Increasing regulation and public scrutiny of corporate behaviour means ethics and compliance is now a vital part of the boardroom agenda. Board directors must continually review business culture and processes to stay ahead of the curve – we explore how.
“Ethics and compliance is a strategic board issue,” says Peter van Veen, ICAEW Director of Corporate Governance and Stewardship. “It's an area that is growing in importance and is becoming more and more specialised. However, that specialism is not always matched on boards.”
The emergence of ethics and compliance as a distinct corporate function can be traced back to activities by US law enforcement more than 50 years ago. “The very early beginnings of corporate ethics and compliance was arguably back in the 1960s, when there were a number of high-profile antitrust cases in the US. Executives were jailed and questions regarding compliance with the law came up in the prosecution of those cases,” explains Hui Chen, Senior Adviser at R&G Insights Lab. “The next big push came in 1991 when the US Government’s Sentencing Commission created a whole chapter on sentencing organisations.”
Since those two catalysing periods, corporate ethics and compliance has only continued to rise in prominence. High-profile corporate and damaging scandals in the past 30 years, such as Robert Maxwell’s mishandling of pension funds in the UK or Enron’s collapse in the US, have precipitated more regulation and understandable public interest in corporate behaviour. Add to that a growing focus on organisations’ environmental, social and governance activity and it’s understandable that compliance and ethics work now tends to be managed by a separately funded corporate function.
Ethics and compliance: values and rules
However, ethics and compliance is about much more than just following a rule book, and there is a clear distinction to be made between ‘ethics’ and ‘compliance’ too. “The culture of compliance is, effectively, about people doing what they are told,” says Chen. “The culture of ethics is a more value-based concept and you have to consider how to approach it and measure it.”
The disciplines of ethics and compliance also complement each other. “You absolutely need the rules but, more importantly, you need the organisational will to do the right thing,” states Andy McClarron, Chief Ethics and Compliance Officer at a UK FTSE 250 company. “If you have a culture that’s designed to do the right thing, your rules are more effective, because people are more willing to follow them.”
And it highlights the increasing importance of culture as organisations become larger. “You can have the most outstanding formal processes in the world, but the bigger an organisation is, the more complex it becomes and the more critical culture is as a mechanism of control. And that is because culture is about the behaviours of what people do every day,” explains Emil Yiannopoulos, former partner at PwC Greece and non-executive director on a number of boards.
Van Veen says there are four good tests of whether senior managers really back a strong ethics and compliance culture: “First, when setting up the programme, is training mandated for all staff, including the directors and the board? Second, when acquiring new businesses or winning new customers, if Compliance do their due diligence and flag significant issues, what is the management’s response to this? Third, procurement: you need to understand your supply chain and if you start asking probing questions of long-standing suppliers, this is not always well-received. How do management and the board support this? Finally, how do senior management and the board deal with staff who raise concerns that the code of conduct is not being adhered to?”
The way individual businesses approach ethics and compliance may vary, depending on their size, sector, jurisdiction, and so on. Because of this complexity and the need for specialist skills and experience, ‘ethics and compliance’ as a discipline in its own right has grown beyond an extension of the legal function.
In particular, ethics and compliance has a much greater preventative and restorative remit than what a typical general counsel and legal team do, as Van Veen explains: “The job of the compliance team is to identify issues and discover their cause. They then have to figure out how to fix them and put in place or modify the processes and training to bring about change.”
The role of the board
An organisation’s board has a key role to play in supporting a high-profile, well-resourced ethics and compliance programme – and it’s also something that regulators have increasingly come to expect. “It is critical that boards really understand what the risks are, and are regularly informed by the executive,” adds Van Veen. “The board needs to ask the key questions. So, what are the compliance risks faced by the company? What are the ethics risks? And where should the emphasis of the company’s efforts be to manage these risks?
“The whole ethics and compliance space is becoming more and more codified by various regulators. The US authorities, in their guidance, have started outlining what they think good looks like in terms of reporting lines. For instance, compliance should have direct access to the audit committee. Regulators want to see this, because it’s a reflection of whether the company takes compliance seriously.”
Along these lines, ethics and compliance functions most commonly report into the audit and risk committee of the board. “In a lot of organisations, the audit and risk committee is the natural home that has been found for ethics and compliance. In my role, I go to the audit and risk committee at least twice a year and the full board once a year,” explains McClarron.
Some companies opt to have a separate ethics and compliance committee as part of their board. This tends to be where there are significant compliance issues that the company is grappling with or the company operates in a highly regulated industry. However, there are organisations that adopt this approach simply because they find they don’t have enough time for compliance to be covered fully within the audit committee.
“We have a standalone risk and compliance committee that is separate from the audit committee,” says Caroline Wehrle, previously global head of risk and compliance of a FTSE 100 company, and a non-executive director at a large UK housing association. “This allows us the time to invest in those conversations across risk and compliance. Social housing is a highly regulated business and we want to make sure that we are really operating the best practices we possibly can be.”
Where there are separate committees, it is critical to ensure that the two connect and work collaboratively. Wehrle details the process at her housing association board: “We’ve built specific connection points and mechanisms to make sure that the complete picture of risk comes together and that nothing falls through the gaps or is duplicated. At minimum, there is one joint meeting between the risk and compliance committee and the audit committee each year on topics that are of interest to both sides, such as cybersecurity. In addition, every member receives the other committee’s reports and papers. We also have one member who sits on both committees and reports in each direction.”
Whichever approach is chosen for how the board engages with ethics and compliance matters, it is important to ensure that the board members are aligned on their approach. Here, workshops and training when setting up a programme or conducting a major review can help, and induction processes for new non-executive directors and ongoing training can build on this. “It’s entirely plausible that you’ll have different individuals around a board table whose perspective on what is ethical differs,” says Wehrle. “So we had an ethics workshop as a board to discuss this and determine a position together.”
Speaking up and whistleblowing
Developing a culture of ethics and compliance at an organisation includes enabling and encouraging individuals to speak up when issues arise. In many jurisdictions, there are regulatory requirements that companies operate ‘speak-up’ or whistleblowing lines, such as the EU’s Whistleblowing Framework.
There are many ways that speak up processes can be organised, whether they are operated by the ethics and compliance function or an independent supplier. But, again, regulation only goes so far. For the processes to operate effectively, they must be supported by the right culture. “Whatever the design, you have to get to the point where people are comfortable raising issues, and that is a considerable task in itself,” says McClarron. “Then when issues are raised, are they dealt with professionally and promptly and appropriate action taken?” Key to this is ensuring that anyone speaking up has their anonymity protected and there is no scope for retribution.
To encourage such an open environment, boards have an important role to play in setting the tone from the top of the organisation. Regular and robust culture assessments will help, too, offering insight into how organisational culture is evolving, as well as areas for improvement. “Our board runs focus groups with staff, where they’re just testing the temperature and testing the culture,” explains McClarron. “One of the board members will go and there will be 12 or 13 employees in the room. They’ll have a conversation about culture and the code and values and so on. Boards coming in and talking about these things can have a very big impact.”
As Van Veen sums it up: “If the tone at the top is lacking and the board – which includes executive management such as the CEO and CFO – is not 100% committed, then why should others further down the organisation be?”