In June 2020, the U.S. Department of Justice published detailed guidance, the “Evaluation of Corporate Compliance Programs” (ECCP), for prosecutors to use to determine the degree of credit an organization should receive for its E&C program under the Federal Sentencing Guidelines. In the section entitled “Continuous Improvement,” the DOJ made the point that programs must evolve to remain effective and avoid operating on cruise control, noting:
A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale. ECCP, p. 15.
Despite the strong hint from the DOJ to avoid cruise control, E&C programs make the same five major mistakes again and again—even ones that are well-funded and run by dedicated professionals. This isn’t limited to small companies or certain sectors or locations. Using these mistakes as a lens to review your program can be helpful. Even better, correcting these mistakes doesn’t require a major budget increase or onboarding a new system. They point the way to low-hanging fruit that can be “harvested” to improve effectiveness and add momentum to your program.
1) Relying on rules to change behavior
As LRN founder and Chairman, Dov Seidman, puts it: “Three or five core values, if they are translated into shared values and understood behaviors, are more potent and powerful than 1,000 rules with all their carrots and sticks.”
Although many companies now understand the value of values in motivating employees to do the right thing—even when not required and no one’s looking—there’s work to be done. Many programs:
- Have long, convoluted compliance policies steeped in legalese.
- Send out punitive communications on the assumption that prospective penalties will change behavior.
- Use codes of conduct that are lists of rules without reference to real life situations employees face.
During the pandemic, organizations faced unprecedented challenges and risks to their operations and ethical culture. LRN’s 2022 Ethics & Compliance Program Effectiveness Report—surveying 1,200 ethics and compliance professionals worldwide—showed that 78% of respondents reported that their firms emphasized company values, rather than rules and procedures, to motivate employees to do the right thing.
Those that met the challenge relied upon shared values to motivate employees and stay true to their mission. Motivating employees to pivot, adapt, and in some cases self-isolate in plants and facilities for days on end was made possible by shared values, not directives or threats of penalties for non-compliance. As a leading CECO recently put it, moving from “must-do” to “want-to-do” requires common values and purpose—not a five-pound rule book.
2) Ignoring the power of the positive
Many, if not all, of the E&C programs we assess and review are in organizations with sound ethical cultures and have inspiring stories about doing the right thing, recovering from compliance meltdowns, or meeting unexpected challenges. Yet few actively leverage the power of the positive in their E&C programs.
For example, decisions by company leadership to cut their own compensation to avoid laying off employees during COVID can powerfully shape perceptions and build ethical muscle if they are communicated as values in action. Talking candidly about risks and how to deal with them can build trust. As a case in point:
- 64 % of respondents in the 2022 E&C Program Effectiveness Report said that their leadership communicated candidly about the challenges of the pandemic.
- 82% reported that their ethical culture emerged stronger from the COVID crisis.
Lessons actually learned are significantly more powerful in driving ethical behavior than even the best training. E&C programs can leverage the power of the positive by sharing sanitized stories of ethical decisions such as firing a top performer for misconduct, consistent with organizational justice and company values.
These initiatives resonate more strongly than summaries of penalties and a long list of prohibitions. They are consistent with the 2020 DOJ ECCP focus on, “What communications have there been generally when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?” Similarly, showcasing instances of moral courage or ethical leadership by employees can create powerful role models.
3) Clogging up the E&C program with legalese and bureaucracy
Even E&C programs that focus on values in their codes of conduct or training frequently stop short of making their policies and procedures employee friendly. Programs that still cling to the old model of complex rules, regurgitation of statutes, and a maze of procedures and processes aren’t doing their employees any favors and are hindering their ability to move to mobile-friendly training and program access. The DOJ’s 2020 ECCP reflects this shift in approach and asks if compliance policies are searchable and employees can readily understand them.
LRN’s 2022 E&C Program Effectiveness Report found that 56% of respondents listed integrating major E&C program elements into a mobile app in the near future as a top priority. A strong majority of programs surveyed intend to further strengthen their programs by focusing on ease of access and comprehension.
For example, the CECO of a leading mining company worked to simplify his compliance policies by focusing on values, make them searchable and interactive and directly connected to internal approval processes, citing Amazon’s famous “one-click” button as the model to follow. During the pandemic, Dell Technologies was able to move its annual compliance training and other critical features of its E&C program onto its mobile app, freeing up employees from their home computers as families struggled with remote learning and other challenges (as recounted in LRN’s 2021 E&C Program Effectiveness Report).
4) Engaging in blind benchmarking
Although best practices in ethics and compliance can evolve by organizations benchmarking their programs to learn about innovations and shifts in approach, benchmarking can go too far and provide a false sense of security. The DOJ 2020 ECCP, as quoted above, warns against letting an E&C program become a “snapshot” frozen in time and stresses the importance of on-going risk assessments—not benchmarking—in shaping every aspect of the program. According to the ECCP:
“Prosecutors should consider whether the company has analyzed and addressed the varying risks presented by, among other factors, the location of its operations, the industry sector, the competitiveness of the market, the regulatory landscape, potential clients and business partners, transactions with foreign governments, payments to foreign officials, use of third parties, gifts, travel, and entertainment expenses, and charitable and political donations.”
The ECCP goes on to stress the importance of using the organization’s unique risks to tailor its E&C program. For example, two Fortune 500 companies in the retail sector may have similar profiles in terms of employees, locations, and structure, but significantly different risks if one of them is in a tight vertical market with significant potential for antitrust risks or the other is sourcing materials in areas suspected of human rights violations or trafficking. Moreover, a company with a history of compliance problems or regulatory action will need to focus on ensuring those problems do not happen again, as regulators react badly to repeat offenders. When it comes to E&C programs, one size does not fit all, and your risk assessment is should serve as the program’s “north star.”
5) Seats at the right tables
Best practice in the E&C area contemplates a critical role for the E&C program in identifying and mitigating risks and strengthening and enhancing ethical culture. Despite emphasis on operationalizing programs into business and strategic decision making, there are some significant gaps in this area that commonly arise and should be addressed.
Managing third parties is a high-risk area for many companies. Most prosecutions under the Foreign Corrupt Practices Act and other countries’ anticorruption laws involve corrupt actions by third parties acting on behalf of an organization. As a result, third-party controls designed to mitigate that risk are a key feature of many programs.
Serious gaps occur, however, in delegations of authority and procedures that relegate the E&C team to an advisory function, without authority to decide whether a third party with red flags should be onboarded or a proposed acquisition or joint venture should proceed. The same problem arises in mergers and acquisitions.
Too often, the sales, marketing, or operations team has final decision authority. Thus, hiring a third party with a less-than-stellar reputation to get the deal done, or keep the plant open by getting an expedited permit, is ultimately the responsibility of those with the least understanding of the risks that can arise—or the mitigation steps needed prior to hire to resolve such risks. Similarly, the history of failed acquisitions due to ethical culture issues speaks eloquently of the risk of doing a deal based on solely on business growth considerations.
More generally, E&C has a significant role to play in environmental, social, and governance (ESG) programs and reporting. The “G” relates to strengthening good governance and promoting strong civil institutions, wherever an organization operates. Viewing and connecting ESG initiatives to E&C programs enhances both.
Limiting E&C programs to legal and compliance concerns may be changing. LRN’s 2022 Program Effectiveness Report found that 83 % of respondents reported that ethics and compliance considerations played an important role in shaping their organization’s response to the pandemic. Let’s hope that trend continues.
This article was originally published in The Compliance & Ethics Blog.