Building Ethics Into the Compliance Program

Encouraging employees to engage in ethical behavior and effectively measuring ethical conduct are two of the most challenging aspects of building a strong compliance program.

At the Compliance Week 2011 conference in Washington, compliance officers and ethics experts discussed the latest practices for instilling good ethics into the organization and ways to foster a culture of ethics.

During a panel discussion called “Ethical Choices,” Patricia Harned, president of the Ethics Resource Center led a lively conversation on how compliance officers can guide employees to navigate and resolve difficult business situations in which the ethics are not always clear.

One major theme of the session was how to embed ethics into the organization and to get employees to put them in to practice. “It's not just about having a good program, but also about really getting other people to follow suit and to uphold the standards of the organization,” said Harned. “A challenge for all of us is, how do you get people to look to your code in those tough moments to be able to make the right choice.”

Getting people to feel comfortable with the resources that are available, including the compliance officer, is critical to developing ethical decision-making, said Rosland Fisher McLeod, chief compliance officer at Biogen-Idec. She said that her open-door policy helps in that effort. She also periodically stops people in the hall and asks how things are going— and does the same when she travels to international company offices. “They feel more personally connected and sometimes people will just call me up and say, ‘Hey Rosalind, this is happening, what should I do?'” she says. “Depending on what it is, we may have a lengthy conversation that leads to something broader—or not.”

Another topic that emerged during the discussion was how ethics and compliance professionals can address new research on ethics. For example, panelists discussed the book Blind Spots by Max Bazernan, which was published in March. One of the lessons said Hamel, “is that while we all like to think that we're really ethical people, ultimately, when faced with a situation, we'll tend to do what we want as opposed to what we should do. The other one is around actually being able to recognize an ethical issue, as opposed to seeing it simply as an accounting issue or as an IT issue.”

Abby Fiorella, senior vice president of global compliance and forensics at MasterCard Worldwide, said that it can be difficult for people to avoid succumbing to a rationalization process. “These are good people and well-intentioned—we all make bad decisions sometimes,” she said. “It's something to remember and that's why contexting becomes so important. It's not about whether you're a good person or a bad person, whether or not you're ethical: you're going to be in situations where you're going to be put to the test…When you're standing in that other country and someone is presenting you with a gift, what do you do?”

That's why ethics training should be as specific as possible to different employee groups, even while the overriding rules are the same, Fiorella said. To do this, she identifies what certain employees do on a daily basis, whom they interact with, what kinds of things are asked of them, and how much time they have to reflect before doing any training. Fiorella also recommends using scenarios, some of them extreme, which everyone will be able to answer, in addition to more subtle cases that will be harder to answer. “It's taking it away from just an ethics conversation to ‘this is real life, this is business, how do you work through some of those problems?'” she said.

McLeod added accountability to these ethics training recommendations. “If you have a great ethics program, but no accountability on the compliance side, you may very well have those employees who just run amok,” she said. “The ethics is the ideal, where we all want to go, and we hope that we would make the right decisions, but the compliance piece of it is, ‘You broke a rule and you're going to have to face the consequences for that.'” That reminder to employees serves as an effective deterrent of bad behavior, said McLeod.

“If you have a great ethics program, but no accountability on the compliance side, you may very well have those employees who just run amok.”

—Rosland Fisher McLeod,

chief compliance officer,

Biogen-Idec

How do compliance officers train supervisors to help their employees handle ethics? “One of the things we did this past year was to decide that our officers needed a refresher course on what it means to be an officer,” said Steve Koslow, chief ethics and compliance officer at CUNA Mutual Group. “We laugh at that, but it's surprising the number of people who become an officer at a company and don't recognize the inherent responsibility that comes with it.” Part of that responsibility is to ensure that individuals within the organization are acting in a way that promotes who the organization wants to be, he said. They have to continually ask that question, ‘Is the direction we're heading where we want the company to go? Is this who we want the company to be?' “We've taken it down a couple of levels as we've worked our way down the organization, but we felt that it was important to start with the officers,” said Koslow, who said the program, which was very well received, was done in conjunction with the firm's legal department.

The Metrics of Ethics

In another session, called “Measuring Ethical Conduct,” the Organization for Economic Co-operation and Development's Scott Mitchell, who is chair of the Open Compliance & Ethics Group, moderated a discussion on best practices for measuring employees' ethical conduct. The panel focused on how to conduct good surveys, what data points were most useful and how often to collect data, and how to align the ethics program with risk.

(From L to R) Alex Proels, chief compliance officer of Siemens Industry; Robert Foehl, director of corporate compliance & ethics at Target; Thomas Johnson, vice president of risk management at Forest City Enterprises; and moderator Scott Mitchell, chair of the Open Compliance and Ethics Group, discuss techniques to measure ethical conduct.

One broad takeaway from the panelists' presentations was that a lot of their systems had incorporated cascading measurement, said Mitchell. “In terms of strategy, a lot of your organizations may do things like balance scorecards or performance measurement that cascades down through the organization,” he said.

There was also a general sense that ethics is a very challenging thing to measure, as Alex Proels, chief compliance officer of the U.S. industry sector at Siemens, illustrated. “I was having a beer with the CEO and the CFO, and I said, ‘I have to give this presentation, what do you think I should say about metrics?'” said Proels. “And the CEO looked at me and he said, ‘I am in jail, or I am out of jail.'”

It's a very black and white way to look at it, admits Proels, but the reality is that that is the metric: do our programs keep our management out of jail? he said. “It's a very pass-fail thing, so I either get my full bonus or I get nothing,” he said.

Of course, Proehl does't stop there. His approach to measuring risk is to assess 11 measures on a quarterly basis. These data points, which make up the “compliance control framework” are: 1) tone from the top 2) compliance organization, 3) case tracking, 4) policies and training, 5) business partners, 6) tender and contracts in project business, 7) gifts and hospitality, 8) finance and accounting, 9) integration with personal business, 10) antitrust, and 11) due diligence in mergers and acquisitions. Proehls also said that Siemens sells this tool without support for a nominal fee, as recommended by the Department of Justice as a best practice. In addition, he said that he used surveys as a tool, though in Mitchell's estimation, it was notable that these were actually part of a dialogue between management and other teams.

Forest City Enterprises' Vice President of Risk Management Thomas Johnson described how his company focuses on reputation when it measures ethical conduct. The company looks at four distinct areas: 1) the Federal Sentencing Guidelines (ethics program evaluation), 2) Section 404 (fraud risks, tone at the top), 3) Enterprise Risk Management (reputation, compliance issues), and 4) company politics (associates, handbook, code of conduct, construction manual).

For example, Johnson described an exercise where his team went through Chapter 8 of the Federal Sentencing Guidelines and benchmarked the company's inherent risks to the different qualities of the Guidelines. “Ultimately, what we wanted to flesh out was what were the corporate criminal activities that presented a higher risk to us versus those that presented a lower risk, just to make sure that we calibrate our program accordingly,” he said. Offenses involving bribing public officials turned out to be their number one risk.

Johnson's presentation revealed that for him, Section 404 under the Sarbanes Oxley Act, becomes a leveraging mechanism for dealing with tone at the top issues, cultural issues, and ethical issues, according to Mitchell. “That's really interesting, because your CFO and your audit executive are still investing behind 404, so that can become a really good platform for investment in some of the things you're trying to do,” said Mitchell. Johnson also emphasized a shift in his ethics strategy from a “Thou shalt not” to a more positive framing.

The ethical measurement strategy presented by Robert Foehl, director of corporate compliance and ethics at Target is to build on operational, performance, and success metrics. Operational metrics measure against the company's stated business plan for the upcoming year, “to ensure that we're doing what we say we're going to do,” he said. “We're taking a really disciplined approach to using business data for metrics and monitoring, not only to help us in understanding how effective our compliance program truly is, at a macro and micro level, but also to ensure that through this process, we're also driving tangible business value.”

Foehl also made the point that when considering measuring ethical data, there's always a cost-benefit analysis associated with it—which Mitchell called an “aha” moment. “You can't just look at a measurement and say, ‘We're not going to do it,' because the benefit could actually be such that the benefit outweighs that cost—and vice versa,” Mitchell said.