Building an Ethical Culture

By Eric R. Feldman

While the code of conduct should address vulnerabilities that all types of businesses share—such as theft, accounting irregularities, and corruption—it should also focus on vulnerabilities unique to the company. These can be determined from an ethical-hazards risk assessment. For example, companies should examine how potential hazards might be created by perverse incentives, such as compensation based 100 percent on financial goals. Another factor is unintended consequences of policies, procedures, or expectations to determine where employees could possibly be motivated to make the wrong ethical decisions for what they believe are the right reasons. For example, unethical behavior can be justified in employees’ minds if that unethical behavior leads to a contract that will save the jobs of colleagues.


What is the relationship between ethics and other performance metrics in the company? A mantra frequently used by management gurus holds that “what gets measured gets done.” In the world of corporate ethics, standards for expected behaviors are often in direct competition with financial, operational, and other business metrics. If a manager’s compensation, bonus, and promotion opportunities are based solely on financial objectives, without mention of how the business gets done, the underlying message resounds loudly: Ethics is not the driver of our culture. Money and profits matter above all.

Unrealistic financial objectives can push otherwise ethical employees over the edge. Employees often see such pressure explicitly spelled out in what they perceive as unrealistic goals and performance metrics that are not properly calibrated with the company’s ethical values.


Once it develops its code of conduct, the company must make sure that it is disseminated and understood, which will require training. Government agencies often look at how management conducts its ethics training to determine whether the company seems serious about trying to establish an ethical culture. For example, live training exercises using real-life scenarios are considered an effective way to help employees understand what will and will not be tolerated within the organization. Conversely, a training program that relies solely on computer-based modules is not considered effective.
Such training should be conducted at every opportunity. For example, scenario training can be integrated into small team business meetings at every level of the organization throughout the year.


After a company develops ethical standards and trains employees on them, it cannot simply sit back and assume that ethical practices are being followed. The company needs, in essence, to occasionally conduct an ethics audit—some sort of random check or inquiry that assesses how employees feel about the organization and the role that ethical objectives really play in their day-to-day business decisions. Moreover, the code should be regularly referenced in staff meetings.



The Magazine — Past Issues


Beyond Print

SM Online

See all the latest links and resources that supplement the current issue of Security Management magazine.