What are your company’s objectives in establishing an ethics and compliance program? For many years, and for many organizations, meeting the normative standards has been enough. The seven steps of an effective program set out in the US Federal Sentencing Guidelines for Organizations have been the benchmark for more than 25 years.
But the seven steps are not magic beans. Despite the tremendous effort it takes to build the framework of a program, a framework alone is just the starting point. Organizations that are committed must honestly ask, how will enacting the standards effectively reduce the risk of misconduct in our organization? While few companies would say that their objective in setting up a compliance program is to “check the box,” it is increasingly clear that an effective program requires more than just establishing a compliance program that meets the seven steps of the Sentencing Guidelines.
What else is needed? What many organizations have known for years is now clearly in the sights of regulators and prosecutors: Corporate culture is a significant influencer of behavior. To have an effective compliance program, an organization must understand how its work environment influences positive and negative behavior. Ethics and its role in influencing corporate culture need to be taken quite seriously. What was once seen as a soft “nice to have” is now the baseline.
In 1991, when the Sentencing Guidelines were first drafted, not only was the term “ethics” not included, neither was the term “compliance.” The original objective was to establish “an effective program to prevent and detect violations of law.” An effective program was one that prevented and detected criminal conduct.
In the intervening 25 years, the emerging standard now looks more deeply at corporate culture as a root cause of misconduct. Programs are now expected to address preventive measures, and companies are being held accountable for the effectiveness of their programs. So, what are the new standards?
In June 2020 the U.S. Department of Justice (DOJ) published updated guidance for prosecutors on evaluating compliance programs.
The “critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.”
To guide the program evaluation, the document lays out three “fundamental questions” prosecutors must ask:
1) Is the corporation’s compliance program well designed? Does the program address the specific risks faced by the organization? Are their adequate policies and procedures? Are training and communication efforts tailored to the unique requirements and needs of the organization?
2) Is the program adequately resourced and empowered to function effectively? In other words, is the program being implemented effectively? “The company’s top leaders—the board of directors and executives—set the tone for the rest of the company. Prosecutors should examine the extent to which senior management have clearly articulated the company’s ethical standards, conveyed and disseminated them in clear and unambiguous terms, and demonstrated rigorous adherence by example. Prosecutors should also examine how middle management, in turn, have reinforced those standards and encouraged employees to abide by them.”
3) Does the corporation’s compliance program work in practice? “To determine whether a company’s compliance program is working effectively at the time of a charging decision or resolution, prosecutors should consider whether the program evolved over time to address existing and changing compliance risks. Prosecutors should also consider whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future.”
While this guidance is not law, best practices in the ethics field have always been to meet and exceed standards and guidance laid out by the DOJ or the U.S. Securities and Exchange Commission (SEC). All companies should seek to be at a normative baseline compared to other companies in their industry.
So now the bar has been raised. How should organizations work toward ensuring these guidelines are met?
Defining Ethics and Compliance
What Needs To Be Included in a Basic Ethics and Compliance Program
The seven steps of the Federal Sentencing Guidelines are far from obsolete. To review, they are:
Organization establishes standards and procedures to prevent and detect criminal conduct
Oversight by high-level personnel
Due care in delegating substantial discretionary authority
Effective communication to all levels of employees
Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal
Consistent enforcement of compliance standards, including disciplinary mechanisms
Reasonable steps to respond to and prevent further similar offenses upon detection of a violation 
Research undertaken by the Ethics & Compliance Initiative (ECI) has shown that in organizations that maintain even minimum standards, such as adhering to the seven criteria of the Sentencing Guidelines, employees are still twice as likely to report misconduct than companies that have no program in place.
Nevertheless, these guidelines alone won’t help an organization meet the current standards expected by the DOJ. So, what else is needed to ensure that an organization is doing all that could be reasonably expected to deter misconduct?
In 2016 ECI issued a report of a blue-ribbon panel that outlined 15 objectives which define a high-quality ethics and compliance program. In comparing ECI’s 15 objectives with the Sentencing Commission’s guidelines, it’s apparent that best practices have evolved from creating a program to effectively managing a program. ECI reported in its Global Business Ethics Survey that organizations which achieved some or all of these objectives had created an organizational culture that was meeting the highest standards of deterring misconduct.
To understand the significance of this shift, we first need to have working definitions of compliance, ethics, and culture.
What’s the Difference between “Ethics” and “Compliance”?
There is more than a semantic difference between ethics and compliance. They represent different disciplines that require different approaches. Failure to truly understand how each applies in your organization creates challenges in developing an effective program.
Hui Chen, former compliance counsel at the Department of Justice, presents a compelling characterization:
We like to think of compliance as a good thing, because it means that we are following the rules. But compliance can also denote conformity and even passivity.
Think about the speed limit sign on your local highway. Compliance standards are clear: The speed limit is painted on the sign in large numbers. But what goes into each individual’s decision to obey? Yes, if there is a law enforcement officer in sight, then we conform. As Hui Chen lays out, compliance is a singular objective behavior that is externally applied.
But what happens when no one is looking? Do we conform as quickly? If not, why not? The reality is that we conform to standards based on a weighing of our internal standards consistent with our own ethical values.
It is the collective ethical values of leaders and employees, in alignment with the organization’s cultural values around us, that guide decision-making. Principles of conduct cannot just be mandated like so many speed limit signs. Compliance is driven by ethics.
Until recently the common wisdom was that each employee embodies sufficient ethical values. To unleash ethical values, organizations only need to remove barriers from employees bringing those values out into the open.
But, as Pat Gnazzo, a leading business ethics expert, explained,
we used to assume that employees would bring positive values to work. Now it isn’t so clear. The diversity of individuals’ values in our society means that organizations have to set specific values expectations for how employees must make ethical decisions. Conformity with the rules isn’t enough. Organizations need to trust that their employees have the right values to make the right decisions—the decisions that need to be made when no one is looking.
The ethics of an organization is not a given. Organizations need to cultivate the environment where ethical expectations are as clearly stated as compliance standards.
Compliance depends on ethical values, which in turn depend on the organization’s culture.
What Kind of Culture Do You Need?
A “Culture of Compliance” Is Not What It Seems
Not long ago, leaders would talk about the need for a “culture of compliance.” But is that what an organization really needs?
A global pharmaceutical company with a European headquarters had a large US-based operation. In a time of huge fines being levied for off-label marketing of drugs, pharmaceutical sales reps were becoming very risk-averse. The fear of crossing the line was hampering their ability to creatively find legal and permissible solutions. Sales goals were not being met.
The company’s US-based ethics organization saw an opportunity to build trusted relationships with sales and marketing. They worked hard to be seen as partners, working collaboratively to find workable solutions within the regulations. Yet corporate headquarters balked. Partnership was seen as a sign of being soft. Instead, they released a global video portraying ethics officers in black paramilitary uniforms, spreading across the globe to stop corruption.
A culture of compliance based on fear is not sustainable. Companies cannot rely only on fear of enforcement to deter misconduct. Companies must be able to rely on each employee’s decision to do the right thing in the countless decisions that are made daily outside the purview of the “compliance police.”
Elements of an Ethical Culture
The type of organizational culture needed to guide and promote ethical decision-making is built on business objectives designed to build trust. ECI’s 2018 Global Business Ethics Survey laid out 15 business objectives of a “High-Quality Program” (HQP):
15 High-Quality Program Business Objectives
1) Leaders are expected and incentivized to personally act with integrity.
2) Values and standards are clearly communicated.
3) Leaders are assigned responsibility for identifying and mitigating E&C risks.
4) Leaders create an environment where employees are empowered to raise concerns.
5) The E&C program aligns with the larger objectives of the business.
6) All employees are expected to act in line with company values, and held accountable if they do not.
7) Employees are provided guidance and support for handling key risk areas.
8) Resources are provided to support employees in ethical decision-making.
9) Disciplinary action is consistently taken against violators.
10) Investigations are objective, consistent, and fair to all parties.
11) The organization directly communicates with individual reporters.
12) The organization provides broad and varied avenues for reporting.
13) Proactive processes are created to prevent retaliation.
14) The organization appropriately discloses wrongdoing to authorities.
15) Key risk areas are identified through a robust assessment process.
Each of these objectives cannot be assigned as projects to be completed. Each of them demands thoughtful evaluation of what needs to happen in order to achieve it. Some of the objectives may already be part of the business rhythm. Others may take years to achieve.
Critical to this process is the recognition that responsibility for maintaining ethical standards rests with every individual employee. According to ECI research, once a program is in place, moving toward a higher level of quality generally involves moving the responsibility, message, and accountability for ethical behavior to leaders across the organization. “When executives and managers recognize and own their role in shaping the conduct of the organization, ethics and compliance becomes a part of the culture.”
The good news is that there are definitive and objective steps an organization can take to create this desired culture. Research has shown that some of the business objectives of an HQP are more impactive than others; therefore, they can provide a good place to begin focusing close attention. These include:
Leaders create an environment where employees are empowered to raise concerns;
E&C program aligns with the larger objectives of the business;
All employees are expected to act in line with company values, and held accountable if they do not;
Employees are provided guidance and support for handling key risk areas; and
Investigations are objective, consistent, and fair to all parties. 
The keys to achieving these objectives are less dependent on establishing programs and policies, and more on understanding what employees’ innate drivers of behavior are and how organizations can guide individuals to do what they most likely want to do anyway.
Steps to Build an Ethical Culture
Creating an ethical culture starts with asking a simple, but difficult question: What would cause good people in your organization to do bad things?
Author Ron Carucci says:
Despite good intentions, organizations set themselves up for ethical catastrophes by creating environments in which people feel forced to make choices they could never have imagined. Former Federal Prosecutor Serina Vash says, “When I first began prosecuting corruption, I expected to walk into rooms and find the vilest people. I was shocked to find ordinarily good people I could well have had coffee with that morning. And they were still good people who’d made terrible choices.” 
It turns out that we have less control of our needs and motives than we like to think. As researchers go deeper into the human psyche, we are learning that much of what frames our decisions is not based on a rational view of the choices before us, but rather on deeper innate needs that subconsciously influence how we see the world and that even filter what we see. So although you would like to think that managers and employees in the field will rationally execute your company’s objective strategies, subjective and unpredictable aspects of human nature cloud decision-making. Because many aspects of these unconscious motivations originate in external factors such as culture, you need to be aware of how we all process the external stimuli that drive our actions. Otherwise you cannot hope to influence that behavior to help your organization meet its goals.
Leaders must design workplace contexts that encourage good behavior. Keeping prosocial values top of mind for employees as they make decisions will reduce the likelihood of transgressions while making workers happier and more productive.
Clinical psychologist Merete Wedell-Wedellsborg identifies three psychological dynamics that can lead to crossing of ethical lines:
Omnipotence: When someone feels so aggrandized and entitled that they believe the rules of decent behavior don’t apply to them.
Cultural numbness: When others play along and gradually begin to accept and embody deviant norms.
Justified neglect: When people don’t speak up about ethical breaches because they are thinking of more immediate rewards such as staying on a good footing with the powerful.
This work of looking at the underlying behavior in decision-making has blossomed in recent years alongside the prevalence of behavioral economics taking a leading role in predicting markets.
The application of behavioral economics in the business ethics field has engendered a new discipline called “behavioral ethics.” Max Bazerman from Harvard Business School, who has been at the forefront of this field, defines behavioral ethics as:
…the study of systematic and predictable ways in which individuals make ethical decisions and judge the ethical decisions of others that are at odds with intuition and the benefits of the broader society. By focusing on a descriptive rather than a normative approach to ethics, behavioral ethics is better suited than traditional approaches to address the increasing demand from society for a deeper understanding of what causes even good people to cross ethical boundaries.
Behavioral ethics addresses the psychological tendencies that lead even good people to use information and make decisions in ways that lead them to behave unethically, even when they would not expect to behave that way in advance.
Bazerman divides these tendencies into two categories:
Behaviors that the actors know to be wrong, but they are unaware of the forces that are leading them to cross ethical boundaries (intentional unethical behavior), such as situational influences of pressure or conformity.
Bounded ethicality, which describes the tendency of individuals to engage in unethical action without even knowing that they are doing so (unintentional unethical behavior), such as being subconsciously swayed to certain decisions without the awareness to see what is actually occurring.
In other words, the reasons why good people make bad decisions is often the result of factors they are not even aware of. The good news, though, is that addressing these dynamics is possible within the constructs of establishing a positive organizational culture.
Getting to the Core of Influencing Behavior
How can an organization create a truly ethical culture that reduces the risks of even good people engaging in misconduct?
The starting point is to look at influential behaviors embodied in certain critical values. By definition, all values guide behavior—for better or worse—but in the context of a business, some values guide behavior in particularly productive ways. Perhaps this is why the work of legendary psychologist Abraham Maslow still has so much to offer. The more we appreciate how great a role psychology plays in decision-making, the more we need a way to look at subconscious influences on behavior—such as values—in language that meets the needs of pragmatic business leaders.
Maslow’s famous hierarchy of human needs presents our subconscious motivations in terms of individual and collective levels of awareness that organizations can use as a tool. One key level of awareness based on Maslow’s theory is a communal desire to feel attached to others and connected to something bigger than ourselves. Three of the values found at this communal level of awareness—integrity, commitment, and transparency—stand out for their roles in fostering identification and community . These key “power values” influence specific behaviors that will have a positive influence on an organization’s culture. By focusing on the specific behaviors that make up integrity, commitment, and transparency, you can transform the negative behaviors that impede effective performance into positive behaviors that support effective performance. Company culture becomes a measurable and manageable tool with which to rev up performance and reduce risk.
The three power values are powerful catalysts for another reason: They are already the personal values that your employees commonly hold. When the power values are highly visible in an organization, they clarify its intentions and give employees a unifying sense of purpose and direction. Employees who share their principles, goals, and outlook—the essence of the power values—can let their guard down a bit. They can trust that they will be understood, that there will be fewer booby traps, and that their leaders and coworkers will generally act in a predictable way, consistent with their shared values.
Organizations whose employees live these power values are marked by dedication, openness, and personal responsibility. Employees in those companies take the initiative to ensure that their company can achieve its goals in the short term without sacrificing long-term sustainability. As you come to understand the unique challenges of living up to your employees’ expectations of integrity, commitment, and transparency and begin to see where unaligned principles, goals, and standards are creating friction and risk, you can identify the linchpin behaviors that will have a cascading impact throughout your organization.
The word integrity is more than a synonym for honesty. It refers to integration—making the parts of something into a whole. Integrity is a matter of combining one’s various words and actions into a harmonious whole. People who act with integrity are doing what they said they would do, living their values through their actions. An organization that is acting with integrity is consistent and predictable in its business processes: what happens today will happen tomorrow. When employees see their managers act consistently and predictably and procedures are seen as fair, stress levels are lower because there are fewer surprises and fewer crises. For example, if jobs are assigned and success is rewarded fairly, employees can afford to trust their leaders and the organization and do not feel they need to connive just to get a fair shake. If they do not need to connive, they will not subsequently need to rationalize their conniving or deceive themselves that their conniving is honest—the slippery slope is avoided.
Integrity also addresses the challenges of justified neglect outlined by Dr. Wedell-Wedellsborg. “The human mind is skilled at justifying minor incursions when there is a tangible reward at stake — and when the risk of getting caught is low.”
Have you ever been at a company where everyone seemed passionate about the work they were doing as well as the work the organization was doing? There is electricity in the air. Engaged and committed employees will go the extra mile for their organization’s success because its goals are their goals. The key to fostering that kind of commitment is to ensure that employees feel that bringing their personal values to work is not a risk. Rather, it is part of the culture.
Cultural numbness can creep in when commitment waivers. “No matter how principled you are, you must recognize that, over time, the bearings of your moral compass will shift toward the culture of your organization or team.”
Transparency is your organization’s insistence that the truth be heard, even when it is hard, and that it be clear what behaviors are expected and whether those behaviors are consistent with the organization’s principles. Can your people be open and honest with each other? Do they have full access to the information they want or only to the information someone else is willing to provide? Transparency can go a long way toward preventing disappointing performance and unethical behavior, especially when it saves people from their own self-deception, rationalization, or disengagement.
But transparency is an issue only when the information one seeks is hard for the other person to deliver or when the information one wants to convey will be hard for the other person to hear. Transparency therefore embodies the value of honesty. Employees at all levels mustbe determined to act according to their principles. The company’s culture can help by establishing a norm of speaking up, particularly if leaders make a habit of speaking up even when it is embarrassing or difficult for them to do so. To the extent that people’s discomfort is fear, establishing a norm of respect and open communication lowers the hurdle, particularly if leaders make a point of tolerating speaking up even when the news is hard for them to take.
How does an organization go about creating a culture in which difficult issues can be discussed? The first step is to understand that these challenges exist because of a gap between what employees believe (their principles) and how they act (the standards, or social norms). Transparency is being true to yourself, consistently linking your actions to your principles. Transparency thus encourages honesty, which, according to surveys, is the prevailing personal value of employees all over the world. More than any other value, employees expect honesty of themselves and of those with whom they work.
According to Wedell-Wedellsborg, “the psychological counterweight to omnipotence is owning your flaws.” It’s a mature capability to look in the mirror and recognize that you are not above it all. Especially if you’re in a leadership position, assume you have weaknesses and think about them regularly.
Sometimes, you’ll need help with this. The best performing executives I see have close colleagues, friends, coaches, or mentors who dare to tell them the truth about their performance and judgment. You should cultivate a similar group of trusted peers who will tell you the truth even when it is unpleasant. In addition, make sure to encourage an “obligation to dissent” among your core team.
Putting the Pieces Together
Integrity, commitment, and transparency do not operate independently; each depends on the others. But an organization should probably not try to address all three power values at once. Rather, it needs to know which value requires the most immediate intervention. By understanding how the elements of the company’s culture affect each other, you can avoid unintended consequences and will be much more likely to create a virtuous cycle, with positive actions within one element of the culture promoting positive changes in the other two elements to create a positive feedback loop.
The goal of an ethics and compliance program is to reduce the risk of misconduct in the organization. The framework of a program, such as one based on the Sentencing Guidelines, can be the foundation of a successful program so long as the implementation of the program takes into consideration the true influencers of human behavior.
Research and experience have identified the most important program objectives and the most influential drivers of behavior to create a dynamic ethical culture. It’s up to the organization to find its best first step to start the journey.