16 June 2014
The seven steps to creating a culture of ethics, integrity and compliance in your organisation
A culture of integrity must be intentionally shaped. A strong compliance programme, built on an organisation’s values and principles, creates the bedrock for a culture that is focused on outstanding quality and business outcomes.
An effective compliance programme consists of several core elements that operate to prevent, detect and correct problems. These elements, scalable to the size and scope of the organisation, have become the gold standard for compliance programmes in all industries and are embraced by standard-making bodies worldwide, including the Organisation for Economic Co-operation and Development (OECD) in its anti-bribery recommendations.
A culture of compliance must start with an understanding of the legal, compliance and reputational risks of the organisation. Good risk assessment forms the basis for an effective compliance programme. Risk assessment should be a formal process that leverages the experience and expertise of internal leaders and subject matter experts to develop a comprehensive risk list, which can then be prioritised based on likelihood and magnitude of potential problems.
1. Designate a compliance owner
The compliance programme must have a designated owner, often called the ‘compliance officer’ or, even better, ‘compliance and integrity officer’ to denote that the programme is about doing the right thing, not just legal compliance. This person should be a well-qualified member of senior management with direct access to the governing body and with reporting responsibility to the top tier of executive management.
A high-level compliance committee should also be established to advise the compliance officer and assist with programme implementation, chaired by the compliance officer. The work of the committee includes analysing the industry environment and specific risk areas, assessing and recommending improvements in the system of risk controls (e.g. policies, training, monitoring and ownership), developing a system to solicit and respond to problems, as well as other activities relating to the strategy and operation of the programme.
2. Implement written standards and procedures
Every organisation should develop a code of conduct for all employees and those who do work on the organisation’s behalf. This is an important vehicle for communicating a clear commitment by executive management to a culture of ethics, integrity and compliance. The document should state the organisation’s mission, goals, values and compliance standards, plus the requirement for appropriate staff to adhere to their professional codes of conduct. The risks that are addressed in the standards and related documents should track the organisation’s risk profile, with more attention being given to high-risk topics such as harassment and health and safety.
An organisation must have written policies and procedures that address specific risk exposure for each function or department. Crafting and updating policies, especially those that must be adapted to different risk groups, is not an easy task. Many organisations use a software solution to partition policies by department or ward and for easy policy retrieval, authoring, review, approval, distribution and user attestation. Such a system can track and report on quizzes, surveys, noncompliance alerts, disclosures, reviewer/approver tasks, exception requests and policy versions and updates, which are handy tools for evaluating policies as a risk control mechanism.
3. Conduct appropriate training
As part of the compliance programme, organisations should conduct specific training on a periodic basis for all employees and other contracted staff. This is essential to communicating and reinforcing values and standards, meeting legal obligations and mitigating legal, reputational and operational risks. Training can also help to change behaviours and reduce instances of wrongdoing through prevention.
The process for building an effective training and communication plan begins with the list of risk areas from the risk assessment. Determine the audiences that need education in each risk area. For each audience, specify the depth and frequency of training based on the individuals’ jobs and risk exposure and then establish education methods and a calendar. A typical curriculum may include a blend of live and computer-based training, supplemented with newsletter articles, staff meeting reminders, posters and short video bursts. Online or mobile device training can be linked directly to policies and vice versa through the software environment.
4. Develop open lines of communication
Offering employees a safe way to report problems is critical. Fear of retaliation is one of the most common reasons that staff refuse to speak up about misconduct. Organisations should encourage open-door reporting to management. There should also be an open line of communication directly to the compliance officer and the compliance committee. Some staff may feel more comfortable taking issues straight to the compliance professionals. Anonymous routes of reporting should also be provided in jurisdictions where anonymity is permitted. This is commonly a toll-free helpline or web-based reporting system, which complies with local data privacy laws.
Combat scepticism and improve workplace culture by publishing anonymised or sanitised reports of issues addressed. Not only does this demonstrate that the organisation hears and takes such reports seriously, but this provides another way to educate staff on what is and is not accepted behaviour – and how the organisation will handle conduct that steps over the line.
5. Centrally manage all reports and allegations
Reported concerns should all be added to a centralised database that also collects the helpline and web reported cases, plus those that come directly to compliance staff and managers. A good case management system enables consistent data collection from multiple departments, geographies and people. This, in turn, allows for an aggregate analysis of the issues so that data trends can inform improvements in policies, training or processes. Connecting data from various parts of the organisation can also be an important tool in detecting and correcting wider problems.
6. Respond consistently and appropriately to alleged offences
Another important element of a compliance programme is appropriate response to reports and findings of misconduct. Such reports cannot be ignored, discounted without inquiry or left to languish for long periods of time. Case managers must respond to all reports within a short timeframe to make sure the reporting employee knows that the complaint was received and is under review. The case manager typically will triage the case based on type of issue and determine, typically with the compliance office or others, whether the issue can be handled directly or if an investigation is warranted. All investigations should follow a written protocol to ensure consistency and to alert, consult and involve the right people.
Investigators should have the training, expertise and subject matter knowledge to conduct the investigation effectively. Depending on the allegation, organisations should consider engaging outside resources – such as lawyers or auditors – to assist with selected investigations.
A written policy should guide disciplinary action for misconduct and for potentially failing to detect a violation due to negligence. Employees should trust that any discipline will be applied fairly and consistently no matter the role or level of employee. Any necessary disclosures to outside law enforcement or government agencies must be done within a reasonable time period. Other corrective action, such as changes to control mechanisms (policies, training, monitoring, etc.) should also be implemented in a timely fashion.
7. Audit, monitor and adapt as needed
Compliance programmes should include auditing and monitoring for violations of laws, policies and standards of conduct, as well as audits of compliance programme processes to ensure effectiveness and identify areas for improvement. The audit plan should be re-evaluated annually to ensure it is focused on appropriate areas of concern with consideration of prior audit findings and new risk assessments. The results of the audits should be shared with the compliance officer so that the information can be used to analyse the compliance risk environment for needed improvements.
Mary Bennett is vice president of Navex Global’s Advisory Services