Hi, I am Tia Berry. Many of you may have spoken with me or met me at one of our events.
I look forward to watching your progress and if you have any questions, concerns, technical issues – whatever just send me an email or give me a call.
With our ECI Community there is a discussion forum for E2C. Please use this forum to post questions as you take the courses, and if you want to begin dialog with other members taking the course feel free to create a thread and start the discussion.
My email is tia@ethics.org and my direct number is 571.480.4415.
Tia
Introduction to E2C
The High Quality E&C Program model was introduced in 2016
HQP includes 5 principles, 27 strategic objectives and 100 plus leading practices
The Five Principles related to E&C in the context of:
· Strategy
· Risk Management
· Culture
· Speaking up
· Accountability
The material is organized as follows:
Principle 1: Strategy
Session 4: The Value of the Chief Ethics and Compliance Officer
Session 5: The Role of the Chief Ethics and Compliance Officer
Session 6: Assessing a Code of Conduct
Session 7: Positioning E&C with the CEO, C-Suite and Board of Directors
Session 8: Building and Leveraging Influence
Principle 2: Risk
Session 9: The Transition from Governance Risk Compliance (GRC) to Integrated Resource Management
Session 10: Components and Tactical Understanding of the Enterprise Risk Management Process
Session 11: Defining the Necessary Countermeasures to Mitigate Risk
Principle 3: Culture
Session 12: The Role of Leaders in Setting the Tone for a Culture of Integrity
Session 13: Building, Sustaining and Measuring a Culture of Integrity
Principle 4: Reporting (Speak Up)
Session 14: Understanding and Dealing with the Problem of Retaliation
Session 15: Developing a Consistent, Repeatable Review, Triage and Follow-up Process for Reports and Inquiries
Principle 5: Accountability
Session 16: Implementing a Problem-Focused Investigation Process
Session 17: Continuous Program Improvement: The Journey Never Ends
Prerequisite Materials: Link to foundational knowledge deemed essential to the E&C practice. Students are instructed to review the prerequisite material to gain a broad foundational understanding of essential knowledge in order to be best prepared for the certification exam.
Recommended supplemental resources to gain a deeper understanding of material in this session:
Principles and Practices of High-Quality E&C Programs, Blue Ribbon Panel Report, ECI
An Introduction to the Importance and Value of the Five Principles
Overview of the five principles of a high-quality ethics and compliance program and the value and importance of each principle
Principle 1: Ethics and Compliance is Central to Business Strategy
Practitioners should be well-versed in the language of strategy.
When E&C is not deeply embedded in organizational strategy and execution, the organization is more likely to be unaware of or ignore E&C risk. This makes it difficult to put proper controls in place.
E&C programs, initiatives and execution targets must be consistent with and aligned with the organization’s core values.
Principle 2: Ethics and Compliance Risks are identified, owned, managed and mitigated
Risk assessment programs have four key components. The enable identification, assigning ownership, managing risk exposure, and implementing risk mitigation strategies.
Principle 3: Leaders Across the Organization Build and Sustain a Culture of Integrity
Integrity can be defined as an alignment between what we think, feel, say and do.
The HQP framework identifies leading practices in building and sustaining an ethical culture.
Principle 4: The organization encourages, protects and values the reporting of concerns and suspected wrongdoing.
Organizations must consistently and regularly:
· Promote the resources available;
· Develop processes and routines that support a speak up culture and climate of psychological safety while mitigating retaliation risk;
· Implement and monitor advisory helplines and associated metrics to ensure a robust and effective reporting system.
Principle 5: The Organization Takes Action and Holds itself Accountable when Wrongdoing Occurs
Accountability in this context relates to how we manage investigations, build effective partnerships with other staff agencies and act in transparent ways.
Accountability is:
· Holding ourselves and others accountable for success and shortcomings of our operational activities;
· Adhering to a process of continuous program improvement;
· Using feedback and experience to implement program changes;
· Creating a climate of psychological safety and culture of integrity.
The HQP principles represent a road map that, when founded on supporting objectives and leading practices, help create, evaluate and sustain a high quality E&C program.
Recommended supplemental resources to gain a deeper understanding of material in this session:
CRITICAL ELEMENTS OF AN EFFECTIVE ETHICS & COMPLIANCE PROGRAM, ECI
The Purpose of a compliance program, Michael Volkov
5 Essential Elements of Corporate Compliance, Baker McKenzie
Continuous Program Improvement, Tom Fox, Podcast
Aligning Compliance Program Priorities with Business Objectives, Jay Martin, Baker Hughes
• GBES the role value of the CECO
§ NBES 2013 – Ethical Leadership FINAL (NBES)
• GBES impact of culture
§ 2019_2-GBES-The Impact of Organizational Values and Ethical Leadership on Misconduct
§ GBES2018 Q3-CommunicationTrust Final
• GBES CECO impact on risk
§ NBES 2013 – Reporting and Retaliation FINAL
§ 2019_3-GBES-Workplace Misconduct and Reporting
• GBES Summary of the value of HQP
§ 2019_1-GBES-Global Differences in Employees Views of E&C Program Maturity
§ GBES2018 Q2-ProgramImpact Final
§ NBES 2013 – Large Companies FINAL (debating on your audience – this might be helpful)
Understanding the HQP Measurement Framework
An organization moves through 5 stages in respect to each of the 5 HQP principles:
Stage 1: Underdeveloped – A new E&C program or an existing one that has not progressed far in embedding HQP elements.
Stage 2: Defining – A program that has a few HQP elements, but still lacks many important attributes.
Stage 3: Adapting – A program that contains a number of HQP elements reflecting some important attributes, but with room to further mature.
Stage 4: Managing – An E&C program that can be considered effective or good, but not a “High Quality Program”.
Stage 5: Optimizing – An E&C program that contains the majority of, if not all, HQP elements.
An acronym that helps to recall the five stages is UDAMO.
In Stage 1 a program has adopted few of the leading practices found in high-quality programs or perhaps even met the minimum standards of the US Federal Sentencing Guidelines.
In Stage 2 a program is established but is not widely embraced by the organization and operates tactically and not strategically.
In Stage 3 the program is beginning to include more leading practices of High Quality Programs, but lacks consistency.
In Stage 4 the program is mapping more consistently to business and operational needs and discussions. Leaders in the organization are generally demonstrating ethics-related actions, employees are comfortable raising issues without fear of retaliation, and the organization demonstrates accountability in a robust investigatory process that is fair, neutral and consistent.
In Stage 5 the vast majority of HQP leading practices are demonstrated and embedded throughout the organization across all principles. The organization shares its knowledge externally and is generally viewed as having a High Quality E&C program within and outside of its industry.
Organizations can qualitatively and quantitatively measure their progress through each of the five principles by benchmarking themselves internally and against organizations within and outside their industry and geographic areas of operation.
However, HQP is not about achieving a score. Rather it helps to assess strengths and weaknesses and knowing where you are in the maturity of your program and tracking your success and improvement over time.
Occasionally programs regress in terms of maturity due to such factors as
· Change of leadership and focus
· Reduction in staff and resources
· Failure to adopt a mindset and program of continuous improvement
· Complacency
ECI research indicates that most organizations are between the Adapting and Managing stages of program maturity.
Recommended supplemental resources to gain a deeper understanding of material in this session:
An effective compliance program under the sentencing guidelines, Ted Banks
COSO Framework, Michael Volkov
Building world-class ethics and compliance programs, Deloitte
Clarity or Confusion: New DOJ Guidance for Evaluating Corporate Compliance Programs, Paul Hastings
The Value of the Chief Ethics and Compliance Officer
Ways the CECO adds value:
· Articulates the organizational vision for E&C and develops and executes strategy;
· Assists leadership in defining what they need to know and when they need to know it;
· Monitors and evaluates the effectiveness of the compliance program to protect the organization and its many stakeholders;
· Demonstrates organizational commitment to integrity internally and externally;
· Mitigates sanctions by making E&C incidents less frequent and severe in terms of impact.
Severity and frequency of incidents can be mitigated by having a well-implemented E&C program as defined by the 2019 DOJ guidance. According to the guidance, prosecutors consider three factors when evaluating E&C programs:
1. Is the program risk-centric
2. Is the program well-designed
3. Has the program been demonstrated to work effectively
Sanctions are mitigated by showing evidence of visible and consistent efforts to create an organizational culture that supports and encourages ethics and compliance.
The effective CECO prevents reputational damage that results from not knowing or acting on knowledge of conditions, circumstances or incidents that create E&C risk and proactively creating and sustaining a culture of integrity across the enterprise.
The following are at least some of the qualities of an effective CECO:
· Uncompromising personal integrity
· Emotional intelligence
· Ability to exert influence without authority
· Knowledge of the business
· Approachability and ability to communicate at all levels of the organization
· A strong network of relationships within and outside the organization
· Independence, objectivity and trust
Recommended supplemental resources to gain a deeper understanding of material in this session:
The Role of the Chief Ethics and Compliance Officer
The CECO’s mission is to ensure that E&C is central to business strategy and activities are consistent with the organization’s values when we execute on strategy and achieve results
The CECO must:
· Know their organization’s business strategy and process;
· Understand elements of the strategic plan and how they align, including vision and mission, strategic objectives and priorities, plan components, business division and unit goals, and individual performance objectives;
· Connect with individuals within the organization who are key players in the strategy development process;
· Align E&C goals, objectives and activities to the organization’s strategic plan;
· Ask how each E&C goal, activity or metric connects to and supports the organization’s overall strategic plan.
The CECO must be agile at all times, but particularly when business operations are confronted with volatility, uncertainty, complexity and ambiguity (VUCA).
Building a robust network means:
· Including staff agencies, key stakeholders, and strategic partners (such as ERM, HR, Legal, Privacy, Audit, Sales & Marketing, Procurement, Corporate Responsibility, Governmental Affairs, Finance & Accounting, Information Security, Information Technology, Investor Relations, Front-line Employees, line management, Senior Management and the Board of Directors;
· Effectively managing multiple constituencies with conflicting interests and priorities;
· Demonstrating an innovative mindset and pragmatic ability to find ethical win-win solutions that are both ethical and compliant with the letter and spirit of laws and regulations.
Effectively monitoring the environment is one key to successively implementing strategy. The environment includes:
· Organizational culture, climate and conduct;
· Business, industry and regulatory context;
· A robust network within and outside of the E&C practice.
CECO’s have optimal impact when they get in front of changes in regulatory and enforcement developments and actions, leading the way for their own organizations and business and their industries as a whole.
Recommended supplemental resources to gain a deeper understanding of material in this session:
Compliance and Careers Amid Corporate Upheaval, Matt Kelly
12 Types of Risk Awareness, John Spacey
Managing Risks: A New Framework, HBR
Managing Ethics in the Workplace, Alvernia University
Organizational Culture Drives Ethical Behavior: Evidence from Pilot Studies, Ethical Systems
Creating an Ethical Workplace, SHRM
VUCA, Kim J. Harrison, Cutting Edge
Peer Network, value of ECI and fellows, People Matter, Meghan Roudebush, Interview- People Matter: Megan Roudebush on Networking, by Nathalie Muto, The ACCJ Journal, JULY 2019
LEADERSHIP IN THE COMPLIANCE FUNCTION – DO YOU ENCOURAGE OR STIFLE?, Tom Fox
Five Types of Leadership Styles That Influence Business Outcomes
Assessing a Code of Conduct
Not assessing codes of conduct create more of a liability than an asset. Therefore, the code should periodically be reviewed on a separate cycle with or in alignment with the enterprise policy review cycle, with the last review/revision date noted. Employees should periodically attest that they have read and will comply with the Code. This is particularly important after revisions have been made.
One key decision in writing a code is determining whether it should be rules based or values based. Ideally, it should include elements of both approaches.
Effective codes tap into the aspirational (values-based) desire of employees to engage in conduct and make decisions that align with their own values and those of the organization. Research suggests that when behavior is taken out of a values context and placed into a “compliance” rules category, the inclination of employees to do “the right thing” may be weakened.
Ownership of the Code should be assigned to one point of contact. The owner is responsible for keeping the Code current and relevant. It is also critical that the Code be approved by the Board of Directors.
An effective Code:
· Is reinforced through code-related training and communications;
· Includes such elements as Frequently Asked Questions, blogs, video clips, screen pop-ups, and case studies;
· Is digestible in terms of format, easy to follow, and written at an appropriate reading level (typically between the 8th and 10th grade levels). More readable text includes shorter and fewer sentences per paragraph, words with fewer syllables, and can be assessed through readily available readability calculators;
· Is communicated through country- specific translations.
Code content should reflect:
· Key risks identified through an on-going process of risk assessment. Key risks may be regulatory in nature or possibly inherent in a particular business;
· Results from the process of monitoring key performance indicators and metrics, such as the percentage of advisory calls compared to allegations of misconduct, as well as the number and kinds of allegations and percentage of substantiated vs. unsubstantiated allegations;
· Feedback from stakeholders and users.
CECO’s must be prepared to share program outcomes with stakeholders as a commitment to transparency.
User-related metrics for a Code include:
· The frequency of access to the Code compared to other E&C resources;
· Relevance of the Code to the challenges faced by users;
· Evolving access platform preferences among employees across regions and demographics.
Final thoughts before launching a new Code of Conduct:
· Ensure that the Code is reviewed by legal counsel in all regions where the organization operates;
· Make sure that the Code is closely mapped to business needs and supported by a robust communications plan;
· Include guidance on where to go for help;
· Identify management responsibilities for supporting and enforcing the code.
Recommended supplemental resources to gain a deeper understanding of material in this session:
Creating an Effective Code of Conduct (and Code Program) Jason Lundy, HR Compliance, Leadership and Career
How to build a values based culture, Training
Suggested Guidelines for Writing a Code of Ethics/Conduct, Deloitte
Warning: Flawed Codes of Conduct can create ethical complacency
Importance Of Code Of Conduct Training For Employees
Positioning E&C with the CEO, C-suite and Board of Directors
CECO’s succeed by connecting and communicating with the decision-frame of the C-Suite. This decision-frame is informed by:
· Pertinent information: What information is important for the C-Suite to know;
· Timeframe: When do they need to know it;
· Communication preferences: How do they like to receive information;
· Present options and recommendations: What options do they have and what you would recommend and why;
· Decisions: What decisions must be made, when and by whom.
Ensure that program elements align with the strategic plan and business division objectives.
In high quality programs, CECO’s regularly brief the audit committee and/or full board on a regular basis. They must decide the story they are going to tell and convey it with courage and intellectual honesty. This means communicating an overall sense of the program as a driver of a culture of integrity and communicating specific opportunities and challenges ahead.
Board briefings typically include:
· Overall information on program maturity with more granular detail on elements that should be enhanced;
· Key E&C risks, including ownership, mitigation strategies, and results of risk monitoring efforts;
· Reporting activity (e.g. categories of misconduct, percentage of substantiated allegations compared to unsubstantiated ones, percentage of advisory contacts as opposed to allegations);
· Plan year overview of program activities and initiatives, including communications and training;
· Program activities going forward.
The Board will want to know how the organization compares to others within and outside the industry. Having access to current benchmarking data is essential.
The CECO must also meet with Board leadership on a one-on-one basis independently of the CEO to ensure candid conversations about the program and state of E&C in the organization.
Recommended supplemental resources to gain a deeper understanding of material in this session:
The Key to making presentations to Senior Executives Forbes
Compliance and the Board: 3 Expert Opinions
Building and Leveraging Influence
There are different bases of power. Two primary kinds that relate to the CECO role are advisory and positional power. Positional power is that invested in the position we hold. Advisory power is the power we earn by helping people solve problems or take advantage of opportunities. Advisory power takes time to build, but it represents true influence beyond the authority vested in the CECO role.
With each interaction the CECO is either building influence or diminishing it. A key way to build advisory power is by engaging in energizing interactions.
Energizing interactions are those that are:
· Aligned with overriding purpose, vision, and a sense of possibilities;
· Make people feel as though they are making a contribution and are included and heard;
· Energized by a feeling of being fully present and engaged in a situation or conversation;
· Characterized by a sense of making progress and affording flexibility in how goals are achieved.
De-energizing interactions, on the other hand, are characterized by:
· Negative conversations that focus on why change is not possible;
· A lack of trust;
· A focus on blame as opposed to accountability.
Trust is a foundational element of energizing interactions and is cultivated by:
· Holding confidences;
· Demonstrating integrity;
· Communicating skillfully and continuously;
· Keeping promises and commitments.
We tend to seek out and want to repeat energizing interactions and avoid de-energizing ones. Energizing interactions are more productive, innovative, and centered on mission and purpose. How would people characterize their interactions with you?
Recommended supplemental resources to gain a deeper understanding of material in this session:
Motivation Doesn’t Work: Here’s What Does, Forbes
Be More Convincing with these Proven Communication Tips, Sundas Noor
The Transition from Governance Risk Compliance (GRC) to Integrated Risk Management (IRM)
The first compliance programs were based on the 1970’s Defense Industry Initiative but were not considered to have fully embraced governance and risk.
What might be considered GRC version 1.0 followed the passage of Sarbanes Oxley in the early 2000’s.
As systems and programs began to mature, so did many regulatory mandates. Dodd-Frank and the UK Bribery Act inspired an evolution of GRC into a more holistic and sustainable process of identifying, assessing and proactively responding to a broader list of risks. We can refer to this transition as GRC 2.0. GRC 2.0 also held that Human Resources or “corporate culture” must be a measure of GRC and that it should be informed by, aligned to, or integrated into activities of Enterprise Risk Management and Internal Audit.
Today, Enterprise GRC or “GRC 3.0” advocates the importance of developing synergy across the enterprise through a “balanced scorecard” that includes operational, digital, vendor, EHS, and business continuity risk.
Digital risk emerges from applications of Artificial Intelligence, Machine Learning, and Advanced Analytics.
Integrated Risk Management includes business continuity and management planning, audit management and compliance oversight.
The supply chain also represents risk through disruption from national and global disasters, insufficient monitoring of supply chain performance, under-performance of business partners, liability due to lapses in materials safety, and losses due to theft or other criminal acts.
In many ways, GRC 3.0, Enterprise GRC and Integrated Risk Management describing the same overlapping approach to identifying and managing risk across the organization.
GRC 3.0 as depicted in this course maps to ECI’s HQP framework principles. Like GRC 3.0, the HQP framework also seeks to:
· Design and integrate the E&C program to support the organization’s strategic objectives;
· Develop an expanded view of risks and apply this “risk-informed route” for E&C program development;
· Consider the external environment, stakeholder demands, operational risk and other cultural aspects of the organization when developing policies, procedures and guid
· Create an environment of physical and psychological safety;
· Ensure that the E&C program demonstrates ownership, accountability and fairness
Some HQP elements contribute greater Return on Investment (ROI) than others. For example, an existence of a helpline is fundamental to a HQP, but other elements, such as ensuring that leadership sets proper tone and demonstrates support of the program delivers a much higher ROI. In fact, of the 27 fundamental elements that are part of the HQP model, 15 are considered to be from 8 to 27 times more effective in shaping employee perceptions and outcomes. ECI research also demonstrates that when employees and managers recognize the existence of the HQP elements within their organizations they also tend to observer and demonstrate more compliant and positive behaviors. For more information related to the ROI of various HQP elements, go to www.ethic.org/roi.
Recommended supplemental resources to gain a deeper understanding of material in this session:
Components and Tactical Understanding of the Enterprise Risk Management Process
Risk in organizations typically come from industry dynamics, the size and distribution of the workforce, sources of capitalization, the supply network and other third parties, and data privacy.
Following the passage of Sarbanes Oxley, E&C became more integrated in Enterprise Risk Management through:
· Regulatory compliance
· People and culture risk
· Conflicts of Interest
· Bribery and corruption
· Extended Third Party Risk
· Incident management
· Performance Management and Incentives
· Reputation risk arising from ethics and culture issues
An E&C program in and of itself can represent risk to an organization where there is evidence of:
· Inadequate risk assessment activities;
· Inconsistent training protocols;
· Policy deficiencies;
· Lack of E&C engagement in Enterprise Strategy.
Program success is predicated upon ensuring that employees and stakeholders:
· Understand the organization’s core values;
· Identify and are prepared to handle risks;
· Raise concerns;
· Don’t bend the rules;
· Believe leaders are accountable for their actions.
Always be alert to risks posed by unintended consequences of incentive plans and performance goals that lead to a system that rewards performance regardless of how the goals are achieved.
In respect to risk posed by goals:
· Employees and managers should be given permission to innovate and take risks when faced with high goals and not simply be expected to “run faster in place.”
· Research suggests that employees are more likely to act unethically when they fall just short of achieving goals rather than when they miss goals by a wide margin.
· If organizations have a learning mindset, failure to achieve a goal is not viewed as a negative in and of itself as long as it is seen as a path to growth and success over the long term. Failure can be reframed as a way of leaning and adapting performance in ways that help employees and the organization grow and become more successful.
· Special care should be exercised to ensure that performance objectives and incentives reinforce the desired behavior.
· Incentive structure should reward employees not just on what they achieve, but also on how and how not to achieve results and outcomes.
Several types of performance indicators used in ERM are particularly applicable to designing E&C programs:
Key Performance Indicators: KPI’s capture what success looks like. For example, if you believe that building an advisory culture is an important program outcome, you might adopt a KPI that measures the percentage of advisory calls compared to allegations.
Key Risk Indicators: A KRI helps measure areas of risk to the organization. For example, measuring changes in the percentage of anonymous allegations of misconduct may be a proxy for the level of fear in a business division or the enterprise as a whole.
Key Control Indicators: A KCI reflects key events and activities in the control environment. For example, the number of code violations may reflect the adequacy of controls in a particular area – controls that are designed to prevent or detect code of conduct violations.
Some metrics can be suitable for multiple key indicators. For example, measuring how comfortable employees are in raising issues without fear of retaliation could serve as both a KPI and KRI.
When establishing program metrics, be prepared to establish the baseline measure – the place you are starting from – to assess your progress and set a reasonable goal that you think reflects a healthy E&C program and organization. Benchmarking other organizations can be helpful in setting the proper metrics and parameters of what risk should look like.
Results of risk assessments can be depicted in the form of:
· Radar maps with nodes representing areas of risk;
· Heat maps to represent probability and severity or impact;
· Simple risk rankings.
Regardless of how risk assessment results are depicted, the content of displays should be informed by:
· Past risk-related trends, industry, competitor and internal events;
· Quantitative tools such as surveys and data analytics;
· Qualitative results from focus groups and interviews;
· Culture assessments;
· General industry trends and enforcement activity.
Recommended supplemental resources to gain a deeper understanding of material in this session:
Using Metrics to Measure Compliance Performance, Corporate Compliance Insights
Defining the Necessary Countermeasures to Mitigate Risk
Appetite for risk varies from one organization to another – and it is related to how much residual risk we are willing to accept and leave on the table. Risk assessment helps us get a feel for appetite and residual risk and develop training and other controls that help mitigate levels of risk that are unacceptable.
Each organization has a risk appetite – how much risk it is willing to tolerate in a given area. The E&C risk assessment process will help identify where the greatest risk exists and how it should be addressed. Training is an important way to mitigate risk, particularly if the risk exists because employees are not aware of regulations or understand in practice how to comply with policies or regulations.
Risk can never be totally eliminated. This means that even after risks have been addressed – identified, owned, managed and mitigated – the organization will always be left with what is called residual risk. Since we can never totally eliminate risk, we need to have ways to determine what kinds of risks should be mitigated and at what cost in terms of time and financial resources. One way to do this is by calculating risk value.
Risk value is derived by assessing the likelihood of an event occurring and multiplying it by the cost of the event if it did occur. For example, if a risk has an 80 percent chance of materializing and the cost of the event would be $500,000, the risk value would be $400,000. Risk values of E&C failures are not always easy to calculate because it is challenging to estimate the actual costs of monetary sanctions, loss of productivity, and reputational damage. But it is important to assign a monetary value to risk, if possible. Doing so makes it easier to compare one risk to another and determine where resources should be applied in each particular case. If the cost of a countermeasure exceeds the risk value, perhaps resources should be allocated elsewhere.
Properly tailoring your risk mitigation process involves assessing likelihood and impact of events, applying a proportionate approach to addressing risks, providing role-specific guidance and support to employees and leaders, and wrapping communications and training around risk mitigation objectives.
A risk assessment based on likelihood and impact should be made by reviewing past incidences, frequency, and scope of infractions, the experience of other organizations in your industry and changes in the business macro-environment. Here we introduce the concept of proportionality, the idea that a laser focus should be brought to identified E&C risks at the local and systemic levels to ensure that time, staff and financial resources are applied where they have the greatest impact and value. In addition, guidance and support for handling key risks must be provided to employees according to their role and risk exposure. Communications and training plans must be brought into alignment with the actual risk faced by an organization. Plans should be timely, relevant and continuously updated as the risk environment changes. Inspect and modify the control environment to ensure that auditing and monitoring mechanisms focus on the evolving risk landscape.
Auditing is a process of looking back to determine how the organization and employees have met compliance standards in the past. Monitoring is looking at how the organization and employees are meeting standards today and on an on-going basis. These activities also apply to third party suppliers, contractors and intermediaries. This is often referred to as Extended Risk Management. A carefully designed governance structure provides oversight and the ability to escalate E&C issues based on severity and priority through pre-determined and routinely tested procedures. Otherwise we lack the preparedness to deal with E&C crises arising in the moment.
E&C risk is particularly important in times of organizational disruption. Down-sizing, staff reductions and senior leadership changes are associated with elevated ethics and compliance risk. In fact, the more organization changes that occur, the greater the E&C risk. A key learning is not to assume that misconduct metrics and associate risk remain static when organizational changes are afoot.
ECI research suggests that in times of disruption, acquisitions represent the greatest E&C risk. Mergers and Acquisitions in general offer unique challenges and opportunities. Practitioners must be prepared to move quickly and assess potential partners or acquisition targets for risk as part of the due diligence effort. Employees in acquired organizations should receive E&C training sooner in the process rather than later.
Information systems and business data analytics are playing an increasingly important role in E&C. Applying the right kind of analytics to data in the context of risk assessment can identify anomalies and possible compliance violations that might otherwise go undetected.
Recommended supplemental resources to gain a deeper understanding of material in this session:
The Role of Leaders in Setting the Tone for a Culture of Integrity
Leaders are the architects of the kind of climate where ethics flourishes. This effort is based on a foundation of accountability.
The CECO demonstrates accountability by owning the E&C program elements and ensuring compliance by employees and leaders. Leaders across the enterprise demonstrate accountability by viewing ethics and compliance as part of their core responsibility to employees and the organization.
When we use the term “values based” we mean behavior that is aligned with the core values of the organization rather than purely a focus on rules. This reference to values has its roots in a structure of performance management and incentives.
The CECO models values based behavior for the organization.
In terms of leadership, setting expectations means:
· Explicitly stating leader responsibility in terms of E&C and integrating those expectations into the performance management system;
· Aligning incentives with values driven outcomes and not inadvertently creating ethics risk by reinforcing the wrong behaviors;
· Including as incentives recognition, salary increases, and bonuses that reward behavior in a long-term context;
· Focusing on values based behavior should also be considered in hiring, promotion and retention decisions;
· Ensuring that Leaders must be knowledgeable about and assume responsibility for their roles in terms of ethics and compliance in the organization;
· Assessing leader performance by soliciting and collecting employee feedback regarding the extent of leader efforts to build and sustain a strong ethical culture.
Leaders integrate ethics and compliance in business decisions through the following habits:
· Applying stakeholder analysis in making business decisions by guiding employees through consideration of how a business decision might be experienced by different individuals or groups;
· Asking employees how a potential business decision maps to each of the organization’s core values;
· Continuously reinforcing mission, purpose, and values – the “why” we do what we do – in business discussions related to what we intend to do and how we plan to achieve goals;
· Sharing stories about business decisions that have been made or strongly influenced by the organization’s core values or what might be seen as exemplary business conduct;
· Creating opportunities for feedback and questions by spending time with employees, both in the workplace and out in the field. Schedule one-on-one and skip level meetings. Don’t require employees to seek leaders out;
· Using real and relevant examples and cases whenever possible from within and outside the organization to illustrate ethics risks and consequences.
The bottom line is that leaders influence ethics through accountability not just by what they say, but what they do – and aligning their actions with the deeper values of the enterprise and norms of the workplace.
Accountability in the context of leadership includes:
· High-level standing committee oversight of significant E&C matters and cases involving senior leaders. In other words, the governance structure is such that leaders inspect the behaviors they expect!
· Values and standards being communicated though many channels on a continuous basis in the context of stakeholder interests and E&C risks posed in the current internal and external environment.
· Training that includes not just technical role compliance, but also a values-driven context of decision-making and action. In fact, research suggests that when we substitute a compliance decision frame and
language for a values-driven one, organizational ethics is actually diminished.
Recommended supplemental resources to gain a deeper understanding of material in this session:
Building, Sustaining and Measuring a Culture of Integrity
What is culture? Culture can loosely be defined as “the way we do things around here.”
Edgar Schein, the thought leader who coined the term “corporate culture” – says that culture is composed of three levels. “Artifacts” that are visible on the surface – for example, how work spaces are organized, where leaders sit and work, public displays of core values, and depictions of history on walls or in the corridors. Arranging artifacts in visible locations is the first way to influence culture.
Beneath the artifacts we find shared values and beliefs. These can include the core values as stated by the organization. The second way to influence culture is by mapping core values and deeply held beliefs about who we are as an organization to daily activities in ways that reinforce their relevance and importance like, for example, talking about core values in the context of business decisions or telling stories that show how we have applied our core values in the workplace.
Finally, at the deepest level of culture, we find shared assumptions about what gets recognized and rewarded, what people need to do to get promoted, things we can talk about and topics that are taboo to bring up. For example, how do the following statements by employees reflect deeply held assumptions?
“Leaders really value employees around here – they listen to our ideas and suggestions on how to do things better.”
“If you see something at work that doesn’t look right – look away – and don’t report if you want to keep your job!”
Peter Drucker, the “father of management”, said that culture matters because culture eats strategy for breakfast!
The CECO is responsible for driving the on-going effort to build and sustain a culture of integrity. The HQP framework is one that can serve as a template for this task in the context of creating an effective E&C program. A culture of integrity is realized where there is a well-implemented E&C program that is aligned of core values with strategy development and execution. The CECO helps the organization develop incentives, rewards and accountability systems and practices that nourish and sustain a culture of integrity.
As we seek to create this lived and embedded integrity, remember that culture is persistent and, once established, can be challenging to change. Changing culture requires a focus on:
· Shared language and meaning: Operationalizing the language we use to transmit values. Simply using words like “trust”, “collaborate” and “integrity” does not create shared meaning. Get in the habit of saying “Trust is a great word – but what does it look like and how would I recognize it is I saw it?” Only by defining words in terms of what we expect to see as behavior creates shared meaning.
· Establish organizational “habits”: Just like individuals have good personal habits and bad ones, organizations have habits too. But in organizations habits are called “routines”. We have good organizational routines that align with our values and bad routines that inadvertently create ethics and compliance risk. An E&C routine may be one that defines how reports of misconduct by senior leaders are to be handled. Another business routine that supports E&C in an organization might be wrapped around how travel expense reporting is documented and approved or how sales people report end of quarter productions. The bottom line is that routines provide guardrails that keep behavior in alignment with deeply held va
· Observe and name behavior that is misaligned with core values: Be prepared to observe and name behavior of leaders and employees that is not aligned with core values of the organization. When we allow misaligned behavior to continue without accountability, the culture of integrity we worked so hard to build begins to deteriorate.
· The standard applies to everyone: Be prepared to remove leaders from positions of influence who are not exhibiting the behaviors that align with the desired culture and replace them with people who do. This is where the heavy lifting of building and sustaining a culture of integrity comes into play – it is where the rubber meets the road – at the intersection of what we say and what we do!
One indicator of progress is the presence of “Ethics-Related Actions” or ERA’s. ECI research identifies there “key levers” of leader behaviors that reflect a culture of integrity:
Communicating the importance of ethics and a priority;
Setting a good example of ethical conduct;
Keeping promises and commitments;
Providing information about what is going on in the organization;
Supporting others in following organizational standards.
Other key measures of culture can be directly related to E&C or more generally related to organizational metrics and activity:
E&C measure examples:
· Helpline activity;
· Levels and kinds of misconduct and general inquiries;
· Percentage of anonymous calls;
· Perceptions of pressure and stress.
Organizational measure examples:
· Employee engagement data;
· Attrition and turnover rates;
· Exit interview data;
· Rising or falling operational risk profile.
Use both qualitative and quantitative techniques to define and assess culture and monitor trends over time.
Qualitative tools:
· Focus groups
· One-on-one interviews
· Observation
Quantitative tools:
· Census surveys
· Pulse and/or random surveys that are statistically valid and reliable
Recommended supplemental resources to gain a deeper understanding of material in this session:
Understanding and Dealing with the Problem of Retaliation
A recent Global Business Ethics Survey found that a median global average of 47 percent of employees observed one or more kids of misconduct during the previous 12 months.
· Of those who observed misconduct, 69 percent reported it.
· 44 percent of those reporting misconduct indicated they later experienced retaliation.
· Three out of four employees who experienced retaliation indicated that it happened within three weeks of their initial report.
The initial period after the report represents that greatest risk of retaliation and must be monitored closely!
The most common kinds of retaliation reported by employees are being ignored or treated differently by the supervisor, followed by being ostracized by co-workers.
Retaliation matters because is tis one of the most destructive actions when it comes to E&C programs. It has a toxic influence on speak up culture and climate. That means that supervisors and leaders must be expected and trained to:
· Avoid actions that could be real or apparent retaliation;
· Be sensitive to how reporters are being treated by co-workers;
· Seek counsel from Ethics and Compliance or Human Resources if a risk of retaliation is present.
The CECO must play a leading role in promoting a climate of psychological safety where employees feel safe to report E&C issues and ask questions. This means educating leadership on the importance of creating and sustaining psychological safety as a way to protect leaders, employees and other stakeholders from E&C risks and to drive business goals and strategies in the broader context.
A healthy and robust reporting program is less about training and communications and more about the culture being seen as promoting a psychologically safe space where employees can learn from mistakes and hold each other accountable for results. Research shows that psychological safety promotes greater innovation and the ability to identify potential risks. In a broader context, psychological safety can be seen as simply good business and, when it is practiced in all areas of the organization, ethics and compliance benefits, as well.
Employees do not automatically feel safe to report misconduct or ask ethics and compliance questions. It may not come as surprise that leaders throughout the organization actually have to do something to create an
environment that is conducive to psychological safety. Here are three ways leaders “lead” to create this important component of speak-up culture:
· Show appreciation when employees trust you and the organization: Thank employees for raising concerns, individually and in a team setting, if appropriate. Showing appreciation also means following up on issues and bringing closure by reporting back to the employee on the outcome to the extent possible.
· Create opportunities to connect: Leaders have a habit of saying they “have an open door” if employees have questions or concerns. But in reality, leaders must actually “walk through their own doors” and create structures and opportunities for communication though skip level team meetings, holding weekly one-on-one sessions with direct reports, asking good questions – even having lunch with front-line employees rather than just dining with peer leaders.
· Create a learning organization: Build a work environment that encourages people to take reasonable risks to experiment and learn from failure in the context of a values-driven culture. A learning organization re-frames “falling short” as a success if we learn from the experience, resulting in an “open “ that we can change and become better over time as opposed to a “closed mindset” choice between success and failure. Which environment do you perform best in?
Returning to the topic of retaliation, how can we mitigate the risk of it happening? Consider taking the following actions:
· Ensure strong written prohibition against retaliation for reporting ethics issues or cooperating in an ethics investigation;
· Take swift and consistent disciplinary actions when retaliation occurs;
· Provide training for leaders that helps them identify ethics issues and understand their responsibility to escalate issues to the E&C office for appropriate action;
· Focus on the facts of the allegations rather than the intent of the reporter;
· Train leaders and employees on effective communication skills so that issues are dealt with constructively before retaliation even has a chance to materialize;
· Implement monitoring programs to follow-up with or monitor reporters, including promotion, performance evaluation and disciplinary actions;
· Develop, implement and maintain escalation procedures to ensure that allegations of retaliation are dealt with swiftly and substantiated allegations are reported periodically to governing authorities, including the Board of Directors.
Whistleblowing is a subset of reporting behaviors and generally applied to reports of misconduct or compliance issues to external regulatory authorities. Treatment of whistleblowers poses special risks and challenges to organizations and the CECO plays a critical role in educating leaders about whistleblower protection practices.
Organizations must ensure that there are no restrictions, written or otherwise, to an employee’s ability to report an issue to governmental authorities or regulators. E&C should actively dispel myths around whistleblowing and what speaking up is all about. Characterizing whistleblowers as disloyal or problem employees only serves to elevate risk to the organization. Most whistleblowers report issues internally first and only go outside the organization if the allegation is not investigated and handled appropriately.
ECI’s research indicates that retaliation is reduced when we combine a well-implemented E&C program with a strong ethics culture. A recent GBES survey found that an effective program has the following six elements:
· Written standards of ethical conduct;
· Training on standards;
· Advisory resources;
· A means to report confidentially or anonymously;
· Performance evaluations of ethical conduct;
· Systems to discipline violators.
When we fail to fully implement an effective program, observed misconduct, pressure to compromise standards, and retaliation increase and reports of
misconduct decrease. In fact, when none of the six elements described above are present, only 33 percent of employees report misconduct they observe and 53 percent of those reporting misconduct experience retaliation. But when all six elements are present, the percent of employees reporting observed misconduct jumps from 33 percent to 84 percent and the percentage of reporters experiencing retaliation drops to just 4 percent!
Recommended supplemental resources to gain a deeper understanding of material in this session:
Developing a Consistent, Repeatable Review, Triage and Follow-up Process for Reports and Inquiries
E&C serves as the intake channel for E&C inquiries and allegations. However, recognize that there are other channels for reporting. Coordination with the owners of these other channels ensures that accusations are not being investigated by different departments, or that the issue is being venue shopped to increase or enhance the apparent urgency of the report.
Understanding and managing reports of misconduct requires a case management system to serve as a database platform. The database allows for greater institutional transparency and should have report-writing capability. The E&C team must collect information about how issues are raised: Walk-in, correspondence, helpline call or other channels, and whether issues are being reported by executives, managers, employees, customers or vendors. Case details are critical to not only track important case-related activity, but can become central in litigation.
The CECO should ensure that a case management system is available to track case activity from the initial receipt of the report of misconduct to closure. This includes:
· The name of the reporter, if known, and date of contact;
· Case type (for example, bribery and corruption, conflict of interest, and other case types, as well as secondary cast types that may be separate from but contemporaneous with the primary allegation;
· Report type (anonymous or confidential);
· Case summary along with case details, including information related to investigative and repot intake involvement of other staff agencies in the issue either in conjunction with or separate from E&C;
· Case disposition (substantiated, partially substantiated, or unsubstantiated);
· Root cause (if known);
· Date of case closure:
· Additional information deemed relevant to the case or the outcome or to document a suspected pattern of behavior.
The E&C function should develop a triage process to determine which investigator or staff agency is responsible for investigating a matter. In addition, escalation procedures should be developed for the handling of cases deemed more urgent than others. For example, reports involving violence in the workplace, sexual harassment, physical safety, environmental reports and drug or alcohol abuse and misconduct of senior executives should be handled with an even greater sense of urgency than, for example and relatively standard conflict of interest issue or inquiry regarding an exchange of gifts with a supplier. In such cases written escalation procedures fast track urgent matters so they are handled and resolved in a timely manner. These procedures include actions such as locking down a computer to avoid destruction of documents and fast-tracking the issue to authorities.
Note that escalation procedures should be regularly tested to ensure that they are current and effective. For example, do they reflect:
· Recent organizational changes;
· Changed policies and standards;
· Current investigatory requirements and protocols.
Remember that a procedure that is not used when it is called for is more of a liability than and asset when it comes to litigation.
The E&C advisory helpline and case management system are interconnected resources. Both help detect, document and assess violations and the understanding of the Code of Conduct, policies, regulations and standards. Together, they inform E&C risk assessment and help detect trends of misconduct and wrong-doing.
As the CECO, you are charged with telling the story of E&C in your organization. This is a story that must be factual and intellectually honest and grounded in valid and reliable metrics wherever possible. Your helpline and case management system enable you to create a dashboard of metrics that are essential to your story and help document trends in activity over time. Such metrics include, but are not limited to:
· Number of reports per 100 or 1000 employees (depending on the size of the organization);
· Reports by channel through which reports are received (helpline, walk-in, email, etc.);
· Average days to case closure;
· Percentage of advisory cases compared to allegations;
· Percentages of cases substantiated, partially substantiated and unsubstantiated;
· Individual case types as a percentage of total cases.
Additional metrics may include:
· Root cause breakdown for the reporting period;
· Percentage or subjects by level/type (e.g. employee, supervisor, senior management, vendor/supplier, etc.);
· Disciplinary action;
· Percentages of confidential and anonymous reports.
Although a helpline can be managed in-house or outsourced, outsourcing a helpline in whole or part can be a cost-effective way to manage a 24.7/365 helpline resource. Advantages of outsourcing include the following:
· Greater confidentiality and improved ability to enable anonymity;
· On-going communication with anonymous reporters;
· Streamlined international reporting with multiple languages and country-specific guidance;
· Compliance with numerous certification requirements, including international data processing standards and appropriate date transfer and data integrity assurance;
· Data privacy and protection, including the California Consumer Protection Act (CCPA) in the United States and the General Data Protection Regulation (GDPR) related compliance on an international scale;
· An integrated case management system for tracking case activity and trend analysis;
· Robust peer and industry benchmarking.
Three metrics that can be used to assess your helpline performance are:
· Call answer time and abandonment rate;
· Average speed to answer;
· Report dispatch and triage time.
Recommended supplemental resources to gain a deeper understanding of material in this session:
Implementing a Problem-Focused Investigation Process
There are four foundational principles of high quality investigations. In order to be effect, investigations must be thorough, timely, neutral and consistent.
The investigation begins with a comprehensive report intake and triage process. Assessing the potential impact, urgency, importance and merit of each report ensures timely and appropriate actions.
It is critical to have both a well-developed investigative protocol. A protocol is an “official” procedure or system of rules and guidelines. Having a protocol
ensures consistent quality of investigations related to a variety of issues and in geographically dispersed areas.
From the beginning, an investigation must put a premium on neutrality – both real and apparent – to preserve the integrity, independence and objectivity of investigative outcomes. Be prepared to reassign inquiry to another investigator or staff agency if there is even the appearance of bias or conflicted interest in process or outcome.
For the accused, people are more likely to cooperate in the investigative process and offer candid and truthful information if they view the investigator and independent and without a hidden agenda or bias. For the reporter, demonstrating neutrality and communicating a fair and transparent process gives them and other stakeholders in the organization confidence in the outcome, even when it may not be what they preferred.
When it comes to investigations, consistency is everything. Each investigation begins with preparation and planning to outline the phases of the inquiry, the timeline and the documentation that must be collected. Who will be interviewed and in what order?
Conducting investigations is a core function of Ethics and Compliance. As such, it should be reduced to a process map with clear inputs and outputs to ensure consistent and through investigations over time and across the enterprise. Process mapping also helps identify steps that are inefficient and unnecessary and to design new steps in the investigative process that enhance value.
Investigations is like brain surgery – a patient is likely comforted knowing that their surgeon completed a course of study augmented by years of practice. But hearing that your surgeon learned their craft through on-the-job training alone is not very comforting! Large organizations and high quality programs benefit from ensuring that their investigators complete formal investigative training and internal or external certification to augment any experience and practice they may have gained
In addition to following an established protocol, discipline should be determined and administered in a consistent manner regardless of the level of the subject on the investigation. Although E&C does not determine discipline, it is responsible for evaluating consistency of discipline applied in their cases and elevating concerns when issues involving consistency surface. In addition, escalation procedures must be in place to handle significant issues and reporting outcome to senior leadership or the Board of Directors as appropriate.
From the standpoint of procedural transparency, it is useful to let reporters know how the investigative process will work at the first intake meeting and what they can expect in terms of potential outcomes. Keep reporters informed throughout the investigative process. It may seem like things are going quickly for you, but it may be painfully slow for them! After the investigation is complete, tell the reporter what you can about the outcome and tie it back to the expectations you established in the beginning.
Remember that transparency pays rich dividends:
· Procedural Justice: When there is transparency around a process, employees are more likely to accept the outcome even when it is not what they preferred.
· Fairness: Perceptions of fairness are enhanced when employees understand how their allegations are handled.
· Better Outcomes: Investigative outcomes present a tremendous learning opportunity for the E&C Team and organization. When we have an issue that occurs locally, it is always desirable to adopt a global perspective of how the organization can learn from a situation and make changes that mitigate the possibility of the same thing happening in the future. This is where “root cause analysis” comes into play.
Root cause analysis, sometimes called “contributing factor analysis”, seeks to understand the initial conditions that led to an eventual incident of misconduct so that conditions can be altered and similar future incidents of misconduct avoided. The analysis begins with asking “why” an incident
occurred five times, each time identifying with greater certainty the root causes that contributed to a situation.
Though root cause of E&C issues are many and varied, some common ones include:
· A lack of oversight or deficiencies in the control environment;
· Excessive pressure to meet business goals;
· Poor training or a lack of awareness of rules, policies and processes.
Whatever the root cause identified, it most likely will point the way to a systemic remedy that promises to reduce similar infractions or issues in the future. Root causes should be documented in the case management system and reported to senior leadership and the Board of Directors periodically. It is difficult to develop or maintain a High Quality Program without some level of root cause analysis.
· A final investigative report should summarize the following:
· The incident or issues investigated
· The names of the subject of the inquiry and witnesses interviewed
· Relevant documents and evidence examined
· Summary of relevant policies, guidelines and standards
· Fact findings
· Issues that could not be resolved and reasons for lack of resolution
· Recommendations (unrelated to specific disciplinary outcomes
Recommended supplemental resources to gain a deeper understanding of material in this session:
Continuous Program Improvement: The Journey Never Ends
Continuous improvement can be described as seeking incremental improvement to program elements over time and it is the hallmark of all high quality ethics and compliance programs.
The Plan-Do-Check-Act cycle is a management tool that is foundational to many continuous improvement programs and is also known as the Deming wheel or continuous improvement. It guides us through a process of planning our work, executing the plan, inspecting the outcomes, and acting on results.
· Plan: We identify our objectives and desired outcomes based on what success looks like and lay out a process for moving forward.
· Do: We implement our plan and monitor progress by gathering key metrics and relevant data.
· Check: We evaluate our data and assess the effectiveness of our program elements, noting where we have met or exceeded our projective outcomes and where we have fallen short.
· Act: Based on actual results, we improve our process and examine the reasons why we achieved or failed to achieve the outcomes we anticipated. We share the results with key stakeholders and make adjustments as the PDCA cycle continues.
There is always room for improvement in a compliance system and it is challenging to keep these programs fresh. Continuous improvement demonstrates that your program is working as intended and improving over time. This kind of information is essential when we need to:
· Provide evidence to regulators that the E&C program is robust and effective;
· Better integrate the compliance program with business objectives;
· Support requests for additional resources, such as training and communications initiatives;
· Optimize a level of preparedness for emerging risks;
· Build program credibility and influence among all stakeholders.
In terms of the target we are aiming for, an effective action agent knows where to apply energy and resources to create the greatest momentum in an organization toward a desired outcome. ECI research tells us that there are four desired outcomes related to two key drivers that characterize all high quality ethics and compliance programs.
Key drivers:
· A well-implemented E&C program
· A strong culture of integrity
Key outcomes:
· Lower rates of observed misconduct
· Higher rates of reporting of misconduct
· Lower pressure to compromise standards
· Lower levels of retaliation
As noted before, between the key drivers of E&C in organizations, culture has been shown to be the more powerful of the two.
Every senior leader believes they have a culture of integrity – until they don’t! How does one know such a culture exists?
· What’s leadership doing? Are leaders demonstrating Ethics-Related Actions and setting the right tone and messaging around the importance of ethics and compliance?
· A visible commitment to Transparency and Fairness: Is there a demonstrated commitment to transparency in the organization in terms of information provided to key stakeholders and fairness of policies, procedures, and practices that support business-related decisions that have E&C implications?
· People feel comfort speaking up: Is there a climate of psychological safety that promotes a Speak Up culture where employees feel they are supported, have permission and are expected to speak up when they have questions, concerns or observe what they believe to be unethical or non-compliant behavior and practices without fear of retaliation?
· Employees and leaders are accountable: Do employees and leaders hold themselves and others accountable for their conduct and compliance with standards and does the organization demonstrate accountability I terms of how it investigates and deals with alleged misconduct consistently at all levels in the organization?
Aside from culture, it is helpful to have access to a methodology and set of tools to assess the current state of a program and have an idea of what
success looks like. A structured approach ensures that your review is comprehensive and that you use your time and resources in a way that is efficient and effective. This can be done internally through any one of a number of external service providers with experience in program assessment and evaluation.
The ECI applies a rigorous data-driven methodology that harmonizes internal stakeholder evaluations of E&C program maturity in alignment with the five principles of High Quality E&C programs. Benchmarking is a critical part of the process, both within an organization over time and within and outside the industry. There are three steps in the process:
Step 1: Complete a questionnaire that relates to E&C basic program design and the degree of implementation of HQP principles and elements;
Step 2: Receive a customized report showing the level of program maturity from “least” to “most optimized” on each of the five HQP principles and how they compare to other organizations that have completed the survey;
Step 3: Utilize the results to prioritize improvements and allocate resources in the on-going evolution of the E&C program. For more information go to: https://www.ethics.org/hqp/
Continuous improvement is not necessarily an expensive proposition if you use the right tools, follow a game plan and are willing to invest the time and resources to assess your program correctly the first time. In fact, studies show that costs of non-compliance far exceed those of compliance efforts. What is most important is to fully embrace and commit to the opportunity to grow and improve your program in a systematic way.
Costs of non-compliance include:
· Substantial and sometimes immediate losses of capitalization;
· Reduced access to capital markets;
· Diminished shareholder value;
· Loss of market share.
Note to self: Keep abreast of the impact of ethics and compliance in other companies within and outside your industry. This can help project the costs of unethical culture and non-compliance.
To sell an investment in continuous improvement to your Board and CEO:
· Talk ROI: Find ways to quantify a return on investment
· Leadership Reputation Helps with ROI: Ethics alone can be difficult to monetize. However, Fred Kiel found in his landmark study of CEO’s and their employees that a CEO’s “character reputation” can yield five times the return on assets and a 26 percent increase in employee engagement.
Ways to quantify the ROI of an Effective Program:
· Projected savings on actual costs of litigation including expense related to staffing, engagement of outside counsel, fines and sanctions;
· Increased productivity and innovation through higher morale, employee engagement and commitment to purpose and mission;
· Lower costs of mitigation efforts compared to costs of unethical conduct, regulatory sanctions and loss of capitalization resulting from reputational damage;
· Higher employee retention resulting in lower costs associated with employee turnover and attrition;
· Enhanced value of reputation and trust resulting in greater customer acquisition and retention.
ECI’s research suggests that expanding financial markets in particular as measured by the S&P500 Index can drive pressure to compromise standards, eroding ethical conduct and compliant behavior in the process.
An investment in E&C appears to yield strong dividends in organizational performance, employee engagement and higher retention. There is a strong business case for investing in ethics and compliance, but it requires an intentional and strategic effort on the part of the CECO and other E&C practitioners to do so.
Diligently applying a continuous improvement process leads to a fully optimized high quality E&C program in terms of five foundational principles:
1. Ethics and Compliance is central to business strategy.
2. E&C risks are identified, owned, managed and mitigated.
3. Leaders at all levels across the organization build and sustain a culture of integrity.
4. The organization encourages, protects and values the reporting of concerns and suspected wrongdoing.
5. The organization acts and holds itself accountable when wrongdoing occurs.
Recommended supplemental resources to gain a deeper understanding of material in this session:
CEO character the key to the bottom-line, CNBC sqwakbox, 2015
LPEC Review
Congratulations on completing the LPEC certification course!
The following is basic information about the certification exam format and administration:
· The certification exam is administered online and consists of 80 multiple choice questions. The exam will be proctored. You will have 1.5 hours to complete the exam. Students are required to answer 60 or 75% of the exam questions correctly in order to pass.
· The exam questions will be drawn from the material covered in the prerequisite materials you have already received and the content of the 17 sessions you just completed.
· Once you have passed the exam and received your certification, you will be required to complete and submit a specified number of hours of continuing education periodically to maintain your certification. You will receive instructions on how to submit your continuing education credits in a separate email.
· Study the material in this coursework handbook and the prerequisite material provide to you to best prepare for the certification exam.
Recommended supplemental resources to gain a deeper understanding of material in this session: