We are ethical … so why do we need compliance?
Few businesses, if any, ever set out to do the wrong thing, yet stories of prosecutions and fines continue to hit the headlines. GoodCorporation’s Spring Business Ethics Debate at the House of Lords looked at the relationship between ethics and compliance raising the question, “We are ethical so why do we need compliance?”
One standard riposte to the demands for codes and regulation to govern behaviour is that if a company employs good people, why does it even need a code of conduct, let alone a compliance function? A company may well have faith in the people it employs, but without a compliance function, how does an organisation know if employees really are behaving ethically?
Ethical companies were compared to clean ponds containing clean frogs with the compliance function needed to keep both frogs and pond pollution-free. The compliance function can be seen as a means of ensuring that a company’s good faith that the right thing is being done can always be proven. Three key areas were considered at the start that GoodCorporation agrees are key to establishing an ethical compliance function.
- Remit: The remit of the compliance function should be defined within that of the assurance providers. Creating an integrated assurance map is a useful exercise, as it enables an organisation to differentiate the remit of audit, compliance and other assurance providers ensuring that there are no gaps or overlaps.
- Scope: Defining the scope of work is also essential and can be influenced by the position of compliance within the organisation. If compliance sits within the legal function, its emphasis can be on laws and regulation. When placed in finance it can be more focused on accounting laws, Sarbanes Oxley and the more financial aspects of compliance. Where an organisation operates in many markets, global governance and supervision of compliance is required. This must allow for regional variances and it is unlikely that a one-size-fits-all approach would work. Wherever it sits, the scope of work must be clearly defined to ensure that compliance is appropriate to the assurances necessary to protect the business. An annual Compliance Risk Assessment could be considered to ensure there is no exposure to a new threat.
- Bite: Does the compliance function have a voice at Board or senior management level? Is it reactive or proactive and should it move towards the latter? Are the endeavours of the compliance team supported at Board level and have sanctions been authorised to deal with any breaches?
The debate explored the potential impact of compliance and the steps required to make it effective.
Culture and Behaviour
The compliance function should be a key tool for demonstrating that an organisation is doing the right thing and as such should explicitly include ethics. An ethical compliance programme should start with the code of conduct, from which a culture of integrity with clear standards of behaviour can be developed. Effectively embedded, this will also protect the reputation of an organisation. An ethical compliance programme should drive the integrity of an organisation. It is not sufficient to be compliant without caring how this is achieved. Compliance should therefore be linked to a statement of principles that can be used to set standards of behaviour that go beyond compliance with rules and regulations.
This should begin with clear messages from the top of the organisation to set the tone. Management must ensure that the right structures are in place to deliver compliance and that a clear communication and training programme will be rolled-out. Effective communication should emphasise not only the benefits to the business of a values-based approach to conduct, backed up by a clear set of rules that govern conduct, but also the collective responsibility for compliance.
Investment should be made in leadership teams around the globe who are responsible for delivery, emphasising what is expected with guidance on how this can be achieved. Support can be vital in challenging parts of the world where compliance with certain policies can go against local norms for doing business. Good guidance on gifts and hospitality and refusing facilitation payments can achieve compliance in such markets.
Monitoring & Reporting
Effective compliance functions must be accountable, so structures need to be in place to ensure the right level of oversight. Also audits, either internal or external, are likely to have a role here to provide assurances that policies and procedures are being correctly followed.
A report card approach could also be considered, requiring the component parts of the organisation to report on their compliance status. The results of this or a similar reporting procedure should be included in the annual report, rather than considered as a separate item or not reported on at all.
Sanctions & Rewards
An organisation should consider what sanctions to impose for any breaches of compliance. In order to have bite, there must be consequences for non-compliance. But a reward structure could also be considered. Building ethics and compliance into the appraisal and bonus system demonstrates real commitment on the part of the organisation and shows the tangible value it places on ethical conduct.
Many organisations are experiencing a time of considerable change in managing an effective compliance function. The reputational and financial costs of non-compliance are great, with some businesses never fully recovering if successfully prosecuted for breaking the law. While the stakes for breaching the rules may be high, this is balanced by the benefits of conformity and acting with integrity in terms of employee retention, increased productivity and an enhanced reputation. A more proactive approach to ethical compliance, therefore, has a tangible role in the wider debate of restoring trust in business.
GoodCorporation guidance on establishing an ethical compliance function
- Step 1: The Code of Conduct
The remit of the compliance function should be based on the Code of Conduct, combining aspirational corporate values with clear statements and rules on expected behaviour.
- Step 2: Risk Assessment
Conduct a risk assessment to identify areas of exposure and high-risk, including current levels of accountability for the management of ethics and compliance related risks.
- Step 3: Gap Analysis
Identify the gaps to see what policies and procedures may need to be put in place to reduce ethics and compliance risks. This should be delegated to, or managed in conjunction with, the relevant functions who are given the responsibility of developing the processes required.
- Step 4: Embedding
Ensure that every function has a training and communication programme in place for embedding the correct procedures to ensure the right ethical tone as well as compliance.
- Step 5: Oversight & Monitoring
The ethics and compliance teams should not have day-to-day responsibility for ensuring compliance in all departments with the Code of Conduct, but should ensure that all the necessary training has been put in place to deliver correct implementation.
Once correct policies and procedures have been established in the relevant departments, the key remit of the compliance function should be oversight and monitoring. An annual Risk Assessment Check should be carried out as the exposure to risk may change as a business develops. A reporting system on compliance status by department should be considered. Internal or external audits should also be employed to provide assurance.
External reporting in the annual report should also be considered.
- Step 6: Speak Up
An effective speak-up system is also an invaluable tool, creating an open and transparent culture which reduces the risk of damaging behaviour going undetected. The compliance function should have responsibility for the whistleblowing line, ensuring it is correctly promoted, monitored and acted upon.
GoodCorporation’s Business Ethics Debate – March 2015