Six steps to building a strong ethics and compliance programme

In today's globalised business world, organisations are under increasing pressure to comply with an ever-growing framework of regulations - or risk the substantial threats to revenue, operations and reputation that compliance failures can lead to

At the same time, investors, employees and customers are now looking beyond traditional measures of corporate success, placing increased emphasis on issues of sustainability, ethics and social responsibility.

As global enforcement of regulations increases, punitive fines continue to swell and public demand for ethical business grows, the question of whether to develop an integrated ethics and compliance programme is an easy one to answer. 

In short, it’s not a question; it’s an imperative strategic decision that offers numerous benefits: a better reputation, greater transparency, a stronger legal defence, more robust processes and better use of data, for starters.

Yet we are navigating strange and challenging times, and implementing an ethics and compliance programme can be an intimidating, if not overwhelming, experience - especially if starting from scratch.

“The coronavirus pandemic has helped to build a strong case for compliance and ethics,” says Vera Cherepanova, ethics and compliance consultant at Studio Etica and the lead author of NAVEX Global’s Definitive Guide to Ethics and Compliance. “Our wellbeing, and the wellbeing of others, depends on how compliant we all are. In the same way, the wellbeing of organisations depends on our individual and collective conduct.”

Ahead of the launch of the new guide, which will help organisations develop and implement their own ethics and compliance programme, here are the six key steps to consider as you pursue your own plan.

1. Get board buy-in

The first step lies in gaining support from organisational leadership; admittedly, no easy task. “This step is the most important,” says Cherepanova. “Without leadership buy-in, the other steps probably won’t happen.”

Those seeking to implement an ethics and compliance programme must push for time with the C-suite and stress the vital role it can play within the business, from growing the organisation’s reputation to facilitating transparency and mitigating risks posed by both internal actors and external third parties.

Equally, paint the alternate reality: without a robust programme, the organisation is playing a high-risk game likely to end with costly fines, ongoing legal and remediation fees, unhappy employees and a reputation forever tarnished in the eyes of prospective customers and the wider public. 

Ultimately, align the programme with the board’s overarching business strategy and you’ll stand a better chance of piquing their interest. Gaining this top-down support will help mitigate potential challenges that surround participation, engagement and understanding of the compliance programme down the line.

2. Create the right framework

Once that critical first step has been taken, project leaders need to create a suitable framework for the ethics and compliance programme. Take the time to consult with stakeholders across the business to better understand how compliance relates to different functions because not everyone will understand its value right away. 

“Depending on how the organisation is structured – how many offices it has, in which countries and so on – the decision must be taken where the compliance function will sit, where it will report to and what status it will have in the organisational hierarchy,” says Cherepanova.

Jon Green, company secretary and general counsel of Essentra, a global provider of essential components and solutions serving 34 countries, agrees. “Compliance needs to be embedded as part of everyday business management and thinking. It’s not a standalone box-ticking exercise, which doesn’t add or preserve any value,” he says.

Alongside such internal considerations, you should also factor in the jurisdictions your organisation operates within, as well as the relevant legislation to abide by, as this will impact regional implementation of the programme.

Understand how compliance relates to the daily life of the business internally and externally, and you’ll be better able to identify the most suitable framework for your programme, whether centralised, decentralised or independent.

3. Establish governance structures

When establishing your compliance programme framework, you’ll engage with a wide range of stakeholders across the business, including representatives from legal, risk management, human resources, procurement departments and even further afield. 

During these conversations, it’s important to discuss the potential programme framework and listen to feedback. In the long run this will result in a much smoother process. The more key people who understand and want to contribute to the vision, the better.

Cherepanova explains: “There are many compliance and ethics-related risks facing a modern organisation. Obviously, the compliance function can’t have expertise in every area and that’s why collaboration with other functions is key for a holistic coverage of all risks.”

As part of these collaborative discussions, look to clarify and define each stakeholder’s role and responsibilities. Establishing clear procedures and timelines will ensure a more robust governance structure, minimising crossed wires and mixed messages, which will be central to the programme’s long-term success.

4. Conduct a risk assessment

The successful completion of a risk assessment depends upon both the business-wide participation and appropriate oversight granted by departmental stakeholders, as well as a coherent plan of execution. Leveraging the expertise of individual functions will quickly highlight the specific risks facing the business.

“There is no one-size-fits-all programme,” says Essentra’s Green. “It is important to have something that works in the context of your business, your risks and your people, otherwise the investment is wasted.”

This is precisely why risk assessments are so essential. To underline their value, NAVEX Global’s 2020 Definitive Risk & Compliance Benchmark Report shows industry professionals responsible for the most advanced ethics and compliance programmes use the results of risk assessments to aid decision-making more frequently than any other information source.

Embrace a position of utmost scrutiny when assessing the risks and you will ultimately create a more robust programme that offers better protection against the unique threats your organisation faces.

5. Implement appropriate compliance controls

Once the organisation’s risks have been identified, either through the initial assessment or as part of an ongoing review, they must be mitigated through the implementation of appropriate internal and external compliance controls. 

This will typically include establishing rules and policies for employees and stakeholders, training employees on the rules and regulations they must adhere to, providing a means of reporting breaches of those rules, and putting procedures in place to measure and mitigate external risks, such as those posed by third parties.

It’s also critical to bear in mind that with the actions you take, you can demonstrate the “how” and the “why” to regulators, should you be required to. This means leveraging accessible, easy-to-use technology and embracing clarity when communicating the programme across the organisation. Being able to demonstrate appropriate controls can lead to greater leniency from law-enforcement agencies should the worst happen. 

6. Establish effective integration, reporting and measurement

With legislation continuously being updated and refreshed, it is vital to keep abreast of changes while also ensuring the compliance programme you’ve developed is respected and adhered to across the organisation. This may present challenges if the value of compliance is not fully understood, but the new programme must be integrated into all business units, even those that may perceive it as a hindrance.

Therefore, building relationships to combat those perceptions is essential. Knowing how to tailor the narrative to each stakeholder and business unit will help you to gain support more quickly, making it easier to establish effective monitoring and review processes. 

Yet this is only the first step. Once results start coming in, you must impose effective tracking of the programme, and the data insights it generates. This will not only justify its level of efficacy, but also identify areas of opportunity. 

“Implementation was simple,” says Green. “Our current challenge is continuing to develop [our tools and programme] to keep up with the pace of change in compliance thinking and working practices. Technology plays a major role in helping us to do that.”

Do the right thing

Ultimately, most employees want to do the right thing. The goal of any ethics and compliance programme should be to enable them to do just that. Much of the time, compliance isn’t difficult; it’s simply common sense. 

Green concurs: “Don’t burden or confuse people with what they don’t need to know. Tell them in simple terms what they need to know and how they should react if they spot a red flag or are otherwise uncertain.”

Organisations need not be intimidated by the prospect of creating and establishing an ethics and compliance programme. By breaking it down into a series of key steps, you too can implement a manageable and effective programme that will protect your people, reputation and bottom line. 

NAVEX Global’s Definitive Guide to Ethics and Compliance launches soon. In the meantime, click here for more detailed and expert-guided advice on managing your Ethics and Compliance programme.