Ethics and compliance strategy, how to mitigate organisation’s risks using the strategy? Organisations are facing more risks than ever. The unstoppable rise of globalisation, digitisation and interconnection of today’s world reality has exposed companies to many risks that threaten their ability to do business. Risk reduction or risk mitigation is about taking the appropriate steps to reduce the adverse effects of threats and disasters on an organisation’s business continuity. Threats that might put a business at risk include employee risk or third-party corruption. Businesses need to prepare for threats around reputational risk and alongside enterprise risk management. And it’s essential to line up their current strategies with a practical ethics and compliance strategy.
Companies confront ethics and compliance issues every day. Once upon a time, the idea of business ethics was more of an abstract or philosophical notion that seemed more suited for discussion in a university lecture or at a business conference. Today, however, organisations of all sizes and industries must have concrete ways of addressing ethics and compliance issues as a principal component of their business processes. There are four critical elements to an ethics and compliance strategy. These include tone at the top, corporate culture, risk assessments, and testing and monitoring.
Setting the tone at the top
The ethical atmosphere created within an organisation by the attitudes and behaviours of the organisation’s leadership is often referred to as the “tone at the top.” Tone at the top is a significant factor in determining whether fraud, bribery, or corruption are likely to occur. That’s because employees lead by example. If their leaders show a robust and zero-tolerance approach to fraud, those who report to them are likely to follow.
An organisation with a solid ethical culture is usually led by a board of directors and senior management personnel who actively promote compliance and zero tolerance for fraud and other unethical business behaviour. Effective tone at the top will communicate to the organisation at all levels the expected type of conduct, what is considered unacceptable, and the consequences for transgressions. The top leaders should follow a zero-tolerance approach, and the message it sends to employees is vital in creating a maintaining culture of ethics and compliance at the organisation.
Corporate culture
Speaking of culture, the prevailing norms, expectations, and recognised acceptable behaviour form an organisation’s corporate culture. By making ethical conduct and compliance with all regulations a part of those norms, the organisation will help promote positive behaviour and integrity among its staff.
Similar to establishing an effective tone at the top, fostering a positive corporate culture hinges on effective communication, and it needs to permeate different layers of the organisation. In other words, providing printed handouts once a year or sending occasional emails about ethical behaviour probably isn’t enough to move the needle and influence the culture at a company. Employees need to hear from leaders how they can help cultivate an ethical workplace. Videos, team-building exercises, new employee orientations, and employee appreciation events provide opportunities to recognise positive behaviour and reinforce the company’s values.
These messages sink in when employees see their colleagues recognised and rewarded for maintaining a compliant and ethical corporate culture. When the tone at the top and corporate culture are tied together, everyone understands what is acceptable and expected in being a part of the organisation’s success.
Risk management
Before a security system is installed at a home or business, the provider will inspect to determine risk areas that need attention. Establishing an ethics and compliance framework at an organisation is a similar process. First, conduct an expert risk assessment to uncover vulnerabilities that need to be addressed with new strategies. This requires looking at how business is conducted, from everyday accounting practices to how goods or merchandise are handled in the warehouse. Examined various roles at the company: Are there proper separation of duties? Are employees qualified for their responsibilities? Is the workforce trained to recognise the red flags of unethical behaviour and fraud?
Once those trouble spots identified, they can be isolated and addressed as part of the organisation’s comprehensive approach to ethics and compliance. The risks should be prioritised – which ones pose an immediate threat? Could they effectively shut down the business? Do they pose a risk of financial, legal, or reputational risk – or all of the above?
Once prioritised, assigned the various identified risks for responsibility among company officials. Perhaps the CFO is responsible for assessing and implementing a solution for a problematic accounting practice, for example. Or the compliance officer should be assigned to oversee and improve the way the company handles anonymous fraud tips, as another example. The board of directors (or ownership and executives) must provide oversight to ensure that problem areas have adequately addressed and the organisation is proactive in mitigating risk.
Testing and monitoring
When new processes for ethics and compliance have been implemented (such as an anti-fraud policy and employee code-of-conduct, anti-bribery and anti-corruption training, separation of job duties and responsibilities, an anonymous reporting process for unethical behaviour, and anti-fraud and anti-corruption policies), a thorough testing and monitoring regimen is critical to ensure the new approach is working. After all, having the best processes on paper won’t make a positive difference if nobody is monitoring how they are being used whether they are having success. A schedule should be in place that promotes frequent, regular check-ups of the ethics and compliance controls, with metrics that show results.
For example, surprise audits can be an effective way to test if new financial controls have reduced the number of accounting irregularities reported in a quarter compared to previous results. Before implementing ethics and compliance controls, the risk assessments should have identified risk areas with the new processes to mitigate that risk. Only by testing and testing frequently can the organisation determine if the new controls have the desired effect. If they are not, the company should develop new solutions that specifically robustly target these problem areas – and, in time, test them again.
Addressing ethics and compliance issues at an organisation can seem to be a daunting task. With careful preparation, expert help, and a common-sense approach, any company can develop or enhance its corporate culture to be proactive in mitigating ethics and compliance risks. The benefits will be obvious – increased productivity, better security, and empowered employees who understand that their organisation values integrity and an ethical work environment.
Risk mitigation is one element of risk management, and its implementation will differ by organisation. Meanwhile, ethics and compliance strategy are essential for a successful risk mitigation process within the organisation.
ABAC® Center of Excellence is an independent certification body powered by CRI Group. ABAC® offers a complete suite of services and solutions designed to educate, equip and support the world’s leading business organisations with the latest best-in-practice risk & performance assessments, systems improvement & standards certification. Find out more about ABAC®!
ABAC® programs protect your organisation from damaging litigation & safeguard your business in the global marketplace by providing certification & training in internationally recognised ISO standards, such as ISO 37001 Anti-Bribery Management Systems, ISO 19600 Compliance Management Systems and ISO 31000 Risk Management Systems.
Based in London, CRI Group works with companies across the Americas, Europe, Africa, Middle East and Asia-Pacific as a one-stop international Risk Management, Employee Background Screening, Business Intelligence, Due Diligence, Compliance Solutions and other professional Investigative Research solutions provider. We have the largest proprietary network of background-screening analysts and investigators across the Middle East and Asia. Our global presence ensures that no matter how international your operations are we have the network needed to provide you with all you need, wherever you happen to be. CRI Group also holds BS 102000:2013 and BS 7858:2012 Certifications, is an HRO certified provider and partner with Oracle. Contact CRI Group today for further information on how CRI Group can help your business.
