2018 Summer of Compliance
In an expected ruling, the Supreme Court held that Dodd-Frank’s anti-retaliation provision does not extend to an individual who has not reported a violation of the securities laws to the SEC. The court signaled this outcome in the oral arguments and in the end, the decision was 9-0. It turned on the textual and legal definition of who is a “whistleblower” within the statute. From the ruling:
Sarbanes-Oxley applies to all “employees” who report misconduct to the Securities and Exchange Commission (SEC or Commission), any other federal agency, Congress, or an internal supervisor. Dodd-Frank defines a “whistleblower” as “any individual who provides . . . information relating to a violation of the securities laws to the Commission, in a manner established, by rule or regulation, by the Commission.”
There will be a lot of discussion in the compliance and legal press about what this means for organisations and their compliance programmes. There will also be discussion as to whether consideration should be given to modifying the language in Dodd-Frank to expand the protections. We will see how this all plays out.
In the end, what this ruling really highlights once again is the importance of organisational culture and preventing retaliation from occurring in the first place. We know that culture always supersedes legal compliance and one could make the case that all of this discussion falls into the area of looking for legal loopholes rather than focusing on the spirit and intent of strong ethics and compliance programmes.
Time and time again, research shows that employees much prefer to report an issue to their immediate supervisor than to have to take it up the management chain or outside the organisation. Time and time again, the agencies report that employees have tried to raise their concerns internally before coming to them. And yet, we continue to think we can dictate the “terms and conditions” of taking issues outside the organisation. We cannot.
Any board of directors or senior leadership team that sees this ruling as an opportunity to take the pressure off strong oversight of reporting practices will do so at their own peril. The outcome of this ruling will likely be that more issues are taken directly to the SEC without the opportunity for an internal review.
We know that many of these issues – both accounting issues and claims of retaliation – are already going directly to the regulatory agencies. This problem existed before this most recent ruling because these employees do not trust that the issue will be handled appropriately internally.
And now, we are seeing very public evidence of these whistleblowers finding alternate channels to make their voices heard.
The whistleblower is starting to sound very different. It’s a little stronger, a little bolder, and a little louder.
A review of the SEC whistleblower programme’s 2017 Annual Report to Congress gives us a quantifiable look at the monetary force behind this voice. Since the SEC issued its first whistleblower award in 2012, it has proceeded to award approximately $160 million to individuals who have come forth with a report that led to a successful enforcement action. Fiscal year 2017 was a particularly active year with the SEC doling out three of its 10 largest awards of all time – awarding a total of $50 million (almost a third of all award dollars to date) to 12 individuals. And just last month in March 2018, the SEC issued its largest individual award ever at $33 million.
There is definitely something happening here. More reporters are coming forth with substantiated reports, and the awards for those reports are increasing in number and size.
Going deeper into the annual report, we get a particularly interesting glimpse at the future with a look at the Office of the Whistleblower’s Investor Protection Fund. This is the fund that ensures whistleblower award payments do not subtract from the money to be rightfully returned to investors. Therefore, this is also the fund from which the office will pay out future whistleblower awardees. After the balancing of the 2017 budget, this fund currently has over $320 million in it. That is more than double what the SEC has paid out in all the years it has been in operation. So the SEC is not only poised to maintain its steady growth in annual payouts, but ready to ramp it up as well.
The volume and size of awards are not the only thing on the up. Tips, the submitted reports of whistleblowers, have increased even more drastically. In 2011, the first full year of data from the programme, the SEC received 334 whistleblower tips. A modest start. In fiscal year 2017, the programme received 4,484 tips.
The type of money the SEC is sitting on is not only incentivising reluctant whistleblowers, but it is also fueling investment from an ever-expanding cadre of constituents. This is especially true for venture capitalists who are backing whistleblowers to fuel high-stakes cases for a portion of the payout. This type of support makes whistleblowers louder than ever, and more capable than ever of surviving and prevailing in lengthy court cases.
External whistleblower reports can thoroughly shake a company, its reputation externally, and its culture internally. Aside from eliminating wrongdoing, there is no benefit to a company by having its dirty laundry aired, litigated and charged on the mainstage. Companies should do their best to ensure they hear and resolve whistleblowers’ reports internally before they are motivated to go outside. Here are a few best practices to not just hear whistleblowers, but to actually show you’re listening.
TAKE A VERY HARD LOOK AT YOUR INTERNAL COMPLAINT PROCEDURE
Your company needs to have a robust whistleblower hotline and incident management system. This ensures employees have multiple channels for reporting. These avenues must also be transparent, and, well, real. As a compliance practitioner responsible for protecting your organisation, you should be testing these channels regularly to ensure reports are being properly received, processed, escalated and ultimately resolved efficiently and effectively.
Additionally, create an environment where employees feel confident in their ability to raise issues internally:
» Identify and address cultural and organisational barriers to a “speak-up culture.” Report on culture issues and improvement plans to the board of directors.
» Address the issues of fear of retaliation directly. Train managers about their responsibilities, including their responsibilities to escalate concerns. Publish sanitised case studies of actions taken against retaliators. Implement a programme to monitor for potential retaliation.
» Ensure that robust escalation policies are in place requiring notification to the board of allegations relating to issues that could cause serious reputational or financial harm to the organisation.
» Don’t be lulled into a false sense of security. Just because concerns of retaliation have not been raised through formal channels doesn’t mean that it is not occurring in the organisation. Test the system.
EMPLOY CLEARLY THOUGHT-OUT INVESTIGATIVE PROTOCOLS
Every company should spend time thinking through in advance how it will investigate cases of varying nature and severity. This should include a plan for dealing with the individual who comes forward during the process to ensure they do not feel shunned, ostracised or retaliated against in any way, shape or form.
TRAIN FRONTLINE MANAGERS
Compliance training may be the most important thing companies can do. There needs to be a renewed commitment to training, most significantly for frontline managers. Managers need to understand what a complaint and protected activity look like. And they need to know how to respond to internal reporters. There is no room for responses like, “keep your head down, and I’m sure it will get better.” Finally, managers need to know what they are supposed to do once they get a report, how to escalate it, and what their role is in the investigation.
Whistleblowers, and the internal corporate programmes managing them, have always been an integral part of not just improving corporate transparency, but also improving a company’s performance and bottom line. Today, the voice of the whistleblower is getting stronger and louder and companies need to double down on their incident management processes and efforts to develop a healthy speak-up culture that encourages employees to report internally first. This will ensure companies have a chance to resolve issues before they fester and result in significant reputational or financial damage to their brands.
While we have known for years that culture will always win over compliance, data from across our NAVEX Global benchmark reports and surveys of compliance officers shows a disturbing trend – employee-facing initiatives are becoming more focused on compliance rather than driving a culture of integrity and respect. Our data shows this across various initiatives including:
» Training objectives
» Writing and managing organisational policies
» Managing third parties
» Reporting systems and processes
On one hand, this is not a surprise. Our surveys and benchmark reports indicate that more programme elements are under direct scrutiny in legal and regulatory action – most notably organisational policies and third-party risk management. It is understandable that organisations are tightening up processes and documentation in response to the scrutiny.
However, it is failures in organisational culture that continue to draw the reputation-destroying headlines. So how are organisations responding to these headlines? Our survey results show they are putting even more focus on compliance. This is a downward cycle that leads to what is called “vicious compliance” (when judgment and ethics are considered less than doing what is required) and ultimately, even more colossal culture failures.
Let’s look at the most recent data causing this concern. For the first time in the four years of our annual Training Benchmark Report, “create a culture of ethics and respect” dropped to number two behind “comply with laws and regulations” as the top objective for training. And the drop was significant as shown below (note that multiple answers could be selected):
Even more concerning were the results to the question: “How does your organisation best define a culture of ethics and respect?” where multiple answers were again permitted. While “encouragement for speaking up, asking questions, and raising concerns” was the top answer (45%), very close behind was “alignment to regulatory requirements and guidelines” (40%). It is hard to understand how alignment with regulatory guidelines is the best way to define a culture of ethics and respect.
Of further concern, the lowest ranking responses included answers we believe would much better define a culture of ethics and respect:
» Retaliation is not tolerated (20%)
» Rules are enforced equally regardless of level (20%)
» Openness to alternative viewpoints and backgrounds (9%)
Finally, from our Hotline Benchmark Report and webinar survey, we continue to find disturbing results relating to issues of retaliation and lack of focus on proactive efforts to prevent or address retaliation. External agencies continue to receive a high rate of complaints of retaliation. Internal complaints remain below 1 percent of all reports received. We surveyed compliance officers about where retaliation prevention falls in their programme priorities and were stunned to find that the majority of respondents said it was not a priority. Reducing fear of retaliation is one of the most important ways to improve a “speak-up” culture, yet it is not the priority.
Effective and mature programmes must do two things well:
» Selling: This includes the messages and documentation needed to get the necessary programmes funded and identified risks addressed. The audience for “selling” is usually the board of directors and senior management.
» Winning: This is what succeeds in changing culture by “winning” the hearts and minds of employees, securing their engagement in the process. Ultimately, the culture has to support compliance with policies, laws and regulations before it can be achieved. The audience here is all employees—including executive management—and often other external stakeholders.
While the messaging and approach may be different for each audience, both are critical to success. Yet what we see now is more organisations that approach “winning” by focusing on even more compliance and box-checking. This will not work.
Further, the “selling” message is missing the mark. For example, when it comes to employee training, we found the percentage of organisations conducting board training dropped to 44 percent from 58 percent in 2017. Of those who did board training, only 29 percent trained on corporate culture and only 23 percent trained on board oversight obligations. If the rationale for the programme’s existence is not understood, and the business value behind a culture of ethics and respect not clear, boards and senior leaders will not see the value of the investment.
This brings us back to the downward cycle and danger of focusing on compliance without proper attention to culture (where culture is defined as “the way things really get done around here”). We’ve seen it too many times; requirements are met for their own sake, but not linked to cultural enhancement. When you have the kind of compliance programme that’s so prescriptive that all the compliance officer (and employees) do is check the boxes, an environment is created where employees and leaders look for loopholes to simply satisfy the task—rather than asking themselves what the right thing is to do. This inevitably leads to an increase in employee cynicism, and employee understanding of what is really important diminishes. In this way, your programme can actually work to undermine the organisation’s culture, and the unintended consequence is that we actually achieve less compliance.
As stated above, we need to find the right balance between selling and winning. So, what is the best approach?
AUTOMATE & KEEP "VICIOUS COMPLIANCE" TASKS IN THE BACK OFFICE
Technology and automation will help reduce time spent on manual processes, improve reporting and analytics needed to demonstrate ROI of the programme, and allow more time to focus on a culture of ethics and respect, but they should not be the entirety of your compliance efforts. Checking the required box is not enough.
» Use compliance and risk management messaging as needed to demonstrate the necessity of various programme elements to key stakeholders.
WORK "ETHICAL CULTURE" MESSAGING & SUPPORT INTO ALL ASPECTS OF EMPLOYEE-FACING PROGRAMME IMPLEMENTATION
» Ensure that training is role and risk based and clearly communicates the “why” of the expectations.
» Develop useful, clear and consistent policies that aren’t full of legalese.
» Devote considerable attention to creating a speak-up culture without fear of retaliation. Ensure issues are addressed in a timely way. Make retaliation prevention and monitoring a priority, and tell all employees about actions taken against retaliators.
» Review business objectives and compensation plans to ensure that these will not put unacceptable pressure on employees to achieve results. You should also consider very careful selection of business partners who also will not put inappropriate pressure on employees to cross the line. Understand the risk of all your third parties by having a reliable system that alerts you to possible cases of misconduct, and guarantee that your partners and third parties understand your organisational values.
» Finally, and most importantly, leadership accountability is what every employee is watching. In the end, what happens to the top performers who violate the rules will send the loudest message of all to the organisation.
Let’s make 2018 the year that we break the cycle of trying to “fix” culture with more compliance.
Internal audit is an organisational function that has seen its share of change over the years. Previously seen as pseudo-actuarial work, complete with green-capped visors, auditors today are taking on more responsibilities than ever and are more often seen as secret agents that heroically defend organisations from fraud and failure. From Sarbanes-Oxley (SOX) to cyber security, internal audit teams are now responsible for stress-testing and measuring the strength of the controls, policies and procedures that guide employee behaviour day in and day out.
Internal audit’s origins in financial controls and compliance have prepared it to tackle the complex corporate behaviour standards found in regulations such as SOX and Dodd-Frank. As the requirements of these regulations become routine, we are beginning to see new internal auditor responsibilities taking on heightened importance and urgency.
Similar growth is being seen in audit’s expansion into cyber and IT audit, which were once considered issues of the future. Today, increased scrutiny on data security and management has made these efforts a major part of internal audit’s responsibilities.
Audit’s Responsibilities Evolve Alongside Technology
The use of technology is increasingly critical to how organisations do business, and can no longer be managed solely by an IT division in an organisation, nor is it something organisations can audit “someday.”
At the 2018 IIA/ISACA conference in Nashville, audit’s growing cyber and tech responsibilities took over the conversation. The requirement to understand cyber security threats and to guard against them has become the responsibility of every employee. A common sentiment was that “information technology is no longer a department, but rather a part of all departments.” In response to the risks that come with new technologies that we are just learning to use (much less protect), internal audit is asking: how do auditors – traditionally accountants by trade – keep up with the growing diversity in their growing responsibilities?
They grow, and they learn. Internal audit teams are making efforts to recruit more people with a variety of backgrounds and perspectives to best manage the expansion of their roles across organisations. And if that proves unfruitful in today’s fully employed marketplace, they are turning to organisations like ISACA, which provide training to empower auditors to learn the skills necessary to audit their organisations’ technologies. With this expansion in both size and scope, internal auditors’ visibility is growing across their organisations. Nowadays, it’s increasingly likely that in your organisation, an internal audit team or audit committee is reporting directly to your board of directors.
Today, internal audit is building strategies and developing processes that many departments will benefit from just by association.
Internal audit is in the midst of a profound transformation that could, ultimately, lead to big changes in how it and compliance work together. For compliance professionals who are close with their friends in internal audit, now is a good time to put a little more love and care into the relationship.
You can see glimpses of that potential future in several surveys that hit the internal audit world this spring. Those surveys come from a variety of sources — the Institute of Internal Auditors as well as some professional services firms — and all reach essentially the same conclusions: audit is maturing.
First, internal audit is searching for new ways to add value to the overall enterprise, beyond its historical duties of financial audits or testing controls for Sarbanes-Oxley compliance. Second, internal audit is also racing to add more data analytics capability, so it can be more comprehensive in its job of assessing risk and identifying weak spots in business processes.
Bring those two points together, and you arrive at a third conclusion.
Internal audit, the so-called “Third Line of Defense” against corporate misconduct, will be able to add value by helping other functions in the first and second lines of defense run their business processes in a more effective, risk-aware manner.
That is, while doing its day job of analysing risk and finding ways to reduce risk to reasonable levels, internal audit could also perform more of a “business process improvement function.” For instance, the audit team might create an algorithm to analyse a pile of data and identify risk. After it’s done, it can leave that algorithm with the operating business unit so the operations unit can monitor that risk itself.
For example, your company might have a policy that travel and entertainment expenses below £50 don’t need receipts. The audit team could build an algorithm to find employees with an unusually high number of expenses at £49 — just below the threshold where they would need to supply documentation.
Presto! The finance and compliance teams have a new tool to help identify possibly suspicious payments (how many bribes have been smuggled through the T&E account, after all?) when previously you were searching for illicit needles in giant haystacks of data.
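The threshold check described above, sketched as an added example (it is not code from the original article). It assumes claims arrive as (employee ID, amount in pence) pairs, treats the last £5 under the £50 receipt threshold as "just below", and compares each employee against the rate seen among their peers with an exact binomial test; the employee IDs and amounts are constructed.

```python
"""Flag employees whose expense claims cluster just under a receipt threshold."""
from collections import defaultdict
from math import comb

RECEIPT_THRESHOLD_PENCE = 5000  # the article's example policy: receipts needed from GBP 50
BAND_PENCE = 500                # assumption: "just below" = last GBP 5 under the threshold

# Constructed sample data: (employee_id, claim amount in pence).
SAMPLE_CLAIMS = (
    [("E100", a) for a in (1250, 3200, 7800, 4900, 2100, 6400, 1899, 2750)]
    + [("E200", a) for a in (950, 12000, 4300, 5100, 2300, 4650, 8800, 1500)]
    + [("E300", a) for a in (4900, 4950, 4900, 4999, 4900, 2200, 4900, 4875, 4900, 1300)]
    + [("E400", a) for a in (4900, 4900)]  # 100% in band, but too few claims to judge
    + [("E500", a) for a in (600, 2500, 3300, 15000, 4100, 720)]
)


def in_band(amount_pence, threshold=RECEIPT_THRESHOLD_PENCE, band=BAND_PENCE):
    """True when a claim sits in the window just under the receipt threshold."""
    return threshold - band <= amount_pence < threshold


def binomial_tail(k, n, p):
    """Exact P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def flag_threshold_hugging(claims, alpha=0.01, min_band_claims=3):
    """Return employees with significantly more just-under-threshold claims than peers.

    alpha and min_band_claims are tuning assumptions: the minimum count stops
    an employee with only one or two claims from being flagged on a 100% rate.
    """
    totals = defaultdict(int)
    near = defaultdict(int)
    for employee, amount in claims:
        totals[employee] += 1
        if in_band(amount):
            near[employee] += 1

    all_total = sum(totals.values())
    all_near = sum(near.values())
    findings = []
    for employee, n in totals.items():
        k = near.get(employee, 0)
        if k < min_band_claims:
            continue
        # Leave-one-out baseline: the employee under test must not inflate
        # the "normal" rate they are being compared against.
        peers_total = all_total - n
        if peers_total == 0:
            continue
        peer_rate = (all_near - k) / peers_total
        p_value = binomial_tail(k, n, peer_rate)
        if p_value < alpha:
            findings.append({
                "employee": employee,
                "claims": n,
                "near_threshold": k,
                "peer_rate": peer_rate,
                "p_value": p_value,
            })
    # Most anomalous first, so reviewers start with the strongest signal.
    return sorted(findings, key=lambda f: f["p_value"])


if __name__ == "__main__":
    for f in flag_threshold_hugging(SAMPLE_CLAIMS):
        print(f"{f['employee']}: {f['near_threshold']}/{f['claims']} claims just under "
              f"threshold (peer rate {f['peer_rate']:.1%}, p={f['p_value']:.2e})")
```

A flag is a prompt for review of the underlying claims, not a finding of misconduct; the band width, significance level and minimum count should be tuned to the organisation's own claim volumes.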
Audit has a bright future of improving effectiveness and efficiencies far outside its own department, and compliance professionals need to take note.
COMPLIANCE SHOULD BE TUNED IN TO INTERNAL AUDIT ENHANCEMENTS
Reducing the risk of misconduct is one of the top goals for compliance officers. Anything that helps to achieve that end is welcome.
So how can ethics and compliance officers work constructively with a more powerful and precise internal audit function? And just as important, how can you ensure that internal audit and other operating units don’t engage in risk management or business process improvements without considering the compliance department’s needs?
1. UNDERSTAND WHAT DIGITISATION MEANS FOR BUSINESS PROCESSES
Understand what’s really happening here. As more business processes experience digital transformation, they become part of an ecosystem that can be evaluated efficiently with data analytics.
Twenty years ago, even simple T&E validations would require an army of auditors to sift through oceans of paperwork and spreadsheets. We could say the same for due diligence programs, whistleblower hotlines, bonus payments, and much more. The data existed, but not in a format that could be studied. Now the data can be studied.
2. MAXIMISE INTERNAL AUDIT IMPROVEMENTS THAT CAN ENHANCE COMPLIANCE EFFORTS
Know what business process improvements you want to see. Operating units typically want processes to become more efficient: faster, simpler, more profitable. Internal audit departments typically want to reduce the risks that either (a) the board tells them to reduce; or (b) they want to reduce, depending on their enterprise risk assessments. In a world where more improvements are possible, it becomes more important for compliance to know which improvements are the ones worth pursuing — and which aren’t.
3. CREATE EFFECTIVE DETECTION METHODS THAT CAN BECOME DETERRENTS THEMSELVES
Think about messages, not just monitoring. An effective internal audit team telegraphs to employees that the organisation has the ability to detect suspicious activity all through the organisation. The greater analytics ability strengthens the company’s control environment — the overall message the company projects to employees and third parties about how seriously it treats potential misconduct.
Or put another way, a greater ability to enforce a policy tells employees that the policy’s objective is taken more seriously. How can the ethics and compliance team leverage that? Which policies and objectives do you want to emphasise? What analytical tools could you use to emphasise them, while internal audit does its usual job of finding and reducing risk?
This transformation of internal audit will be a long time coming. Some internal audit functions already do dazzling things; some are still tiptoeing into this new world with small staffs and tight budgets. Regardless, this future is going to come. Compliance officers should be prepared to seize the opportunity when it does.
Data privacy laws have evolved dramatically, and enforcement has increased as well. The financial and reputational impact of data privacy now feels very new to many legal, IT and compliance teams. Understanding the nuances of these privacy laws is increasingly complicated. Adopt a strategy through which you view your data across all geographic locations where you do business, store data or utilise vendors.
Developing and monitoring data management practices is key to any privacy compliance programme. Know how and where you are storing data, whether it is moving across borders, and if data localisation regulations apply. Consider how your privacy practices will be replicated and managed in all countries. The protection systems you are building will not always be sufficient across all jurisdictions and can actually increase data vulnerability.
DATA BREACHES
Data breaches are a global phenomenon. Although we have been seeing breaches at a higher volume in some geographical regions, this is a global concern. The key is to plan, prepare and then plan some more.
What You Need to Know:
» Policy & Procedure Resilience: Know how your policies and procedures will perform in a data breach. Are they comprehensive enough to combat the complexity of modern attacks and human errors? Test your policies and employee knowledge.
» Cross-Jurisdictional Breach: Breaches that affect a variety of data sets and/or regions make prevention and containment exceptionally difficult. Understand where your data is, regardless of location, and the unique regulations that apply so you can respond quickly.
» Crisis Communications Plan: In the event of compromised data, you should inform your employees, the public, and shareholders in a thoughtful and accurate way. Data privacy is about building trust, so having an effective crisis communication plan will help your organisation be responsive and transparent in an effort to preserve the trust of your people.
VENDOR MANAGEMENT & DATA PRIVACY
Vendors can often be a serious concern for data privacy, with potential loss or vulnerability of your organisation's data. Companies of all sizes are being targeted by cyber attacks as a way to infiltrate connected third parties and work their way up the supply chain.
What You Need to Know:
» Vendor Privacy: Ensuring privacy is part of every vendor agreement. Embed privacy protocols into vendor management programmes instead of developing and implementing a separate privacy programme altogether.
» Audit & Notification Rights: With vendors, you don’t always know when a risk arises so the opportunity for prevention and containment is reduced. Require vendors to notify you of any breach, or suspected risk, associated with the data they have or access. Retain the right to audit the data practices of each vendor to ensure they meet your privacy standards.
» Indemnification: Your vendor agreements should ensure that your third party indemnifies you appropriately for losses.
The General Data Protection Regulation (GDPR) definitely rises to the top of virtually any privacy discussion. The GDPR is not just a major concern for privacy officers, but it may also prove to be one of the biggest issues facing the GRC space in 2018. The scope of the regulation is broad, its extraterritorial reach extensive, and penalties for non-compliance are high. There is a lot built into this regulation and EU regulators expected organisations to be in compliance by its enforcement date of May 25, 2018.
What You Need to Know:
» Penalties: Failure to comply with the GDPR can result in fines of up to 4 percent of your organisation’s global annual turnover (revenue), or up to €20 Million, whichever is greater. Penalties for lesser offenses, such as failure to keep accurate records or failure to promptly notify of a breach may result in smaller fines. These fines start at 2 percent of annual turnover or €10 Million, whichever is greater.
» Extra-Jurisdictional Reach: Under the new territorial scope of the GDPR, many organisations that were not previously subject to the EU directive will now be subject to GDPR. It cannot be assumed that because you do not have a business operation within the EU that you do not have to abide by the rule. The law will apply to many organisations that sell goods or services within the EU regardless of business presence.
» Privacy Impact Assessment: Performing privacy impact assessments is a requirement under the GDPR for controllers. These assessments must be conducted across all areas of the business where personal data is collected, managed and/or used.
» Privacy by Design: Data protection is now a legal requirement under the GDPR. This means that data protection and privacy-by-default concepts not only have to be embedded into the development life cycles of products but also across the enterprise to areas like vendor management and selection, human resources and policy and procedures. Privacy needs to be a holistic consideration.
» Breach Notification: The GDPR requires that controllers notify supervisory authorities within 72 hours of becoming aware of a breach of personal data. There are some exceptions such as when the breach is unlikely to result in harm to the individual, but generally organisations will need to abide by the new 72-hour rule or have a very good reason for delay.
The GDPR is a broad and complex regulation. It is key though for CCOs to understand, at least at a high level, the requirement and potential penalties for non-compliance. What is crucial to understand is that the law is intended to protect the owner of personal data – and that’s the individual, not the organisation.
IDENTIFY YOUR PRIVACY LEAD
Even if your organisation is not legally required to hire a Data Privacy Officer (DPO), it is still best practice to appoint someone to stay informed and lead your team on data privacy concerns.
DEVELOP A PRIVACY COMMITTEE
Similar to hiring a DPO, you may not be legally required to have a privacy committee, but it will support your organisation in embodying a “privacy by design” mentality throughout your business operations. This committee could naturally be woven into a preexisting compliance committee or serve independently.
UNDERSTAND YOUR GEOGRAPHICAL FOOTPRINT
Map out all jurisdictions in which you operate and know exactly which laws apply. This should be a responsibility of your privacy lead, so that someone knows the suite of laws that apply to your operations and how you are addressing your compliance with those laws.
TRAIN YOUR VENDORS & EMPLOYEES
Data breaches are still often a result of human error. Ensure your vendors and employees are being trained on all the forms of modern cyber attacks like phishing, but also on the larger practice of social engineering.
» WEBINAR: Top 5 Privacy Concerns CCOs Should Care About
» SAMPLE POLICY: Data Breach Response Policy
» SAMPLE POLICY: Information Security
Business leaders, academics and others have shared and debated ideas about ethics, compliance, internal controls and governance. The early ethics officers borrowed from one another and often collaborated on innovative approaches to common problems. Over time, the business ethics movement gained momentum and spread worldwide. Within a decade, working professionals in the field settled on best practices for organisational compliance. As new technologies became available and new challenges emerged, innovations continued, especially with respect to training, reporting and data management.
As a group, ethics officers are risk-averse by nature – in fact it’s safe to say that avoiding or minimising risk should be their most essential trait. But when you build a profession out of risk-averse people, no one should be surprised when out-of-the-box thinking is rare and even discouraged. Better to be safe than sorry.
In recent years, at conferences and through associations and networks, professional discussions have grown more and more focused and granular. This is to be expected. What was first a movement has become a profession, and much of your time and energy is now devoted to fine tuning ethics and compliance programmes, developing efficiencies, and addressing gaps and weaknesses that surface. Thus, as the ethics and compliance field has matured, an unfortunate development has occurred. The insulated and risk-averse discussions have inadvertently created the conditions that can lead to stagnation. If not corrected, this can eventually undermine your relevance.
In the early days of the movement, innovation and new perspectives often came from academia. However, academic business ethics research is now either dominated by an anti-business bias or it is overly theoretical and impractical. Business ethics centres and think tanks are geared toward the lucrative leadership retreat model. The leadership retreat model features annual getaways for corporate leaders where they can discuss ethics and values with “thought leaders.” These retreats may inspire some, but have little lasting impact on improving corporate cultures or advancing ethics and compliance initiatives. Associations and conferences, once a key source of new ideas, are now indebted to the status quo, and presentations are mostly old ideas dressed up in new packages.
How can we rekindle innovation, collaborate across the industry and challenge one another to tackle new problems and solve old problems better?
Looking ahead, we do have reason to be optimistic. The profession is still growing. New ethics officers from diverse backgrounds are joining the ranks. Global and regional organisations are challenging what has for too long been a European and U.S.-centric industry. Hard lines such as those that divided corporate social responsibility and values-based programmes from E&C are being blurred. Most importantly, old networking models are giving way to online networks that provide new and unprecedented opportunities to share ideas and collaborate. The only thing standing in the way of innovation is a willingness on your part to be bold, to take some risks, and challenge assumptions.
We can be sure that new ideas and new approaches will emerge, and they are likely to be novel ideas that those of us who have been around for a while would never think of. While we await these new ideas, and in the interest of priming the pump, we offer a few questions for consideration in the hope of jump starting new debates in 2018. Our questions start with the position of the ethics officer – its function and effectiveness and how we can best approach the challenges we face.
We have been working toward corporate ethics and compliance accountability for decades now. And as every established business function should, compliance needs to assess the progress it has made and continue improving its trajectory. Consider the questions below to spark your innovative thinking.
For instance:
» How have regulatory and other pressures altered the role of the ethics office? Do compliance programmes allocate time properly between managing their programme, crunching data and providing status reports versus time spent interacting with employees?
» Do corporate leadership responsibilities support or detract from ethics and compliance efforts? Do rising leaders in the organisation have ample ethics training? Is a demonstration of ethics, civility and respect a job requirement for promotion and hire?
» Do ethics and compliance training budgets have any room to train managers organisation-wide so that they are comfortable doing more to support ethics and compliance?
» How can the value of local ethics officers be integrated with global corporate compliance efforts? Is there value to be achieved with a matrix of part-time local ethics officers who coordinate with corporate ethics officers to better understand and influence cultures and subculture?
» Instead of a central, corporate ethics officer overseeing all ethics initiatives, is it better for some programme elements – risk assessment, for example – to be handled by other functions such as Audit?
Key steps for organisational innovation start with innovative compliance professionals. Consider the steps below from professionals currently innovating in the field of compliance.
UNDERSTAND WORKPLACE ADJACENCIES
Figure out—in the domain that you serve in GRC—what some of the adjacencies are that live in a silo next to you. What could you learn about those adjacencies that will actually help you make connections in the organisation you currently work at, or maybe in a future position? The ability to integrate these functions and have them truly be centers of business excellence versus cost, which is often how compliance is viewed, is a very effective path to influence. This is where you land on the cutting edge of being a forward-thinking compliance professional.
BE A SCIENTIST AND AN ARTIST
Make your compliance work a mixture of science and art. Gather key data points that are indicators of programme effectiveness. These could include your surveys, benchmarks, attestations, audit results and HR statistics. That’s the science part. Next you need the art. ROI is a story of effectiveness. You can have all the data in the world but if it’s not packaged in a way that makes sense to whomever is your audience, it will fall on deaf ears. And remember to trust the “soft side” of data gathering. Your intuition on how leadership in various locations is responding to and supporting your programme is a key point of your analysis.
FACILITATE THE “YES” WHEN POSSIBLE
Whenever possible, say yes to the business. If the business has requested a process or procedure that you cannot approve, see if you can find another way to get to the business’ desired outcome. For instance, the sales staff at a company I consulted for wanted to work with a competitor to share information to provide a new service to the market. The way that they wanted to do this would clearly violate competition law, so I knew I would have to say no. Instead of saying no, I asked them for details about the outcome they wanted to create. The business told me that the other competitor had a new service that would pair brilliantly with the offering of the company for which I was consulting. We figured out a way to bundle the product and service together in a joint offering via a third-party. That worked to create the market opportunity the company wanted while protecting the company’s reputation and eliminating the risk of a regulatory investigation. Whenever you can facilitate a “yes,” do so.
COMMIT TO SELF-EDUCATION
Make a commitment to continue with self-education in a regimented way. It's one thing to say, "Oh, I'm going to learn more about X, Y, and Z” or “I'm going to try and read more on this topic.” It's another thing to actually execute on that. So I'm a big believer that a minimum of an hour in your calendar each week should be dedicated to pure personal education. For me, I split that hour by focusing half on subject matter expertise in new areas that I feel like I need to fine tune my learning or acquire new knowledge. The other half is related to broader business skills and gaining a better understanding of emerging markets and business growth. That's a really specific, tactical answer but I actually think it's a great discipline to get into – to actually calendar your educational time.
ADAPT AND CAPITALISE ON ORGANISATIONAL INTELLIGENCE
Create allies and build trust at a variety of department levels. Learn and exercise organisational intelligence. Identify key influencers and decision makers who you will need to work with on a regular basis to keep your programme running smoothly. Ensure you have a good working relationship with those below the top person in each group because a change in one key person could set back good progress if there isn’t a backup set of relationships.
Recognise that change tolerances vary. Managing compliance is very much about managing people, their expectations and their buy-in into programme goals.
LOOK FOR THE MOTIVATION OF THE BUSINESS
When you’re asked for approval or advice on a project, do you look at the request on the paper, or do you try to see where the project fits in the greater context of the company’s plans? Wildly effective compliance officers always try to understand the business and to see where the project and problems fit in. When you understand the motivation of the business, you will be better placed to give more fulsome advice. You will also be able to anticipate the secondary and tertiary requests which will be coming once you’ve given approval or denial for the project, so you can streamline the request process by anticipating the next question and answering it where appropriate. The more you understand the business and understand the motivation behind the request, the more effectively you can answer queries.
» CASE STUDY: Bumble Bee Seafoods Shores Up Ethical Culture
» WHITE PAPER: 10 Steps to Create an Organisational Culture of Ethics, Integrity & Compliance
» WHITE PAPER: Solving the Top Five Concerns of Compliance Professionals
» QUICK VIDEO: How to Become a Change Agent
» DEFINITIVE GUIDE: Compliance Programme Assessments
For decades, victims of harassment have been silenced and blamed for the conduct of harassers, while the perpetrators’ behaviours have been tolerated, and, in the most egregious of cases, enabled.
Traditional methods of recourse available to victims – such as making an internal report or filing a charge of harassment or lawsuit – required effort, courage and risk by the victim, but netted little in the way of true cultural or institutional change. Victims have learned over time that individual action has minimal effect on rebalancing a culture that condones retaliation, improperly assesses the risk of keeping perpetrators on staff, and turns a blind eye to the true cost of such behaviours.
Today, however, victims of harassment have found a new way to voice their experiences. The internet and social media tools have shifted the balance of power. And organisations in all industries and of all sizes are feeling the tremors. Sexual harassment and sexual assault allegations have surfaced about powerful and influential men, and media coverage of these revelations has dominated news cycles. Bill Cosby, Harvey Weinstein, Charlie Rose, Kevin Spacey, Al Franken, Matt Lauer, and Garrison Keillor are but a few of the names that have been revealed; certainly, there will be more.
VICTIMS HAVE FOUND A NEW OUTLET
What once was quintessentially an individual experience that received little to no public discussion (bringing an individual complaint of harassment against a manager or coworker), is private no longer.
Victims of harassment have the power of choice. They can make an internal report and hope that their organisation responds properly, or they can choose to take their story public. The latter has proven to be incredibly powerful in the past 12 months, in what some have called a reckoning.
The “#MeToo” hashtag campaign has given victims a way to speak collectively – share their stories online and create a culture of empathy and activism, effectively shifting the power of voice in the story of harassment. Victims who have joined the #MeToo movement have found solace in numbers, and increased confidence – a defining effect of the events of this transformative time.
DRIVEN BY FRUSTRATION
What is driving this phenomenon? Frustration, cynicism and lack of trust in the process. Employees are tired of feeling like they are not heard, they lack power, and that their issues don’t matter. And when it comes to harassment, they are sick of working in an environment where that conduct is tolerated, or worse yet, condoned. In each of the high-profile events, the story is similar – the victim did speak out or was aware that others had spoken out and nothing had been done. The harasser had power over the victim and objecting was potentially career ending.
With victims of harassment now having increased control over how their own personal stories are told, organisations are placed in a new position. They no longer have dominion over the narrative, or ultimately the actions they must take to redress the wrong. Influential and powerful men are being removed for conduct that their employer had previously brushed off as OK.
Employers today are faced with a new challenge. Should they look back in time and reconsider the actions they did or did not take in response to harassment allegations? Every organisation has a history with harassment allegations. Now, however, organisations must determine if they addressed those allegations properly at the time or if there are skeletons still in their closet. And what if new allegations emerge that date back to the time of the original incident?
If new allegations emerge, even if they relate to the original incident that was addressed, it is important to look into them and assess them. New information is critical in considering the appropriateness of the original action. Employers must evaluate the cultural impact of harassment, not just legal liability, as they craft appropriate corrective action. Employers should consider the totality of the circumstances as they determine the best next steps. Simply because a matter was closed out at one point, does not mean that an employer cannot revisit it, especially if new allegations emerge.
But the tougher question is: Should the employer start to review old files, even if new facts have not emerged? It is good to be knowledgeable about decisions and actions that have occurred in the past. If for no other reason, knowledge about prior corrective actions can lead to fairness and consistency as you deal with new situations. But on a deeper level, employers can learn much from how situations were handled or mishandled, and how those decisions continued to impact employees after the situation was closed. Employers should be working closely with legal counsel as they evaluate any decisions they have made in the past years, or even decades.
A fresh look at old misconduct may force employers to make difficult decisions about how the matter was originally handled, or make improvements in how they plan to handle future incidents of misconduct. If an employer chooses to go down this path, carefully consider your process, who is involved, and what the purpose of your review is. As you take a look at old events, consider the events in context, and examine them not from a pure legal defensibility angle, but rather from a perspective of culture and a commitment to a respectful environment.
Ask yourself:
» Did the original handling of the situation resolve the problem, or has it persisted despite initial actions?
» How proactive are you right now – are you really trying to understand the current state of your culture, including how employees feel about their work environment?
» Was the initial decision to not address the issue at all, and if so, was that the right decision? It is possible that old wounds have not healed, and that the failure to act properly may be continuing to negatively impact your culture.
TEACH YOUR EMPLOYEES
Training, done right, can be effective. Employees need to be reminded about expectations and reassured about your values in our current climate. High-quality training helps make employees more aware of what is permissible, and what your organisation expects of them. Don’t make it overly legal or seem as though you are using training just to build a legal defense. And don’t make promises or statements in your training that aren’t reflective of your true culture.
LISTEN UP
“Speak-up” culture is a great mantra but means nothing if companies do not practice a complementary “listen-up” culture. It doesn’t take long for employees to realise that their concerns, reports and questions are not being heard or taken seriously. Create a corporate culture in which employees feel comfortable raising their voices about anything from sexual harassment to feelings of being insulted. This will allow your compliance programme to resolve issues before they turn into scandals, and preserve the integrity of your organisation’s culture internally and its reputation externally. And don’t ever tolerate retaliation.
MAKE CONSEQUENCES REAL
Strong cultures are built on actions, not documents. This means you have to enforce your policies by holding people accountable for the things they say and do. If someone is guilty of harassment, they need to be dealt with in a way commensurate with their actions. Similarly, if someone makes an offensive off-the-cuff remark, it needs to be addressed, not swept under the rug.
FUND YOUR CULTURE
You have to fund company culture the same way you would fund product improvements, corporate expansions and R&D. This gives your compliance programme the resources it needs to deal with issues when they are small and manageable rather than catastrophic. This requires a long-term view of the ROI of compliance, and it will prove to be more profitable than short term gains accrued by turning a blind eye.
» SAMPLE POLICY: Global Anti-Discrimination, Anti-Harassment, Anti-Bullying & Anti-Retaliation
» CHECKLIST: Harassment Investigation Checklist
» LEGAL BRIEF: Sexual Violence and Harassment Legislation: New Duties for Ontario Employers Under Ontario Bill 132, Sexual Violence and Harassment Action Plan Act
» WHITE PAPER: Managing Workplace Harassment: What Employers Should Know
» High-Profile Sexual Harassment Claims Show a Toxic Culture Can Be a Product Defect
» Is a “Very Strange Year at Uber” a Cue to Improve Culture or Harassment Training…or Both?
» Harassment May Be Near an Inflection Point – But Still Much Work to Do
» You Can’t Delegate Ethics on the Issue of Sexual Harassment
Today, the chasm that divides us feels deeper than it has felt in the past several decades. Our debates today aren’t just about big government or little government, or whether we should fund a new school building; they are about race, gender, sex, sexual orientation, gender identity, national origin, and religion—and people’s right to fair treatment, protection and the rights and benefits enjoyed by others. And often, our conversations fuel and highlight the differences among us rather than bring us closer together.
These conversations are happening everywhere (and yes, this means they are happening in your workplace as well). Individuals are finding ways to express themselves through actions like attending protests and rallies and showing solidarity through common behaviours like taking a knee. They are also expressing themselves through speech by commenting on social media, posting images and content, joining online groups, and debating at work. This past year has given us a lot to talk about—from religion, terrorism and immigration to race equality, justice, harassment and equal treatment.
Often opinions are fueled by personal beliefs, religious teachings, and experiences. And while discussion is healthy and necessary, it can get heated and disrespectful quickly. Read the comments section of any online post about a controversial topic, and you’ll get a sense about what people are really thinking—the heated nature of the interactions would easily be considered offensive or inappropriate in any workplace.
In addition, social media has eradicated any line of demarcation between work and personal life. If you have a social media presence, your “private” life is now very public.
This is the new norm. Things are not going to change any time soon, and employees will continue to bring these conversations into their workplaces (virtually and personally). These heated exchanges can damage workplace relationships, and give rise to claims of harassment and discrimination.
Simply put, the workplace is not the best forum for these conversations, and now is the time for employers to address it head-on.
It is important to communicate what your organisation will tolerate through its code of conduct, training on the appropriate use of devices and social media, and clear messaging from leadership. While you can't always control what topics arise in the workplace, you can create a culture of respect and take the steps necessary for healthy conversation.
It can be a fine line between encouraging employees to be themselves and managing a culture where all feel respected. Sometimes, the two do not go hand-in-hand. With the hotbed of political, religious and emotionally-charged conversations happening in our workplace, it is very easy for employees to feel disrespected, and sometimes even discriminated against for sharing their own opinions. While training employees at every level about the importance of respect is a crucial first step, it is also important to understand how the concept of "psychological safety" plays a role in maintaining a positive and effective workplace culture.
As defined by Harvard Business School professor Amy Edmondson, psychological safety refers to the sense of confidence that a team will not embarrass, reject or punish someone for speaking up. In general, a psychologically safe climate is one in which people feel comfortable being themselves and expressing themselves without the fear of retribution. When we expand this view to our largest corporate group, the employee base, we can see how this concept applies directly to a true organisational speak-up culture.
According to research conducted by Google, after two years of studying 180 teams, holding over 200 interviews, and categorising and analysing 250 team attributes, nothing in particular stood out among all the groups studied. Some groups were friends outside of work, some only saw or talked to each other in meetings. Some were introverts, while others were extroverts. There was no structural formula that led the researchers to conclusively say: Put this type of individual in charge of a group comprised of these types of individuals.
Then they came across one trait that defined interactions – civility, or lack thereof. Who the individuals were in each group didn’t matter as much as how those individuals treated one another. With that connection, Google's data indicated that psychological safety, more than anything else, was critical to a team's effectiveness.
So how does this apply to the issues of free speech and speaking up in your organisation? It starts at the top. Employees who are managed with a respectful, conversational and empathetic direction from their leaders start to mirror that behaviour with their colleagues – and begin to understand that retaliation and disrespect will not be tolerated. Employees who feel safe in their workplace will be more likely to engage in well-mannered conversations (should one of the aforementioned topics arise), as well as open a dialogue about potential misconduct that threatens their culture.
Employers need to learn how to manage discourse while maintaining their culture, and at the same time help their employees navigate these challenging times.
KEEP THESE THINGS IN MIND
First, consult with a lawyer. There are a lot of laws that can come into play when you are dealing with speech and behaviour. You have a responsibility to foster the culture you want for your employees—elevate the importance of respectful communication.
Don’t take sides—unless you are in the business of taking sides or it’s critical to your business. Create a workplace that is safe and respectful. Quickly and professionally address inappropriate discussions or acts of mistreatment.
Train your managers so they know how to handle heated disputes at work. Train your employees so they understand that unfettered speech at work is not OK and it has consequences.
Be prepared to handle incidents involving employees who engage in offensive conduct off-duty; whether you choose to make it your business or not, you must own your decision. Remind employees about key policies, including your harassment, workplace violence, and business conduct policies—scheduling automatic policy refreshers and requiring attestations from readers.
Taking these steps will help organisations ensure that they are demonstrating their commitment to a healthy corporate culture and fostering an environment of ethics and respect in the workplace—no matter what’s going on in the world around us.
» SAMPLE POLICY: Social Media Use
» QUICK VIDEO: Tone at the Top: The First Ingredient To a Top Notch E&C Programme
» EBOOK: Code of Conduct: The Crucial Document Every Organisation Needs
» WHITE PAPER: 12 Essentials for Communicating with Incident Reporters & Whistleblowers
Employees work harder and stay longer at companies that are committed to their values and insulated by an ethical culture. Learn how to reinvigorate your workforce with a programme that protects your people, reputation and bottom line.