Before starting to design and implement policies within an organization, it’s important to conduct a proper risk assessment. Risk assessments ensure company policies and procedures help reduce the risks and potential threats within the workplace. Each company faces different risks based on factors such as location and industry type. There are certain elements that need to be included in all risk assessments. Similar to conducting a basic SWOT analysis, risk assessments encourage HR managers and executives to think harder about different threats and opportunities for the business. A SWOT analysis assists in defining clear goals, making a risk analysis investment worthwhile.

In our previous post, “5 Simple Steps to Conduct a Risk Assessment“, we focused on safety based tips for conducting workplace risk assessments, however, in today’s post we are focusing in on 5  risk assessment tips that help with setting the tone at the top and governing policies.

1. Evaluate ALL Areas of Misconduct

To conduct a proper ethics and compliance risk assessment, address all potential areas of risk- not just the most common or obvious ones. To ensure that all of the bases have been covered, evaluate risks that are specific to both the company and the industry that it operates in. As a starting point, go through previous files or cases relating to complaints or problems that occurred within the company and then focus on risks that are a bit harder to identify.  It’s important to examine the factors causing these risks to occur, as well as the ability company’s have to plan for and reduce the impact of risks. This analysis will helps with policy creation, aiding in the development of effective policies fostering an ethical corporate culture.

2. The More The Merrier

During the ethics risk assessment, gather opinions from as many employees as possible. Also, make sure they come from different levels within the company. There are different risks present at different levels and faced by different employees. Including a number of employees allows for a more complete picture of the company’s ”risk landscape,” as these employees can identify and communicate risks they encounter on a day-to-day basis. Depending on company size and the number of people included in this step, the article “Maintaining a Robust Ethics and Compliance Program in Today’s Business Climate: A Necessity to Minimize Your Organization’s Risks” recommends using methods such as distributing surveys, holding focus groups or other forms of meetings or individual interviews, to gather information.

3.  Benchmarking and Comparison

A useful resource for identifying risks and evaluating ethics and compliance program is to benchmark against competitors or industry leaders. This helps to ensure policies keep companies ”in check” with industry laws and standards. When observing the ethics program of an industry leader, look at their code of ethics, corporate culture and corporate social responsibility statements that can be easily accessed on corporate websites. Pay attention to the areas of risk they focus on and see if the policies they have put in place actually work as intended.

For example, Johnson and Johnson is an industry leader in the consumer health care field. If a company is one of their competitors or are looking for a superior quality ethics and compliance program, look at their corporate governance guidelines, annual reports and code of ethics to get an idea of issues that are important to them and how they handle them. Benchmarking is similar to leading by example. Industry leaders and companies known for their commitment to ethics and compliance want to lead the way for other companies to follow and incorporate best practices into their workplace.

4. Training and Awareness

The article “Maintaining a Robust Ethics and Compliance Program in Today’s Business Climate: A Necessity to Minimize Your Organization’s Risks” states that it’s also important to evaluate employee training related to the compliance and ethics program to make improvements to the training program:

“Measure employee knowledge. The ethics and compliance risk assessment should include a measurement of employee knowledge and awareness of the compliance program and supporting controls. Doing so can help pinpoint where training and communications programs need to be improved.”

In our post, “How to Encourage Employees to Use Internal Reporting Tools“, we discussed the impact of increased ethics and compliance program training and awareness at BAE Systems. BAE Systems credits increased employee awareness of compliance and reporting systems as a contributing factor in the increased use of internal reporting systems to help detect and uncover workplace misconduct. Employees must be aware of all policies and procedures that govern employee actions in order to create an ethical corporate culture.

When evaluating and developing training programs, consider the interests of the audience and make training interactive. Taking those two factors into consideration will lead to increased employee engagement and retention of information communicated- take a page out of the books at Cisco Systems, their ”Ethics Idol“ training program really got employees talking!

5. Set a Re-Evaluation Date

I know that this point was already included in our post “5 Simple Steps to Conduct a Risk Assessment“, but it’s just to important to leave out. Select a time or times each year where to re-evaluate corporate risk assessments. This allows companies to keep policies and procedures up to date and remain inline with updated laws and regulations. As the workplace evolves, adapt policies to these changes to help mitigate risk. To provide an idea of the frequency required for re-evaluation, the authors of the article “Maintaining a Robust Ethics and Compliance Program in Today’s Business Climate: A Necessity to Minimize Your Organization’s Risks” recommend that:

“The frequency with which an organization chooses to conduct ethics and compliance risk assessments depends on the nature of the organization’s industry, but if the methodology and process is adequately defined, it can reasonably be conducted on an annual basis where year-over-year results can be appropriately compared. Since operating environments, regulations and government enforcement priorities routinely change, it is inadvisable to conduct compliance risk assessments on a less frequent basis than every two years.”

At the end of 2008, Cisco Systems revealed their unique approach to ethics training for their workforce. Many companies look for ways to make training enjoyable for employees- Cisco Systems has been able to prove that you can effectively incorporate humor into an ethics training program and still get your message across. Ethics Program Manager Jeremy Wilson stated in this article by Andrew Singer published in “Ethikos and Corporate Conduct Quarterly” that “all too often training officers are inhibited by the thought that “legal would not like that.” Compliance-related topics are inherently dry, and companies shouldn’t shy away from seeking new ways to connect with your code and your employees.”

Connecting with a “Connected” Bunch

One of the key factors that allow Cisco to carry out a more creative approach to their ethics training is that all of their employees work on computers and are connected to the Internet. The “Ethikos” article by Andrew Singer also featured Christine Style, the Ethics Marketing Manager at Cisco, who mentioned “Cisco’s ethics office has at any time between two and five individuals working in it—yet it must get the message out to more than 50,000 employees. We are utilizing technology to do this, including communication instruments like blogs and discussion forums so we are not answering the same question 50 times.”

Even if your entire organization isn’t connected to computers and Internet, there may be certain groups within your organization that are, and these types of tools could be implemented into their training program.

Cisco’s “Ethics Idol”

Another way to connect with employees is to engage them with something that they are familiar with. At Cisco, they created animated videos as part of a series called “Ethics Idol”, a parody of the tv show ”American Idol”, in order to spark employee interest in the training process. Jeremy Wilson explained the premise of “Ethics Idol” in this article:

“Featured on Cisco’s Intranet, it presented a series of animated ethics scenarios that are evaluated by judges. Cartoon characters sing about different ethics situations—sales practices, procurement issues, and other common dilemmas. Employees also vote, making their judgment calls on each ethical situation. The ‘contests’ have also been run by DVD in a live setting. Cisco managers use ‘Idol’ handbooks that explain how to run the contest. Ethics Idol helped raise awareness to Cisco’s employees that each ethical dilemma is not always cut and dried, and if they should have any questions to refer to the Cisco Code of Business Conduct for guidance.”

In another article by Jim Duffy on NetworkWorld regarding Cisco’s innovate ethics training program, Jeremy Wilson was quoted saying “We even had several employees volunteer to sing or perform in future Ethics Idol modules. For the first time in Cisco’s history, employees are excited for the next round of ethics training.”

We have discussed the importance of ethics and compliance training in our article “How to Maximize Your Compliance Training ROI“. The example at Cisco Systems ties in nicely with the article because it shows that training can be something employees look forward to. During training, you are asking employees for their attention and time away from their work tasks, make the most of the time and present the content in the form of something your employees can relate to. Cisco Systems has done a great job tapping into their employees in order to get a strong return on investment in their training programs.