By Eric R. Feldman
How strengthening a company’s ethics can help it manage the risk of fraud.
In a healthy organizational culture, there is a natural, not forced, focus on business ethics, and ethical practices are integrated into the fabric of doing business. Coupled with a strong anti-fraud program, foundational ethics policies result in a decreased risk of fraud. For example, organizations with a published and publicized code of conduct had a 27 percent lower median loss, and a 53 percent reduction in fraud duration, according to a study by the Association of Certified Fraud Examiners. The same study found that organizations with whistleblower incentives had a 31 percent lower median loss, and a 59 percent reduction in fraud duration.
The costs to the bottom line when companies don’t take steps to prevent fraud go well beyond the direct dollar impact of any actual fraud that occurs. There are the related costs incurred from the impact on the brand as well as the more concrete costs of government enforcement actions. In 2012, for example, the Securities and Exchange Commission alone brought 734 enforcement actions against companies, resulting in more than $3 billion in penalties and other fines. Clearly, it is worth the investment in time and resources to develop and maintain an ethical culture.
As a former federal inspector general who is currently assigned to serve as an independent monitor on a variety of cases to help rebuild confidence after instances of corporate misconduct, I have observed several themes and best practices that successful companies have used to help strengthen their ethical culture and better manage their fraud risk. These practices relate to the code of conduct, metrics, training, due diligence, risk assessments, tone, and practice.
A company’s code of conduct must be a useful, living document that is referenced beyond new employee orientation. It must clearly spell out responsibilities of both the company and the employee, including an employee’s duty to report observed misconduct or violations.
While the code of conduct should address vulnerabilities that all types of businesses share—such as theft, accounting irregularities, and corruption—it should also focus on vulnerabilities unique to the company. These can be determined from an ethical-hazards risk assessment. For example, companies should examine how potential hazards might be created by perverse incentives, such as compensation based 100 percent on financial goals. Another factor is unintended consequences of policies, procedures, or expectations to determine where employees could possibly be motivated to make the wrong ethical decisions for what they believe are the right reasons. For example, unethical behavior can be justified in employees’ minds if that unethical behavior leads to a contract that will save the jobs of colleagues.
What is the relationship between ethics and other performance metrics in the company? A mantra frequently used by management gurus holds that “what gets measured gets done.” In the world of corporate ethics, standards for expected behaviors are often in direct competition with financial, operational, and other business metrics. If a manager’s compensation, bonus, and promotion opportunities are based solely on financial objectives, without mention of how the business gets done, the underlying message resounds loudly: Ethics is not the driver of our culture. Money and profits matter above all.
Unrealistic financial objectives can push otherwise ethical employees over the edge. Employees often see such pressure explicitly spelled out in what they perceive as unrealistic goals and performance metrics that are not properly calibrated with the company’s ethical values.
Once it develops its code of conduct, the company must make sure that it is disseminated and understood, which will require training. Government agencies often look at how management conducts its ethics training to determine whether the company seems serious about trying to establish an ethical culture. For example, live training exercises using real-life scenarios are considered an effective way to help employees understand what will and will not be tolerated within the organization. Conversely, a training program that relies solely on computer-based modules is not considered effective.
Such training should be conducted at every opportunity. For example, scenario training can be integrated into small team business meetings at every level of the organization throughout the year.
After a company develops ethical standards and trains employees on them, it cannot simply sit back and assume that ethical practices are being followed. The company needs, in essence, to occasionally conduct an ethics audit—some sort of random check or inquiry that assesses how employees feel about the organization and the role that ethical objectives really play in their day-to-day business decisions. Moreover, the code should be regularly referenced in staff meetings.
Corporate ethical culture is not static, and even the best policies can easily be undermined by poor hires, unwise promotions, and ill-advised partnerships or acquisitions. Thus, an important aspect of maintaining an ethical culture is having measures in place for filtering out “bad apples,” both when hiring individual employees or executives and when partnering with, merging with, or acquiring other entities. Those checks should be conducted not only initially but whenever a relationship changes, such as when an employee is promoted.
For these screening and due diligence processes to be effective, they must be set up to recognize and value ethical behavior and sound decision making over profit generation—though measuring these intangibles is not always easy. Due diligence for new hires might include, for example, scenarios of ethical dilemmas used during the interview process to gauge the candidate’s attitude. Vendors and suppliers might be queried about their own codes of conduct and ethics training in addition to checking their record of corporate behavior. Ethics criteria, such as an employee’s commitment to modeling ethical behavior and sharing ethical dilemmas with staff, should be factored into performance appraisals and promotion criteria as well.
With regard to third-party contractors that pass the initial vetting, companies might also consider making their ethics and compliance resources available to them (and their subcontractors) to ensure consistency in the ethical approach to business decisions and actions.
What leaders say, or fail to say, affects the tone and culture of the organization as much as a formal code of conduct. One key driver affecting the actions of subordinate employees is the extent to which company leadership at all levels is viewed as personally committed to a company’s ethical culture—and the extent to which they are seen as taking every opportunity to communicate and demonstrate ethical priorities. Conversely, an atmosphere that breeds mistrust, cynicism, or indifference can erode loyalty and push ethical leaders and employees out the door.
While visible engagement of senior leadership and the board of directors on ethics matters is a critical element in building and maintaining a strong ethical culture, the “tone at the top” of an organization is often over-relied upon as the singular requirement of a strong ethical culture. The reality remains that it is not the C-suite that has the greatest impact on employees. Rather, it is their immediate supervisor who exerts everyday influence. Employees see “leadership” as their supervisor or the local management at their work location. For that reason, a comprehensive training and review program targeted at front-line managers can have the greatest impact on the ethical culture.
Management must also prove that it means business by supporting whistleblowers. Although most organizations have established anonymous reporting hotlines where employees can confidentially report observed misconduct, the 2011 Ethics Resource Center report found that retaliation against employee whistleblowers rose sharply. More than one in five employees (22 percent) who reported misconduct say they experienced some form of retaliation in return. That compares to 12 percent who experienced retaliation in 2007, and 15 percent in 2009.
Employees continue to identify the fear of retaliation, and a perception of a lack of management responsiveness to their reports, as the main reasons for not reporting misconduct. Although the percentage of employees who report observed misconduct is higher than in previous years, 35 percent of employees responding to the survey said that they did not report observed misconduct at their companies.
Employee fear of retaliation as well as hesitance to use reporting hotlines are indicators of a weak corporate ethical culture, undermining or eliminating opportunities to strengthen controls and mitigate risks. Hotline reporting trends provide valuable insights into the areas of an ethics and compliance program that requires additional focus and attention, and can transform a reactive program into a proactive mechanism to prevent fraud and misconduct.
Strengthening the corporate ethical culture as part of a comprehensive anti-fraud program can help organizations better manage fraud risk. The payoff is likely to far exceed the costs.
Eric R. Feldman, CFE (Certified Fraud Examiner), CIG (Certified Inspector General), is managing director of corporate ethics and compliance programs for Affiliated Monitors, Inc.