In June 2020, the U.S. Department of Justice published detailed guidance, the “Evaluation of Corporate Compliance Programs” (ECCP) that made the point that programs must evolve to remain effective and avoid operating on cruise control, noting:
A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale. ECCP, p. 15.
Despite the strong hint from DOJ to avoid cruise control, E&C programs make the same five major mistakes again and again. Correcting these mistakes doesn’t require a major budget increase or onboarding a new system.
- Relying on Rules to Change Behavior
Although many companies now understand the value of values in motivating employees to do the right thing—even when not required and no one’s looking—there’s work to be done. Many programs have long, convoluted compliance policies steeped in legalese, send out punitive communications on the assumption that prospective penalties will change behavior, and use Codes of Conduct that are lists of rules without reference to real life situations employees face.
During the pandemic, organizations faced unprecedented challenges and risks to their operations and ethical culture. Those that met the challenge relied upon shared values to motivate employees and stay true to their mission. Motivating employees to pivot, adapt, and in some cases self-isolate in plants and facilities for days on end was made possible by shared values, not directives or threats of penalties for non-compliance.
- Ignoring the Power of the Positive
Many, if not all, of the E&C programs we assess and review are in organizations with sound ethical cultures and have inspiring stories about doing the right thing, recovering from compliance meltdowns, or meeting unexpected challenges. Yet few actively leverage the power of the positive in their E&C programs.
Talking candidly about risks and how to deal with them can build trust. As a case in point, 64 % of respondents in LRN’s 2022 Program Effectiveness Report said that their leadership communicated candidly about the challenges of the pandemic and 82% reported that their ethical culture emerged stronger from the COVID crisis.
These messages resonate more strongly than summaries of penalties and a long list of prohibitions. They are consistent with the 2020 DOJ ECCP focus on, “What communications have there been generally when an employee is terminated or otherwise disciplined for failure to comply with the company’s policies, procedures, and controls (e.g., anonymized descriptions of the type of misconduct that leads to discipline)?” Similarly, showcasing instances of moral courage or ethical leadership by employees can create powerful role models.
- Clogging Up the E&C Program with Legalese and Bureaucracy
Even E&C programs that focus on values in their codes of conduct or training frequently stop short of making their policies and procedures employee friendly. Programs that still cling to the old model of complex rules, regurgitation of statutes and a maze of procedures and processes aren’t doing their employees any favors and are hindering their ability to move to mobile-friendly training and program access. DOJ’s 2020 ECCP reflects this shift in approach and asks if compliance policies are searchable and employees can readily understand them.
Ease of access is equally important. During the pandemic, Dell Computer was able to move its annual compliance training and other critical features of its E&C program onto its mobile app, freeing up employees from their home computers as families struggled with remote learning and other challenges (as recounted in LRN’s 2021 E&C Program Effectiveness Report).
- Engaging in Blind Benchmarking
Although best practices in ethics and compliance can evolve by organizations benchmarking their programs to learn about innovations and shifts in approach, benchmarking can go too far and provide a false sense of security. The DOJ 2020 ECCP, as quoted above, warns against letting an E & C program become a “snapshot” frozen in time and stresses the importance of on-going risk assessments, not benchmarking, in shaping every aspect of the program.
The ECCP stresses the importance of using the organization’s unique risks to tailor its E&C program. For example, two Fortune 500 companies in the retail sector may have similar profiles in terms of employees, locations, and structure but significantly different risks if one of them is in a tight vertical market with significant potential for antitrust risks or the other is sourcing materials in areas suspected of human rights violations or trafficking. Moreover, a company with a history of compliance problems or regulatory action will need to focus on ensuring those problems do not happen again, as regulators react badly to repeat offenders. When it comes to E&C programs, one size does not fit all and your risk assessment is should serve as the program’s “north star.”
- Seats at the Right Tables
Best practice in the E&C area contemplates a critical role for the E&C program in identifying and mitigating risks and managing third parties is a high-risk area for many companies. Third-party controls designed to mitigate that risk are a key feature of many programs.
Serious gaps occur, however, in delegations of authority and procedures that relegate the E&C team to an advisory function, without authority to decide whether a third party with red flags should be on-boarded or a proposed acquisition or joint venture should proceed. Too often, the sales, marketing or operations team has final decision authority. However ethical these teams may be, they lack the expertise and knowledge to appreciate the serious risks third parties can pose in the anticorruption area in particular.
More generally, E&C has a significant role to play in Environmental, Social and Governance (ESG) programs and reporting. The “G” relates to strengthening good governance and promoting strong civil institutions, wherever an organization operates. Viewing and connecting ESG initiatives to E&C programs enhances both.