Corporate Ethics Programs and Security

Rose Shyman added an ethics program to her duties as director of global security at American Standard Cos.

Organizational integrity is a many-legged stool that more and more businesses are determined to build. The concept has taken hold in the wake of what's been perceived, with justification, as a period of swashbuckling recklessness in business behavior, and in recognition of the resulting overlay of new regulatory and compliance measures intended to drive greater business discipline.

The legs of the stool consist of clear financial controls, models for effective management and governance, corporate reputation, security, compliance, employee morale and productivity, respect for customers and other stakeholders, and an ethical framework to guide both individual and collective business behavior. Surmounting the legs are policies and processes that support all of these attributes.

Among the key success factors in any push toward organizational integrity is the creation of values statements and codes of ethical conduct: expressions of what a business believes and how it expects people to model those beliefs. Since CSOs are increasingly entangled in the machinery of organizational integrity, it's not surprising that ethics responsibilities are now becoming a part of many CSOs' roles.

To look more closely at how an ethics program operates within the purview of the security function, CSO Senior Editor Todd Datz spoke to Rose Shyman, global security director and ethics officer at American Standard. Shyman has been at American Standard since 2001. In late 2002, as the company's ethics initiative launched, she added responsibility for its administration to her other security duties.

CSO: What prompted the establishment of American Standard's ethics and integrity program?

Rose Shyman: It actually started about five years ago after [Chairman and CEO] Fred Poses joined the company. He set a goal to move the company to a new level of performance. He wanted to raise the standard in everything that we do in the organization. So he saw [creating] a common set of values and a code of conduct as a way to enhance performance. He thought [such guidelines] would take the guesswork out of decisions that affect our business. Our company was so decentralized before Fred joined; each of the businesses had their own set of values. This was a way to be under one common [framework].

An employee can use the values and code of conduct to make decisions. Some of us have to think about what the right decision is; we've given employees the tools to make those decisions. What's unique is not having the values and code, it's the way we've positioned it: that it will help us enhance our performance, that we see it as a strategic initiative.

How did ownership of the program fall to the CSO?

Our general counsel felt that our values program should not be owned by the legal department. We are striving to create an ethics culture at American Standard, one he felt the businesses should drive. As a result, the general counsel and Fred Poses appointed one of our business leaders to chair the ethics and integrity council [Craig Kissel, president of the Vehicle Controls division, Wabco], and also insisted that the security function administer the program. We felt that this was the right thing to do for our people.

What are some of the reasons it works well to have it under security?

We believe that the roles [of security and ethics] are naturally aligned. Corporate security has an inherent compliance component. Compliance is one facet of our ethics program. Security also focuses on modeling desired behaviors through awareness programs. The same is true of our ethics program's goals.

What are some of the ways of operationalizing the program?

We have approximately 65 "ethics advisers" who are represented functionally and geographically across the businesses [see "5 Steps to an Ethical Culture," this page]. These are essentially go-to folks in the field who provide guidance to employees dealing with ethical situations. We have quarterly conference calls, educational sessions where we provide the advisers with [ongoing training]. We invite subject-matter experts to attend the calls to provide education on various different topics. For example, we [recently] invited our VP/comptroller for American Standard to talk to the group about financial integrity, which is highlighted in our Code of Conduct and Ethics. We offer online ethics training as well. [The ethics advisers are] the group that helps provide guidance in all we do.

When employees call your values hotline with an ethics concern, what's the process?

[Editor's note: American Standard uses The Network as its third-party provider of hotline reporting services. The Network's Ralph Childs responded to readers' questions about compliance and ethics in the May Security Counsel column.]

An operator takes the call and asks a set of questions. You know, who they are, their title, what [line of] business they're from and so forth. In some cases [callers] want to remain anonymous, and that's fine. They present the facts of the case. We capture as much as we can within a case file. Then the case file is sent to me.

[Editor's note: Each case is given a code that allows anonymous complainants to follow up with the hotline.]

Once I receive the case, I read it, I evaluate it and I determine who within the business should investigate. Most of the cases we receive through the hotline are employee-related. These cases are sent to the senior HR business leader. Other employees copied on those e-mails [include] our chief auditor, our legal counsel and the chair of our ethics council. They have oversight, and they do all work together to investigate the case. But the person the case is sent to is primarily responsible for investigating and seeing that action steps are put in place and the case is resolved. We try to close cases within 10 business days. We then provide a response back to The Network, so that when the caller checks back to find out what has come of the case, they're able to [learn] that the case has been investigated. The employee then has the opportunity to respond to what we do: what the investigation entailed and what resolution came out of it. Once we've...taken the investigation to conclusion and to resolution, we close the case.

If an employee is unhappy with the resolution, is there an appeals process? Once a case is resolved, is that it?

In some cases, we've had, if the individual has identified themselves, we've had someone in the business call them and talk to them [about the resolution]. In other cases, once the investigation has been conducted, and we feel we've taken it to the [appropriate] level, then we just close the case.

Have you received a lot of good tips from people calling the hotline or sending e-mails?

We had a global implementation of our Drug-Free Workplace program...over this past year, and we received an anonymous tip through the hotline that one of our employees was coming to work every day under the influence of some type of substance. As a result, we forwarded it to the HR leader, and it was investigated. So going back to what we talked about earlier, how the components of security and ethics play hand-in-hand, this is one way we saw this work well. Here we had a companywide global [antidrug] initiative where our ethics hotline added value to that process.

What types of issues are raised through the program?

Employee relations, supervisor-employee types of issues. Policy issues is another big one. Discrimination is another big one. But there are others, too, such as sexual harassment, substance abuse and safety issues.

Has anything surprised you? Anything you wouldn't have predicted?

No, I can't say that there were any that surprised me at all. [In our benchmarking studies] we found that companies were quite comparable in the types of cases that [surfaced] through the hotline. I'm highlighting cases that came through the hotline, but we've also had other cases, of a conflict-of-interest or fraudulent nature, that came [to our attention in other ways], such as through our audit and legal departments, that are certainly common to any business.

What have you learned from doing this?

I've certainly learned a lot about our culture here at American Standard. I think that the work we do around security and ethics has to be trickled down within the businesses. We've found that in all the work we're doing, the support we get from business leaders, and the way in which they send those messages, is really critical. Over the years, our leaders have done a great job of sending these [ethics] messages, not only visually, through posters and wallet cards, but also walking the talk, by modeling what we expect of our business leaders.

And in terms of the process?

We're continually looking to streamline, to make [the process] better for our people and for our business. For example, putting a prioritization process in place for turnaround. So [we can identify] cases that we need to address and investigate within 24 to 48 hours [versus 10 business days]. If it's a safety-related case or a crisis that could have a high impact on the company's reputation and corporate brand, we would want to highlight it right when that e-mail is sent. And make a phone call to the right leaders to say, "This needs to be addressed immediately."

So there's a heightened level of prioritization and action that needs to take place [in] some cases. Otherwise it becomes sort of a routine, right? A case comes through, we get bogged down with e-mails. And that [crucial] e-mail might be sitting in someone's inbox. Maybe they don't see it for a day or two. It's [a matter of] putting a heightened level on a case that has to be investigated immediately.

Other thoughts?

It's not enough to provide a reporting channel; you have to understand the reporting [mechanism] in the context of why it's important. Our value statement was translated into 21 languages and made available to all of our 61,000 employees. As it relates to the security director, the way I would position it is that if you're not administering an ethics program as I am, there should be a [senior-level security representative] working very closely with audit and legal. Because the cases that come through typically have those three components: either a security or safety component, a legal component, or an audit component. And I should also add HR to that.

But the role the security director plays is absolutely essential.

Copyright © 2005 IDG Communications, Inc.