Boards of Directors are now taking an active role in shaping reality scenarios of their responsibilities in relation to their Governance, Risk management, Compliance and IT-Security (GRC) (Part 3/3)
EU directives and local regulatory compliance enforcement have now developed a clear plan for how a Board should fulfill its transparency, ethics and accountability (TEA) compliance responsibilities: by providing reasonable oversight, by developing an organization of culture and integrity, by receiving and providing adequate training relevant to roles and responsibilities, and by giving proper and direct access to ethics officers and committees. In short, the board must encourage the entire palette of GRC enforcement across the organisation.
After years of globalization, companies are dependent on complex, multi-level supply chains and distribution networks that span the globe. At the same time, the public – including investors, but also employees and consumers – is increasingly demanding transparency and corporate social responsibility throughout the manufacturing and distribution process. The result is that companies face reputational harm from revelations of abuses and lapses in the supply chain, even though they may have limited knowledge of or control over their far-flung business partners.
In this paper, we will explore each of the four Board responsibilities outlined in the U.S. Sentencing Guidelines with respect to ethics and compliance programs:
As part of the Board's oversight role, it must ensure that the company's ethics and compliance program is fully equipped to address challenges. To accomplish this, the Board must see to it that the program has the right people in place, the right resources to draw from, and the right support from both management and the Board.
First, the full Board should have knowledge and oversight of the company's key risk areas. In addition, the full Board should have knowledge of the ethics and compliance program, and a committee should be delegated oversight responsibility for the program.
- Is the Board of Directors knowledgeable about the content and operation of the ethics program?
- Does the Board exercise reasonable oversight of the implementation and effectiveness of the Program and the organization's culture?
- Does the organization have a high-level person and a person with day-to-day responsibility assigned to manage the program? Is there a defined relationship to the Board of Directors?
A lack of accountability
The ethics officer should ask the Board what its members see as the company's weak links and what the Board is doing to set the cultural tone. If successful, the Board will in turn ask the ethics officer what she views as the company's main cultural risks and why. The Board should also discuss how the organizational culture is perceived by various stakeholders, how to support the culture through language and branding, and what tools to use to shape the culture.
First, stakeholder perceptions can be gathered in a variety of ways. Employee feedback can be collected from surveys, focus groups, and message boards. Their perceptions are also reflected in the types of issues and concerns collected by a company's whistleblower hotline and through its HR processes. Surveys, focus groups, and social media can also be used to collect and analyze the perceptions of customers and suppliers.
PROMOTING AN ORGANIZATIONAL CULTURE THAT ENCOURAGES ETHICAL CONDUCT
While organizational culture may feel like an amorphous blob of a term to some, the power of a company's culture should not be underestimated. When a rule, policy or a code conflicts with an organization's culture, it is culture that prevails almost every time. Therefore, in order to have an effective ethics and compliance program, a company needs to pay as much attention to culture as to policies, training, auditing, etc.
That being said, some Board members may still cringe at the word culture, so it is useful to draw on concrete examples when discussing it. To illustrate, the answers to the following questions all reflect a company's culture:
• Will employees take personal responsibility to address issues or is it the job of somebody else?
• Will employees speak up if they see questionable business conduct?
• What happens to great performers who violate the Code?
Cultural weak links differ from organization to organization, and it is important to identify them with the Board. The most common weak links include:
• A lack of understanding of rules, roles, and responsibilities
• A pervasive feeling that employees are not respected
• Widespread conflicts of interest, typically involving employees acting solely out of self-interest
• A prevalent attitude that making numbers is everything
• A feeling that dissent is unwelcome and there is minimal upward communications
In 2012, corporate fraud prosecutions resulted in a 91% conviction rate.
What's more, antitrust/competition prosecutions are on the rise; product safety and quality issues are increasingly viewed as ethics and compliance issues; and business partners and supply chains are under scrutiny with such laws as the California Transparency in Supply Chains Act.
Reasonable oversight
How does one define reasonable oversight? The goal is to actively engage all Board members in the oversight process without turning them into micromanagers. When NAVEX Global conducts Program Effectiveness Assessments, we ask the following questions:
• Is the Board (or a committee thereof) accessible to individuals with day-to-day responsibility, including meeting with them in executive session?
• Does the Board (or a committee thereof) receive timely reports of significant issues and investigations involving the company or any elected officers?
Importantly, the Board should also lead by example and ensure accountability. This means Board members should practice the company's values and meet its compliance requirements. It also means ensuring that senior management is held accountable to the same standards as all other employees.
Finally, the Board should take an active role in shaping the big picture of ethics and compliance in the company.
It should provide long-term perspective, acting as a compass in a 'glocalized' world.
And of course, the Board should be ever mindful of the reputation of the organization. As such, the Board should help set the tone in the company and support a culture of integrity, which leads directly into our next topic.
RECEIVING EFFECTIVE AND ROLE-RELEVANT TRAINING
Even as the Schools are an important tool for shaping organizational culture as a whole, so is training essential for ensuring the Board knows – and can meet – its ethics and compliance responsibilities. It is up to the ethics officer to ensure that Board training does just that. Typical elements of the training include:
• Frameworks for ethics and compliance programs (U.S. Sentencing Guidelines, global requirements, risk-based)
• Specific compliance and ethics environment and risks to the organization
• The elements of the company's compliance and ethics program and/or an assessment of the program
• The Board's oversight responsibilities
• The company's culture of integrity, its challenges and building blocks – with a focus on the Board's observations and potential areas of impact
• Cases relevant to the Board's roles and responsibilities
In particular, there should be an emphasis in the training on Board-specific risks to the company. These commonly include conflicts of interest, external relations with government and the media, personal integrity, executive accountability, and compensation (the Board's own or awards to company management).
While ethics officers sometimes assume Board members know the information already, it is important to have open and detailed discussions about the risks faced by the Board. Officers often find that Board members are not only willing but eager to discuss such topics as insider trading, unintended influence, and gifts and gratuities.
The most common mistakes ethics officers make in their discussions with the Board include:
- Showing too much deference to the authority of the Board
- Presenting irrelevant information
- Not providing context for the information being presented
- Focusing too narrowly on the Sentencing Guidelines
- Acting as status reporters rather than strategic business thinkers
- Failing to prioritize risks/concerns
Communications with the Board should not be one-way transmissions of information from the ethics officer to the Board members. The Board should ask questions, too, and if they are not asking the following ones, the ethics officer should cover them proactively:
- Do leaders set the right tone? How are they perceived by employees?
- Do we have a 'make plan at all costs' culture? Is candor rewarded or punished? How much fear of retaliation is there?
- How are we at discipline? Are top performers and high-level people held accountable to the Code of Conduct in the same way as other employees?
- Are there any risks that aren't being addressed as they should be?
- Do you have the resources you need to do your job appropriately? Do you feel you have access to the CEO and us whenever you need it?
- What trends in issue types or company locations are you seeing?
- Is there anything I should know? What keeps you up at night?
Gone are the days when Boards of Directors could fill their seats with honorary members who had little knowledge of and took little part in the ethics and compliance efforts of the organization.
What is the net effect on the Board? CEOs and Board members are increasingly under the microscope – and under pressure to uphold both compliance and ethics oversight and company leadership responsibilities.
Source: Four Key Board Responsibilities for Monitoring Risk and Compliance. Navex Global is one of the sponsors of the 7th annual GRC Summit