Compliance and ethics program
There has been a long history of business and government excesses and subsequent legal, public and political reaction. Response to criminal misconduct has resulted in legal sanctions, governance practices, compliance standards and cultural transformation. Over the last 40 years, several major events in American business and subsequent legislation and regulation have shaped the way organizations do their business. The events with the most significant impact and influence in the development of compliance programs are the Foreign Corrupt Practices Act, the Committee of Sponsoring Organizations, and the Federal Sentencing Guidelines.
Foreign Corrupt Practices Act
The Foreign Corrupt Practices Act (FCPA) marked the early beginnings of compliance programs in the United States. In the mid-1970s, United States Securities and Exchange Commission (SEC) investigations discovered that a significant number of American companies participated in bribery overseas. “Over 400 U.S. companies admitted to making questionable or illegal payments to foreign government officials, politicians and political parties.” (United States Department of Justice 2006) One of the most infamous cases of its time was the admission by a Lockheed executive, to the Multinational Corporations Subcommittee of the Senate Foreign Relations Committee, that Lockheed had paid bribes in the amount of $22 million to Japanese government officials in the course of trying to sell its aircraft. This revelation came on the heels of the U.S. Government providing Lockheed with a $250 million emergency loan guarantee (Hishikawa 2003).
In an effort to restore faith in American business, in December 1977 the Foreign Corrupt Practices Act was signed into law. Its anti-bribery provision makes it “unlawful for a U.S. person, and certain foreign issuers of securities, to make a corrupt payment to a foreign official for the purpose of obtaining or retaining business for or with, or directing business to, any person.” (United States Department of Justice 2006) The law also requires publicly traded companies “to maintain records that accurately and fairly represent the company’s transactions. Additionally, it requires these companies to have an adequate system of internal accounting controls.” (United States Department of Justice 2006)
Following the passage of the FCPA, in 1988 Congress became concerned that American companies were operating at a disadvantage because their foreign counterparts were, as a matter of practice, paying bribes to foreign officials and deducting those bribes as business expenses on their taxes (United States Department of Justice 2006). Subsequently, the Executive Branch began negotiations with the Organisation for Economic Co-operation and Development (OECD), a 34-member coalition consisting of the United States and 33 other countries, to enact legislation similar to the FCPA. In 1997, the OECD signed the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (http://www.oecd.org/document/21/0,2340,en_2649_34859_2017813_1_1_1_1,00.html).
This convention requires member nations to make the payment of bribes to foreign officials a crime and to follow the rules and regulations that govern bribery in international transactions. The U.S. ratified the convention and enacted implementing legislation in 1998. At this time, the FCPA was amended to include territorial jurisdiction over foreign companies and nationals. A foreign company or person is now subject to the FCPA if the company or person, either directly or indirectly through agents, engages in acts in furtherance of corrupt payments taking place within the territory of the United States.
Committee of Sponsoring Organizations
In response to the FCPA and its requirement to implement internal control programs, in 1985 a private-sector initiative was formed called the National Committee on Fraudulent Financial Reporting (commonly known as the Treadway Commission). This Commission recommended that its organizational sponsors work together to develop guidance on internal controls. Subsequently, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed, and in conjunction with the CPA firm Coopers & Lybrand, COSO authored and published in 1992 the “Internal Control-Integrated Framework” (http://www.coso.org/publications/executive_summary_integrated_framework.htm). This framework has become the de facto standard in the accounting industry for auditing, evaluating and monitoring internal control systems.
The COSO Internal Control-Integrated Framework is now widely used by most organizations as the basis for “establishing and maintaining an adequate internal control structure and procedures for financial reporting” (15 USC § 7262) and for the assessment of control effectiveness under section 404 of Sarbanes-Oxley (http://www.pcaobus.org/About_the_PCAOB/Sarbanes_Oxley_Act_of_2002.pdf).
Federal sentencing guidelines for organizations
In 1984 Congress enacted the Sentencing Reform Act, which created a set of mandatory federal sentencing guidelines (Campbell & Bemporad 2006). As part of the Act, the United States Sentencing Commission was formed and delegated the responsibility “to provide ‘certainty’ and ‘fairness’ in sentencing, avoiding ‘unwarranted sentencing disparities’ while ‘maintaining sufficient flexibility to permit individualized sentencing when warranted by mitigating or aggravating factors’” (Campbell & Bemporad 2006).
On May 1, 1991, as an extension of the Sentencing Reform Act, the United States Sentencing Commission submitted to Congress the Federal Sentencing Guidelines for Organizations (FSGO) (http://www.ussc.gov/orgguide.htm), a set of standards that govern the sentences federal judges impose on organizations convicted of federal crimes. Enacted on November 1, 1991, the guidelines were built around the Commission’s intent to “prevent and deter organizational wrongdoing” through the design of the organizational sentencing guidelines (http://www.ussc.gov/corp/advgrp.htm). These guidelines describe the elements of an organization’s compliance and ethics program that must be considered for eligibility for a reduced sentence if convicted. In general, the FSGO require an organization to establish standards to guide its employees and agents. These standards must reflect government regulations and industry standards, and they apply to almost all types of organizations, including corporations, partnerships, unions, non-profit organizations and trusts.
In 2004, the United States Sentencing Commission voted to amend its existing organizational guidelines to make the criteria for an effective compliance and ethics program more stringent. Two major standards were identified in the amended guidelines: the need for directors and executives to take an active role in the management of the organization’s compliance and ethics program, and the importance of promoting an organizational culture that is compliant with the law and demonstrates ethical conduct. The amended guidelines outline minimum requirements for an effective compliance and ethics program (http://www.ussc.gov/2005guid/8b2_1.htm), and the amended FSGO has become synonymous with an effective compliance program.
The FCPA, Sarbanes-Oxley and the Federal Sentencing Guidelines represent just a fraction of the standards and requirements organizations need to consider today when developing and implementing their compliance programs. “Since the passage of SOX, the New York Stock Exchange (NYSE), NASDAQ, and the Public Company Accounting Oversight Board (PCAOB), have all proposed and implemented new rules relating to compliance programs” (Martin 2004). Organizations today are increasingly accountable to mandated laws, regulations and standards on a number of dimensions, which include geographical/regional considerations as well as industry and functional discipline concerns. These regulations and standards apply to a variety of financial and non-financial areas. Adding to this complexity are the “voluntary” boundaries that organizations have individually established, such as organizational commitments, values, and contractual obligations. As a result of these dynamics, organizations need to establish, at the very core of their business strategy, the capacity and the capability to effectively address the conditions mandated by these external requirements and internally generated operating principles while still meeting their business objectives.
History set the tone for increasing regulation and rising standards. Over time, organizations will need to be more proactive in anticipating and addressing these considerations while simultaneously protecting and building the enterprise. More and more organizations will need to translate, integrate and simplify these various standards and requirements into a cohesive approach.
Broadly understood, compliance is an important mechanism that supports effective governance. Compliance with regulatory requirements and the organization’s own policies is a critical component of effective risk management. Monitoring and maintaining compliance is not just a matter of keeping the regulators happy; it is one of the most important ways for an organization to maintain its ethical health, support its long-term prosperity, and preserve and promote its values.
On a more practical level, a compliance and ethics program supports the organization’s business objectives, identifies the boundaries of legal and ethical behavior, and establishes a system to alert management when the organization is getting close to (or crossing) a boundary or approaching an obstacle that prevents the achievement of a business objective.
Once an issue is detected, management must be prepared to respond quickly and appropriately to minimize the impact on the organization (and the community, as appropriate). Management should continuously improve its compliance and ethics program. This will enable it to better prevent, detect, and respond to similar misfeasance and/or malfeasance in the future.
Like any other core capability or process, the compliance and ethics program should strive to deliver tangible benefits and outcomes to the organization. Every organization is unique and has its own objectives, so several objectives of the compliance and ethics program will be unique as well. That said, there are a few universal outcomes that a compliance and ethics capability should deliver: an enhanced culture of trust, accountability and integrity; prevention of noncompliance; preparation for when (not “if”) noncompliance occurs; protection (to the extent possible) from negative consequences; detection of noncompliance; response to noncompliance; and improvement of the program so that it can better prevent, protect, prepare, detect and respond in the future.
An important aspect of a high-performing program, and one that cannot be overstated, is enhancing the culture. A strong culture provides important benefits, including a “safety net” for when formal controls are weak or absent and an open environment of trust, accountability and integrity, all of which help drive overall workforce productivity.
A well-designed compliance and ethics program is only half the picture. To succeed and to meet the challenges of constant change, increasing complexity, rapidly evolving threats and the need for continuous improvement, organizations must have the commitment of both senior management and the board, adequate authorization and funding, the appropriate tools to facilitate measurement and the rolling-up of information, comprehensive training on the measurement process, and early socialization of the approach.
The engaged involvement of key stakeholders is critical to a successful implementation or major enhancement of a compliance and ethics program; the dialogue and agreement up front, by all the major parties, regarding the objectives, goals and overall purpose of the program will be critical to the project’s eventual impact. By working together, compliance and ethics officers, executive management and the board can help ensure that a compliance and ethics program contributes not only to the improvement of the organization’s governance practices but to the success of the company’s strategy as well.
Integrate compliance and ethics - Address the “letter of the law” while promoting the “spirit of the law”. For some companies this means making a breach of company policy as serious as breaching laws, resulting in “internal” standards being as important as ‘mandatory’ standards.
Embed compliance and ethics risk management processes into the business - Organizations must systematically assess and prioritize present and emerging compliance and ethics risks. Such analysis should take into account the organization’s culture, compliance and ethics history, as well as industry issues. Business processes should incorporate compliance and ethics program needs. Boards should routinely discuss these risks, and how they are addressed, with management.
Demonstrate leadership - The board should ensure senior management consistently communicates and models the organization’s values and behavioral expectations identified in the compliance and ethics program.
Require accountability and ownership - In order to have the compliance and ethics program “make a difference”, it should foster a corporate culture that places responsibility on individuals for their actions and motivates everyone. The board and management should ensure employees have appropriate training and information and should participate in such training themselves.
Provide an open culture - Issues and problems should be, and in some cases are required by law to be, investigated and proactively managed to resolution. Unethical or illegal behavior should be addressed promptly. Employees must be required to raise and resolve violations of compliance or ethics standards. To do so, they must feel confident that they can take action without fear of retaliation. Such fears have been reduced, but not eliminated, with the introduction of the “whistleblower” protections of the Sarbanes-Oxley Act and the Canadian equivalents. The board should ask management what steps they are taking to create this open culture.
Measure performance and results - Compliance and ethics processes and results should be monitored and measured. Objective data should support evaluations that are more subjective. Evaluation results should provide the basis for continually improving the program.
There are numerous benefits and challenges to measuring the performance of a program. A well-known maxim is “what gets measured gets done.” The compliance and ethics program and capability is no different.
The Open Compliance and Ethics Group (OCEG), a non-profit organization that provides a performance framework for integrating governance, compliance, risk management and culture, has developed a Measurement and Metrics Guide (MMG) to assist in measuring and reporting on the performance of compliance and ethics programs. This measurement platform advocates that program objectives be aligned with and contribute to enterprise objectives in a tangible way. In order to achieve desired program outcomes, an organization should design processes and practices that measure the program on three key dimensions: effectiveness, efficiency and responsiveness.
Effectiveness describes the quality of a program along two dimensions: design effectiveness and operational effectiveness.
Design effectiveness describes the degree to which a system or process is logically designed to meet legal and other defined requirements. Does the system or process contain all the necessary elements to thoroughly evaluate risk? Has it been designed for maximum effectiveness? If not, what features must be added to improve the system? Design effectiveness is very much a logical test that considers all requirements, risks and boundaries and determines if the system is appropriately designed.
Operational effectiveness describes the degree to which a system or process operates as designed. If the system has been well designed, does it function correctly? Does it operate the way it was designed? If not, how must it be managed to elevate its level of operation? Operational effectiveness helps management understand if, given a strong design, the system is operating as it is intended.
The concept of efficiency captures the cost of the process or system: not simply financial efficiency (the amount of money spent) but also the cost of the human capital expended.
Financial efficiency describes the total amount of financial capital required to execute a process.
Human capital efficiency describes the type and level of individual(s) required to participate in the process. While human capital costs can be partially captured in purely financial terms, intangible opportunity costs must also be captured. In other words, if the program relies too heavily on senior executive time and focus, it may represent more than purely financial costs (salary, benefits and other overhead). An organization must also recognize the intangible cost of diverting executive time and focus from other strategic objectives such as growth, profitability, talent retention and customer loyalty.
Responsiveness should be looked at on two dimensions: the system’s ability to operate quickly, and its ability to operate flexibly in response to changing circumstances. Cycle time describes the total hours and/or total duration it takes to execute a process. Flexibility/adaptability describes the degree to which the system can integrate changes, including new requirements (e.g. a new law, rule or regulation) and/or new business units (due to merger and acquisition activity).
These changes may be internal, as managers study the results of past performance evaluations and make needed alterations, or they may be external: new regulatory environments, changing market conditions, or altered public perceptions and concerns require the organization to make adjustments. A responsive system adapts quickly to changes in the environment. It also develops a long-range perspective, foreseeing more distant changes and preparing for them.
A solid measurement system and approach should be implemented that embodies these principles: Focused on Business Objectives, Outcome-Oriented and a Simple Measurement System.
Program metrics and measurement should be tied to business objectives, helping management understand how the program contributes to overall enterprise objectives. While process and activity metrics are important, outcomes are the ultimate goal; never lose sight of this.
The measurement system and approach should be simple, cost-effective and elegant to ensure sustainability. Management should look for opportunities to gather data from existing systems rather than creating whole new systems to create data. If it costs more (both in time and capital) than it is worth, the measurement program will ultimately go away.
Senior management and the board of directors should commit to a measurement approach and ensure that a high-level executive is charged with overall accountability. This should include a commitment to the longevity of the program as it will take a few years to realize the full potential of a measurement program.
The measurement system and approach should be a positive contributor to help improve performance. It should not be used for punitive purposes.
Key metrics and indicators should be specific/simple, measurable, actionable, relevant and timely.
Balance of Leading and Lagging - Lagging indicators show how the company has done in the past (revenue growth in the past quarter; number of workplace accidents in the last year). Leading indicators are those that may predict future performance. An example is on-time delivery rate, which can lead to higher customer satisfaction ratings and, in turn, more sales to existing customers.
Indicators should provide visibility into both short-term and long-term objectives. Overemphasis on short-term objectives can stifle a company's long-term growth, by short-changing new product development. Emphasis on short-term financial results, such as quarterly profits, can lead to reduction in spending on research for new product development, or purchasing cheaper components to raise profit margins, leading to lower product quality, more product returns, complaints from customers, and loss of business.
Focus on Internal Trends before External Benchmarks - Program metrics and measurement should help management understand internal trends. Once internal trends are understood, the use of external benchmarks will be more meaningful.
The performance measurement system should be reviewed and improved on an ongoing basis. It is only by gaining experience measuring performance that the organization can really refine and improve the system.
Integrating governance, risk management and compliance (GRC) into the fabric of day-to-day business
The integration of governance, risk management, compliance and ethics helps an organization drive performance more effectively and efficiently. Governance establishes objectives and, at a high level, the boundaries inside of which the entity must operate. Risk management helps the organization identify and address potential obstacles to achieving objectives. Compliance management ensures that the boundaries are well set, and that the organization does indeed conduct business within those boundaries. A strong culture provides a safety net when formal controls and structures are weak or nonexistent while, at the same time, providing an environment that helps the workforce reach its highest level of productivity.
High performing organizations master each of these disciplines and integrate them for maximum effectiveness, efficiency and responsiveness. Integration allows an organization to use a common operational approach to address all of these requirements and it allows an organization to leverage innovation in one area across the enterprise.
A governance, risk management and compliance (GRC) management capability is the solution to addressing increasing stakeholder expectations. Solid financial results are no longer sufficient. Stakeholders are demanding more. They want to know about non-financial results and the intangibles that will ensure financial growth. They want increased reporting and transparency, and insight into an organization’s strategy, risks and operations, along with an understanding of the manner in which business is conducted. As with the quality movement of the mid-1980s to early 1990s, these stakeholder demands are becoming baseline expectations.
Compliance and ethics practices can no longer be viewed in isolation from the rest of the organization, as some function off to the side that keeps the organization out of jail. They must become part of the overall business strategy and operations, pervasive throughout the entire organization. Ultimately, taking this integrated approach will lead to better overall performance, and compliance will become less of a burden on the business.
Foreign Corrupt Practices Act
The Foreign Corrupt Practices Act of 1977 is a United States federal law known primarily for two of its main provisions, one that addresses accounting transparency requirements under the Securities Exchange Act of 1934 and another concerning bribery of foreign officials.- Provisions and scope...
, the Committee of Sponsoring Organizations, and the Federal Sentencing Guidelines
Federal Sentencing Guidelines
The Federal Sentencing Guidelines are rules that set out a uniform sentencing policy for individuals and organizations convicted of felonies and serious misdemeanors in the United States federal courts system...
.
Foreign Corrupt Practices Act
The Foreign Corrupt Practices ActForeign Corrupt Practices Act
The Foreign Corrupt Practices Act of 1977 is a United States federal law known primarily for two of its main provisions, one that addresses accounting transparency requirements under the Securities Exchange Act of 1934 and another concerning bribery of foreign officials.- Provisions and scope...
(FCPA) marked the early beginnings of compliance programs in the United States. In the mid 1970s, United States Securities and Exchange Commission
United States Securities and Exchange Commission
The U.S. Securities and Exchange Commission is a federal agency which holds primary responsibility for enforcing the federal securities laws and regulating the securities industry, the nation's stock and options exchanges, and other electronic securities markets in the United States...
(SEC) investigations discovered that a significant number of American companies participated in bribery overseas. “Over 400 U.S. Companies admitted to making questionable or illegal payments to foreign government officials, politicians and political parties.” (United States Department of Justice 2006) One of the most infamous cases of its time was the admittance by a Lockheed executive, to the Multinational Corporations Subcommittee of the Senate Foreign Relations Committee, that Lockheed
Lockheed Corporation
The Lockheed Corporation was an American aerospace company. Lockheed was founded in 1912 and later merged with Martin Marietta to form Lockheed Martin in 1995.-Origins:...
had paid bribes in the amount of $22 million to Japanese’s government officials in the course of trying to sell its aircraft. This revelation came on the heels of the U.S. Government providing Lockheed with a $250 million emergency loan guarantee (Hishikawa 2003).
In an effort to restore faith in American business, in December 1977 the Foreign Corrupt Practices Act was signed into law. This anti-bribery provision makes it “unlawful for a U.S. person, and certain foreign issuers of securities, to make a corrupt payment to a foreign official
Foreign official
Foreign official, until recently, referred to a person who held a political office in a government other than one's own. However, the term has now taken a new meaning due to roles and statuses created by legislation such as the Foreign Corrupt Practices Act . From a business perspective, the need...
for the purpose of obtaining or retaining business for or with, or directing business to, any person.” (United States Department of Justice
United States Department of Justice
The United States Department of Justice , is the United States federal executive department responsible for the enforcement of the law and administration of justice, equivalent to the justice or interior ministries of other countries.The Department is led by the Attorney General, who is nominated...
2006) The law also requires publicly traded companies “to maintain records that accurately and fairly represent the company’s transactions. Additionally, it requires these companies to have an adequate systems of internal accounting controls.” (United States Department of Justice 2006)
Following the passage of the FCPA, in 1988, the Congress became concerned that American companies were operating at a disadvantage because their foreign counterparts were, as a matter of practice, paying bribes to foreign officials and deducting those bribes as business expenses on their taxes. (United States Department of Justice 2006) Subsequently, the Executive Branch began negotiations with the Organisation for Economic Co-operation and Development
Organisation for Economic Co-operation and Development
The Organisation for Economic Co-operation and Development is an international economic organisation of 34 countries founded in 1961 to stimulate economic progress and world trade...
(OECD), a 34-member nation coalition consisting of the United States and 33 other countries, to enact legislation similar to FCPA. In 1997, the OCED signed the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions. (http://www.oecd.org/document/21/0,2340,en_2649_34859_2017813_1_1_1_1,00.html)
This regulation requires member nations to designate the payment of bribes to foreign offices as a crime and to follow the rules and regulations that govern bribery in international transactions. The U.S. ratified this convention and enacted implementing legislation in 1998. At this time, the FCPA was amendment to include territorial jurisdiction over foreign companies and nationals. A foreign company or person is now subject to the FCPA, if the company or person either directly or indirectly through agents, engages in acts which further the facilitation of corrupt payments taking place within the territory of the United States.
Committee of Sponsoring Organizations
In response to the FCPA and its requirement to implement internal control programs, in 1985 a private-sector initiative was formed called the National Committee on Fraudulent Financial Reporting (commonly known as the Treadway Commission). This Commission recommended that its organizational sponsors work together to develop guidance on internal controls. Subsequently, the Committee of Sponsoring Organizations of the Treadway CommissionCommittee of Sponsoring Organizations of the Treadway Commission
The Committee of Sponsoring Organizations of the Treadway Commission is a voluntary private-sector organization, established in the United States, dedicated to providing guidance to executive management and governance entities on critical aspects of organizational governance, business ethics,...
(COSO) was formed, and in conjunction with the CPA firm Coopers & Lybrand, COSO authored and published in 1992 the “Internal Control-Integrated Framework" (http://www.coso.org/publications/executive_summary_integrated_framework.htm). This framework has become the de facto standard in the accounting industry for auditing, evaluating and monitoring internal control systems.
The COSO Internal Control-Integrated Framework is now widely used by most organizations as the basis for “establishing and maintaining an adequate internal control structure and procedures for financial reporting” ( 15 USC § 7262) and for the assessment of control effectiveness under section 404 of Sarbanes-Oxley. (http://www.pcaobus.org/About_the_PCAOB/Sarbanes_Oxley_Act_of_2002.pdf)
Federal sentencing guidelines for organizations
In 1984 Congress enacted The Sentencing Reform Act, which created a set of mandatory federal sentencing guidelines (Campbell & Bemporad 2006). As part of the Act, the United States Sentencing CommissionUnited States Sentencing Commission
The United States Sentencing Commission is an independent agency of the judicial branch of the federal government of the United States. It is responsible for articulating the sentencing guidelines for the United States federal courts...
was formed and delegated the responsibility “to provide “certainty” and “fairness” in sentencing, avoiding “unwarranted sentencing disparities” while “maintaining sufficient flexibility to permit individualized sentencing when warranted by mitigating
Mitigating factor
A mitigating factor, in law, is any information or evidence presented to the court regarding the defendant or the circumstances of the crime that might result in reduced charges or a lesser sentence.-Death penalty in the United States:...
or aggravating factors (Campbell & Bemporad 2006).”
On May 1, 1991, as an extension of the Sentencing Reform Act, the United States Sentencing Commission submitted to Congress the Federal Sentencing Guidelines for Organizations] (FSGO) (http://www.ussc.gov/orgguide.htm), a set of standards that govern the sentences federal judges impose on organizations convicted of federal crimes. Enacted on November 1, 1991, core to the guidelines was the Commission’s intent to “prevent and deter organizational wrongdoing” through its design of the organizational sentencing guidelines (http://www.ussc.gov/corp/advgrp.htm). These guidelines describe the elements of an organization’s compliance and ethics program that are required to be considered for eligibility for a reduced sentence if convicted. In general, the FSGO require an organization to establish standards to guide its employees and agents. These standards must reflect government regulations and industry standards and apply to almost all types of organizations including corporations, partnerships, unions, non-profit organizations and trusts.
In 2004, the United States Sentencing Commission voted to amend its existing organization guidelines to make the criteria for an effective compliance and ethics program more stringent. Two major standards were identified in the amended guidelines. The amended guidelines stated the need for directors and executives to take an active role in the management of its compliance and ethics program and the importance of promoting an organizational culture that is compliant with the law and demonstrates ethical culture. The amended guidelines outline minimum requirements for an effective compliance and ethics program (http://www.ussc.gov/2005guid/8b2_1.htm) and the amended FSGO has become synonymous with an effective compliance program.
The FCPA, Sarbanes-Oxley and the Federal Sentencing Guidelines represent just a fraction of the standards and requirements organizations need to consider today when developing and implementing their compliance programs. “Since the passage of SOX, the New York Stock Exchange (NYSE), NASDAQ, and the Public Company Accounting Oversight Board (PCAOB), have all proposed and implemented new rules relating to compliance programs (Martin 2004).” Organizations today are increasingly accountable to mandated laws, regulations and standards on a number of dimensions, which include geographical/regional considerations, as well as industry and functional discipline concerns. These regulations and standards apply to a variety of financial and non-financial areas. Adding to this complexity are the “voluntary” boundaries, which organizations have individually established such as organizational commitments, values, and contractual obligations. As a result of these dynamics, organizations at the very core of their business strategy need to establish the capacity and the capability to effectively address the conditions mandated by these external requirements and internally generated operating principles while still meeting their business objectives.
History set the tone for increasing regulations and rising standards. Over time, organizations will need to be more proactive in anticipating and addressing these considerations while simultaneously protecting and building the enterprise. More and more organizations will need to translate, integrate and simplify these various standards and requirements into a cohesive approach.
Effective program design
A high-performing compliance and ethics program is best organized as an integrated capability assigned to business functions/units while managed and overseen by individuals with overall responsibility and accountability. Compliance can be a daunting challenge, but it is also an opportunity to establish and promote operational excellence throughout the entire organization and significantly improve overall operational performance. Broadly understood, compliance is an important mechanism that supports effective governance. Compliance with regulatory requirements and with the organization’s own policies is a critical component of effective risk management. Monitoring and maintaining compliance is not just a way to keep the regulators happy; it is one of the most important ways for an organization to maintain its ethical health, support its long-term prosperity, and preserve and promote its values.
On a more practical level, a compliance and ethics program supports the organization’s business objectives, identifies the boundaries of legal and ethical behavior, and establishes a system to alert management when the organization is getting close to (or crossing) a boundary or approaching an obstacle that prevents the achievement of a business objective.
Once an issue is detected, management must be prepared to respond quickly and appropriately to minimize the impact on the organization (and the community, as appropriate). Management should continuously improve its compliance and ethics program. This will enable it to better prevent, detect, and respond to similar misfeasance and/or malfeasance in the future.
Like any other core capability and/or process, the compliance and ethics program should strive to deliver tangible benefits and outcomes to the organization. Every organization is unique and has its own objectives. As such, several objectives of the compliance and ethics program will be unique as well. That said, there are a few universal program outcomes/objectives that a compliance and ethics capability should deliver. These include an enhanced culture of trust, accountability and integrity; prevention of noncompliance, preparation for when (not “if”) noncompliance occurs, protection (to the extent possible) from negative consequences, detection of noncompliance, response to noncompliance and improvement of the program to better prevent, protect, prepare, detect and respond to noncompliance.
An important aspect of a high-performing program, and one that cannot be overstated, is enhancing the culture. A strong culture provides important benefits, including a “safety net” for when formal controls are weak or absent, and an open environment of trust, accountability and integrity: all ingredients that help drive overall workforce productivity.
A well-designed compliance and ethics program is only half the picture. For the program to succeed and to meet the challenges of constant change, increasing complexity, rapidly evolving threats and the need for continuous improvement, organizations must have the commitment of both senior management and the board, adequate authorization and funding, appropriate tools to facilitate measurement and the rolling-up of information, comprehensive training on the measurement process and early socialization of the approach.
Effective program implementation
Implementation is often the most difficult aspect of any program. This is the juncture where most failure occurs. However, if executed well, it can represent the biggest opportunity for positive influence on the organization’s performance and culture. The engaged involvement of key stakeholders is critical to a successful implementation or major enhancement of a compliance and ethics program; that is, dialogue and agreement up front, by all the major parties, regarding the objectives, goals, and overall purpose of the program will be critical to the project’s eventual impact. By working together, compliance and ethics officers, executive management, and the board can help ensure that a compliance and ethics program contributes not only to the improvement of the organization’s governance practices but to the success of the company’s strategy as well.
Integrate compliance and ethics - Address the “letter of the law” while promoting the “spirit of the law”. For some companies this means making a breach of company policy as serious as breaching laws, resulting in “internal” standards being as important as “mandatory” standards.
Embed compliance and ethics risk management processes into the business - Organizations must systematically assess and prioritize present and emerging compliance and ethics risks. Such analysis should take into account the organization’s culture, compliance and ethics history, as well as industry issues. Business processes should incorporate compliance and ethics program needs. Boards should routinely discuss these risks, and how they are addressed, with management.
Demonstrate leadership - The board should ensure senior management consistently communicates and models the organization’s values and behavioral expectations identified in the compliance and ethics program.
Require accountability and ownership - In order to have the compliance and ethics program “make a difference”, it should foster a corporate culture that places responsibility on individuals for their actions and motivates everyone. The board and management should ensure employees have appropriate training and information and should participate in such training themselves.
Provide an open culture - Issues and problems should be, and in some cases are required by law to be, investigated and proactively managed to resolution. Unethical or illegal behavior should be addressed promptly. Employees must be required to raise and resolve violations of compliance or ethics standards. To do so, they must feel confident that they can take action without fear of retaliation. Such fears have been reduced, but not eliminated, with the introduction of the “whistleblower” protections of the Sarbanes-Oxley Act and the Canadian equivalents. The board should inquire of management the steps they are taking to create this open culture.
Measure performance and results - Compliance and ethics processes and results should be monitored and measured. Objective data should support evaluations that are more subjective. Evaluation results should provide the basis for continually improving the program.
Measuring program performance
By using accurate, timely data on the organization’s performance, managers know whether they are moving the entity closer to its objectives. Measuring compliance and ethics program performance helps organizations gauge their improvement and learn whether the company's tactics are contributing to the success of the company's strategy. Keeping the board informed is a critical activity, and robust performance reporting facilitates that important effort too. An organization’s compliance and ethics program should be measured like any other critical capability. There are numerous benefits and challenges to measuring the performance of a program. A well-known maxim is “what gets measured gets done.” The compliance and ethics program and capability is no different.
The Open Compliance and Ethics Group (OCEG), a non-profit organization that provides a performance framework for integrating governance, compliance, risk management and culture, has developed a Measurement and Metrics Guide (MMG) to assist in measuring and reporting on the performance of compliance and ethics programs. This measurement platform advocates that program objectives be aligned with and contribute to the enterprise objectives in a tangible way. In order to achieve desired program outcomes, an organization should design processes and practices that effectively measure the program along three key dimensions: effectiveness, efficiency and responsiveness.
Effectiveness describes the quality of a program along two dimensions: design effectiveness and operational effectiveness.
Design effectiveness describes the degree to which a system or process is logically designed to meet legal and other defined requirements. Does the system or process contain all the necessary elements to thoroughly evaluate risk? Has it been designed for maximum effectiveness? If not, what features must be added to improve the system? Design effectiveness is very much a logical test that considers all requirements, risks and boundaries and determines if the system is appropriately designed.
Operational effectiveness describes the degree to which a system or process operates as designed. If the system has been well designed, does it function correctly? Does it operate the way it was designed? If not, how must it be managed to elevate its level of operation? Operational effectiveness helps management understand if, given a strong design, the system is operating as it is intended.
The concept of efficiency captures the cost of the process or system: not simply financial efficiency (the amount of money spent) but also the cost of the human capital expended.
Financial efficiency describes the total amount of financial capital required to execute a process.
Human capital efficiency describes the type and level of individual(s) required to participate in the process. While human capital costs can be partially captured in purely financial terms, intangible opportunity costs must also be captured. In other words, if the program relies too heavily on senior executive time and focus, it may represent more than just purely financial costs (salary, benefits, and other overhead). An organization must also recognize the intangible costs of the loss of executive time and focus on other strategic objectives such as growth, profitability, talent retention, and customer loyalty.
Responsiveness should be looked at on two dimensions: the system's ability to operate quickly and its ability to operate flexibly in response to changing circumstances. Cycle time describes the total hours and/or total duration that it takes to execute a process. Flexibility/adaptability describes the degree to which the system can integrate changes, including new requirements (e.g. a new law, rule or regulation) and/or new business units (due to merger and acquisition activity).
These changes may be internal, as managers study the results of past performance evaluations and make needed alterations. Or they may be external: new regulatory environments, changing market conditions, or altered public perceptions and concerns require the organization to make adjustments. A responsive system adapts quickly to changes in the environment. It also develops a long-range perspective, foreseeing more distant changes and preparing for them.
A solid measurement system and approach should be implemented that embodies these principles: Focused on Business Objectives, Outcome-Oriented and a Simple Measurement System.
Program metrics and measurement should be tied to business objectives, helping management understand how the program contributes to overall enterprise objectives. But while process and activity metrics are important, the outcomes are the ultimate goal; never lose sight of this.
The measurement system and approach should be simple, cost-effective and elegant to ensure sustainability. Management should look for opportunities to gather data from existing systems rather than creating whole new systems to create data. If it costs more (both in time and capital) than it is worth, the measurement program will ultimately go away.
Senior management and the board of directors should commit to a measurement approach and ensure that a high-level executive is charged with overall accountability. This should include a commitment to the longevity of the program as it will take a few years to realize the full potential of a measurement program.
The measurement system and approach should be a positive contributor to help improve performance. It should not be used for punitive purposes.
Key metrics and indicators should be specific/simple, measurable, actionable, relevant and timely.
Balance of Leading and Lagging - Lagging indicators show how the company has already performed (revenue growth in the past quarter; number of workplace accidents in the last year). Leading indicators are those that may predict future performance. An example is on-time delivery rate, which can lead to higher customer satisfaction ratings and, in turn, more sales to existing customers.
Indicators should provide visibility into both short-term and long-term objectives. Overemphasis on short-term objectives can stifle a company's long-term growth, by short-changing new product development. Emphasis on short-term financial results, such as quarterly profits, can lead to reduction in spending on research for new product development, or purchasing cheaper components to raise profit margins, leading to lower product quality, more product returns, complaints from customers, and loss of business.
Focus on Internal Trends before External Benchmarks - Program metrics and measurement should help management understand internal trends. Once internal trends are understood, the use of external benchmarks will be more meaningful.
The performance measurement system should be reviewed and improved on an ongoing basis. It is only by gaining experience measuring performance that the organization can really refine and improve the system.
Future outlook for compliance and ethics programs
Organizations are exposed to governance, compliance and ethical risks daily. Coupled with the current economic, regulatory and social climate, these risks have propelled corporate governance, compliance management and integrity to a top business priority. More than ever, the business community understands the need to articulate and integrate the principles of good Governance, Risk Management, and Compliance (GRC) into the fabric of day-to-day business.
The integration of governance, risk management, compliance and ethics helps an organization drive performance more effectively and efficiently. Governance establishes objectives and, at a high level, the boundaries inside of which the entity must operate. Risk management helps the organization identify and address potential obstacles to achieving objectives. Compliance management ensures that the boundaries are well set, and that the organization does indeed conduct business within those boundaries. A strong culture provides a safety net when formal controls and structures are weak or nonexistent while, at the same time, providing an environment that helps the workforce reach its highest level of productivity.
High performing organizations master each of these disciplines and integrate them for maximum effectiveness, efficiency and responsiveness. Integration allows an organization to use a common operational approach to address all of these requirements and it allows an organization to leverage innovation in one area across the enterprise.
A Governance, Risk Management, and Compliance (GRC) management capability is the solution to addressing increasing stakeholder expectations. Solid financial results are no longer sufficient. Stakeholders are demanding more. They want to know about non-financial results and the intangibles that will ensure financial growth. They want increased reporting and transparency and insight into an organization’s strategy, risks, and operations along with an understanding of the manner in which business is conducted. As with the quality movement of the mid-1980s to early 1990s, these stakeholder demands are becoming baseline expectations.
Compliance and ethics practices can no longer be viewed in isolation from the rest of the organization, as some function off to the side that keeps an organization out of jail. They must become part of the overall business strategy and operations, pervasive throughout the entire organization. Ultimately, taking this integrated approach will lead to better overall performance, and compliance will become less of a burden on the business.
See also
- Risk management
- Corporate governance
- Business ethics
- Governance, Risk Management, and Compliance
- Legal governance, risk management, and compliance
- Society of Corporate Compliance and Ethics
- Health Care Compliance Association