Characteristics of an Effective Ethics and Compliance Culture

by Joe H. Smith

Corporate culture statements tend to possess certain common elements. There is the recognition that acquiring and holding onto the trust of customers, employees and stakeholders is of great importance. That to achieve a state of trustworthiness the company needs to conduct itself with integrity and honesty and, as a component thereof, compliance with applicable laws and regulations and internal rules is essential.

Compliance professionals have long been attuned to the importance of corporate culture. Experience has demonstrated that, for an ethics and compliance culture to be effective, it must be promoted, encourage ethical conduct, and possess a commitment to compliance with the law. The Anti-Fraud Collaboration of the Center for Audit Quality, Financial Executives International, The Institute of Internal Auditors, and the National Association of Corporate Directors have all published reports on the benefits of assessing the corporate culture. The outcomes resulting from an effectively implemented culture are clear: a safer work environment, more productive personnel and processes, and greater profitability.

Presuming there must be more to a corporate culture than a paragraph of well sounding phrases and that it should in fact help steer employees to choose to do the right thing and ensure the value system is embedded in daily work practices, how does a company go about creating a meaningful culture? The following are suggested steps to follow to breath life into an ethics and compliance culture statement.

Step 1: Values
Define the values that will shape the way a company does business, which would include such concepts as integrity, respect, diversity, safety, conscientiousness, and creativity. Depending on the nature of the enterprise, certain concepts may possess a higher priority than others. For example, a manufacturing facility might identify safety as its greatest core value.

Step 2: Code of Ethics and Conduct
This step is an outcropping from Step 1. Guidelines need to be provided about behavior and principles to govern decision-making. However, to be effective at guiding everyday work practices, specific direction needs to be provided to employees on how to apply the code to issues they are likely to encounter. Considering the qualitative nature, it is suggested that procedures be implemented to ensure all employees receive appropriate training on the code and that follow-up assessments are undertaken to obtain assurance that the employees understand it.

Step 3: Risk Assessment
To adopt a successful culture and provide for its continuity, assessing the risk to compliance and the culture statement itself should be periodically preformed. Is the culture at risk from planned or reactive changes to the organization, what impact might change in business practices pose, and could new laws or regulation affect the way the entity conducts its affairs? It is suggested that consideration be given to issues such as kickbacks, anti-bribery, asset misappropriation, and harassment.

Step 4: Policies and Procedures
The system of internal control and accompanying policy statements are an integral component of the culture. Essentially, it is through the control environment that the risks facing the company are mitigated. For example, an Anti-Money Laundering Program would be the vehicle to deter money laundering within a gaming facility. It is suggested that comprehensive training be provided to all employees on relevant policies and procedures and that interviews and testing measures be implemented to assess staff understanding.

Step 5: Awareness Training
It’s not enough to just train on policies and procedures, personnel need to acquire an awareness of relevant ethics and compliance issues, whether they originate with fellow employees, customers, or vendors. To adequately safeguard the organizational culture, staff needs sufficient understanding to recognize inconsistent behaviors.

Step 6: Inquiry and Reporting
Whether an employee, customer, or supplier, an understanding is needed of the entity’s ethics and compliance culture and an awareness of a process whereby they may ask questions or report concerns about violations of the culture statement, which might include violations of laws and regulations or company policy. Hotlines are highly recommended. Furthermore, it is suggested that a formalized investigative process be implemented that possesses the following elements:

  • Is there a prioritization method that considers the severity of the issue(s)?
  • Is there a formal protocol for deciding who investigates what?
  • Is there a formal protocol governing the performance of investigations?
  • Are investigations documented in formal reports that possess the following characteristics?
    – Investigations completed within prescribed time frames.
    – Investigations are through and reach a conclusion.
    – Explanation of actions taken, or not taken, because of the issues raised.
    – Management approval of actions taken, inclusive of possible external consultation.
    – If possible, callers made aware of investigation results.

Step 7: Communication
Having a communication plan that increases awareness and reminds employees that ethics and compliance is important cannot be overstated. All audiences need to be engaged via a variety of media. The following is suggested:

  • Communication of the ethics and compliance culture through the company website.
  • Senior management blogs setting the tone at the top about ethics.
  • Incorporate info about the culture in the company newsletter.
  • Prominently displayed ethics posters in areas such as employee breakrooms or cafeteria.
  • Ensure culture statement is distributed in all native languages of staff.

Step 8: Program Evaluations
At periodic intervals, it is suggested that the effectiveness of the culture statement to influence daily activities be evaluated, whether it be performed by an external party or the internal auditors. Employee surveys and focus groups are excellent measures to assess the relevance of the ethics and compliance culture.

Step 9: Leadership
Fundamental to the culture’s success is a strong commitment from management demonstrating its importance. By far, this step is the most important. Some of the ways this can be accomplished are as follows:

  • Key management personnel formalizing their commitment to the highest level of ethical conduct.
  • Compliance officer reporting directly to the board of directors.
  • Forming a compliance committee charged with overseeing the culture statement’s implementation.

The larger the organization, the more detached frontline staff will be from the executive suites. Consequently, it is crucial that the tone at the top echo down through the ranks of management; thereby, ensuring that the actions and behaviors of management will set the standard for all to follow.

In summation, to be effective, responsibility for the ethics and compliance culture must be shared by all employees. Adopting a culture that everyone can believe in will help to ensure internal rules function as intended and are not circumvented by lax ethical standards.

Joe H. Smith, CPA, CFE, CFF, CGAP, is a Senior Consultant for REDW, LLC and Commissioner for the Picayune Rancheria of the Chukchansi Indians Tribal Gaming Commission. He can be reached by calling (503) 314-2009 or email [email protected].