For years, ethics and compliance officers have turned to the U.S. Sentencing Guidelines, and other similar frameworks, to inform their ethics and compliance programs to prevent and detect violations of law.

The shortcoming in such frameworks, however, is that they focus only on minimum standards, based on compliance with laws or regulations. By following a check-the-box framework, companies severely limit the scope and effectiveness of their overall ethics and compliance programs.

The good news is that many companies from a wide variety of sectors and industries continue to exceed minimum standards, implementing ethics and compliance programs that don’t just satisfy regulatory expectations, but also make up the core of their overall business strategies. “They think much more broadly and deeply about ethics and compliance, its purpose, and its importance within an organization,” says Pat Harned, CEO of the Ethics and Compliance Initiative (ECI), a non-profit group that empowers companies to foster ethical practices.

In short, less mature ethics and compliance programs can learn a lot from these so-called “trailblazers.” With this in mind, ECI on April 25 issued a first-of-its-kind report, “Principles and Practices of High-Quality Ethics & Compliance Programs,” the purpose of which, Harned says, is to capture the qualities and principles that make up high-quality ethics and compliance programs to create a roadmap for other companies.

The report is the result of nearly a year of back-and-forth dialogue between a blue ribbon panel of ethics and compliance practitioners, former enforcement officials, academics, and other thought leaders. Specifically, the report identifies five core principles that every high-quality ethics and compliance program shares.

Ethics and compliance is central to business strategy. According to the report, a high-quality ethics and compliance program is not an “add-on” feature, but rather is designed to support the company’s overall business objectives; it’s an essential element within every operation.

“Leaders are expected to drive ethics and compliance forward as part of daily operations,” Harned says. At the same time, ethics and compliance officers are visible participants and contributors to strategic discussions about the day-to-day operations of the company; crisis management; and briefings to the board, the report states.

At pharmaceutical giant Merck, for example, ethics and compliance “really is integrated into all of our strategic decision-making,” says Ashley Watson, the firm’s chief ethics and compliance office. “It’s a part of how we do business.”

“It’s not about mitigation of risk; it’s the achievement of integrity.”
Pat Harned, CEO, Ethics and Compliance Initiative

Compliance officers at Merck are “part of a team,” Watson adds. “They participate proactively in all business decisions.”

High-quality ethics and compliance programs are also afforded the appropriate staff and funding to do its work, the report states. Additionally, these programs dedicate themselves to continuous improvement through feedback loops and constant evaluation.

As part of this process, ethics and compliance officers listen to employee feedback about leaders’ behaviors and the ways in which the program can be improved. “In ethics and compliance, we can never declare victory,” says Watson. You can never check all the boxes and be done, she says.

Ethics and compliance risks are identified, owned, managed, and mitigated. Although most companies conduct risk assessments as part of their normal operations for determining business objectives, risk assessments within high-quality ethics and compliance programs are “essentially the foundation on which the program is built,” says Harned. That means the program is recognized as being a key component of the risk assessment process, providing management and the board with insight that helps avoid business disruption and loss.

One critical theme that sets high-quality ethics and compliance programs apart from the rest is that responsibility for risk is shared across the company. Leaders assume ownership for the ongoing identification and mitigation of risks that are relevant to their areas.

In high-quality ethics and compliance programs, too, the ethics and compliance program itself is evaluated as a risk area. For example, compliance performance, organizational culture, and the willingness (or fear) of employees to report matters are evaluated as potential risks to the company, the report states.

Additionally, the assessment and mitigation of risk is not limited to the confines of their internal operations, but rather continues with third parties and supply chains. Due diligence processes are rigorous, well-documented, tested, and monitored for effectiveness just like any other critical business process, the report states.

Leaders at all levels across the organization build and sustain a culture of integrity. High-quality programs understand that “culture is the largest influencer of business conduct,” says Harned. “It’s not about mitigation of risk; it’s the achievement of integrity.” Every leader in the business must understand they have a responsibility to build that culture of integrity, she says.


Below is an excerpt of the key supportiving objectives of the five principles outlined in the Principles and Practices of High-Quality Ethics & Compliance Programs.
Supporting objectives of Principle 1:

The E&C program exists to support business objectives overall;

The E&C program is well-resourced, including having a senior-level chief ethics and compliance officer who is visible in strategic discussions of the organization;

Compliance personnel are visible participants in key strategic discussions and are frequently asked to give their input to ensure decision-making aligns with values;

The E&C program itself is dedicated to continuous improvement through continue feedback loops, constant evaluation; and

The board is aware of the design of the ethics and compliance program, the operation of it, the outcome of the program and are regularly by the ethics and compliance leader.
Supporting objectives of Principle 2:

The E&C program is calibrated to key risk areas identified through a robust, continuous risk assessment process;

Leaders across the organization are assigned responsibility for the ongoing identification and mitigation of risks that are endemic to their operations;

Self-assessment, early issue spotting and prompt remediation of compliance gaps are recognized and rewarded;

Ethics and compliance—both the program and the state of the organization from an E&C perspective—are regularly monitored as risk areas;

Guidance and support for handling key risks are provided to employees according to their role;

The organization maintains rigorous third party due diligence processes that screen for integrity.

Supporting objectives of Principle 3:

Leaders are incentivized and expected to personally act with integrity and are held accountable if they don’t;

Leaders own and are held accountable for building a strong ethical culture;

Core values are communicated through a number of channels;

The organization encourages the reporting of concerns and suspected wrongdoing;
Supporting objectives of Principle 4:

Leaders create an environment where employees are prepared and empowered to raise concerns and resources are provided to support employees in decision making;

The organization respects all employees’ rights to report to government authorities;

The organization provides a broad and varied number of reporting avenues, each with effective tracking for escalation and response of significant matters;

The organization treats all reporters the same—with consistency and fairness—throughout the entire process;

The organization has proactive processes in place to prevent retaliation, including awareness training for leaders, monitoring of employee reporters, and demonstrated consequences for violations; and

The organization communicates directly with individual reporters and more broadly with all employees when cases are closed.
Supporting objectives of Principle 5:

The organization regularly communicates that individuals who violate organizational standards of or the law will be disciplined;

The organization maintain investigative excellence;

Disciplinary action is consistently taken when violations are substantiated;

Systems for escalation and response are well-developed and regularly tested, and leaders are held accountable for compliance;

Appropriate disclosures are made to regulatory or other government authorities.
Source: Ethics & Compliance Initiative

To achieve this, high-quality programs evaluate leaders for their efforts as part of their annual performance reviews, the report states. Furthermore, ethics and compliance equips managers and supervisors with the core values and support they need to help them connect values to decisions made in day-to-day operations.

“People tend to look first at their direct managers as a model for behavior, so if middle managers aren’t walking the walk and talking the talk, you can have a significant problem,” says Matt Pachman, chief ethics and compliance officer and acting chief risk officer at consulting firm FTI Consulting.

High-quality programs seek to provide guidance to non-management employees to help them deal with ethics and compliance situations that they may encounter. Specifically, training and awareness programs are implemented and tailored to employees by role, function, culture, and geographic location.

The company encourages, protects, and values the reporting of concerns and suspected wrongdoing. “One of the biggest risks for a company is when wrongdoing is happening, but employees are afraid to come forward and tell management about it,” says Harned. “Making it a priority for employees to know that they should—and are welcome—to come forward is a critical part of a high-quality ethics and compliance program.”

You cannot assume that managers are going to know exactly how to handle an employee who has reported an issue, says Pachman. Ethics and compliance plays a valuable role by providing training and communication to managers on how to appropriately manage a situation in which an employee comes to you, he says.

High-quality ethics and compliance programs send “consistent and meaningful messages to employees about the organization’s stance against retaliation,” the report states. Furthermore, instances of retaliatory behavior are closely investigated, and appropriate action is taken.

High-quality ethics and compliance programs also share the outcomes of substantiated wrongdoing. “This transparency in reporting investigative outcomes builds trust and confirms accountability among employees and third parties in a powerfully direct manner,” the report states.

The organization takes action and holds itself accountable when wrongdoing occurs. It’s not reasonable to expect that misconduct can be eradicated completely, but companies with high-quality ethics and compliance programs respond quickly and act responsibly, the report states. This means, in part, that investigations of alleged wrongdoing are “timely, neutral, thorough, competent, and consistent,” Harned says.

When misconduct is discovered, high-quality ethics and compliance programs respond with appropriate consequences; no exceptions are made for senior-level executives who are implicated for engaging wrongdoing.

Furthermore, when wrongdoing does occur, a company with a high-quality program holds itself accountable both to employees and externally to appropriate regulators and government authorities. “It maximizes learning from every substantiated case, and it acknowledges issues and corresponding mitigation to employees in order to reinforce the message that integrity matters,” the report states.

Done right, a high-quality ethics and compliance program “really can foster a culture of integrity,” says Pachman. “It’s not just about doing the right thing, which ultimately we should all do, but it’s good for business.”

Companies that have ethics and compliance programs that meet only the minimum standards required by law or regulation are “doing themselves a tremendous disservice,” Pachman adds. Clients, customers, shareholders, and other stakeholders are going to appreciate it, he says, if they think your company is characterized by integrity and lives by its values.