As part of the National Business Ethics Survey conducted by the Ethics Resource Centre (ERC), the ERC releases supplemental research briefs that focus on a number of topics from the survey in a more detailed manner. The most recent release featured information pertaining to the cost of retaliation on both the company and its employees. As mentioned in yesterday’s post about the Dodd-Frank Act and its whistleblower protections, retaliation is a growing concern in the workplace. In many organizations, employees are an employer’s eyes and ears when it comes to catching workplace misconduct. To establish a workplace that is safe and enjoyable for all, employers must work to create an environment that encourages the reporting of misconduct. The ERC survey concluded that companies with a zero tolerance policy for retaliation experienced very few instances of retaliation, which demonstrates that efforts to prevent retaliation do have an impact.

The ERC research brief “Retaliation: The Cost to Your Company and Its Employees,” is a free report, which can be accessed by clicking on the link provided.

ERC Retaliation Brief

The costs of retaliation stretch beyond monetary amounts, as retaliation leaves a dark mark on a company’s reputation. In the press release from the ERC, “Fear of Backlash for Reporting Misconduct is a Sure Sign of an Ethically Challenged Workplace,” they report on some of the findings outlined in the retaliation research supplement.

“Employees who report misconduct in a company with zero tolerance for retaliation experience it at a strikingly lower rate than workers at companies with weak ethical environments (4% versus 25%), the study found. Victims of retaliation trust the company’s leaders less, feel less optimistic about the company’s financial future, tend to think the head of the company is overpaid and look to quit the company sooner. Likewise, where workers feel pressured to compromise company standards, policy or the law, those who report misconduct are much more likely to experience retaliation (59%) than those who report but do not feel pressure (6%).”

These findings send employers the message that there’s a correlation between an ethical corporate culture and the rate of retaliation an organization experiences. In order to reduce misconduct, as well as retaliation, employers need to be open and appreciate that employees are looking out for the best interest of the company. There have been reports published supporting the fact that employees who decide to blow the whistle, do so because they feel it’s the right thing to do.

Preventing Workplace Retaliation

As important as it is to properly handle allegations of retaliation, employers must enact internal controls that help prevent retaliation from occurring altogether. Here are some tactics employers can use to prevent retaliation from occurring:

• Develop a Strong Corporate Culture: As made evident by the conclusions from the ERC supplement, an ethical corporate culture greatly impacts employee willingness to report observed misconduct. To develop a strong culture that works to prevent retaliation, provide training for employees and communicate with them regularly to make them feel comfortable when it comes to raising issues or concerns about events in the workplace.
• Policies: An anti-retaliation policy must be built into a company’s code of conduct. Include the company’s zero tolerance stance towards retaliation in the policy.  The anti-retaliation policy must also outline the protections in place that cover employees who report misconduct. Referring to the anti-retaliation policy is important during workplace investigation interviews, as investigators are likely to get stronger responses from an interviewee who feels less pressure and has a reduced fear of retaliation.
• Training: Employees at all levels need to understand what is and isn’t considered an act of retaliation. Tailor training to the various roles and reporting structures within an organization. Employees at different levels encounter different challenges in regards to the potential for retaliation to occur. For example, train managers to maintain confidentiality effectively handle reported misconduct allegations. Train employees to understand their rights in reporting misconduct, the confidentiality of their report and how to look for and report retaliation, should they feel they have been retaliated against.
• Monitor: KPMG has established an excellent system for monitoring employees who have reported workplace misconduct. We covered the KPMG program in detail in our post “Vicki Sweeney of KPMG Presents Best Practices in Preventing and Monitoring Workplace Retaliation.” At KPMG, they monitor past cases to identify issues of retaliation. The retaliation monitoring program at KPMG tracks those who raise issues by evaluating and analyzing data related to the investigation and the nature of the complainant’s job in order to determine the likelihood of retaliation. A typical monitoring period at KPMG is one year, and can continue for two or more years if necessary.

Early last week, a USB key containing hundreds of Ontario patient health information files was stolen. According to the CBC, the USB wasn’t encrypted and was stolen from the purse of a University Hospital Network (UHN) employee. The theft of these files has resulted in a call for efforts to increase the security of sensitive information. This is the second instance in under a year where private patient information was compromised in Ontario due to theft. The lesson learned from this story can be applied to any business that maintains client or customer personal information records: make sure sensitive information is encrypted. Controlling access to information can further prevent information security breaches, as the number of people viewing sensitive information is decreased. Regular evaluation of training programs and internal procedures related to information security must be undertaken to ensure each employee is completing the necessary steps to safeguard information.  

Preventing Information Security Breaches

Preventing information security breaches needs to become a main priority for any company when handling both customer and company information. In regards to the above-mentioned incident, a CBC article “Hundreds of Ont. Patient Health Files Stolen,” quotes Ontario’s Information and Privacy Commissioner, Ann Cavoukian, stating:

“The ease with which we transfer information now and we engage in online activities, somehow it’s factoring into this and not making people go through the steps they need to.”

The ease of accessing and sharing information has significantly increased due to the use of e-mail, Internet, intranets, mobile devices and other portable technologies. These developments make communication easier and faster, but can also compromise data security. Here’s a list of steps companies can take to ensure sensitive information remains protected and prevent future information breaches from occurring:

1. Encryption

Data encryption is one of the easiest ways to ensure sensitive information is kept private.  Data encryption helps keep information secure, prevents companies from losses incurred from security breaches and noncompliance fines. To secure information, there are a number of different data encryption software solutions on the market, as well, it might be wise to invest in encrypted USB keys to avoid situations such at the UHN incident above. There are various levels of encryption strength, therefore, choose the level of encryption appropriate for the type of information on the server. Develop a policy for password strength. Longer passwords that contain a variety of numerical, symbol, upper and lowercase letter characters are more difficult to crack.

2. Access Controls

Restrict access to information based on an individual’s role within a company. This helps reduce the spread of information and the risk of information landing in the wrong hands. If certain projects require access to information for a specific period of time, provide employees with access to the information but restrict immediately after the project is completed.

3. Evaluate Training and Procedures

 As with every other program or workplace procedure, train and reinforce data security protocols within the workplace. Effective training includes information on the risks and effects of information security breaches, the importance of following internal procedures to protect the privacy of information, as well as the various ways information security can be compromised. Training programs and procedures must be evaluated and updated on a regular basis to reflect new information related to security threats and laws. As mentioned at the beginning of this post, it’s important to ensure that each employee follows the established procedures and completes all of the steps necessary to ensure private information remains secure. Tailor training programs to different roles within the organization in order to address the different information security challenges throughout the entire organization. Every employee is responsible for ensuring information is kept secure, however, depending on the individual’s role in the company, they may be responsible for a greater number of information security related tasks.

Should an information breach occur, contact the Privacy Commissioner or similar regulatory body depending on the country of operation. In the case of last week’s privacy breach, the  UHN failed to report the incident to the commissioner based on the low numbers of compromised files. In the CBC article “Hundreds of Ont. Patient Health Files Stolen,” UHN president and CEO Dr. Bob Bell stated:

“‘There was a decision made that this wasn’t a significant enough breach to warrant informing the commissioner, and I’ve apologized to the commissioner for that,’ he said. He added that it is the UHN’s policy that medical information on any mobile device needs to be encrypted. ‘The employee had not realized that there was personal health information on that USB key,’ said Bell. The network is looking to make some changes to prevent future breaches, including the automatic encryption of any device that gets used by the network, he said.”

Workplace violence and harassment continue to negatively impact the workplace. Newly introduced legislation, such as Ontario’s Bill 168, defines measures employers can take to protect employees from threatening work situations. When preparing policies and procedures to comply with such laws, it’s important to consult with employees. Employees are an employer’s number one resource for identifying workplace risks, as they are the ones performing their jobs on a consistent basis. It’s important for employers to remember that the time spent creating policies and training employees is an investment in a safe workplace.

Protecting a company’s employees needs to become a top priority.

Workplace Violence and Harassment

According to research done at the Queen’s School of Business in Kingston, Ontario, a single instance of workplace harassment can potentially be:

“Just as harmful to an employee as being exposed to one or even two additional types of harassment. General workplace harassment – the causes of which are more difficult to pinpoint – can actually be harder for victims to tolerate than racial or gender harassment, which are typically rooted in bias. The study also reveals that Caucasians report higher levels of general workplace harassment than minorities, and, surprisingly, women are not more likely than men to experience either gender harassment or general workplace harassment.”

For more information on the study, refer to the article “Workplace Harassment: Once, Twice or Three Times as Harmful?”

Ontario’s Bill 168

The Law Times Article “Few Ready for Bill 168,” discusses one of the reasons for passing the Bill:

“The Ontario government introduced the legislation in part in response to the murder of nurse Lori Dupont in 2005. Dupont’s former boyfriend, Dr. Marc Daniel, stabbed her to death at the Hôtel-Dieu Grace Hospital in Windsor, Ont. The facility was aware of repeated and escalating harassment by Daniel, an anesthesiologist, but failed to discipline him. The pair were scheduled to work together on the day he killed her.”

Bill 168 is now in effect for all businesses in Ontario. This Bill is in use to help prevent workplace harassment and strengthen controls surrounding workplace violence. The Ontario Ministry of Labour has established a resource entitled “Workplace Violence and Harassment: Understanding the Law,” to help employers understand the definitions of workplace harassment and violence, as well as clarifying employer responsibilities surrounding policies and programs.

An article from CBC News reports that, as of today, all organizations in Ontario are responsible for:

• Carrying out a risk assessment to identify potential sources of workplace violence and harassment.
• Developing policies to address workplace violence and harassment.
• Training employees about the new policies. Being ready to investigate and deal with incidents or threats of workplace violence or harassment.
• Disclosing an employee’s history of violence to his or her co-workers.
• Preparing to protect employees from domestic violence in the workplace.
• Allowing employees to refuse work if they feel harassed or endangered by a co-worker. 

Here is a video released by the Ontario Ministry of Labour discussing Bill 168:

Is Your Business Ready for New Harassment and Violence Legislation?- CBC News

For Ontario employees, they only have a few days left before Bill 168 comes into effect on June 15th. Bill 168 requires compliance from all employers, regardless of business size. The Bill provides employees with protection against violence and harassment in the workplace. The article states, “the Occupational Health and Safety Act indicates corporations found to be noncompliant with the Bill will face penalties, including significant fines.”

On May 18th, I attended a webinar, “The Role of HR in FCPA Compliance,” hosted by Tom Fox, a lawyer based out of Houston, Texas. A specific section of the webinar that really stuck with me was a titled “Doing More With Less.” This has been a major topic of discussion recently, as organizations deal with the effects of the recession and the growing demands of ethics and compliance. Organizations are carefully considering where to spend their dollars. Ethics and compliance departments tend to have their budgets cut first, as some employers have a difficult time determining the return on investment of their ethics and compliance initiatives.

In the Ethisphere article “Take it from the Top: When Deloitte Execs Made Ethics a Priority, it Filtered on Down,”  Deloitte CEO Barry Salzberg, said:

“Fortune 1000 companies are on average spending 18%  less on their ethics and compliance budgets during the current recession. But it’s during times like these that it’s most important to invest in your employees so that they can make better, ethical decisions.”

Consider the costs associated with lawsuits, fines, a tarnished reputation, public backlash and the collapse of a company due to ethical violations. The money invested in preventing ethics and compliance investigations is well worth it. In today’s legal environment, organizations have been hit with some of the largest fines ever handed out for cases involving noncompliance, ethics violations and negligence. It’s much better to work towards preventing these issues from occurring than it is to have to respond to allegations exposing an organization’s wrongdoings.

Human Resources

In the webinar, Tom Fox discussed the use of HR departments in conducting FCPA investigations. The case he made was that organization’s HR departments already handle employee training and background checks. Members of the HR department are frequently in direct contact with employees and can be used as a cost effective solution for carrying out investigations. In a blog post Fox wrote leading up to the webinar, “The Role of Human Resources in FCPA Compliance-Part I,” he mentioned:

“A key role for HR in any company is training. This has traditionally been in areas such as discrimination, harassment and safety, to name just a few. There’s a training requirement set forth in the US Sentencing Guidelines. Companies are mandated to ‘take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.’ “

For the same reasons as mentioned above, many organizations already use their HR department for investigations. Fox also discussed how employee training enforces FCPA compliance. In one of our previous posts, “How to Maximize Your Compliance Training ROI,” we discuss the importance of setting the tone at the top, message consistency for communicating rules and regulations, including real-life examples and outcomes of previous workplace situations, using multiple training methods and frequency and timing of training.

Effective training leads to a better understanding and desire to commit to compliance. When employees comply with laws and corporate policies, the risk for violations is reduced. When employees act ethically and make decisions based on company policies, a return on investment is identified, as employees have retained the information and reduced the risk of allegations being made against the company.

Investigation Systems

The US Sentencing Commission has outlined mandatory guidelines for creating an effective ethics and compliance program. Under Chapter 8, section 2.1, the USSC states:

“The organization shall take reasonable steps to: (A) Ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct. (B) Evaluate periodically the effectiveness of the organization’s compliance and ethics program. (C) Have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”

With i-Sight Investigation Software, we offer an easy to use, cost effective case management solution for HR teams. i-Sight is frequently integrated with existing HR databases and systems that store customer or employee information.  Integration ensures users won’t have to re-enter information that already exists in another application, as the information is extracted from existing systems and pulled into i-Sight cases. This feature helps reduce redundant actions and helps investigators save time. i-Sight is web-based, storing cases in a centralized locations, accessible anywhere there’s an Internet connection. i-Sight is custom configured to each organization’s unique policies and procedures to ensure consistency throughout the investigative process.

In the post “The Role of Human Resources in FCPA Compliance-Part I,” and in the webinar, Fox discussed the benefits HR brings to internal investigations:

“Regarding investigations, HR can bring broad benefits to any FCPA compliance and ethics program through an efficient investigation process. It’s recognized that a Legal or Compliance Department may wish to take over and complete an investigation process. However, HR can bring a consistency in both the process and any discipline which is imposed. Such consistency reinforces the senior management’s message of commitment by the company to FCPA compliance and ethics. Such a function by HR can lead to an understanding of emerging risks. Lastly, it may be that employees are more willing to speak up to HR and the building of trust can be utilized to assist in overall risk mitigation. ”

To read an overview of the other topics discussed in the webinar, I recommend looking at these two articles written by Tom Fox on his FCPA Compliance and Ethics Blog:

The Role of Human Resources in FCPA Compliance-Part I

The Role of Human Resources in FCPA Compliance-Part II

Diversity allows companies to better understand the needs of its consumers, helping modify and create products to suit a variety of tastes. To properly manage diversity, companies need to focus on creating inclusive cultures. Building an inclusive culture takes time. Once achieved, inclusive cultures help companies handle future conflict and respond to changes in the work environment.

Defining Inclusion

The blog post “Defining Diversity and Inclusion,” defines inclusion as:

“Allowing companies to quiet cultural discord. Inclusion is a set of policies, procedures, programs, set of norms, and actions that create an environment where the people who make up this diversity are able to use their difference to a company’s benefit, not to its detriment.”

Inclusion is a component of a company’s culture. This allows companies to attract a wider range of qualified employees, as today’s job seekers increasingly base employment decisions on a company’s culture and reputation. The article “The Ethics of Inclusion: Three Common Delusions,” sheds light on the real challenge of inclusion, stating it’s to find common cause for important work. This can’t be done effectively if employees isolate themselves from each another based on differences such as race, culture, nationality, gender, ability, and personality. Inclusion doesn’t mean an employee has to like everyone they work with, but they must still respect the opinions of fellow employees.

Steps Toward Inclusion

Developing an inclusive culture requires effort from every member within an organization. Here are examples of tactics used by industry leaders to develop inclusive cultures in their workplaces:

Inclusion Statement

Make it official. Place inclusion statements in company policies and websites.  Employees are required to review company policies and are given training on its components. Therefore, incorporating inclusion into policies ensures the matter is addressed and understood by everyone. Here is an example of the diversity and inclusion statement developed at Coca-Cola Enterprises:

“Attracting, developing and retaining a highly talented and diverse workforce is one of our three strategic business priorities. To achieve this, we are committed to creating an inclusive culture – one that welcomes, values, and celebrates a workforce comprising employees of different ages, ethnicities, races, cultures, genders and sexual orientations.”

Establish Employee Networks

In our post “Labor Relations Tone Set at the Top: Campbell Soup Co.,” we discussed the use of employee networks at Campbell’s. The company has established 7 networks:

• Campbell African American Network
• Asian Network of Campbell
• Hispanic Network de Campbell
• Our Pride Employee Network
• The Bridge
• Women of Campbell
• Global American Indian/Aboriginal Network

Employee networks are excellent tools to foster inclusion in the workplace. Any employee can become a member of each group, allowing them to develop a stronger understanding of the challenges other employees encounter. Networks add more to an employee’s work experience, fostering communication and relationship building. The information shared in these groups assists management in addressing issues and removing barriers to an inclusive workplace.

Customized Training

Diversity training needs to be mandatory for employees at every organizational level. Carefully develop a training plan, tailoring it to the audience. In order for training to effectively engage employees, include a variety of training methods- role play, classroom-style, Q & A and web-based learning.  Instead of conducting training once or twice a year for days at a time, hold sessions more often. Also, break training sessions up into shorter sessions. These tips help employees avoid information overload and keeps the information fresh in their minds.

Tone From the Top

Culture is established at the top. In the article “What Does it Take to Create an Inclusive Workplace?,” Paul Hogendoorn, President of OES Inc. located in the UK, discusses two of the ways he sets the tone from the top to encourage an inclusive culture:

“When I make the rounds in the morning, I often say good morning in ten different languages. Of course ‘good morning’ is just about the extent of what I am able to say in many of those languages, but it does put a few smiles on faces. Sometimes it takes intentionally role-modeling examples to illustrate the point that no one person is above any specific task, including myself. Although specific roles may have different values in an organization, as individuals, we are still equal.”

Hogendoorn proves a little bit goes a long way. When top level executives emulate the corporate culture, it’s easier for employees to follow and commit to adopting the culture themselves.

Employees are a company’s number one source for detecting fraud and misconduct in the workplace. One of the many challenges faced by managers and HR professionals is how to encourage employees to use internal reporting tools. Employees are often hesitant to report misconduct for fear of retaliation.  Employers must inform employees of the various reporting options available to them, as well as the opportunity to remain anonymous. A well communicated anti-retaliation policy can reduce employee hesitation towards reporting misconduct.

Committing to the Cause

The tone at the top establishes the culture of the company. Employers need to communicate their commitment to creating a productive and safe workplace for everyone.  Talk to employees about how internal reporting tools help the company achieve this goal.  Let employees know that when they report misconduct, the information helps to eliminate and correct workplace risks. 

In the article “Encouraging Internal Reporting” by the SCCE, they write that:

“In an organization where information flows freely among various levels, it’s more likely problems will come to the attention of those who will be able to deal with them relatively early. Research shows that whistleblowing is more likely to occur in an open organization, but they are more likely to view it merely as truth telling and as an attempt to help the organization.”

Some additional steps that can help improve corporate culture and make the use of internal reporting systems less daunting for employees would be to:

• Train employees to use internal reporting systems. Provide them with access to information and let them know what to expect once a complaint has been made. Distribute information to employees, explaining the complaint and investigation processes.
• Establish, communicate and provide training on company anti-retaliation policies. If employees are expected to use internal reporting systems, they will need to feel safe and protected.
• Provide employees with regular access to management. Inform employees of the reporting lines within the company and designate times when management is available to speak with them and answer questions. An open door policy puts employees at ease, making the work environment more inviting for discussion- especially when it involves sensitive topics. Offer training sessions regarding how to communicate openly within the organization.

Awareness is Key

In a recent article on Tradingmarkets.com, they stated that awareness was one of the main contributors to the increase in calls made to the ethics (“whistleblower”) hotline at BAE Systems:

“The number of BAE Systems workers calling the controversial group’s confidential “whistleblower” helpline to report incidents rocketed 72% in 2009 to 870. BAE also said the number of staff dismissed due to “unethical behaviour” jumped 63% to 485. The defense giant revealed the figures in its latest annual and corporate responsibility reports. The report said: “Employees made 870 enquiries to our Ethics Helpline in 2009 to request information and advice or raise concerns confidentially about business conduct. Procedures are in place to ensure ethical concerns are investigated and the findings are reported to the Ethics Review Committee.” The spokesman said the jump in those using the helpline was due to increased awareness of the hotline within the group after the roll-out of its global code of conduct in 2008. Still, only about 50% of staff surveyed stated that they feel it’s safe to speak up and challenge an issue.”

Employees must be aware that an internal reporting system exists, but they should also know how to use it. In the example of BAE, their systems provide advice on ethical issues. Give employees access to a knowledgebase of past issues and resolutions.  Post signs within the workplace reminding employees of their options when it comes to reporting misconduct. Training and communication brings awareness to workplace misconduct and the steps taken to reduce these issues in the workplace.

Anonymity and Confidentiality

Provide employees with various options for reporting. Outline the differences between confidentiality and anonymity to avoid confusion between the two. In cases where anonymous reporting is possible, employees are usually given an incident report number to track the investigation. In other cases, confidentiality is the only option.  This means that the individual’s identity is exposed, but only to a select group of people directly involved in the investigation.

Some whistleblowers feel comfortable with full disclosure- in this case, ensure the employee is kept free from retaliation, and check in with them regularly to keep an eye on the situation. Another consideration is to provide employees with options for case entry, such as a web-based reporting system or a hotline-only system. Many companies tend to use a reporting system that integrates web-based and telephone hotlines for better case management. Keep in mind employees have different comfort levels and it could take some time before they are comfortable trusting the measures in place to reduce the risks of retaliation.

Recognize and Reward

In many cases, we only hear about employees that were either fired or faced retaliation, causing them to quit their job after blowing the whistle. In cases where there is significant evidence supporting an employee’s complaint and a subject admits that they are guilty as charged, chances are, the employee blowing the whistle was acting to protect the company and its reputation, rather than out of malicious intent. In the article “Encouraging Internal Reporting” by the SCCE, they write:

“One way to reinforce this message is to give awards for internal problem reporting, (e.g., by incorporating them into an existing award program for suggestions that save or make money for the organization). The amount of the award could be based on saving money (e.g., the discovery of embezzlement), but there are many other ways to positively reinforce the message that reporting is valued. The program should be well publicized, as should the presentation of the awards.”

Before starting to design and implement policies within an organization, it’s important to conduct a proper risk assessment. Risk assessments ensure company policies and procedures help reduce the risks and potential threats within the workplace. Each company faces different risks based on factors such as location and industry type. There are certain elements that need to be included in all risk assessments. Similar to conducting a basic SWOT analysis, risk assessments encourage HR managers and executives to think harder about different threats and opportunities for the business. A SWOT analysis assists in defining clear goals, making a risk analysis investment worthwhile.

In our previous post, “5 Simple Steps to Conduct a Risk Assessment“, we focused on safety based tips for conducting workplace risk assessments, however, in today’s post we are focusing in on 5  risk assessment tips that help with setting the tone at the top and governing policies.

1. Evaluate ALL Areas of Misconduct

To conduct a proper ethics and compliance risk assessment, address all potential areas of risk- not just the most common or obvious ones. To ensure that all of the bases have been covered, evaluate risks that are specific to both the company and the industry that it operates in. As a starting point, go through previous files or cases relating to complaints or problems that occurred within the company and then focus on risks that are a bit harder to identify.  It’s important to examine the factors causing these risks to occur, as well as the ability company’s have to plan for and reduce the impact of risks. This analysis will helps with policy creation, aiding in the development of effective policies fostering an ethical corporate culture.

2. The More The Merrier

During the ethics risk assessment, gather opinions from as many employees as possible. Also, make sure they come from different levels within the company. There are different risks present at different levels and faced by different employees. Including a number of employees allows for a more complete picture of the company’s ”risk landscape,” as these employees can identify and communicate risks they encounter on a day-to-day basis. Depending on company size and the number of people included in this step, the article “Maintaining a Robust Ethics and Compliance Program in Today’s Business Climate: A Necessity to Minimize Your Organization’s Risks” recommends using methods such as distributing surveys, holding focus groups or other forms of meetings or individual interviews, to gather information.

3.  Benchmarking and Comparison

A useful resource for identifying risks and evaluating ethics and compliance program is to benchmark against competitors or industry leaders. This helps to ensure policies keep companies ”in check” with industry laws and standards. When observing the ethics program of an industry leader, look at their code of ethics, corporate culture and corporate social responsibility statements that can be easily accessed on corporate websites. Pay attention to the areas of risk they focus on and see if the policies they have put in place actually work as intended.

For example, Johnson and Johnson is an industry leader in the consumer health care field. If a company is one of their competitors or are looking for a superior quality ethics and compliance program, look at their corporate governance guidelines, annual reports and code of ethics to get an idea of issues that are important to them and how they handle them. Benchmarking is similar to leading by example. Industry leaders and companies known for their commitment to ethics and compliance want to lead the way for other companies to follow and incorporate best practices into their workplace.

4. Training and Awareness

The article “Maintaining a Robust Ethics and Compliance Program in Today’s Business Climate: A Necessity to Minimize Your Organization’s Risks” states that it’s also important to evaluate employee training related to the compliance and ethics program to make improvements to the training program:

“Measure employee knowledge. The ethics and compliance risk assessment should include a measurement of employee knowledge and awareness of the compliance program and supporting controls. Doing so can help pinpoint where training and communications programs need to be improved.”

In our post, “How to Encourage Employees to Use Internal Reporting Tools“, we discussed the impact of increased ethics and compliance program training and awareness at BAE Systems. BAE Systems credits increased employee awareness of compliance and reporting systems as a contributing factor in the increased use of internal reporting systems to help detect and uncover workplace misconduct. Employees must be aware of all policies and procedures that govern employee actions in order to create an ethical corporate culture.

When evaluating and developing training programs, consider the interests of the audience and make training interactive. Taking those two factors into consideration will lead to increased employee engagement and retention of information communicated- take a page out of the books at Cisco Systems, their ”Ethics Idol“ training program really got employees talking!

5. Set a Re-Evaluation Date

I know that this point was already included in our post “5 Simple Steps to Conduct a Risk Assessment“, but it’s just to important to leave out. Select a time or times each year where to re-evaluate corporate risk assessments. This allows companies to keep policies and procedures up to date and remain inline with updated laws and regulations. As the workplace evolves, adapt policies to these changes to help mitigate risk. To provide an idea of the frequency required for re-evaluation, the authors of the article “Maintaining a Robust Ethics and Compliance Program in Today’s Business Climate: A Necessity to Minimize Your Organization’s Risks” recommend that:

“The frequency with which an organization chooses to conduct ethics and compliance risk assessments depends on the nature of the organization’s industry, but if the methodology and process is adequately defined, it can reasonably be conducted on an annual basis where year-over-year results can be appropriately compared. Since operating environments, regulations and government enforcement priorities routinely change, it is inadvisable to conduct compliance risk assessments on a less frequent basis than every two years.”

In 2009 alone, General Mills received over 20 awards recognizing the company for their corporate reputation and human resource and employee relations leadership - including awards for managing diversity, working mothers, ethics and corporate citizenship. General Mills was listed to the Glassdoor.com “Employees’ Choice -50 Best Places to Work” and after reading employee comments and rankings for General Mills on the Glassdoor.com website, employees consistently give the company high ratings and praise the company for employee benefit and wellness programs, rates of pay, flexibility for employees with families, commitment to employee development and growth and its supportive culture.

Code of Conduct and Leadership

In the opening address from the CEO, the General Mills Code of Conduct states:

“We hold ourselves to a very high standard at General Mills. Nowhere is that more true than in our expectations for ethical conduct in every aspect of our business. For General Mills, high ethical standards are not something new. It is who we are.”

At General Mills, they address the fact that ethical dilemmas can occur, and if you are faced with one, they have outlined questions to ask and steps to take when faced with such a decision:

• Speak Up- At General Mills, employees are trained to know what is expected and what is considered ethical practice. They encourage employees to ask questions and speak up if they are aware of actions taking place within the company that compromise their commitment to ethics. Employees are free to talk to managers about these issues, but they can also call the Ethics Line if that makes them feel more comfortable.
• Set Examples- General Mills addresses the increased risk for encountering an ethical dilemma when you manage a team- making answers difficult to find. In this situation, remember that ALL employees are accountable to the company and other members of the team, you want to create an open environment, consult available resources, support employees who raise questions and have concerns, as well as report any matters that don’t comply with the company code of ethics, other company policies or the law.
• Ask Questions- The General Mills Code of Conduct also lays out some questions that employees should be able to answer “yes” to when making a decision: Would you feel comfortable with this news in the media? Will my decision protect the reputation of General Mills as an ethical company? Am I being fair and honest? Are my actions consistent with the law and company policies?

Focus on Employees

At General Mills, it’s extremely evident that they provide a high level of support and take a lot of pride in their employees. General Mills provides a number of benefits to their employees- including pension and retirement funds, benefits for new mothers and fathers, as well as adopting parents, medical, dental and insurance benefits for both families and same sex partners, education advancement benefits and local perks for employees working out of the General Mills HQ in Golden Valley, Minnesota. In Canada and the US, all employees at General Mills qualify for their incentive program, as the company values each member’s contribution to the team. General Mills offers flexible work arrangements whenever possible to assist employees in balancing their work and home lives.

The company also offers extensive training programs for employees within various divisions of the company, for example, “HR U” has been created for further training of HR professionals, “Champ Camp” has been created for new marketing professionals and technical professionals may end up training at “Cereal School”. Employees can also undergo formal training sessions at the General Mills Institute, where they create programs aimed at developing employee skills to create future company leaders. The different training environments and formats available for training- they also offer web based training and individual development plans, make training more exciting for employees, allowing them to achieve greater benefits from training and better retention of information.

The Importance of Workplace Diversity

In the General Mills Code of Conduct, they state that they value diversity in the workplace because it brings new viewpoints to the table. When looking at the number of awards General Mills has won, many of them mirror the company’s commitment to diversity, as General Mills has become a preferred employer by a number of diverse groups. A diverse workplace can also allow for greater understanding of consumer wants from the company, allowing General Mills to create and develop new products that meet the changing needs of their consumers. The corporate culture at General Mills is one of respect and inclusion, creating a mutual respect between employees at all levels.

In the article “Up Close with Mike Davis: General Mills’ Playbook for Challenges in Unprecedented Times”, Mike Davis, Senior Vice President of Global HR at General Mills stated:

“This year alone, I have been to India, China, and Europe. I have found that in spite of all the cross-cultural differences, all human beings like to be valued, be listened to, be developed, and feel like they make a difference. All of these commonalities are part of the cultural core of General Mills. Even our long-term view of career development works well cross-culturally, as employees everywhere appreciate an organization that values them.”

The observation and contact between global employees and top level executives further demonstrate the commitment General Mills places on workplace diversity. Through observation, discussion and travel, the global HR team at General Mills is able to gain a stronger understanding of what their employees seek in an employer, as well as measure their satisfaction with their roles at General Mills. Understanding the common traits across geographical divisions of the company makes it easier to develop unified plans and policies, as well as deepen the corporate culture and commitment to common goals.

Rio Tinto, Daimler AG, Nexus Technologies, and others have managed to make their way into the headlines this past week, and they have all managed to do so for the same reason: conviction of bribery. Bribery and other FCPA infractions have been longstanding issues facing a number of companies due to the differences in laws and ethics around the world.

Each country has a different opinion on administering and accepting bribes for the gain of business- or the individual. In the article “New Global Standard of Good Corporate Citizenship” on the Corporate Compliance Insights website, the OECD Good Practice Guidance for Anti-Bribery Compliance Programs by Kaplan & Walker “seems destined to become the most significant set of compliance and ethics standards yet promulgated- at least for global companies.” The steps addressed by the OECD regarding good practices provide great points for review when it comes to developing compliance and ethics policies for your company.

Standards for Good Corporate Citizenship

The OECD states that:

“Effective internal controls, ethics, and compliance programs or measures for preventing and detecting foreign bribery should be developed on the basis of a risk assessment addressing the individual circumstances of a company, in particular the foreign bribery risks facing the company Such circumstances and risks should be regularly monitored, re-assessed, and adapted as necessary to ensure the continued effectiveness of the company’s internal controls, ethics, and compliance program or measures.”

The OECD recommends paying close attention to these 12 principles of good practice guidance and implementing them into your company:

1. Tone at the Top- Strong, visible support and commitment from senior management to the company’s internal controls, ethics and compliance programs or measures for preventing and detecting foreign bribery.

2. Anti-Bribery Policy- A clearly articulated and visible corporate policy prohibiting foreign bribery.

3. Compliance is the Responsibility of Everyone–Compliance with anti-bribery policies and related internal controls, ethics, and compliance programs or measures is the duty of individuals at all levels of the company.

4. Senior Officer Duties- The oversight of ethics and compliance programs regarding foreign bribery- including the authority to report matters directly to independent monitoring bodies such as internal audit committees of boards of directors or of supervisory boards, is the duty of one or more senior corporate officers, with an adequate level of autonomy from management, resources and authority.

5. Areas of Bribery- Ethics and compliance programs designed to prevent and detect foreign bribery are applicable to all directors, officers, and employees. They are also applicable to all entities over which a company has effective control, including subsidiaries. These areas of bribery include: gifts, entertainment and expenses, customer travel, political contributions, charitable donations and sponsorships, facilitation payments, solicitation and extortion.

6. The Power of Many- Ethics and compliance programs designed to prevent and detect foreign bribery are applicable to all employees and other intermediaries- consultants, representatives, distributors, contractors and suppliers, consortia, and JV partners regarding the following elements:

i) Properly documented risk-based due diligence related to the hiring, as well as the appropriate and regular oversight of business partners.

ii) Informing business partners of the company’s commitment to abiding to laws on the prohibitions against foreign bribery and of the company’s ethics and compliance program.

iii) Seeking a reciprocal commitment from business partners.

7. Accurate Accounting Documentation- Develop a system of financial and accounting procedures- including a system of internal controls, designed to ensure the maintenance of fair and accurate books, records, and accounts, to ensure that they cannot be used for the purpose of foreign bribery or hiding such bribery;

8. Communicate and Train- Design a program to ensure periodic communication and documented training for those at all levels of the company pertaining to the company’s ethics and compliance program, as well as for subsidiaries- if applicable.

9. Reward and Support- Develop measures to encourage and provide positive support for the observance of ethics and compliance programs at all levels of the company.

10. Establish Consequences and Disciplinary Procedures- Address appropriate disciplinary actions for violations, at all levels of the company, of laws against foreign bribery and the company’s ethics and compliance program.

11. Handling Internal Complaints and Investigations- Develop effective measures for handling investigations and allegations made through reporting systems:

i) Provide guidance and advice to directors, officers, employees and other business partners, on complying with the company’s ethics and compliance program- including what to do when they need urgent advice on difficult situations in foreign jurisdictions.

ii) Internal and confidential reporting by and protection of directors, officers, employees, and other business partners not willing to violate professional standards or ethics under instructions or pressure from hierarchical superiors. As well as protection for directors, officers, employees, and other business partners willing to report breaches of the law, professional standards or ethics occurring within the company.

iii) Undertaking appropriate action in response to such reports.

12. Regularly Update and Review Policies- Periodic reviews of the ethics and compliance programs to evaluate and improve their effectiveness in preventing and detecting foreign bribery, taking into account relevant developments in the field and evolving changes in international and industry standards.