5 Things to Know When Merging Compliance and Ethics Programs

Organizations have been living with the notion of combined ethics and compliance (E&C) programs ever since Sarbanes-Oxley (SOX) introduced hotlines and whistleblower concepts. Before the advent of SOX, most organizations’ codes of conduct, if they even had a formal document, were usually introduced to employees upon hire, most likely out of date and referenced in the back pages of the employee handbook. As a result, complaints about wrongdoing, ethics violations and other misdeeds were rarely reported, had no clear channel for action and often ended with the whistleblower being punished or at the very least ostracized.

SOX addressed this issue by requiring an anonymous hotline where whistleblowers could live freely without fear of harm or retribution. As years have gone by, the hotlines and the process itself have matured. They went from being additional phone lines into HR with promises of anonymity (how does that work?) to third-party administered processes with anonymous reporting to corporate officers.

SOX also established significant personal penalties on corporate officers for reporting financial information that was knowingly incorrect. SOX put the CEO and CFO on the hook by requiring signed certifications within the company’s quarterly and annual reports. In many cases, the process has matured to the point where individuals who have issues to report can do so without fear of reprisal.

Questions remain, however, regarding the effectiveness of the reporting process. Many organizations report that their hotlines typically carry petty complaints about timesheet abuse, leaving work early, taking long lunches and other similar issues. Racial or gender abuse issues also surface, but concerns of management fraud, corporate wrongdoing and massive deception do not seem to make the list.

Now begins a new decade with continuing and well-publicized cases of fraud and corruption, which prompted new standards and promulgations such as the Dodd-Frank Act to establish an award for those reporting new information to the SEC that results in penalties. Awards are significant, starting at $100,000 and going up from there. The Dodd-Frank Act takes the carrot approach of dangling significant money in front of individuals to incent them to report abuses. As of mid-2011, the SEC is still struggling with how to implement this provision.

5 Things To Consider When Merging Compliance and Ethics

Corporate America has tried the stick and is now trying the carrot approach. Why is it so hard to integrate compliance with ethics? Here are five things to consider when attempting to integrate or combine compliance with ethics.

  1. Ethics is a mindset of right vs. wrong. By the time an individual enters the corporate mainstream, notions of right and wrong are already established. It is difficult to force a different set of values.
  2. Since childhood, people have been told not to be tattletales. Most of us remember situations where wrongdoing went unpunished because it only surfaced when someone “tattled.” “I don’t care,” the parent said. “Stop being a tattletale.” If organizations are to promote and reward good behavior of coming forth with news about possible wrongdoings, ethics violations and other misdeeds, this has to change.
  3. Ethics is subjective. What is right to one person may not be right to another. As a result, ethics groups spend time defining processes to report problems, but shy away from trying to define what is right and wrong.
  4. Ethics are not embedded into our core strategies and business plans. Ethics tends to be a one-off topic discussed at town hall meetings, new hire orientations or annual employee certification programs. It is typically not placed into operation nor monitored, planned for, benchmarked or dashboarded.
  5. Organizations at times say one thing and do another. They say ethics must come from the top, but then ethics issues are made anonymous.

Solving the Compliance vs. Ethics Dilemma

Corporate America can make significant progress in integrating ethics and compliance, but organizations must realize that results will not be immediately obvious. That is a tough fact for many bottom-line oriented folks to swallow. However, progress can be made by applying several proven methods:

  • Continue to influence employees’ perceptions of right and wrong. Continue to offer training, focus groups and town hall meetings. Just remember that it is an influencing process.
  • Demonstrate that leadership is not afraid of ethics issues. Have the CEO talk about ethics challenges that leadership and the company are facing. Ask members of the leadership team to speak about cases they have dealt with, but protect the innocent while doing so.
  • Embed ethics issues into running the business. Make ethics part of client acceptance, vendor acceptance, management discussions and reporting to the public.

Most importantly, organizations must treat ethics like any other business activity by establishing metrics to monitor compliance with expected actions. Ethics dashboards should be included in the normal monthly business reviews to ensure ongoing engagement and accountability.

Ethics will continue to be a moving target for compliance and regulatory bodies. It is up to corporate leadership to enact any significant and proactive change. By taking an active role in positively influencing the way employees conduct business both internally and externally, leadership has the opportunity to foster a more ethical workplace.


About the Authors

John Martin is director at MorganFranklin, leading the company’s most complex and challenging risk and control engagements. He is a quoted and published expert in internal control audits, implementation and training. John is a director in MorganFranklin’s commercial practice with extensive experience in SOX compliance, GRC implementations and enterprise risk assessments. He has led GRC platform projects at several companies, where the challenges ranged from lack of a common risk taxonomy to misaligned strategies from various stakeholders.

Bill Hughes serves as managing director in MorganFranklin’s public sector financial management and performance improvement practice, where he has been instrumental in creating, leading and shaping the strategic direction of the company’s government sector activities. In addition to leading a number of key projects, Bill is responsible for practice and business development and contributing to the creation of new service offerings.

Edward Applegate serves as managing director at MorganFranklin with a focus on risk management, including the areas of internal audit, IT audit, enterprise risk management and Sarbanes-Oxley compliance. He also leads transaction services engagements involving SEC reporting and financing for private equity transactions.

About the Author

John Martin, Bill Hughes and Edward Applegate

John Martin is a director in MorganFranklin's commercial practice with extensive experience in SOX compliance, GRC implementations and enterprise risk assessments. He has led GRC platform projects at several companies, where the challenges ranged from lack of a common risk taxonomy to misaligned strategies from various stakeholders. John is a quoted and published expert in internal control audits, implementation and training and leads MorganFranklin's most complex and challenging risk and control engagements. John was a designated audit test specialist while at the Big Four and helped develop training around a risk-based approach to internal controls. He understands adult learning and the significant role on-the-job learning and job aids play in transferring knowledge. John is the author of “Improving the Audit Process,” a Big Four initiative to improve efficiency and effectiveness of engagement teams.