
Monitoring and Auditing Performance-Enhancing Risks

Jose Tabuena | May 27, 2015

People tend to do what gets rewarded. Give someone the opportunity to earn frequent flier miles, for instance, and he will find absurd ways to fly and spend in order to maximize those miles.

This phenomenon happens at an organizational level, too. Recently in Atlanta, school administrators and teachers were convicted for fudging the results of standardized tests. One could argue that the regime established by the No Child Left Behind Act sets up rigid standards derived from high-stakes testing. Those performance targets can result in even competent teachers branded as failures and getting fired.

So should we be surprised that educators believe tampering with student testing is widespread? Does that necessarily make teachers bad people? No. They’re simply behaving the way people do under pressure when judged on the basis of a metric.

To change behavior, we need to change the numbers we measure. Take executive compensation as another example. Metrics that focus on long-term value (such as five years of share price improvement) are a start; but even more important are new numbers that direct a leader’s attention to the real drivers of sustainable success.

The adage, “what gets measured gets done” is fitting. Management science has long held that people respond when results are measured—and especially when their pay and bonuses are tied to those measurements. In other words, encouraging corporations to revise their pay-for-performance criteria to include clear measures of compliance and ethics, along with responsible environmental, social, and governance criteria, might go a long way to elicit desired behavior from corporate managers.

The Unique Nature of Performance-Enhancing Risks

Incentives can be particularly troublesome with risky behaviors that fall under the general heading of unlawful organizational conduct. The distinctive characteristic of “performance-enhancing risks” (as labeled by academics such as Malcolm Sparrow of the Kennedy School of Government) is that the motivation for risk-taking derives from the organization’s performance goals rather than from the personal motivation of individuals. Examples of performance-enhancing risks include the following topics familiar to compliance officers:

  • The payment of bribes by companies to win contracts;
  • Misrepresenting the financial condition of the corporation to maintain investor confidence and drive up the stock price;
  • Aggressive billing that helps an organization maximize profits but also can rise to the level of abusive or fraudulent practices to achieve production and efficiency targets;
  • Ignoring and neglecting safety procedures to meet performance criteria and project deadlines.

In such situations, the risky behavior supports some essential purpose of the organization. At the same time, individuals who engage in performance-enhancing behaviors may be formally rewarded with bonuses and promotions for performance gains, while the company turns a blind eye on how the goals are met. Further, individuals may be celebrated informally for their achievements, by their peers and prevailing cultural norms.

A fundamental issue is that we cannot be objective about our actions when we have a personal interest in the outcome, such as when a big commission is at stake. Beyond those actions, after they are taken, lie ancillary risks with uncertain, indirect, and longer-term consequences. Recognizing the nature of performance-enhancing risks, including the dynamics that lead to and sustain such behavior, can aid compliance and internal audit in developing effective control strategies.

Using Incentives in Compliance and Ethics

The compliance function can play an essential role in developing approaches to counter these dynamics and temptations. After all, relying on the business units (the first line of defense) to balance the competing values here is probably unwise. So this is where the effective use of incentives as monitored by compliance can make a difference.

By developing appropriate compliance and ethics incentives, management and boards can demonstrate their commitment to compliant and ethical conduct in the organization. They can reduce the risk of illegal or unethical conduct while fulfilling their fiduciary obligations to ensure that the organization has an effective compliance and ethics program.

While incentives are common, their use in compliance and ethics programs has been slow to catch on. Noted compliance authority Joe Murphy writes that “[A]lthough incentives are an essential element of compliance and ethics programs, surprisingly little attention has been paid to this topic, as compared to other elements such as codes of conduct, helplines, training, and risk assessment.” Murphy has published a whitepaper on using incentives (available through the Society of Corporate Compliance and Ethics) that provides a roadmap on aligning incentives and can be valuable for those struggling with execution.

Compliance professionals should remember that the role of incentives was highlighted in the 2004 revisions to the Federal Sentencing Guidelines, which require, in Item 6 of the seven standards:

(6) The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program …

The Guidelines go on to address discipline separately, so clearly “incentives” here means something other than negative consequences. The Guidelines also emphasize the importance of corporate culture in affecting employee behavior. Appropriate incentives can support a positive culture that helps individuals resist negative influences. Employees do look to see who gets promoted or passed over, and who gets paid bonuses or not. The resulting perceptions contribute to the overall company culture.

Murphy refutes the common objections to the use of incentives, and describes the various approaches for using incentives and integrating compliance and ethics-related performance criteria in:

  • Personnel evaluations;
  • Promotion consideration;
  • Bonus determinations and other incentive systems;
  • Rewards and recognition;
  • Awards for courageous whistleblowing.

Opponents will say that developing metrics for compliance and ethics performance is difficult, but it can be accomplished with focused attention. Compliance and ethics criteria, like other features of a typical performance evaluation, include subjective elements where nuanced measures and ratings can be developed.

Don’t Forget Internal Audit

Internal audit has a role as the last line of defense in testing the efficacy of incentives at the organization. The use of recognition and awards (along with the application of discipline) can be referenced when evaluating the control environment component of the COSO framework.

For example, in assessing the implementation and effectiveness of controls involving integrity and ethical values, auditors can include whether compensation models (such as commissions for sales functions) create undue pressure for employees to engage in unethical practices to meet individual or organizational financial targets. If such pressures are identified, internal audit and compliance can work with the business unit to alleviate or bring some of those risks into balance, while recognizing that such pressures are inherent in the business.

The following are testing procedures for the internal auditor to evaluate the implementation and effectiveness of performance-based incentive and disciplinary controls:

  • For highly paid executives, evaluate the rationale for all aspects of compensation and consider whether it is designed to reward long-term performance.
  • Obtain documentation of “field” communications (speeches, slide decks, memoranda, e-mails, and so forth) that reflect expectations and demands of employees. Look for inconsistencies in the messages about ethics and compliance to this group, compared to communications conveyed from senior executives.
  • Evaluate the degree to which ethical business practices have been factored (if at all) into executive-level performance evaluations and compensation criteria. Consider whether practices provide for executive-level accountability for ethical lapses, including significant cases of fraud or other misconduct.
  • Determine if compensation has been adjusted for missed performance goals. Recognize that decisions to pay bonuses when performance targets weren’t achieved can undermine the company’s compensation philosophy and objectives.
  • Sample personnel files of employees disciplined for a particular offense (say, improper sales practices), and assess whether discipline was applied consistently and proportionately. Determine whether employees in different regions or managerial positions were subjected to the same disciplinary measures meted out to the rank-and-file for the same offense.
  • If the organization does rate managers on specific compliance and ethics criteria, review personnel files to verify the validity of the rating. See whether variance occurs among those ratings, or whether the majority of them receive the same high rating.

In performing testing procedures, internal audit can provide additional assurance on whether incentives are having the desired effect. Findings from audit testing can lead to enhanced control strategies, where incentives are meaningful and sanctions have the same currency as performance-related rewards.

With the present distrust of business and the persistence of corporate misconduct, organizations must do a better job of using incentives as a tool to drive the kind of behavior they expect of employees. By developing appropriate compliance and ethics incentives, management and boards can demonstrate their commitment to compliant and ethical conduct in the organization. They can reduce the risk of illegal or unethical conduct while fulfilling their fiduciary obligations to ensure that the organization has an effective compliance and ethics program.