The Corporate Ethics Committee: Doing the Right Thing

Recent government guidelines spell out serious consequences if your company spots a risk and does nothing. But does that mean you should go looking for trouble? Yes.

I recently found myself reviewing the revised corporate sentencing guidelines in preparation for a meeting of our corporate ethics committee. This latest framework, which went into effect Nov. 1, 2004, has two important functions: It spells out the kinds of ethics policies corporate officers should establish and enforce, and it guides judges when they weigh penalties and mitigating factors they may consider in cases of corporate wrongdoing. The bottom line: These guidelines show the ethics buck stops at the top, including our desks.

"Directors and executives now must take an active leadership role for the content and operation of compliance and ethics programs," the U.S. Sentencing Commission's statement reads in part. "Companies that seek reduced criminal fines now must demonstrate that they have identified areas of risk where criminal violations may occur, trained high-level officials as well as employees in relevant legal standards and obligations, and given their compliance officers sufficient authority and resources to carry out their responsibilities."

The commission notably adds: "If companies hope to mitigate criminal fines and penalties, they must also promote an organizational culture that encourages a commitment to compliance with the law and ethical conduct by exercising due diligence in meeting the criteria."

I work for a global financial institution that has a tradition of "doing the right thing" as a core value of our corporate culture. As the CSO, this ethical way of life and the accompanying expectations have been an incredible asset to my group's ability to add value. Like the broken window theory that has guided crime reduction efforts in so many cities, we deal with even minor policy violations, regardless of the perpetrator's status, lest ignoring them would invite more serious transgressions. Security doesn't need to push its way into investigations of wrongdoing; we are routinely invited in by legal counsel, HR, internal audit and line-of-business managers. We are valued as business partners, not as corporate cops. It's a joy to be the CSO here.

Our Ethics Are Healthy, But...

Having said that, we are cognizant of the ever-changing risk environment in which we conduct our global operations. We know our safeguards aren't bulletproof. The cost of implementing those safeguards must be balanced against the likelihood of events. Our company has more than 50,000 employees. Experience has shown that people don't always do the right thing. We have an obligation to protect our clients' and shareholders' trust.

Sometimes I think about the pluses of our ethically grounded environment, and I can't help wondering: What if my career had taken me to the failed Bank of New England, or the once-mighty Enron, or other targets of criminal investigation and reputational meltdown? I've often wondered what signs my colleagues at these organizations might have seen, then escalated to top management and been told not to worry. What must it be like to be a CSO in a company whose senior management is up to their eyeballs in fraud and cover-ups? How would I act? What would I do? We've seen the aftermath for the auditors at these places. Would there even be a security, ethics or compliance organization at a company where pervasive wrongdoing was accepted practice?

So after I've reviewed the Sentencing Commission's new guidelines, here I am, sitting at our ethics committee meeting considering their implications. The drill here is to do a quick tabletop analysis to affirm that we are on top of these issues.

The guidelines now require companies to periodically assess the risk of criminal misconduct and to take steps that address identified exposures. Top management and the board must be more personally knowledgeable and engaged in making certain that our ethics and compliance programs are really effective. The guidelines impose a further check by requiring periodic evaluations to see how effective our programs are at preventing and detecting violations of the law. Meaning: We have to perform ongoing risk assessments because if we don't and something bad happens, the court (and shareholders) will hold the board and top management responsible.

Devil's Advocate Chat

At our committee meeting, we found ourselves in an unusual position. We have become accustomed to setting the bar high when it comes to business ethics. We are used to feeling confident in our abilities to measure that we are doing the right things. Now we see this federal body establishing requirements with very serious sanctions.

We began discussing the business and legal risks of compliance with the guidelines to the letter versus compliance with the intent. What if we do a very aggressive risk analysis and find ugly things we've never seen before? What consequences might we face?

Indeed, why do we take on this risky exercise? Look at the oversight environment we find ourselves in: Sarbanes-Oxley reporting; the USA Patriot Act monitoring; crusading regulators, politicians and prosecutors seeking headlines; pressure in corporate America to install an invigorated board with more external members, all of whom are running scared of liability and not being aggressive enough; internal and external auditors making certain that every rock is turned over; the development and application of monitoring systems designed to detect unlawful conduct; employee newsletters and intranet messages re-advertising our whistle-blower hotline.

These are control-oriented times that can dull the thoughtful risk-taking that makes for business success.

The climate in the meeting room turned cloudy. We found ourselves assigning a darker cast to the internal business risks that have been at the center of our governance activities. We know there are holes in our security practices. We know that not every employee and agent can be as ethical as we would like. We know the velocity of the business masks weaknesses in our internal controls.

In addition, there are new risks associated with other business changes. We are expanding the elite group entrusted with controlling sensitive operations. We are moving high-risk jobs to vendors, including vendors in countries we know don't share our standards of care. Line-of-business managers may overlook risks or fail to alert higher-ups when they do see them. The lights must shine brighter on these vulnerabilities, and we need to raise the bar on risk oversight, even though we have to reduce the cost of our controls.

The thing about risk assessments, though, is that they always carry some risk themselves of coming back to haunt the company that failed to address the identified issues. This problem comes up around premises liability, for example. If not carefully thought through, the compliance assessments, hotlines and other documented findings outlined in the Sentencing Commission's guidelines could provide substantial grist for litigation, competitive analysis or other damaging results by revealing what you knew and what you didn't do in response.

All Together Now

Our committee reached a consensus. Management would address any shortcomings we might identify in risk assessments. Risk management, security, audit, compliance, ethics, counsel, HR and line management would all engage in risk identification. To make this work, we decided to virtually combine our security and corporate ethics committees and to maximize information-sharing and follow-up accountability with the audit committee. Corporate security has the assignment of working with internal auditors on a strategy for reporting ethical red flags. (I'm now on more board meeting agendas, rather than preparing information for the chief auditor. And I receive board-inspired suggestions for proactive risk reviews.)

Our committee felt that our investigation protocols already met the most stringent concerns of legal counsel because counsel works with HR to coordinate all internal inquiries. We were satisfied with our background investigation policies and procedures. We planned to scrub our existing business conduct policies to make sure compliance standards were at a sufficient level.

The committee identified a need to develop a new policy that top management would communicate to employees, outlining the rationale for the revised ethics and compliance program, along with key personal accountabilities, and how we are to approach risk analysis, incident reporting, training and employee awareness. We didn't want people going off on their own on risk analysis, so we knew we would have to staff this policy with key business leaders.

Training, of course, needed to go beyond the frontline employees. And while policy compliance training was always a part of our regulated environment for a large population of employees, it became a requirement for senior management, board members and outside agents. Our committee members wondered how to approach these groups. Because the training is so negatively focused, we were afraid we'd turn them off. (Can you hear the booming voices: "Why do I need to be lectured on ethics?") Our answer: "We are going to test-market a program with some senior executives and a couple of board members we know are friendly to these issues. Then we'll take it further after tweaking it from their experience."

Now, we start early with employees. A senior executive addresses all new employee orientations on our values and their role in maintaining an organization committed to ethical conduct. We plan to upgrade everyone's annual compliance training, adding specific examples of ethical dilemmas and answers to frequently asked questions. We also have a module in our management training curriculum on "Integrity as a Cornerstone of the Business," delivered by a representative of corporate security. Consistent with another guideline requirement, all employees, vendors and agents already undergo background investigations.

One off-the-record question at our meeting was: "What if we do nothing in response to these sentencing guideline revisions?" As I said, this is a very ethical organization with precisely the culture sought by the Sentencing Commission. At day's end, we couldn't look each other in the eye and know that doing nothing was doing the right thing.

Copyright © 2005 IDG Communications, Inc.