Once upon a time, the idea of business ethics was more of an abstract or philosophical notion that seemed more suited for discussion in a university lecture or at a business conference. Today, however, organisations of all sizes and industries must have concrete ways of addressing ethics and compliance issues as a principal component of their business processes and strategy.
According to a study by PwC, 98 per cent of senior leaders say they’re committed to compliance and ethics however only 67 per cent have a process in place to identify the owners of compliance and ethics-related risks with only a third having an officer in place for the overall compliance and ethics. 56 per cent of the companies don’t have a chief ethics officer at all, and only 20 per cent have a Board of Directors that formed separate compliance and ethics committees. The study reports that 82 per cent of leaders communicated with employees on ethics, but 46 per cent of this is done in business meetings or by email. You can read the result in full PwC website.
Business leaders are usually quick to communicate their expectations to employees, especially when it comes to financial goals or tasks that they want to be accomplished. However, what is often lacking is a clear, concise explanation of what the organisation expects in terms of ethical behaviour and a compliance framework in place to follow. Today citizens, media, politicians and international bodies across all regions actively condemn abuses of power. And past scandals and their consequences have created a demand for increased regulations, greater transparency, and other rigorous scrutiny measures to be taken. To maintain (or regain) public trust, the ethics and compliance function, has been placed at the centre of the strategic core of organisations by effective leaders.
Empower your organisation to mitigate risk!
To ensure a robust compliance and ethics strategy, five critical elements need to be implemented; 1) tone at the top; 2) corporate culture; 3) risk management 4) a Chief Compliance Officer, and 4) testing and monitoring.
1 – Building Tone at the Top
“Tone at the top” is a term used to describe the ethical atmosphere created at an organisation or workplace by their leaders and their attitudes and behaviours. Tone at the top is vital in determining whether fraud, bribery, or corruption is likely to take place. Because it is set by all levels of management, it has a trickle-down effect on all employees. If the top leaders show a robust and zero-tolerance approach to fraud, employees are likely to lead by example.
An organisation with a strong ethical culture is usually led by a board of directors and senior management personnel who are actively engaged in promoting a culture of compliance and zero tolerance for fraud and other unethical business behaviour. Effective tone at the top will communicate to the organisation at all levels the type of conduct that is expected, what is considered unacceptable, and what the consequences will be for transgressions. A zero-tolerance approach should be followed at all times, it is vital in maintaining the culture of ethics and compliance at the organisation; below are some examples of failed tone at the top:
- The Enron scandal
- Arthur Andersen obstruction of justice
- Xerox fined by SEC
- Scandals at Fannie Mae
- Global financial crisis
- Tyco Scandal
- MCI Inc/WorldCom
- ImClone Systems trading case
For more scandals check out our list of “Top 10 Bribery and Corruption Cases of 2019” and “Top 10 Bribery & Corruption Stories of 2020 (so far)”.
2 – Corporate culture
The prevailing norms, expectations, and recognised acceptable behaviour form the corporate culture of an organisation. By implementing an ethical code of conduct and compliance with all regulations a part of those norms, the organisation will help promote positive behaviour and integrity among its staff.
You might be making assumptions that your employees know how to conduct themselves ethically, when, in fact, this expectation only exists in a grey area in their minds – if at all. In fact, some employees who have engaged in fraud, corruption or other unethical situations have claimed that while they knew their behaviour was wrong, they thought it was implicitly accepted by their bosses and, in some cases, their company on the whole.
Similar to establishing an effective tone at the top, fostering a positive corporate culture hinges on effective communication, and it needs to permeate different layers of the organisation. In other words, sending occasional emails about ethical behaviour isn’t enough to influence the culture at a company. Develop videos, team-building exercises, new employee orientations, and employee appreciation events, these provide opportunities to recognise positive behaviour and reinforce the company’s values. When employees see their colleagues being recognised and rewarded for maintaining a compliant and ethical corporate culture, they are more likely to help cultivate an ethical workplace. When the tone at the top and corporate culture are tied together, everyone at the business understands what is acceptable and expected in being a part of the organisation’s success.
3 – Risk management: perform risk assessments
Risk management is the identification, evaluation, and prioritisation of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimise, monitor, and control the probability or impact of unfortunate events or to maximise the realisation of opportunities. In other words, before you establish an ethics and compliance framework – first, a risk assessment should be conducted to uncover any vulnerabilities that need to be addressed with new processes.
Which means you need to assess how your business is conducted. So ask yourself:
- Have the various roles at the company been appropriately allocated, and is there a proper separation of duties?
- Are employees qualified for their responsibilities?
- Is the workforce trained to recognise the red flags of unethical behaviour and fraud?
Once the risks are identified, they can be isolated and addressed as part of your organisation’s comprehensive approach to ethics and compliance. The risks should be prioritised:
- Which ones pose an immediate threat?
- Could they effectively shut down the business?
- Do they pose a risk of financial, legal, or reputational risk – or all of the above?
Once prioritised, the identified risks should be assigned to critical members of the organisation. Whatever your reasons or motivations might be, if your organisation’s objective is to have an effective risk management strategy in place, then ISO 31000 can provide the principles, framework and a process for managing risk.
4 – A Chief Compliance Officer (CCO)
The implementation of a robust ethics and compliance strategy can give your organisation a competitive edge. A compliance officer or a CCO plays an essential and crucial role in the implementation. Tasked with the day-to-day responsibility of overseeing the management of compliance and ethical risks, whilst ensuring that the organisation is in compliance with the various regulatory requirements and that employees are in adherence with internal procedures and policies. Oversight should be provided by the board of directors (or ownership and executives) to ensure that problem areas have been adequately addressed, and the organisation is taking a proactive approach to mitigating risk.
5 – Testing and monitoring
When all the new processes have been implemented (the anti-fraud policy and employee code-of-conduct, anti-bribery and anti-corruption training and policies, allocation of duties and responsibilities, an anonymous reporting -hotline- process for unethical behaviour), a thorough testing and monitoring regimen is critical to ensure the new process is working.
It is important to remember that having the best processes on paper won’t make a positive difference on its own. You need to monitor how they are being used and its success. A schedule should be in place that promotes frequent, regular check-ups of the ethics and compliance controls, with metrics that show results (i.e. surprise audits) A surprise audit is an effective way to test if any new controls have reduced the flagged irregularities. The risk assessments performed before implementing ethics and compliance controls should have identified risk areas, with the new processes aimed at mitigating that risk. Only by testing, and testing frequently, can the organisation determine if the new controls have the desired effect. If they are not, the company should develop new solutions that specifically robustly target these problem areas – and, in time, test them again.
Addressing ethics and compliance issues at an organisation can be a daunting task. However, with careful preparation, expert help, and a common-sense approach, any organisation can develop or enhance its corporate culture to be proactive in mitigating ethics and compliance risks. The benefits will be obvious – increased productivity, better security, and empowered employees who understand that their organisation values integrity and an ethical work environment.
Create a zero-tolerance approach to fraud with ISO 37001 ABMS
Creating a zero-tolerance approach to fraud doesn’t happen overnight. When your organisation enrols in ISO 37001:2016 ABMS training and certification, the program involves your entire team. The training helps establish an ethical culture by educating your employees on the following:
- What constitutes fraud, corruption, and bribery, and why these are so damaging to business
- How to identify red flags of fraud, corruption and bribery
- The process for reporting fraudulent and unethical acts
- The organisation’s zero-tolerance attitude toward unethical behaviour and willingness to terminate employees for breaches, and prosecute unethical acts
- The severe ramifications for committing fraud or bribery, the legal consequences, and the negative impact on one’s career
Employees shouldn’t be expected to follow a code of conduct that they aren’t aware exists. That’s why ISO 37001:2016 ABMS creates a communication plan through which organisation leaders regularly communicate their expectations of ethical behaviour to staff periodically. Read more on how to build trust in the workplace with ISO 37001 Certification.