think a manager has done something wrong when, in fact, they have not. Other times various workplace dynamics may be in play. We understand that this is often the situation. To help us resolve the issue, here are some suggestions:
2) When you are not the person accused:
Managers who learn that an investigation is being conducted in their business unit often worry that the outcome may reflect poorly on them. Other times, the manager may want to try to “solve the problem,” and address the underlying behavior themselves. While these are common reactions, it’s imperative that you let the investigation run its course:
3) If you learn of a potential violation of our policies or Code:
Sometimes you may be the person that has alerted us of a potential problem. Remember, we need to know about all potential violations as soon as possible. Alert us to any potential violations, even if:
Our goal is to surface problems and resolve them as quickly and fairly as possible. This can’t be done without your support and cooperation.
Most hiring managers understand that they should avoid questions related to a candidate’s national origin, citizenship, age, marital status, disabilities, other protected characteristics, as well as arrest record, during the interview process. But is it okay to research a candidate’s social media profiles? What seemingly harmless conversation topics might create legal or ethical issues or risk?
Follow these four guidelines to make sure your hiring processes are legal, fair and responsible—and help you identify the best candidates.
1) Be Prepared
The importance of being prepared would seem obvious, but many managers enter interviews without sufficient preparation. Plan your interviews ahead of time. When you’re equipped with questions that focus on the knowledge, skills and abilities needed for success, you’ll be more likely to identify great candidates—and less likely to veer into risky territory. Uncertain about whether a question is acceptable? Check with our HR or compliance department in advance.
2) Don’t Conduct Your Own Internet Research on Candidates
Researching a candidate online is not unlawful. Indeed, many companies do credit checks, criminal background checks and social media research during the hiring process. But looking up this kind of information on your own can create risk.
First, you might come across information, such as photos that you feel indicate “poor judgment,” that leads you to reject a candidate. Likewise, you might find a reason to prefer a candidate, such a political causes or affiliations. The risk is that in such situations, you may substitute your personal biases for the values of our organization. It also could lead you to select someone who is not, in fact, the strongest candidate for the role. And, of course, if the reason you select or reject a candidate is based on a protected characteristic, you may be violating the law and our non-discrimination policy—clearly, a bad thing.
Second, depending on how you conduct your research and what you find, you might be violating the law. For instance, some states prohibit an employer from asking for a candidate’s username and passwords for social media accounts. Gaining access to restricted (private) pages through “pretext”—for example, by asking a candidate to “friend” you, by posing as someone you are not, or by asking someone else to do so—also can raise legal and ethical issues.
As a result, the best course of action is to:
If the organization will be using background checks or social media research in the hiring process, inform each candidate so that she/he can plan accordingly.
3) Don’t Make Promises About Jobs, Visas or Sponsorships
Candidates will view you as speaking on behalf of the organization. As a result, any inaccurate statement you make to a candidate—even if you thought it was true—can be problematic, and, depending on what you say, might even create a legal problem. When it comes to questions about relocation payments, visa sponsorships, benefits information, etc., suggest that the candidate follow up with HR who are the resident experts and will be able to give the best answer.
4) Follow Our Standard Processes for Recruiting and Hiring
There’s a good reason we have these policies and procedures in place. If you aren’t familiar with our hiring policies, or if anyone in your department needs a refresher, talk to the compliance, HR, or recruiting team. Seeking help from experts is a sign of intelligence, not weakness!
Eye rolls. Chuckles. Silence.
It’s easy to recognize signs of employee cynicism when it comes to ethics and compliance (E&C) activities. What’s harder to accept is that employee cynicism signals disbelief that the organization is seriously committed to a culture of integrity. Unchecked, cynicism can lead to higher risk of misconduct—ultimately the company’s reputation and bottom line.
1. Role Model Appropriately
Often, leaders don’t realize the impact their behavior can have on shaping organizational culture. An offhand remark or a dismissive attitude can speak volumes. Be personally committed to modeling behavior that supports an ethical culture, even when you think no one will know.
2. Hold Yourself and Others Accountable
Demonstrate consistent accountability. If top producers and leaders experience the same types of corrective action for misconduct as everyone else, word will get around.
3. Make E&C Real for Your Employees
Nothing frustrates employees more than training, emails, surveys and meetings that are not relevant to their work or are perceived to be unnecessary. Discuss E&C situations that your employees can relate to.
4. Bring E&C Topics into Everyday Communication
Your E&C program is not an add-on to the business—it defines how employees should work every day. Make a habit of talking about E&C as a regular part of work discussion. For example, introduce brief “safety moments” in staff meetings to discuss what employees should know about working safely. Or try an “ethics moment” to discuss doing the right things in situations that can really occur in their jobs.
5. Regularly Communicate Expected Standards and Conduct
E&C tools help us do what is expected and appropriate at work. We may think we know it all, but we need reminders. Repetition of E&C concepts is important so that we can recall the information we need at the moment we need it.
6. Emphasize the Importance of Speaking Up
Employees speak up when there’s something broken in the workplace. Why not speak up if there’s a question about conduct that could derail the organization? Employees protect their own company—and jobs—by reporting concerns.
7. Demystify the Reporting Process
Let employees know the different methods they can use to ask a question or report a concern. It’s especially important to explain what to expect after making a report.
8. Address Concerns about Reporting
Fear of retaliation can prevent people from speaking up. Help employees understand that retaliation won’t be tolerated. Explain what they can do in case they feel they are experiencing retaliation. Another inhibitor can be the belief that nothing will be done with their report. Here it is critical to model your own commitment to action and to closing the loop with the reporting employee once action is taken.
9. Be Available
As a manager, be available to your employees and third-parties in case they want to report or have questions. And don’t just say it. Do it.
In a recent Harvard Business Review article, “Can Your Employees Really Speak Freely,” two business professors shared their research findings related to the gaps between managers’ perceptions of their approachableness, and the reality.
As a manager, being approachable is critical, because most employees prefer to speak to their managers about ethics and compliance issues before going to HR, ethics or a hotline/helpline.
Based on the article, here are five questions you can ask yourself about your approachability:
1) Do you issue general rather than specific invitations to check in with employees? “Come and see me any time” is not as effective as sending a meeting request or scheduling a specific time to check in with members of your team. Also, consider whether it is easy or hard for your team to find your office and visit. Can they come by casually, or does it feel like a big deal to stop by?
2) What messages are you sending with your body language? The authors warn against “conveying your power through subtle cues” that indicate dominance. If you’re sitting behind a huge desk, crossing your arms, or frequently checking your phone during meetings and conversations, you could be sending a message you don’t intend.
3) Do you follow up with employees’ questions and suggestions? If a team member comes to you with a question, suggestion or concern and you listen but take no action, your trust with that employee erodes. Commit to following up, and let them know what action, if any was taken—and if not, why not.
4) Are most of your conversations with your team fairly formal? If you rarely have casual conversations with your employees—or if every conversation feels “high stakes”—employees will be much less comfortable sharing information with you.
5) How do you handle brainstorming sessions? Your approachability can be significantly impacted by how you treat team members during those moments where they’re out on a limb—including sharing new or off-the-cuff ideas in front of other team members. This frequently happens in brainstorming or planning sessions. When team members feel safe and protected there, they’re more likely to find you approachable and trustworthy.
The more your team members feel comfortable with you, the more likely they are to speak up when they have a question or an issue. And that helps us better protect our company, our reputation and our bottom line.
When it comes to pay, employers want to get it right. But before you can get it right you have to first know what “right” is – that means understanding your organization’s policies and ensuring that you consistently follow the guidance provided. Staying informed is one of the simplest ways to prevent rule violation.
Although the rules can be complex, these 3 steps will help you and your employees stay informed:
1.Don’t Assume, Check Your Policy
Rules are different depending on whether employees are “exempt” or “non-exempt” from overtime. Know the status of each member of your team and if you manage non-exempt employees, be sure that you know the specific policies set by our organization. In general, employers must pay non-exempt employees at least a minimum wage for all hours worked and overtime as required by the law. But, there may be additional rules that dictate things such as timing of meal periods and/or breaks during an employee’s shift. Overtime rules may also vary by state. For example, is it after 40 hours during the week or after a certain amount of time each day?
2.Inform and Educate
Ensure that employees also know the rules about their own work hours and reinforce the importance that they adhere to them. It is easier to hold employees accountable to policy when they know exactly what is expected of them. This goes double for managers. See next step.
3.Cultivate a “Speak Up” Culture
Create an environment where employees feel respected enough to speak up and approach managers with questions regarding policy. In a “speak up” culture there is a comfortable dialogue in which employees trust managers to be knowledgeable and forthright about external work-hour regulations and internal policy guidelines.
Innocent mistakes and ignorance of the rules do not protect us from liability when errors in pay happen – so it is important that you understand what is expected, ask questions and get issues resolved properly. You don’t have go it alone. Employees and managers need to work together to ensure both understand and follow an organization’s policies. Managers should not be shy when it comes time to raise questions or concerns about pay or hours.
Managers who create positive, respectful team cultures are not only a tremendous asset to our organization, they help protect it from the legal, financial and reputation risk that can be caused by misconduct.
As we end this year and look ahead to next year, we want to encourage you to reflect on steps you can take to make your team culture even stronger. Consider the ideas below—and remember that the ethics and compliance team is here as a resource for you. We would love to help you brainstorm additional ways to help employees embrace our values and mission.
An organizational culture is only as healthy as its teams. Thank you for all you’ve done this year, and all you’ll do in the coming year to help us maintain a culture of ethics, integrity and respect.
It’s one of the parts of your job you like the least: you receive a complaint about a team member, and an internal investigation is underway.
As a manager, your participation in workplace investigations is critical in creating optimal outcomes. You also have the very important role of maintaining confidentiality and coaching all of the team members who may be involved to do “the right things right,” both during and after the investigation.
Here are some do’s and don’ts to keep in mind:
Workplace investigations can be difficult for everyone involved. But ultimately, going through the process of an investigation is essential in helping correct issues that can undermine a healthy corporate culture.
Everyone has heard the old adage, “the cover-up is worse than the crime.” So why do we continue to read news stories about organizations that knew—or should have known—about problems that could endanger public safety and ultimately damage their company’s reputation?
A Rash of Recalls
A rash of recent recalls among auto-makers has brought this issue to the forefront once again. Over the past few months, several manufacturers have been forced to recall thousands of vehicles, pay millions in fines and admit that they have endangered the lives of their customers.
In one of the cases, it is documented that the issue was discovered numerous times and either ignored or buried. As with most organizations in this situation, the company is already facing serious reputational damage and heightened legal risk due to an issue that was known and left unaddressed.
Could it Happen Here?
Research shows that there are two reasons why people don’t speak up or report issues: the belief that nothing will be done, and fear of retaliation. If employees at our company have these concerns then some version of the scenario described above could happen here.
So how do we prevent this and protect our good name and reputation?
Don’t ignore or cover up a problem. As this case demonstrates, it rarely turns out well. If you become aware of a problem or concern that is not addressed or appropriately resolved, it is important that you speak up. And, as a manager in our organization, you have a responsibility to take action to ensure that the right people are involved to properly investigate the situation.
Doing Your Part
To help protect our organization, our employees and our reputation, let’s all help each other to be sure to:
Our company offers a number of avenues for employees to raise questions or concerns but you, as a manager, are always our first line of defense for your team members. An alternate resource is our company’s ethics helpline which employees can use to report either anonymously or offer their name and contact information. We support and protect anonymous reporting and, as managers, it is important for all of us to align on this point and to respect this option. Anonymous reports allow our employees to make reports that they simply may not be comfortable making in person.
We also recognize that having an anonymous report lead to an investigation in our own organization can be uncomfortable. Here are some factors and guidance for you to consider should you find yourself in this situation:
One critical aspect of these reports – that will assist in the substantiation of anonymous reports – is advising all reporters follow-up with their report. The company has made it part of our intake process to highlight the importance of following-up, but needs your support in reminding and encouraging employees who may report anonymously to stay engaged in the process and see it through. You can do this in a group or staff meeting as part of a discussion of the overall helpline process. If you need additional information about our processes, contact the ethics office and we will be happy to assist.
We encourage all managers to embrace their role in developing the culture surrounding the use of the helpline and all of our reporting options. Consistent and positive encouragement can increase the effectiveness of these processes, and continue to make our workplace one where we are all invested in our culture.
Workplace harassment and discrimination, in any form, can damage company culture, stifle innovation and depress morale. But the harmful effects can go much further, creating “career limiting” outcomes for managers and leaders and resulting in serious financial penalties for companies who allow discrimination issues to fester.
During fiscal 2014, the U.S. Equal Employment Opportunity Commission (EEOC) fielded 88,778 charges of workplace discrimination. The top five discrimination charges were retaliation, race, sex (including pregnancy and sexual harassment), disability and age.
As managers, you are in a unique position to help prevent, identify and address potential issues. To help our organization ensure that we’re fostering a culture of fairness, ethics and respect, while avoiding the risks of legal action, managers need to:
Ensuring our workplace is free of all forms of harassment and discrimination can challenge even the best managers and leaders. If you need additional help with addressing potential discrimination issues, please contact HR, the ethics and compliance team, or legal. They can help you get to the root causes of an issue and, if necessary, get your team back on the right track.
Many supervisors feel uncomfortable giving their employees feedback. Many even avoid giving feedback altogether because they fear a negative reaction or are nervous about saying or doing something that could be seen by an employee as harassment or discrimination. Some just don’t like being critical of others.
But giving frequent, accurate employee feedback—both positive and negative—is one of the best ways to create an engaged and motivated workforce, and is critical for the success of our organization. Here are five tips on giving feedback —while staying within the bounds of ethics and compliance best practices—for high-impact results.
1) Set the Right Foundation
Early on, communicate your performance expectations for each of your employees. Define the goals you want to achieve and set clear targets for each employee. Explain that you’ll check in periodically on progress towards those goals. Setting the stage for honest and frequent feedback early on will make it easier and more natural to communicate constructive feedback when it’s needed.
2) Highlight Employee Achievements
Employees are more motivated when their contributions are recognized. Hearing positive feedback, especially when it is timely and specific, helps employees maintain their confidence. Reinforcing and recognizing positive behaviors also helps set a strong, supportive tone for the team.
3) Promptly Communicate Concerns
Feedback needs to happen in real time. Without feedback, employees will naturally believe that their performance is acceptable. So, the longer you wait, the longer the problem will persist. Delaying constructive criticism also can negatively impact your team culture if other employees feel that nothing is being done about an issue that affects everyone. Giving prompt feedback sends a message that you care about your team’s success, and that you actively support improvement and growth
4) Motivate Change
When preparing to give feedback, especially if it includes criticism, consider these principles for the best outcome:
5) Document the Conversation
Once you’ve provided feedback, make a record of the conversation using specific, factual descriptions. A good tool can be an email to the employee recapping your conversation. Document:
Employee feedback doesn’t have to be an uncomfortable or defensive process. It is a valuable tool for growth and should be done frequently. Use these tips to provide feedback that motivates change and helps build empowered, resilient, and skilled teams.
Despite our best efforts, ethics and compliance training and requirements can seem like distractions to front-line employees. Managers who bring E&C principles to life for their teams can have a major, positive impact–not only on their teams, but also on their organization’s efforts to mitigate compliance risk.
So how can you help your team see the value in compliance—and make E&C real for your team? Here are five ways managers can have a true impact:
Ensuring employees see E&C as a vital component of their personal success—and the company’s long-term health—is one of the key contributions managers can make to the success of our organizations.