Ethics and compliance has shifted rapidly from simple concerns about regulatory compliance to wide-ranging conversations about company culture, reputation, and risk. The tools that ethics and compliance teams use—program assessments, culture surveys, and the like—have largely remained either high-level or very intensive, making it difficult to pinpoint problem areas or identify solutions, or requiring such a level of resources they’re not practical. Ethisphere’s Erica Salmon Byrne lays out a framework for a new, targeted “maturity check” to help ethics teams bridge that gap.
It’s an understatement to say that the ethics and compliance field has evolved over the past 10 years. Companies’ focus has shifted radically, from simply avoiding misconduct to actively doing the right thing and creating a culture of ethics that employees are proud to uphold. At the same time, compliance and ethics teams are getting involved in a wide range of business areas—from weighing in on cybersecurity risks to considering corporate involvement in social issues. Ethics and compliance as a function has grown up, has a seat at the table, and more often than not, now reports to the CEO as well as directly to the relevant committee of the board.
This widened scope brings greater accountability for a broad spectrum of responsibilities, from regulatory compliance to addressing ethics issues that could impact corporate reputation. Today companies are held accountable for their own programs as well as those of their subsidiaries, business partners, and global divisions. Across such a wide area of accountability, the question becomes: how do you know what is really going on, and whether the ethics and compliance program is embedded into business practices everywhere?
While comprehensive program assessments—which are recommended by the DOJ every three years—provide insight into the state of every aspect of the compliance and ethics program, they are certainly not the only way to determine how a program is progressing. In some cases, companies may wish to shine a spotlight on a particular part of the business, such as during times of transition like an acquisition or before entering into a joint venture, or to have a closer look at a high-risk region or business unit.
Getting a Handle on Maturity
The U.S. Department of Justice’s recently updated guidance about evaluating corporate compliance programs reflects this shift toward focusing on how to make the right choice instead of just avoiding misconduct. It lists thought-provoking questions that provide insight into what prosecutors are looking for in a good compliance and ethics program, but it is not an answer guide. It provides little to no information about the absolute “right” way to run a corporate compliance and ethics program, instead leaving each organization to decide for themselves what their program should look like.
In light of this trend, conducting a program assessment every three years may not be enough to ensure that the compliance and ethics program is keeping up with an organization’s needs. After all, think about how much your organization changes in three years. Between these robust assessments, a more targeted “temperature check” of key program components, which we call a maturity check, can shed light on problem areas and help track the impact of program changes.
In addition to internal uses, these types of maturity checks can also be a great tool for evaluating potential joint venture partners or acquisition targets. Before partnering with a new organization, companies can ask them to undertake a brief assessment of their compliance and ethics program. This gives the acquiring company a clear picture of the state of the other company’s program, and helps to clarify the risk-ranking process. This sort of due diligence is becoming best practice for proactive companies seeking to avoid a nasty surprise after “buying a problem.”
In addition, maturity checks can help an organization monitor operations in high-risk business units or locations where the compliance and ethics program may not be uniformly implemented. These smaller parts of a company can complete a targeted questionnaire for their individual practices to understand how they measure up against the larger organization, leading companies, and applicable standards or guidance.
What to Address
We believe there are three key areas that provide the clearest indications of program maturity: program structure and resources; training and communications; and risk assessment, monitoring, and auditing.
- Program Resources: Setting Up the Right Structure: One of the most fundamental parts of any compliance and ethics program is its structure and resourcing. Does the function have appropriate seniority? Is it sufficiently staffed? The answers to these questions can provide a roadmap to creating a program that meets the needs of the organization.
- Training and Communications: Spreading the Message: Simply having a strong, well-resourced program isn’t enough. For a program to be mature, it needs to have a presence in employees’ workdays. This is where training and communications come in. Is the message about doing the right thing reaching employees in a way they can understand and apply in their work? Spot-check evaluations between major program assessments can not only help you determine this, but also suggest best practices to implement.
- Risk Assessment: Knowing and Handling Risks: A compliance and ethics program should always be looking ahead to see how the organization’s risks are changing, evolving, and developing internally. This requires strong risk assessment and monitoring practices that account for the program’s most significant risk areas and track changes in an organization’s risk profile.
Benchmarking Program Maturity
Because program maturity may not look the same for every organization, it can be difficult to know how to measure it. One of the most common ways is by benchmarking, whether against applicable standards or the practices of leading companies.
Standards such as the ISO 37001 Anti-Bribery Management Systems Requirements and the NIST Cybersecurity Framework provide a way for companies to benchmark their programs against industry-leading best practices. By evaluating your program against the requirements of these standards, you can understand how your company measures up to established guidance.
It is also worthwhile to benchmark maturity against the practices of leading companies. Ethisphere’s World’s Most Ethical Companies® data set, for example, can provide objective, actionable insights into how leading companies are innovating in the compliance and ethics field and can offer suggestions for improvement.
Program maturity may not be a finite, concrete goal, but there are concrete steps companies can take to build their programs toward maturity. To accomplish this, it’s important to have a clear idea of where your program stands and how it stacks up to written guidance and other companies. Through brief maturity spot checks, companies can gain insight into where their program stands—and how it can move forward.
About the Author:
Erica Salmon Byrne is the Executive Vice President for Ethisphere, where she has responsibility for the organization’s data and services business and works with Ethisphere’s community of clients to assess ethics and compliance programs and promote best practices across industries. Ms. Salmon Byrne also serves as the Chair of the Business Ethics Leadership Alliance; she works with the BELA community to advance the dialogue around ethics and governance, and deliver practical guidance to ethics and compliance practitioners around the globe.