Corporate Ethics Compliance*
• Required by Federal Sentencing Guidelines, Department of Justice, the Sarbanes-Oxley Act, the U.S. Securities and Exchange Commission, the NYSE, and the Office of Inspector General: Department of Health and Human Services, and many other agencies.
• *This presentation is from Katherina Wulf’s “Ethics and Compliance Programs in Multinational Organizations”

Elements of Corporate Ethics Compliance
• Element 1: Risk Assessment
• Element 2: Corporate Culture
• Element 3: Oversight by the Board and Senior Management
• Element 4: The Ethics and Compliance Office
• Element 5: Code of Conduct
• Element 6: Receiving complaints
• Element 7: Training and Communication
• Element 8: Assessment of compliance activities
• Element 9: Incentives and discipline
• Element 10: Response to misconduct
• Element 11: Employee screening

4 Structural Elements of Ethics Compliance
• Element 1: Risk Assessment
• Element 2: Corporate Culture
• Element 3: Oversight by the Board and Senior Management
• Element 4: The Ethics and Compliance Office

Element 1: Risk Assessment
• potential exposure to criminal conduct; a broad view of the risks that could impact the organization’s reputation for ethical and legal conduct.
• Step 1: Decide whether to do it separately or as part of enterprise assessment
• Step 2: Appoint a risk management team
  – “general counsel, the chief ethics and compliance officer, legal subject matter experts, and, if necessary, business unit or functional heads such as internal audit, human resources, finance, IT, regional heads, other subject matter experts, and outside attorneys or consultants.” (Wulf)
• Step 3: Risk Identification
  – “internal and external sources of risk information, including the organization’s past audit results and litigation or claims history, the size and root causes of incidents in the organization’s industry, and major trends” (Wulf)
• Step 4: Data Gathering and Analysis
  – Gather data
    • Current risks
    • Tools to identify risk
    • Strategies to mitigate risk
    • Emerging risks
  – Analyze data
• Step 5: Risk rating
  – “the likelihood of occurrence, the severity of the risk, and the effectiveness of existing mitigation controls of the various risks. Adjustments to the rating scale may be required depending on each organization’s appetite for risk, as well as any characteristics particular to an industry or operating environment.” (Wulf)
• Step 6: Risk Communication and Information
  – “a detailed description of the risk assessment, the determined risks, and the action plan…to address, monitor, and manage” these risks. (Wulf)
  – Convey this information to senior management, and to all relevant parts of the organization.

Element 2: Corporate Culture
• Step 1: Analysis of the Existing Corporate Culture
  – “A corporate culture is made up of these shared values of different stakeholders that are reflected in their collective actions…The total sum of all the collective values and behaviors of all employees and managers is the company’s culture.”
• Step 2: Assessment of the Corporate Culture
  – Codes of conduct accord with culture
  – People aspire to go beyond mere compliance
  – Informal norms, rituals, stories, and traditions demonstrate to people what behavior is expected
  – Business objectives are “reached in a manner that is true to your values.”
  – Appropriate behavior gets rewarded/punished, perception of fairness, the leadership is willing to talk about ethics
• Step 3: Implementation of an Action Plan
  – “a shared vision of the future and a shared set of values that clarifies the organization’s intentions and gives employees purpose and meaning (is) integrated into all business operations and decisions.”
  – “the organization’s processes and systems must reflect the shared values and behaviors with appropriate consequences for those who are not willing to comply.”

Element 3: Oversight
• Step 1: Right Tone from the Top
• Step 2: Monitoring the Program’s Key Components
• Step 3: Regular Updates for Senior Management and the Board
• Step 4: A Code of Conduct for the Board of Directors

Element 4: The Ethics and Compliance Office
• Step 1: The Organizational Structure options
  – “the stand-alone structure, with the ethics and compliance office as a separate business unit.
  – the semiautonomous structure, the ethics and compliance office is administratively a component of another business unit.
  – In the centralized structure, the ethics and compliance office is responsible for the program for the entire organization.
  – the decentralized structure, in which the rather small ethics and compliance office develops the program, but each business unit then has its own ethics and compliance office that implements the program according to its own needs.”
• Step 2: Leadership Credentials and Competencies of the CECO
  – CECOs often have a background in law, auditing, human resources, or security
  – knowledgeable of the business operations and the company’s strategies and goals.
  – able to work with the board of directors, senior management and many different departments.
  – a passion for ethical conduct and compliance.
• Step 3: Professional Development and Certification
  – Be a member of a professional organization and stay current.
    • (e.g., Ethics and Compliance Officer Association, www.theecoa.org/imis15/ECOAPublic/)
• Step 4: Reporting Structure of the CECO
  – Options: CEO, Board, general counsel
• Step 5: Outsourcing the Ethics and Compliance Function
  – If the program is completely outsourced, the organization is still responsible for meeting the regulatory requirements. The company loses control over the ethics and compliance operations, but it is still liable.
• Step 6: The Relationship with Senior Management and the Board
• Step 7: Resources and Budget
  – Sufficient staffing and budget to maintain hotline, provide training, do risk assessments and audits, record keeping.
• Step 8: Ethics and Compliance Committees or Councils