Showing posts with label effectiveness.

Wednesday, June 18, 2014

An Effective Ethics Program: It’s Really Not About You

Recently a colleague at another organization had sought my input regarding her plan to initiate a formal ethics program. Pam’s organization had grown both organically and through acquisition, and with it new and more delicate issues had arisen. As its senior human resource executive, she had begun to sense that the burgeoning and increasingly diverse employee population could no longer simply rely upon an employee handbook and online training modules to guide day-to-day ethical decision-making.

Pam had done her homework. She understood the basis for developing a comprehensive Code of Conduct; establishing a Fraud & Ethics Hotline; and senior leadership setting the “tone from the top.” But where Pam got stuck was identifying the individual who would lead the Ethics Program and provide its “face” and its “voice”.

We delved into the importance of objectivity and consistency in all program activities and all communication issuing forth from the Ethics Officer. Pam recognized that such communication will range from informal dialogue to formal drafted opinions. We weighed the advantages and disadvantages of various professional backgrounds from which she could draw forth a qualified individual. Successful Ethics Programs have been led by professionals with backgrounds as diverse as Legal, Internal Audit, Human Resources, Technology, Education, and Theology.

We agreed that the common thread of objectivity must prevail. An effective ethics leader is neither solely an advocate for the employee nor for the organization, but is instead an advocate for the shared values embodied in the organization’s Code of Conduct and associated policies. Thus, an ethics leader doesn’t bring his/her own personal opinions, viewpoints, morals, or theology to bear when reviewing a matter, but instead adheres to the organization’s documented guidelines.

Quite frankly, when an ethics leader acts in accordance with the organization’s culture of shared values, he/she will occasionally have to issue a formal opinion that will contrast with his/her own personal opinion. The outcome is about the good of the organization—not about personal preference or moral judgment. It’s not about you.

Over the course of time, this consistently objective approach will result in a library of ethics opinions that will provide predictability and precedent for leaders, employees, and successor ethics leaders to rely upon. Employee trust in the impartiality of the program will accrue through this neutral approach, further strengthening the organization’s culture of compliance.


And with that, Pam set off to recruit the ethics leader that would best represent her organization.

Monday, April 7, 2014

Compliance & Ethics Guidance: “Require” or “Recommend”?

In our capacity as Compliance & Ethics professionals, we are invited daily by business line management to provide guidance on diverse topics. Because we are managing compliance and ethics across an entire organization, each topic must be reviewed with multiple internal stakeholder interests in mind. Externally, we are subject to scrutiny by our customers, our regulators, our industry, and the press. Thus, no review is undertaken in a theoretical vacuum, nor is any resulting guidance intended to provide a one-size-fits-all solution to all similarly-situated topics. Business line management doesn’t always understand those underpinnings when receiving guidance from us.

A frequent question heard by many C&E professionals upon delivering compliance guidance or an ethics opinion is, “So, is this a requirement…or merely a recommendation?” Management attaches very different treatment to our response to that question. Requirements may entail additional cost—whether an opportunity cost of a forgone initiative or a hard cost like implementing additional information system controls. Recommendations may at first blush appear to be optional activities that can be ignored and forgotten. The seasoned C&E professional knows that she must not leave management with any ambiguity about the risks of alternative future courses of action. We only add value to our organizations when we can achieve alignment between management’s risk appetites and our own governance, risk management and control frameworks.

A little confession here…at the onset of my career as an internal auditor, I wrote my recommendations as if they were self-evident edicts born of a brilliant mind. Fortunately I was also paired with managers and mentors who were equipped to deliver humbling learning opportunities to me, for which I have been ever grateful. Those formative leaders challenged me to support my assertions with specific corporate policies, statutes, or regulations. If my assertion was one supported by a matter less well-defined, such as fair trade practices or a matter of public policy, then I was urged to develop recommendations that objectively balanced the strategic interests of the business with the external interests, so as to allow management to make fully-informed decisions. These distinctions served me well. Perhaps you can relate to this transformation from your own career path.

Today I continue to improve my craft. I take great care in drafting compliance memoranda and ethics opinions that ensure well-substantiated transparency. I employ the word “require” when I seek to guide management away from the expedient pitfalls that ultimately lead to reputational loss, fines, lawsuits, or jail time for corporate officers. I employ the word “recommend” when I seek to guide management toward actions that will improve the customer experience; enhance the value of the brand; or reduce aggregate regulatory risk. To overuse “require” when “recommend” would suffice is to invite the “Chicken Little” effect and diminish Compliance & Ethics’ effectiveness. To overuse “recommend” when “require” is truly appropriate is to dilute our own integrity as C&E professionals and ignore our fiduciary duty to our organizations.


As such, when providing compliance and ethics guidance to management, I recommend (but do not require) that we choose our words purposefully and substantiate objectively.

Monday, February 17, 2014

When Crisis Erupts: Surmount or Surrender?

“The easiest period in a crisis situation is actually the battle itself.
The most difficult is the period of indecision -- whether to fight or run away.
And the most dangerous period is the aftermath.
It is then, with all his resources spent and his guard down, that an individual must watch out for dulled reactions and faulty judgment.”  
~Richard M. Nixon, 37th President of the United States

As a Chief Compliance & Ethics Officer, you know that the eventuality of crisis striking your organization is not a matter of “if”, but only of “when.” You spend your career crafting and implementing a governance system of policies & procedures, training, monitoring, and reporting whose value will ultimately be assessed in those moments and days following the crisis. Not all systems (nor all leaders) will survive the test.

Crisis will not politely schedule an appointment with you on a lazy afternoon, but will more likely descend upon you furiously, publicly and embarrassingly at the most inopportune of moments. Crisis will arrive in the guise of a viral tweet, a regulatory inquiry, or a criminal indictment. A loyal staffer will hesitantly summon you from a meeting into the hallway to advise you of the breaking news. And so begins the moment of decision.

As Compliance leaders we have trained our entire lives to guide and protect our organizations from harm. The very same principles that we have employed to prevent and mitigate risk will come into play when we must navigate our organization, its leadership and its board through and beyond the crisis. Decisive action that engenders trust must remain at the forefront of the response.

Thus, together we must continue to:

  • Act ethically and decisively;
  • Communicate frequently and transparently; and
  • Modify practices appropriately.

Act ethically and decisively

Crisis does not represent your organization in its entirety. Your mission, your values, and your people remain fundamentally sound, even when something has gone awry. Therefore, even as you and your leadership team are undertaking an investigation and crafting a response to the statement, incident, or charge, you will continue to direct your employees to perform their day-to-day responsibilities with the accustomed level of adherence to ethics, compliance, and mission-focus. Your organization will survive the crisis, and so the continued service to your employees, clients, customers, vendors and shareholders must remain highly-functioning.

Communicate frequently and transparently

Do not compound the temporary negative impact of a crisis by shrouding the crisis in a cloak of shame and secrecy. While not proud of the event that has triggered the crisis, you remain nonetheless committed to your employees, your customers, your brand, and your mission-focus for the long run. Within that long view context, communicate quickly that leadership is:

· aware of the situation;
· taking it seriously;
· cooperating fully; and
· committed to resolving it.

Convey that future communications will follow as additional information becomes available, and adhere to that pattern, even if only limited information becomes available. Your stakeholders are better served by hearing the truth from you than by the mistrust that will take root if they begin to receive their information (accurate or misconstrued) from external sources.


Modify practices appropriately

While some crises will end with a conclusion that the crisis was merely malicious and unwarranted, often the investigation will reveal a compliance or control weakness that must be addressed by your organization. Once identified, own both the root cause and the solution, communicating the same to your stakeholders. Then set to work implementing the required changes that will ensure the situation has been appropriately addressed. If additional training is warranted, then make every effort to involve the affected employees in designing and testing the training before it is rolled out to the larger audience. Schedule subsequent time to review the modified practice and test its effectiveness, regardless of whether required to do so by a regulatory body or not.

***
Crisis will erupt. You will be called upon to act in the best interest of your organization and its stakeholders. If you have prepared yourself, your leadership team, and your board in advance of this moment, then you will pilot your organization to a brighter tomorrow with the flag flying high. Otherwise, armed only with dulled reactions and faulty judgment, you will find yourself waving the flag of surrender.

Sunday, January 26, 2014

Starving for Compliance? Bring your Risk Appetite

“If it's your job to eat a frog, it's best to do it first thing in the morning. And if it's your job to eat two frogs, it's best to eat the biggest one first.”  ~Mark Twain
 

As Audit, Compliance & Ethics professionals, it is often our job to “eat a frog,” and you likely find yourself sitting down to a banquet of frogs when crisis strikes your organization. Some of us consciously chose to enter the AC&E profession, while others with whom I’ve spoken tell me how their roles morphed into compliance functions. Either way, once we’ve accepted the responsibility to safeguard our organization’s enterprise risk management program, we must faithfully deploy an appropriate compliance framework.

You cannot simply purchase a compliance program at an online retailer, download it to your tablet, and check that task off your list. There is no one-size-fits-all compliance program that is going to align perfectly with every organization’s ERM model. The design of the compliance program begins with a studied understanding of the organization’s risk appetite. Delivering an off-the-shelf or generic compliance program to an organization without factoring in its risk appetite is like delivering a freeze-dried meal to a guest’s table without inquiring of her culinary preferences.

Risk appetite is that level of risk that an organization is prepared to willingly accept before mitigating actions are required to reduce it. Formulating the risk appetite requires the Board of Directors to consciously identify its consensus balance between the anticipated benefits of a chosen course of action and the threats that an uncertain future inevitably brings. Each area of risk may enjoy differing risk appetites. For instance, a well-capitalized organization bearing a trusted brand may be more averse regarding reputation and litigation risks, but more inclined to accept a moderate degree of financial and strategic risks. Such may be the variations found also in compliance risk appetites.

A compliance purist—if such a person exists—would trend strongly toward risk aversion. A Gordon Gekko (of Oliver Stone’s “Wall Street” fame) would trend strongly toward risk hunger. Since compliance is not generally viewed as a profit center, a typical organization’s Board of Directors will formulate a compliance risk appetite that represents its view of an appropriate balance (i.e., it expects ethical business conduct that achieves its mission). A publicly-traded company may seek to maximize shareholder value and profit, but will likely seek to avoid criminal and civil prosecution. A non-profit organization may seek to maximize its impact serving the largest number of people in a community, but will likely seek to minimize its administrative cost ratio and excessive CEO compensation.

Organizations that design, employ, and monitor compliance programs that align with the Board of Directors’ risk appetite will encounter fewer compliance failures over the long term. I am careful to point out that all organizations, no matter how well-run, will experience a compliance failure at some time. A risk appetite acknowledges that while risk may be mitigated, it generally cannot be entirely eliminated. To eliminate all risk is to forgo meaningful opportunities that competing organizations would be willing to accept, thus neutralizing your organization’s effectiveness in the space in which it competes. This fact does not apply only to for-profit companies, because non-profit organizations also compete for scarce resources and relevancy. Risk must always be recognized as a factor to be managed.

Whether you are designing a new program or enhancing an existing compliance program, you will want to ascertain your organization’s defined compliance risk appetite. Your compliance program, including training, monitoring, and Board-level reporting, must align to that risk appetite to provide appropriate risk management tools to support your organization. Finally, periodically revisit the relationship between the stated risk appetite and your program elements to ensure that you are making appropriate adjustments.

Don’t starve your compliance program. Embrace the risk appetite. Be prepared to one day confidently defend your compliance risk management program to your external auditors and prudential regulators…and enjoy that frog sooner than later.

Tuesday, November 5, 2013

Regulatory Compliance: Tear Down That Ivory Tower!

I recently ran into a Compliance colleague, “Jill”, whom I hadn’t seen in a while. As we exchanged pleasantries, Jill explained how busy she has been at her organization, to a point where she “couldn’t even get out of her office for lunch most days.” I understood her sentiment, but I challenged Jill’s premise that her most effective oversight of her Compliance Management Program was being accomplished sitting at her desk with her nose to the proverbial grindstone.

“What do you mean?” Jill inquired.

“For starters, how are you assessing the compliance culture within and across your organization?” I responded. I waited for the predictable response.

“I receive reports from each department head on a quarterly basis. I meet with those same department heads at least annually as we update our risk assessment.” And then she punctuated her response, “I always know what is going on from a Compliance perspective.”

We visited for a few more minutes before continuing on our respective journeys. I have the utmost respect for Jill, and the many colleagues with whom I’ve engaged in similar conversations over the years. But I was reminded again that day that differing viewpoints pervade our Compliance Management profession.

I liken the practice of our craft to that of a world traveler. In fact, given the international nature of Regulatory Compliance, many of us have become world travelers from time to time. But one cannot truly experience traveling the world by reading other people’s written accounts of foreign lands. Similarly, Compliance professionals cannot simply read stacks of reports, formally engage department heads once or twice annually, and conclude that they have traveled the organizational “globe”.

We’ve got to come down out of our ivory towers. In fact, we’ve got to tear down our ivory towers in the Compliance Department and never return to our old ways. Instead, let’s engage leaders at all levels across our organizations as often as possible. Informal dialogue that may occur within the context of a scheduled project meeting, or a chance meeting in the hallway, can often generate useful information that lends itself well to a holistic risk assessment.

Leaders want to tell you what concerns they are facing, and when those concerns signal regulatory compliance exposure, you have an opportunity to collaborate further toward a resolution. Internal Audit provides another natural source of regulatory compliance risk data gleaned from its expansive reach throughout your organization. Regulatory Compliance also finds a natural ally in the Information Technology Department, where governance, risk management and compliance looms large over an ever-evolving landscape. Compliance professionals grow to become trusted confederates with leaders of lines of business, Internal Audit and Information Technology.

So join me! Grab your water bottle or coffee cup, and explore your organization more freely. Engage others daily and take a more genuine interest in the regulatory compliance challenges facing your fellow leaders. Collaborate with them to develop lasting compliance solutions. Your risk assessments and resultant regulatory compliance program will flourish, producing more meaningful results for the entire organization. You won’t want to return to the ivory tower.

Wednesday, August 21, 2013

YOUR DREAM TEAM: Where Everyone is a Compliance Leader

"In looking for people to hire, you look for three qualities: integrity, intelligence, and energy. And if they don't have the first, the other two will kill you." ~ Warren Buffett

“The supreme quality for leadership is unquestionably integrity. Without it, no real success is possible, no matter whether it is on a section gang, a football field, in an army, or in an office.” ~Dwight D. Eisenhower

Who leads legal and regulatory compliance at your organization?

How many of your employees are in a compliance role?

Before you respond, consider this…every employee in my organization is in a compliance role...and is charged with being a compliance leader. We only hire compliance leaders to fill each open position throughout the organization. Sales. Operations. Human Resources. Accounting. Facilities Maintenance.

You may be wondering why an organization would engage in such a harebrained staffing strategy. (You may also be wondering how much longer such an organization could remain in business.) But hearkening back to the words of Warren Buffett and President Eisenhower above, how else could you possibly select talent?

In today’s increasingly complex international regulatory topography, no function within your organization escapes the need to develop policies, processes and training that will address compliance requirements at all employee levels. A CEO cannot simply rely upon an Internal Audit function, a Legal Department, or a Regulatory Compliance team to identify and mitigate all enterprise-wide risks.

Further, day-to-day compliance and risk management responsibility cannot fall solely upon the shoulders of department heads or supervisors. As leaders, each of you knows that there are far more events occurring of which you are unaware than those that do rise to your attention. Each of our employees—from the most senior to the newly-hired—must understand his/her vital role in preventing, identifying, reporting, and resolving the compliance issues that affect his/her respective role and department.

We must hire individuals that bring the added skill of compliance awareness. I want:

• a talented facilities maintenance employee who also appreciates the impact the EPA and OSHA have at our organization;
• a certified public accountant who also appreciates the impact that the SEC and PCAOB can have;
• a customer-focused call center agent who also appreciates the impact that the FTC and FCC can have; and so forth.

Myself, I’d rather have thousands of sets of eyes mitigating risk globally than to rely only upon my own comparatively limited viewpoint. So, let me ask those questions a different way now…

Who doesn’t lead legal and regulatory compliance at your organization, and why not?

How many of your employees aren’t in a compliance role, and why not?

Tuesday, July 30, 2013

BUILDING EFFECTIVE COMPLIANCE PROGRAMS: It Takes a Village

“No member of a crew is praised for the rugged individuality of his rowing” ~Ralph Waldo Emerson

“If everyone is moving forward together, then success takes care of itself” ~Henry Ford


I had recently been contacted by an individual who had been tapped by her organization to launch a corporate compliance program. My colleague approached me with that perennial question, “How did you build your program?...” I paused to consider my response.

Despite the mythology to which some may wish to subscribe, individuals don’t design, build or improve corporate compliance programs alone. While certainly individuals contribute significant leadership, ideas, and work product to a successful compliance program, it is truly the efforts of interconnected contributors that weave the fabric of the program.

From scoping and documenting the program charter through defining and populating a comprehensive compliance risk universe, it takes a village of invested professionals to build the program. Since a compliance program likely encompasses several lines of business and diverse operating functions spread across multiple locations, personal interaction with a variety of leaders and staff is necessary to identify, quantify, and rank risks across an organization. I don’t know about you, but I certainly have experiential limitations regarding various functions outside my areas of expertise. Without those subject matter experts, my program would be neither comprehensive nor effective.

Thus, while it would have been terribly tempting to my ego to lead my fellow professional colorfully through an anecdotal reprise of my rugged journey to locate the holy grail of corporate compliance on a lonely mountaintop, my better angels prevailed. “Katherine, I’d be pleased to share with you how we built our program, and the lessons we’ve learned…” And with that discussion, another member was added to the compliance program “village.”

Wednesday, July 3, 2013

EXPOSING MY DIRTY LAUNDRY: Responding to Ethical Incidents in Advance

“Ethics is knowing the difference between what you have a right to do and what is right to do.”
~Potter Stewart, former U.S. Supreme Court Justice

“The time is always right to do what is right.”
~Martin Luther King, Jr., U.S. civil rights leader


Today’s revelation that former Olympus Corporation Chairman Tsuyoshi Kikukawa had received a suspended sentence for his role in a $1.7 billion accounting fraud is a reminder that neither business ethics courses nor prior real-world examples have stemmed the tide of high-profile executive wrongdoing. In addition to former Olympus Executive Vice President Hisashi Mori, Hideo Yamada, the former auditing officer, also received a suspended sentence, debunking any myths that corporate audit and compliance professionals are above temptation.

Sufficient ink has been dedicated to detailing the corporate, government, and NGO ethical downfalls throughout the modern age. Fraud observes no geographical, political or industry boundaries. Ethical lapses remain pervasive and persistent, but I believe they are preventable.

What are you doing within your organization currently to acknowledge and mitigate the risks posed by executive ethical lapses?

Tone at the top is more than an email, a poster, or even a video distributed by your chief executive officer expounding the importance and benefits of maintaining an ethical culture. Real ethical leadership takes root within an organization when the board of directors and senior leadership infuse the culture with relevant actions.

· Strategic planning conferences and periodic governance meetings should include ethics discussions on the agenda.
· Tabletop exercises should be built around current ethical lapse events in your industry.
· Internal metrics should be tracked and benchmarked against other like organizations.
· Employees at all levels must be encouraged to ask questions and report observed ethical lapses in good faith without fear of retaliation.

What are you doing when a significant ethical lapse strikes from within your own organization?

At one time or another nearly every organization, be it for-profit, government agency, faith-based, etc., will need to address an ethical incident that emanates from within its own walls. More than just the fear of negative publicity or criminal prosecution should drive the organization’s response. Many a relatively minor ethical incident has morphed into fodder for bloggers and 24/7 cable news outlets simply due to senior level fumbling and obfuscation amidst embarrassing revelations.

In fact, the best time to publicly address ethical lapses within your organization is before one has emerged.

· Plan, document and test your organization’s Ethical Incident Response Plan (E-IRP).
· Educate senior leadership regarding effective and transparent communication strategy, obtaining communication training in advance where needs dictate.
· Communicate in a coordinated, transparent and timely manner both internally and externally to your organization, erring on the side of humility and candor.

Organizations are governed and led by human beings. Men and women, regardless of demographic variables across cultures, shun the humiliation and ridicule that scandal generates. Applying an objective E-IRP model in advance of ethical lapses will mitigate the risk that my dirty laundry—or yours—will hang too long on the proverbial corporate clothesline.

Tuesday, June 18, 2013

Why I Love Regulatory Examinations

“The superior man understands what is right; the inferior man understands what will sell.”
~Confucius

“Happiness does not come from doing easy work but from the afterglow of satisfaction that comes after the achievement of a difficult task that demanded our best.”
~Theodore Isaac Rubin


To this day, I enjoy going to the dentist. Almost nothing feels as good as that squeaky-clean sensation after the hygienist completes a thorough cleaning. When I was a child and others feared that periodic visit to the reclining chair, I looked forward to the cleaning, fluoride, and constructive criticism about my brushing that I received as I sat there. While not cavity-free, I have experienced far fewer than I otherwise would have.

Similarly, I’ve never experienced an unfavorable regulatory examination, though my experiences haven’t been “cavity-free.” Jokes comparing audits to root canal aside, I believe the same lessons learned in the dentist’s chair apply equally well amidst the increasingly complex regulatory landscape we face in our organizations. We each lead our organizations with our mission top of mind, but those of us who achieve the greatest success know that we must continuously improve our products/services, our processes, and our people. That is where our regulatory examinations and internal audits come into play.

But some of us have also led in organizations where government regulators were regarded by some of our colleagues as the barbarians at the gate. Those doomsayers would have us believe that examiners and auditors are the malicious brainchild of fiendish state and federal bureaucrats committed to descending our state or nation into communism. 

I’m not a fan of senseless or redundant government regulation by any means, but even Ronald Reagan retained most aspects of the federal regulatory infrastructure throughout his tenure. Judicious regulation has its rightful place in the untamed marketplace, and thus serves to balance the interests of fair-minded consumers and businesses against the carelessness of the few.

A fair-minded organization operates with a high degree of transparency and employs efficient controls and feedback mechanisms to drive improvement. While operational metrics, financial reporting, and focus groups can provide much important data, the superior organization incorporates the findings and observations of its internal auditors, external information security auditors, and state & federal government regulators into its continuous improvement mechanisms.

I have had the pleasure to speak with countless committed regulatory professionals throughout my career. Well-educated, knowledgeable about their industries, insatiably curious—these men and women have provided me and my colleagues with great insight not only into our own organizations, but have also previewed industry trends before they became regulatory mandates.

Because we were willing to listen, anticipate and prepare, we were able to adapt practices, install or modify systems, and educate our employees and customers in a manner that displayed our genuine integrity as an organization. While I’ve led at organizations that have garnered awards and praise, I am pleased not to have worked at organizations that have headlined the scandal pages.

The truth is…regulatory professionals care deeply about their respective agencies’ missions. As within our own organizations, they are also subject to the ambiguity and uncertainty that new laws, regulations, and political battles entail. Without speaking ill of a rule, regulation or politician, a forthright regulatory professional will admit when the landscape is rocky, shifting or unstable. A wise leader walks that rocky road with the regulator, listening closely, communicating openly, and seeking clarity where clarity may be had. And even when we must agree to disagree on a matter, the relationship remains strong well into the future.

A forward-leaning organization positioned to succeed well into the future expands itself atop a firm foundation built solidly into the regulatory landscape. When regulatory examinations and internal audits inevitably occur, the transparent integrity and compliant processes we employ will carry the day. Importantly, our ability to humbly accept and evaluate the findings, recommendations and observations that are shared with us (formally or informally) may well drive adaptations or improvements that our stubborn competitors will be unwilling to receive. Hubris begets truth decay.

Tuesday, April 23, 2013

COMPLIANCE & ETHICS: STAND YOUR GROUND OR STAND DOWN?

“When restraint and courtesy are added to strength, the latter becomes irresistible.”  --Mahatma Gandhi

Building upon the topic of my last article, I want to explore how you respond when called upon for your compliance or ethics perspective.
On the one hand, as the cliché goes, to him whose only tool is a hammer, every issue is a nail. At some phase of our own careers we may have found ourselves expounding first and asking critical questions later. At the very least we have encountered compliance professionals who may have operated from this viewpoint. As I recall one individual saying to me years ago, “If he didn’t want my honest opinion, then he shouldn’t have come to me for compliance advice!” At this end of the spectrum, every situation that arises, every request that is received, is met with an oft-detailed compliance laundry list that can bog down many a promising business initiative.
At the other end of the spectrum is the laissez-faire attitude toward compliance and ethics. In such an environment the duty of care is subjugated to the operational imperatives of running the business. Time is money. Rules were made to be broken. What they don’t know won’t hurt them. And so forth. Where compliance has become a reactionary repair mechanism and ethics don’t weigh into substantive decision-making, an organization will eventually find itself on a collision course with the U.S. Federal Sentencing Guidelines and other civil and criminal laws. The wise compliance and ethics professional attempts to improve this culture, but if unsuccessful may best be advised to exit amidst a noisy withdrawal.
Between the Compliance Overlord and the Compliance Pushover models described above do we find the middle ground upon which the majority of us practice our profession. As we often must confess, the black-and-white scenarios aren’t the ones we’re generally called in to decide. Management can make those clear-cut calls on their own with ease.
When management encounters the Overlord too frequently, then management will avoid consulting compliance and ethics professionals. A resulting pattern of inconsistent and self-serving decision-making increases in this environment, exposing the organization to decreased morale, employee confusion, and potential litigation.
When management encounters the Pushover too frequently, then management will only seek out compliance and ethics professionals to rubber-stamp otherwise questionable or insubstantial decisions. A resulting pattern of patchwork compliance counsel that largely misses the breadth of business line decision-making spreads in this environment, exposing the organization to rogue players, overly-confident self-assessments, and potential litigation or criminal prosecution.
In short, know when to stand your ground and know when to stand down and let management carry on.
When our organization’s compliance & ethics culture is strong, visible, and active, then management and employees know that they can rely upon us to exercise good judgment in the face of ambiguity. Your good judgment is best understood within and across your organization when exercised judiciously. When you get to know your management colleagues, truly understand their business strategies and objectives, and defer to their expertise when compliance and ethical standards are being substantially met, you will earn that reputation for wise and judicious counsel.
When you weigh in on matters sparingly and appropriately, your organization will prosper ethically in your stead.

Monday, February 11, 2013

COMPLIANCE NEVER SLEEPS

Ever so slowly a consensus appears to be emerging that the economy has been improving in the United States. Though some economic indicators, including the unemployment rate and consumer sentiment, remain stagnant, we are witnessing a rebound in private sector hiring, new construction, and equities investing. Equity is returning to homeowners and mortgage refinancing has returned. Innovation continues to flourish across industries.
And the imperative for vigilant corporate compliance programs and professionals has never been greater.
Lest you brand me a killjoy at the party of renewed American prosperity, let me encourage you to pause and reflect upon the post-recessionary periods of the past several decades.
When organizations emerge from the austerity and uncertainty of a recession, like action movie survivors emerging from a post-apocalyptic underground bunker, leaders seek to return to the familiar and comfortable patterns of pre-recession growth. We want to sell things. We want to build things. We hire people and purchase systems and tools to do both. And we want to do it quickly to make up for lost time and to satisfy pent-up consumer demand.
I propose that, as leaders, we should also pause to reflect upon the patterns and practices that led to the recession in the first place. On a microeconomic level, the organizations whose actions precipitated the recessionary events often succumbed to false notions of success built upon skewed compensation plans, short-term corporate financial results, and process or quality breakdowns. While the industries may change from financial crisis to financial crisis, the factors that string the past two decades’ mortgage banking, energy trading, and technology busts together are not very dissimilar.
So, what is the difference between the company that succumbs and the company that succeeds over the long term in the very same industry? I would conclude that it rests upon universal adherence to an unwavering compliance program. Like guardians at the gate, the joint efforts of Compliance, Audit, Security, and Ethics professionals stand firm against cultural shifts within some organizations that allow foundations to crack.
As we move beyond this most recent recession into our blossoming period of prosperity, I encourage you to take a moment to re-evaluate your investment in your organization’s compliance program. Even as you bolster production and sales efforts to meet consumer demand, bolster compliance resources within the organization.
· Publicize your Code of Conduct and Ethics Hotline.
· Revisit traditional and emerging high-risk areas of compliance and control exposure.
· Renew your leadership commitment to the truth that your corporate compliance program is a competitive advantage.
Preparing your compliance program today to withstand the inevitable recession of tomorrow will ensure long-term prosperity for your organization.

Monday, September 17, 2012

COMPLIANCE: A VALUE-ADDED SERVICE TO THE ORGANIZATION

“It’s a sign of troubled times when the concept of ‘pressure’ becomes an acceptable excuse for ethical shortcuts and moral shortcomings. Pressures are just temptations in disguise and it’s never been acceptable to give in to temptation.”  ~Michael Josephson

As a profession, we have worked diligently to shed the stereotype that long plagued us, that of being a legalistic cost-center that impeded organizational growth. [While you may not have ever personally experienced the stereotype, let me assure you that many of us have received the sarcastic “oh, here comes Audit/Compliance…”]
Like me, many of you regularly engage in projects within your organizations to provide the compliance and ethics (C&E) perspective. In some organizations, we are routinely invited to project planning sessions and kick-off meetings, remaining to consult with the project team until implementation. In other instances, we become aware of an in-process initiative that contains elements of regulatory risk and invite ourselves into the project. Either way, C&E professionals provide valuable subject matter expertise to ensure that the organizations we represent are well-grounded in compliant activities.
That being said, I was reminded recently that our work is not over. A colleague had relayed to me a situation at her organization that continues to cause dismay to C&E professionals. During a stakeholder meeting to explore system integration and replacement options, my colleague put forth a variety of system security and operational suggestions to strengthen the information security and consumer compliance framework from inception. After dismissively alluding to costs associated with these suggestions more than a few times during the meeting, the project leader looked up at my colleague and replied, “Well, we may not be able to incorporate each of these items, but—you know—sometimes you just have to go along to get along…” Apparently, the project leader even slyly winked at my colleague as this was said.
I get a little choked up as I recount my colleague’s reply, as with a spine of steel she looked back (without a wink) across the table and said, “Well, no. This organization doesn’t knowingly build non-compliance into its new initiatives, so I wouldn’t sign off without the controls in place.” When the project leader published the next version of the system requirements, each of the compliance components had been incorporated as submitted, and had been risk scored accordingly.
We are going to be asked to participate in many initiatives over the course of our C&E careers. Certainly we will always seek the most cost-effective and internally-conducive methods to achieve compliant outcomes, because we believe in our organizations and wish to help them succeed in the marketplace.
But occasionally we are going to be asked to step beyond the fiduciary responsibility with which our Board has entrusted us, and which society expects of us. It is in those moments when our fidelity to doing the right thing will supplant simply bowing to doing the popular thing. It is in that moment of fortitude and loyalty to duty that we will have added true value to our organization…

Monday, September 19, 2011

REGULATORS, AUDITORS AND EXAMINERS -- OH MY!

Q: What do you get if you cross a wild, ferocious, man-eating tiger with an internal auditor?
A: A dull tiger.


OK, by a show of hands, how many of you are excited when you receive the audit engagement letter or regulatory exam notification? Do you mark the dates on your calendar with the same enthusiasm with which you block off your two-week mid-winter Caribbean vacation?

Given what I've observed over the years, I think not. I am here to suggest that we can and should embrace those individuals entrusted with auditing and examining our Organizations--and, no, I have not lost my good sense.

I recall my days as a bank auditor, when my arrival on site appeared to suck the joy right out of the room. Mind you, in hindsight I can humbly admit that the process owners certainly knew their craft far better and more realistically than my well-studied audit manuals could have prepared me. And while I and many of my fellow auditors throughout history have long sought to conduct dispassionate audits with collegial objectivity, management frustration often bubbled just below the surface, bursting forth as certain numbered comments touched unforeseen raw nerves.

The passing of years witnessed my migration away from the internal audit function toward the risk management function via a brief passage through a regulatory agency. At each stage, I tried to bring all perspectives together into one cohesive approach to audits and regulatory exams. I do not believe that I am alone in this regard, as many Leaders more experienced than me have found themselves reconciling multiple facets of the audit/exam process throughout their careers.

What I find fascinating is how many otherwise well-balanced, seasoned Leaders bristle at the notion that they could learn from--let alone seriously consider--the noted exceptions or discussed observations during an operational audit or regulatory examination. The very same Leaders who would pay consultants handsomely to deconstruct and reorganize entire Divisions within the Organization, or who engage high-end vendors to supplant legacy technology with enterprise solutions, will balk at the suggestion that a professional committed to assuring the safety and soundness of the Organization would be any less committed to objective and sustainable improvement.

I am certainly not suggesting that we butter up, befriend or brown nose the independent auditor or government regulator charged with overseeing the thorough examination of our Organizations. I am suggesting that we, as Leaders, owe our Organizations a fiduciary duty to approach the audit/exam with an open mind and a willingness to accept that--despite our best efforts--our Teams could be performing one or more functions with greater care. Unlike the consultants and vendors we hire, our auditors and regulators are not primarily driven by a profit motive or to extract repeat business.

My first-hand experience with administering audits, especially those supported by early warning systems, was to (1) gain a better understanding of the operational processes; (2) identify remedies that had been made to previously-identified exceptions; and (3) offer best practice guidance and foreshadowing of regulatory effects that would impact the process owner's area of responsibility. Our Audit Team certainly wasn't there to one-up management or disrupt well-functioning operations.

On the Risk Management side, despite others' tendencies to view regulatory examinations as declarations of war against the various Organizations, I sought to assume the best intentions. Though it comes as a shock to some, I generally received what I had assumed: professional auditors/examiners (a) conducting objective assessments; (b) examining and documenting the sufficiency of mitigating controls; and (c) offering improvements supported either by industry best practices or foretellings of regulatory rule making. And although I had observed other Leaders come to blows in heated battle with examiners, I never found myself in that adversarial position.

We will all certainly continue to look forward to that two-week mid-winter Caribbean jaunt with much more excited anticipation than any audit or regulatory exam, but as Leaders we can certainly adopt a more collegial and consultative approach to those periodic and foreseeable occasions. You won't be disappointed.

Tuesday, August 23, 2011

GETTING TO "NO"

"Everyone must choose one of two pains: The pain of discipline or the pain of regret." ~Jim Rohn

"If a warrior is to succeed at anything, the success must come gently, with a great deal of effort but with no stress or obsession." ~Carlos Castaneda

 
I am obviously a proponent of workplace and societal effectiveness, especially when working in financial institution teams to accomplish myriad objectives that contribute to achieving the core aims of the organization. Often we are called upon to exhibit flexibility and efficiency to work effectively in those teams. And while many of us are familiar with Fisher & Ury's excellent negotiation read, GETTING TO YES, my friend, Monty Rainey, raises some interesting points in his article regarding the questionable effectiveness of Multitasking that led me to consider the alternative wisdom of "getting to no."


"Just Say No" became the popular cultural refrain in response to the epidemic of youth drug use a generation ago and remains equally important today. When faced with cataclysmic outcomes such as drug addiction, child abuse, or genocide, we may find it unquestionably simple to resoundingly say "no" to the heinous perpetrators and actions that lead to pain, suffering and death of countless individuals globally. Why, then, do so many of us lack that same resolve to say "no" when it comes to the everyday requests we find ourselves bombarded with via email, telephone, and in person?

As Stephen Covey aptly said, "(with people) if you want to save time, don't be efficient. With people, slow is fast and fast is slow." Yet, how often do we find ourselves attempting to efficiently multitask our family, household and faith life responsibilities? The internal conversation goes something like this: "Well, if I can review this proposal while helping Timmy with his Algebra homework after picking him up from hockey, then I can microwave some soup and help Betty with her science fair project that's due tomorrow once Lilly brings her home from ballet. That should leave me enough time to complete my presentation while I watch the 11 o'clock news." Did you smile knowingly, even just a little bit?

Our spouses, our children and our friends deserve the quality of our time, not simply the spectre of our harried presence. While there are admittedly differing viewpoints, as noted by Maureen Salamon (Healthday), this tendency to overschedule and multitask has even infiltrated the lives of our youth, causing varying degrees of unnecessary stress in children.

Applying that same perspective to our financial institutions and our teams, I invite you to review the outcomes you seek to achieve and I encourage you to examine the expectations and roles--both explicit and implicit--that each contributor is fulfilling to ensure that each member of the team has been assigned an appropriate share of the effort. As Leaders, we must factor into our review the cultural perceptions that each team member may have regarding priorities and imperatives, and ensure that an expectation of work-life balance is clearly communicated to everyone.

We must empower our team members to know that it is acceptable to choose to say "no" when a proposed additional task or project would impede an organizational objective of higher importance. While we must also be careful not to create the false impression that no one is expected to remain flexible when higher importance objectives arise, we should emphasize that increased efficiency and decreased error rates can be achieved when one is allowed to "Just Do It"--to focus upon the highest priorities first--instead of attempting to juggle too many multitasked items.

A confident and integrity-driven Leader knows that he can trust his team members to plan accordingly to meet or beat each milestone on the timeline. Given that trust, those same team members are better able to balance their lives outside of the organization, thus moving them personally into better alignment with their loved ones and their community. The most effective project leaders and team members I've observed are those men and women who know how to kindly say "no" and then get back to the task at hand. The strongest banks and credit unions will continue to be led by those focused Leaders.

TODAY'S QUESTION: Do members of your team continue to labor under the illusion of multitasking? What can we do as Leaders to authentically convey the effectiveness of focused attention and remove the expectation of multitasking?