It’s one thing to talk about ethics, values and compliance and quite another to see principled behavior acted out in the everyday operations of the business.
How to take talk of compliance and ethics and make it something that truly takes root among employees, stakeholders and third-party partners was the topic of discussion this week during a webinar featuring LRN senior advisor Susan Divers and Tom Fox, an attorney, author and compliance evangelist.
The job of any compliance program is to identify the company's risks, and since every company has a different risk profile based on its products, philosophies and personalities, all efforts must start with an assessment of risks and how those risks may impact the company and its reputation, said Fox.
Once an assessment is complete, the next step is to build a risk management strategy around it, said Fox, while remaining aware that a risk is just a risk, and that just because it exists doesn’t mean it will lead to a problem. Still, start with the highest risks and map out mitigation plans based on the compliance program guidance put out by the Department of Justice or Securities and Exchange Commission.
LRN research shows that linking compliance rules to the underlying values the company is based on helps people connect with why doing things the right way is important, said Divers. Tying compliance to shared values means making the conversation about integrity when discussing anti-bribery initiatives, and making it about respect when sharing training on anti-sexual harassment, she said.
LRN asked in a recent survey whether an organization's consideration of ethics and compliance risks or factors substantially modified or led to the abandonment of a business initiative. Among companies that were viewed as high performing in terms of ethics and compliance, 23% said that happens regularly, compared with 8% of respondents at low-performing firms.
Once a program is in place and a risk-mitigation strategy is set, Fox said the next task is to install a remediation plan. That doesn’t mean rushing to fix every problem immediately. In fact, he said, the DOJ and SEC don’t expect that, just a reasoned, well-thought-out approach to addressing risks.
Fox suggests putting together a mitigation plan for the top five risks to start, and using the data and information gained from those exercises as a feedback loop to further drive future upgrades. That means using cultural surveys and values surveys, and sitting down with employees in workshops and town hall meetings to figure out where you are as a program and where you need to go. “But in making those assessments take a look at the information [being collected] and tailor your solution to the information you get,” he said.
For example, Fox cited a company that saw a decline in the number of hotline reports it was receiving. Looking a little deeper, the company found it wasn’t that employees didn’t want to report issues; they preferred to bring their concerns to their immediate supervisor. So the company trained those middle managers to accept someone speaking up and taught them how to report those issues up the chain.
The hotline numbers didn't go up, but reporting went up and more solutions bubbled up from the staff, said Fox, who called it a “prime example of operationalizing solutions closer to the front lines. The company saw an issue and in assessing the issue it found something it had not expected. They took that information and fed it back into the program to make it more robust.”
Divers cited LRN research that shows employees prefer to engage with managers rather than call a hotline, so it’s important for companies to train managers and to create dashboards to capture the concerns being raised. “This is a good example of operationalizing compliance,” she said. “Rather than just saying the checklist says we have to have a hotline, we got one, so we are good ... it’s also important to maintain a strategic focus and structure.”
For example, Divers said she spoke with some people from the DOJ who commented on how many organizations obsess over relatively low-level entertainment and reimbursement questions when they should be more focused on high-risk areas and whether those risks are being mitigated effectively.
That focus includes being able to deliver messages to employees and other partners at the point they will be most helpful, such as when employees land in a foreign country on a business trip, said Divers, who touted LRN’s Catalyst mobile app as a way to drive values through training and messaging.
“What we see is a lot of companies make very difficult, long and elaborate processes that can run on to 25 pages. What we recommend is simplifying those processes to make them user-friendly,” she said. “Just click on the link, go to the right place and have a decision tree that walks you through how to do that.”