Values and attitudes about how to do business may differ from country to country, but there are ways multinational companies can encourage ethical behaviour throughout the organisation. Kris Curry, an EY principal in forensic and integrity services, talks about tools, frameworks, and practices companies have at their disposal to help employees, contractors, and vendors conduct themselves with integrity even in challenging markets.
What you’ll learn from this episode:
- Ethics and compliance are a shared responsibility within a global organisation.
- Risk assessment and mitigation help organisations do business ethically in markets that pose ethical challenges.
- A company’s organisational behaviours rest on four pillars: governance, culture, controls, and insights.
- A robust system of open reporting is part of the ethics and compliance framework and consists of multiple channels to report potential misconduct.
Play the episode below or read the edited transcript:
To comment on this podcast or to suggest an idea for another podcast, contact Sabine Vollmer, an FM magazine senior editor, at Sabine.Vollmer@aicpa-cima.com.
Sabine Vollmer: Kris, do investor shareholders, regulators, and consumers have conflicting expectations of what corporate responsibility and ethical corporate behaviour is?
Kris Curry: Sometimes ethical behaviour can differ, but we believe corporations must govern themselves utilising more than just ethics. They have a lot of tools at their disposal – that could be things like evaluating the values of the organisation, the morals, and the laws that govern them within a particular framework. What we typically see is the output of a lot of that. What companies have put in place is to develop a code of ethics. And what a code of ethics does for these differing sets of opinions is it lays out a clear set of expectations. It takes into consideration a diverse set of information, but it can spell out for all stakeholders the intended conduct of a company. And I think by doing this you can get in front of some of those potential conflicts in the differing of expectations.
Vollmer: Are there any other tools available to combine these different tools, other than the code of conduct?
Curry: Certainly. We see companies establish a pretty robust framework when they get to thinking about their compliance organisation. In addition to the code of conduct, we see them go a few levels deeper in putting things in place, like policies and procedures, training to their organisation, communication around their values and behaviours. And ultimately, monitoring against that to make sure that employees are following those set of expectations appropriately in their organisations.
Vollmer: Can you quickly explain the difference between ethics and compliance?
Curry: Ethics is something that is a general set of guidelines that you think about for how you govern yourself or your activity. And compliance, to me, is more of a set of policies and procedures that gives instruction to a framework in which you must operate. I think a different way to think about this is, when you think about ethics, to also think about integrity. And I think when you can talk about integrity, that’s something personal to you, what guides you from a day-to-day perspective, or really gets at the behavioural issue.
Vollmer: And who is in charge of ethics and who is in charge of compliance? Same people?
Curry: I think it’s a shared responsibility. As a former chief compliance officer myself, this used to be a daily question that I would get. I never thought that my key responsibility was to institute ethics or integrity into the organisation. I thought that that was a shared set of responsibilities within the management of the organisation, and collectively, we all have a responsibility to do that. There is a compliance function, and they have an obligation to put a governance structure in place and make sure that the organisation is operating appropriately under that governance structure.
Vollmer: When you have an organisation with a global supply chain, doing business in markets where cultural values don’t align with the corporate cultures can be a challenge. How does an organisation do that and maintain its integrity?
Curry: We get asked this question quite a bit as we help companies think through different markets that they potentially might enter into. And it is a bit of an ethical challenge or a dilemma for them, but I do think it’s possible to operate there. Again, a company that has established a pretty strong framework, or whether it’s understanding and holding true to their core set of values, is a good place to start. But one of the additional steps that we would like companies to help think through, is to think about performing a risk assessment. To step back and say, “Let me understand everything I possibly can about the market that we’re thinking about going into. What are the risks that exist there? And how do I put together a mitigation plan or a framework that’s going to allow me to operate ethically within that market?”
That might mean stepping away from certain jurisdictions or certain activities within a market, if it does find you in conflict with your values and behaviours. It sounds very simplistic, but I think it does take some courage and it is certainly possible, and we’ve seen a number of multinational companies do this and do it successfully.
Vollmer: Are there best practices to do this? And can you go in a little bit of detail of explaining how they work?
Curry: Certainly. Maybe I’ll start by answering what doesn’t work well and then get to your question around best practices. Through the course of our work, we have the opportunity to evaluate a number of different compliance programmes and frameworks. Why they fail in a number of these markets is, you have a framework that is best described by those employees as being very dense and hard to understand. A simple thing like policies and procedures, which should really provide an employee an instruction or a framework of how they operate, sometimes has gotten so complex that they find themselves sort of at a loss. They don’t know how to get from point A to point B.
And what we have been really focused on and helping companies think through is what we call our integrity agenda. And its aim is to help companies get from their intention, taking it from their missions and values and how they develop the code of conduct, and getting to a point where you can help a company think through or understand and realise the organisational behaviours that they’re looking for, sort of those unwritten norms. And to do that, we think about it in four fundamental elements. We look at things like the governance structure of an organisation. We take into consideration things like the board, line management, corporate functions, how is that all structured, how do they work together, how do they operate.
Secondly, we’ll look at the culture of an organisation, and that's really to understand what is their commitment to integrity, how does it guide decision-making in their organisation.
Thirdly, we’ll look at things like controls, what is the control framework that a company has in place. What are the procedures that they have that imbed integrity in day-to-day operations? We’ll look for things that are both preventing and detecting potential violations of law or policy.
And lastly, we’ll try and draw in insights. That’s sort of like our fourth pillar, data-driven insights, information about emerging risk, how a company is performing in relationship to their broader values and behaviours.
So, we’ll take all that together and the goal is, by looking at these four elements, we’ll come up with outcomes or measures for the company, that they can say, “How do we ultimately get to or drive to the behaviours that we would expect of our organisation?” And it’s something that, as you spend more time in it and you’re looking at more data, you can clearly begin to pinpoint why your company is straying from what you were intending to try and achieve.
Vollmer: When a company wants to evaluate its framework, it could look at these same issues, right?
Curry: Absolutely, absolutely. It’s very much the cornerstone. How we developed our integrity agenda is by spending a lot of time helping companies look and understand some of the actions, whether it’s an investigation that’s happening, whether they bring us in to just do a retrospective review. And what we found is in those four pillars, around governance, culture, controls, and insights, if you can dig in to any of those four areas, it can begin to really paint a picture for you, on what’s driving the behaviours of your organisation. And what are the different levers that you might want to pull or think about employing in your organisation to drive to better outcomes.
Vollmer: What is a robust system of open reporting, and how does it work?
Curry: When we talk about an open reporting system, what we’re talking about is multiple channels or means in which an employee and an organisation, or a shareholder or anybody else, could report potential misconduct. And that can come in a variety of different things. That could be a potential HR violation, that could be a financial violation, that could be something around fraudulent activity. But it’s a concern that an employee or individual has, and they have the ability to elevate that or escalate that to the organisation so that it has an opportunity to be investigated. A well-rounded and informed open reporting system allows for not just the hotline, because that might not work in all cultures.
It could be an email way that you can get it in, a text, having people inside an organisation that you can report to. But understanding that, in the variety of jurisdictions in which you’re going to do business, it can’t be one-size-fits-all. And you have to be willing and establish a number of different mechanisms where people can feel comfortable that they can come forward, they can have a conversation, they can report an issue, and do so without fear of retaliation.
Vollmer: So, this system of open reporting is part of the ethics and compliance framework.
Curry: Absolutely. I think we have a unique responsibility where, many times, we’re touching very sensitive information. And we have the ability to really make sure employees feel comfortable that they can come forward and report these things to you, you are seen as a trusted and valued member of the organisation. So, making sure that there’s multiple mechanisms that individuals inside an organisation feel comfortable to bring those issues forward is key to their success.
Vollmer: Other than a hotline and — which is probably the most known way of reporting something anonymously — what other open reporting channels could there be?
Curry: So, typically, we do see hotlines as the norm; most companies have that. We might also see things such as different apps being created, where people can report things via an app, they can report it via a text message. I do know there are a handful of compliance officers that have established office hours where employees can come in and just talk about general issues. That does not work in all areas. But making sure that you have a variety of different mechanisms that would work for the culture and for the variety of employees that you have is really what we would usually recommend as best practices.
Vollmer: When you look at the reporting mechanism and the culture, are there some similarities to certain cultures that tell you that “This mechanism will work, but that won’t”? Are there some guidelines? Or do you just have to figure it out market-by-market?
Curry: When companies first start, typically it’s finding out what works. I think you have a general sense or a gut feel as into one market versus another, as to the likelihood that someone’s going to report an issue. I think companies also have data that they can begin to take a look at and track over time to look for trends and patterns. So, for example, in a particular market, if there’s never been an issue reported, that’s probably an outlier. By the same token, a particular market might have multiple issues being reported. So, if we go back to what we talked about in the integrity agenda, that would be that insight bucket.
So, how are the insights that you’re collecting across your organisation telling you about signs and signals around your reporting system? That might be a good indicator that perhaps you need to either advertise it more, you need to talk about it in town halls, you need to make sure that employees understand that it is acceptable, it’s actually something that you encourage and that you want to happen in your organisation. So, that’s those tangible insights. And then, taking action on them to drive the behaviours that you’re looking for in the company.
Vollmer: And what role do and can accountants and finance professionals play in such a system of open reporting?
Curry: So, as compliance professionals, again, I think we have a unique role that we can play, whether it’s something as simple as an issue that gets reported to you and making sure that you do the right thing with that and following it through. Or, seeing something, as you’re going about the general course of your business, and then, obviously, reporting those issues.