An interactive Q&A with governance, risk and reputation strategist Dr Andrea Bonime-Blanc
In this monthly column, Andrea Bonime-Blanc, ‘The GlobalEthicist’, answers readers’ strategic governance, risk, ethics, compliance and reputation related questions. Submit your questions to Ethical Corporation’s editor, Zara Maung, at Zara.Maung@ethicalcorp.com. Each month a question will be selected for a response.
Q: What should a board look for to take comfort that an ethics and compliance programme is not just implemented but also effective?
Submitted by Willem J Punt, group ethics officer and head of culture and conduct risk at First Rand Bank, South Africa
A: Holding responsibility for the overall governance and oversight of the financial and operational resilience of an organisation, boards are also responsible for oversight of the non-financial, sometimes intangible, aspects of their company – those aspects that are directly related to integrity and reputation and to perceptions and behaviours of key stakeholders.
Whether these intangible, non-financial concepts are called ethics, compliance, integrity or even corporate responsibility or corporate citizenship, boards must find a way first to understand what their company has in place; second to glean whether what is in place is merely superficial or actually implemented and effective; and third to understand how their company’s programme compares with industry, national, geographical and other desirable standards.
So, first and foremost, the board needs to know what an effective ethics and compliance programme consists of. The following list provides a summary of the emerging global consensus of the elements of an effective ethics and compliance programme: nine elements ranging from having the right resources, code of conduct, policies and training to more strategic concepts about reporting structure and access to the highest-level decision-makers in the organisation.
The elements of an effective ethics and compliance programme:
- E&C risk assessment – Conducting a periodic and targeted ethics and compliance risk assessment
- Code and policies – Having a code of conduct and related system or framework of policies
- CECO resources – Creating an office of the chief ethics and/or compliance officer (CECO) with sufficient resources and budget
- Board and C-Suite access – Giving the CECO access and reporting to the highest levels of the organisation, including management and board
- Training and communications – Providing appropriate ethics and compliance training and communications
- Internal controls alignment – Implementing a system of internal controls and proper delegation of approval authority
- Helpline/hotline system – Devising a system to solve concerns and problems, including anonymous reporting options
- Consistent discipline – Implementing a consistent system of internal discipline
- Auditing, monitoring and evaluating – Periodically auditing, monitoring and evaluating your ethics and compliance programme
Let’s assume the board is savvy about this emerging paradigm. Next, the board needs to know how to distinguish between shiny marketing presentations by management about how “effective” their E&C programme is and whether it is truly effective. The board needs to know what questions to ask management, what data to look at and what extra probing must be done.
Among the key questions the board should be asking:
- Has a baseline E&C risk assessment been conducted?
- Are periodic follow-ups being conducted to ascertain risk mitigation and/or resolution? What is the data showing?
- Is the code of conduct up to date, reflecting the risks and providing effective guidance to employees? What employee feedback are we getting? What is the hotline/helpline data showing?
- Are there sufficient resources and budget given the risk profile and history of the company? How do we know this? Have we benchmarked appropriately?
- Does the top E&C officer have direct and unobstructed access to the board at any time?
- Does the top E&C officer have a periodic (preferably quarterly) slot to present results to the board?
- Does the E&C office have sufficient independence from management – both administrative and substantive?
- Does the company conduct culture surveys?
- Are these surveys asking ethical climate questions?
- Do employees feel safe to speak up without retaliation? How do we know that they do?
- Is management following up on culture results with action plans?
- Are employees, including top executives, being held accountable for not only financial results but also cultural and values-based performance?
Asking good questions is not enough – the board needs to go further to probe, test and confirm aspects of the E&C programme to understand whether it is effective. To truly get under the hood of the programme, the board should consider the following:
- Executive sessions with the chief ethics and compliance officer
- Presentations by key risk owners to an audit or risk committee and/or executive sessions with them
- Periodic contacts with key personnel – officially or unofficially
- The use of outside experts to provide independent, sector and global perspectives on key issues and risks
- The use of outside experts to review the effectiveness of one or more aspects of the E&C programme or the entire programme itself
- Kicking the tyres unofficially – visit, call, chat
- Having one or more members of the board who have expertise in ethics, compliance, risk and/or reputation management
Finally, there are some architectural or structural measures that enlightened companies are beginning to consider and implement that are helpful to both management and the board. One is to have a more holistic and strategic senior role – the office of a chief risk, integrity and reputation officer, a concept I first presented in this column.
By creating a more strategic (yet customised) approach to managing these issues, management is able to better coordinate, address and even resolve key issues and the board is able to rely more heavily on an expert executive to report regularly to the board, all of which ultimately benefits the organisation and its key stakeholders.
Dr Andrea Bonime-Blanc is chief executive of GEC Risk Advisory, and has recently authored The Reputation Risk Handbook: Surviving and Thriving in the Age of Hyper-Transparency.