
Ethics and Compliance Programs: What It Means to Comply

The Network's Ralph Childs answers readers' questions about compliance, ethics and best practices for educating management and employees.

May 01, 2005 CSO — Childs founded The Network in Atlanta in 1982. A former FBI special agent, he was running a security consulting firm and realized that his clients needed help with core issues such as employee theft. Childs is a member of ASIS International and the Society of Former Special Agents of the FBI. He is also an associate member of the Association of Certified Fraud Examiners.

Q: What's changed in compliance?

A: The biggest change is that compliance has been transformed from a good idea to a mandate. In the wake of devastating corporate scandals, governance has taken center stage. Publicly traded companies have been forced to protect investors from fraud or face stiff penalties. For example, executives found guilty of retaliation against a whistleblower under Sarbanes-Oxley face substantial fines and up to 10 years in prison.

Many private organizations are adopting practices similar to those required for public companies. Certain industries, notably higher education, have been proactively adopting best practices surrounding workplace ethics.

The increased focus on ethical behavior offers security professionals an opportunity to improve detection and prevention of many illegal and unethical activities. Given the spectrum of issues facing any organization, it makes sense to train all employees about ethics.

Q: What role does security play in an organization?

A: Security is a critical team member in helping an organization develop processes that will not only assist with compliance but will also minimize risk. Security professionals offer knowledge and expertise that should be influencing employee communication and training regarding illegal and unethical behavior.

Q: Where do you see security and compliance merging?

A: Every organization faces risk from many angles. Traditionally security has attempted to prevent and detect some of the most damaging activities, while compliance managed and documented employee awareness of behaviors outlined in the code of conduct. Introducing compliance as a factor in areas like insider trading and illegal loans to executives has blurred the lines. Issues that were traditionally seen as security-related and those that were viewed as compliance-related are now often the same issues. Ideally compliance and security are working hand in hand to develop strong processes and communication that help the organization to both comply with regulations and stop the cycle of unethical behavior.

Q: The changes to the federal sentencing guidelines say that all levels of management need to be trained about ethics. If you have a decentralized management team, what is an efficient way to do this?

A: When communicating with a decentralized management team, you should be thinking in terms of both education and documentation. You need to develop communication tools that describe the behaviors that are encouraged as well as those behaviors that are not condoned. Information should be disseminated to all employees through a variety of venues and tools, such as in town hall meetings and on intranet sites.

Ralph Childs
