1. Defining Compliance and Ethics
(a) To have an effective compliance and ethics program, [ ] an organization shall—
(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
—U.S. Sentencing Guidelines Manual § 8B2.1 (Nov. 2006)
The Federal Sentencing Guidelines, as revised, make specific reference to the need to promote a culture that “encourages ethical conduct” and a “commitment to compliance with the law.”
For today’s ethics and compliance professionals, understanding the distinctions between “ethics” and “compliance” is not an academic exercise. “Ethics” and “compliance” are used together so often that the terms may seem interchangeable. But understanding how “ethics” and “compliance” differ and complement each other will help ensure that your program is even more effective.
While the definitions of “ethics” vary, for many in the business ethics field, “ethics” is often synonymous with the training and code of conduct aspects of an overall compliance program. “Ethics” has been the term used to deal with the employee-related education and preventative aspects of the program as opposed to the investigatory and post-violation aspects of the program. Training on code standards is often called “ethics training.” As a practical matter, “ethics” is often presented as a higher moral standard or value, sometimes reduced to aphorisms such as “do the right thing,” or thumbnail tests such as “how would you feel if your actions were recounted in today’s newspaper?”
However, the problem with seeing ethics so conceptually is that it fails to take advantage of how ethics can support an overall compliance program.
Here is one way to look at how ethics and compliance can support each other.
Have you ever thought about why the speed limit on your local highway is what it is? Whether it’s 55, 65 or 70 MPH, a local “compliance” officer, in consultation with “business” stakeholders, developed a policy regarding public safety that involved setting a speed limit and a protocol for enforcement as well as discipline for violations. Different stakeholders came together to determine what the standard should be as well as what to do about those who violate it. Sounds like a strong compliance program. But compliance is more complicated than ever. Compliance management is a complex responsibility requiring measurement and reporting against a dynamic and seemingly endless array of rules, agreements, standards, regulations, and legislation. Each area of compliance comes with its own requirements, and in many cases requires extensive knowledge of esoteric technical subject matter and a detailed database for the elements of compliance requirements, measurement, and reporting. In many organizations, compliance management has developed and remained as a series of silos, each meeting its own needs but not coordinated across organizational levels. This tendency to “silo” often results in duplication of planning effort, redundant reporting systems and misplaced priorities, and can waste the scarcest resource in business: management attention.
What happens in many organizations is that it is so challenging to just implement standards and enforce them, there is little attention paid to whether employees will actually follow them. And even less attention is paid to why employees would violate the standards in the first place.
Even the most dedicated compliance professional has violated the stated “standard” of a speed limit now and then. From our own personal experience we know quite well that merely posting a standard, whether it’s a speed limit or a gifts limit, in and of itself does not ensure compliance. So how do we get people to follow the rules? Or, more importantly, how do we get people to want to follow the rules?
Certainly one way to ensure compliance with the speed limit is to enact severe penalties for violations as well as dedicate significant resources for enforcement. While these actions will certainly send the message that the “organization” is serious about the rules, there are problems with only having a “stick” with the proverbial carrot. One is of course the economic cost of placing more “compliance” police officers in the field. Also, as we will discuss in a moment, there is a cost to our employees in terms of personal responsibility when they feel so heavily controlled.
But wouldn’t it be great if everyone respected the standards in the organization (and society as well) because every individual knew that following the standards would make the organization a better place to work as well as being more efficient and effective?
That’s where “ethics” comes in to support the compliance standards.
A common definition of “ethics” is: “the rules of conduct recognized in respect to a particular class of human actions or a particular group, culture, etc.” Note that the definition is NOT necessarily the stated rules of the group; i.e., the desired conduct by leaders. It’s that actual people act and make decisions, the social norms of behavior that govern day-to-day interactions. Closing the gap between the desired state and what people actually do is the goal of a successful ethics and compliance program.
If compliance is the articulation of the expected standards of behavior (the “what”), then ethics is the means by which the organization comes to comply, or not, with those standards (the “how”).
Why do we need to focus on both?
A company cannot achieve compliance without first addressing the behavioral issues in its culture that impact the ability, and the desire, to follow the rules. The companies that maintain the lowest risk of misconduct have created an environment where employees seek compliance as the most productive way to do their jobs. These companies have created an environment where values such as predictability, accountability and candor are embedded in the culture.
In her breakthrough Harvard Business Review article in 1994 , Professor Lynn Sharp Paine stated the case for a values-based approach to ethics and compliance:
A firm using a compliance-based program focuses its efforts on deterrence through threat of detection and punishment for violations of the law or the code of conduct. A firm using an integrity-based approach, on the other hand, focuses its efforts on establishing legitimacy with employees through internally developed organizational values and self-governance.
In a successful ethics and compliance program, the “what” and the “how” need to each be seen as core components that must meet the organization’s highest standards.
For the compliance aspects to be successful, the organization must first determine which standards are essential to meet regulatory and other criteria. Most organizations have many policies and procedures that are in need of updating and revisions. One of the more common breakdowns in the level of respect for standards on the part of employees is the perception that the standards are not tailored to the real-world work conditions that they face. In many organizations, employees are asked to follow policies and procedures that are outdated or so broadly construed that it hampers legitimate business activity. When this happens employees lose respect for the standards and begin on the slippery slope of self-defining which rules they will follow.
In the same vein, ensuring compliance through draconian enforcement can also backfire. Enforcing rules that are contrary to employees’ perceptions of what is logical or even fair will only work in the short-term. When employees feel too restricted from making their own judgments about right and wrong, they tend to become disengaged. The risk of disengagement is that employees will stop asking questions about how to solve a problem within the parameters of the standards and may become passive. Businesses need people who are thinking about new ways of doing business while following the rules. In today’s economy, businesses often don’t need people who become passive and will not pursue new lines of inquiry because of a perception that it’s too difficult to ask questions and break new ground.
Instead, most businesses want their employees to be self-motivated people who take personal responsibility for their actions. Leaders want their people to see code standards as a social contract of sorts, the rules of the workplace that create predictable behavior norms to allow everyone to focus on their work.
So how do we get people to want to follow the rules? How do we get employees to make “ethical” decisions, even in the face of pressure? This requires a further look into human nature.
The most current research in social psychology and behavioral economics shows that people are not cold, rational decision-makers, always looking for the opportunity to maximize their self-interest. These conclusions are quite significant because they fly in the face of the “old-school” maxims that employees would steal if they could, and therefore employers need to watch their employees’ every move. The logic is that we would all be cheating and stealing every opportunity we could if we could safely get away with it.
The fortunate reality is that the vast majority of people are happily willing to forego some sense of their self-interest for the good of others. Whether the motivation is to maintain a positive image, or be liked by others, or even something more altruistic, most employees want to feel committed and connected to their work environment. However, when they feel that their workplace is not conducive to such feelings, people begin to turn inward and look out for themselves.
Research data collected over the years by the Ethics Resource Center bears this out. Figure 1 shows the ERC’s ranking of risks from its 2007 National Business Ethics Survey. At first glance the data would seem to confirm the old-school philosophy. Overall, the greatest risks to companies are employees who put their own interests first. However, a look at Figure 2 reveals a key insight into human nature. In organizations with strong ethical cultures, violations such as “putting one’s own interest first” are far less. When employees feel they are part of an ethical culture, they will act beyond their own self-interest.
In periodic surveys conducted by the Ethics Resource Center, research has shown that “culture has a greater impact than a formal ethics and compliance program on outcomes such as observed misconduct, reporting of misconduct, and perceived ability to handle misconduct if faced with such a situation.”
We’ve all been in situations throughout our entire lives where the social norms of the group are at odds with the expected behavior of the company, society, or even friends and family. What determines what kind of behavior is acceptable? Once it’s known what the pressures are that exacerbate this gap, what can be done to reduce the pressure and better align social norms with expected standards of behavior? This is the role of the ethics side of the ethics and compliance program.
Ethics and compliance complement one another. A successful compliance program needs to address the behavior-based influencers that will determine whether employees will follow the rules. Conversely, an ethics program not linked to specific standards of behavior runs the risk of being too abstract and vague to be integrated into day-to-day work activities. The most successful programs present a clear message to employees as to what behavior is expected of them and what has to happen to allow those standards to be adhered to in all corners of the organization.