Monday, September 17, 2012

COMPLIANCE: A VALUE-ADDED SERVICE TO THE ORGANIZATION

“It’s a sign of troubled times when the concept of ‘pressure’ becomes an acceptable excuse for ethical shortcuts and moral shortcomings. Pressures are just temptations in disguise and it’s never been acceptable to give in to temptation.”  ~Michael Josephson

As a profession, we have worked diligently to shed the stereotype that long plagued us, that of being a legalistic cost center that impeded organizational growth. [While you may not have ever personally experienced the stereotype, let me assure you that many of us have received the sarcastic “oh, here comes Audit/Compliance…”]
Like me, many of you regularly engage in projects within your organizations to provide the compliance and ethics (C&E) perspective. In some organizations, we are routinely invited to project planning sessions and kick-off meetings, remaining to consult with the project team until implementation. In other instances, we become aware of an in-process initiative that contains elements of regulatory risk and invite ourselves into the project. Either way, C&E professionals provide valuable subject matter expertise to ensure that the organizations we represent are well-grounded in compliant activities.
That being said, I was reminded recently that our work is not over. A colleague had relayed to me a situation at her organization that continues to cause dismay to C&E professionals. During a stakeholder meeting to explore system integration and replacement options, my colleague put forth a variety of system security and operational suggestions to strengthen the information security and consumer compliance framework from inception. After dismissively alluding to costs associated with these suggestions more than a few times during the meeting, the project leader looked up at my colleague and replied, “Well, we may not be able to incorporate each of these items, but—you know—sometimes you just have to go along to get along…” Apparently, the project leader even slyly winked at my colleague as this was said.
I get a little choked up as I recount my colleague’s reply, as with a spine of steel she looked back (without a wink) across the table and said, “Well, no. This organization doesn’t knowingly build non-compliance into its new initiatives, so I wouldn’t sign off without the controls in place.” When the project leader published the next version of the system requirements, each of the compliance components had been incorporated as submitted, and had been risk scored accordingly.
We are going to be asked to participate in many initiatives over the course of our C&E careers. Certainly we will always seek the most cost-effective and internally-conducive methods to achieve compliant outcomes, because we believe in our organizations and wish to help them succeed in the marketplace.
But occasionally we are going to be asked to step beyond the fiduciary responsibility with which our Board has entrusted us, and which society expects of us. It is in those moments when our fidelity to doing the right thing will supplant simply bowing to doing the popular thing. It is in that moment of fortitude and loyalty to duty that we will have added true value to our organization…