You’ve heard it before- a strong ethics and compliance program begins with a top notch workplace ethics and compliance policy. But do any of these sources ever tell you exactly what makes an ethics and compliance policy “top notch”? Most of the time, the answer is no, which is why I have decided to dedicate this post to helping you better understand the elements of a top notch ethics and compliance program. It’s important to understand that each company’s ethics and compliance policy will be different, as policies are built around a company’s processes and is influenced by the industry in which it operates. However, there are common elements that must be included in every company’s ethics and compliance policy- it’s the “little extras” that are included that separate the top notch ethics and compliance policies from the not-so-stellar ones.

Begin With the Basics

A good way to determine what to include in a corporate ethics and compliance policy is to identify the ethical risks your company encounters and provide solutions and guidance for those situations. Think about ethically compromising situations employees at all levels may face, document them, and build your ethics and compliance policy around them.

Basic elements of an ethics and compliance policy include:

• Compliance with the law- Compliance with local and industry laws are the most basic forms of compliance. I believe that companies need to challenge themselves to go beyond complying with the minimum standards. Build upon existing laws to take your company’s ethics and compliance program to the next level.
• Definition of unethical behaviour- Address various forms of unethical behaviour- harassment, discrimination, theft, fraud, retaliation, etc. Define each of these terms, provide real life examples and consequences for violating the policy. Some companies choose to adopt a zero tolerance attitude towards these issues. If your company does, make it clear.
• Integrity statement- Every company should promote honest business. Many companies include their mission, vision and goals for employee conduct in this section of the ethics and compliance policy. According to the Canadian Centre for Ethics & Corporate Policy,

“A code of ethics usually proposes specific principles and rules of conduct. A key objective of a code is to provide guidance on expected behavior as well as rationale for that behaviour. A code also provides a way for a company to measure and monitor performance designed to achieve objectives and to instill values.”

• Anti-Bribery, gifts and entertainment- To avoid involvement in bribery, let employees know where your company stands on the issue of gifts and entertainment. Some companies allow gifts to be sent or received if the gift is under a given value. Isuggest eliminating as much grey area as possible from your company’s ethics and compliance policy. Make it clear- no gifts!
• Reporting unethical behaviour- Employees are likely to uncover unethical practices in the workplace before senior executives. To catch violators earlier, let employees know how to report misconduct. Include hotline phone numbers, Ombudsman information, website addresses and other information pertaining to filing a complaint. This information is usually found at the beginning or end of the policy, or sometimes even both. 
• Confidentiality- In some cases, ultimate confidentiality cannot be maintained due to the discovery of a criminal act or a court case. Make a statement that confidentiality will be upheld to the highest possible degree for those making complaints or involved in internal investigations.
• Accurate accounting- Corporate accounting is highly regulated, but often violated. Here’s a great example of an accounting integrity clause that Exxon Mobil has included in its corporate ethics policy:

“It is the Corporation’s policy that all transactions will be accurately reflected in its books and records. This, of course, means that falsification of books and records and the creation or maintenance of any off-the-record bank accounts are strictly prohibited. Employees are expected to record all transactions accurately in the Corporation’s books and records, and to be honest and forthcoming with the Corporation’s internal and independent auditors.”

Ethics and Compliance Policy Template

One of my co-workers passed along this ethics and compliance policy template to me. The template was developed by the Sans Technology Institute, and has been made available for use within organizations. The sections outlined in this template cover majority of the issues that should be outlined in an ethics and compliance policy, but I would recommend using this as guidance only. Tailor your ethics and compliance policy to your business and be specific. For example, don’t just state that consequences will be handed down to those who are found guilty of violating the policy, include the punishments in the policy.

Don’t forget, go public with your policy. Place the document on your company website to increase accountability and transparency.

This week, HP agreed to a $55 million settlement with the US Department of Justice, ending the month of August in the news- the same place the company found itself in at the start of the month. Some of our other posts this week focused on information to include in investigation reports and how your company’s CIO and CSO can be used as key players in ethics and compliance. Here’s a review of our posts from this week:

Monday:

• Blog Post- Top 10 Investigation Report Must Haves

“Is this what you look like when it comes to preparing investigation reports? Writing investigation reports doesn’t have to be daunting. A standardized reporting structure improves the consistency of reports amongst investigators. Standardized reporting provides investigators with a reporting format to follow and reduces the time spent preparing investigation reports. This information is all fine and dandy, however, a question we frequently receive is, what information do I actually need to put in an investigation report?”

Tuesday:

• Blog Post- 3 Ways Your Chief Information and Chief Security Officers Can Be Ethics Heroes

“A company’s ability to effectively use technology to monitor, share and manage information contributes to the success of its ethics and compliance program. Some laws and corporate policies contain compliance requirements that can only be executed by a company’s IT department. In my opinion, a company’s Chief Information Officer (CIO) and/or Chief Security Officer (CSO) is equally as important as the Chief Ethics and Compliance Officer (CECO) when it comes to maintaining workplace ethics and compliance. Since CIOs are responsible for implementing IT systems and controlling the flow of information into and out of a company, CIOs help protect their company from data breaches and other technical risks. As ethics and compliance grows as an IT concern, an increasing number of companies have reported looking for CIOs, CSOs and other IT staff that not only possess the required technical skills, but also have personal values and morals that are similar to those of the company.”

Wednesday:

• Blog Post- 3 Things HP Should Add to Their Ethics “To Do” List

“So long sweet summer. However, for the folks at HP, the past month has been anything but sweet. In early August, HP announced the resignation of Mark Hurd following an internal investigation into sexual harassment allegations made against the now former CEO. As August ends, HP is making headlines again- this time following an investigation into alleged kickbacks paid by the company. HP agreed to a $55 million settlement, as the company was accused of paying kickbacks to the US government in exchange for business contracts. Here’s a look at the past month at HP, as well as some lessons the company should consider applying when rebuilding its corporate ethics.”

Thursday:

• Blog Post- i-Sight Ethics and Compliance Software on Display at the ECOA Business Ethics and Compliance Conference

“September is shaping up to be a busy month for us at Customer Expressions, as we announce today that we will be exhibiting the i-Sight Compliance and Ethics Investigation Software at the 18th annual Business Ethics and Compliance Conference. The conference is hosted by the Ethics & Compliance Officer Association and this year it’s being held in Anaheim, California from September 21-24th. We attended this conference last year when it was held in Chicago and are glad to be returning again this year.”

September is shaping up to be a busy month for us at Customer Expressions, as we announce today that we will be exhibiting the i-Sight Compliance and Ethics Investigation Software at the 18th annual Business Ethics and Compliance Conference. The conference is hosted by the Ethics & Compliance Officer Association and this year it’s being held in Anaheim, California from September 21-24th. We attended this conference last year when it was held in Chicago and are glad to be returning again this year.

The Business Ethics & Compliance Conference is the world’s largest, multi-industry gathering of ethics and compliance officers. Distinguished keynote speakers, leading subject matter experts, and the most prominent ethics and compliance officers in the field will address critical issues facing ethics and compliance practitioners today. This year’s keynote speakers include Sharon Allen, Chairman of the Board at Deloitte LLP, Dr. SH Lee, Chairman and CEO at Samsung Tesco Homplus and Greg Andres, Deputy Assistant Attorney General, Fraud Section at the US Department of Justice.

Some of the key issues to be discussed at this year’s conference include:

• Conducting Effective Investigations
• Workplace Social Media Policies
• Role of the Compliance Officer
• Evaluating Ethics and Compliance Programs
• Conflict of Interest Issues
• Ethical Corporate Culture
• Risk Assessments and Gap Analyses

“With recent events and the economic downturn, the focus on ethics and compliance is stronger now than ever before. Many ethics and compliance departments are small in size when compared to the number of people within their organization. As legislation and policies demand tighter controls over ethics and compliance related issues, ethics and compliance departments require affordable, effective solutions that make their lives easier.” said Joe Gerard, Vice President at Customer Expressions.

Mr. Gerard also states:

“Each person we speak with indicates a desired need for a system configured around their company’s specific processes- and we respond. We build a unique version of i-Sight for each client, which allows them to use their language, as well as a system that reflects their corporate structure, review procedures and reporting hierarchy. This increases the rate of adoption, improving the efficiency and quality of investigations.”

The ECOA is a member-driven association exclusively serving individuals responsible for developing and maintaining compliance, and business conduct programs within their companies. Dedicated to building trust and organizational integrity worldwide, the ECOA is the most-respected group of ethics and compliance practitioners in the world. By gathering those new to the field along with seasoned professionals, the ECOA facilitates peer-to-peer learning and helps to foster a global commitment to business ethics and integrity. Over 1,200 ECOA members represent nearly 500 organizations worldwide in over 30 industries.

To view the preliminary schedule for the conference, visit the ECOA website to download the PDF.

A company’s ability to effectively use technology to monitor, share and manage information contributes to the success of its ethics and compliance program. Some laws and corporate policies contain compliance requirements that can only be executed by a company’s IT department. In my opinion, a company’s Chief Information Officer (CIO) and/or Chief Security Officer (CSO) is equally as important as the Chief Ethics and Compliance Officer (CECO) when it comes to maintaining workplace ethics and compliance. Since CIOs are responsible for implementing IT systems and controlling the flow of information into and out of a company, CIOs help protect their company from data breaches and other technical risks. As ethics and compliance grows as an IT concern, an increasing number of companies have reported looking for CIOs, CSOs and other IT staff that not only possess the required technical skills, but also have personal values and morals that are similar to those of the company.

Here are 3 different ways your company’s CIO and CSO can become ethics heroes:

1. Access Controls

In many companies, access controls are based on an employee’s role in the organization or the department they work in. This practice keeps information on a need to know basis, limiting the risks and opportunities for information to fall into the wrong hands. Access controls can be adjusted during times of need, for example, if an employee requires information for a special project they are working on, they can ask permission to be granted temporary access to the information. The ComputerWorld article “Ethics: IT Should Help the Company Steer Clear of Corporate Scandals,” by Mary K. Pratt, she discusses the importance of access controls at Texas Health Resources Inc.:

“Consider the challenge of handling patients’ medical records. Even though the federal Health Insurance Portability and Accountability Act mandates that agencies keep those records private, caregivers still need to access them- when appropriate. So the organization’s electronic health records system gives doctors and nurses who are caring directly for patients quick access when they use the right authentication, Alverson says. But additional authentication is required to get records for patients who aren’t under the provider’s immediate care. The system records who gets access to what, allowing officials to audit and review cases to ensure there’s no inappropriate access.”

2. Tone from the CSO

The primary responsibility of the CSO is to implement systems in the workplace that provide all employees with the ability to work together to maintain security. I came across a document published by Cisco Systems, titled “Security at Centre Stage,” discussing the important contributions CSOs make to the workplace. The document states that, similar to the “tone at the top,” CSOs must act as leaders to make sure the tone at the top is heard by the IT department. From there, the IT department can develop policies and systems related to security and ethics that will be communicated to the entire organization.

At Cisco Systems, they have introduced the Corporate Security Programs Organization (CSPO) into the workplace to:

• Provide training and awareness to employees- Informing employees of the various security risks at each level and training them to mitigate such risks.
• Constant interaction- The CSPO believes strongly in communication and constant reminders to help employees change their ways and adopt practices for maintaining security.
• Award and recognize- The CSPO has an annual awards ceremony, rewarding individuals who have gone above and beyond in ensuring security.

3. Build Compliance Rules into Company Systems

Building compliance rules, company policies and industry regulations into business systems holds employees and companies accountable for their actions. This is similar to what we do when building i-Sight for each of our unique clients, as companies today must proactively investigate allegations of fraud, theft or abuse to prevent significant financial liability and risk to the organization. As legislation surrounding ethics and compliance continues to increase, the IT department must take advantage of technology and develop systems that are capable of monitoring and tracking these issues. The Cisco Systems document addresses the practice of building laws and regulations into corporate information systems:

“Then, security and privacy legislation gained momentum. What once were merely mandates for government agencies quickly became strict guidelines for the public sector—the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley (GLB), to name but a few. So the CSO took on more of an oversight role. ‘Any organization with state or federal regulations around protection schemes absolutely must have a security officer,’ says Felix Santos, CISO for Performant Financial, based in Livermore, Calif. Unfortunately, the CSO often became a mere compliance tactician or, worse, was served up as a ’sacrificial lamb’ in the event of a security breach.” 

This week we focused on the tactics Xerox used to rebuild its corporate impage after the 2002 accounting scandal charges. Other topics discussed this week include investigating sexual harassment allegations in the workplace and measures companies can use to protect the personal information of employees and clients. Here’s a review of our posts from this week:

Monday:

• Blog Post- Xerox’s Accounting Scandal Recovery Tactics

“The turn of the century was marked with a number of accounting and ethics scandals that would significantly alter the importance of corporate ethics and compliance. The Securities and Exchange Commission (SEC) began investigating the accounting practices at Xerox in 2000, which eventually led to Xerox agreeing to pay a $10 million settlement. During Xerox’s post-scandal transformation, Sarbanes-Oxley came into effect to improve financial and accounting compliance. Today, Xerox has turned their practices around and secured a spot on numerous ethical company lists. This post discusses the tactics deployed at Xerox to regain consumer confidence and instill ethics and compliance back into the company.”

Tuesday:

• Blog Post- The SCCE’s Annual Compliance & Ethics Institute in Chicago

“We, Customer Expressions, will be sending a team down to Chicago to attend the  Annual Compliance & Ethics Institute, hosted by the Society of Corporate Compliance and Ethics. The conference runs from September 12-15 and features presentations from chief compliance and ethics officers, CEOs, certified compliance and ethics professionals, lawyers, compliance analysts and many other professionals in the field of ethics, compliance and risk management. While we are away, we will be blogging from the event and interviewing industry professionals.”

Wednesday:

• Blog Post- Investigating Workplace Sexual Harassment Allegations

“Sexual harassment occurs all too frequently in the workplace. Many recent sexual harassment allegations that have been made have been directed at top level executives. As investigators, you understand the value of maintaining compliance, confidentiality and promptness when investigating incidents of sexual harassment. Regardless of the employee’s level in the organization, each investigation must be handled with objectivity, follow company policies and reprimand those found guilty of policy violations. Previously, we blogged about a number of sexual harassment related topics, including developing anti-sexual harassment policies, tips for preventing and detecting sexual harassment, as well as the different forms of sexual harassment against males and females in the workplace. This post will focus on addressing sexual harassment complaints and investigations into sexual harassment allegations, to ensure company policies are enforced and violators face appropriate consequences.”

Thursday:

• Blog Post- Gaining Control Over Personal Information Privacy

“The issue of personal information protection is a hot topic. Companies such as Google and Facebook have been questioned in regards to their privacy policies, as the personal information gathered from users has been leaked to the public on multiple occasions. Most recently, the University Health Network made headlines when patient information was leaked due to the theft of an unprotected USB key- we discussed the topic in the post “Maintaining Information Security and Privacy.” Sharing information has been made easier due to the Internet and electronic files, which raise concerns when it comes to regaining control over personal information protection. As technology advances, the risks surrounding information privacy continue to increase. Will your organization be ready to respond to tighter information controls?”

We, Customer Expressions, will be sending a team down to Chicago to attend the  Annual Compliance & Ethics Institute, hosted by the Society of Corporate Compliance and Ethics. The conference runs from September 12-15 and features presentations from chief compliance and ethics officers, CEOs, certified compliance and ethics professionals, lawyers, compliance analysts and many other professionals in the field of ethics, compliance and risk management. While we are away, we will be blogging from the event and interviewing industry professionals.

Some of the topics being addressed at the conference this year include:

• Ethics Policy and Program Development
• International Compliance Issues
• Benchmarking and Best Practices in Ethics and Compliance
• Compliance Training
• Internal Investigations
• Maintaining FCPA Compliance
• Trends and the Future of Ethics and Compliance

This year’s conference is a very unique one for us at Customer Expressions, as our company president, Ray Gerard will be presenting a breakout session with Lyn Scrine, Ethics Director at Allstate. The two of them will be discussing investigation systems and how to implement them into the workplace. Joe Gerard, Vice President at Customer Expressions, stated:

“Over the past two years, we’ve completed global implementations of i-Sight for managing employee relations, ethics , privacy , compliance and security investigations. Ray Gerard, President at CEC, will be presenting at the conference this year alongside Lyn Scrine, Ethics Director at Allstate- which is an extremely exciting opportunity for us. This year, we look forward to engaging with industry professionals to learn more about their needs during challenging economic times, to continue to meet the growing demands of ethics and compliance professionals.”

SCCE’s Annual Compliance & Ethics Institute is the primary education and networking event for professionals working in the compliance and ethics profession across all industries around the world. Sessions at the 2009 conference will offer the latest compliance information on hot topics and current events. Sessions have been carefully selected and will be presented by leading experts who will explore real-world compliance issues, practical applications, emerging trends and state of the art techniques.

Pre-Conference Sessions will be presented on Sunday, September 12, 2010. The day will be divided into two longer sessions: morning sessions and afternoon sessions. The longer timeframe allows for in-depth discussion and interaction to cover the topics in more detail. Post-Conference Workshops will be completed on Wednesday, September 15, 2010. The sessions are four hour interactive work-shops designed to cover some of the most important and timely topics in ethics and compliance.

This year the SCCE has added an additional track for those wishing to focus on risk management. The risk management track will focus on topics including conflict of interest, internal investigations, data privacy, risk management and mergers and acquisitions.

To view a complete day-to-day overview of events, presentations and speakers at the Annual Compliance & Ethics Institute, view the news release we have posted on our website.

The turn of the century was marked with a number of accounting and ethics scandals that would significantly alter the importance of corporate ethics and compliance. The Securities and Exchange Commission (SEC) began investigating the accounting practices at Xerox in 2000, which eventually led to Xerox agreeing to pay a $10 million settlement. During Xerox’s post-scandal transformation, Sarbanes-Oxley came into effect to improve financial and accounting compliance. Today, Xerox has turned their practices around and secured a spot on numerous ethical company lists. This post discusses the tactics deployed at Xerox to regain consumer confidence and instill ethics and compliance back into the company.

Accounting Scandal

In 2002, the SEC filed civil fraud charges against Xerox. The charges were filed after a two year investigation into the company’s accounting practices. The SEC charges came at a time when major fraud scandals- WorldCom and Enron, broke out. In the CFO Magazine article “Xerox: New Lease on Life,” Craig Schneider wrote:

“The commission alleged that Xerox management accelerated the revenue recognition of leasing equipment over a four-year period by more than $3 billion, and inflated pre-tax earnings by $1.5 billion, to meet or exceed Wall Street expectations and hide its true operating performance.”

The accounting techniques used by Xerox violated the generally accepted accounting principles (GAAP). Revenues were inaccurately assigned to time periods in which they were not yet received. This resulted in inflated revenues, and also provided investors with inaccuate information pertaining to the company’s income/ assets. It was reported that management was aware of and even approved these accounting methods. According to the initial complaint filed by the SEC:

“The allegations in the complaint center around seven different accounting actions used, in Xerox parlance, to “close the gap” between the company’s operating results and the market’s expectations from 1997 through 2000. Many of these actions had the purpose and effect of accelerating Xerox’s recognition of revenue at the expense of future periods. According to the complaint, Xerox fraudulently disguised these actions so that investors remained unaware that the company was meeting earnings expectations only by using accounting maneuvers that could compromise future results.”

Another interesting point to consider is the fact that, unlike Siemens, it was reported that Xerox didn’t fully cooperate with SEC investigators. The lack of cooperation lead to the stiff penalty handed down by the SEC, as the $10 million fine was the largest fine administered by the SEC in a financial fraud case at that point in time.

Xerox’s Response

Practices at Xerox are much different today, as the company- like many others that find themselves facing compromising charges, has learned their lesson. The CFO Magazine article “Xerox: New Lease on Life,” stated that prior to settling with the SEC, Xerox had already ousted executives that had participated in the accounting fraud schemes. Following the $10 million settlement with the SEC and the restatement of company financials from the 1997-2000 time period, Xerox began their transformation, lead by CEO Anne Mulcahy.

According to the CCN Money article “Xerox Turns a New Page: Less than three years ago, the iconic company seemed doomed. Here’s how CEO Anne Mulcahy is bringing it back,” Mulcahy’s first step was to replace the company’s accounting team and begin cutting costs to reduce the company’s large debts. The article also takes note of Mulcahy’s optimism in her role as CEO- believing in the company and its ability to achieve greatness. When a company’s leader exhibits infectious optimism, it rubs off on employees. Mulcahy managed to successfully change the tone at the top at Xerox, which contributed to her ability to rebuild Xerox into the company it is today.

In rebuilding Xerox, Mulcahy focused on three areas that can be applied to executives in all organizations. The case study “From Goliath to Lazarus: Xerox is Revived by the Power of Customer-led Innovation,” discusses how Mulcahy responded to feedback from both employees and customers to make positive changes, she walked the talk and was able to prove to employees the need for change within the company. The case study also documented Mulcahy’s efforts to open up the lines of communication within the company by traveling to speak with people who would provide her with constructive criticism to bring the company back to success.

Of course, turning the company around and working towards gaining a profit wasn’t easy. Employees were laid off and various corporate functions were outsourced to save money. One of the processes selected for outsourcing was the company’s internal audit. If a company can manage to do so, it’s wise to outsource the internal audit function. Although there has been much debate over the decision to outsource the internal audit function, the objectivity and opinion of an outsider can provide greater benefits for the company, as an external auditor doesn’t have any direct relationship to the company. According to the article “Internal Audit Outsourcing Services,”:

“The benefits of internal audit outsourcing include:

• Quick start-up of the function and execution of work, including already-developed methodologies and audit tools provided by the outsourcing organization.
• A variable-cost arrangement rather than a fixed-cost function.
• Access to a greater number and wider range of resources.
• Potentially greater objectivity and independence.”

Companies must learn from the mistakes other organizations have made in the past in order to avoid making similar ones in the future. Leaders must understand how to identify ways the issue could have been detected and addressed sooner. The ethical lapse at Xerox forced company executives to reevaluate the way accounting matters would be handled within the company, while new members were brought in to ensure that known inaccuracies were reported and corrected.

This week we continued to look at the lessons learned from the HP CEO ousting, as well as the dramatic exit of JetBlue employee Steven Slater. Focusing on key topics such as tips for detecting harassment and discrimination in the workplace and employee theft investigations, here’s a review of our posts from this week:

Monday:

• Blog Post- Civacon Reduces Complaints and Reporting Time With i-Sight Quality and Correction Action Software

“Many of us rarely think about where products come from or how they arrived at their destination safely. Much of what we use and consume on a daily basis goes through many steps and precautions along the way through a company’s supply chain.  Civacon is the world’s leading provider of cargo tank components and systems designed for safe, profitable handling and transportation of hazardous bulk products. Civacon’s vents, valves and other equipment help safeguard against petroleum, liquid and chemical spills and get dry bulk commodities to their destinations. In order to effectively manage complaints and quality issues, Civacon implemented the i-Sight Quality and Correction Action Software.”

Tuesday:

• Blog Post- The Warning Signs of Workplace Harassment and Discrimination

“For some, the work environment can be an unwelcome place. Employees who fall victim to workplace discrimination or harassment react differently- some confront the issue by discussing it with their manager, while others, in the case of last weeks feed up JetBlue employee, grab a beer, release the emergency exit and slide on out in a dramatic exit. Employees don’t always feel comfortable bringing harassment and discrimination incidents forward, as fear of retaliation and being singled out by fellow employees adds additional stress to the employee. In some workplaces, the culture and tone from management may also hinder an employee’s willingness to come forward. In many jurisdictions, employers are legally responsible for providing employees with a safe, harassment and discrimination free workplace. Employers need to know how to monitor and recognize signs of harassment and discrimination in the workplace. Recognizing the signs and symptoms of distressed employees helps to identify workplace issues and draws attention back to sections of the company code of conduct that may need to be reinforced or require additional training.”

Wednesday:

• Blog Post- Conducting Effective Employee Theft Investigations

“According to a report from the Association of Certified Fraud Examiners, occupational fraud and abuse costs businesses in the United States upwards of $400 billion a year. Today’s business leaders must focus on protecting their brands through prevention and proactive measures to rid their workplace of fraud, theft, violence and other unethical acts. However, managers still need to be prepared to react to these types of events and conduct investigations into reported allegations, as accidents do happen. One of the main concerns facing businesses during times of economic recession is employee theft. As businesses do their best to cut unnecessary costs, they must also monitor for theft, as the costs associated with theft place significant burdens on the organization. We have covered tips for preventing and detecting employee theft in our posts “Workplace Theft & Fraud Prevention Tips Part 1,” and “Workplace Theft & Fraud Prevention Tips Part 2,” therefore, this post will focus on the proper handling of workplace theft allegations and conducting employee theft investigations.”

Thursday:

• Blog Post- Learning From Ethical Lapses

“There have been countless articles written since August 6^th, when HP ousted their now former CEO, Mark Hurd. In particular, this article from the Wall Street Journal focuses on the importance of proper expense reporting and how the HP example has already served as a lesson in numerous workplaces. The article features comments from ERC President, Patricia Harned, in which she states:

“Companies will often use very public cases as a teachable moment to remind employees why certain policies are so important.”

The article discusses the increased harshness faced by executives who make poor, unethical decisions, as they are supposed to be leaders and set an example for their employees. The article also features a great discussion about the importance of administrative staff in detecting inaccurate or unjust expenses.

According to a report from the Association of Certified Fraud Examiners, occupational fraud and abuse costs businesses in the United States upwards of $400 billion a year. Today’s business leaders must focus on protecting their brands through prevention and proactive measures to rid their workplace of fraud, theft, violence and other unethical acts. However, managers still need to be prepared to react to these types of events and conduct investigations into reported allegations, as accidents do happen. One of the main concerns facing businesses during times of economic recession is employee theft. As businesses do their best to cut unnecessary costs, they must also monitor for theft, as the costs associated with theft place significant burdens on the organization. We have covered tips for preventing and detecting employee theft in our posts “Workplace Theft & Fraud Prevention Tips Part 1,” and “Workplace Theft & Fraud Prevention Tips Part 2,” therefore, this post will focus on the proper handling of workplace theft allegations and conducting employee theft investigations.

Handling Theft Allegations

Whether it’s allegations of employee theft involving physical property, intellectual property, money, supplies or other workplace materials, all allegations must be treated with the same level of importance. When allegations are initially received, investigative or HR managers- whomever allegations and complaints are received by, must designate an appropriate investigator to the case. There are a number of ways to determine an appropriate investigator. Some organizations choose to filter allegations by location, organization department or type of allegation. Investigation software solutions, including i-Sight, make it easier to control case assignment through built in process rules. Incoming allegations can be held in a pending queue to be assigned manually by the investigative manager, or, new cases can by routed to the designated investigator based on the various filters mentioned above. 

When theft allegations arise, the FindLaw article “Handling Employee Theft Claims,” recommends:

“When a theft is detected, you must move quickly to investigate and discipline the employee. If an employee is caught by direct observation, the “investigation” should be straightforward. However, more often than not, an employee theft is suspected based upon indirect or circumstantial evidence, such as another employee report or in the results of an audit. In such cases, an investigation is necessary. However, do not unnecessarily delay the investigation, since criminal and civil statutes of limitation will begin upon discovery of the loss.”

Software for Managing Employee Theft Investigations

Take Action: Once it has been determined that the theft allegations provide grounds for further investigation, it’s important to determine what to do with the subject (accused employee) while the investigation commences. The action taken will vary based on the nature and scale of the employee theft reported. In the FindLaw article “Handling Employee Theft Claims,” they suggest that sometimes it’s best to leave the employee in their position and monitor their actions to confirm the fraud, whereas sometimes it’s best to immediately suspend the employee until a decision has been made.

Maintain Confidentiality: As with every workplace investigation, ensure confidentiality is upheld to the highest degree possible.  i-Sight provides investigators with the ability to control who has access to entire case files, as information pertaining to internal issues may even require confidentiality amongst members of the investigation unit. Since theft is a criminal offense, information will likely need to be shared third parties. Access can be granted to members of third parties, granting them access to an entire case or specific parts within the case file. Once they have the information the need, access can be restricted once again to maintain privacy.

Confidentiality must also be addressed during investigation interviews, as some individuals being interviewed may be hesitant to divulge information for fear of retaliation. Remind interviewees that retaliation isn’t permitted and if they feel anyone is acting in a retaliatory manner towards them, to report it. Communicating the company’s commitment to investigation confidentiality will allow for stronger information to be collected, greatly improving the quality of the investigation.

Stay on Track: Employee theft investigations not only require immediate attention but must also be conducted in a timely manner. A company that has already lost money due to theft cannot afford to lose additional money by being slapped with a lawsuit for negligence. i-Sight keeps investigators on task by using a system of approvals and alerts that make it easier for investigative managers to keep an eye on the progress of their investigators. Alerts are used to inform investigators of newly assigned cases, task assignment, inactivity or overdue tasks and approval requests (confirming ownership of cases and tasks). By selecting due dates when assigning cases and tasks, alerts keep investigators on top of their investigations and ensure that no step is overlooked.

Repeat Offenders: It’s important to be aware of an employee’s involvement in previous theft incidents. It has been reported that many employees commit an act of theft more than one time within their organization. Identifying repeat offenders helps determine a suitable punishment to be administered when the investigation has concluded. i-Sight makes it possible to identify repeat offenders through case linking and search functionalities.

Track Restitution Payments: One of the best features of i-Sight Investigation Software, for theft investigations, is the ability to track restitution payments and case-related expenses. This information is stored directly in the case file and alerts can be sent if restitution payments are not made on time. This helps companies gain back monetary losses they have incurred, while holding the subject accountable for making timely payments.

It seems to be that each week is busier than the last. Here are some of the things we blogged about this week- as well as some other pieces that caught our attention regarding internal investigation, human resources and ethics:

Monday:

• Blog Post- Maintaining Information Security and Privacy

“Early last week, a USB key containing hundreds of Ontario patient health information files was stolen. According to the CBC, the USB wasn’t encrypted and was stolen from the purse of a University Hospital Network (UHN) employee. The theft of these files has resulted in a call for efforts to increase the security of sensitive information. This is the second instance in under a year where private patient information was compromised in Ontario due to theft. The lesson learned from this story can be applied to any business that maintains client or customer personal information records: make sure sensitive information is encrypted. Controlling access to information can further prevent information security breaches, as the number of people viewing sensitive information is decreased. Regular evaluation of training programs and internal procedures related to information security must be undertaken to ensure each employee is completing the necessary steps to safeguard information. ”

Tuesday:

• Blog Post- HP CEO Violates Company Code of Conduct

“On Friday, HP CEO Mark Hurd was asked by the company’s board of directors to submit his resignation. As reported in the TechCrunch Article “HP CEO Mark Hurd Resigns, This Looks Messy,” the outcome of an investigation into sexual harassment allegations against Hurd “concluded that there was no sexual harassment violation, however it did find that Hurd violated HP’s ‘Standards of Business Conduct.‘” When news broke about his departure, Hurd claimed he himself hadn’t lived up to his own standards regarding integrity and respect. Therefore, if he wasn’t able to live up to these standards himself, what message does that send to the rest of the employees at HP?”

Wednesday:

• Blog Post- Whistleblowers Granted Additional Protections Under Dodd-Frank Act

“Employers must be prepared to follow new legislation that has been enacted to increase protections for whistleblowers. The recent passing of the Dodd-Frank Act continues to follow the trend towards putting an end to whistleblower retaliation- as well as rewarding whistleblowers for bringing forward evidence of unethical or criminal acts taking place within an organization. Whistleblowers can become victims of retaliation whether it comes from managers or fellow employees.”

Thursday:

• Blog Post- Ethics Resource Centre Releases Information on the Cost of Workplace Retaliation

“As part of the National Business Ethics Survey conducted by the Ethics Resource Centre (ERC), the ERC releases supplemental research briefs that focus on a number of topics from the survey in a more detailed manner. The most recent release featured information pertaining to the cost of retaliation on both the company and its employees. As mentioned in yesterday’s post about the Dodd-Frank Act and its whistleblower protections, retaliation is a growing concern in the workplace. In many organizations, employees are an employer’s eyes and ears when it comes to catching workplace misconduct. To establish a workplace that is safe and enjoyable for all, employers must work to create an environment that encourages the reporting of misconduct. The ERC survey concluded that companies with a zero tolerance policy for retaliation experienced very few instances of retaliation, which demonstrates that efforts to prevent retaliation do have an impact.”