Interactions between Compliance and Ethics
Verschoor, Curtis C., Strategic Finance
This column has consistently emphasized the importance of a strong ethical climate in an organization because it enables a company to have superior ability to achieve all its objectives, including better financial performance. The most successful organizations have begun to combine their compliance and ethics efforts and even redirect the primary emphasis of their compliance efforts toward building business value through an ethical corporate culture rather than legalistic checking of the appropriate boxes.
Ernst & Young (E&Y) surveyed 95 leading companies as to how they approach the challenges of achieving compliance. The survey results describe key practices and trends, and the companies, mostly Fortune 1,000 in size, represent 12 diversified industries. The report, Corporate Regulatory Compliance Practices, highlights both common and unique practices. According to E&Y, the major focus of compliance efforts in leading-edge companies today is to build or hone a regulatory compliance program "as a means to anticipate, identify, advise on, and resolve regulatory and ethical business risks." In other words, it's the culture that makes it work, not stringent policing.
In contrast, the main emphasis of some compliance systems seems to be on how toughly the program can be run, not on its content or its major areas of concern and emphasis. A February 13 Business Week article, "The New Ethics Enforcers," discusses a new species of executive. Described as "corporate cops" in the article, these executives are high-profile former government lawyers and judges who have been tapped to police employee behaviors. Noting that "the last breed of ethics chiefs didn't stop fraud," the article provides at least one important reason: Too many ombudsmen, ethics officers, and compliance chiefs reported to superiors too low in the organization. Reporting at that level is an ineffective strategy and likely doesn't comply with the guidelines of the Ethics & Compliance Officer Association or the U.S. Sentencing Commission, which require compliance and ethics leaders to report to a high level of senior management.
More than half the respondents to the E&Y survey stated their compliance function reports to the company's general counsel, followed by 12% that report to a risk officer. Reporting to legal counsel raises the possibility that behavior could conform to the letter of legal minimums yet not be consistent with the core values of the organization. Ethical behavior will result in legal behavior, but behavior that's merely legal may not be ethical and may not conform to an organization's professed code of conduct. Interestingly, compliance with SOX 404 requires careful attention to an internal control framework such as the COSO-defined control environment. COSO asserts that the most important aspect of internal control is an organization's ethical culture or DNA.
Additional challenges reported by the E&Y survey include insufficient documentation, with 40% of the respondents reporting only partial documentation. This situation can lead to inconsistencies among business units and increased regulatory risk. A best practice noted is the explicit mapping of relevant laws, rules, and regulations to match specific operational procedures, controls, training, and support activities. …