A Duty To Act When Misbehavior Happens

Patricia Harned | November 7, 2006

In the company lunchroom, you overhear a group of employees talking about the new hire in accounting. “I heard he’s been dating Susan in accounts payable for a couple of months,” says one of them. “They met a while back … No wonder he got the job here!”

“Yeah,” another employee chirps. “I saw them out at a restaurant last week. Hot and heavy!”

“Seems like a bad idea to me,” says a third. “She’s not his boss, but she is a supervisor in his department. Wonder what management would think if they knew about it.”

Wonder, indeed! As the company’s ethics and compliance officer, your first instinct is to go directly to the CFO and alert him about the potential for trouble in his department. The company’s code of conduct prohibits relationships between employees and supervisors, and your job is to enforce that code.

But you wonder if you should get more evidence before raising the issue. You didn’t see them canoodling; you didn’t even hear about the relationship firsthand or see them together on company property. Then there’s the fact that the vast majority of reports your office has received lately have turned out to be HR issues; you wonder if your credibility will be on the line if you bring up a situation based on hearsay. When you return to your office you call the IT department, where they keep copies of employee emails and instant messages for the past year—as employees agree to when they are hired. Next you stop by security and ask them to “keep their eyes peeled” for any evidence of a romantic relationship between the two employees.

You leave whistling happily. This is a cut-and-dried code violation and you can really demonstrate the company’s commitment to ethics by making an example of this pair.

* * *

There is little question that a company has a right to regulate employee activities that might impact unfavorably on the business—in this case, restricting relationships between certain levels of employees to avoid the potential for harassment claims or accusations by other employees that a supervisor is granting favors to a lower-level employee. In fact, when a company does have a policy in place—in writing and publicized to the staff—it is not only right for the company to take action; it is required to investigate and discipline violators appropriately. This is backed up by the Federal Sentencing Guidelines, which are very clear that an organization must “exercise due diligence to prevent and detect violations of law.”

But the sentencing guidelines also require a company to “promote an organizational culture that encourages a commitment to compliance with the laws.” As discussed in previous columns, much of an organization’s ethical culture derives from the actions of leadership. That means that even when a situation under investigation appears to be clear and straightforward, an organization must walk a fine line between stringently enforcing standards and overstepping the bounds of respect and fairness.

Over the past 20 years, written codes of conduct have proliferated and communications technology and capacity have boomed, creating ever-increasing opportunities to monitor employee (and other stakeholder) conduct. While the recent board-leak investigation scandal at Hewlett-Packard is the most visible current example, corporate efforts to detect misconduct have gone awry before—often, unfortunately, when leaders have chosen to be willfully unaware of the tactics used.

Much of the discussion surrounding the HP scandal debates the legality of “pretexting” and other tactics or the public relations nightmares that occur if the public finds out. Beyond questions of law and publicity, though, is the ethical dimension. How does an organization assume the integrity of its stakeholders while also questioning their behavior? What are the principles that underpin an appropriate investigation?

Corporate leaders could do much to stay on the fine ethical line, and to improve the culture of the organization at the same time, by making the following ethics considerations central components of internal investigations.

    Avoid shady behavior. Part of what is disturbing about the HP scenario is the language reporters use to describe the activities, describing the tactics as “legal but shady,” “on the edge but above board,” and “murky.” As HP Chief Executive Officer Mark Hurd said in a Business Week Online interview on Sept. 26, “[T]hat’s not exactly the question here. It’s a question about appropriateness, and we have a different standard. We’re not trying to straddle the legal line at every turn.”

    Don’t hide your head in the sand. Sometimes organizations allow their security contractors to push the legal envelope, assuming they are protected by not doing the investigating themselves or by declaring ignorance of the methods used. Organizations can be held liable for the illegal conduct of an investigative firm, so it is imperative that they hire only reputable investigators and monitor their activities. Even more, organizations have an ethical obligation to be aware of the means by which subcontractors carry out their directives. A moment of willful ignorance can undo years of effort building a reputation of being a responsible organization.

    Be reasonable in policymaking and investigations. Under certain circumstances and within reasonable limits, the law allows employers to monitor their employees’ communications. For instance, employers have a legitimate interest in assuring that employees are not disclosing trade secrets, engaging in illegal activities, or harassing coworkers. Yet employees have a legal and ethical right to some measure of privacy. In addition to being consistent and lawful, policies and procedures for investigating employee activities should be based on sound business reasons and balanced against the privacy rights of the individual.

    Establish a police state at your own peril. Restricting all employee rights and recording all employee communications may protect you from allegations of unfairness, but it won’t do much to maintain an atmosphere of respect and responsibility. Employees who feel overly monitored will lose their effectiveness, be resentful, and may leave. They also may assume that they do not need to be responsible for the standards of the organization, since the company appears to be taking on that role single-handedly.

    The Golden Rule applies. If you would find an action invasive personally, it will probably feel that way to the employee. Apply this useful litmus test when conducting investigations to measure whether you are overstepping the bounds of ethical conduct.

    Review and strengthen policies. Do what you promised in advance that you would do. Organizations should regularly review their electronic-communications policies and other standards of conduct to make sure they are up to date with technology and the law and that they align with the organization’s ethical values. For instance, policies that make clear when and where the organization intends to monitor usage of electronic and communications equipment make employees aware of areas where they have no expectation of privacy.

The bottom line is that from an ethics perspective, investigations gone wrong jeopardize an environment of trust. And trust is important capital to an organization; without it, reporting structures don’t work, policies are meaningless, and brand reputation won’t last very long. Secret, underhanded monitoring of employee activities, especially when followed by management’s evasiveness and denials, encourages employees to hide their actions and act first to protect their self-interest. On the other hand, prompt, thorough, and fair investigations that are followed by appropriate corrective action set a consistent standard for employees and will do much to enhance the ethical climate.