The Risk Desk is the
sector's leading monthly on key issues relating to price, market,
and credit risk management, governance best practices, regulatory
risk, market trends and other topics of interest to trading management
and risk officers in the power and gas sectors.
Survey Says Biz Ethics, Compliance on Upswing
More Than 150 Companies From Around the Globe “Took the Pledge”
this month to adopt
Consider Ted Stevens. This month the Alaskan
senator was brought up on charges of failing to reveal some $250,000
in kickbacks from an oil services contractor on Senate disclosure
forms. The charge is both an ethical lapse and an indictment that
brought Stevens before a federal judge, but it is also the culmination
of a years-long investigation of Alaskan lawmakers who have been
openly ridiculed for their $300 million pork-barrel project nicknamed
“the bridge to nowhere.” Yet all the press coverage
centers around the fall of the Senate’s longest-serving Republican,
described as “seemingly invincible” and a political
institution in his own right.
The case is an important lesson on the intersection of ethics, compliance
and reputational risk and how tightly these diverse risk management
elements are interwoven. So it’s appropriate that Stevens’
apparent tumble comes just as LRN Risk Management Practices rolls
out its second annual survey measuring corporate success in governance,
risk management and compliance (GRC). It’s a chance for companies
to measure their peers and “assess where they are on the curve
toward mastering best practices and creating corporate-wide ethical
cultures,” the firm says.
If you’re not familiar with LRN, it’s a business ethics
and corporate compliance management firm with a very top-tier client
base (think Dow Chemical, Disney, El Paso, Pfizer, Unilever) and
offices in LA, New York, London and Mumbai. The firm emphasizes
management tools and workforce education with the idea that a “values-based”
corporate culture can drive business performance. This month the
company rolled out a brand new set of educational tools, online
and offline, that include legal and ethical training for employees
as well as leadership workshops for board members and executives.
The firm says that “from the boardroom to the break room,
companies must not only communicate their values, they must truly
engage their employees in their values and inspire them to live
them.” It’s a good line, but how are companies actually
doing at making that a reality?
Turns out they aren’t doing too badly. The survey conducted
this spring canvassed more than 450 senior risk, audit, legal, ethics
and compliance executives across a range of industries from power,
energy and oil and gas to financial services, insurance, manufacturing
and health care. Most of the firms, 87 percent, are headquartered
in the US.
The survey found that companies are increasingly integrating ethics
and compliance risk assessments into the enterprise risk management
process. Overall they’ve been improving these risk programs
through business risk assessments that encompass the entire company
and through better executive risk management training. LRN also
learned that companies with mature ethics and compliance functions
have a huge advantage, “having developed critical experience
and skills to assess risks, educate employees and minimize violations.”
The vast majority of the companies (78 percent) have had an ethics
and compliance program for more than three years – only smaller
companies with less than 2,500 employees had launched their compliance
function in the past year (about 5 percent of those surveyed).
That’s good news because, as the survey says, the world has
become a riskier place since its first survey 12 months ago, as
businesses and governments move to adapt to economic downturn, global
competition and tighter regulations. “Scandals like tainted
pet food and lead paint in toys made in China were effective reminders
about the need to manage and reduce ethics and compliance risks,
not only within organizations but also within their networks of
supplier and business partners. The meltdown of the sub-prime mortgage
sector pushed businesses across all industries to re-examine their
internal decision-making processes for these types of conflicts
of interest and long-term ethical and reputational risks,”
LRN says.
In response, the survey found that companies have an increased awareness
of the issues, are building more stringent risk management and mitigation
programs and are increasingly conducting corporation-wide “cultural
assessments.” The survey says it’s a sign that firms
are moving past textbook compliance to “recognizing that the
entire company culture is at stake.”
The major practical finding of the survey came as a surprise even
to LRN: electronic data protection topped the list of perceived
risks across all industries. LRN thought the top concern would be
anti-corruption efforts, since the Justice Department has been increasing
its scrutiny in these areas over the past couple years. But the
top reported concern was data protection, followed by data privacy
and then conflicts of interest. “These three risks far outpaced
other perceived risks including sexual harassment, environmental
safety and health issues, anti-corruption and bribery.”
But it makes sense: Corporations today are deluged with an ever-rising
tide of data in every facet of their organizations. Wed that to
new, stringent regulations about data management and data security
(such as last year’s eDiscovery Rule about archiving data
for future legal disputes), and it’s bound to push up a risk
manager’s blood pressure. New data compliance issues are blurring
the boundaries between IT and legal, so companies need to develop
comprehensive privacy and security policies, manage their internal
data usage and educate employees about how to handle the data. There’s
also the need for audits that cover everything from internal data
practices to Internet use to cross-marketing and data sharing among
affiliates and partner companies.
The survey found “encouraging” signs that companies’
GRC risk management programs are maturing. About 90 percent have
a formal ethics and compliance risk assessment and more than half
integrate that into their other risk programs. On the downside,
only about half involved the board of directors or C-suite in the
assessments. But that’s changing. The survey found that 80
percent of companies – a significant increase from last year’s
survey – now offer formal ethics and compliance training to
CEOs and senior management. This shows, LRN says, “a growing
recognition of the critical importance of developing a strong tone
from the top.”
Companies also report that they are more confident in their ability
to manage and mitigate risks, but the survey found that overall,
firms haven’t begun to invest in “holistic programs
that move their culture beyond compliance into values-based self-governance
that drives superior business performance.”
More good news: Companies are more apt to share their risk assessment
results with senior management and the board (about two-thirds in
the survey). Nearly 25 percent also share the findings with employees,
“reinforcing ethical awareness and demonstrating the company’s
commitment to fostering an ethical workplace.”
Only 40 percent have business managers actually involved in the
risk assessment process, and that’s a lost opportunity, LRN
says. “Middle management’s proximity to operations enables
them not only to have a more in-depth knowledge about where the
ethics and compliance challenges may lie but also to gain the subordinates’
trust and become the channel of choice when potential violations
are reported. Not tapping into these two key advantages of middle
management creates a critical gap in the risk assessment and detection
processes.”
If firms want supervisors to be the conduit for employees to report
violations, those managers should be involved in all steps of the
risk management cycle, the survey says. Among other things, it “could
substantially improve employees’ willingness to report violations
to managers.”
About 60 percent say lack of resources is their major challenge
in mitigating risk, but 40 percent said making risk management relevant
to employees is also a problem. The code of conduct remains the
most common risk prevention tool for employees, but online and classroom
education are growing in popularity. And that’s a good thing,
says LRN.
“The search for relevancy and engagement is critical in risk
prevention,” the survey says. “Adults pay less attention
to information that does not directly affect their jobs… Learning
resources that allow people to control their own progress, interact
with the materials and gauge their learning through self-tests have
proven to have higher impact on adults than one-dimensional lessons
that workers passively read or listen to.” Many more companies
are engaging senior management through formal education programs
as well.
The survey found that interactive games, used by about 10 percent
of companies in the survey, have become a successful way to translate
ethics and compliance issues to employees. No doubt that finding
leaves anyone over 30 rolling their eyes – and you’d
be right. In addition to the practicality of using online games
for training in an increasingly mobile and dispersed workforce,
the survey says that “companies are faced with the need to
accommodate a fast-changing workforce that includes more Millennial-generation
employees who have grown up their entire lives playing video games.
For these workers, interactive gaming is the most familiar and effective
method of getting information – and they are often far more
skilled at interactive gaming than they are at reading printed documents.”
Frightening but apparently true, and a trend we’ll no doubt
see more of in coming years.
With an increasingly global workforce, it’s also important
to have a consistent, unified ethical culture throughout an organization.
This is a considerable challenge and the survey found that multinational
corporations rate themselves lower on the accuracy and timeliness
of risk management at regional offices than at HQ. One telling hole
in the risk management process for multinationals: “The largest
combined number of companies gave their home offices the highest
ratings for timeliness and accuracy, and the largest number of companies
combined gave their regional offices the lowest ratings.”
It’s still tough for companies to detect violations. The survey
found that 50 percent of companies say employees aren’t motivated
to report violations (up from 30 percent last year) because they
fear retaliation. The other half of those surveyed “indicate
they have no significant problems in this area.”
LRN says it’s ironic that employees are increasingly reluctant
to blow the whistle even as companies put more effort into educating
them about ethics and provide a way to report violations. It said
90 percent of multinational companies have at least three methods
for reporting violations and all companies have a confidential or
anonymous channel. But the survey also found that only 20 percent
of companies emphasize the use of that confidential channel. “This
could mean that in too many companies, employees simply don’t
receive a clear message that confidentiality is valued.”
It could also mean simply that employees may be confused about what
to do as the number and complexity of regulations grow. About 30
percent of companies reported that “employees just don’t
understand the rules.”
In other words, while businesses are doing better at taking an optimized
approach to managing ethics and compliance risks, there’s
still work to be done. Companies need to “make the leap”
from an approach that reacts to events to a strategic approach that
helps all levels of the enterprise understand GRC issues. This can
make ethics and compliance risk management a competitive advantage,
LRN says.
“What is required to transform their ethics and compliance
programs from predominantly reactive, rules-based initiatives to
highly responsive, values-based programs woven into their organizational
culture? Making the transition first means ensuring they have all
the basics of a solid ethics and compliance program that contains
strong risk management procedures to meet all regulatory compliance
requirements. More important is transitioning their programs to
go beyond ‘check the box’ risk management processes
by refocusing the soul of the program onto values-inspired business
conduct,” the survey says.
“Employees must move beyond making business decisions to satisfy
regulations and rules because they are not enough. Such narrow motivation
tends to lead to frequent confusion over gray areas. Rules-based
motivation fails to inspire and engage people to be their best selves.
Companies must seek to create a business environment based on trust,
transparency and self-governing behavior, by embedding values into
the heart and minds of their employees.”
LRN says a strong control environment and a culture of corporate
ethics are crucial to effective enterprise risk management. Want
to take a quick measure of your own firm’s risk culture? Have
a look at how you’re faring on the five steps for a sustainable
compliance risk management process:
• Define business ethics and corporate compliance risks to create a comprehensive risk profile.
• Prevent ethics and compliance lapses/failures with hard and soft controls, including business ethics and corporate compliance training.
• Detect noncompliance with the law, regulations, company code of ethics and corporate governance practices via multiple reporting methods.
• Respond swiftly and publicly to allegations and potential violations.
• Evaluate results and make continuous improvements.
For more on the survey, visit www.lrn.com.