Transcription
Building world-class ethicsand compliance programs:Making a good program greatFive ingredients for your program
ContentsIntroduction1How did we get here?2What are the ingredients?3Tone at the top4Corporate culture7Compliance risk assessments12The Chief Compliance Officer18Testing and monitoring23Contacts29
IntroductionThe expression “never a dull moment” could have beentailor-made to describe the ethics and compliance functionand how it has evolved over the past decade or so. Thewell-publicized financial scandals that marked the aftermathof the tech bubble in 2002 and the housing bubble in 2008led the Congress to pass sweeping legislation that calledfor increased regulation, greater financial transparency, andmore rigorous scrutiny of large corporations.Suddenly, the ethics and compliance function found itselffront and center, its responsibilities greatly expanded,and its activities far more integral to the strategic core oforganizations struggling to regain public trust.Furthermore, the stunning growth of social media, mobiletechnologies, and “big data” has ushered in a new eraof transparency, exposing illegal transactions and raisingprofound new ethical questions about the way business isconducted. Once again, the ethics and compliance functionhas a central role to play in teasing out these issues.What has become abundantly clear is that when it comesto creating ethics and compliance programs, organizationstoday cannot afford to settle. “Good enough” is simply notgood enough. Rather, organizations should continuouslystrive for “great.”What separates a “good” ethics and compliance programfrom a “great” one? How does an organization’s investmentin compliance and reputation risk mitigation systems andprocesses measure up against leading practices? At a timewhen risks are increasing, what are the building blocksupon which to build a world-class ethics and complianceprogram that not only protects an organization frominternal and external threats, but also enhances its brandand strengthens its relationships with all stakeholders?These are all questions that were explored in our series ofarticles about the ingredients of a world-class ethics andcompliance program. We’ve combined all of the articlesinto this compendium to allow for easier reading andreference. We hope you find these insights helpful. Tolearn more, please visit us at: www.deloitte.com/us/ecs orwww.deloitte.com/us/goodtogreat.Nicole SandfordPartner Deloitte AdvisoryNational Practice Leader,Enterprise Compliance ServicesDeloitte & Touche LLPBuilding world-class ethics and compliance programs: Making a good program great Five ingredients for your program 1
How did we get here?During the 1990s, the bulls were running wild. NASDAQrose from 329.8 in October 1990 to its historical high of5,048.62 in March 20001 and the Dow Jones IndustrialAverage rose from 2,442.33 to 9,928.82 in the same timeperiod.2 The dramatic rise in market value may have causedstakeholders—such as regulators and investors—to hesitatein questioning the underpinnings and legitimacy of the bullmarket.When a number of high-profile corporate scandals wereexposed, there was a devastating loss of trust; it was as ifthe public had been trampled by those same bulls. NASDAQfell to 1,139.90 in October 2002,3 losing nearly 80 percentof its value, while corporate stocks on all exchangescollectively lost 7 trillion in market value.4 Painfully, thesescandals exposed widespread arrogance, fraud, conflictsof-interest, preferential treatment, and a collective failureamong the gatekeepers charged with oversight andmaintaining the public trust.The public and Congress questioned where the leaderswere and who held the reins. In response, Congresspassed The Sarbanes-Oxley Act of 2002, demandinggreater accountability by boards and top executives. Inparticular, this law offered the platform to popularizethe term “tone at the top,” clearly an element missingin the aforementioned scandals. In addition, the 2004amendments to the U.S. Federal Sentencing Guidelinescreated powerful incentives for corporations to “promotean organizational culture that encourages ethical conductand a commitment to compliance with the law.”5 Much ofthis legislation also emphasized the importance of assigninga high-ranking official to administer the organization’sethics and compliance programs.2Fast forward to a time when a global economic tsunamifollowed failures in the financial services industry and thenationalization and recapitalization of banks and otherproud institutions. The world stood as a powerless witnessto the loss of more than 30 million jobs worldwide6 anda 37 percent decline in the value of global equities.7 In itswake, the meltdown exposed bribery and corruption, fraud,insider trading, conflicts-of-interest, money laundering,price fixing, and Ponzi schemes on an unthinkable scale.Then President-elect Obama spoke about “reckless greedand irresponsibility.”In response, Congress passed the expansive newrequirements in the Dodd-Frank Wall Street Reformand Consumer Protection Act, coinciding with anunprecedented level of cross-border cooperation ofregulators and prosecutors globally. Then, in March2010, the Organisation for Economic Co-operation andDevelopment (OECD) issued its Good Practice Guidanceurging companies to promote a comprehensive systemof ethics and a culture of integrity, to which 45 nationshave become signatories. In May 2013, The Committeeof Sponsoring Organizations of the Treadway Commission(COSO) adopted provisions to its original guidancepromoting ethics and culture as integral to a comprehensiveframework for reputation risk management.All told this adds up to a clear mandate for organizationseverywhere: it’s time to get serious about developing atruly effective ethics and compliance program. Your survivalcould well depend on it.
What are the ingredients of a great ethics andcompliance program?While there are a number of factors that separate the“good” from the “great,” in our experience, there are fivefactors that are key differentiators in the highest-performingethics and compliance programs.Tone at the top—The starting point for any world-classethics and compliance program is the board and seniormanagement, and the sense of responsibility they share toprotect the shareholders’ reputational and financial assets.The board and senior management should do more thanpay “lip service” to ethics and compliance. They needto empower and properly resource the individuals whohave day-to-day responsibilities to mitigate risks and buildorganizational trust.Corporate culture—A culture of integrity is central to anyeffective ethics and compliance program. Initiatives that donot clearly contribute to a culture of ethical and compliantbehavior may be viewed as perfunctory functions instillingcontrols that are impediments to driving the “value change”of the enterprise.Risk assessments—Ethics and compliance risk assessmentsare not just about process—they are also aboutunderstanding the risks that an organization faces. The riskassessment focuses the board and senior management onthose risks that are most significant within the organization,and provides the basis for determining the actions necessaryto avoid, mitigate, or remediate those risks.The Chief Compliance Officer (CCO)—The CCO hasday-to-day responsibility for overseeing the management ofcompliance and reputational risks, and is the agent for theboard’s fiduciary obligations in this regard. A skilled CCOcan create a competitive edge for their organization.Testing and monitoring—A robust testing and monitoringprogram can help ensure that the control environmentis effective. The process begins with implementingappropriate controls, which should be tested and ultimatelymonitored and audited on a regular basis.On the following pages, we will explore each of theseelements in greater detail.Building world-class ethics and compliance programs: Making a good program great Five ingredients for your program 3
Tone at the topTone at the top is what instills the organization with a culture of integrity.Without question, reputation risks today are at leastas great as strategic, operating, and financial risks.That’s because, as we’ve seen again and again, once anorganization’s reputation is compromised, the impact canbe devastating—from a plummeting stock price to a loss ofcustomers.Guarding against reputational risk begins with setting theproper tone at the top that the organization values andembraces a culture of integrity.How can chief executive officers (CEOs) create the righttone at the top? What role should the board play? Howabout the CCO? How does tone at the top cascade to themiddle and beyond?Who sets the tone?In the context of an ethics and compliance program,the tone at the top sets an organization’s guiding valuesand ethical climate. Properly fed and nurtured, it is thefoundation upon which the culture of an enterprise is built.Ultimately, it is the glue that holds an organization together.“Sometimes, all it takes is a rumor, ahint of impropriety or malfeasance,or a social media post gone viral, tonegatively impact shareholder valueand damage—or worse, destroy—corporate and brand reputations inan instant.”Keith Darcy, independent senior advisor to Deloitte & Touche LLP4The board, the CEO, and the CCO play critical roles insetting the tone at the top.The boardThe starting point for setting the tone begins with theorganization’s governing authority—most frequentlythis means the board of directors. The board’s mostfundamental tasks would typically include hiring the CEO,approving strategy, monitoring execution of the plan,setting risk appetite, and exercising appropriate oversightregarding risk mitigations, all with the underlying goal ofpreserving and creating shareholder value.The board sets the tone of the organization in the waythat it executes each of these responsibilities. However,perhaps no single decision drives tone at the top more thanthe selection of the CEO. That process must necessarilyfocus on competence, character, and chemistry and raisesquestions such as the following; Does the prospective CEO have the requisite skills andexperience to move the organization forward? Does this person possess the character and moral fiber tomodel and contribute to the development of a valuescentered enterprise and strategy? Does the CEO have the chemistry and communicationskills necessary to rally others to successfully andconsistently deliver on the organization’s valueproposition to all stakeholders?Boards must provide appropriate weight to each of theseconsiderations. Too often, the CEO selection processfocuses mostly on competence, with less thought given tocharacter and chemistry.Once selected, the board is accountable to monitor theCEO’s performance based upon appropriate metrics forcompetence, character, and chemistry. In summary, thegoverning authority must ensure that ethical objectives arebuilt into the actions and the strategy of the organization,and that they are not merely a statement of goodintentions.
The CEOEstablishing the right tone at the top is much more thana system of compliance. Establishing the right tone isessential to fortifying the organization’s reputation and itsrelationship with all stakeholders. The street is littered withcorporate failures and sub-optimal performance from CEOswho have neglected to prioritize the development of aculture of integrity.The CEO is the face of the organization, the figurehead towhom employees ultimately look for vision, guidance, andleadership. A CEO’s behavior tells employees what counts,and what’s rewarded and punished. Leadership derivesfrom trust, and trust is built upon a common understandingbetween people.8 Leadership, therefore, is relational, nottransactional.Tone at the top demands that leaders—and especially theCEO—find ways to connect with people inside and outsidethe organization. Leaders must openly and continuallycommunicate their values, using different platforms anddistribution systems. Unfortunately, many companies undercommunicate values by a significant degree.Developing a sense of shared values—a set of beliefsagainst which all decisions can be measured and tested—isincreasingly the basis on which long-term strategies andsuccessful implementations are built. Failure to align ethicsand values to business strategies and operating plans bearspotentially heavy costs.9The CCOClearly, the chief compliance officer plays a critical role insetting and reinforcing the tone at the top. The personselected for this role must be beyond reproach—someonewhose integrity is clear and who can earn the respect ofpersonnel at all levels. The character and stature of theperson the board and executive management team selectto hold the CCO position is a powerful statement about theorganization’s commitment to ethics and compliance, asis the organizational positioning of the person within theexecutive leadership team.“People are suspicious of leaderswho are closed about their values orstandards. Stakeholders assume if youvalue nothing, you’ll value anything.”Thomas Rollauer, executive director, Deloitte Center for Regulatory StrategiesThe CCO contributes to tone at the top in both directand indirect ways. The CCO has a built-in platform forreinforcing the organization’s values; balancing themessaging related to sales and growth. The CCO is alsothe leader that employees seek out when they have ethicalconcerns. Therefore, he or she plays a crucial role increating a “speak up” culture—an essential element of toneat the top.In addition, the best CCOs seek out opportunities for theCEO to convey key ethics and compliance messages inboth internal and external communications. He or she alsoproactively assists the board in both understanding andexecuting their role in setting the tone at the top.Beyond the roles described above, the board and executivemanagement help translate the “tone at the top” toa healthy “mood in the middle” by ensuring certainorganizational practices are in place at all levels, includingamong others: Recruiting and screening methodologies—It beginswith intake channels and screening for people’scharacter, competence, and chemistry. Everyone in thehiring process should recruit for character first. Socialization and training—Organizations should createa seamless integration—beginning in orientation—tofoster an ethical and compliant culture. Mentoring andadditional training must offer consistent messages aboutwhat’s valued.Building world-class ethics and compliance programs: Making a good program great Five ingredients for your program 5
Reward systems—You get what you measure.Recognition and rewards should be aligned with desiredvalues and behaviors. Everyone must be reviewed notonly for what they do, but how they do it. Moreover,employees with the courage to step forward with ethicalconcerns must be appropriately recognized and rewardedto help encourage others to follow suit. Employee exits—People leaving the organization shouldbe treated equal to how they were brought in. It sends amessage regarding how people are valued.Unique challengesIn creating the right tone, certain issues require specialattention from the board and senior leaders. These uniquechallenges include: Mergers and acquisitions—Cultural integration isessential to a successful combination, especially inmitigating risks to the combined entity. Leaders mustensure that acquired employees don’t feel plundered,exploited, or occupied.Reinforcing tone at the top Walk the talk: Implement and publish board operating principles that align withthe organization’s values, and provide specific responsibilities for acting in an ethicalmanner at all times. Remember the water cooler: When making difficult decisions about unethicalbehavior involving anyone in a management role, assume both the ethical breach,and your response to it, will be widely known within the organization. Think abouthow the decision may reinforce—or conflict with—the company’s stated values. Keep an ear to the ground: Use new technologies to monitor the corporate buzz.What are your employees, customers, and other stakeholders saying about theorganization’s culture in social media and other digital platforms? Reward for principled performance: Include ethics and compliance inperformance goals for C-Suite executives, and tie those goals to compensation. Build an ethical corporate ladder: Consider the ethics and compliance trackrecord when promoting people into senior leadership roles, particularly as part ofsuccession planning. Autonomous and decentralized operations—Thefurther away from headquarters, the greater thelikelihood that something gets “lost in translation.” Taketime to understand and respect other peoples’ cultures,and pay special attention to business units or individualsthat operate with significant autonomy. Neither moralimperialism nor moral relativism works. Co-create a newunderstanding. Discontents—Nothing will undermine tone quickerthan not addressing and dealing with individuals whoseactions are contrary to the organization’s beliefs. Institutionalization—Institutionalization of values isoften the first step toward bureaucracy. The seniorleadership helps set the tone at the top by keeping valuesand culture “fresh.”There is also another reality that must be recognized indeveloping tone. Given the proliferation of social mediaand mobile technologies, there are conversations going onbetween and among all stakeholders at any given moment.The world is becoming increasingly transparent. As a result,the gaps between a leader’s words and actions can “goviral” in a nanosecond, thus undermining efforts to build aconsistent message and tone. Where there are actions thatcannot be spoken about, or words that cannot be put intoaction, the moral development of the enterprise can beundermined by cynicism.Setting the right tone offers lasting benefitsAt its most basic level, an organization is a community ofpeople with common interests and shared values bandedtogether to achieve a common goal.10 Increasingly,employees are saying they want to be identified with anorganization that stands for something more than quarterlyearnings and whose values align with their own. They wantto take pride in what they produce. They want to admirethe people with whom they work.11Creating and maintaining the right tone at the top is anessential first step in creating an enterprise anchoredto an effective ethics and compliance program. It alsooffers benefits that extend beyond compliance programsthemselves—benefits that include both client and customerretention, increased employee engagement, and theestablishment of an enduring brand.6
Corporate cultureA culture of ethics and compliance is at the core of a strong risk management program.In a business environment where reputational threatslurk around every corner, a strong culture of ethics andcompliance is the foundation of a robust risk managementprogram. The lessons learned related to scandals andorganizational crises that trace back to the early 2000smake one thing clear: without an ethical and compliantculture, organizations will always be at risk. In fact, moreand more, culture is moving from a lofty, “squishy” conceptto something that should be defined, measured, andimproved (see figure 1).Culture has always been important to how organizationsoperate. So why is it getting so much attention lately?One reason is that regulators have come to the realizationthat without a culture of integrity, organizations arelikely to view their ethics and compliance programs asa set of check-the-box activities, or even worse, as aroadblock to achieving their business objectives. In fact,organizations responsible for some of the most egregiousacts of malfeasance have had quite impressive, formalizedethics and compliance guidelines. The problem was eitherleadership or a group of influential insiders op
The Chief Compliance Officer (CCO)—The CCO has day-to-day responsibility for overseeing the management of compliance and reputational risks, and is the agent for the board’s fiduciary obligations in this regard. A skilled CCO can create a competitive edge for their organizatio
