The most important lesson to be learned from 2014 regarding ethics and compliance is that “culture (still) trumps compliance.” That’s according to Ed Petry, former head of the Ethics & Compliance Officer Association (ECOA) and lead author of “Top Ten Ethics & Compliance Predictions and Recommendations for 2015,” a white paper he wrote with colleagues at NAVEX Global, an ethics and compliance services firm. The paper is based on input from ethics and compliance professionals at NAVEX’s client companies and is intended primarily for ethics and compliance officers, but the information is relevant for management accountants as well.
Several of the most notable ethics failures of 2014 involved problems with organizational culture. Management at General Motors “lost track of the importance of listening to employees” and had to recall millions of vehicles at considerable cost and loss of reputation. The sports world was rocked with conduct scandals in football and basketball while charges of corruption were made at FIFA, the international governing body for soccer. A “corrosive culture” was said to cause cheating at the Veterans Administration, and “a culture of silence” contributed to embarrassing breaches of security at the Secret Service. The last two incidents foster attitudes of mistrust of government and hinder its efforts. And at several elite universities and colleges, a culture of cover-ups and failure to take appropriate action in cases of reported sexual assaults has brought increased attention and outcry.
Petry’s paper cites relatively new factors affecting recent ethical failures, including the role of social media and the lagging adoption of rigorous ethics and compliance programs. For instance, the viral exposure of a video showing professional football player Ray Rice punching his girlfriend in an elevator provided instant evidence to the court of public opinion and likely altered how the case progressed. Following the public’s reaction to the video, the initial penalty was increased and an investigation was conducted into how the National Football League handled the incident.
The paper also noted that many ethics cases in 2014 involved organizations that didn’t have rigorous and effective ethics and compliance programs. And as more and more company operations become global, those programs need to involve others in the supply chain. The ethical actions of third parties—such as suppliers—are increasingly critical to the success of an organization. While legal and ethical norms may differ in each country, it’s the responsibility of purchasers to provide effective oversight of a vendor’s operations to be sure they are conducted in accordance with standards at the head of the supply chain. The paper suggests:
- Be sure to keep a complete and up-to-date record of all third parties with which your company does business.
- Assign responsibility to managers to be sure third parties are aware of their ethics and compliance responsibilities. It’s critical for all parties involved to be trained properly.
- Share your organization’s code of conduct with business partners and third parties in the supply chain. Be sure they understand their responsibilities in this area.
Another key finding in the paper is that technology-enabled ethics and compliance is ready for takeoff. There was a significant increase in the number of organizations considering better use of technology in improving the use of their codes of conduct. Additionally, the consumers of training activities have sophisticated attitudes about delivery methods and expect online training to meet their quality expectations. New training formats and “burst learning” modules are available and are especially helpful for targeted audiences, such as third parties and senior executives. Automated risk management systems are available to:
- Help identify all members of your third-party relationships, not just direct supply chain members, and assist in risk prioritization.
- Conduct risk assessment on a due diligence basis.
- Provide action plans to address risk profiles developed by the system.
- Assist in the ongoing monitoring and periodic screening of risks.
- Result in an auditable trail of documentation.
Although large company prosecutions get the headlines, “smaller organizations have always borne the brunt of regulatory enforcement.” Petry believes that small and medium-sized companies have lagged behind in creating ethics and compliance programs.
The paper concludes with a strong emphasis on cybersecurity and its implications for ethics programs. Many believe this is the greatest risk that companies face. Petry believes that cybersecurity is both an ethics and a compliance issue, and I agree. IMA® members are bound by the IMA Statement of Ethical Professional Practice to “keep information confidential.” The loss of confidential information isn’t only illegal, but it can lead to major adverse consequences.
Key cybersecurity action items set forth in the paper include rigorous risk analysis and evaluation of controls, such as reminders of the dangers of phishing e-mail messages and the importance of visiting only “safe” websites from work devices. Another key step is to ensure that your organization has strong alert protocols and a viable breach response plan. The number and severity of attacks on IT infrastructure continue to grow as the globalization of information increases.
If culture continues to trump compliance, then it’s time that culture becomes a driving force for compliance. Maintaining an open ethical culture requires not only a commitment from the top supported by actions that are consistent with its values, but it also requires the efforts of all areas of the organization working together.