Tools & Resources

Ready-Made Memos

Ready-Made Memos are topical best practice messages that are ready to be shared with your team when you want them and when you need them. 

Choose from the topics below. Expand content using the arrows on the right. And copy and paste the messages into your internal newsletter and messaging to keep compliance top of mind with your managers and strengthen your organizational culture.

Copy-and-paste compliance communications for your company

  • 4 Ways to Maximize Your Compliance Program Effectiveness Arrow Down Icon Icon of solid caret pointing downwards.

    As a compliance professional, and especially as a manager in the field, there is no lack of items on your to-do list vying for time and attention. But one of the many talents held by effective compliance professionals is the ability to do more with less – to create a work environment where time is spent on the things that matter most.

    Consider the following four steps below for increasing the efficiency of your program:

    1. Encourage Anonymous Reporters to Follow-up

    Research has consistently shown that 7 out of 10 anonymous reporters do not follow-up on their reports. This low rate means several things, but most notably it showcases how difficult it can be for investigators to fully investigate a case. Without any opportunity to communicate with reporters, investigators are often left without necessary information to fully explore allegations of misconduct. Further, reporters are also not checking to see if their concerns are ever addressed. These issues have a direct impact on the perceived overall hotline program effectiveness.

    Encouraging reporters to follow-up enables investigators to ask important questions that will provide additional information on a reported incident, which could be the difference between resolving a case – or not. It also helps keep the reporter informed and knowledgeable of what the organization is actively doing to support their case.

    2. Err on the Side of Millennial-Type Learning Preferences

    The term “millennial” is the ubiquitous adjective describing anything from reading habits to the type of snacks stocked in the breakroom. And that’s for good reason. Millennials are a powerful force increasingly defining the modern workplace. However, when it comes to training, it is not about age, but about how individuals – regardless of their generation – engage with content. Millennials are changing that too – for all of us. Growing up immersed in technology was once a defining trait of a learner; however, with the younger generation filling out more of the workforce, they are effectively influencing the way we all learn.

    The youngest two generations will comprise 70 percent of the global employee base within the next four years and influence the way the workforce as a whole learns. Erring of the side of millennial-type learning preferences will ensure you are providing training content in the most consumable way to the largest portion of your workforce.

    3. Master the Executive Summary for Board Reporting

    Your executive summary should be short, and provide a high-level glimpse of the following program focus areas:

    • Communications
    • Training
    • Ethics Hotline/ Helpline Data
    • Investigations
    • Governance
    • Risk Assessment
    • Yearly Initiatives (for annual report only)

    The executive summary should also highlight any resource challenges the compliance department has that requires support from the board.

    4. Regularly Review and Update Code of Conduct

    To remain effective, your Code of Conduct needs to function at a high level, be principle based and written in a way that is easy to read and use. Your Code of Conduct is your most important policy, but that doesn’t mean it needs to include every policy. It needs to be uniform and consistent so that employees can retain the most important information and search the document efficiently when necessary.

    The more detailed legal issues are best reserved for policies. Making the distinction between your communication tool, which is your Code, and the more in-depth policies which support it, will ultimately save you time. Employees will become more informed and the need for the compliance function to provide guidance will decrease as your Code becomes more effective.

  • Compliance Training: Your Managerial Responsibilities Arrow Down Icon Icon of solid caret pointing downwards.

    From time to time you’ve received announcements about upcoming ethics and compliance training. In the past, questions have been raised about what exactly managers are responsible for doing with their teams as training rolls out. Bottom line, you need to touch base with your employees to remind them of their obligation and ensure that time is scheduled so that everyone can complete the training on time. But there’s more. Besides making sure each person on your team completes the course by the deadline, here are some ways that you can help support these important initiatives:

    • Make the time to attend training sessions yourself. Attend live training sessions; not as a moderator or an observer, but as a participant. Nothing says “we’re all in this together” more than actually being there. If training is online, be the first to complete it and talk about the topics relevant to your work group.
    • Create your talk track. All managers should have thirty second responses that are ready-to-go when an employee asks why they need to attend the training or why the company is putting such effort into ethics and compliance.
    • Watch the non-verbal (and verbal) cues you send. Sometimes an eye roll or a shrug from you, or saying “I guess we have to do training again,” is all that’s needed to undermine an ethics & compliance initiative. You are likely more powerful and influential than you know.
    • Be selective and act as an advocate for your employees. You know your employees and the issues they face better than anyone. Work with your compliance officer to ensure that the most relevant training is available. And don’t be shy about pushing back if you feel a training requirement is out-of-sync with employee needs. Though there may be a good reason why it’s required, it’s important that the compliance officer understands your concerns.
    • Take it seriously and get with the program. Capitalize on communications from the compliance department. You have the responsibility to make those messages real and relevant for your staff. Your employees can tell a phony from a mile away. If your heart’s not in it, they’ll know.
    • Seal the deal. After the training is over, a follow-up question or comment from you can help seal the deal and reinforce the training. A simple comment can make all the difference: “You know I wasn’t sure what to expect from the training, but it raised some interesting questions. Don’t you think?” Then take a few minutes in a staff meeting to review one or two of the topics and discuss how they apply in your work group.
    • Try quick reinforcement.  Some organizations have “safety moments” where every meeting begins with a sentence or two about safety. Consider starting staff meetings with a similar “ethics moment” addressing a topic in the code of conduct.
    • Don’t be a stranger. Compliance officers too often become isolated in organizations. Having a compliance officer who knows you, your business and your concerns can be a real asset. Make the first move. Why not offer to take your compliance officer out to lunch? How about inviting a member of the ethics and compliance staff to talk about a compliance topic important in your work area? Let your staff know the topic in advance and ask them to be ready with questions. It could pay dividends in next years’ training.

    Remember, employees want to know that you support the training before they embrace it. Every time you do or say something that supports the program, it opens their minds to it. Ultimately, what employees learn and internalize from the training helps protect our organization.

  • Biggest Mistakes Compliance Makes with the Board Arrow Down Icon Icon of solid caret pointing downwards.

    An outstanding board engagement strategy can help ethics and compliance professionals build credibility with their boards and gain significant program support. Conversely, board strategies that are not finely tuned can unintentionally downplay or even undermine an ethics and compliance program’s effectiveness – no matter how successful the program truly is.

    Becoming a strategic business partner to the board requires making the most of each engagement. Avoid the mistakes below to help your department get the most from its top executives.

    1. Not Making Sense of Culture

    “Culture” is one of the squishy terms we use that can represent a number of different things, even to those who work in compliance. It nonetheless has a tremendous impact on the goals of the larger organization and needs to be made a priority for the board. Therefore, the compliance officer has to not only tout the importance of culture, but also explain why it’s important. One way is to ensure that the board understands the difference between compliance and ethics. Getting employees to be compliant is the goal, however, more time and money will be spent driving compliance in a weak culture than in one that is strong and self-governing.  

    More importantly, boards need to know about the specific culture at your organization and how it manifests throughout different levels. According to the National Association of Corporate Directors Public Governance Survey, 82 percent of board respondents would not rate their understanding of the “buzz at the bottom” as high. Talking about culture across the entire organization can lead to sweeping generalizations – so breaking it down to highlight potential trouble areas in departments, regions or hierarchy keeps your board message focused.  

    2. Reporting on Activity Rather than on Results & Strategy

    One of the biggest issues compliance officers face when reporting to the board, is the data dump. Compliance has access to a lot of data; however, that data alone is not impressive nor instructive to the board. It can even have a numbing effect. To avoid this problem, set the stage for your report with a high-level executive summary that outlines key points. This should clearly show where your program is most effective and how it ties into overall company strategy and KPIs.

    Furthermore, do not provide data without context. Incident management reporting rates, policy attestations, and compliance training completions mean little to board members unless they know what the data suggests and why. Clearly connect these numbers back to anchor points in the board’s mind. For instance, the organization wants to reduce legal risk. This requires knowing and resolving issues before they exit the building and turn into lawsuits. The board most likely already knows that the hotline is key to identifying these issues early on within the organization, but they need to know if the current reporting rate signals strong or poor performance toward that goal. Industry benchmark reports also provide additional context for these numbers as well as grab the attention of directors by showing immediate comparisons to peers.

    3. Reporting Too Much or Too Little

    Boards should receive reports regularly on ethics and compliance program results. The industry best practice is to deliver at least quarterly reports in addition to an annual report. Consistency is key for a number of reasons. Quarterly reports keep E&C issues top of mind for the board and make it easier to connect the dots on how data points trend quarter over quarter. Regular, on-time reports also builds the professionalism of the compliance brand in the board’s mind. Missed or late reports draw into question the effectiveness of the team. On the other hand, inundating the board with too many reports, can be overwhelming and reduces the impact of each report.

    The best way to know the optimal frequency for sending reports is to simply ask your board what they prefer.

    4. Being Overly Deferential

    This is a tricky one. While you should always be respectful of their roles, your job is to help board members understand their responsibilities and risks. You cannot effectively communicate this information if you start from a position of perceived weakness. Be confident in your content and delivery. Too much deference may translate as uncertainty or that the concepts you are speaking to are not critical. Authority respects authority, so the way you present your ideas are just as important as the ideas you present.

  • Helping Your Staff Make Good Decisions Arrow Down Icon Icon of solid caret pointing downwards.

    Do the right thing. Uphold our values. Always act with integrity. These are the kind of messages you’ll typically find in our code of conduct and compliance training. But what about those grey areas? Our training tells employees to ask for help anytime they encounter an issue they’re unsure about. However, before they ask, most people try to find the right path on their own. This is often where poor decision making can get organizations and individuals into trouble.

    The good news is this: as a manager, you can help your employees avoid unethical business practices. And in fact, our training messages come to life when you reiterate them. Research has shown that people typically make poor decisions for one of four reasons: lack of understanding, pressure, lack of accountability and self-interest. Here are ways you can support your team in ethical decision making around each of these issues:

    Lack of Understanding: Employees may not recognize when they are dealing with an ethics or risk issue, or they may lack understanding of the rules and standards that apply. Sometimes, it can be simply not realizing their responsibilities in a sticky situation.

    Remedy: Watch the news, check out blogs and talk to your team about the types of risks and ethical challenges that may occur in your organization. Pick one or two issues that are particularly relevant to your staff and the work they do. Work through the “what if” situation using our code and policies as guidance. This helps them walk through the process of ethical decision making in advance of a problem while demonstrating your willingness to help with a tough issue.

    Pressure: Time and performance pressure are part of today’s business world. However, pressure applied by management or peers to achieve an impossible deadline, or to do something that violates values or rules, can push good people to cross the line. Inappropriate incentives can do the same thing.

    Remedy: Keep an eye on the pressure meter in your work group and any extraordinary incentives to “get the numbers” or “have zero safety incidents.” Verbalize to your staff, often, that there is no justification for misconduct.

    Not Enough Accountability: Inconsistent discipline for misconduct sends the message that our organization is not serious about doing the right thing. Discounting future consequences in favor of immediate gain is a risk when there does not seem to be accountability for making ethical decisions.

    Remedy: Make sure to take corrective action consistently when needed. And when you educate your team on the issues they may encounter, be sure to emphasize the consequences of bad behavior—both short and long term.

    Self Interest: It is, unfortunately, human nature to believe that we are smarter, more deserving and better than we really are. In the workplace, this can lead to a “slippery slope” situation where someone rationalizes doing just one small bad thing, which makes the next bad decision easier, and so on. By his own admission, this type of thinking landed Andrew Fastow of Enron fame in jail for many years.

    Remedy: Talk with your staff about the human frailties we all share, and do it often. Awareness of a temptation can be built through periodic repetition of the potential risk.

    Celebrate Good Decision Making

    It’s easy to overlook the good decisions being made in your work group. Make a point of looking for these and mentioning them in staff meetings. Such decisions make good instructional moments—and the person who did the right thing will appreciate the kudos.

  • 5 Ways Managers Can Help Make Ethics & Compliance Real for Their Teams Arrow Down Icon Icon of solid caret pointing downwards.

    Despite our best efforts, ethics and compliance training and requirements can seem like distractions to front-line employees. Managers who bring E&C principles to life for their teams can have a major, positive impact–not only on their teams, but also on their organization’s efforts to mitigate compliance risk.

    So how can you help your team see the value in compliance—and make E&C real for your team? Here are five ways managers can have a true impact:

    1. Help them filter the noise and get to what matters most. While our code of conduct is broad and applies to all employees, there will be some aspects of the code or specific policies that are particularly applicable.  Make sure your team keeps the most relevant polices, laws and regulations top of mind. When they have a robust understanding of the policies, they will naturally learn how to comply. Offer additional training when and where appropriate.
    2. Share your approach to E&C. Share (appropriate) examples of your decision-making process with your team—particularly when there are grey areas to be navigated. Demonstrate your willingness to go to the E&C or HR team for advice and guidance. Modeling willingness to collaborate and seek guidance will give them permission to do the same.
    3. Set aside (even a little) time for team discussions about E&C. Ask your team to share examples—from their work experience or from current events—for discussion with the team. Even taking five minutes in your next team meeting to have someone present a brief situation that involved a difficult ethical choice that’s pertinent to their role or your business—and the outcome of that choice—can have a major impact.
    4. Showcase senior executive commitment. Share examples of top-level executive team decisions that your team might not otherwise know about. Employees who understand that there is a deep commitment to E&C at the highest levels of the organization are more likely to commit themselves.
    5. Reiterate available resources for E&C help. Make sure your employees know you are always willing to help them work through tough decisions and unclear situations. Remind them of their allies in HR, Legal and E&C who are ready and willing to help.

    Ensuring employees see E&C as a vital component of their personal success—and the company’s long-term health—is one of the key contributions managers can make to the success of our organizations. 

  • 9 Tips for Addressing Employee Cynicism Arrow Down Icon Icon of solid caret pointing downwards.

    Eye rolls. Chuckles. Silence.

    It’s easy to recognize signs of employee cynicism when it comes to ethics and compliance (E&C) activities. What’s harder to accept is that employee cynicism signals disbelief that the organization is seriously committed to a culture of integrity. Unchecked, cynicism can lead to higher risk of misconduct—ultimately the company’s reputation and bottom line.

    What Should You Do about It? 

    1. Role Model Appropriately
    Often, leaders don’t realize the impact their behavior can have on shaping organizational culture. An offhand remark or a dismissive attitude can speak volumes. Be personally committed to modeling behavior that supports an ethical culture, even when you think no one will know.

    2. Hold Yourself and Others Accountable
    Demonstrate consistent accountability. If top producers and leaders experience the same types of corrective action for misconduct as everyone else, word will get around.

    3. Make E&C Real for Your Employees
    Nothing frustrates employees more than training, emails, surveys and meetings that are not relevant to their work or are perceived to be unnecessary. Discuss E&C situations that your employees can relate to.

    4. Bring E&C Topics into Everyday Communication
    Your E&C program is not an add-on to the business—it defines how employees should work every day. Make a habit of talking about E&C as a regular part of work discussion. For example, introduce brief “safety moments” in staff meetings to discuss what employees should know about working safely. Or try an “ethics moment” to discuss doing the right things in situations that can really occur in their jobs.

    5. Regularly Communicate Expected Standards and Conduct
    E&C tools help us do what is expected and appropriate at work. We may think we know it all, but we need reminders. Repetition of E&C concepts is important so that we can recall the information we need at the moment we need it.

    6. Emphasize the Importance of Speaking Up
    Employees speak up when there’s something broken in the workplace. Why not speak up if there’s a question about conduct that could derail the organization? Employees protect their own company—and jobs—by reporting concerns.

    7. Demystify the Reporting Process
    Let employees know the different methods they can use to ask a question or report a concern. It’s especially important to explain what to expect after making a report. 

    8. Address Concerns about Reporting
    Fear of retaliation can prevent people from speaking up. Help employees understand that retaliation won’t be tolerated. Explain what they can do in case they feel they are experiencing retaliation. Another inhibitor can be the belief that nothing will be done with their report. Here it is critical to model your own commitment to action and to closing the loop with the reporting employee once action is taken.

    9. Be Available
    As a manager, be available to your employees and third-parties in case they want to report or have questions. And don’t just say it. Do it. 

  • Tone at the Top Is About Actions Not Words Arrow Down Icon Icon of solid caret pointing downwards.

    A company’s code of conduct should be a living document – one that is regularly updated and regularly visited by both leaders and employees to practice and embody the values of the organization. But at the end of the day, a code is just words. These words do not manifest into a strong corporate culture until senior leadership embeds its statutes into all their business practices. This modeled behavior is what influences the true culture of an organization. This is why we have the phrase “culture always wins.” If your code says one thing but your culture – driven by senior leaders – showcases another, it’s your culture that will define your organization for better or worse.

    So let’s talk about a few ways actions speak louder than words when it comes to tone at the top.

    1. There has to be accountability, and it has to be equal

    Rules that are not enforced hold no value. Even worse are rules that are enforced for most, while exceptions are made for others – such as high-performing employees. An effective tone from the top, ensures the entire organization knows that the company is committed to its values and policies, and that there will be consequences for one and all alike if those standards are sidestepped.

    2. Your incident management process is key to driving a speak-up culture

    As a CEO, senior leader, manager or compliance professional, your tone from the top starts with listening. Encouraging employees to raise their voices to report wrongdoing only gets you halfway to a speak-up culture. Employees need to be convinced that their voices are being heard. That only happens when employee reports are efficiently processed and resolved. An effective incident management process makes it easy and comfortable for employees to report. It provides regular updates to employee reporter so that they are not left wondering what is going to happen next or, worse, fear retaliation. And lastly, effective processes communicate back to employees what has changed, or the reason things are not changing. 

    3. Tone at the top needs to connect through the middle

    Individual contributors who excel in their jobs are often the ones who are made managers. But just because someone is good at their job, doesn’t mean they are good at managing. All managers, especially new managers, need to be trained on how to effectively support their ethics and compliance initiative. Middle managers are an organization’s cultural ambassadors. These are the people employees look to for answers every day, and they need to be equipped to provide those answers correctly and accurately day in and day out. 

  • Culture Building: Your Critical Role as a Manager Arrow Down Icon Icon of solid caret pointing downwards.

    You may have heard the term “tone in the middle” and its importance in creating a culture of integrity. But why is it important? And what exactly does a middle manager, squeezed between the frontline and the top tier, need to do to create the right tone?

    Why It’s Important

    Employees take their cues from you. If something is a priority to you, it’s a priority to them. As their leader, employees look at your attitudes and actions to answer the questions, “What’s really important around here?” and “How do we really do things in this organization?” The way the workforce thinks, behaves and works is the very definition of corporate culture. And your behavior is a key factor in shaping the culture.

    Intentionally building a culture that has a reputation for ethics and integrity is hugely important for many reasons. But one of the most compelling is that research has shown that ethical companies are more financially successful than others. In the recent Institute of Business Ethics report “Does Business Ethics Pay?” research revealed that ethical companies succeed due to higher productivity, more loyalty from customers and investors, the ability to attract and keep the best employees, and increased trust and improved collaboration with business partners.  

    What You Can Do to Create the Right Tone

    While building an ethical organizational culture may feel like an enormous responsibility, it is a natural outcome of good management. It is also a primary goal of an effective ethics and compliance program, in which you already play a part. There are several things you can do to set the right tone and actively support the compliance program:

    • Be intentional about the messages you send: Be aware of your words, your actions and your underlying attitudes. Saying or doing something that sends the wrong message, such as “Do whatever it takes to get that done,” or laughing at an off-color joke speaks volumes about the location of integrity on the priority list.
    • Play a role in education: When it comes to compliance training, what is your attitude? You can support the initiative by explaining to the staff why it is important and take the training yourself. Periodically, bring in a news clipping or pick a code of conduct topic to discuss in a group meeting that is relevant to the risks the employees face.  Model the use of the code and policies when helping an employee answer an ethics or compliance question. All of these actions set the tone about the importance of the ethics and compliance program.
    • Manage trust: This means addressing wrongdoing appropriately and with consistency. Protect confidential information and avoid favoritism. Keep your promises; tell the truth; be respectful. Cooperate fully with investigations. All these behaviors build trust in you and in the system. Employees view the organization’s commitment to integrity through the lens of how they are treated. Your trustworthiness tells employees if that commitment is real or not.
    • Respond to problems: Asking questions and raising concerns is an important compliance activity. As a supervisor, you are the top resource employees turn to with workplace questions and issues. Your key responsibilities in this role include being available to employees and listening objectively to their issues. Equally important is your duty to handle issues properly and promptly. Never forget to close the loop with the person who raised the concern. Your approach has the power to encourage employees to come to you with important issues or shut down the process.
    • Be vigilant: Monitor your work group for signs of potential problems, such as increased employee absenteeism and turnover, poor morale, a decrease in number of voiced questions and concerns and decreased productivity. You may need to ask for help to dive into the causes behind these changes in employee behavior.
    • Use your resources:  If you need any assistance to properly address an employee question or concern or in handling signs of misconduct, reach out to any of the resources provided by the organization—including legal, human resources or your own manager.


    As a manager, you play a pivotal role in building and sustaining our culture of integrity. Part of that role is supporting our ethics and compliance program. The outcome of your efforts will be a happier and more productive workforce and the increased economic success of our organization.

  • Key Components of an Effective Conflict of Interest Program Arrow Down Icon Icon of solid caret pointing downwards.

    We expect employees to disclose conflicts of interest (COI) if and when they occur. This requires employee to know how to disclose and, more importantly, what to disclose. Whether it’s showcased as a dedicated policy or mentioned in the code of conduct, organizations often use a prescribed method for helping employees identify potential conflicts. Because so many fringe interests exist, many circumstances can surface where a policy provides little guidance for nuanced conflicts – making them difficult to manage. By including COI as a component of the larger compliance program, we can more effectively manage and minimize COI risk.

    Let’s take a look at what the best compliance programs do to manage COI risk.

    Conflict of Interest Risk Assessment

    Start by assessing the overall COI risk experienced by the organization, specific departments and even individual functions. Most well-known risk areas naturally receive prioritized attention, so it’s important to get creative.

    Think about circumstances involving monetary relationships that involve customers, competitors and suppliers – but also those that involve family employment issues. Assess the more common risk areas first, but ensure you are uncovering unknown risk areas, too. The goal of conducting a COI risk assessment is to gain a better understanding of who, what, where, when and why to create a tailored approach to both known and potential COI risks.

    After carefully assessing risk areas, use this information to start designing risk prevention policies and procedures. Highlight the areas of the organization that are most vulnerable, with the most realistic risks, to best adjust a program and maintain its overall success over time.

    Although this could be a stand-alone project, it doesn’t have to be. Try integrating the COI risk assessment as part of an overall compliance program assessment.

    Conflict of Interest Policies & Procedures

    Next, review all existing policies to ensure foundational support for COI inside the compliance program. Policies such as the code of conduct and the COI policy itself are good places to start. Note that the more complex an organization’s COI risk is, the more a standalone COI policy can be helpful. Typically, however, a section in the code of conduct is sufficient.

    Once the policies and procedures reflect updated information, implement a disclosure process for employees to speak up in the event they identify potential conflict. The previous step – the risk assessment - will be helpful in uncovering high risk areas to implement a voluntary disclosure process. Sometimes, all employees should be given the opportunity to surface potential COIs, other times it may be more appropriate to only administer the disclosure to certain employees, departments or general risk profiles. It is good practice to administer these annually.

    Compliance Training on Conflicts of Interest

    After exploring risk profiles, policy specific language and disclose processes – it is critical to have a clear communication strategy to set employee expectations. Tailor training to specific job functions using the findings from the risk assessment. Low-risk employees should be given general code of conduct training, while higher-risk employees should receive in-depth, in-person training on COI. All managers should be trained on how to best handle situations where a disclosure is made directly to them. Providing employees with training using a risk-based approach helps make the training more valuable and increases the level of engagement by the learner. All this is done by providing relevant information to the right employees.

    Automate Conflict of Interest Disclosure

    While manual processes are a good start, automation saves companies time and money – all while improving efficiency. Using software to automate policy workflows, approval processes, voluntary disclosures and employee training can greatly benefit organizations. It provides robust tracking abilities that allow leadership to keep policies and attestations well-organized, keep policies up-to-date, all while effortlessly providing a tailored training experience to various departments and specific job functions. Overall, automation makes the effort toward building an effective COI program easier.

    Audit & Improve

    Continually assess and monitor COI program success. Regularly audit the program and ensure higher-risk areas are being continually monitored. Determining rate of assessment and other specific considerations should rely heavily on findings uncovered during the initial risk assessment.

    COIs can surface anywhere regardless of industry, employee rank or functional expertise. Compliance must take a thoughtful, risk-based approach to management and build a proactive program that aims to minimize risks – both known and unknown. By following a thorough process for developing, disseminating and evaluating COI efforts, organizations will be better equipped to identify potential conflicts and have supporting internal controls in place when those efforts fall short. 

  • Discouraging Retaliation While Encouraging Internal Reports Arrow Down Icon Icon of solid caret pointing downwards.

    Every employee should feel encouraged by their organization to raise workplace concerns using internal reporting channels, especially when instances of retaliation surface. Unfortunately, many organizations fall short when it comes to encouraging reports of retaliation. Managers and leadership alike own the responsibility to prevent retaliation and ensure that if, and when, it does occur, that employees feel safe notifying the organization and trust the issue will be responded to appropriately. Any underlying fear of retaliation ultimately undercuts processes supporting internal reports and severely limits compliance programs.

    Let’s briefly review the current legal landscape of retaliation, and then discuss how you can help encourage reports of retaliation while discouraging retaliatory behavior.

    Retaliation against employees who raise workplace concerns is not only illegal, it’s bad for business. It further enhances the external incentives employees have to skip internal reporting channels and go straight to regulators. The most recent example of this was the 2018 ruling by the U.S. Supreme Court that the Dodd-Frank’s anti-retaliation provision, does not apply to individuals who do not first report violations directly to the Securities and Exchange Commission (SEC).

    Even with these incentives to report externally, time and time again, research shows that employees much prefer to report an issue to their immediate supervisor than to take it up the management chain or outside the organization. Agencies also report that employees often try to raise concerns internally before going to regulators. So even though employees are encouraged to report retaliation directly to regulators, organizations can reduce this legal risk by showing a commitment to retaliation prevention and effective correction.

    Follow these key steps to empower employees and prevent retaliation:

    1. Ensure commitment from leadership and management. Senior management must demonstrate a commitment to valuing and addressing any employee concerns involving retaliation law and prevention. Management should demonstrate this commit through both words and actions; through both policies and enforcement.
    2. Build a robust system for listening to and resolving compliance issues. Provide multiple channels for employees to submit reports. Implement processes that support open-door reporting, web-intake and an employee hotline. Policies and procedures should be in place that enable employees to have a trusted, fair, timely and effective processes for report resolution.
    3. Develop an intake and response system for reports of retaliation. Using the same channels to report retaliation as an employee would say, report bribery, is likely to surface distrust. Having independent channels to report retaliation allows employees to elevate concerns beyond their manager, or anyone who could be involved in the report.
    4. Provide anti-retaliation training to employees and managers. Every level of management, including the board, should have all the required knowledge to recognize, report and prevent retaliation. This includes training on whistleblower protection laws, company policies and employee rights. Additionally, employees should have full knowledge of available protection programs and benefits offered by the organization.
    5. Practice strong program oversight. Continuous testing and oversight are required to ensure that whistleblower programs are operating as expected and delivering intended results. Program monitoring and auditing are two options, which may overlap, but when used together will effectively highlight both program strengths and weaknesses.
  • Understanding Inclusion’s Role in Diversity, and Vice Versa Arrow Down Icon Icon of solid caret pointing downwards.

    Diversity and inclusion are highly discussed terms that are often used interchangeably. However, how those terms manifest in the workplace can be experienced very differently by employees. This becomes clearer when we apply accurate definitions for each.

    According to Gallup, “Diversity represents the full spectrum of human demographic differences.” A number of these can been seen in the EEOC’s list of protected classes. Inclusion on the other hand refers to “a cultural and environmental feeling of belonging.” There is not a clean cut list for these feelings, which is why inclusion is often excluded from the conversation. That needs to change, especially if organizations hope to achieve the performance and engagement benefits that inclusive workforces promote.

    It’s important to understand that diversity and inclusion are distinct concepts that require distinct efforts to achieve. Interestingly though, they are also, in many ways, dependent on one another. So how can we be successful in sharpening our focus on both components? And just as importantly, how can we accurately measure our efforts and overall success in these cultural areas?

    The following three steps showcase how to build an inclusively diverse organization.

    Step 1: Assess the Existing Level of Inclusion

    Organizations, specifically managers and those in leadership roles, need to adapt to the behaviors and practices of others. This prevents us from developing strategies in a bubble. Being understood and appreciated by others helps employees feel integrated in the organization – like they have a voice and are connected to the greater business. Understanding employee’s subjective experience with inclusion is key.

    Get to the root by asking the following questions about your workforce:

    • Do employees feel comfortable speaking up?
    • Are employees confident in the organization to take their concerns seriously?
    • Do things change when needed?
    • Do employees believe in the work they do?
    • Do employees believe the actions they take will actually make a difference?

    Take this further by including questions in your annual or semi-annual employee survey that drive at this sentiment. Research from Deloitte associates inclusive cultures with values like “fairness and respect; and value and belonging.” Tailor your questions to dig into these areas.

    Step 2: Acknowledge Gaps & Drive Improvement

    After hearing from employees, carefully review and internalize the feedback. Then identify areas for improvement. As an example, if you received low survey results, that shows that employees might not feel comfortable sharing their thoughts with the company. What are you going to do about it? The key is doing something. Inclusive cultures require action – that is how employees know their input and values have been acknowledged and included.

    Step 3: Measuring Your Success

    Understanding an individual employee’s perception of inclusivity and overall phycological safety can be difficult to accurately measure. Tangible, physical characteristics such as gender, race and personality type can be observed and accounted for when measuring diversity – not so much with inclusion.

    This requires some ingenuity. Think back to the survey questions discussed in step one. These will give you some measure on the current state of inclusion in your workplace. By tracking these results over time, as well as cross referencing results with major work events (mergers, trainings, parties, etc.,) you can get a sense of which efforts are making an impact on the employee perspective. This will provide a working gauge of whether you’re moving in the right direction.

  • Increase Individual Ownership of Civility Arrow Down Icon Icon of solid caret pointing downwards.

    When it comes to owning compliance responsibility, it’s clear that the compliance department cannot be responsible for all compliance concerns. In the same sense, corporate civility and integrity cannot be wholly owned by an organization’s management. Here are several ways you can help encourage employees to take ownership of workplace integrity and amplify your ability to foster a civil work environment.

    Acknowledge & Live into Core Values

    While there are many critical components of a successful E&C program, building a culture that reinforces an organization’s core values requires more than just some online training, a code of conduct and some legal input. Leadership, from the board of directors down, must be committed to building and enforcing an effective E&C program.

    Instructing employees to “just do the right thing” does not go far enough. Corporate culture is created through the expression of actions, symbols, words, stories and values at all levels of the organization. This requires everyone in leadership, from the c-suite down to the frontline managers, to be walking examples of your core values. Policy, procedures, investigations, and response to corporate misconduct, all need to reinforce these values as well. As soon as employees see conflict between values and actions, culture is threatened.  

    Provide Integrity Training to Managers

    Setting the right tone and culture within an organization is not just the responsibility of senior management. Frontline managers – often a firm's go-to individuals – have a key role to play in becoming a part of the organization’s DNA. Unfortunately, managers often lack the required training to effectively manage pressure, communicate clear expectations or even respond appropriately to employee concerns. Managers need to be trained on how to have those hard, yet critical conversations with those they manage. They must also be aware of their own personal ethics and be aware of how those ethics are interpreted by other employees.

    Evaluate Leadership’s Commitment to Core Values

    Imagine stepping into one of your employee’s shoes, specifically one who has a very high ethical standard. Then imagine seeing a manager in the organization get away with some form of misconduct such as bullying, dishonesty or harassment. Imagine the resentment that would start to grow. Especially after they were just trained on leading with integrity. Managers, just as much as employees, need to be held accountable for upholding corporate core values. This is best achieved through 360-degree reviews in which employees evaluate how their managers are living into core values. Incorporating the ability for anonymous reviews from subordinates is key for honesty and accuracy of evaluations.

    Blend Your Code of Conduct & Core Values

    A code of conduct is not just a powerful tool, it is a corporation’s constitution. It should be designed to set the tone for the organization’s culture and provide a platform for every other policy to stand on. It not only informs everyone in the organization about how business should be done, but also sets an expectation for how employees will conduct themselves. In a way, it’s the most important policy. It should convey core values such as integrity, civility, respect and any other values that the organization firmly believes in. It should also communicate the weight the organization puts on these values including hiring and firing based on its values. Regularly reviewing the code can help ensure that core values are always top-of-mind for both managers and employees.

    Promote Civility & Be Present

    What used to be commonly held and cherished interactions are now being threatened by dependency on nonessential technology. We’ve entered an era where we check our phones before meetings instead of exchanging pleasantries with colleagues. Sending instant messages to coworkers is now easier than walking to their desk. And we find it more convenient to send an email instead of making a phone call and having a verbal conversation. Largely, we now see coworkers as part of the corporate architecture rather than as human beings who share a world outside of the office walls. In our effort to re-humanize business, people will again begin to see themselves as responsible for values like civility, integrity and respect and the cost to the workplace will begin to flatline.

  • What Motivates Employees to Speak Up? Arrow Down Icon Icon of solid caret pointing downwards.

    According to groundbreaking research on the ROI of whistleblower hotlines by Kyle Welch, supported by George Washington University and the University of Utah, we now have quantifiable evidence that more internal reports create real business value for organizations. If you have not familiarized yourself with the data, you can download NAVEX Global’s summary of the key findings to get up to speed.

    In general, the research shows that hotline reporting activity and return on assets are always positively correlated. Simply put, the more hotline activity, the greater the ROA.

    To get the full ROA of whistleblower hotlines, we first need to ensure we get the raw material incident management programs run on – employee reports. And before we consider the report, we must consider the employee. Do they have the necessary trust in the organization, comfort in their immediate environment, and proper understanding of the incident management process to actually make a report? Creating a workplace culture where you can honestly answer “yes” to each of those questions is key to getting the significant value whistleblower hotlines can have for the organization.

    Steps to Create a Speak-up Culture

    When it comes to speaking up, there are two main reasons employees do not report. First, they believe that nothing will be done about the issue. This is either because management sees reports as an attack on the organization or, just as harmful, management is apathetic to employee concerns. Second, employees fear retaliation. The possibility of personal or financial retribution for reporting their concerns will effectively remove internal reporting as an option for employees. To overcome these two nonstarters, organizations need to put special care into learning how to listen and understanding what motivates whistleblowers.

    Listen First

    There is a difference between employees who know how to report an incident and those who do report an incident. The difference is the trust they have in their organization and leadership. This put the onus of driving a speak-up culture directly on organizational management, not the employee.

    Think of it this way. Internal reporting is a three-part process that starts and ends with management.

    Step 1: The tone from the top has to create a safe environment in which employees feel comfortable and encouraged to report issues. This tone from the top should ensure employees know that the organization sees them as part of the solution, not part of the problem.

    Step 2: Employees report concerns through appropriate channels.

    Step 3: Management, supported by its compliance and HR teams, take action to investigate reports, follow up with employees, and resolve cases in a timely manner.

    If step one or three fail, so will step two.

    Understand What Motivates Employees to Report

    Awareness: To be comfortable in their reporting, employees need to be confident in their understanding of what is and is not an issue. This starts with a clear and well-distributed code of conduct that identifies behaviors that are not tolerated. This is reinforced through corporate policies and procedures that further outline issues that need to be identified. Finally, all these written standards need to come to life through effective compliance training.

    Empowerment: If employees have the courage to raise their voice, they need to be assured that their action will trigger corporate action to resolve the issue. They also want to see that their ethical conduct is rewarded, or at the very least not punished. “Rewarded” does not have to have a monetary connotation, but simply needs to make the employee know that their efforts are appreciated.

    Safety: A sense of safety is the opposite of a fear of retaliation. If retaliation is even in the back of an employee’s mind, reporting will be far from it. Organizations need to over compensate for this by creating environments in which employees feel as safe as possible. General awareness efforts stated above are key, but safety is further reinforces by the cues (intended and unintended) that they get from their direct managers. Managers at all levels of the organization need to be properly trained on how to be drivers of their corporate speak-up cultures as well as how to handle reports when they receive them directly from employees.

    Like compliance professionals have been saying for years, hotlines are the canaries in the coalmine that let organizations know of issues before they become major problems. To get the most value out of those hotline and incident management programs, we need to make sure our employees know they are the most important part of that process.

  • The ROI of Third-Party Risk Management Goes Beyond Staying Out of Trouble Arrow Down Icon Icon of solid caret pointing downwards.

    It is critical to understand why managing third-party risk isn’t just about staying out of trouble – it’s about maximizing the return on investment while strategically applying the cost of due diligence. Taking the time to thoughtfully select our business partners will provide us the greatest benefits for our organization. Coupled with a strategic approach to our vendor selection process, we will not only be able to minimize our initial investment in due-diligence, but also maximize the overall business value generated by our risk management program.

    Maximizing the ROI: Establishing Fruitful, Long-Term Relationships

    Proper due diligence is key to successful third-party risk management, but also simply for building successful third-party relationships. Developing these relationships is costly. Those costs turn into losses rather than investments when relationships fall through or prove to be unfruitful for any number of reasons. Preventing a compliance failure is only part of the equation. The business case should include revenue associated with third parties, the cost of those partnerships, and the advantages of establishing long-term relationships with trusted partners. Proper due diligence with our third-party risk management should create real value for the organization outside contingency plan for potential litigation.

    Minimizing Investment: Stratification, Context & Information Management

    Third-party risk management has evolved beyond just identifying red flags. Mature programs not only know how to surface green and yellow flags, but they also know how to do so with economy. This prioritization of risk enables programs to apply resources and man-hours appropriately to the due diligence process.

    Economical risk managers are astute information managers. Compliance programs are achieving this by properly identifying sources for risk intelligence, vetting results and filtering that intelligence through unique organizational risk profiles. This ability to risk-rank each third party is called stratification, which employs contextual cues to focus risk mitigation efforts on key areas of interest. This maximizes impact by minimizing noise, which is key to logical, risk-based decision making. This is also one of the ways third-party risk management programs maximize their ROI, by accurately allocating their investment of time and resources.

    Programs can begin stratifying their risk by understanding three major risk management components:

    1. Known Risks

    Our known risks are defined by regulatory bumpers such as the Foreign Corrupt Practices Act (FCPA) or Transparency International’s Corruption Perception Index. Looking at the FCPA Guide, the known risk will be colored by geography, type, contract value, and relationship with governmental agencies.

    2. Business Justification

    These risks need to be measured alongside our organization’s original business justification for working with a third party. Some questions will begin to surface such as: Do these regulatory standards apply to the scope and complexity of our third-party engagement? If so, can the engagement be modified to address the potential risk? Determining the answers to these questions is why we need to go beyond the traditional red flag.

    3. Reputation Screening

    Finally, we need to source the right information from reputational screening. This includes adverse media, sanctions and politically exposed person (PEP) lists. This is one of the more trying aspects in the decision-making process. Finding reliable information among large volumes of potential sources is the top challenge for many due-diligence programs.

    Any single component of our third-party risk management program viewed in isolation does not provide enough clarity for decision making. Viewed together, however, they enable us to score third parties and position each accurately in the organization’s risk hierarchy, as well as capture the greatest benefits from each partner engagement. Whether you call it stratification, context or information management, this is how programs shrewdly maximize their return by applying appropriate levels of due diligence to the partners they work with.

  • Rebuilding Trust After a Compliance Failure Arrow Down Icon Icon of solid caret pointing downwards.

    With trust in institutions at an all-time low, compliance programs and their organizations have an uphill battle to rebuild credibility with their stakeholders in the event of a compliance failure. Consider these steps when you have to prove your organization is not defined by an unfortunate misstep.

    Create a Public Relations Strategy for Employees

    After a compliance failure, the organization needs to make systemic changes that ensure the failure does not happen again. Just as important, however, is making the organization aware of those systemic changes. These efforts need to be sincere; they need to show acknowledgement of the incident; and they need to convince employees and customers that the organization is going above and beyond to rectify the situation.

    One way – although a hard way – is to make resolutions to substantial missteps highly visible to your internal base. When a senior leader is caught up in a scandal and the issue is swept under the rug – or even appears to be – employees grow cynical. These high-level cases will have the most impact on employee perception and are the ones they will watch most closely for indication of what the organization truly believes. Whenever your organization is digging out from a compliance failure, try to publicize (when possible) the steps it is taking for resolution.

    Rally the Right People

    Your PR strategy has to go beyond the compliance and executive team. In his book, The Tipping Point, Malcom Gladwell identifies a group of people called “connectors.” These are the individuals who effectively influence large numbers of people organically. A lot of times, these are your directors and senior managers, but not always. These are the people at your organization who are simply better at communicating their ideas and beliefs than others. These are the folks you need to get on board to understand and evangelize the systemic changes taking place at your organization.

    Develop Focus Groups

    Making business changes at an organization can be done in a boardroom. Making culture changes requires getting all the individuals in the organization invested. The best way to do this is making people feel like part of the solution – as they should be. Going beyond the employee survey is helpful here. Small in-person or virtual focus groups will give employees a chance to voice their support or concern for the corporate changes on the table. Furthermore, as being part of the group that has worked on developing the changes, your focus group members will be part of your internal influencers reinforcing the validity of the changes.

    Focus on the Problem not the Channel

    In our social media age, many compliance failures are aired out over the social media channels of both employees and customers. Sometimes the company may not even learn about an issue until finding it on social media. The key here is to not be distracted by the technology that is propagating the issue, but instead stay completely focused on the issue itself. Responding to issues found on social media with more stringent policies for social media use tells employees that you don’t really care about solving the issue, you just care about making it go away. The optimal solution would be to follow the previous three steps in such a way that employees start to share the good work that your company is doing on their social media channels. That is how you rebuild your reputation.

    Bob Corlett, President and Founder of Staffing Advisors and HRExaminer Editorial Advisory Board Member may have said it best: “Bad online reviews are not an online problem. They are a real life problem. If you own a restaurant, the solution to your bad restaurant reviews is not found online – you solve it in the kitchen.”

  • 5 Characteristics Of An Effective Change Agent Arrow Down Icon Icon of solid caret pointing downwards.

    Today’s relentless business environment continues to pressure organizations to continuously innovate all aspects of business operations. Similarly, as a risk manager, you’re expected to continuously protect the organization from excessive risk and avoid various pitfalls, compliance failures, lawsuits and other damages. While some studies show strategic innovations reduce risk, others claim that innovation increases vulnerability. Striking a balance between risk and reward for any organization can be challenging, but we have to challenge ourselves to keep pace with innovation while accounting for our company’s risk appetite.

    Think about it this way – if you’re not innovating how you manage business risk, you’re not innovating as a business and someone else will overcome you in the market. Alternatively, if you’re innovating recklessly, you place your organization at unnecessary risk. Risk management strategies have to keep pace with business innovation, while not allowing innovation to outpace risk management capabilities. The risk manager’s goal is to increase mitigation capabilities rather than stifle business innovation.

    Let’s take a look at the five ways you can drive your organization to flourish in both innovation and risk aversion:

    1. Promote a Culture of Risk Awareness

    Train your leadership on proper methods of risk analysis and educate them on the reasons they are used for your enterprise. Create alignment from your organization’s tone from the top that embed tolerance levels into decision making throughout the entire organization. Ensure that strong messaging is relayed to midlevel managers and other key areas of the organization to ensure proper oversight.  The goal here is to create links between the risks associated with innovation and how they fit into the overall strategic business plan.

    2. Regularly Assess & Adjust Desirable Risk Tolerances

    An acceptable level of risk may not be possible for all regions, industries or projects; however, we need enough due diligence to not only rule opportunities out, but to also rule them in when possible. Risk  tolerances should be referenced through all stages of the planning process. Higher risk appetites also require increased periodic reviews to make sure the project stays aligned with the original scope of the innovation strategy.

    3. Participate Across Project Life Cycles

    Support your risk managers with a reputation of being strong, strategic contributors of calculated innovation within your business. From the beginning stages to the final rollout, encourage risk managers to engage with functional teams throughout the entire life cycle of new projects to timely assess and direct potential business risks. Over time, this type of consistent involvement from risk managers will imbed risk awareness into daily operations and business critical decision making.

    4. Regularly Evaluate Risk Management Tactics for Effectiveness

    Using multiple methods for gauging the effectiveness of your risk assessment strategy allows you to diversify the source informing your risk calculations. Transparency International’s Corruption Perception Index is a key source for regional risk concerns, but make sure to use politically exposed persons list, media archives as well as other objective, unbiased sources of information to curate an accurate picture of the immediate risk environment. The more accurate your risk assessment, the more nimble your organization can be.

    5. Innovate Your Own Risk Assessment Toolkit

    Start exploring and taking advantage of new innovative technologies that are being developed and made available to risk managers to more efficiently identify and address business risks. These tools shouldn’t eliminate human oversight, but remove the burden of administrative tasks to create more time for deeper oversight. Then, take the time to teach stakeholders on the benefits of these new tools, metrics, measurements and methods. Once familiar with risk analysis technologies, explore how you can pull real-time data to drive real-time responses as concerns arise.


  • Steps to Operationalize Policies & Procedures Arrow Down Icon Icon of solid caret pointing downwards.

    One of the top priorities for E&C programs is increasing awareness of policies across the organization, according to the 2018 Policies & Procedure Management Benchmark Report. Regulators are looking for the tie between your compliance program and the type of conduct you are trying to impact. Hui Chen, former compliance counsel for the U.S. Department of Justice, may have put it best: “…companies use to bring in binders full of their policies…I really don’t care what the policy says…I’m more interested in how the policies actually operate.”

    This requires policies to go beyond simply words on a page and instead properly package and distribute guidance in ways that effectively transfer concepts into the minds of readers. Consider the steps below to craft, share and train on smarter policies.

    Eliminate Ambiguity

    An effective policy statement is clear and unambiguous, providing an explanation of how the organization wants employees, contractors and third parties to behave and not just provide a list of things they can’t do. This allows employees to understand the intent of each policy and how it aligns with the values of the organization. In the rare instance in which circumstances create a situation where a policy and values conflict with incentives or other opportunities, understanding intent will equip employees with the behavioral expectation that properly represents the organization.


    Beyond simply editing and distributing policies, automated policy management solutions can provide explicit evidence of attestations, comprehension quizzing, and data around third parties. It ties together with the government’s current recommendation to demonstrate compliance program effectiveness, providing an audit trail if regulators come knocking. Organizations need to be able to demonstrate that the conduct under investigation was prohibited by a specific policy and procedure and provide proof that policies and procedures have been effectively implemented.

    Accommodate Employee Preferences

    Policies need to be adapted for the intended audience. The harassment policy for an international employer might have to be tweaked to address social realities in Scandinavia versus Saudi Arabia, for example. Policies regarding the Foreign Corrupt Practices Act may have to be more detailed for employees dealing with international customers and suppliers than a retail clerk in Iowa.

    Be Able to Answer Yes to the Following Questions:

    • Do you know the last time the entirety of your business policies came under review?
    • Is each of your policies reviewed periodically by your legal department to ensure compliance with current laws and regulations across domestic and international operations?
    • Do you know who creates all of your policies, as well as the standards and methods used to implement and enforce them?
    • Do you maintain meticulous attestation records indicating that your employees have read and understood the policies that apply to them?
    • Can your employees find the most current version of any assigned policy in less than three minutes?
  • Go Beyond the Zero-Tolerance Policy on Sexual Harassment Arrow Down Icon Icon of solid caret pointing downwards.

    Senior leadership and board members need to take ownership of the issue of sexual harassment in their workplaces. The tone at the top determines the tolerance a workplace has for sexual harassment. Cultures that truly do not tolerate any form of harassment have senior leaders that go beyond quoting their zero-tolerance policies – they take the necessary actions to weed out bad actors and create workplace environments that are preventative rather than responsive.

    Consider the steps below to create a tone at the top that supports harassment-free workplaces.

    Make the Tone at the Top Visible

    If employees only get training, policies or emails about sexual harassment, they see the buck being passed down the line. Instead, seeing members of the C-suite and the board actually champion the messages behind these tactics reinforces the support from the top and cuts employee cynicism.

    Corporate leaders should state their commitment to harassment free environments in town halls and in newsletter updates. This is even more powerful when done onsite during annual kickoffs or social events. Also, consider adding quotes from board members in your policies and include images or videos of board members in your harassment prevention training programs. The tone at the top needs a face, name and authenticity for it to permeate throughout an organization.

    Act Swiftly

    Not every sexual harassment case allows for quick processing and resolution. But do your best to ensure swiftness for those that do. Employees need immediate gratification to believe that things are actually changing.

    According to LegalZoom’s 2018 Workplace Insight Report, “only 26 percent [of employees] believe their employers can take swift action to address a workplace misconduct scandal.” This statistic must change to ensure the preventive effects of speak-up cultures can thrive. Speak-up cultures drive corporate transparency, which ensures bad behavior like sexual harassment isn’t allowed to fester in dark corporate corners.

    Make High-Level Cases of Harassment Highly Visible

    Nothing is more harmful to your work than employees thinking that certain individuals get special treatment. If a senior leader is caught up in a scandal and the issue is swept under that rug, or at least appears to be to the larger employee population, cynicism sets in.

    These are the cases that have the most impact on employee perceptions, and the ones they will be watching attentively to see if their organization really practices what is preaches.

    Understand the Soft Skills of the Workplace

    Let’s set aside, for a moment, any arguments about doing the right thing for its own sake. We’re well past the point where companies can ignore the financial burdens of a huge reputational hit. And members of boards have a fiduciary duty to prevent financial setbacks.

    With that in mind, corporate leaders need know the climate of their workplace as it relates to sexual harassment. Accurately answering the following questions provides a good representation of your culture.

    • Do your employees feel safe, and able to speak their minds?
    • Do your employees feel heard?
    • Do your employees feel decisions are made fairly?
    • Do your employees feel that the decision-making process is transparent?
  • 5 Incident Management Components Programs Often Overlook Arrow Down Icon Icon of solid caret pointing downwards.

    Setting up your toll-free hotline number and creating a website are only the first steps of implementing an effective incident management program. Those are the tools, but what’s more important is the people and the process. Consider the following components necessary to transform reporting tools into a comprehensive program that helps organizations learn about misconduct, build trust between organization and employee, and demonstrate organizational commitment to an ethical culture.

    1. Secure Top-Down Support

    Incident management programs don’t just need tacit support from organizational leadership, they need visible top-down support. This support from the top is the only way a program can influence and modify employee behavior. If a program is seen as unimportant or a nuisance to top management, employees will share that distrust. Encourage leaders to regularly highlight the various reporting channels and benefits of reporting to the workforce.

    2. Clearly Define Stakeholder Involvement

    Each stakeholder needs to have and understand their role within the incident management system. Common stakeholders include: legal, finance/audit, HR, risk management, loss prevention, operations, IT, communications and compliance. Each stakeholder should be aware of how the program is being implemented and communicated, as well as have clear expectations for processing and responding to reports. Stakeholder involvement should also be defined in investigation plans, protocols and triage processes.

    3. Consider Offering One Reporting Ecosystem

    Having multiple reporting numbers and sites for different issues is not only a burden for program administers, but it can also be confusing to employees, suppliers, consumers and stakeholders. Organizations can even alienate potential reporters in cases where complaints regarding discrimination and sexual harassment – both high-liability issues – are turned away because the website and hotline are “for corruption and bribery complaints only.” It is better to learn about high-liability issues as early as possible so the organization can investigate and remediate issues quickly to avoid legal action. A single, unified system provides a better reporting experience for employees and a better opportunity to limit liability for the organization.

    4. Capture the Most Complete & Accurate Information

    Especially in the case of anonymous reporters, there may never be an opportunity to ask clarifying questions. Top-tier third-party hotline providers are well equipped to ensure that all important details are captured by trained interviewers and offer web reporting tools that protect the identity of confidential reporters. When follow-up is necessary, third-party providers also have systems in place to offer unique identifier codes so anonymous reporters can get back in touch.

    5. Know the Regulatory Requirements that Could Affect the Program

    Whether it is data privacy and protection, allowable and non-allowable reports in the EU, or required protections against retaliation, there are a number of regulations that impact the operation of an incident management program. Ensure that planning addresses all regulatory requirements early in the process to avoid costly and time-consuming delays during implementation.

    Delivering on these fundamental incident management components will allow your program to be ready to receive information from across the organization as well as drive credibility of the program within all levels of operation.

    *Concepts in this Ready-Made Memo to Managers was sourced from NAVEX Global’s Definitive Guide to Incident Management.

  • Compliance Across Generations Arrow Down Icon Icon of solid caret pointing downwards.

    By 2020, Millennials will make up 50 percent of the global workforce. Our youngest generation, “the Nexters,” will also be out of school and making up 20 percent of the employee population. This means that organizations will be operating with up to five generations of employees. Moving forward, compliance professionals must learn to drive programs that support ethics and compliance efforts effectively for each generation.

    This unprecedented change carries its fair share of challenges, but also offers some very unique opportunities. Our job is to mitigate the fissures generational gaps can create within organizations while simultaneously amplifying the positive byproducts. To do this, we must identify natural alignments among generations to maximize engagement opportunities. This interplay can lay the groundwork for dynamic and thriving workplace cultures.

    Consider the ideas below as you develop an effective cross-generational compliance program.

    The Power of Rewards

    Whether it’s a growing social media culture, the prevalence of interactive design or the gamification of everything, people of all generations have grown accustomed to being rewarded for their efforts. As with gamification, these rewards don’t always have to be significant compensation increases or title changes. Rewards just need to be simple positive reinforcements that confirm to an employee that they have made progress toward a goal and their progress has been noted. Compliance can use this trend to shake its nickname of the “No Police” and become the “Congratulation Cops” – although there is probably a better name for it.

    Attention Spans Can Be Misleading

    We have all heard about shrinking attention spans in our era of distraction. This is very true as digital media, email notifications and the like have all conditioned our attention spans to be effectively ephemeral. However, we are still very well equipped to pay attention to things that interest us – consider the phenomena of binge-watching a TV series. According to Dr. Gemma Briggs from Open University, our attention spans are “very much task dependent. How much attention we apply to a task will vary depending on what the task demand is.” Similarly, “How we apply our attention to different tasks depends very much about what the individual brings to the situation.”

    This tells us to be cautious when we default to creating shorter, smaller, quicker pieces of compliance content for our employees. This technique is often correct, but we need to ensure our training topics, compliance messaging and general employee communications still encourage the necessary behavior change they are designed to produce. In short, our goal is not to develop compliance programs that fit into diminishing attention spans, but to create programs that inherently garner the necessary attention for concepts to be effectively absorbed.

    Proper Design Goes a Long Way

    Our two younger generations have grown up with visual media. The educational and informational efficiencies that visual media provide is also appreciated by people across the generational spectrum. This ties back to overall design thinking which focuses on creating experiences that are intuitive to the user. For example, to access a training course, do employees have to read a long email, find the appropriate link that takes them to your LMS, and then search for the proper title before they can complete their training? Or, do they receive a short email with a big button that say, “Complete Training,” that automatically launches their training when clicked? Make sure to have your employees in mind whenever creating tasks that they need to complete.

  • Reintroduce Yourself to PII as You Prep for GDPR Arrow Down Icon Icon of solid caret pointing downwards.

    Personal identifiable information (PII) is the lynchpin of the EU’s new General Data Protection Regulation (GDPR). To effectively meet the regulation, we need to reacquaint ourselves with exactly what constitutes PII in 2018.

    PII has always been a sensitive subject but, with the advent of GDPR, that sensitivity is touching a larger swath of data. In general, GDPR covers any information that can somehow be associated with a person. That’s a big “any.”

    According to the definition included in the GDPR, “personal data” is defined as:

    “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

    As compliance professionals we have to ensure we, and our companies, are doing the necessary due diligence needed to identify and protect that big bucket of data.

    We can start by securing the most common types of information we process:

    • Name, data of birth, address
    • Credit card information, financial information
    • IP addresses

    This extends to information like:

    • IP addresses
    • DNA or other genetic information

    And even seemingly identifiable adjacent information like:

    • Photo and videos
    • Social or ethnic identifiers

    The GDPR also provides definitions to build out a few of these categories.

    “Genetic data means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question.”

    “Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.”

    “Data concerning health means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.”

    The verbiage used in the regulation may sounds a bit intimidating. And that’s the point. The regulation is intended to get organizations to take data privacy seriously.

    The key to understanding PII is to not just think about it as buckets of disassociated data that you can secure once and then forget about. We need to consider all of our data through the lens of the owner of that data, and how they may or may not be comfortable with it being used. And as a reminder, the owner of PII is the individual, not the company who is collecting or processing it. That, after all, is what the GDPR is designed to do - give EU citizens control over their own information.

  • Managing Free Speech in a Speak-up Culture Arrow Down Icon Icon of solid caret pointing downwards.

    Speech in the workplace is a complex issue. First, organizations and compliance professionals put significant effort into creating cultures in which employees feel comfortable raising their voices. This is key to effective whistleblower hotlines and incident management programs. We have even gone so far as to make “speak-up culture” a commonplace phrase in our business jargon. Second, we have the issue of free speech. Free speech, however, is not a concept that has credence in the workplace. It is a constitutional right but does not protect people while operating in the capacity of an employee in the private sector. This creates confusion among employees who don’t understand the distinction, and can strike caution into those who do. What then are we as compliance professionals to do to navigate this fine line of managing discourse while also maintaining strong cultures?

    Talk to Someone Who Knows

    First things first, consult with a lawyer. Organizations need to have a clear understanding of all the laws that apply to workplace speech and behavior. These could be federal laws, state-specific laws, variations between on and off-duty implications, and laws pertaining to specific types of speech or behavior as in association with political activities.

    Aim for Civility

    Aside from driving a speak-up culture that improves the effectiveness of incident management programs, ethics and compliance programs need to understand the holistic business benefits of creating a workplace that is safe and respectful. This is closely tied to the idea of “psychological safety,” which is a term gaining popularity in organizations striving to create the best dynamics within team settings. Psychological safety refers to the climate in which employees think and speak. A climate that is “safe” allows employees to express themselves without fear of retribution. This seems to focus on what can be said but, often times, feeling comfortable to express oneself with appropriate language and ideas can be diminished when one fears what they might hear in response. Therefore, by ensuring we quickly and professionally deal with inappropriate speech like inflamed language, derogatory comments and aggressive disrespect, we can make room for healthy communication between employees. 

    Train Your Corporate Influencers (i.e., Managers)

    Curtailing heated disputes or navigating incendiary workplace discourse is not a common skill. That means your frontline managers who represent your company daily to your larger workforce need to be trained on how to identify and respond to potentially harmful discussions.

    Understand Policies in the Proximity

    Know when to call on your formal policies like anti-harassment, workplace violence and anti-discrimination. Understand the letter and spirit of these policies and enforce them when speech and behavior crosses the line.

    Free speech in the workplace is a complex issue often with no definitive do and don’ts for organizations to follow. We should however do our best to create a workplace of ethics, civility and respect. This is one in which there is healthy discourse, an effective speak-up culture and still everyone knows when to mind their tongues.

  • Harassment Is a Human Issue Arrow Down Icon Icon of solid caret pointing downwards.

    How we view issues determines how we go about resolving them. Like many issues facing ethics and compliance professionals, sexual harassment is a compliance issue, but also more specifically a human issue. Human behavior is what is responsible for harassment and any response to eliminate harassment needs to account for a change in behavior.

    Harassment takes the human aspect a step further than many compliance issues. It is not only created by human behavior, but it can also be defined by how other humans interpret that behavior. What may not be considered derogatory or diminishing to one may be interpreted that way by another. And that matters.

    Furthermore, while all harassment may not result in liability for an organization or supervisor, it can affect employee performance and your organization’s ability to retain good people. This is usually seen in behavior that creates a hostile work environment and involves conduct toward an employee that is unwelcome. The behavior is considered hostile when it becomes so pervasive that it alters an employee’s working conditions.

    So when it comes to creating work environments that are free from harassment in all its forms, we need to focus on our people – harassers, victims and the larger employee population who are key to driving a culture of ethics and respect.

    Here are several steps you can take to focus on the human issue of harassment.

    Keep People Accountable

    Enforcement doesn’t have to mean dismissal or severe consequences, but it does have to mean consequences. People need to be held accountable for the way they act and the things they say. Behavior ranging from full-blown sexual harassment to creating or perpetuating hostility in the workplace need to be addressed with a similar range of responses. Allowing any instance of harassment to go unaddressed supports a permissive culture and undermines the effectiveness of your compliance policies, training and leadership.

    Never Blame the Victim

    When people come forward with a report of harassment, treat them with the respect warranted by such a courageous act. It is not easy to bring forth these reports. That’s why, according to the Equal Employment Opportunity Commission (EEOC), “Employees who experience harassment fail to report the harassing behavior or to file a complaint because they fear disbelief of the claim, inaction on their claim, blame, or social or professional retaliation.” We see here that victims are already fighting an uphill battle. They should not be met with judgement or second guessing when they take the necessary step of reporting their experiences.

    Make Everyone Aware of the Impact of Their Words

    Employees in the modern workplace should be taught to think before they speak. If a comment is diminishing, marginalizing or any other quality that may negatively affect fellow employees, the comment is best left unsaid. This ties into driving a larger culture of ethics and respect that does not rely on policies to eliminate bad behavior, but on culture to naturally enforce the sentiment of policies with a tone of: That’s just not how we do business.

    Create a Listen-Up Culture

    The common turn of phrase is “speak-up culture,” however that puts the onus of speaking up on the employee. Before a victim of harassment will speak up, they have to not fear, as quoted earlier from the EEOC, “disbelief of the claim, inaction on their claim, blame, or social or professional retaliation.” This means leadership and the compliance department need to ensure employees that their reports will be heard, taken seriously and resolved efficiently. After consistent proper handling of incident reports, employees will understand that the organization values their voice and is ready to listen.

  • How to Train the Millennial-type Learner Arrow Down Icon Icon of solid caret pointing downwards.

    Generation differences can play a big role in how employees engage with aspects of our business and compliance programs. What’s interesting is that this is becoming less true for how employees across all generations engage with ethics and compliance training. For instance, Millennials and Nexters (those born after 2000) are often referred to as digital natives. These are young folks who have grown up in the era of the internet, mobile devices, and social media who are steeped deeply in technology. One would think that these tech savvy individuals would have higher preferences for compliance training that is socialized, gamified, visually engaging and interactive. While Millennials do prefer this type of training content, so does everyone else.

    Millennials and Nexters, who together will make up 70 percent of our global workforce by 2020, are not only changing the way we have to offer training, but they are also changing the way the rest of us learn. This might be less about generational idiosyncrasies, and more about general advancements in technology. In any case, our compliance training must adapt to meet the needs of the modern learner.

    4 Ways to Engage the Millennial-type Learner


    Keep Training Formats Dynamic

    Mobile devices, live streaming, on-demand content and multiscreen media consumption have all contributed to the way we apply our attentions. Today everyone is a multitasker. This means that we need to use a blend of training styles so that no one format grows stale to the learning. According to NAVEX Global’s Definitive Guide to Ethics & Compliance Training the top programs use a mixture of “live and e-learning, short- and long-form courses and a variety of engaging formats, and a disciplined approach to reporting and measuring training effectiveness that focuses on training outcomes.”


    Make It Visually Engaging

    Think about the evolution of the cinematic experience. For instance, compare the special effects of a great, yet old movie like the Goonies, with something like Avatar, which itself is now a few years old. After being introduced to the whole new world of computer-generated imagery (CGI), some of our old movie favorites start to lose their appeal because we are more attuned to flaws in the set, unrealistic costume design and contrived special effects. Consider this when you deploy your training courses. Do those courses reflect the visual media that learners are now accustomed to? Do they offer the same seamless digital experience? It’s not just updating the clothing actors are wearing, but also the layout of the interface, good use of white space and packaging up complex concepts in easily consumable ways.


    Embody the Social Dialogue

    Social media has gotten everyone excited about building connections. This is great for peer-to-peer learning, which can help the adoption of training concepts through naturally occurring discussions among co-workers. Think about different offline ways to complement your online compliance training. Have manager-led discussions around case studies to help further educate employees on specific behaviors – these should be sanitized of course and respect confidentiality. Training concepts could also be woven into team and department meetings so employees are regularly connected with those concepts and have a chance to discuss them with others.


    Tell a Story that’s Hard to Put Down

    While younger generations are often labeled as having short attentions spans, they have also been responsible for a new phenomenon called “binge watching.” This is where people consume multiple episodes of a TV show in one sitting. Now that sounds like expanded attention. This seems to indicate selective attention. And that attention is reserved for highly engaging content that tells a story that you just have to see what’s coming next. So while your training program might not be able to rival the production value of a Game of Thrones or Netflix original series, you can still ensure that learners are engaged in a story. And this story should be relevant to employees and not just tell them about concepts but actually place them into scenarios where those concepts can be seen in their day-to-day jobs. 

  • 4 Steps to Elevate Your Personal Compliance Brand Arrow Down Icon Icon of solid caret pointing downwards.

    Ethics and compliance is a people business. Sometimes the person you have to focus on first is yourself. Take the necessary steps to create a daily, weekly or monthly professional development plan to grow a little more every day and create a personal compliance brand that transforms your program and your career.

    Use these four steps as general guides directing your efforts toward developing professional credibility and your personal brand.

    1. Know It All, or at Least as Much as You Can

    A lot of times the buck stops with Compliance. And that means we need to have the answers. Elevating your professional standing and personal brand as an integral part of the business requires an extensive knowledge of the compliance industry and its evolving landscape. Therefore, learn the business and learn everything you can that touches your work.

    You can start by selecting one of Compliance Next’s five learning tracks to take your ethics and compliance knowledge reserve to the next level.

    2. Hone Your Expertise with Experience & Community

    Becoming an expert requires more than just knowledge. The most effective compliance professionals have a deep understanding of their field, but also know how to navigate through unexpected situations, and handle issues that can’t always learned from a book. The best way to build your expertise is through experience – putting in the time. The next best thing is expanding and strengthening your professional peer network. A tight knit group of compliance professionals who actively share experiences and lessons learned can effectively contribute years of expertise to one another through knowledge sharing.

    Explore groups on Compliance Next to start building your peer-to-peer network.

    3. Make Respect a Part of How You Do Business

    Respect is key to relationship building. It’s key to gaining the loyalty of your peers, department and organizational decision makers. And it is also key to supporting the larger healthy workplace culture that compliance professionals are charged with cultivating. So, as a starting point, always speak and act with honesty and transparency. There are enough hidden agendas at play in workplace politics. Make it a point to develop trusting and honest relationships with all those you interact with, as well as be a champion who fuels that behavior throughout the organization.

    4. Don’t Avoid Accountability

    The higher you rise in your career, the more responsibility you acquire. Effective professionals in any function bolster this responsibility with accountability. Understand that your decisions and actions are just that, “yours,” for better or worse. Everyone makes mistakes; established compliance professionals own their mistakes and take the necessary steps to amend the wrong and improve for next time. It’s all part of the growing pains of a successful career.  

  • Does Your Incident Management Program Even Work? Arrow Down Icon Icon of solid caret pointing downwards.

    Your organization has an inherent information source ready to provide early warning signs of problems percolating within. This is your whistleblower hotline and incident management program.  Effective incident management programs nurture speak-up cultures, help programs focus on the most critical areas of behavior change, and provide a safe and confidential place for employees to clarify policy or discuss concerns.

    Each facet of an effective whistleblower hotline and incident management program enables compliance officers to respond swiftly to prevent, contain or resolve incidents before they become compliance disasters. That is, if your hotline and incident management program is factually effective. The only way to know this is to test.

    How to Test Your Program

    Call Your Hotline & Submit a Web Report

    Test your hotline by calling it directly with various compliance concerns, reports, questions and violations. The goal is to ensure that the system in place processes, triages and elevates reports properly. Track your reports all the way up your organizations to see if escalation kicks in properly to notify your compliance team and board when necessary.

    Make Sure Your Program Works for Everyone

    First off, is the call specialist answering your hotline able to speak the language of the caller? Same goes for your web intake platform – are necessary forms and communications translated to meet the language needs of all your employees and third parties? Next, ensure technical functionality of your system. Can your hotline be reached from every country in which you do business?

    Test Validity of Reports

    Your team may be receiving reports, but are they accurate and comprehensive enough to prompt effective and efficient resolutions? Ensure your call specialists are equipped to gather as much necessary information as possible to thoroughly process each report. Likewise, managers need to be trained to handle open-door reports with confidence. Additionally, along with receiving each report, managers must enable and encourage anonymous whistleblowers to follow up on their reports.

    Sit Back & Wait

    Proper processing, user-friendly technical functionality, and both report comprehensiveness and accuracy are all key components to an effective incident management program. But before you can call it good, you have to test for timeliness. How long did it take for the report to get to you? How long before you were followed up with about the reported incident? Timely follow-ups to employee reports assure whistleblowers that their concerns are being taken seriously. This alone plays a major part to ensure incidents do not fester into bigger issues while reports are being processed. Timeliness is also essential to prevention. There is a finite window of time in which compliance responses can be proactive. When that window closes, you have to resort to containment.


  • Know Why You Made Your Due Diligence Decisions, and Document It Arrow Down Icon Icon of solid caret pointing downwards.

    As companies implement more robust risk management programs, we can expect to see more post hoc analyses and questioning of due diligence programs. How do companies design their systems in response to this rising expectation?

    Companies cannot blindly conduct due diligence, document each step and avoid careful analysis of third-party risks. Last year’s Och-Ziff enforcement action underscored this point when Och-Ziff conducted due diligence of an Israeli businessman, DRC Partner, and raised serious questions about DRC Partner’s integrity. In fact, the DOJ cited the internal disagreement within Och-Ziff management over whether to engage DRC Partner or not in their action.

    The government’s citation of internal debates or the manner and quality of resolution of red flags raises some interesting questions. If three officials argue to move forward with a third party and two disagree, can the company move forward or will DOJ/SEC cite the two opponents as evidence of an “unresolved” red flag? 

    How-to Avoid this Pitfall? 

    The company must fully document the debate and factors underlying the decision, including why any dissenting viewpoints were overruled.

    Third-party risk management will continue to be the focus of DOJ and SEC FCPA enforcement actions. Companies have to design their programs in response to this increasing scrutiny of third-party due diligence reviews.

  • 3 Ways to Get in Front of Conflicts of Interest Arrow Down Icon Icon of solid caret pointing downwards.

    Give Your Policies a Process

    Conflicts of interest have been a compliance concern for long enough that most organizations have the right policies in place. The processes that enforce those policies, however, need the same attention. Effective COI efforts include a process that identifies, manages and resolves conflicts.  Employees need to be trained on what constitutes a conflict of interest; disclosure channels need to be promoted so employees know where to report potential conflicts; and management needs to understand the correct protocols to resolve potential conflicts before they become actual or perceived conflicts.

    Be Transparent First and All at Once

    One form of conflict is a perceived conflict of interest. This is where an actual conflict may not exist; however, there appears to be a conflict from the perspective of the public, internal staff or shareholders. When dealing with a perceived conflict of interest, the only way to completely resolve the issue is with full transparency. This requires putting everything that may be of interest onto the table for all to see. Efforts of transparency need to happen all at once. If there is a steady drip of additional information, it will further turn perception and opinion against the parties involved.

    Get Familiar with Likely Conflicts

    Conflicts of interest have certain characteristics and tendencies. Train yourself to identify the subtleties of the more frequent conflict types and you will be more attuned to their various nuances.

    Consider the four below:

    1. Contracting with Former Employees

      Conflicts often surface when current business comes with a history. When that history includes a bias that may influence the current business, you may have a conflict. This often happens when third-party work is being performed by a former employee who previously managed the same third-party contract while at the organization.
    2. Related Party Business

      Relation between business parties sounds easy enough to identify, and it is when, say, an employee shares the same name as a business partner. There is a sharp increase in difficulty when this is not the case. So you must rely on disclosure. This means employees need to be made aware of the necessity of disclosure and the type of information that needs to be disclosed.
    3. Doing Business with Current Employees

      For most organizations, the rule is simple – don’t do outside business with internal employees. However that might not always have to be the rule. Employees may have outside business interests. It is not a conflict of interest to do outside business with a current employee simply because they are an employee. The conflict arises if the work is incompatible with the employee’s position within the company. You just must ensure there is fair competition when securing business, and that employee business interests are selected only if they are truly the best option.
    4. Qualifying Smaller Contracts

      Purchases with large price tags usually garner the type of oversight that eliminates any potential conflict. However, smaller contracts often require the discretion of fewer decision makers and therefore allow for more personal bias to creep in. Even though smaller purchases drive less financial exposure, poor oversight may still leave you vulnerable to risk. 
  • 5 Questions to Ask about Your Cyber Security Arrow Down Icon Icon of solid caret pointing downwards.

    The majority of cyber security breaches are caused by human error. That’s why creating a culture of cyber security is one of the most effective steps to ensure your organization prevents attacks. It’s much better than having to pick up the pieces after an attack.

    Use these five questions to get an idea of how your program will weather the storm in the current cyber climate.

    1. Does my team use their own phones, tablets or other electronics for work purposes?

    A better question might be: Does my organization have a BYOD (Bring Your Own Device) policy? If it does, you are one step closer. Next you have to make sure employees are aware of the policy and that its practices are enforced. One security breach on one device has the potential to affect your entire organization.

    2. Do my employees know what to do if they encounter a suspicious email?

    Phishing is getting more sophisticated every day. The rule of thumb is to think before you click. And when in doubt, ask. Ensure your employees know they are a critical link in your cyber attack prevention efforts and are ready to act if the time comes. Immediate internal reporting is an essential part of maintaining sound cyber security.

    3. Does my team stay on top of required security updates from IT?

    As we learned for the major WannaCry ransomware attack, a neglected patch update can cause disastrous effects to an organization. Putting off any type of security update request coming from your IT team puts devices and, therefore, your organization at risk. Reinforce with your team the need to act promptly when a security update is required.

    4. How often do we use web apps?

    There is an app for everything. Sometime the easy app choice is not the most secure choice. Get IT involved in your app decisions early on to verify the security of any application you plan to bring into your organization’s network.

    5. When was the last time you talked with your team about taking laptops on the road?

    Team members who travel or work offsite need extra reminders about keeping data safe and secure. Give periodic reminders about the need to be extra vigilant about preventing laptop theft, and using only secure Wi-Fi connections to access the network or confidential documents.

    Awareness is key to creating a culture of cyber security. Employees need to know that their behavior has a major impact on the security of the organization. And make sure you are setting a good example. 

  • Recognizing the New Face of Cyber Security Arrow Down Icon Icon of solid caret pointing downwards.

    All you have to do is scroll through your news feed to see a series of headlines reinforcing the need to protect your organization against cyber attacks. Cyber security can no longer be seen as just an issue that IT has to deal with, or just Compliance, Operations or Legal for that matter. Cyber security is an enterprise-wide risk involving all business units, all operational units, all your employees and all your key third parties. That being the case, it requires a cross-functional approach.

    Here are four things to know about the current issues of cyber security.

            1. Cyber Security is a People, Process and Technology Issue

    With the enterprise-wide risk that cyber security presents, it is essential that organizations develop cross-functional approaches. Key players such as IT, Security, Legal, Compliance, HR, Operations, Procurement or your supply chain need to be engaged. Also customer support is a function that many may not consider. However, if your network is compromised or customer data is compromised, you are going to need a way to communicate to your customers. Similarly, public relations and communications teams need to be able to articulate the company’s approach to cyber security and, should there be a breach, will be key in helping the company communicate what’s happening and what it is doing to respond to it.

           2. There Is More Surface Area than ever before to Protect

    The rise of mobile and other internet-connected devices is increasing the access points that organizations need to protect. Everything from checking our email to accessing our corporate networks to turning the lights on and off in our homes is being managed remotely and provides additional opportunities for bad actors to gain entry to corporate networks. With varying security controls on each access point and the increasing amount of sensitive information managed remotely, mobile habits are creating more surface area cyber security programs must protect. 

            3. Old Threats Are Manifesting Themselves in New Ways

    Consider ransomware: Stealing information has always been a threat, but now bad actors are holding this information until receiving a ransom, or threatening to share the information publicly if a ransom is not received. In some cases, the biggest threat is the complete destruction of information, or just as threatening, the manipulation or corruption of that data.

            4. Big Data Is a Big Responsibility

    With modern technology and the decreasing cost of storage, we have the ability to maintain inordinate amounts of data easily. But just because we can doesn’t mean that we should. Companies are not differentiating between data that is critical, sensitive and confidential from all the data that is not. The reality of our risk environment is such that there is a good chance that our data is being compromised in some way. Whether it is from careless employees, malicious insiders or bad actors outside our organizations, chances of a data breach happening is high. The key is to differentiate between what is really critical and what is not.

    We have to remain vigilant in our efforts against cyber risk. The protections that worked yesterday may not work today, and tomorrow might present an entirely new risk we never expected.  

  • Four Ways You Can Help Mitigate Rising Cyber Security Risks Arrow Down Icon Icon of solid caret pointing downwards.

    As former FBI Director James Comey stated, “There are only two types of companies when it comes to cyber security. Those that have been hacked and those that do not know they’ve been hacked.” With so many potential entry points to our company’s network (smart phones, tablets, laptops, etc.), the bottom line is that  cyber security risks have increased for all organizations, including ours.

    Understanding and Managing Our Cyber Security Risk

    As a manager, you have a responsibility to help protect our organization’s sensitive information—including personnel, financial and strategic data—to thwart potential risks.

    Consider taking the following steps to protect yourself, employees and our organization online:

    • Be sure your employees complete and understand the training provided by both our compliance department and IT/Information Security. Make sure your team is getting the information they need to effectively protect our organization from cyber security risks.
    • Teach employees how to spot phishing emails and report suspicious emails. When applicable, use case studies from real security breaches to highlight the importance of being vigilant when accessing websites, logging onto the network from other devices and clicking on links embedded in emails.
    • Understand your role in protecting your employees’ personal information. Do not work on compensation or other sensitive employee information on an unsecured network or on a device that does not have the appropriate encryption technology.
    • As always, be there to answer their questions. As is crucial for fostering a culture of compliance, support a speak-up culture by demonstrating that when your employees aren’t sure what to do, they know can talk to you. 

    Compliance with our technical guidelines does not automatically equate security. Even the most compliant organizations have or will experience a security breach at some point. But we should all be proactive about ways to deter, detect and remediate should a breach occur in our organization and your contributions are critical to that equation.

  • Are You Helping Create a Culture of Cyber Security? Arrow Down Icon Icon of solid caret pointing downwards.

    How confident are you that your team’s day-to-day business decisions will help us strengthen a culture of cyber security in our organization? If you’re not sure of the answer, read on!

    The majority of cyber security breaches are caused by human error. We need your help to keep cyber security top of mind. Ask yourself the following questions to determine the degree to which your team is helping our organization stay secure:  

    • Does my team using their own phones, tablets, flash drives, etc. at work? Reinforce the need to comply with our “bring your own device” policy—and the potential impact of even one security breach on our network.
    • Would my employees know what to do if they encountered something suspicious in their email in box? It only takes one click in a phishing email to create a system vulnerability or inadvertently download malware. The rule of thumb should be think before you click—and when in doubt, ask. Cyber criminals are using increasingly sophisticated methods to target employees and break in to system networks. Immediate internal reporting is an essential part of maintaining effective cyber security.
    • Does my team stay on top of required security updates from IT? Putting off security updates you’re requested to make by the IT team creates risk. Reinforce with your team the need to act promptly when a security update is required.  
    • How often do we use web apps? Using popular, online, web-based apps might seem like an easy choice—but they may not be the most secure choice. Check with IT before you say “yes” to a team member who wants to use a web app—or before using them yourself.
    • When is the last time I talked with my team about taking laptops on the road? Team members who travel or work off site need extra reminders about keeping data safe and secure. Give periodic reminders about the need to be extra vigilant about preventing laptop theft, and using only secure wi-fi connections to access the network or confidential documents.

    As with all aspects of ethical and compliant behavior, your team looks to you to determine which behaviors are acceptable and which are not. Remind employees that their behavior can have a major impact—and make sure you’re setting a good example.   

  • Ethics & Compliance Engagement: Avoiding Cynicism and Staying Committed—Even When You’re Overwhelmed Arrow Down Icon Icon of solid caret pointing downwards.

    Burnout. Fatigue. Stress. When we feel overwhelmed by issues at work, engagement can be the first casualty. Cynicism can start to seep into our conversations, actions and interactions. When this happens, ethics and compliance requirements or issues might feel like just another box to check. After managers and their teams reach a critical point of disengagement with E&C initiatives, you may start to hear things like…

    • “Just take the online training as quickly as you can and get it over with. We’ve got more important things on our plate.”
    • “Don’t bother reporting that to HR—they’re not going to do anything anyway.”
    • “Right or wrong, that’s just the way things get done around here.”
    • “That policy is so unclear. Just do whatever you think is best.”
    • “We’ve always done it that way. I know it seems like a violation of procedure, but really it’s fine.”
    • “Running that through legal is going to be a nightmare. Just sign it. No one will care.”

    While these kinds of reactions may sound somewhat innocuous, they’re actually the seeds that can grow team-wide dismissal of ethics and compliance efforts. And a dismissive attitude can breed misconduct, unethical actions and a highly-damaging culture of cynicism.

    Our organization is fully committed to ensuring that every employee is empowered and equipped to make ethical decisions that are in line with our code of conduct and our core values. The only way to live out this commitment is to help individuals rethink what they say, what they do, and how they get things done through a lens of ethical decision-making.

    When E&C requirements are feeling burdensome, consider this: research shows that firms with excellent governance, risk and compliance practices generally have better:

    • Financial returns
    • Brand and reputation protection
    • Credit ratings and capital cost reduction
    • Advantages in mergers and acquisitions
    • Cultures, and employee retention and satisfaction

    So the next time you hear a team member express scorn for an ethics and compliance activity—or when you’re tempted to say something negative yourself—get back on the right track by reminding your team member and yourself of the benefits of fostering a culture of compliance, ethics and respect.  

    As always, we want to be a resource for you. Come to us with questions, ideas and issues you’re facing. If morale or engagement on your team is low, let us help you reduce compliance risks related to disengagement while we work together on strategies for addressing the root causes of the issues your team is facing. And remember, as a manager, you are in the very best position to set a tone for your team.

    What example will you set today? 

  • Has Your Compliance Risk Profile Changed? Arrow Down Icon Icon of solid caret pointing downwards.

    When’s the last time you took a few moments to do an ethics and compliance risk assessment on...yourself? Things in our organization can change quickly, including managers’ span of control, members of your team, which vendors we use and more. As your business partners, we in the ethics and compliance department want to be a resource for you when your exposure to ethics and compliance risk changes or expands.

    So take a moment and review this list: do any of these sound familiar?

    • Your span of control has increased, and you are now dealing with employees or third parties in countries you haven’t worked with before.
    • You’ve started working with a new internal team.
    • You’re dealing with fast-moving structural changes to your team or your department.
    • A new law or regulation has come into effect and you’re not sure what the implications might be for your team.
    • You have new team members from a generation or cultural heritage you’re not accustomed to working with.
    • You’ve recently been promoted to a management position, and wish you had a better grasp on ethics and compliance issues that might come up in your new role.
    • An employee brings a potential compliance violation to you and you aren’t sure how to respond.
    • You’re not entirely clear on how to apply one of our new or updated policies—or a longstanding policy that now applies to you more directly.

    Any and all of these issues (and many more like them!) can create new ethics and compliance challenges for managers. We want to remind you that you are not on your own! If you have questions about ethics and compliance concerns, we want to connect you with help. From one-on-one consultations, training resources and advice to setting up mentoring relationships with other managers within our organization, we are committed to equipping you for success. 

    Raising your hand when issues come up is a major part of owning ethics and compliance. There is no question too small to ask. Set an example for your team: “speak up” when you face new ethics and compliance challenges. Together, we’ll continue to build an ethical and compliant organizational culture we can all be proud of. 

  • Managing Generational Diversity in the Workforce—The Ethics and Compliance Perspective Arrow Down Icon Icon of solid caret pointing downwards.

    As a manager, you are no stranger to generational diversity in the workplace. With the influx of millennial workers, you are now managing employees from up to three or even four different generations. And the millennials that everyone is talking about will make up 50% of the workforce by 2020.

    So from an ethics and compliance perspective what does this mean for you as a manager? Here are three things to consider.

    1) Don’t make the mistake of doing things just for millennials or using loaded language (rife with generational or age based stereotypes). That’s a sure-fire way to get your efforts to backfire, and possibly end up being the subject of an age discrimination lawsuit. What you need to focus on is improving the ethics and compliance conversation for every worker, regardless of age. The more we get our employees talking about doing the right thing, the better we will become at recognizing what that is, and executing against it.

    2) Understand the needs of your evolving employee population. Research from the Ethics Resource Center concludes that workers between the ages of 19 and 29 are in a significant area of vulnerability in terms of unethical conduct.  So the younger you are the more likely you may be to make an ethical mistake. Ensure that all employees (including new employees) have access to ethics and compliance training, that they get to know key internal resources, and that you personally support a speak up culture that allows them to raise concerns and ask questions.

    3) Recognize and embrace the new more social and collaborative workplace. It’s not just about millennials; workplaces today are fast becoming a place where ideas can be openly discussed and challenged, information is more readily available to everyone and  learning happens more organically and informally. And it’s not just millennials that will benefit from these changes—all employees will see the positive impact.

    To support this trend consider your role in fostering that type of work environment for all your employees (regardless of generation) with these ideas:

    • Encourage peer-to-peer learning relating to ethics and compliance topics, creating opportunities for your team to maximize the benefit of each other’s’ experience and perspectives.
    • Invite the ethics and compliance department to come and talk with your department or team. The more familiar your team is with the organization’s values and objectives, the more aligned they are likely to become with them.
    • Identify ethics and compliance mentors on your team that can help employees work through challenging situations, and direct employees to the right internal resources if further guidance is needed.

    If you need additional help addressing these issues on your team, please contact HR, the ethics and compliance team, or our legal team. They can help you get to the root causes of an issue and, if necessary, get your team back on the right track.

  • Your Role in Ensuring Our Policies are Effective Arrow Down Icon Icon of solid caret pointing downwards.

    Maintaining policies is not the job of our ethics and compliance department alone. We all need to ensure that our policies are as effective as they can be—which requires that we work as a team. You are on the front lines with our employees and vendors every day, and may hear about issues with policies long before we do.

    Policies that miss the mark—for whatever reason—leave our organization open to risk. Ensuring that our employees and vendors adhere to our policies helps us avoid compliance failures before they occur. We hope you will reach out when you encounter any of the following issues with policies, so we can work together to make the policy more effective.

    Contact us when you encounter a policy that is…

    1) Difficult to Understand. Our ethics and compliance team is committed to making our policies understandable. If employees are struggling to understand the wording or meaning of part or all of a policy, we want to know. Our goal is to make sure our policies are easy to understand and follow. 

    2) Outdated. Our goal is to review all of our policies on a regular basis to ensure that they are up-to-date. However, between reviews, your help is invaluable. If you or someone on your team encounters a policy that is out of date for any reason, get in touch.

    3) Missing Information Related to New or Updated Laws and Regulations. Because of your area of expertise, you and your team may be the first to know about new laws or regulations that may impact our policies and procedures. If there is a new law or regulation your team knows of—or knows is coming—check with us to determine whether there needs to be a policy or procedure change made to address it.

    4) Culturally Insensitive. We strive to ensure that our policies are culturally sensitive. If we miss the mark, we want to know and address is right away. If you or a team member sees something in a policy that is potentially offensive or otherwise needs to be addressed, be in touch right away.

    5) Not Correct for (or Applicable to) a Particular Region or Location. Not every region or location is the same, and sometimes our policies must reflect those differences. If you notice something in a policy that doesn’t seem to apply to your location or your team members’ locations, let us know. We may have a specific version of a policy we can provide to you, or we may need to make a custom version of a policy to address the issue.

    And finally, contact us if there is an issue you think we should have a policy on, but do not. Gaps in policies are as risky as policies that do not meet our standards.

    Policies are the backbone of an organizational culture that supports a culture of ethics and respect. By working together, we can help ensure that our organization continues to be focused on fostering the kind of workplace we all want to be a part of.

  • Keeping Off-Site Employees Connected With Our Organization’s Mission and Values Arrow Down Icon Icon of solid caret pointing downwards.

    Employees who work outside of our normal workplaces—including those working at home or in other countries—present special challenges for managers. For instance, because they are physically separate, it can be easy to pay less attention to them and to assume everything is going well. It also can be harder to ensure their actions are consistent with our code of conduct and policies.

    However, nothing reinforces and nourishes our ethical culture more than the words and actions of the leader who employees interact with most often—you, their manager. As a manager of a remote employee or employees, you should make an extra effort to consistently: 

    • Reach out to your remote and overseas employees on a regular schedule. Regular communication is essential—and not just via email. Remember, the goal is to build a personal connection. Call and have a one-on-one chat, just as you would with onsite employees. If reaching overseas employees means getting up early in the morning or staying up late at night, do it—it will be all the more meaningful to the employee.
    • Listen to your remote and global employees. That sounds obvious, but it can be easy to discount the ideas or concerns of someone when you lack the connection that comes from being face-to-face. If remote or global employees feel they are not heard or valued, they will tune out.  Also, clearly and consistently reiterate that you want to hear from remote and global employees—and they should feel free to call you anytime.
    • Find ways to build messages about our values into conference calls and other communications with remote and global team members. You don’t have to have long discussions—two to three minutes each week or so will often have more impact than half an hour per quarter. Think along the lines of a “safety minute,”  a way many manufacturing and industrial companies start each meeting. 
    • Urge all team members, including remote and global employees, to speak up when they believe our code of conduct or policies are being violated. Remember that in some cultures, speaking up is not the norm. Sincere, frequent encouragement will demonstrate that you truly want to hear about potential problems as soon as possible. 
    • Praise—as often as possible—employee actions that reflect our values. Nothing works like positive reinforcement. Highlight remote and global employees whenever possible.

    Employees who work off-site can increase the risk of ethics and compliance violations. But that risk can be significantly mitigated by the tone you as a manager set—and your diligence in making meaningful connections with off-site employees can have a huge, positive impact on our corporate culture.

  • Taking the Fear Out of Change: A Manager’s Unique Role Arrow Down Icon Icon of solid caret pointing downwards.

    Change isn’t easy.  And yet, organizations must make changes all the time to stay ahead of business, cultural, regulatory and economic trends.

    As a best practice, organizational changes are usually well researched, timed effectively and communicated well in advance. Despite all the preparation that goes into planning and processing policy changes, a successful launch cannot take place without one key element—management’s support. 

    As a manager, you are the critical piece in helping employees understand and adapt to new processes. Here are three guidelines to keep in mind as you help your employees through change:

    1) Address Uncertainty.  It can often feel as though decisions that impact employees are being made at a distance.  To help your employees better understand process changes, and provide as much background information around the process change as you can.  As you talk through the changes, highlight process gaps and the impact those gaps presented for the business.  Additionally, provide feedback to organizational stakeholders on your team’s reactions, both positive and negative, to better help management refine the process and make your employees feel heard. 

    2) Choose the Best Possible Timing & Communication Channel for Sharing Information Related to Change. Do your best to know when changes will be communicated, especially ones you know will impact your team. As much as possible, try to seed in advance that a change in procedure or policy may be coming.  If the change must be communicated via email, be sure to cover it in your next staff meeting.  If it’s through a Town Hall or other meeting, gather your team after and take questions for follow-up.  If you’re responsible for communicating the change, consider the channel.  Is this something better addressed in a broader meeting?  One-on-one?  Is a written communication truly most appropriate, or would it be better as a follow-up to a verbal explanation?

    3) Keep the Lines of Communication Open.  The more people know—about how change will be coming, and when and how it will impact them—the better it will be accepted when it arrives.  Leadership plays a key role in managing employees' resistance to change, but you can help make the process easier for the people you manage. Communicating early and often about coming shifts can help impact how employees react and lessen the overall impact of the only real constant—change.  

  • Harassment: Stop It Before It Starts Arrow Down Icon Icon of solid caret pointing downwards.

    Many managers assume that harassment isn’t a big deal with their employees. But do you really know if harassment is an issue for your employees? Have you asked them? According to a 2015 survey, 48% of U.S. employees have either experienced or witnessed “abusive conduct” at work (27% have suffered abusive conduct at work; another 21% have witnessed it).

    As a manager, we are looking to you to help watch for and prevent harassment before it starts. A powerful prevention tool every manager has is the ability to talk with and listen to his or her employees. Some simple ideas you can use include:

    • Talk about respect and fair treatment at team meetings – you don’t have to over do it, just weave a couple minutes into a team meeting once a month.
    • Reward/recognize employees who do the right thing by speaking up or who contribute to creating a respectful culture.
    • Let employees take the initiative and share thoughts about how to improve the workplace culture.
    • Talk with employees one-on-one and ask them whether they think harassment is an issue in the work group and the organization.

    You’re probably reading that last suggestion with doubt. Instead of literally asking them, have a conversation with each employee every quarter (or so) about how things are going in general. Ask them:

    • How are you doing?
    • Are you enjoying your work?
    • How are the team dynamics – and are there any issues or concerns?
    • Have you seen or experienced anything that goes against our value of treating others with respect?

    You need to be genuinely interested in hearing your employees’ responses and willing to take action; if you aren’t, asking questions will backfire.  Inaction in the face of problems can result in employee morale issues, resentment and – worse yet – potential legal liability.

    Remember, your silence sends a strong message to your employees – “I don’t really want to hear about it.” Talking about your expectations makes the statement that harassment won’t be tolerated. So, as this year begins, take a different approach. Start a productive dialogue with your employees and aim to improve the culture where you work.

  • Educated Managers and Supervisors are Our Best Defense Against Retaliation Arrow Down Icon Icon of solid caret pointing downwards.

    As a manager or supervisor you are the first line of defense in preventing retaliation. All too often, managers and supervisors at some companies get this wrong: we want to make sure we get it right.

    Managers and Supervisors are Critical to Anti-Retaliation Efforts

    Training and awareness of how to spot retaliation—as well as knowing how to prevent it—are crucial for all organizations. As a manager or supervisor you need to know how to receive and handle reports without retaliating, and how to spot and halt any retaliation you may observe.

    Respondents to the Ethics Resource Center’s 2013 National Business Ethics Survey (“ERCBES”) indicated that employees initially report issues to their managers or supervisors over 60% of the time. However, if employees perceive that their “reward” for internal reporting of non-compliance will be retaliation, they are much less likely to report issues of concern to their manager. They may also potentially avoid internal reporting altogether and go directly to a regulator or to the media. In these cases the company is denied the first opportunity to fix the problem.

    The ERCBES statistics also showed that 21% of respondents reported being retaliated against for reporting misconduct. We must strive to ensure that this statistic does not apply to the way our organization handles reports of compliance failure.

    How can we significantly reduce the instances and perception of retaliation in our company?

    Managers and supervisors have a crucial role to play in identifying and eliminating retaliation. Key steps to take include:

    1. Understand What “Retaliation” Means

    To get a full understanding of our company’s views on retaliation, be sure to read our Code of Conduct and policies on retaliation. In the past, retaliation generally took the form of a manager firing an employee for reporting them for a compliance failure. However, there are often many more subtle ways of retaliating such as:

    • Giving an unmerited negative performance review
    • Assigning the reporter a less attractive sales territory
    • Taking away the reporter’s overtime opportunities
    • “Disinviting” the reporter to routine meetings

    These kinds of behaviors are considered retaliation, and are unacceptable.

    2. Support our “Open Door” Policy

    Communicate to your employees how important it is to you and to the company that they feel free to come to you and discuss any violations. Make sure they know that if they do report to you in good faith, the report will be properly handled and there will be no retaliation by you, even if you are named or involved in the alleged violation.

    Make sure you say thank you to the employee for coming forward and reporting the issue, and assure them that retaliation is not acceptable and violates company policy.

    Additionally, effectively using the “Open Door” policy is part of your higher fiduciary responsibility as a manager and supervisor.

    3. Be on the Lookout for Peer-to-Peer Retaliation

    In addition to retaliation by a manger or supervisor, the next most likely source of retaliation can be the reporter’s peers. Non-management employees may believe that a peer reporter “sold them out” or got their work group or favorite boss in trouble. This peer response can unleash the most subtle retaliation, often to devastating effect.

    As a manager, you have a duty to be on the lookout for this peer-to-peer retaliation and put a stop to any action which might be perceived as retaliation.

    4. Follow and Document Good Processes

    To demonstrate fairness, make sure that any issue resolution follows a consistent and well-established process which includes:

    • Maintaining confidentiality
    • Promptly conducting an appropriately thorough investigation
    • Documenting the process
    • Involving legal and HR departments in the process early

    We need to do everything possible to identify and eliminate all forms of retaliation so that our employees are comfortable knowing that they can and should report issues of noncompliance to our managers.

  • Recognizing & Curbing Workplace Harassment: What It Is, Where It Happens, and What to Do Arrow Down Icon Icon of solid caret pointing downwards.

    The effects of harassment on employees and within an organization can be devastating. Unchecked harassment can erode trust, weaken goodwill and undermine productivity, as well as put our organization at legal and financial risk. The good news is that managers can help us maintain a positive workplace environment in which everyone has the opportunity to thrive. Here are four ways you can help prevent and stop harassing behavior in your organization:

    1) Recognize Harassing Behavior When You See It
    Harassment typically takes one of three forms:

    Verbal Harassment: Sexually explicit or derogatory jokes, innuendo, name-calling, insults, comments or other verbal behavior based on a person’s race, gender, religion, national origin, or other characteristic protected by law or our policies.

    Physical Harassment: Inappropriate physical conduct, including unwanted touching or gestures. While physical harassment most often is based on sex, it can relate to any protected characteristic, including religion and disability.

    Visual Harassment: Any visual material, including posters, calendars, screen savers, web pages, comics, personal photos—even tattoos—that is sexually explicit or derogatory of a protected characteristic.

    2) Address the Behavior Right Away

    As an employer, we have a duty to protect all of our employees from harassment and discrimination. As part of that, you have a “duty to act” whenever you become aware of potential harassment—regardless of how you learn of it.

    If you see or overhear behaviors that are potentially harassing, the best option is to address it right then, on the spot. You do not need to scold the person or be aggressive, but you do need to point out that their behavior is inappropriate and stop it. Then email HR to let them know what happened and how you dealt with it.

    If an employee tells you about potentially harassing behavior, assure them that the matter will be taken seriously and will be kept as private as possible. Thank them for coming to you, then reach out to HR and share the employee’s concern.

    If an employee asks you not to tell anyone, including HR, what they have told you, explain that you have a duty to alert HR. If they are suffering such behaviors, others might also. You can offer to keep their complaint as anonymous.

    Remember, doing nothing is never an acceptable option. When in doubt, at a bare minimum, reach out to HR or the compliance team for guidance.

    3) Know Where Our Policies Apply

    Our anti-harassment policies apply in any work-related setting—not just at daily work sites.

    Company picnics and holiday parties, client sites, conferences, and business meals all typically are “work-related settings,” so your duty to address harassing behaviors applies in those settings as well.

    We are not responsible for our employees’ purely personal, non-job-related behavior (thank goodness!). However, if one employee complains that another employee has harassed him or her off the job, we should take steps to ensure that the behavior does not continue at work.

    4) Lead by Example

    Your behavior sets the tone for the workplace. Always be respectful and professional and your team is very likely to follow suit.  If you have any doubt, before you act, ask yourself whether you would be comfortable if your behavior were recorded with a smartphone and then posted to the internet, with a link sent to our senior leadership. If not, the behavior does not belong in the workplace!

  • You’ve Received an Allegation of Misconduct—Now What? Arrow Down Icon Icon of solid caret pointing downwards.

    Most executives in management positions are problem solvers. Generally, this is a good thing! But when it comes to handling allegations of workplace misconduct, the urge to proactively “problem solve” can have extremely negative consequences.  

    When a manager acts independently to investigate alleged misconduct—that is, without first coordinating with legal, compliance and/or human resource departments—they may inadvertently be violating a variety of laws. And even if their informal investigation does not violate any laws, they could be undermining the success of any subsequent “official” investigation.

    As a manager, you don’t need to know the details of case law or the names of the underlying statutes that protect employees. But you do need to know what to do—and not do— when you become aware of an allegation. Below are guidelines to follow when you receive an allegation:


    • Don’t promise complete confidentiality to an employee who reports a concern to you. There may well be a need—either under the law or your organization’s policies and procedures—to alert others within the organization to the concern. Many times, this is not only to protect the employee raising the concern but also to protect others in the workplace. Failure to tell HR, legal, or compliance teams about it might result in further harm to the reporter and/or to others. At most, tell the reporting employee that you will keep the matter as private as possible, but may need to alert others in the organization.
    • Don’t start your own investigation, including interviewing witnesses, checking email, or searching the workplace. Interviews and electronic or physical searches may well violate an employee’s right to privacy. The laws relating to privacy are complicated and sometimes counterintuitive. Never conduct a workplace search without prior approval from your legal team.
    • Don’t assume you know what’s really going on. It’s all too easy for managers to assume, based on prior experience, that they know whether or not an allegation is true. Sometimes we think we’ve “seen it all before” view a person as a “complainer” who is simply seeking attention. Assumptions like these are big mistakes. Treat every allegation impartially and with an open mind.
    • Don’t share the details of an allegation with anyone unless they have a legitimate need to know. This can be difficult—it can be hard not to share “juicy” information.  But don’t do it.


    • Do secure evidence that might be destroyed before an investigator can get ahold of it. While it may not be appropriate to review documents or images stored on an employee’s work laptop, you generally will be able to retrieve the laptop and give it to your legal or security team.
    • Do check with your compliance, HR or legal teams if you have any doubts about what you should or should not do. Let them make the hard decisions. You can then help follow through as needed.

    Giving your employees confidence that workplace investigations will be handled well—and doing your best to follow the law, as well as your organization’s guidelines for investigations—is a critical part of helping your organization strengthen its culture of ethics and respect.  

  • Let’s Talk Policies: Access and Education Make the Difference Arrow Down Icon Icon of solid caret pointing downwards.

    One of your subordinates comes to you to ask if she is permitted to keep a gift from a customer. How do you know you are giving her the right answer? You certified that you read  our code of conduct and our gifts and entertainment policies but, with everything you are asked to keep track of, how accurate is your memory? 

    Our policies (including our code of conduct) are important tools for managing the business risks they address. They set the behavioral standards for all our staff members, but they are only good controls if employees consult the policies when faced with a pertinent issue, and act according to the guidance. As a manager, you have two important responsibilities related to our organization’s policies–ensuring access and use.


    Does your staff know where to find our policies and how to use them? You and your staff are responsible for complying with all company policies, and being able to access them when necessary is the first step. Here are some tips to help:

    • Make sure employees know where our policies are stored and how to access them. And don’t just tell them. You need to show them.
    • If you see that a policy is dated three or more years ago, tell the person responsible for maintaining it (or ask your boss or the compliance department, if you do not know who is responsible). Ask your employees to do the same. Outdated policies can get us into trouble just as fast as no policy at all.
    • If you think our policies should be organized in a better way to enable access and use, let the compliance department know, because poor accessibility is an organizational risk.  Controls do no good if you cannot get to  them when needed.


    One reason employees do the wrong thing is because of a lack of awareness and/or full understanding of our policy or procedure. As a manager, it falls to you to make sure they understand the types of risks and problems they may face in their jobs and how they are expected to behave.  That means they need education on  where to find the related policies, but also on how to apply the standards. Consider these ideas for educating your staff:

    • When employees bring issues or concerns to your attention, first consult all the relevant policies and/or procedures together with the employee so that your staff gets used to consulting policies first for guidance.
    • If you have an electronic policy management system, demonstrate its features to your staff. You may be able to link to training, the code of conduct and other supporting documents straight from the policies.
    • During staff meetings, bring up a business risk your employees are likely to encounter. Give them a potential scenario and ask how they would handle it. This is a perfect time to show them the related policy and explain the parts that apply to the scenario.

    Employees generally want to do the right thing. It is part of your job to make sure they have access to and know how to use all  the important tools that are available to support their efforts. Our organization’s policies and procedures are some of those tools and should be referenced and brought forward to encourage continued use. This helps to protect our stakeholders, our coworkers and our organization.

  • The Third Party Link with Our Compliance Program Arrow Down Icon Icon of solid caret pointing downwards.

    Like all great companies, we focus on ensuring that we have an effective compliance program. While our primary focus is on what we and our employees need to do to ensure compliance, we cannot stop there. Whether we like it or not, our employees are only one element of the compliance equation. We also have many critical partnerships with agents, contractors or other third parties. As a result, it is necessary for us to also focus on the qualifications and actions of our current and proposed third parties.

    Use of Third Parties May Elevate Our Risks of Bribery and Corruption

    The third parties we engage can have a significant impact on both our reputation and bottom line. While our supply chain has always focused on the qualifications and actions of our third parties with respect to quality and services, we also have to be sure that we focus on bribery and corruption risks. 

    In fact, in the U.S., over 90 percent of all FCPA bribery and corruption actions in the last few years have involved the actions of third parties. Among other issues, these cases have involved: use of illegal payments to obtain licenses or permits; bribes to ensure successful awarding of contracts; or payments, trips or scholarships to relatives of government officials to gain access to decision makers of state controlled companies.

    What Steps Can We Take to Lower Our Third Party Risks?

    If you work with or engage third parties:

    • Make sure you know and follow our policy about the engagement and use of third parties
      • Do not engage any third party without a reasonable business rationale
      • Ensure that no third party is engaged outside of our policy guidelines
    • Complete due diligence on every third party
      • Complete the appropriate level of due diligence for the third party’s risk
        • Does not have to be the same for every third party
        • However, within the same risk level is must be consistently applied
      • Complete the activity before any contract (afterward, it may be too late)
      • Regularly update the due diligence and monitor or audit compliance
      • Follow our record retention policy about documenting the due diligence and the results

    Communicate our Compliance Policy and Expectations to Third Parties

    We cannot just assume that third parties understand our expectations about what constitutes compliant behavior in accordance with our code of conduct or third party policy. Best practices require us to take steps to communicate these to our third parties and confirm that we are comfortable they have had training on the risks.

    What Are the Third Party Red Flags We Need to Watch Out For?

    Some third party relationships may send up obvious—or more subtle—indicators that the organization is not being engaged for legitimate business purposes. Some of the red flags may relate to commercial bribes and others may be more related to the bribery of government officials. Both elements of bribery violate our code and must be prevented. Look for things such as:

    • Third parties conducting business in a country with a poor corruption index or history of corruption
    • Guarantees of close personal relationships between third parties and government officials
    • Conducting business in countries with high levels of state ownership or control of businesses
    • Unusually high levels of cash or miscellaneous payments
    • Payments made to third parties which are unusually large and not properly or well documented
    • Poor reputation or credentials of any agents or third parties and any unwillingness to provide anti-bribery certifications or audit rights
    • Elaborate gifts, travel  and entertainment expected as part of doing business

    Trust but Verify

    Third parties are critical partners of ours and this communication is not meant to suggest that third parties are not trust worthy or are all willing to pay bribes. Their role in the success of our company’s strategic goals cannot be denied. Nevertheless, we must continue to exercise reasonable due diligence, oversight, training, monitoring and auditing of our third parties to ensure that they do nothing to harm our company’s reputation. “Trust but verify” perfectly sums up our relationship with third parties. Third parties with nothing to hide should not fear a strong, effective compliance program like ours.

  • Encouraging the Anonymous Reporter to Follow-up Arrow Down Icon Icon of solid caret pointing downwards.

    Our company offers employees a number of avenues to raise questions or concerns. You, as a manager, are a primary resource for your team members. An alternate resource is our company’s hotline/helpline that employees can use to report either anonymously or offer their name and contact information. We do not discourage anonymous reporting and, as managers, it is important to respect this option. We do ask, however, that those who report anonymously remain engaged in the process by following up on their reports.

    The Majority of Anonymous Reporters Don't Follow Up on Their Reports

    Research has consistently shown that seven out of ten anonymous reporters are not following-up to their reports.  This low rate makes it difficult for investigators to truly investigate a case, thus affecting the overall perceived effectiveness of the hotline/helpline program. Following-up allows investigators to pose questions that will give them additional information to the reported incident and may mean the difference between resolving a case or not. Further, these reporters are not learning whether their concern has been addressed. Both of these outcomes lead to frustration – both for reporters and investigators.

    Explaining the Process to Your Team

    Whether an anonymous report comes in through the web or hotline/helpline, the reporter is given a unique identification number as well as a PIN.  It is important that the reporter save these two numbers in a safe place. These unique identifiers will be the only way that they are able to follow-up to their report. Typically investigators will post any questions they have within ten days of opening their investigation. The responsibility then falls on the reporter to check in and respond to those questions. 

    Periodically Remind Your Team of the Importance of Reporting All Misconduct

    The company has incorporated processes during the initial intake of a report designed to increase awareness of the importance of following-up. However, we need your support in reminding and encouraging all employees who report to you to stay engaged in the process and see it through. You can do this in a group or staff meeting as part of a discussion of the overall hotline/helpline process. If you need additional information about our processes you can contact the ethics office and we will be happy to assist.

    We encourage all managers to embrace their role in developing the culture surrounding the use of a hotline/helpline and all of our reporting options. Consistent and positive encouragement can increase the effectiveness of these processes and help us all benefit by creating a stronger organizational culture.

  • Making the Most of Our Code of Conduct Arrow Down Icon Icon of solid caret pointing downwards.

    As you know, the company has a number of ethics and compliance resources in place to ensure that everyone understands our expectations and standards. These resources include training modules, our hotline and our Code of Conduct.

    The code of ethics may be the most underutilized resource that we have. It is an excellent summary of our ethics and compliance standards, and it includes information about what we need to do to report problems and ask questions. And yet, for the most part, employees only refer to the code once a year during the annual certification process.

    Everyone is busy, but if we aren’t proactive about ethics it can fall between the cracks. As a manager, you have a critical role to play in ensuring that employees and our business partners are clear on what they need to know and do when it comes to ethics and compliance. The more we discuss ethics and compliance, the more we make it clear that it is a priority for us, and that can go a long way to protect our company’s reputation and good name.

    With this in mind, here are some tips for how you can make the most of our code to help deliver important messages about our commitment to ethics. 

    • Leave a copy of the code in a prominent, visible place in your own work area. This is easy to do and can be a good first step to raising awareness about the code. Also, arrange to have printed copies of the code available in common areas and restock when necessary. Though many of our resources are online, don’t underestimate the value of physical printed copies.
    • Whenever you can, in team meetings and discussions with employees, refer to the code of ethics - especially to specific content. The more you’re seen using it, the more others will understand that it is a tool for them to use as well.
    • Employees know that you understand their working conditions and the problems they face. They’ll trust you to help them apply our code and policies and focus on what’s important to them. Be selective. Draw their attention to topics in the code that apply to their work.
    • When an employee comes to you with a concern, use the code. The code can help focus the discussion by helping to identify the specific concern and possible next steps. With the help of the code, you may be able to help turn a general question about fairness to a more specific and actionable concern. For instance, it may be that what the employee really has in mind is time charging: “I am concerned that others aren’t being held accountable and if we record time in this way, it won’t be in accordance with company policy.” Once the specific concern is identified, if necessary use the code to determine how best to escalate the issue as needed.
    • Remember: our code of ethics is not just a resource for employees; it also is intended for our business partners and even the public. We want others to know about our commitment to ethics and compliance. Refer to the code and our standards when meeting with contractors and suppliers. If you meet with prospective employees or do public presentations representing the company explore how you might be able to leverage the code in your presentations.

    And finally, we are continually gathering information about how to improve all of our ethics and compliance resources, including our code. We count on you to provide us with suggestions for how the code can be improved. What comments, praises or concerns are you hearing? Are there topics or risk areas that should be included or expanded in the next revision of the code? Have you seen other companies’ codes that you feel are more effective or user-friendly than ours?  

  • Ethics and Compliance Investigations Arrow Down Icon Icon of solid caret pointing downwards.

    As a manager, you may have questions about the role you should play when there has been an allegation that our policies or our Code has been violated.  The answer falls into three main buckets:

    1)      When you are the person accused :

    It is natural for managers accused of wrongdoing to be angry and frustrated. However, whatever the underlying facts may be, it’s important to realize that being accused “comes with the territory” of being a manager.  Sometimes employees think a manager has done something wrong when, in fact, they have not. Other times various workplace dynamics may be in play.  We understand that this is often the situation. To help us resolve the issue, here are some suggestions:

    • Don’t let your anger lead you to retaliate. While you may feel wronged and personally hurt, don’t take any negative action toward the person who raised the issue—or anyone you simply suspect of doing so. Retaliation is itself a serious violation of our policies, and will lead to discipline, even if the underlying accusation turns out to be unfounded.
    • Don’t try to give “input” or share your “viewpoint” with potential witnesses in the investigation. Even innocent inquiries can seem like pressure when they come from a manager. The best course of action is to avoid discussing the matter with anyone other than the investigator and anyone else with a legitimate “need to know.”
    • Do cooperate fully in the investigation. Share what you know. Be open and provide information requested by the investigator, even if you’re not sure why it could be important.
    • Do trust the process. The investigator’s job is to determine what happened, not to pursue an agenda against you or anyone else.

    2)      When you are not the person accused:

    Managers who learn that an investigation is being conducted in their business unit often worry that the outcome may reflect poorly on them. Other times, the manager may want to try to “solve the problem,” and address the underlying behavior themselves. While these are common reactions, it’s imperative that you let the investigation run its course:

    • Avoid the temptation to look into the matter yourself. While you may see your efforts as helping, they can undermine the investigation by alerting witnesses to what is coming or by tainting evidence. 
    • Maintain confidentiality. The investigator may need to share certain information with you. It may be tempting to share such information, but you must not. 
    • Assist the investigator if requested. The investigator may request your insight, your help setting up interviews or for you to monitor a given person or situation. Help as asked — and don’t be afraid to ask for clarification if the request is unclear.

    3)      If you learn of a potential violation of our policies or Code:

    Sometimes you may be the person that has alerted us of a potential problem. Remember, we need to know about all potential violations as soon as possible. Alert us to any potential violations, even if:

    • You do not supervise the person or people involved.
    • You did not receive a complaint, but simply learned of the potential problem indirectly, such as by overhearing others talking about it.
    • You are not sure whether the conduct does, in fact, amount to a violation. It’s far better to raise it than keep it to yourself.

    Our goal is to surface problems and resolve them as quickly and fairly as possible. This can’t be done without your support and cooperation.   

  • 4 Common Mistakes in the Hiring Process and How to Avoid Them Arrow Down Icon Icon of solid caret pointing downwards.

    Most hiring managers understand that they should avoid questions related to a candidate’s national origin, citizenship, age, marital status, disabilities, other protected characteristics, as well as arrest record, during the interview process. But is it okay to research a candidate’s social media profiles? What seemingly harmless conversation topics might create legal or ethical issues or risk?

    Follow these four guidelines to make sure your hiring processes are legal, fair and responsible—and help you identify the best candidates.

    1) Be Prepared

    The importance of being prepared would seem obvious, but many managers enter interviews without sufficient preparation. Plan your interviews ahead of time. When you’re equipped with questions that focus on the knowledge, skills and abilities needed for success, you’ll be more likely to identify great candidates—and less likely to veer into risky territory. Uncertain about whether a question is acceptable? Check with our HR or compliance department in advance.

    2) Don’t Conduct Your Own Internet Research on Candidates

    Researching a candidate online is not unlawful. Indeed, many companies do credit checks, criminal background checks and social media research during the hiring process. But looking up this kind of information on your own can create risk.

    First, you might come across information, such as photos that you feel indicate “poor judgment,” that leads you to reject a candidate. Likewise, you might find a reason to prefer a candidate, such a political causes or affiliations. The risk is that in such situations, you may substitute your personal biases for the values of our organization. It also could lead you to select someone who is not, in fact, the strongest candidate for the role. And, of course, if the reason you select or reject a candidate is based on a protected characteristic, you may be violating the law and our non-discrimination policy—clearly, a bad thing.

    Second, depending on how you conduct your research and what you find, you might be violating the law. For instance, some states prohibit an employer from asking for a candidate’s username and passwords for social media accounts. Gaining access to restricted (private) pages through “pretext”—for example, by asking a candidate to “friend” you, by posing as someone you are not, or by asking someone else to do so—also can raise legal and ethical issues.

    As a result, the best course of action is to:

    • Avoid doing background research on candidates—leave that up to the HR department.
    • If you believe researching a candidate would be helpful, reach out to HR or Compliance first.
      • Work with HR or Compliance to identify exactly what you will look for, how the search will be conducted, and who will do it.
      • Perform the same searches for each candidate. Singling certain candidates out can appear to be discriminatory.
      • Share the information uncovered by the searches with those involved in the selection process, and let the organization make the decision of how to use it.

    If the organization will be using background checks or social media research in the hiring process, inform each candidate so that she/he can plan accordingly.

    3) Don’t Make Promises About Jobs, Visas or Sponsorships

    Candidates will view you as speaking on behalf of the organization. As a result, any inaccurate statement you make to a candidate—even if you thought it was true—can be problematic, and, depending on what you say, might even create a legal problem. When it comes to questions about relocation payments, visa sponsorships, benefits information, etc., suggest that the candidate follow up with HR who are the resident experts and will be able to give the best answer.

    4) Follow Our Standard Processes for Recruiting and Hiring

    There’s a good reason we have these policies and procedures in place. If you aren’t familiar with our hiring policies, or if anyone in your department needs a refresher, talk to the compliance, HR, or recruiting team. Seeking help from experts is a sign of intelligence, not weakness!

  • Are You Approachable? Are You Sure? Arrow Down Icon Icon of solid caret pointing downwards.

    In a recent Harvard Business Review article, “Can Your Employees Really Speak Freely,” two business professors shared their research findings related to the gaps between managers’ perceptions of their approachableness, and the reality.

    As a manager, being approachable is critical, because most employees prefer to speak to their managers about ethics and compliance issues before going to HR, ethics or a hotline/helpline. 

    Based on the article, here are five questions you can ask yourself about your approachability:

    1) Do you issue general rather than specific invitations to check in with employees? “Come and see me any time” is not as effective as sending a meeting request or scheduling a specific time to check in with members of your team. Also, consider whether it is easy or hard for your team to find your office and visit. Can they come by casually, or does it feel like a big deal to stop by?

    2) What messages are you sending with your body language? The authors warn against “conveying your power through subtle cues” that indicate dominance. If you’re sitting behind a huge desk, crossing your arms, or frequently checking your phone during meetings and conversations, you could be sending a message you don’t intend.

    3) Do you follow up with employees’ questions and suggestions? If a team member comes to you with a question, suggestion or concern and you listen but take no action, your trust with that employee erodes. Commit to following up, and let them know what action, if any was taken—and if not, why not.

    4) Are most of your conversations with your team fairly formal? If you rarely have casual conversations with your employees—or if every conversation feels “high stakes”—employees will be much less comfortable sharing information with you.

    5) How do you handle brainstorming sessions? Your approachability can be significantly impacted by how you treat team members during those moments where they’re out on a limb—including sharing new or off-the-cuff ideas in front of other team members. This frequently happens in brainstorming or planning sessions. When team members feel safe and protected there, they’re more likely to find you approachable and trustworthy. 

    The more your team members feel comfortable with you, the more likely they are to speak up when they have a question or an issue. And that helps us better protect our company, our reputation and our bottom line. 

  • Ignorance Is Not Bliss When It Comes to Pay Arrow Down Icon Icon of solid caret pointing downwards.

    When it comes to pay, employers want to get it right. But before you can get it right you have to first know what “right” is – that means understanding your organization’s policies and ensuring that you consistently follow the guidance provided. Staying informed is one of the simplest ways to prevent rule violation.

    Although the rules can be complex, these 3 steps will help you and your employees stay informed:

    1.Don’t Assume, Check Your Policy
    Rules are different depending on whether employees are “exempt” or “non-exempt” from overtime. Know the status of each member of your team and if you manage non-exempt employees, be sure that you know the specific policies set by our organization. In general, employers must pay non-exempt employees at least a minimum wage for all hours worked and overtime as required by the law. But, there may be additional rules that dictate things such as timing of meal periods and/or breaks during an employee’s shift. Overtime rules may also vary by state.  For example, is it after 40 hours during the week or after a certain amount of time each day?

    2.Inform and Educate
    Ensure that employees also know the rules about their own work hours and reinforce the importance that they adhere to them. It is easier to hold employees accountable to policy when they know exactly what is expected of them. This goes double for managers. See next step.

    3.Cultivate a “Speak Up” Culture
    Create an environment where employees feel respected enough to speak up and approach managers with questions regarding policy. In a “speak up” culture there is a comfortable dialogue in which employees trust managers to be knowledgeable and forthright about external work-hour regulations and internal policy guidelines.

    Innocent mistakes and ignorance of the rules do not protect us from liability when errors in pay happen – so it is important that you understand what is expected, ask questions and get issues resolved properly. You don’t have go it alone. Employees and managers need to work together to ensure both understand and follow an organization’s policies. Managers should not be shy when it comes time to raise questions or concerns about pay or hours. 

  • 5 Ideas for Improving Your Team Culture Arrow Down Icon Icon of solid caret pointing downwards.

    Managers who create positive, respectful team cultures are not only a tremendous asset to our organization, they help protect it from the legal, financial and reputation risk that can be caused by misconduct. 

    As we end this year and look ahead to next year, we want to encourage you to reflect on steps you can take to make your team culture even stronger. Consider the ideas below—and remember that the ethics and compliance team is here as a resource for you. We would love to help you brainstorm additional ways to help employees embrace our values and mission. 

    1. Brainstorm Potential Risks: You are on the frontlines of behavior risk issues. What new issues do you see emerging—or potentially emerging—that we should stay ahead of? What existing risks might be greater in the coming year? For example, current world events and 2016 politics are almost guaranteed to increase discussions of race, religion and national origin in the coming year—and if those discussions turn derogatory, they could contribute to the creation of hostile environments and claims of discrimination. Are you ready to address such conversations in the workplace?
    2. Talk With Your Peers: Make time to talk with other managers, many of whom may be experiencing similar E&C challenges as you are. Find out what strategies they’ve tried in communicating with their teams, and what’s working—and not working—to really make a difference.
    3. Think About Incentives and Processes: Are there incentives, structures or processes that create pressure to bend the rules? For example, could financial rewards or job security concerns tempt employees to fudge data, use questionable methods to win sales, or hide failures to meet goals? Can you—or others— address these pressures and reduce the chance of misconduct?
    4. Consider Potential “Rewards”: Are there ways to applaud and acknowledge ethical behaviors on your team? Whether it’s just a verbal acknowledgement during a team meeting or a quick email—or something more formal like a certificate or mention in a newsletter—a little bit of recognition goes a long way in demonstrating your deep commitment to a culture of ethics and respect.
    5. Meet With Us: The ethics and compliance team wants to be a resource for you.  If you have any concerns about managing your team, answering tough questions or want some ideas, perspectives, or coaching on maintaining a healthy team culture, please contact us at any time.

    An organizational culture is only as healthy as its teams. Thank you for all you’ve done this year, and all you’ll do in the coming year to help us maintain a culture of ethics, integrity and respect.

  • E&C Investigations: Do’s and Don’ts for Managers Arrow Down Icon Icon of solid caret pointing downwards.

    It’s one of the parts of your job you like the least: you receive a complaint about a team member, and an internal investigation is underway.

    As a manager, your participation in workplace investigations is critical in creating optimal outcomes. You also have the very important role of maintaining confidentiality and coaching all of the team members who may be involved to do “the right things right,” both during and after the investigation.

    Here are some do’s and don’ts to keep in mind:

    • Do: Be open and honest with investigators. Now is not the time to shade the facts to steer the outcome of the investigation. We need to know what actually happened, good or bad.
    • Don’t: Discuss details of the investigation with other members of your team.  If other team members become aware of an investigation, a good talking point to use is, “For a variety of important reasons, details of the investigation are confidential, and that means I can’t discuss this issue with you. I hope you understand.”
    • Do: Ask questions about the role (if any) you are expected to play in the investigation – the compliance, HR, and legal teams want to be a resource to you.
    • Don’t:  Take any steps to investigate the issue yourself unless the steps have been approved.  Often, actions that seem like they would be helpful (questioning a member of the team or going through emails or files) can compromise an investigation.
    • Do: Be objective.  Stay neutral during an investigation: the outcome may surprise you.
    • Don’t: Retaliate. It can be difficult to keep personal feelings out of an investigation. But no matter your perspective, no retaliation is acceptable—whether against the subject of the investigation, the person who brought forward the complaint, or a witness who participates in the investigation.
    • Do: Think about what, if anything, you can do as a manager to change your team culture or processes to address the root cause of a complaint.

    Workplace investigations can be difficult for everyone involved. But ultimately, going through the process of an investigation is essential in helping correct issues that can undermine a healthy corporate culture.

  • Could it Happen Here? Supporting a Culture of Compliance Arrow Down Icon Icon of solid caret pointing downwards.

    Keeping Off-Site Employees Connected With Our Organization’s Mission and Values

    Everyone has heard the old adage, “the cover-up is worse than the crime.” So why do we continue to read news stories about organizations that knew—or should have known—about problems that could endanger public safety and ultimately damage their company’s reputation?  

    A Rash of Recalls

    A rash of recent recalls among auto-makers has brought this issue to the forefront once again. Over the past few months, several manufacturers have been forced to recall thousands of vehicles, pay millions in fines and admit that they have endangered the lives of their customers.

    In one of the cases, it is documented that the issue was discovered numerous times and either ignored or buried.  As with most organizations in this situation, the company is already facing serious reputational damage and heightened legal risk due to an issue that was known and left unaddressed.

    Could it Happen Here?

    Research shows that there are two reasons why people don’t speak up or report issues: the belief that nothing will be done, and fear of retaliation. If employees at our company have these concerns then some version of the scenario described above could happen here.

    So how do we prevent this and protect our good name and reputation?

    Don’t ignore or cover up a problem. As this case demonstrates, it rarely turns out well. If you become aware of a problem or concern that is not addressed or appropriately resolved, it is important that you speak up. And, as a manager in our organization, you have a responsibility to take action to ensure that the right people are involved to properly investigate the situation.

    Doing Your Part

    To help protect our organization, our employees and our reputation, let’s all help each other to be sure to:

    • Work issues to a satisfactory outcome
    • Recognize inappropriate pressure and be aware of the messages you send
    • Provide clear direction and make good and timely decisions
    • Watch for red flags
    • Hold others accountable to the same high standards, while showing respect
    • Cultivate and practice good communication skills and establish an open environment where retaliation is not tolerated
    • If you don’t believe the issue has been satisfactorily resolved, use another of the multiple available resources to report your concern, including the ethics hotline/helpline
    • Be a great role model—do what’s right, even when it is difficult
  • Anonymous Reports Are a Good Thing Arrow Down Icon Icon of solid caret pointing downwards.

    Our company offers a number of avenues for employees to raise questions or concerns but you, as a manager, are always our first line of defense for your team members. An alternate resource is our company’s ethics helpline which employees can use to report either anonymously or offer their name and contact information. We support and protect anonymous reporting and, as managers, it is important for all of us to align on this point and to respect this option. Anonymous reports allow our employees to make reports that they simply may not be comfortable making in person.

    We also recognize that having an anonymous report lead to an investigation in our own organization can be uncomfortable. Here are some factors and guidance for you to consider should you find yourself in this situation:

    1. Do not feel as though employees are going above you to report anonymously. Research has shown that historically 6 out of 10 reports coming in through the hotline and web reporting channels are made anonymously so this is not unique to you or your department.
    2. Supporting (and not demeaning) anonymous reports or reporters shows that you want the reporting experience to remain a safe and confidential way to make a report.
    3. When an anonymous report comes in through the hotline, it is imperative that you do not seek out the identity of the reporter. Maintaining the integrity of anonymous reports will allow the company to continue to receive actionable reports from all across the company.

    One critical aspect of these reports – that will assist in the substantiation of anonymous reports – is advising all reporters follow-up with their report. The company has made it part of our intake process to highlight the importance of following-up, but needs your support in reminding and encouraging employees who may report anonymously to stay engaged in the process and see it through. You can do this in a group or staff meeting as part of a discussion of the overall helpline process. If you need additional information about our processes, contact the ethics office and we will be happy to assist.

    We encourage all managers to embrace their role in developing the culture surrounding the use of the helpline and all of our reporting options. Consistent and positive encouragement can increase the effectiveness of these processes, and continue to make our workplace one where we are all invested in our culture.

  • Managers Have Major Impact on Preventing Workplace Harassment and Discrimination Arrow Down Icon Icon of solid caret pointing downwards.

    Workplace harassment and discrimination, in any form, can damage company culture, stifle innovation and depress morale. But the harmful effects can go much further, creating “career limiting” outcomes for managers and leaders and resulting in serious financial penalties for companies who allow discrimination issues to fester.  

    During fiscal 2014, the U.S. Equal Employment Opportunity Commission (EEOC) fielded 88,778 charges of workplace discrimination. The top five discrimination charges were retaliation, race, sex (including pregnancy and sexual harassment), disability and age.

    As managers, you are in a unique position to help prevent, identify and address potential issues. To help our organization ensure that we’re fostering a culture of fairness, ethics and respect, while avoiding the risks of legal action, managers need to: 

    • Spot and address potential issues before they grow:Keep your radar attuned to team dynamics and conversations.  If you learn of potential harassment or discrimination, you must address it. Ignoring it is not an option, even if the issue seems small or questionable. It does not matter how you learn of the issue or whether you manage the individuals involved. When in doubt, reach out to compliance, HR or legal teams.
    • Take every report seriously: Avoid bias in receiving reports; treat each report with gravity. Know that the organization does not expect you to investigate or handle every report directly, but we do expect you to notify human resources, legal, or the ethics and compliance team who have been trained to appropriately investigate these types of reports.
    • Proactively manage controversial workplace conversations and interactions: While it’s hard to avoid talking about controversial issues of the day, create an expectation and understanding that inappropriate comments and conduct will not be tolerated. If conversations become heated, take quick action to shut down the conversation and address the issue.
    • Don’t assume that your employees know the rules or know when their conduct crosses the line: Be ready to provide additional coaching or training to employees who may not be aware that their behavior is inappropriate or potentially offensive.
    • Lead by example: Your team looks to you to set the tone. Your actions and your words speak loudly: demonstrate that you will have no tolerance for harassing or discriminatory behavior by setting the standard. 

    Ensuring our workplace is free of all forms of harassment and discrimination can challenge even the best managers and leaders. If you need additional help with addressing potential discrimination issues, please contact HR, the ethics and compliance team, or legal. They can help you get to the root causes of an issue and, if necessary, get your team back on the right track.

  • Five Essentials for Providing Employee Performance Feedback Arrow Down Icon Icon of solid caret pointing downwards.

    Many supervisors feel uncomfortable giving their employees feedback. Many even avoid giving feedback altogether because they fear a negative reaction or are nervous about saying or doing something that could be seen by an employee as harassment or discrimination. Some just don’t like being critical of others.

    But giving frequent, accurate employee feedback—both positive and negative—is one of the best ways to create an engaged and motivated workforce, and is critical for the success of our organization. Here are five tips on giving feedback —while staying within the bounds of ethics and compliance best practices—for high-impact results.

    1) Set the Right Foundation

    Early on, communicate your performance expectations for each of your employees. Define the goals you want to achieve and set clear targets for each employee. Explain that you’ll check in periodically on progress towards those goals. Setting the stage for honest and frequent feedback early on will make it easier and more natural to communicate constructive feedback when it’s needed.

    2) Highlight Employee Achievements

    Employees are more motivated when their contributions are recognized. Hearing positive feedback, especially when it is timely and specific, helps employees maintain their confidence. Reinforcing and recognizing positive behaviors also helps set a strong, supportive tone for the team.

    3) Promptly Communicate Concerns

    Feedback needs to happen in real time. Without feedback, employees will naturally believe that their performance is acceptable. So, the longer you wait, the longer the problem will persist. Delaying constructive criticism also can negatively impact your team culture if other employees feel that nothing is being done about an issue that affects everyone. Giving prompt feedback sends a message that you care about your team’s success, and that you actively support improvement and growth

    4) Motivate Change

    When preparing to give feedback, especially if it includes criticism, consider these principles for the best outcome:

    • It sounds silly, but think of yourself as a superhero—today, you are going to help your employee save his or her job. If you view providing criticism as a good thing, your tone, word choice, and demeanor all will change, and the employee will be more likely to respond positively. If you start off feeling uncomfortable and defensive, however, your employee will pick up on it and the conversation will be more negative or even confrontational.
    • Be specific, both about how the employee is falling short of expectations and—most importantly—what the employee needs to do in order to succeed. Without a specific “target” to aim for, it will be difficult for the employee make the changes you need. Agree on a time frame for improvement.
    • Determine whether the employee will need support such as training, how-to guides, mentoring, etc.—and then provide it.
    • Let the employee respond to the feedback. She may feel caught off-guard in the moment, so allow some time for processing and response if necessary.

    5) Document the Conversation

    Once you’ve provided feedback, make a record of the conversation using specific, factual descriptions. A good tool can be an email to the employee recapping your conversation. Document:

    • How the employee is falling short of, meeting, or exceeding expectations. Be specific.
    • Your expectations for performance going forward.
    • Employee’s responses and agreement to make any required changes.
    • Specific details of what the employee needs to do differently, and the agreed timeline for success (action plan).

    Employee feedback doesn’t have to be an uncomfortable or defensive process. It is a valuable tool for growth and should be done frequently. Use these tips to provide feedback that motivates change and helps build empowered, resilient, and skilled teams.