Organizations have been living with the notion of combined ethics and compliance programs (E&C) ever since Sarbanes-Oxley (SOX) introduced hotlines and whistleblower concepts. Before the advent of SOX, most organizations’ codes of conduct, if they even had a formal document, was usually introduced to employees upon hire, most likely out of date and referenced in the back pages of the employee handbook. As a result, complaints about wrongdoing, ethics violations and other misdeeds were rarely reported, had no clear channel for action and often ended with the whistleblower being punished or at the very least ostracized.
SOX addressed this issue by requiring an anonymous hotline where whistleblowers could live freely without fear of harm or retribution. As years have gone by, the hotlines and the process itself have matured. They went from being additional phone lines into HR with promises of anonymity (how does that work?) to third-party administered processes with anonymous reporting to corporate officers.
SOX also established significant personal penalties on corporate officers for reporting financial information that was knowingly incorrect. SOX put the CEO and CFO on the hook by requiring signed certifications within the company’s quarterly and annual reports. In many cases, the process has matured to the point where individuals who have issues to report can do so without fear of reprisal.
Questions remain, however, regarding the effectiveness of the reporting process. Many organizations report that their hotlines typically carry petty complaints about timesheet abuse, leaving work early, taking long lunches and other similar issues. Racial or gender abuse issues also surface, but concerns of management fraud, corporate wrongdoing and massive deception do not seem to make the list.
Now begins a new decade with continuing and well-publicized cases of fraud and corruption, which prompted new standards and promulgations such as the Dodd-Frank Act to establish an award for those reporting new information to the SEC that result in penalties. Awards are significant, starting at $100,000 and going up from there. The Dodd-Frank Act takes the carrot approach of dangling significant money in front of individuals to incent them to report abuses. As of mid-2011, the SEC is still struggling with how to implement this provision.
Corporate America has tried the stick and is now trying the carrot approach. Why is it so hard to integrate compliance with ethics? Here are five things to consider when attempting to integrate or combine compliance with ethics.
Corporate America can make significant progress in integrating ethics and compliance, but organizations must realize that results will not be immediately obvious. That is a tough fact for many bottom-line oriented folks to swallow. However, progress can be made by applying several proven methods:
Most importantly, organizations must treat ethics like any other business activity by establishing metrics to monitor compliance with expected actions. Ethics dashboards should be included in the normal monthly business reviews to ensure ongoing engagement and accountability.
Ethics will continue to be a moving target for compliance and regulatory bodies. It is up to corporate leadership to enact any significant and proactive change. By taking an active role in positively influencing the way employees conduct business both internally and externally, leadership has the opportunity to foster a more ethical workplace.
About the Authors
John Martin is director at MorganFranklin, leading the company’s most complex and challenging risk and control engagements. He is a quoted and published expert in internal control audits, implementation and training. John is a director in MorganFranklin’s commercial practice with extensive experience in SOX compliance, GRC implementations and enterprise risk assessments. He has led GRC platform projects at several companies, where the challenges ranged from lack of a common risk taxonomy to misaligned strategies from various stakeholders.
Bill Hughes serves as managing director in MorganFranklin’s public sector financial management and performance improvement practice, where he has been instrumental in creating, leading and shaping the strategic direction of the company’s government sector activities. In addition to leading a number of key projects, Bill is responsible for practice and business development and contributing to the creation of new service offerings.
Edward Applegate serves as managing director at MorganFranklin with a focus on risk management, including the areas of internal audit, IT audit, enterprise risk management and Sarbanes-Oxley compliance. He also leads transaction services engagements involving SEC reporting and financing for private equity transactions.
John Martin is a director in MorganFranklin’s commercial practice with extensive experience in SOX compliance, GRC implementations and enterprise risk assessments. He has led GRC platform projects at several companies, where the challenges ranged from lack of a common risk taxonomy to misaligned strategies from various stakeholders. John is a quoted and published expert in internal control audits, implementation and training and leads MorganFranklin’s most complex and challenging risk and control engagements.
John was a designated audit test specialist while at the Big Four and helped develop training around a risk-based approach to internal controls. He understands adult learning and the significant role on-the-job learning and job aids play in transferring knowledge. John is the author of “Improving the Audit Process” – a Big Four initiative to improve efficiency and effectiveness of engagement teams.
John has the contributed the following articles to Corporate Compliance Insights: