When I was a kid, one of the very best vacations my family ever took was an extended trip out West. We flew to Chicago, took an overnight train to Denver, and from there, rented a van and set out to see all kinds of things most people simply fly over. Each of us had chosen three places where they wanted to go, and my mom scheduled it all into an epic road trip that spanned three weeks. We saw everything from Mount Rushmore to the Alamo to the Grand Canyon to Yellowstone Park. It was outstanding.

It was during that last leg to Yellowstone that we went to a most unusual place: the source of the Missouri River. It was a tiny little stream, smaller than many of the creeks I played in back home. It was so small, in fact, that I could stand astride it, and got a chuckle when my brother pointed out that I had one foot on both banks of the Missouri River. And then, to one-up me, he pushed a big rock into the water, momentarily stopping the stream entirely before my dad informed us that we were not there to vandalize one of the greatest rivers in the world. Together, we removed the rock, and restored things to their rightful place.

I relate this story because recently, I had the pleasure of meeting with Nikos Passas, a professor of collective action, business ethics, and compliance, at the International Anti-Corruption Academy. Over the course of our discussion, we talked not just about the role of ethics and compliance, but also about the role of ethics in compliance. Just before I met Nikos, I had read a few books on modern business ethics and the development of ethics and compliance from a general idea into a genuine profession. I was struck by the differing conventions we use to describe all of this, and how there seem to be two groups that overlap significantly: the role of ethics & compliance, and the role of governance, risk & compliance.

On the one hand, there is the delicate interplay between morality and operations; the mix of personal and cultural values that drive an easier way to behave properly and with integrity, even when and if business pressures might suggest alternative behavior. On the other hand, there is the much more operational interplay of knowing what the rules are, knowing what conditions might arise that could lead to the breaking of those rules, knowing what the stakes are, and ensuring that things are in place to keep anyone from going astray.

Both are important. Both are valuable. And I suppose in one way of thinking, both are two sides of the same coin. And yet, I have a hard time imagining ethics, risk, governance, and compliance living in separate worlds. Over the years, when I have covered various scandals, crises, and enforcement actions at companies from various countries and industries, the problem so often seems to arise from an ethical lapse, and then, over time, that lapse somehow reverberates and magnifies into something that becomes a major issue affecting the entire organization, whether it is a reputational crisis, regulatory fines, civil liability, or even criminal prosecution.

One episode that stands out in particular to me involved a company that faced significant regulatory troubles for some behavior that not everyone felt was really all that bad. Ultimately, the response from management was that what was done wasn't illegal because it wasn't specifically spelled out as being illegal. But when you spoke with those who were closer to the issue, they noted that yes, perhaps the company did nothing illegal, but it certainly wasn’t keeping to the spirit of the law, either. It was taking advantage of gray space in a way that didn’t reflect favorably on everyone.

When I think about that specific case, it all came back to a call that the top management made years before that, yes, a certain kind of behavior was acceptable in the name of financial performance. Had the top management made a different call, the regulatory nightmare that occurred years later probably never would have occurred. And this involved managers who otherwise had a long history of admirable and ethical behavior. Nobody is perfect. But when it comes to determining an organization’s integrity and culture of ethics, everybody has the potential to either be the rock in the headwaters, or the one who removes it.

That is the funny thing about ethics; it does not necessarily start from the boardroom. It can start from anyone and work outward from there. And so can the lapses, which is why it is so important to make the right decisions early and always, to set a tone that makes governance, risk, and compliance far smaller needs. For if you’re doing the right thing to begin with, knowing what rules to follow and how to follow them never is as difficult as it could be.

And yet, here we are, so often speaking about corporate compliance without mentioning the ethics component in the same breath. Somehow, we still seem to keep ethics and governance, risk, and compliance on either side of the river, as it were, both part of the same waters, and yet requiring some kind of bridge to bring together. Hopefully one day this will no longer be the case but, until that day arrives, it falls to compliance officers everywhere to stand with a foot on both banks, bringing these two worlds together.