The LRN ethics and compliance risk management practices report

® 

Inspiring Principled Performance sm 

The LRN ethics and compliance 

risk management practices report 

2008

® 

The 2008 LRN Ethics and Compliance 

Risk Management Practices Report 

TABLE OF CONTENTS 

Executive Summary ...............................................................................................................3 

Key Findings .........................................................................................................................6 

Significant Risk Management Trends 2007-2008.................................................................11 

Discussion ..........................................................................................................................17 

2008 Detailed Results .........................................................................................................23 

LRN Ethics and Compliance Market Maturity Model ...........................................................42 

Respondent Profile .............................................................................................................44 

REPORT OVERVIEW 

This is the second annual LRN Risk Management Practices report. Combined with the 2007 

LRN survey, it provides companies with insights into how others are progressing in their 

ethics and compliance risk management programs and allows them to assess where they are 

on the curve towards mastering best practices and creating corporate-wide ethical cultures. 

The 2008 survey questions largely followed the same set of survey questions offered in 

2007. Direct comparison of the data provides the opportunity to spot key trends occurring in 

the industry. 

• Key Findings present top-level insights into the results. 

• Significant Trends follows which identifies the most distinctive patterns over the 

two years of survey data, allowing companies to assess which practices companies 

are increasingly (or decreasingly) using, as well as which challenges to ethics and 

compliance are improving or worsening. 

• Discussion analyzes the holistic meaning of the data and offers an extended view of 

how companies can mature their ethics and compliance efforts and evolve into valuesbased 

ethical cultures that offer greater performance, profit and improved reputations. 

• Detailed Results reviews the data survey question by question, providing cumulative 

results for all respondents with graphic visuals, along with any relevant trending graphs 

and, if useful, a breakdown of the data by company type – global companies vs. singlelocation 

companies. A brief commentary for each question synthesizes the analysis of 

each set of data results. 

• Market Maturity Model reveals the progression from compliance to ethics, divided 

into four segments, each characterized by numerous common practices and activities. 

• Respondent Profile provides the demographics of the company and respondents. 

LRN | 2008 Ethics and Compliance Risk Management Practices Report | 2

EXECUTIVE SUMMARY 

Increased global competition, economic downturn and tighter regulation brought greater 

pressure on business and with it, greater risk. Both companies and governments worldwide 

had to make adjustments to cope with these changes in the business climate. Our 2008 Risk 

Management Practices research report shows great awareness of these issues – reporting 

substantive progress towards building more stringent programs to manage and mitigate 

risks, as tangible steps were taken to develop and nurture a more ethical and compliant 

business environment – at all levels of the organization. 

Governments around the world strengthen their collaboration to legislate and enforce a 

stricter set of rules regulating many facets of business conduct at a global level. The U.S. 

and European governments tightened their monitoring of potential anti-bribery and anticorruption 

violations. Companies doing business in the U.S. have had to respond to the new 

eDiscovery rule that went into effect in 2007, requiring them to account for and maintain all 

their internal electronic records including emails, instant messages, and electronic documents 

that might prove critical in investigations. New European regulations regarding electronic 

data privacy and data protection have affected companies doing business on the continent. 

Moving beyond 

compliance, more 

companies are 

conducting culture 

assessments. 

Faced with this surge of new regulatory compliance demands, as well as fresh ethical 

challenges posed by a more complex and global business environment, companies 

attempted to make necessary adjustments. 2007 brought with it new challenges to the 

business world and important lessons. Scandals like tainted pet food and lead paint in 

toys made in China were effective reminders about the need to manage and reduce ethics 

and compliance risks, not only within organizations, but also within their networks of 

supplier and business partners. The meltdown of the mortgage sub-prime and banking 

industries pushed businesses across all industries to re-examine their internal decisionmaking 

processes for the types of conflicts of interest and long-term ethical and reputational 

risks. This correlates with the increase in companies performing a corporate-wide “cultural 

assessment”, indicating that they are moving beyond just compliance into recognizing that 

the entire company culture is at stake. 

Our research shows that many companies made good progress in managing their ethics and 

compliance risks programs by conducting holistic business risk assessments, strengthening 

each of the five key steps of enterprise risk management and intensifying executive risk 

management training. 

Increasingly more companies integrate their ethics and compliance risk assessments into 

their enterprise risk management process. Also, the vast majority of organizations have 

implemented at least some of the best practices in terms of defining and preventing 

risks, detecting violations and responding to them. Organizations with mature ethics and 

compliance functions appear to strongly benefit from their prior efforts, having developed 

critical experience and skills to assess risks, educate employees, and minimize violations. 

Organizations with newer ethics and compliance departments and those with fewer 

resources find themselves still with challenges. 



Another critical step forward is that organizations appear to recognize the importance of 

making their ethics and compliance programs compelling, engaging, and comprehensive 

from the boardroom to the break room. 

• Boards of Directors are increasingly involved in participating in educational activities and 

monitoring the ethics and compliance actions of their companies. 

• Senior leadership, management and supervisors are being educated on the responsibility 

of being the preferred channels for reporting violations, and with it, the importance of 

awareness and education for their direct reports. 

• Employees require that education be relevant to their work and learning style. As a 

consequence, we witnessed an emerging trend toward interactive educational learning 

methods such as interactive gaming and facilitator-led workshops to appeal to today’s 

workforce. With increasing numbers of Millennials joining companies, organizations will 

need to offer more comprehensive, blended educational methods. 

We have seen businesses make significant steps toward an optimized approach for 

managing ethics and compliance risks. Nevertheless, a concerted effort is needed to make 

the leap from a reactive approach to a strategic, values-based program that increases 

awareness and understanding of governance, risk management and compliance issues 

across the enterprise for a competitive advantage. 

An integral component of enterprise risk management is to holistically build a strong 

control environment with a culture of corporate ethics, by defining, preventing, detecting, 

responding and evaluating as part of five key steps for building a sustainable compliance risk 

management process: 

• Define business ethics and corporate compliance risks to create a comprehensive 

risk profile. 

• Prevent ethics and compliance lapses/failures with hard and soft controls, including 

business ethics and corporate compliance training. 

• Detect noncompliance with the law, regulations, company code of ethics and corporate 

governance practice via multiple reporting methods. 

• Respond swiftly and publicly to allegations and potential violations. 

• Evaluate results and make continuous improvements. 



LRN’s Approach to Ethics & Compliance Risk Management 

It is imperative that companies establish a well defined approach for managing their 

ethics and compliance program. LRN developed and refined this process incorporating 

over 14 years of experience and proven best practices. Working throughout the 

enterprise, each step is essential when developing a holistic approach to your program. 

PREVENT 

• “Tone at the top” 

• Online Education 

• Facilitated workshops 

• Communication 

DEFINE 

• Access risks 

• Align policies and 

porcedures to risks 

• Define risk profile 

• Map risks to job function 

DETECT 

• Controls for rapid detection 

• Employee certification 

• Self-reporting channels 

• Compliance auditing 

and monitoring 

EVALUATE 

• Metrics and benchmarks 

• Policies, practices and procedures 

• Reports and actions 

• System improvements 

RESPOND 

• Case identification, investigation and closure 

• Corrective actions 

• Root cause analysis 

• Communication resolution 

Ethics & compliance risk management process 


KEY FINDINGS 

Ethics and compliance programs are maturing 

Numerous survey findings demonstrate reasonably vigorous efforts to implement sound 

practices to manage and mitigate risks. It is encouraging to note, for example, that almost 

9 in 10 companies perform a formal ethics and compliance risk assessment, with more than 

half integrating it into other business risk assessments. However, only half indicate their 

Executive Team or Board become involved in the assessments. 

Similarly, more than 9 in 10 companies have codes of conduct or offer internal 

communications, and almost the same number offer online education courses. Significant 

increases since 2007 appear in the number of companies (nearly 8 in 10) that provide 

formal ethics and compliance education for their CEO and senior management, indicating 

a growing recognition of the critical importance of developing a strong tone from the top. 

However, multinational companies lag in providing the same level of ethics and compliance 

education in their regional offices. 

Electronic data 

risks identified as 

top challenge. 

Overall, there are positive signs that ethics and compliance efforts are progressing, with 

more companies developing confidence in their abilities to manage and mitigate risks. 

Nevertheless, companies cite numerous challenges – including lack of resources, low 

employee engagement, employee fears of retaliation, and lack of relevancy in educational 

materials – that suggest their organizations are not investing in and developing holistic 

programs that move their culture beyond compliance into values-based self-governance that 

drives superior business performance. 

Companies identify their top two ethics and compliance risks as electronic data 

protection and data privacy 

It was unexpected that the two leading perceived risks involved electronic data issues rather 

than anti-corruption /anti-bribery, given the heightened Department of Justice focus on FCPA 

violations in 2007 and early 2008. Among all respondents, electronic data protection led 

the list of concerns in perceived risk. Data privacy was the second leading challenge, along 

with conflicts of interest. These three risks far outpaced other perceived risks including sexual 

harassment, environmental safety & health issues, anti-corruption and bribery. 

The increased concern about electronic data risk is the result of the growing amount of 

electronic data generated organization-wide, combined with new, more stringent regulations 

and requirements regarding the management and security of data. Businesses have had 

sound policies and procedures on processing, storing and protecting printed documents, 

many of them developed throughout decades. They have had to protect their trade secrets, 

customer data, and employee records, but now they must also comply with the eDiscovery 

Rule which went into effect in 2007. The eDiscovery Rule now requires them to manage and 

maintain all electronic data, including e-mails and instant messages, which might be relevant 

in future legal disputes. Global enterprises have to comply with new data privacy laws and 

regulations imposed by European governments. Germany, for example, has instituted specific 

new laws on data protection that go beyond existing EU data protection laws as well as the 

older German Federal Data Protection Act. In the U.S., 47 states have ratified separate data 

privacy laws protecting individuals from fraud and malicious use of their data. 

Compliance with these electronic data protection and privacy laws is more complex and 

has migrated beyond traditional IT functions into legal compliance and ethics areas since 

the legal issues extend beyond their technical expertise. Banking, financial, insurance, and 

healthcare industries have more rules and regulations regarding data privacy than other 

industries. 


KEY FINDINGS 

To address these concerns, companies need to develop comprehensive privacy and security 

policies; conduct audits of their data practices including Internet activities, cross-marketing 

and data sharing with affiliates and partners; manage their internal data usage, such as 

handling of customer and employee personal data; and educate employees to prevent 

breaches or losses related to data privacy. 

A majority of companies perform formal risk assessments involving multiple 

functions 

Respondents are taking risk assessment seriously, with nearly 9 in 10 respondents indicating 

they perform risk assessments regularly. Slightly more than half say they integrate ethics and 

compliance concerns into other business assessments. Results indicate that depending on 

the nature of the risk, companies are utilizing one or more of the following departments in 

their risk assessments: 

• compliance, 

• legal, 

• internal audit, and 

• human resources. 

Most importantly, two-thirds of respondents share the findings of the risk assessments with 

their Board and their senior executives, ensuring that top leadership participates in the 

responsibility for building ethical and law-abiding business conduct. Furthermore, almost 

one-quarter also share their findings with employees, thereby reinforcing ethical awareness 

and demonstrating the company’s commitment to fostering an ethical workplace. 

Only 4 in 10 respondent companies involve their business managers in the risk assessment 

process. The middle managements’ proximity to operations enable them not only to have 

a more in-depth knowledge about where the ethics and compliance challenges may lie 

but also to gain the subordinates trust and become the channel of choice when reporting 

a potential violation. Not tapping into these two key advantages of middle management 

creates a critical gap in the risk assessment and detection processes. Furthermore, the survey 

results indicate that nearly all companies want supervisors to be a channel for employees to 

report violations, it is counterproductive to not involve them in the risk assessment process. 

Companies would benefit significantly by proactively including managers in every step of 

the risk management cycle and could substantially improve employees’ willingness to report 

violations to managers. 

Companies cite engaging employees and making education more relevant as their 

top challenges in prevention 

In terms of preventing risk, respondents point to a lack of resources as their leading 

challenge, with nearly 6 in 10 companies marking it. However, beyond this perennial 

problem, the next two leading challenges reflect crucial factors that make or break getting 

employees motivated to take risk management personally: relevancy and engagement. 

More than 4 in 10 respondents indicate making the education relevant is their next most 

significant challenge, and one-quarter cited engaging employees. 

The search for relevancy and engagement is critical in risk prevention. The learning theory 

states that adults pay less attention to information that does not directly affect their 

jobs than they do to information that has an immediate value to their day-to-day work. 

Numerous studies have also shown that engaging people in their learning boosts their 

interest in and ability to use the knowledge. Learning resources that allow people to control 

their own progress, interact with the materials, and gauge their learning through self-tests 

have proven to have higher impact on adults than one-dimensional lessons that workers 

passively read or listen to. 


KEY FINDINGS 

The most common risk prevention education is a code of conduct, in place at nearly all 

respondent companies followed by internal communications. The next two major methods 

of education were online and offline (classroom) education which may include interactive 

components to engage employees, such as discussion questions and debates. 

There is increased focus on tone-from-the-top, with companies providing more customized 

education to their board and senior leadership. Among respondents, around threequarters 

offer formal CEO/senior management development and management/leadership 

development programs. The popularity of both of these programs is up since 2007, with 

more companies offering them, suggesting that companies are recognizing the role that 

C-suite and senior management must play in establishing tone at the top and being up-todate 

about the ethics and compliance issues that may affect their companies. 

Early adopters are 

adding interactive 

gaming to 

their ethics and 

compliance 

education. 

It is interesting to note a new educational method: Interactive Games which has been used 

recently for teaching employees about ethics and compliance issues with great success. The 

study shows that 10% of respondents use Interactive Games which suggests that there 

are early adopters tapping into new technologies and approaches to engage employees in 

less static, more personalized, interactive ways that make ethics and compliance education 

relevant and memorable. 

There are two key trends that may explain the increased use of Interactive Games. Many 

industries frequently employ off-site workers or workers who don’t have time or regular 

access at their jobs to the Internet to participate in the usual types of online instruction in 

ethics and compliance. Interactive games delivered to laptops, iPhones, and other portable 

devices can provide a needed solution to keep these workers engaged even when they 

are not connected to the Internet. Alongside this trend, companies are faced with the 

need to accommodate a fast-changing workforce that includes more Millennial-generation 

employees who have grown up their entire lives playing video games. For these workers, 

interactive gaming is the most familiar and effective method of getting information – and 

they are often far more skilled at interactive gaming than they are at reading printed 

documents. We can conclude that, in fact, the use of Interactive Games to educate on ethics 

and compliance will expand exponentially in coming years as younger workers enter the 

workforce and information is presented in ways they prefer. 

Detecting violations still presents a significant challenge 

Despite the prevalence of anonymous reporting channels, employees fear retaliation and 

lack the motivation to report. Companies cited detection as their main challenge in 2007 

and they do so again in 2008. In both years, nearly half of respondents indicate they have no 

significant problems in this area, while the other half cites a wide range of challenges that 

hamper their detection efforts. Topping the list, almost two-thirds of companies believe their 

employees fear retaliation, up from 2007. Meanwhile, half the companies cite employee lack 

of motivation to report violations, compared to just 3 in 10 in 2007. 

The irony of these statistics about fear of retaliation and employee apathy is that 

organizations increased their efforts to communicate, educate employees about ethics and 

compliance, and ensure they have ready access to report violations. The survey results show 

that the nearly 9 out of 10 multinational companies offer at least three reporting methods 

for employees to use in their home region, and 7 out of 10 have at least three methods even 

in their field offices. Nearly all companies offer their workforce an anonymous or confidential 

channel to report ethics and compliance violations, and in 2 out of 10 of those enterprises, 

the company prefers the anonymous line to be its first line of reporting. In addition, 4 out of 


KEY FINDINGS 

10 companies also offer an internal ombudsman as a “go-to” person for reporting. Despite 

all these organizational efforts, employees remain reluctant to step forward to 

report violations. 

Employees may be uncertain about whether their reports will truly remain confidential. 

Survey results show that few companies emphasize the use of the anonymous /confidential 

channel to report violations. Not even 2 in 10 companies list it as the preferred first reporting 

channel at their offices. This could mean that in too many companies, employees simply 

don’t receive a clear message that confidentiality is valued. 

Another possible cause of employee fears of retaliation or apathy to report violations might 

be the increasing number and complexity of regulations. More and more enterprises operate 

in multiple regions, and are subject to a wide range of laws, and employ a more diverse 

workforce. Such factors could fuel worker ignorance or confusion about what to report 

and what will happen should they do so. Survey results somewhat bolster this explanation. 

Nearly 3 in 10 companies say their employees just don’t understand the rules, suggesting 

organizations to do a better job educating their employees and inspiring them to take 

greater responsibility for helping to build an ethical culture. 

Multinational companies face bigger challenges at their international regions than 

at headquarters 

Creating a unified ethical culture everywhere around the world is a crucial issue for 

multinational companies operating in an era of increased global competition, greater use 

of foreign agents and partners, suppliers, as well as a diverse workforce spread around the 

world. However, survey results suggest that global companies still face greater challenges in 

their international regions than at headquarters. 

In terms of overall capability, for example, multinational firms gave themselves lower ratings 

for both accuracy and timeliness of their risk management efforts at their regional offices 

than at their headquarters. Furthermore, the largest combined number of companies gave 

their home offices the highest ratings for timeliness and accuracy, and the largest number of 

companies combined gave their regional offices the lowest ratings. 

Companies indicated they face more challenges with their regional offices and workers. 

In terms of providing ethics and compliance education, companies consistently offered 

fewer programs in the regions than they did at their home office, including white collar 

/ managerial education, Board of Directors education, and Service Workers education. 

Multinational companies also offered fewer methods for reporting violations at their regional 

offices compared to their headquarters. 

These results suggest that global companies consistently experience more difficulty 

managing risk the further away from headquarters employees work. Learning how to 

equalize risk management and mitigation across all company offices will thus remain a key 

goal for multinational organizations in the future. 

Few larger companies actively manage ethics and compliance risks within their 

supplier and partners’ network 

Less than one-third of multinational companies are offering ethics and compliance building 

activities to parties that work closely with them, even though their violations would directly 

affect the company. Roughly speaking, only 1 in 10 multinationals offer education to 

resellers, 2 in 10 to suppliers and 3 in 10 to business partners in their headquarters area, and 

the results were even lower in their regional locations. 


KEY FINDINGS 

This lack of coordination with partners and supply chain should be a red flag as companies 

increasingly build or utilize overseas manufacturing plants, make deals with foreign 

governments and companies using agents and partners, and transact financial exchanges 

with parties whose inner operations they may not know. It is well known that the 

Department of Justice has little tolerance for fraudulent transactions, even those performed 

unwittingly. Ultimately, enterprises need to make greater efforts to ensure their agents, 

resellers, distributors, consultants and suppliers possess the same high degree of ethical 

conduct and compliance with the law that they hold up for themselves. 

Lack of resources – budget and staff – continues to be the leading challenge in 

conducting risk assessments and in implementing prevention programs 

Half the respondent companies cited lack of resources as the primary challenge they face 

when doing risk assessments, far surpassing other challenges, including obtaining accurate 

and quantifiable information, difficulty in conducting a global assessment, analyzing and 

applying the findings, and insufficient technology. Lack of resources also topped the list 

in providing ethics and compliance education and/or certification activities and programs. 

Almost 60% of companies marked it more frequently than the other possible challenges, 

such as cultural differences among workers, regulatory differences, and the need for 

translated materials. 

The slow economy and the need to comply with new and increasingly more regulations 

being issued by governments around the world are making companies to cite lack of 

resources as key challenge in all stages of risk management process. Another cause may be 

related to the fact that the U.S. Department of Justice and other governments are becoming 

more aggressive enforcing the laws, forcing companies to become more vigilant about 

their responsibilities. They need to hire more staff, purchase more education programs, 

communicate details about organizational hotline and education program, conduct risk 

assessments on a more regular basis – and lacking resources to do all that is fast becoming 

a real, not imaginary, deficit to success. 


20 

SIGNIFICANT RISK MANAGEMENT TRENDS 2007-2008 

LRN’s annual Risk Management Practices Survey provides an opportunity to evaluate trends 

in how companies approach their ethics and compliance efforts to better manage risks, 

year over year. Our analysis indicates that significant trends are occurring across the lifecycle 

of ethics and compliance functions. Many indicate that corporate programs are becoming 

increasingly robust and expansive. The following provides an overview of the most salient 

trends captured by comparing the 2007 and 2008 data. 

Defining Risks 

Properly defining ethics and compliance risks usually requires the office in charge to use 

existing knowledge of potential risks to design a questionnaire or interview process that asks 

key business-unit employees to evaluate the prevalence of known risks, such as: 

• Accounting breakdowns, including fraud, inaccurate record keeping, inappropriate 

record retention or destruction and noncompliance with the requirements of 

Sarbanes-Oxley 

• Business ethics failures, such as the exposure of confidential client information, conflicts 

of interest and giving and accepting inappropriate gifts 

• Employment related risks, like equal opportunity violations, workplace harassment and 

immigration offenses 

• Fair trading laws, Year which cover price % Respondents fixing, abuse of dominance and collusion 

2007 5200% 

• Customer and workplace violations, 2008 for example, 5800% aiding and abetting illegal customer 

acts and creating unsafe workplace conditions 

• Product issues such as product safety failures and intellectual property violations, patent 

infringement 

2007 2008 

Executive Team 4200% 5600% 

Board of Directors 1500% 4700% 

There is growing sophistication in defining and assessing risks. 

2007 2008 

Employes 1500% 2300% 

Managers 5100% 4700% 

Board & senior executives 8000% 6600% 

Integrating ethics and compliance risk assessments into other assessments 

processes is rising – By comparison with 2007, there was a 12% increase in the number of 

companies that integrate ethics and compliance into other organizational assessments. 

The number of enterprises that integrate risk assessments is even slightly higher among 

lesser and non-regulated companies. 

Ethics and Compliance Risk Assessment Integration 

in Other Enterprise Risk Assessment 

Risk As 

100% 

80% 

52% 

58% 

60% 

40% 

20% 

42% 

2007 

2008 

0% 

% Respondents 

Executive T 

Top Risk Assessment Challenges 

Educational P 

35% 

26% 

LRN | 2008 Ethics and Compliance Risk Management Practices Report | 11 

Difficulties in 

Conducting 

40% 

Obtaining 

34% 

50% 

40% 

30% 

20% 

10% 

0% 

% Respondents 

58% 

7 

Manageme 

leadership


2007 2008 

2007 2008 Management/leadership development 5800% 7000% 

Employes 1500% 2300% Formal CEO/senior mgmt development 6700% 7700% 

Managers 5100% 4700% 


TRENDS 



100% 

Involving boards and senior management in risk assessment process is rising – 

Respondents 

2007 6400% 

In 2008, more than three times as many companies involve 

2008their board 

7000% 

of directors in the 

risk assessment process compared to 2007. Also rising was the involvement of the 

Executive Team. 

Risk Assessment Process Involvement 

100% 

Employ 

52% 

58% 

80% 

60% 

40% 

20% 

42% 

56% 

47% 

80% 

60% 

40% 

20% 

Manag 

Board & senior executiv 

0% 

2007 

2008 

% Respondents 

2007 2008 

Difficulties in conducting global assessment 3400% 2600% 

Obtaining accurate/quantifiable data 4000% 3500% 

15% 

Executive Team 

Board of Directors 

2007 2008 

0% 

% Respondents 

Top Risk Assessment Challenges 2007 2008 

Management/leadership development 5800% 7000% 

Formal CEO/senior mgmt development 50% 6700% 7700% 

40% 

Sharing information from assessments with employees is rising, but is falling 

for Boards, senior executives and managers – It is encouraging to see an increasing 

Educational Programs on Ethics and Compliance Risks 

percentage of respondent companies sharing their findings from risk assessments with 

100% 

employees. Informing employees about ethical issues occurring within the company is 

an effective method of demonstrating the company’s commitment 80% to an ethical culture, 

as well as motivating employees to report incidents. However, there 60% was a drop in 

77% 

companies sharing information from 70% assessments 67% with their Board and/or senior executives 

40% 

58% 

and with managers. 

40% 

30% 

35% 

34% 

20% 

26% 

Respondents 

20% 

2007 10% 6400% 

Sharing Risk Assessment Findings 

2008 7000% 

0% 

0% 


Management/ 

Conducting Obtaining 

% Respondents Formal CEO/senior 

leadership 

% Respondents 

Risk Assessment Process Involvement 

development 

global 

accurate/ 

development 

15% 

assessment quantifiable data 

Employes 

100% 

23% 

2007 

2008 

80% 

2007 

51% 

2008 

Managers 

60% 

47% 

Educati 

64% 

2007 

2007 

42% 

56% 

47% 

40% 

20% 

Board & senior executives 

80% 

66% 


2007 2008 

15% 0% 

0% 

20% 40% 60% 80% 100% 


% Respondents 

2007 

2008 

% Respondents 


58% 

2007 

2008 

70% 

Management/ 

leadership 

development 

67% 

77% 

Formal CEO/senior 

development 

100% 

80% 

60% 

40% 

20% 

0% 

% Respondents 

Educating Board of Directors 

70% 

64% 

2007 

2008 

2007 2008 

100% 

80% 

60% 

40% 

20% 

0% 

% Respondents 


80% 

52% 

58% 

60% 

40% 

20% 

TRENDS 

42% 

5 

2007 

2008 

Conducting a global risk assessment is easing – Multinational companies are becoming 

better at conducting the risk assessment in their international regions. In 2008, only 35% of 

multinational companies reported having difficulty obtaining accurate, reliable information 

vs. 40% in 2007. Similarly, only 26% indicating being challenged to conduct a global risk 

assessment vs. 34% in 2007. 


0% 

% Respondents 

Year % Respondents 50% 2007 2008 

2007 5200% Difficulties in conducting global assessment 3400% 2600% 

2008 5800% Obtaining accurate/quantifiable data 40% 4000% 3500% 

Executive Te 

200 

Educational Pr 

2007 2008 

Executive Team 4200% 5600% 


2007 2008 

2007 2008 Management/leadership development 0% 5800% 7000% 

Employes 1500% 2300% Formal CEO/senior mgmt development 6700% 7700% 


Managers 5100% 4700% 

Conducting Obtaining 

% Respondents 


global 

accurate/ 

assessment quantifiable data 

35% 

2007 

2008 

26% 

40% 

34% 

30% 

20% 

10% 

Respondents 

2007 6400% 

2008 7000% 

58% 

2007 

2008 

70 

Managemen 

leadership 

developmen 



52% 

58% 

100% 

80% 

60% 

40% 

20% 

Preventing Risks 

The laws, regulations and Risk guidance Assessment reflect Process an evolution Involvement in regulatory philosophy. When 

determining fines, conditions of probation and other punishments for felonies and Class A 

100% 

misdemeanors, federal judges must consider whether an organization has promoted “an 

80% 

organizational culture that encourages ethical conduct and a commitment to compliance 

with the law.” 1 Education is a key element in any program 

60% 

designed to build an ethical 

corporate culture. So, it is encouraging 56% to note several positive 40% trends towards improved 

47% 

educational efforts occurring 42% in the period from 2007 to 2008. 

20% 

Employe 

Manage 

Board & senior executiv 

2007 

2008 

0% 

% Respondents 

15% 

Educating senior management of company is rising – Compared to the last year, more 


companies are emphasizing education for Board the of top Directors levels of % their Respondents organizations. In 2007, only 

67% offered formal CEO/senior 2007 management 2008 education, growing to 77% in 2008. Similarly, 

management / leadership development is now offered by more organizations: 70% in 2008 

compared to 56% in 2007. 

0% 


50% 


100% 

Educatin 

35% 

26% 

40% 

34% 

40% 

30% 

20% 

10% 

58% 

70% 

67% 

77% 

80% 

60% 

40% 

20% 

64% 


Conducting 

global 

assessment 

2007 

2008 

Obtaining 

accurate/ 

quantifiable data 

0% 

0% 

% Respondents 

Management/ 


leadership 

% Respondents 

development 

development 

2007 

2008 

2007 

2007 


60% 

47% 

42% 

56% 

47% 

40% 

20% 

Board & senior executives 

80% 

66% 

TRENDS 


15% 0% 

0% 

20% 40% 60% 80% 100% 


58% 

2007 

2008 

70% 

Management/ 

leadership 

development 


2007 2008 

67% 

77% 


development 

% Respondents 

Educating board members increases - Among multinationals companies, a larger 

percentage of companies provide education to board members compared to 2007: 70% vs. 

64% of respondents. 

100% 

80% 

60% 

40% 

20% 

0% 

% Respondents 

Detecting Risks 

2007 2008 

Providing self-reporting channels, establishing controls for rapid detection, conducting 

compliance monitoring Respondents and audits are all essential in detecting noncompliance with the law, 

2007 2900% 

regulations, 2008 corporate 4000% governance practice or code of conduct. In the realm of detecting 

risks, the trends revealed in the data are mixed; some are positive Internal reflecting Ombudsman advances in 

detection. These results may suggest a more pragmatic view of being able to detect risks 

everywhere they exist, together with a greater sense of responsibility to circumvent them, is 

reflected in the increase challenges across the board. 

Internal ombudsman 

No Set Policies for Reporting 

Respondents 

2007 2400% 

More companies facing significant challenges to detection – More companies indicate 

2008 1700% 

58% 

having challenges detecting risks than in 2007. This suggests 52% that companies are finding it 

difficult to establish reliable detection procedures which employees trust and feel inspired to 

participate in. Companies indicated having the following challenges 2007 in 2008: 

• employee fear of retaliation, 

• lack of employee motivation, 

• inappropriate uses of reporting channels, 

• lack of formal management process, 

• employee lack of understanding, and 

• insufficient staff to respond. 

Top Detection Challenges 2007 2008 

Employees fear retaliation 5000% 6400% 

Employees not motivated 3500% 5400% 

No significant challenges 4500% 4600% 

Inappropriate uses 2900% 4200% 

Lack of formal management 1300% 3300% 

Employees don't understand 1700% 2800% 

Insufficient staff to respond 900% 1900% 

Other 2200% 1300% 

2007 

2008 

Educating Board of Directors 

64% 

2007 

70% 

2008 

100% 

80% 

60% 

40% 

20% 

0% 

% Respondents 

% Respondents 

100% 

80% 

60% 

40% 

20% 

0% 

% Respondents 

Employees fear retaliation 

Employees not motivated 

No significant challenges 

Inappropriate uses 

Lack of formal management 

Employees don't understand 

Insufficient staff to respond 

Other 

50% 

64% 

35% 

54% 

45% 

46% 

29% 

42% 

13% 

33% 

17% 

28% 

9% 

19% 

22% 

13% 

Top Detection Challenges 

% Respondents 

0% 20% 40% 60% 80% 100% 

2007 

2008 


TRENDS 

ondents man 

900% 

000% 

Respondents 

2007 2900% 

2008 4000% 

ondents r Reporting 

400% 

Respondents 

700% 2007 2400% 

2008 1700% 

2007 2008 

000% 

hallenges 

6400% 

2007 2008 

500% etaliation 5400% 5000% 6400% 

500% otivated 4600% 3500% 5400% 

allenges 900% 4200% 4500% 4600% 

300% s 3300% 2900% 4200% 

anagement 700% 2800% 1300% 3300% 

understand1900% 

1700% 2800% 

o 200% respond 1300% 900% 1900% 

2200% 1300% 

52% 

2007 

Increased use of internal ombudsman – Compared to 2007, more companies indicated 

having an internal ombudsman – responsible for investigating and resolving issues – as a 

potential channel for reporting violations, 40% in ‘08 vs. 29% in ‘07. 

Internal Ombudsman 


100% 

58% 

52% 

2008 2007 

80% 

60% 

40% 

58% 

20% 

0% 

100% 

80% 

60% 

40% 

20% 

0% 

2008 % Respondents 

% Respondents 



24% 

17% 

10% 

17% 

0% 

0% 

2007 

2008 2007 % Respondents 

2008 

% Respond 

More Companies having set policies for reporting violations – Compared to 2007, the 

percentage of respondents indicating that their company has no set policies for reporting 

decreased by 60%. In 2007, nearly one-quarter of respondents had no set policy for 

reporting violations, whereas in 2008, only 17% responded having no reporting policy. 

24% 

50% 

40% 

30% 

20% 

50% 

40% 

30% 

20% 

10% 

Top Detection Challenges 

Top Detection Challenges % Respondents 

% Respondents 

0% 20% 40% 60% 80% 100% 

0% 20% 40% 60% 80% 100% 

50% 

aliation 

50% 

mployees fear retaliation 64% 

64% 

35% 

otivated 

mployees not motivated 54% 

45% 

allenges 

No significant challenges 46% 

29% 

ate uses 

Inappropriate 42% uses 

13% 

agement 

ck of formal management 

33% 

17% 

derstand 

ployees don't understand 

28% 

9% 

respond 

nsufficient staff to 19% respond 

Other 

22% 

13% 

2007 

2008 

Other 

35% 

54% 

45% 

46% 

29% 

42% 

13% 

33% 

17% 

28% 

9% 

19% 

22% 

13% 

2007 

2008 

Evaluating Risks 

Amendments to the US Federal Sentencing Guidelines call for organizations to “take 

reasonable steps to evaluate periodically the effectiveness of the organization’s compliance 

and ethics program,” including oversight by “high-level personnel.” 2 Similarly, Sarbanes- 

Oxley Section 404 requires management to take responsibility for and assess the 

effectiveness of internal controls and procedures. Several trends in how companies evaluate 

their ethics and compliance programs point to weakening capabilities among companies 

Formal Culture Assessment 

to benefit from measuring their program effectiveness and using the results to create 

Year 

%Respondents 

2007 2500% 

improvements. While some 2008 survey findings are positive, several key evaluation practices 

2008 3500% 

are declining when compared to 2007. 

Top Challenges in Evaluating in Ethics and Compliance Program 2007 2008 

More companies 

Correlating results 

using 

to business 

a 

improvements 

formal cultural assessment 

3300% 

– 

2500% 

A significant increase occurred 

Correlating data to results 3900% 2400% 

in the number Aggregating of and companies analyzing data using a formal cultural assessment: 2900% 2300% 35% of respondents in 2008 

Collecting data programs conducted at international regions 2200% 1400% 

vs. only 25% of respondents in 2007. The more common use of formal cultural assessments 

demonstrates that companies recognize the need to build awareness and create a value-based 

culture rather than basing their programs simply on ensuring compliance with regulations. 


50% 

40% 

Correlating results 

business improveme 

35% 

30% 

Correlating data to resu 

25% 

20% 

2007 

2008 

10% 

0% 

% Respondents 

Aggregating a 

analyzing d 

Collecting data 

programs conduc 

at international regio 


TRENDS 

%Respondents 

2007 2500% 

2008 3500% 

in Ethics and Compliance Program 2007 2008 

improvements 3300% 2500% 

3900% 2400% 

ta 2900% 2300% 

onducted at international regions 2200% 1400% 

Companies increased their abilities to evaluate their data – Two measures suggest 

companies are improving their use of data collected in evaluations. First, nearly 40% fewer 

companies cite having difficulty in correlating evaluation data to results than in 2007, 

and similarly, nearly 25% fewer companies have problems correlating results to business 

improvements. Aggregating and analyzing data also improved, with about 20% fewer 

companies marking this challenge. 

Top Challenges in Evaluating in Ethics and Compliance Program 

% Respondents 


50% 

40% 

Correlating results to 

business improvements 

39% 

25% 

0% 10% 20% 30% 40% 50% 

35% 

30% 

20% 

Correlating data to results 

33% 

24% 

10% 

0% 

Aggregating and 

analyzing data 

29% 

23% 

2008 

% Respondents 

Collecting data on 

programs conducted 

at international regions 

22% 

14% 

2007 

2008 


Why Ethics and 

Compliance Risk 

Assessment Must 

Be Integrated into 

Your Business 

An Interview with Diana Lutz, 

Professional Services Executive, LRN 

Risk assessments are not just opportunities to gather 

information about current risks but as importantly, to 

anticipate and plan for mitigation of identifiable future 

risks. In today’s business world, strategic decisions must 

evaluate future elements of risk. According to Diana Lutz, 

Professional Services Executive at LRN, companies are not 

getting the full value of ethics and compliance programs 

or risk assessment if they ignore the impact on business 

planning. “Ethics and compliance professionals should 

be involved on the business team,” she explains. “They 

should know what new products are being considered, 

what new sales models might be implemented, if there 

are new offices and locations under consideration, and 

other strategic plans that might cause them to encounter 

new risk or which could create gaps in the effectiveness 

of the company’s ethics and compliance program. When 

strategy is being discussed, the ethics and compliance 

officer should be at the table to recognize and advise on 

potential challenges and to offer solutions that can be 

integrated into the planning process. ” 

Similarly, the formal risk assessment process should 

also consider future business plans. The process should 

include questions designed to create discussion and 

review of the potential for certain risks coming to 

fruition and the likely impact of those risks. This is also 

a reason why ethics and compliance risk assessments 

should be integrated into other business assessments. 

“When companies put business units and support units 

in silos the lack of communication hampers prompt 

identification of risks,” Diana notes. “Integrating 

assessments helps reach out and gather data not only in 

the ethics and compliance group, but in finance, IT, and 

among all those whose data could help the company 

spot risk areas and trends. For example, if one part of 

your business is significantly over or underperforming 

expectations, it could be a warning sign that something 

is awry and that related risks need to be evaluated.” 

DISCUSSION 

The 2008 survey results and the trends evident since 2007 are highly revealing about the 

state of ethics and compliance programs and the challenges of the future. Overall, one 

might conclude that 2007 was a threshold year, with ethics and compliance professionals 

taking steps to transition their programs towards greater maturity and effectiveness. 

Companies with more mature ethics and compliance functions show high confidence levels, 

and it is likely those enterprises that are implementing best practices across their ethics and 

compliance program. Nearly 1 in 4 global companies even rated themselves between 9 and 

10, on a 10-point scale, for accuracy and timeliness of their ethics and compliance efforts. 

Meanwhile, less mature companies appear, on average, to be making smaller but effective 

strides to implement the basics of an effective ethics and compliance program. 

The impetus for program growth in ethics and compliance in 2007 is clearly a more 

stringent and complex regulatory and legal environment, both in the United States and 

globally, in which companies must operate. A surge of new regulations in the U.S. and EU, 

combined with more aggressive FCPA monitoring and prosecutions, and an increasing public 

intolerance of unethical business conduct, is forcing companies to “get their act together” 

when it comes to managing and mitigating risks and ensuring ethical behavior among all 

employees. The cost of compliance violations and ethical breaches is mounting, both in sheer 

dollars paid in fines and the reputational damage companies suffer when their unethical 

conduct hits the front page of the business section. It is clear that companies can no longer 

afford to procrastinate in developing and implementing best practices in their ethics and 

compliance programs, given the pressures of today’s legal and business environment that 

requires them not just to out-perform their competitors but to out-behave them. 

More and more companies are recognizing that ethics and compliance is the new frontier 

of business strategy. Increasing research demonstrates that forward-looking companies that 

put in place comprehensive and holistic ethics and compliance programs – i.e., programs 

that do not simply ensure the organization meet all regulatory requirements but that embed 

values-based business conduct into their culture – enhance their capabilities to compete in 

the marketplace. Without the distractions that accompany conflicting ethical viewpoints and 

goals or concerns over potential and actual rules infractions. Companies should concentrate 

on the workforce or the management of compliance infractions, companies can thrive 

through inspiration, motivating employees to be their best. An ethical work environment 

leads to more productive and profitable organizations. 

How can companies cross the thresholds to reach the goal described above What is 

required to transform their ethics and compliance programs from predominantly reactive, 

rules based initiatives to highly responsive, values-based programs woven into their 

organizational culture Making the transition first means ensuring they have all the basics 

of a solid ethics and compliance program that contains strong risk management procedures 

to meet all regulatory compliance requirements. More importantly, is transitioning their 

programs to go beyond “check the box” risk management processes by refocusing the 

soul of the program onto values-inspired business conduct. Employees must move beyond 

making business decisions to satisfy regulations and rules because they are not enough. 

Such narrow motivation tends to lead to frequent confusion over gray areas. Rules-based 

motivation fails to inspire and engage people to be their best selves. Companies must seek 

to create a business environment based on trust, transparency, and self-governing behavior, 

by embedding values into the heart and minds of their employees. 

Clearly, ethics and compliance officers are challenged to obtain the time, budget, staff 

and commitment of their companies to achieve these greater goals. It can be tempting to 


DISCUSSION 

simply stay focused on ensuring adequate check-the box programs that meet regulatory 

requirements are in place but stop short of building a truly ethical culture. Company 

leadership may require absolute proof that a greater investment in ethics and compliance 

pays off, and that it is possible to alter the corporate culture meaningfully. However, models 

of successful transformations now exist that prove that an ethical culture positively impacts 

the bottom line. Companies that commit to this “journey of significance” to instill values 

and inspiration into their organizational culture will find that their ethics and compliance 

programs become far more effective, their employees more engaged, their reputation 

enhanced, and their performance and competitiveness improved. 

In terms of the results of the LRN 2008 Ethics and Compliance survey, the perspectives below 

provide a high-level roadmap for how companies can take steps to implement best practices 

across the five phases of risk management and mitigation, mature ethics and compliance 

programs, and cross the threshold from rules-based compliance to values-based culture. 

Define 

Risk management and mitigation requires a strong set of procedures to identify risks, 

understand their potential impact, and target how and where they may occur. Regular risk 

assessments, along with ranking and mapping the results in appropriate ways can help to 

ensure better risk management. Every function within the organization needs to evaluate 

their specific risks and contribute to a comprehensive understanding of the company’s status 

both immediate and in the future. Involving functional managers is particularly important 

to obtain their in-depth, front-line knowledge of where risks may lie, and to reinforce 

their role to root out ethical misconduct and to be a channel for reporting. Integrating risk 

assessments into other business assessments can be a valuable method to capture risks that 

may have gone undetected in business planning. 

In today’s fast-paced business world, risks can also change frequently, so companies need 

to schedule risk assessments as frequently as necessary, taking into account the nature of 

their business, updated or new regulations, and the need to track global differences among 

regulations. Finally, sharing the findings of the risk assessment with the Board, senior 

management, line managers, and even employees, transforms the process into a shared 

responsibility, and communicates that the entire company is committed to avoiding ethical 

breaches, rather than guarding risk assessments as an internal audit not to be shared. 

Survey results indicate that, while companies perform formal risk assessments, the majority 

don’t undertake them in an integrated holistic way that offers many benefits. A bare 

majority of firms integrate the risk assessments into other business processes, and mapping 

and ranking are seldom implemented. Less than half of the respondents involve their 

Business managers or convey the findings to them, and only 25% discuss the status of the 

risk findings with employees. 

The greatest challenges to ethics and compliance effectiveness year on year continue to be 

employee engagement in ethics and compliance, educational relevancy, employees fear of 

retaliation, motivation to report violations, and difficulty correlating the findings of program 

evaluations with business results. 

The basics of an adequate if not robust risk management program must begin with 

improving the entire risk assessment process. While nearly half of companies cite “lack of 

resources” as their leading challenge, the fact remains that companies seeking to improve 

the effectiveness and efficiency of their risk assessments simply need to devote greater 

resources to it. And given how better risk assessments – and communication about their 


Educating a 

Diverse Workforce 

An Interview with Marsha Ershaghi, 

Director of Education Solutions, LRN 

A new reality in today’s world is that the workforce 

is changing. Companies are increasingly hiring the 

“Millennial” generation, those born between 1985 and 

2001, the first wave of whom are now in the early 20s 

and starting to enter the workforce following completion 

from their college or graduate business programs. 

Meanwhile, the main body of the workforce continues 

to be comprised of baby boomers, those born between 

1946 and 1964, the first wave of whom will be officially 

retiring within the next 3 to 5 years. As one generation 

enters while the other exits, companies will increasingly 

face a “blended workforce” composed of two groups of 

people who literally have different upbringings, values, 

social and political views, and styles of learning. 

According to Marsha Ershaghi, Director of Education 

Solutions at LRN and a Doctoral candidate in educational 

technology, generational differences in learning will 

become a driving force to change how companies 

engage employees about ethics and compliance. As 

the 2008 survey results demonstrate, relevancy and 

engagement are already key challenges in educating 

employees and motivating them to take ethics and 

compliance seriously, as well as to report violations. 

One cause of this is the fact that many companies have 

only recently adopted online educational courses that 

offer more flexibility and interactive engagement to 

employees, as few adults, whether boomer or Millennial, 

tolerate dull, lifeless learning. 

However, with the Millennials – a generation that grew 

up with constant access to computer technology, video, 

gaming, and the Internet – the methods and nature of 

engaging them will need to change to accommodate 

their preferred learning styles and capabilities. “There are 

specific ingredients of an effective learning experience 

for Millennials,” notes Marsha. “They must have a 

blend of analysis and critical thinking, with elements 

of entertainment, immediate feedback, practical 

application, and personnel relevance.” 

One type of learning that especially appeals to 

Millennials is interactive gaming. This is why 10% of 

survey respondents in this year’s survey indicate that 

some forward-looking companies are already recognizing 

its value to educate its younger workforce about ethics 

DISCUSSION 

findings – can contribute to a greater understanding among managers and employees, 

this more holistic and transparent approach takes a step in crossing the threshold towards 

making risk assessments a key part of the organization’s culture, rather than a compliance 

necessity. In other words, the more everyone in the organization understands the need to 

guard the organization’s reputation and assets, the more risk assessments will inspire people 

to take responsibility for their own culture. It is one element in the process of transitioning 

toward self-governance. 

Prevent 

To be successful, risk prevention efforts require that employees recognize the relevance of 

the education to their jobs and their future and buy into the company’s commitment to build 

its cultural values. Without that, no amount of education will motivate employees to learn 

the rules or be inspired to internalize the company’s values and policies. It may be possible to 

“train” employees about compliance regulations, but “educating” them to assimilate their 

significance in the company’s culture and to apply them in their everyday conduct cannot 

happen without relevancy and engagement. 

The first step in formulating an effective education program must come from the highest 

levels, the Board and senior leadership, which need to inspire employees by communicating 

a clear vision of the company, its culture, and its future. Employees must hear and believe 

that the greater success of the company leads to their greater success. This reality makes 

developing senior management and business management education foundational aspects 

of a solid prevention program. 

Beyond that, companies must offer a wide range of prevention education to suit the 

learning styles and working habits of their workforce. Programs need to be tailored to the 

time and schedules that employees have available. They must reflect local cultural and legal 

understandings so as to avoid being irrelevant or biased. They need to appeal to the diverse 

workforce the company employs, which may include global localization and translations. 

They are most effective if they are targeted at the employee’s job function and how it 

intersects with ethics and compliance concerns and risks. And, most importantly, they must 

engage the employee’s mind and heart in order to motivate learning the concepts, adopting 

the values, and developing confidence and trust that the company truly cares to have 

employee as part of its culture. 

An important element of prevention is that the education should be customized, to the 

greatest extent possible, to speak to the employee in a way that engages and inspires that 

individual. This requires recognizing that the company’s workforce consists of many types of 

workers, who will increasingly reflect generational differences in learning style, educational 

background, and capabilities using technology. 

To date, only modest strides are being made in the use of cultural relevant education best 

practices. While 8 out of 10 companies have codes of conduct, utilize online education, 

or offer classroom experiences, 5 in 10 companies struggle with cultural differences, 4 in 

10 companies say there are challenges to make the education relevant, and 2 in 10 cite 

lack of translated materials, low leadership support, or low employee motivation. There is 

disconnect between the efforts to educate employees and the sense that the efforts are 

successful. However, it does appear that companies have recognized the importance of 

educating their boards and senior leadership and have increased efforts since 2007. This 

alone is a positive step, but the dots must be also connected between developing the 

company’s leadership and educating its employees. The company must be viewed as one 

organization on the same journey. 


DISCUSSION 

continued... 

and compliance. “Another advantage of interactive 

gaming is that it provides a mobile element to learning,” 

notes Marsha. “In the world of iPods and iPhones, 

learning can’t always take place at a scheduled time. 

By using it for critical risk areas, it allows you to tap into 

employee time with greater frequency and shorter bursts, 

which breeds more effectiveness and greater retention.” 

Another change is that corporations will need to tilt 

enterprise learning from passive to engaged. While 74 

percent of survey respondents use offline education, 

which may have a degree interactivity in it – such as 

simulated exercises from a live instructor, or watching 

a video-based vignette, followed by discussion – the 

deepest level of interactivity, says Marsha, “is when you 

can simulate being in that person’s shoes, making the 

decisions.” Leveraging interactive learning tools allows 

companies to simulate that decision making. As a result, 

companies are tapping into new types of ethics and 

compliance products, such as experiential learning games. 

Companies are discovering that Boomers and Millennials 

come from two worlds of learning, but in some cases 

they can help each other. Marsha notes that some 

companies have initiated “mentor” programs where 

experienced Boomer workers mentor Millennials on 

institutional knowledge transfer, while Millennials 

mentor Boomers on how to use new technologies. Says 

Ershaghi, “You have to be creative in how you educate 

employees and facilitate engagement and activity, and 

appeal to different learning styles. Education today 

has to be entertaining and story-based; it must also 

be localized when you’re dealing with multinational 

companies. The good news is companies are finally 

waking up to these changes. 

The path beyond providing “just” compliance education to employees depends extensively 

on disseminating a sincere message that the company’s future is invested in its culture. 

Employees at every level must feel inspired to be part of that culture and to take personal 

responsibility to protect it. An element of trust and mutual loyalty is necessary to drive 

people’s buy-in that their learning the rules and living the values of the company truly matters. 

Employees must feel in their hearts, not just understand in their minds, that their ethical 

conduct will help drive the company to better performance and thus greater rewards. 

“Doing the right thing” then becomes meaningful not to simply comply with some 

distant, faraway regulation, but to obtain competitive advantage, job satisfaction, and 

personal achievement. 

Detect 

Detecting violations is perhaps the Achilles heel of the ethics and compliance industry. 

Many ethics and compliance breaches remain undetected for long periods of time, often 

because people are reluctant to report them, but sometimes because the regulations are 

so gray, it is not clear that a violation occurred until it is too late. For this reason, the entire 

workforce must not only be cognizant of the rules, but also trust that the company’s 

professed values of transparency will welcome disclosure with no threat of retaliation or 

adverse repercussions. Companies therefore need to maintain as many channels as possible 

to encourage employees to talk, to inform themselves and evaluate their knowledge and 

understanding of the laws and policies and, as necessary, to formally report violations. 

Companies must establish clear policies about which channel for reporting violations is best 

used first, and why. This may vary among a company’s regional offices, because of logistical 

constraints or cultural differences, but it should aim to be as consistent as possible across 

the entire organization, even in global companies, and demonstrate the same commitment 

to zero tolerance of ethics and compliance breaches. The greater understanding employees 

have about the detection process, the more likely they will use it. 

One of the most effective channels to encourage discussion is line management. Employees 

need to feel they can go to their manager or supervisor as soon as they believe something 

contrary to the law or company policy is occurring in their work area or among people with 

whom they conduct business. This is especially true in global cultures where companies 

need to spell out very clearly why they offer an anonymous helpline, what situations are 

appropriate for calling it, what level of confidentiality will be maintained when employees 

call it, and what will happen to employees who report violations. 

Based on the 2007 survey results, companies seem to have the reporting channels in place. 

Nearly every company has an anonymous helpline, as outlined in the U.S. Federal Sentencing 

Guidelines, and nearly 9 out of 10 companies offer at least three channels for reporting. 

That may explain why one-half of respondents say they have no significant challenges about 

detecting. But for the other half, having the detection mechanisms available is not removing 

two fundamental barriers to accurate and complete detection. Companies have built the 

infrastructures, but the audience is not showing up. In nearly 8 in 10 companies having a 

single location, the respondents report that their employees fear retaliation; in nearly 7 of 10 

of those companies, they say employees are not motivated to report. The results are slightly 

better among multinational companies, but both barriers still challenge close to half of 

global companies. 


Avoiding the 

Pitfalls of 

Detection 

An Interview with Marjorie Doyle, 

Global Practice Leader, Ethics and Compliance 

Solutions, LRN 

Marjorie Doyle has extensive expertise in building 

sound detection programs and avoiding the pitfalls 

that plague many organizations. She notes that “not 

enough resources” is a perennial challenge in ethics and 

compliance, but companies cannot rely solely on having 

an anonymous hotline and wait for the calls to come 

in. “Companies need to have a wide range of tools to 

implement robust and effective detection procedures, 

she says. “Most programs run out of resources by the 

time they get to auditing and monitoring, and they put 

their faith on having a hotline, without having thought 

about how to get people to use it.” As EVP and Chief 

Compliance Officer at Vetco, and Chief Compliance 

Officer at DuPont, she found that a company’s culture 

has a lot to do with whether employees will trust the 

hotline and be willing to use it. Companies need to be 

completely transparent, explaining in clear terms how 

reporting channels work, when employees should call, 

and what are the ramifications of reporting violations. In 

addition, Marjorie offers the following counsels: 

Look Ahead, Not Back: Too many risk assessment 

processes focus on past problems rather than on 

business strategies going forward. Some areas that 

require the most diligent detection simply don’t exist at 

the current moment, but will appear once the company 

enters a new market, completes a merger or moves 

a half-dozen back-office processes to an offshore 

outsourcing provider. Effective ethics and compliance risk 

management and detection procedures need to look as 

much forward as backward. 

Pay Attention to the Middle: Studies have shown 

that when most people are faced with an ethics or 

compliance decision, they consider three things, in 

this order: 1) how their immediate boss is behaving; 

2) how their colleagues behave; and 3) their own 

moral compass. This places the largest responsibility 

on front-line supervisors, who need to recognize their 

role in effective detection. As a result, legal and ethics 

and compliance professionals need to effectively 

communicate with these supervisors. You have to win 

their hearts and minds to convince them that ethics 

DISCUSSION 

The keys to improving detection as companies mature their ethics and compliance programs 

require a dual-pronged effort. One prong must focus on clearer communications with 

employees about what, why, how and when to report, and the other prong is, yet again, 

to instill trust in employees that the company’s culture is based on self-governance, which 

means everyone must assume a role in watching over the ethical health of the firm. No 

one can be immune from taking responsibility to report violations. Clearly, to achieve this 

buy-in, companies must look inward and have honest discussions to fashion fair policies 

about reporting. If they are going to have zero tolerance for infractions, they must have zero 

tolerance for retaliations. Mutual trust will drive detection. 

Respond 

If detecting violations is the chink in the armor of ethics and compliance, investigating 

violations is the shield. Given that companies have had to investigate ethics and compliance 

problems for many years, they have built up the expertise to handle them correctly. Good 

investigation procedures are being followed in many companies: e.g., involving many 

functions, from legal to HR to Ethics & Compliance, and alternating the leadership of the 

investigation as necessary depending on the nature of the violation. 30% of companies 

report having no significant challenges in investigating violations. This is one area where 

team efforts clearly have a positive impact on success. 

Can responding to violations be improved further The keys appear to be in better training 

for investigators and hiring more of them. These two factors are tied in with the leading 

challenge: not enough resources, cited by nearly 1/3 of respondents. It is likely that when 

companies provide a greater commitment to an ethical culture, they will experience fewer 

violations, and resource savings can be made in responding activities. In short, a values-based 

culture and self-governance will yield savings that can be applied elsewhere. 

Evaluate 

When it comes to evaluating ethics and compliance efforts, companies must understand 

how successful their programs are in mitigating risks, reducing ethical breaches, improving 

employee conduct, and increasingly, in analyzing performance improvements that their 

programs contribute towards the company’s bottom line. Companies need to periodically 

measure how their programs are faring in their workplaces. These evaluations may be 

quantitative or qualitative, or both, depending on each company’s needs. The findings 

from evaluations are most valuable when they are used to improve the programs being 

offered, thus increasing understanding and establishing clear linkages between ethics and 

compliance programs and their improved business results. A key best practice is to share 

the evaluation results with the Board and senior leadership, ensuring that they stay in 

touch with the program’s results and, by extension, its value to the company. This should 

assist in reinforcing their support for the program, which then cascades back through their 

communications to employees that the company is making progress. In effect, evaluations 

are the corollary to risk assessments, bringing the cycle of activities full circle, demonstrating 

a return on investment. 

The 2008 survey indicates that nearly three-quarters of companies are making efforts at 

using evaluations to improve their programs. More companies perform annual evaluations 

than quarterly ones, but the frequency depends entirely on each company’s needs. On the 

downside, only 6 in 10 companies share the findings with their board, and almost 1 in 3 

companies lack resources to conduct evaluations. Also down are the uses of qualitative and 

quantitative measures. Such results might indicate that some companies are not yet mature 

in their evaluation processes, and they will need to invest more to master this phase of the 

ethics and compliance process. 


DISCUSSION 

continued... 

and compliance education and detection processes 

are not another “flavor of the month.” They need to 

understand and believe how a violation can affect their 

specific business. 

Communicate Findings and Results: Many 

companies prefer to remain tight-lipped after an 

ethical or compliance failure, a near failure or even 

a positive example of an employee adhering to an 

important guideline. The tendency to keep these reallife 

occurrences quiet prevents a golden educational 

opportunity. Real-life accounts of ethical and compliance 

wins and losses drives home the effectiveness of the 

detection process, educates employees on policies and 

procedures and sends the message that management 

is serious about investigating and holding the company 

and its people accountable. 

And finally performing a formal cultural assessment is the foundation’s best practice to 

baseline and evaluate an effective program. Those companies that are serious about transforming 

their cultures must logically begin with a formal cultural assessment. The adage 

“You can’t know where you are going until you know where you are” applies here. The 

survey results indicate a rising trend of companies doing a formal cultural assessment, 35% 

in 2008 compared to 25% in 2007. More companies are implementing this best practice, 

indicating that at least 1 in 3 companies has begun a journey of significance to understand, 

measure , and improve their entire corporate culture, not just implement a compliance program. 

Footnote 1 & 2: 2005 Federal Sentencing Guidelines §8B2.1(a)(2). “2005 Federal Sentencing Guidelines Manual and 

Appendices” (United States Sentencing Commission, effective 1 November 2005) http://www.ussc. gov/guidelin.htm 

(February 17, 2006) 

Translate Policies: The effectiveness of all risk 

prevention and detection programs diminishes with 

distance and cultural/linguistic barriers. Too many 

companies don’t translate their policies and procedures 

into the languages spoken at the company’s overseas 

locations. The farther employees are from HQ the less 

they understand what they are supposed to do. These 

challenges are significantly multiplied in countries where 

reporting runs counter to cultural standards or is limited 

by law. 


2008 DETAILED RESULTS 

DEFINE 

1. Is your ethics and compliance risk assessment process integrated with other risk 

assessment processes within your enterprise 

Nearly 9 out of 10 enterprises conduct ethics and compliance risk assessments. 

Respondents 

Yes 58% 

No 19% 

Don't know 10% 

We do not perform 13% 

Ethics & Compliance Risks Integrated with ERM Program 

We do not perform 

Managers 

Function 2008 

Compliance 6300% 

Legal 6200% 

Internal Audit 5900% 

Executive Team 5600% 

Human Resources 5100% 

Board of Directors 4700% 

Finance 4400% 

Business managers 4100% 

Ethics 3900% 

IT 3800% 

Data Privacy 3400% 

Risk Office 2300% 

External Auditors 2200% 

Consultants 1400% 

Managers Involved in Risk Assessments%Respondents 

Under 5,000 4200% 

Over 10,000 5600% 

Top Ethics and Compliance Risks %Respondents 

Electronic Data Protection 5200% 


Intellectual Property 3200% 

Environment Health and Intellectual Property 3000% 

FCPA and Anti-bribery 2700% 

Sexual Harassment 2600% 

Export Controls 2300% 

Conflicts of interest 2100% 

Supply Chain 2000% 

Insider Trading 1600% 

Frequency of Conducting Risk Assessments Respondents 

Annually 144 39% 

Periodically as part of audit 90 25% 

No formal or set schedule 51 14% 

More than once a year 34 9% 

I do not know 28 8% 

Less than once a year 17 5% 

365 

Using information from Risk Assessment%Respondents 

Share findings 7100% 

Rank findings 5100% 

Apply findings to programs 4300% 

Map findings 3200% 

Ethics & Compliance Risks Integrated with ERM Program 


Other metrics 300% 


Don’t know 

No 

10% 

19% 

13% 

% Respondents 

Only 12% of respondent companies do not perform risk assessments, nearly unchanged 

since 2007. The lifecycle Frequency of a comprehensive, of Conducting Risk effective Assessments risk management and mitigation 

program must begin with understanding and measuring risks. Integrating the assessment 

Less than once a year 

with other business processes especially boosts its effectiveness, given that ethics and 

I do not know 

compliance concerns now filter down into nearly every department and operation of 

enterprises. Conducting More holistic than risk 8% assessments 5% in conjunction with financial auditing, 

once a year 

manufacturing, marketing, sales, 9% IT, and other functions ensures that a more complete range 

of risks are identified and correlated to ethics and 40% compliance Annually concerns as necessary. 

Disappointing in these No formal results or is the 14% fact that nearly 2 in 10 companies (19%) still do not 

integrate their risk assessments 

set schedule 

with other business processes. Among the potential 

explanations of this fact can be: the ethics 25% and compliance function has only recently been 

created, a budget shortage, or an industry-specific rationale that precludes the need to integrate. 

Periodically as 

part of audit 

2. What Functions are involved in the Ethics and Compliance Risk Assessment 

% Respondents 

A wide range of functions may be involved in risk assessments, though four 

typically lead the field. 

58% 

Managers Involved in Risk Assessments 

Yes 

100% 

42% 

Under 5,000 

employees 

Electronic Da 

Intelle 

Environment Health and Intelle 

FCPA an 

Sexu 

E 

Conf 

13% 

Map risks according to: 

% Respondents 

Don’t know 

Specific employees or groups 2900% 

10% 


56% 

80% 

60% 

40% 

No 

19% 

58% 

Yes 

42% 

20% 

Using 0% information from Risk Assessment 

Ranking findings according to: % Respondents 

Probability of occurrence 4400% 

Monetary value 2700% 


% Respondents 

Under 5,000 

employees 

Over 100% 10,000 

employees 

80% 

% Respondents 

60% 

71% 

Top Risk Assessment Challenges % Respondents 

Inadequate Frequency resources of Conducting Risk Assessments 4700% 

Obtaining accurate/ quantifiable info 3500% 

Conducting a global assessment 2600% 

Analyzing and applying Less the findings than once a year 2000% 

Insufficient technology 2000% 

No I do significant not know challenges 1200% 


40% 

51% 

LRN | 2008 Ethics and Compliance Top Risk Ethics Management and Compliance Practices RisksReport 32% | 23 

43% 

20% 

10% 

% Respondents 

0% 

3%


rform 

13% 

13% Don’t know 

10% 

10% 

19% 

58% 

19% No 58% 

Yes 

% Respondents 

% Respondents 

Yes 

Managers Involved in Risk Assessments 

56% 

42% 

60% 

56% 

42% 

The 2008 results demonstrate that a wide 20% range of functions are involved in risk 

0% 

assessments, including ethics and compliance, legal, internal audit, HR and finance, 

0% 

consistently leading Under the 5,000 pack of involved parties. 

Under 5,000 

employees 

employees 

Over 10,000 

employees 

100% 

80% 

40% 

Over 10,000 

% Respondents 

employees 

3. What are your top ethics and compliance risks 

100% 

80% 

60% 

40% 

20% 

% Respondents 

DETAILED RESULTS 

Electronic data protection and data privacy are the top two challenges of today’s 

compliance world. 

Frequency of Conducting Risk Assessments 

Conducting Risk Assessments 

Top Ethics and Compliance Risks 


Top Ethics and Compliance Risks 


I do not know 

% Respondents 

% Respondents 

0% 20% 40% 60% 80% 100% 

More than 8% 5% 

once a year 

0% 20% 40% 60% 80% 100% 

8% 5% 

9% 



40% Annually 


40% Annually 


14% 


No formal or 


set schedule 




25% 



25% 





cally as part of audit 


audit 

Conflicts of interest 21% Supply Chain 20% 

% Respondents 

Supply Chain 20% Insider Trading 16% 

% Respondents 


As discussed in Key Findings, electronic data protection and privacy are at the top of 2008 

concerns for ethics and compliance professionals. One likely reason is that IT departments 

can no longer be solely responsible for the wide range of compliance regulations facing 

enterprises. New laws regarding data privacy in both the U.S. and Europe create need for 

additional compliance. Legal, HR, and ethics and compliance departments are needed to 

interpret and understand the laws, educate employees, and write corporate-wide policies on 

electronic data protection and privacy. 

100% 

80% 

60% 

40% 

20% 

0% 

espondents 

s 

7% 

21% 

Using information from Risk Assessment 


100% 

80% 

60% 

71% 

40% 

20% 

0% 

% Respondents 

71% 

51% 

Share findings 

Rank findings 

Map findings 

Apply findings to programs 


Rank findings 

Map findings 

Apply findings to programs Other metrics 

Don't know 

Other metrics 

Don't know 

51% 

43% 

32% 

Another major challenge is conflicts of interest, ranked third highest Mapping risk area. Risks The category 

is broad and contains many gray areas that are often 

Mapping 

difficult 

Risks 

to educate employees about 

50% 

beyond instructing them about rules and 50% regulations, rather providing clear corporate 

40% 

values to aid their decision making when there is no definitive answer. Conflict of interest 

40% 

concerns range from hiring and firing issues to contract 30% administration, to sales interactions. 

30% 

There is a heightened government and public intolerance of situations in which employees 

20% 

29% 

have personal interests at stake when making 20% decisions on 

29% 

behalf of their company, their 

10% 

customers or taxpayers. Non-compliant companies face severe penalties and reputational risk. 

43% 

32% 

One additional 

10% 3% 

observation about these results % is Respondents that, despite globalization and the 

3% 

% Respondents 

increased correlation between a company’s reputation and the actions of its business 

Specific employees or Other groups metrics 

ecosystem, companies do not yet perceive their Supply Chain or extended ecosystem as 

Other metrics 

a major risk. Companies that depend heavily on extended alliances distributors should 

reevaluate communication and training for suppliers, agents and contractors, especially if 

they are located overseas and lack consistent supervision. 

10% 

% Respondents 

% Respondents 

0% 10% 20% 30% 40% 50% 

0% 10% 20% 30% 40% 50% 

Inadequate resources 47% 






Analyzing and applying the findings 20% 





10% 

0% 

0% 



Specific employees or groups 


11% 

11%

Function 2008 


Legal 

2008 

6200% 

Internal Audit 5900% 

6300% 

Executive 

6200% 

Team 5600% 

Human Resources 

5900% 

5100% 

Board of 

5600% 

Directors 4700% 

Finance 

5100% 

4400% 

Business 

4700% 

managers 4100% 

Ethics 

4400% 

3900% 

IT 

4100% 

3800% 

Data Privacy 

3900% 

3400% 

Risk Office 

3800% 

2300% 

External 

3400% 

Auditors 2200% 

Consultants 

2300% 

1400% 

2200% 

Managers 1400% Involved in Risk Assessments%Respondents 

Under 5,000 4200% 

Over 10,000 

in Risk Assessments%Respondents 

5600% 

4200% 

5600% 

Don’t know 

No 

10% 

19% 

13% 

Don’t know 

58% 

No 

Yes 

10% 

19% 


4. What is the Frequency of conducting Ethics and Compliance Risk Assessment 

About 4 in 10 enterprises conduct risk assessments % Respondents annually 

Another 25% performing % Respondentsthem periodically as part of their audit procedures. 

13% 

58% 


Yes 

42% 

Under 5,000 

employees 

56% 

Over 10,000 

employees 

42% 

Under 5,000 

employees 



Top Ethics and Compliance Risks %Respondents 

Top 




I do not know 

pliance Risks %Respondents 


5200% 

Environment Health and Intellectual Property 3000% I do not know 

4700% 

More than 


8% 5% 

3200% 


once a year 

ellectual Property 3000% 

Electronic 0% 2 

Export Controls 2300% More than 

9% 

2700% 

8% 5% 

Conflicts of interest 

2600% 

2100% once a year 


40% Annually 

2300% 

9% 



1600% 

14% 

Inte 

2000% 

No formal 40% or Annually 


Frequency of 1600% Conducting Risk Assessments Respondents 

set schedule 

Intellectual 

Environment 

Property 

Health 32% and Inte 

Annually 144No formal 39% or 14% 

Periodically as part of audit 90 25% 

FCPA 

g Risk Assessments Respondents 

set schedule 

No formal or set schedule 51 14% 

25% 


144 39% 

More than once a year 34 9% 

Se 

f audit 90 25% 


edule 

I do not know 

51 

28 

14% 

8% 

25% 

ar 

Less than once 

34 

a year 17 

9% 

5% 



28 

365 

8% 

part of audit 

Co 


ar 17 5% 


365 

part of audit 


% Respondents 


Using information from Risk Assessment%Respondents 

Share findings 7100% 

% Respondents 


rom Risk Assessment%Respondents 

Rank findings 5100% 

Apply findings to programs 4300% 

7100% 

Map findings 

5100% 

3200% 

grams 

Don't know 

4300% 

1000% 

Other metrics 

3200% 

300% 

1000% 

300% 

Companies conduct risk assessments on a regular basis, either once per year or scheduled 

periodically along with regular audits. The best practice is to conduct an ethics and 

compliance risk assessment as consistently as possible to keep awareness up with changing 

laws and regulations that affect the enterprise as well as to track changes from one period 

to the next. 

Map risks according to: 

% Respondents 

Specific employees or groups 2900% 

g to: 

% Respondents 


r groups 2900% 

1100% 

5. How do you use or apply information from your ethics and compliance risk 

assessment 

7 in 10 companies share risk assessments findings. 


Ranking findings according to: % Respondents 

Probability of occurrence 4400% 

ccording to: % Respondents 

Monetary value 2700% 


nce 4400% 

2700% 

2100% 

100% 

80% 


100% 

80% 

60% 

71% 



nt Challenges % Respondents 



s 4700% 

quantifiable info 

Analyzing 

3500% 

and applying the findings 2000% 

assessment 

Insufficient 

2600% 

technology 2000% 

ing the findings 

No significant 

2000% 

challenges 1200% 

y 

Don't know 

2000% 

800% 

ges 

Other 

1200% 

300% 

800% 

300% 

60% 

40% 

20% 

0% 

% Respondents 

Ranking Findings 

71% 

40% 

51% 

20% 

0% 

% Respondents 

43% 


Rank findings 

Map findings 


Other metrics 

Don't know 

32% 

51% 

43% 


Rank findings 

Map findings 


Other metrics 

Don't know 

32% 

10% 

3% 

10% 3% 

% Res 

Top Risk Assessm 


50% 

50% 

40% 

30% 

20% 

10% 

44% 

40% 

30% 

20% 

10% 

27% 

0% 

21% 

44% 

27% 

21% 

0% Inadequate 10% 20% 

resources 

Inadequate resourcesObtaining 47% accurate/ quantifiable info 

Obtaining accurate/ quantifiable info Conducting 35% a global assessment 

Conducting a global assessmentAnalyzing 26% and applying the findings 

47% 

35% 

26% 

20% 

0% 

% Respondents 

% Respondents 

Probability of occurrence 

Monetary value 



Other metrics 

Analyzing and applying the findings 20% Insufficient technology 

LRN | 2008 Ethics and Compliance Insufficient Risk technology Management 20% Practices No significant Report challenges | 25 


Other 

Other 8% 

Don't know 

20% 

12% 

8% 

3%

32% 

10% 

3% 


Supply Chain 

% Insider Respondents Trading 

21% 

20% 

16% 



I do not know 

re than 

e a year 

9% 

rmal or 14% 

hedule essment 

8% 5% 

25% 


part of audit 

% Respondents 

40% 

Annually 

50% 

40% 

30% 

20% 

10% 

0% 

% Respondents 









Conducting risk No significant assessments challenges is the vital first step 1200% in risk management. As a tool for 

Don't know Top 800% Ethics and Compliance Risks 

identifying strengths Other and weaknesses in their ethics 300% and compliance efforts, the information 

collected from assessments is most valuable when it is communicated broadly to appropriate 

% Respondents 

parties, analyzed for relevance and potential gaps, and applied to improve the company’s 

0% 20% 40% 60% 80% 100% 

prevention and detection programs. On this basis, the survey shows that most companies are 


not benefiting as much as they could from their risk assessments. 

Intellectual Property 

Mapping Risks 

Environment Health and Intellectual Property 

29% 

Under 5,000 

employees 

11% 

Over 10,000 

employees 

Data Privacy 

FCPA and Anti-bribery 

Sexual Harassment 

Export Controls 


Supply Chain 

Insider Trading 

47% 

32% 

30% 

27% 

26% 

23% 

21% 

20% 

16% 

50% 

40% 

30% 

20% 

10% 

0% 

% Respondents 

% Respondents 


44% 

27% 

21% 

80% 

60% 

40% 

20% 

0% 

% Respondents 


Other metrics 



Other metrics 

ate resources 

uantifiable info 

al assessment 

ng the findings 

ent technology 

ant challenges 12% 

0% 

Other 8% 

% Respondents 

Don't know 3% 


100% 

0% 10% 20% 30% 40% 50% 

47% 

80% 

35% 

60% 

26% 

20% 40% 

20% 

20% 


71% 

51% 

43% 


Rank findings 

Map findings 


Other metrics 

Don't know 

Three out of four companies share their findings, though most do not gain the full value by 

communicating them with employees and managers. 

The fact that many companies say they lack the resources needed for the steps of the risk 

% Respondents 

50% 

assessment process may explain why the majority do not rank or map findings. Only 5 out 

of 10 companies rank findings, with most Compliance of those companies 

63% 

40% doing so on the basis of 

probability of occurrence. Worse, only 3 in Legal 62% 

10 companies map findings to specific employee 

30% 

groups or other metrics. It may be that Internal their Audit HR systems 59% are not yet equipped with the 

20% 

29% 

advanced tools that can capture accurate Internal data Audito map 56% risks to specific groups or individuals. 

Both ranking and mapping are highly Human recommended, Resources 10% 51% 

as both practices could ultimately 

11% 

help companies save money by being able Finance to more precisely 

47% 

target their prevention and 

32% 

0% 

detection efforts. 

Ethics 44% 

10% 

3% 

% Respondents 

IT 39% 

Data Privacy 

41% 

6. What are the biggest challenges you face in conducting your Other ethics metricsand 

Risk Office 38% 

compliance risk assessment 

External Auditors 

Consultants 

Business managers 


34% 

23% 

22% 

14% 

Lack of resources is the leading challenge in conducting risk assessments 


Function 

% Respondents 

Mapping Risks 

0% 20% 40% 60% 80% 100% 


% Respondents 

0% 10% 20% 30% 40% 50% 

21% 

Inadequate resources 

Obtaining accurate/ quantifiable info 

Conducting a global assessment 

Analyzing and applying the findings 

Insufficient technology 


Other 

Don't know 

47% 

35% 

26% 

20% 

20% 

12% 

8% 

3% 


% Respondents


Lack of adequate resources was once again cited as the top challenge in conducting 

risk assessments, despite this year’s survey including a larger pool of respondents, more 

single-location companies (as opposed to global, multinational companies) and more large 

enterprises with over 10,000 employees. This suggests that not enough staff and/or budget 

is an ongoing issue for enterprises seeking to do comprehensive risk assessments. 

The repercussions of inadequate resources may provide the basis for understanding the next 

two leading challenges cited: obtaining accurate, quantifiable information and conducting 

a global assessment. Both of these require staff and dollars sufficient enough to devote 

adequate time and energy to collecting and analyzing data. Companies that lack resources 

may simply not have the staff to reach out to all departments to obtain accurate data or, if 

they are global, to assess every regional office to the same depth as their headquarters. 

Rethics &compliance risks 

8,400% 

isks 7,600% 

6,500% 

t development 

5,800% 

ion5,400% 

5,500% 

development 5,000% 

5,200% 

5,000% 

eviews/other 4,400% incentives 

400% 

s 700% 

600% 

frica Middle East 

4900% 4800% 

2600% 2300% 

7500% 7100% 

1500% 1800% 

200% 300% 

1700% 2100% 

PREVENT 

7. What activities/programs does your company have in place to educate on and/or 

certify employees in specific ethics and compliance risks 

Most companies approach prevention using several methods of education. 

0% 20% 40% % Respondents 

60% 80% 100% 

Code of conduct/ethics 0% 96% 20% 40% 60% 80% 100% 

Code of conduct/ethics Internal communications 

96% 

Internal communicationsOnline 92% education 

Online Classroom-offline education 85% education 

Classroom-offline education Written certifications 

77% 

Written certifications Electronic certifications 

74% 

Electronic certifications 

69% Site visits 

Employee performance Site reviews/other visits 66% incentives 

Employee performance reviews/other incentives Interactive 63% Games 

Interactive Games No formal 60% programs 

Formal No formal CEO/senior programs mgmt 55% development 

Formal CEO/senior Management/leadership mgmt development 11% development 

Management/leadership development 

Other 

10% 

8% 

Other 

92% 

85% 

77% 

74% 

69% 

66% 

63% 

60% 

55% 

11% 

10% 

8% 



% Respondents 

Overall, companies uniformly implement their prevention programs via three methods: 

• codes of conduct 

• internal communications, and 

• online education 

The interactive games option was not included in 2007, but its use among 10% of 

Educational Programs on Ethics and Compliance Risks - Global Companies 

companies probably represents a new emphasis on engaging employees, especially those of 

% Respondents 

the Millennial generation who typically demand greater participation in their learning and 

0% 20% 40% 60% % Respondents 80% 100% 

who often prefer interactivity as a way to deal with the unfamiliar. Both of these may be the 

96% 

84% beginning of growing movement to use materials that offer greater levels of engagement to 

92% capture employee attention about ethics and compliance issues. This is bolstered by a later 

76% 

survey finding that most companies say their two greatest challenges in prevention are the 

85% 

lack of relevancy of materials and the lack of employee engagement. 


Code of conduct/ethics 

0% 20% 40% 60% 80% 100% 

96% 


84% 

Internal communications 

92% 


76% 

Online education 

65% 

85% 


65% 

77% 

Formal CEO/senior mgmt development 

58% 

77% 


58% 

74% 

Classroom-offline education 

54% 

74% 


54% 

69% 

Electronic certifications 55% 

69% 

Electronic certifications 55% 

66% 



50% 

66% 

Management/leadership development 50% 

60% 

Employee performance reviews/other incentives 50% 

Employee performance reviews/other incentives 

60%

espondents 

5800% 

4300% 

3100% 

2500% 

2500% 

2300% 

2200% 

2100% 

1900% 

1800% 

1000% 

900% 

e Outreach 

Workforce Outreach 


Other 

Global companies consistently have lower levels of prevention activities at their 

international locations than at headquarters. 

0% 20% 40% 60% 80% 100% 


96% 


84% 

% Respondents 

Internal communications 0% 

92% 

20% 

76% 

40% 60% 80% 100% 


96% 

85% 

Online 84% education 

65% 

92% 


77% 

Formal CEO/senior mgmt 76% development 

58% 

85% 


74% 

Classroom-offline 65% education 

54% 

77% 


69% 

Electronic 58% certifications 55% 

74% 

66% 

Classroom-offline Management/leadership education 

54% development 50% 

69% 

60% 

Employee Electronic performance certificationsreviews/other 55% incentives 50% 


Employee performance reviews/other incentives 

66% 

63% 

50% Interactive Games 52% 

60% 

55% 

No 50% formal programs 44% 

63% 

Interactive Formal CEO/senior Games 52% 

mgmt development 

55% 

No formal Management/leadership programs development 

44% 



100% 

75% 

50% 

Other 

11% 

4% 

10% 

7% 

8% 

6% 

Other 

Headquarters Region 

Just as in 2007, the International survey findings Region demonstrate that companies do not yet offer the same 

100% 

scope of prevention methods in their international locations. Nearly every prevention method 

is lacking at global locations. Potential causes may be: 

a) the lack of 

75% 

resources issues cited to deploy education globally (including translations of 

content and certification programs into preferred languages, identifying culturally relevant 

experiences, and reaching a dispersed workforce) 

50% 

b) regional workers not having access to classrooms and/or computers as extensively as 

headquarters employees. Nevertheless, global companies should extend their effort to 

equalize educational offerings at all locations. 

25% 

11% 

4% 

10% 

7% 

8% 

6% 

10% 

8% 


International Region 



% Respondents 

Europe 

total 

rribean 

btotal 

South Am/ Carribean 

Asia/ Pacific 

Asia/ Pacific 

Africa 

Africa 

Middle East 

25% 

0% 

8. What portion of your employees do you reach with your ethics and compliance 

0% 

education and/or certification activities/programs 

Middle East 

On average, companies reach All or Most of their employees with education or 

certification programs. 


US 

Canada/ 

Mexico 

Europe 

South Am/ 

Carribean 

Asia/ 

Pacific 

Top Challenges 

Africa 

Middle 

East 

All employees 66% 54% 51% Top Challenges 51% 47% 49% 48% % Respondents 

Ethics and Compliance Educational Programs Outreach 

Most Employees 24% 25% 28% 20% 23% 26% 23% 

% Respondents 


All or Most Employees 90% 79% 79% 71% 70% 

% Respondents 

75% 71% 

ompliance Educational Programs Outreach 

0% 20% 40% 60% 80% 100% 

0% 25% 50% 75% 100% 

Making the education relevant 43% 

Some Employees Cultural 7% differences 12% 31% 15% 17% 20% 15% 18% 

l 94% 

% Respondents 


Regulatory differences 25% 

No employees 3% 2% 2% 4% 4% 2% 3% 

al 89% 

25% 50% 75% 100% 


Low employee engagement/interest 25% 

rs 70% 

Some or Cultural No differences 31% 

Knowing all our compliance risks 23% 

Employees 

Regulatory 

Subtotal 

differences 10% 25% 14% 17% 21% 24% 17% 21% 

n 67% 

Lack of E/C materials in some risks areas 22% 

rs 64% 


Technology constraints 21% 

d 62% 


Lack of translated LRN | 2008 E/C materials Ethics and 19% Compliance Risk Management Practices Report | 28 

rs 36% 


Low leadership support 18% 

rs 25% 


No challenges 10% 

0% 20% 40% 60% 80% 100%

Ot 




US 

Despite challenges, companies reach all or most of their employees across the world with 

100% 

their education and certification programs. This accomplishment is achieved despite the 

significant number of workers that can be difficult to reach in industries with large offline 

populations such as agriculture, energy, manufacturing, retail, transportation and sales 

75% 

where workers spend the majority of their time in the “field,” without either ready-access to 

an Internet kiosk or in a setting that makes it difficult to receive education consistently. These 

50% 

results are nearly the same as 2007. 

The single data point worth noting is that Asia has the highest level of “some” employees. 

25% 

Given that 

US 

more and more companies utilize manufacturing or business partnerships in Asia, 

Canada/ Mexico 

Europe 

this Canada/ might Mexico indicate a need to ensure better 

South Am/ 

efforts 

Carribean 

All employees Europe 

to provide Asia/ Pacific education to workers in that 

South Am/ Carribean 

Africa 

0% 

Asia/ Pacific 

region of 

Most 

the 

employees 

Africa 

world. 

Middle East 

All employees 

Most employees All or Most Employees Subtotal 

All or Most Employees Some Subtotal employees 

Some employeesNo employees 

No employees 

Some or No Employees Subtotal 

9. Do you Some provide or No Employees ethics Subtotal and compliance education and/or certification activities/ 

programs to the following 

Middle East 

100% 

75% 

50% 

25% 

0% 

More companies reach white collar workers than Boards, blue collar and service 

workers. 



% Respondents 

% Respondents 

Inade 

0% 25% 50% 75% 100% 

0% 25% 50% 75% 100% 

Making the ed 

Cu 

White collar: Professional, Managerial 94% 

White collar: Professional, Managerial 94% 

Regul 

White collar: Sales, Clerical 89% 

Lo 

White collar: Sales, Clerical 89% 

Low employee enga 



Knowing all our 

Blue collar: Craftsman, Foreman 67% 

Lack of 

Blue collar: Craftsman, Foreman 67% 

Lack of E/C materials in 

Service workers 64% 

Service workers 64% 

Techn 

Blue collar: Semiskilled, Unskilled 62% 

Blue collar: Semiskilled, Unskilled 62% 

Business Partners 36% 

Business Partners 36% 

Lack of transla 

Low le 

Suppliers 25% 

Suppliers 25% 

Resellers 12% 

Resellers 12% 

Given that it is easier to reach white collar professional and managerial workers, it is logical 

that most companies are successful providing education to them. However, the substantial 

declines of roughly 30 percentage points in reaching blue collar skilled workers, service 

workers, and blue collar semi-skilled workers is disconcerting given that regulations require 

companies to encourage an ethical corporate culture and establish effective compliance 

programs across the entire workforce. Companies face greater challenges to engage these 

types of workers and make ethics and compliance relevant to their jobs. 

Few enterprises provide education to their extended business ecosystem. 

The low survey results regarding educating the business ecosystem, indicates a lack of focus 

on this area. They will become increasingly important populations for effective ethics and 

compliance education as companies outsource manufacturing and sales, as well as create 

partnerships around the world. Given that the U.S. Federal Sentencing Guidelines encourage 

large organizations to ensure smaller partners “implement effective compliance and ethics 

programs,” companies should invest in reaching them. Recent updates to the Federal 

Acquisition Regulations (FAR), require any prime contractor – and subcontractor – with 

$5 million dollars in annual government contracts have a code of conduct, communicate 


% Respondents 



0% 20% 40% 60% 80% 100% 

% Respondents 

96% 

Code of conduct/ethics 0% 84% 20% 40% 60% 80% 100% 

96% 



Internal communications Online education 

76% 

Headquarters 

International 

85% 

White collar - Professional, Managerial Formal 9600% CEO/senior Online education mgmt development 

7400% 


92% 

84% 

policies and 76% supply an anonymous hotline to all employees. So your ecosystem should meet 

92% 85% 

the same stringent guidelines you expect from your employees. 

Chart 2 

65% 

77% 

Global 65% companies 58% experience significant declines in their ability to reach offices 

Chart 2 

77% 74% 

outside of their headquarters. 

Global Companies: Ethics and Compliance Educational Program Outreac 

White collar - Sales, Clerical 9100% 7200% 

Headquarters 

International Formal CEO/senior mgmt Classroom-offline development education 58% 54% 

% Respond 


anagerial 9600% 7400% 

74% 69% 

Service workers 6300% Electronic certifications 

4400% 

Global Companies: Ethics and Compliance 0% Educational 20% Program 40% Outreach 60% 80% 


54% 55% 

9100% 7200% 

Blue collar - Craftsman, Foreman 6300% 5000% 

66% 

96% 

69% 

% Respondents 

6800% 3000% Management/leadership Electronic certificationsdevelopment 

White collar - Professional, Managerial 

55% 50% 

74% 

Blue collar - Semiskilled, Unskilled 6000% 4600% 

6300% 4400% 

0% 20% 40% 60% 80% 100% 

66% 60% 

Business Partners Management/leadership Employee performance 3100% development reviews/other 2600% incentives 

91% 

50% 50% White collar 

an 6300% 5000% 

96% - Sales, Clerical 

72% 

Suppliers 2400% White 1900% collar 60% - Professional, 63% Managerial 

74% 

illed 6000% Employee performance 4600% reviews/other incentives Interactive Games 

50% 52% 

68% 

Resellers 1300% 1400% 

55% 


3100% 2600% 

63% 

91% 

30% 

Interactive Games No formal programs 

52% White collar 44% - Sales, Clerical 

72% 

2400% 1900% 

11% 

63% 

55% 

Formal No CEO/senior formal programs mgmt development 

Service workers 

4% 

68% 

1300% 1400% 

44% 

44% 


11% 10% 

30% 

Formal CEO/senior Management/leadership mgmt development development 7% 

63% 

4% 

Blue collar - Craftsman, Foreman 

8% 

63% 

50% 

10% 

Other Service workers 

Management/leadership development 7% 

6% 

44% 

60% 

8% 

Blue collar - Semiskilled, Unskilled 

63% 

46% 

Other Blue 6% collar - Craftsman, Foreman 

50% 

31% 

Headquarters Region Business Partners 

60% 

26% 

Blue collar - Semiskilled, 

International 

Unskilled 

Region 

reach 

46% 


24% 

Suppliers 

International Region 

31% 

19% 

Business Partners 

26% 

13% 

Resellers 

14% 

100% 

24% 

Suppliers 

19% 

100% 

75% 

Resellers 

13% 

14% 

Headquarters 

International 

ific 

Asia/ Pacific 

Africa 

Africa 

Middle East 

75% 

50% 

25% 

Middle East 

0% 

50% 

25% 

0% 

The global breakdown of survey results on this question also demonstrates a pattern of 

Headquarters 

concern. Each type of workforce International in international regions reached fewer regions with ethics 

and compliance educational % Respondents programs than in their home market. Of course, this may reflect 

only logistical issues in reaching such international workers, or it may reflect that lack of 

resources companies cite as their leading challenge. This same decline in reaching global field 

offices was also the case in 2007, indicating a possible trend to watch, as well as a caution 

to companies to make better efforts to equalize their educational efforts. 

% Respondents 

10. What are the biggest challenges you face in providing ethics and compliance 

education and/or certification activities/programs 

Inadequate resources lead the challenges to education and certification programs. 



liance Educational Programs Outreach 

tional Programs Outreach 

% Respondents 

50% 75% 100% 

% Respondents 

75% 100% 

% Respondents 

0% 20% 40% 60% 80% 100% 

% Respondents 


0% 20% 40% 60% 80% 100% 



Cultural differences 


Regulatory differences 

31% 

25% 

Cultural differences 31% 


Regulatory differences 25% 







Lack of translated E/C materials 19% 



Lack of translated E/C materials 19% 

No challenges 


Union objections 9% 

No challenges 10% 

As in 2007, more than 50% 10% of respondent companies do not have enough resources in 

Union objections 9% 



terms of budget and staff to drive their ethics and compliance education and certification 

programs. This result may be reflected in why companies employ less classroom education, 

interactive workshops or site visits than other types of prevention programs that require 

fewer resources. It may also relate to why companies are not reaching their business 

ecosystem and why global companies face greater challenges at their international locations 

than headquarters. The antidote to this finding is for ethics and compliance functions to 

reach out to other departments within the organization to enlist their support for quality 

prevention programs. 

Making education relevant and low employee engagement / motivation are 

significant secondary challenges. 

The challenges related to making education relevant and combating low employee 

engagement and interest will be critical issues of the future, especially as more Millennial 

generation workers join the workforce and blend with the current generation of boomers 

whose learning and work styles are different. Companies will likely need to alter the 

methods they most often use to appeal to this generation. 

orting Methods for Global Companies 

ds for Global Companies 

Increased globalization accounts for several other key challenges: cultural and regulatory 

differences as well as translations of ethics and compliance materials. The lack of resources 

may be at issue behind this gap, but regardless, companies will need to gain ground to 

ensure they educate all relevant employee groups, regardless of cultural or educational 

background, language spoken, or location. 

DETECT 

11. What are the methods you provide for employees and others to report ethics or 

compliance violations 

Almost 9 in 10 companies offer multiple means for reporting potential ethics or 

compliance violations. 

Reporting Methods Available to the Workforce 

Reporting Methods Available to the Workforce 

% Respondents 

% Respondents 

0% 20% 40% 60% 80% 100% 

0% 20% 40% 60% 80% 100% 

First Reporting Channel 


Supervisor 

Supervisor 93% 



Anonymous/Confidential Reporting Channel 

Anonymous/Confidential Reporting Channel 91% 

Ethics & Compliance Office 

Ethics & Compliance Office 88% 

Legal Department 

Legal Department 86% 


Internal Ombudsman 40% 

No set policy 

No set policy 17% 

93% 

92% 

91% 

88% 

86% 

40% 

17% 

% Respondents 

% Respondents 

10% 20% 30% 40% 50% 

% 20% 30% 40% 50% 


Reporting Methods for Global Companies 

Reporting Methods for Global Companies


In global companies, reporting channels Reporting lag Methods at their for international Global Companieslocations. 

Reporting Methods for Global Companies 

% Respondents 


ges 

% Respondents 

40% 60% 80% 100% 

% Respondents 

60% 80% 100% 

0% 20% 40% 60% 80% 100% 

% Respondents 

93% 

Anonymous/confidential reporting channel 0% 20% 40% 60% 80% 100% 

78% 

Anonymous/confidential reporting channel 

93% 

78% Supervisor 

92% 

Supervisor 

Human 77% resources 

91% 

Human resources 

90% 

Legal 78% Department 

74% 

% Respondents 


90% 

Anonymous/Confidential 88% 

Compliance 

Legal 

ethics 

Department Reporting 9200% Channel 

Human % Respondents Resources office/business 9100% 74% conduct 

72% 

Supervisor Ethics & 9300% Compliance Office 8800% 

Anonymous/Confidential Legal Reporting Department 9200% Channel 8600% 

88% 

Compliance Human Resources ethics Internal office/business 9100% Ombudsman conduct 4000% 

41% 

No set policy Internal 1700% 72% ombudsman 


29% 



41% 

No set policy 1700% Internal ombudsman 

HQ 

International 

29% 

Anonymous/confidential reporting 9300% channel 7800% 

Headquarters Reporting Methods Region for Global Companies 

Supervisor 9200% 7700% 

International Regions 

Human HQ resources International 9100% 7800% 

Anonymous/confidential Legal reporting Department 9300% channel 7800% 9000% 7400% Headquarters Reporting Methods Region for Global Companies 

Supervisor Compliance 9200% ethics 7700% office/business conduct 

Human resources Internal 9100% ombudsman 7800% 4100% 2900% 

Legal Department 9000% 7400% 

Compliance ethics office/business conduct 

Internal ombudsman 4100% 2900% 

92% 

77% 

91% 

78% 

8800% 7200% 

Companies are clearly International making efforts Regionsto make reporting violations easy. Three observations 

about this data are worth noting: 

8800% 7200% 

• Supervisors lead the list of reporting channels. 

• An anonymous %Respondents reporting channel is available in 9 out 10 companies. 

• The use of internal ombudsman is increasing. This person may help in complex situations. 

First Reporting Channel %Respondents 


Anonymous Reporting Channel 1700% 

First Reporting Channel Ethics %Respondents 

& Compliance Office 1600% 

Supervisor Human 2800% Resources 1300% 

Anonymous Reporting Legal Channel Department 1700% 

1100% 

Ethics & Compliance Office No Set 1600% Policy 900% 

Human Resources Don't Know 1300% 

900% 

Legal Department Internal 1100% Ombudsman 400% 

No Set Policy 900% 

Don't Know 900% 


Top Challenges 2008 

Employees fear retaliation 6400% 

Employees not motivated 5400% 

Top Challenges No significant 2008challenges 4600% 

Employees fear retaliation Innapropriate 6400% uses 4200% 

Employees not motivated Lack of 5400% formal management process 

No significant challenges Employees 4600% don't understand 2800% 

Innapropriate uses Insufficient 4200% staff to respond 1900% 

Lack of formal management Other process 

1300% 

Employees don't understand 2800% 

Insufficient staff to respond 1900% 

Other 1300% 

Meanwhile, the breakdown of results for global companies shows a consistent lesser degree 

of offerings outside headquarters. While 86% of the multinational companies offer at least 

3 reporting methods for their home region employees, only 74% of them do so for their 

international employees. This result may reflect the logistical challenge to have the personnel 

from the various functions available to workers outside of headquarters. Nevertheless, 

multinational companies may need to create separate reporting systems using local 

3300% 

technologies and personnel who speak the local languages in order to conform to local laws. 

3300% 

They must also educate local employees to overcome the often-strong cultural differences 

that discourage reporting violations. 

12. To whom are employees expected to report an ethics and compliance 

violation first 

Anonymous/confidential helpline is considered the first reporting channel by some 


companies. 


Anonymous/Confidential 

Human Resourc 

Anonymous/Confidential Reporting Ethics Chann & 

% Respondents 

Supervis 

Ethics & Compliance Off 

Legal DepartmIn 

Internal Ombudsm 

No set po 

0% 10% 20% 30% 40% 50% 

% Respondents 

Supervisor 0% 28% 10% 20% 30% 40% 50% 

Anonymous Reporting Channel 


Anonymous Reporting 

Ethics 

Channel 

& Compliance Office 

17% 





No Set Policy 




Don't Know 


17% 

16% 

13% 

11% 

9% 

9% 

4% 

Don't Know 

4% 


Anonymous/Confidential Reporting Chann 

Ethics & Compliance Offic 


Legal Departme 


Internal Ombudsm 

After supervisors, 1 in 5 companies expects employees to report first using the % anonymous/ 

Respondents 

confidential reporting channel. This result 

0% 

may 10% be linked 20% to why companies 30% report 40% that their 50% 

% Respondents 

two top challenges in detection are employee fear of retaliation and employees are not 

motivated to report. 


0% 10% 20% 30% 40% 50% 



Given that Ethics anonymous/confidential & Compliance Office 16% helplines are the second most common reporting 

17% 

channel, companies must sure they have qualified personnel to answer the lines and refer 


16% 

allegations to the appropriate function. 


Ethics & Compliance Office 



No Set Policy 




17% 

11% 

9% 

Nearly 1 in 3 companies expects employees to report violations first to supervisors. 

9% 

Given that supervisors Don't are Know expected 4% to be a first line of detection, it is incumbent on 

9% 

companies to fully educate supervisors so they know how to handle violation reports 

Don't Know 4% 

according to company policies. Again, this is also why involving managers in risk assessments 

is beneficial for companies, given their greater knowledge of potential gaps and high risk 

employees who might cause ethics or compliance problems. 



No set poli 

13. What are your biggest challenges in detecting ethics and compliance violations 

Employee fears of retaliation and lack of motivation lead the risk detection challenges. 


Anonymous/conf 


% Respondents 

0% 20% 40% 60% 80% 100% 

% Respondents 

Employees fear retaliation 

0% 20% 64% 40% 60% 80% 100% 

Compliance eth 

Employees not motivated 

Employees fear retaliation 64% 

Innapropriate uses 

Employees not motivated 54% 

Lack of formal management process 

Innapropriate uses 46% 

Employees don't understand 

Lack of formal management process 42% 

Insufficient staff to respond 

Employees don't understand 33% 

Other 

Insufficient staff to respond 28% 


Other 19% 

54% 

46% 

42% 

33% 

28% 

19% 

13% 


13% 

Despite the prevalence of anonymous reporting channels, employees fear retaliation and lack 

the motivation to report. Companies cited detection as their main challenge in 2008. Nearly 

half of respondents indicate they have no significant problems in this area, while the other 

half cites a wide range of challenges that hamper their detection efforts. Topping the list, 

almost two-thirds companies believe their employees fear retaliation. Meanwhile, half the 

companies cite employee lack of motivation to report violations a significant factor. 

The irony of these statistics about fear of retaliation and employee apathy is that 

organizations increased their efforts to communicate, educate employees about ethics and 

compliance, and ensure they have ready access to report violations. The survey results show 

that the nearly 9 out of 10 multinational companies offer at least three reporting methods 

for employees to use in their home region, and 7 out of 10 have at least three methods 

even in their international offices. Nearly all companies offer their workforce an anonymous 

or confidential channel to report ethics and compliance violations, and in 2 out of 10 of 

those enterprises, the company prefers the anonymous line to be its first line of reporting. 

In addition, 4 out of 10 companies also offer an internal ombudsman as a “go-to” person 



for reporting. Despite all these organizational efforts, employees remain reluctant to step 

forward to report violations. 

Possible causes: a) employees may be uncertain about whether their reports will truly remain 

confidential which indicates that they did not receive a clear message that confidentiality is 

valued; b) the increasing number and complexity of regulations might fuel worker confusion 

and to some extent ignorance about what to report and what will happen if they do so. 

This is consistent with some survey results: nearly 3 in 10 companies say their employees just 

don’t understand the rules, suggesting that the fault may really lie within organizations to do 

a better job educating their employees and inspiring them to take greater responsibility for 

helping to build an ethical culture. 

RESPOND 

14. Who typically is involved in investigations arising from reports of violations 

2008 

6900% 

6600% 

6500% 

5000% 

te 900% 

700% 

s 600% 

500% 

400% 

%Respondents 

ts 

3800% 

2000% 

1400% 

1300% 

1100% 

400% 

300% 

100% 

100% 

%Respondents 

3300% 

ts 2800% 

1900% 

1800% 

1700% 

1500% 

1100% 

500% 

500% 

Ethics and Compliance Violations 

ompliance Violations 

Legal, Ethics and Compliance, Human Resources and Audit are the four functions 

mostly involved in investigations. 

Ethics & Compliance 


HR 

Legal 

Audit 

69% 

HR 

66% 

Legal 

65% 

Audit 

50% 

HR 

Standing committee HR to investigate 

9% 

Standing committee Special to committee investigateper allegations 7% 

Special committee per allegations 

Outsource 

Other 

Outsource 6% 

5% 

Other 

4% 

69% 

66% 

65% 

50% 

9% 

7% 

6% 

5% 

4% 

Functions Participating in Investigations 

% Respondents 

0% 20% 40% 60% 80% 100% 

The high participation of these four functions in ethics and compliance investigations is 

clearly expected, due to the nature of most allegations involve people and the potential legal 

impact they might have on a company. The generally balanced nature of their response rates 

indicates that companies use the various functions according to the nature of the violation, 

which again is logical. 

Functions Leading Investigations 



0% 20% 40% 60% 80% 100% 

% Respondents 

F 

Functions L 

% Respondents 

0% 10% 20% 30% % Respondents 40% 50% 

0% 10% 20% 30% 40% 50% 

Ethics & Compliance 38% 


Audit 

HR 

38% Audit 

20% HR 

14% Legal 

20% 

14% 

13% 

Legal 13% HR 11% 

HR 

Varies 

11% Varies 

4% Other 

4% 

3% 

Corporate Other Securities 3% 1% 

Corporate Securities 1% ERM 1% 

ERM 1% 

0% 10% 

0% 10% 20% 

No sign. challenges 

No sign. challenges Insufficient Resources 33% 

Insufficient Resources Insufficient 28% training 

Insufficient Uncooperation training from colleagues 19% 

Uncooperation from Difficulties colleagues in investigation 18% 

Difficulties in investigation Too few investigators 17% 

33% 

28% 

19% 

18% 

17% 

15% 

Too few investigators 

Don't know 

Don't 15% know 

11% Other 

11% 

5% 

Too Other many false 

5% 

reports 5% 

Too many false reports 5% 



%Respondents 

No sign. challenges 3300% 

Top Challenges Insufficinet Resources %Respondents 2800% 

No sign. Insufficient challengestraining 3300% 1900% 

Insufficinet Uncooperation Resources from colleagues2800% 

1800% 

Insufficient Difficulties training investigation 1900% 1700% 

Uncooperation Too from few colleagues investigators 1800% 1500% 

Difficulties in investigation Don't know 1700% 1100% 

Too few investigators Other 1500% 500% 

Don't Too many know false reports 1100% 500% 


Other 

in Investigating 500% Ethics and Compliance Violations 


Top Challenges in Investigating Ethics and Compliance Violations 

Special committee per allegations 

Special committee per allegations Outsource 6% 

Outsource Other 

5% 

15. Which function typically leads your investigations 

Other 

4% 

6% 

5% 

4% 


Ethics & Compliance function leads investigations in 1 out of 3 companies. 





HR 

HR 

Legal 

66% 

Legal 

Audit 

65% 

Audit 50% 

HR 

mmittee to HR investigate 

9% 

e mmittee to investigate per allegations 7% 

per allegations Outsource 6% 

Outsource Other 

5% 

Other 4% 

% Respondents 

0% 10% 20% 30% % 40% Respondents 50% 


0% 10% 20% 30% 40% 50% 



Ethics & Compliance Audit 38% 

38% 

20% 

% Respondents 

Audit HR 20% 14% 

0% 20% 40% 60% 

% Respondents 

HR 80% Legal 14% 13% 100% 

0% 20% 40% 60% 80% Legal HR 13% 100% 11% 

69% 

66% 

65% 

HR Varies 11% 

Varies Other 4% 

Corporate Other Securities 3% 

4% 

3% 

1% 

50% 

Corporate Securities ERM 1% 1% 

ERM 1% 

9% 

7% 

6% 

5% 

4% 

The majority of companies did not designate a single leader in investigations. This indicates 

that companies consciously select the leadership role according to the nature of the 

allegations in order to utilize the most relevant function for the investigation. A lack of clarity 

thus exists about how companies lead their investigations. This requires further study to 

ensure that the best practice of either teaming departments or assigning leadership based on 

relevant knowledge and skills is being followed. 

16. What are your biggest challenges in investigating allegations 

Leading Investigations 

ing Investigations 

% Respondents 

30% % 40% Respondents 50% 

30% 40% 50% 

One third of respondent companies have no significant challenges in investigations. 



% Respondents 

0% 10% 20% 30% % Respondents 

40% 50% 

0% 10% 20% 30% 40% 50% 

No sign. challenges 

No sign. Insufficient challenges Resources 33% 

33% 

28% 

Insufficient Insufficient Resources training 28% 

Uncooperation Insufficient from training colleagues 19% 

Uncooperation Difficulties from colleagues in investigation 18% 

Difficulties in Too investigation few investigators 17% 

Too few investigators Don't know 15% 

Don't know Other 11% 

Too many Other false reports 5% 


19% 

18% 

17% 

15% 

11% 

5% 

5% 

Companies have been managing ethics and compliance investigations for many years, so 

it is likely that the more mature processes in place in investigating can explain the higher 

percentage of companies that report no significant challenges with investigations (33%) 

compared to companies that cite no challenges in assessing ethics and compliance risks 

(12%) or preventing risks (10%). These findings are in line with 2007 findings. 



Insufficient resources lead the list of challenges for other companies. 

However, 28% of respondent companies cite insufficient resources, making investigations 

the third area – along with risk assessments and prevention -- where companies do not 

have enough staff or budget. In some industries, such as financial or medical, investigations 

can be costly, requiring extensive legal research and documentation. This suggests that 

it behooves companies to plan their budgets with the knowledge that, should they be 

required to investigate a major violation, they will need sufficient resources and should plan 

for that contingency. 

15% to 20% of companies cite insufficient training, lack of cooperation from colleagues, 

difficulties doing the investigations, and too few investigators as key challenges. This 

suggests that hiring and training staff is critical in companies new to investigations or not 

yet having a mature, experienced group of ethics and compliance, human resources, or 

legal professionals to manage investigations with accuracy, fairness, and legal aptitude 

are contributing factors impacting investigations. But it also again reinforces that most 

companies have few challenges when it comes to responding to violations. 

All in all, investigations are critical for all companies. It’s always better for companies to 

discover their own problems first, and to be proactive and transparent in notifying the 

authorities about their findings in advance of government intervention and sanctions. 

aluation Methods 

%Respondents 

antitative ds measures %Respondents 4900% 

ernal suresprocess audits 4900% 4500% 

audits alitative measures 4500% 4200% 

rmal uresculture assessment 4200% 3500% 

ssessment alysis of data from all our programs 3500% 2800% 

ternal from all process our programs audits 2800% 1900% 

audits do not evaluate 1900% 1400% 

ate 1400% 

quency of evaluation 

%Respondents 

aluation 

%Respondents Ongoing 3400% 

Ongoing 3400% Annually 2300% 

Annually Occasionally 2300% 1400% 

Occasionally Quarterly 1400% 900% 

Quarterly Don't 900% know 900% 

Don't know No reporting 900% 900% 

No reporting 900% 

Improve our programs 7100% Utilizing the 

Improve Share our programs findings wih the 7100% board 5900% Utilizing the Information 

are findings Share wih the findings boardwith company 5900% 2000% Information from the Ethics 

are findings with company Don't 2000% know 1100% 

from the Ethics and Compliance 

Don't know 1100% Other 600% 

Do nothing 600% and Compliance Programs 

Other 600% 

Share findings Do nothing with stakeholders 600% 500% Programs Evaluations 

findings with stakeholders 500% Evaluations 

EVALUATING 

17. How do you formally evaluate the impact of your overall ethics and compliance 

process 

There is nearly a 40% increase in percentage of companies conducting formal 

Evaluation Methods 

cultural assessments. 

Quantitative measures 

Quantitative measures 49% 

Qualitative measures 

Qualitative measures 45% 

Internal process audits 

Internal process audits 42% 

Analysis of data from all our programs 

Analysis of data from all our programs 35% 

Formal culture assessment 

Formal culture assessment 28% 

External process audits 

External process audits 19% 

We do not evaluate 

We do not evaluate 14% 

% Respondents 

% Respondents 

0% 10% 20% 30% 40% 50% 

0% 10% 20% 30% 40% 50% 

49% 

45% 

42% 

35% 

28% 

19% 

14% 


Lack of adequate resources 3000% 

ack lating of adequate results to business resourcesimprovements 3000% 2500% 

to business improvements Correlating data to 2500% results 2400% 

Correlating data to results Don't 2400% know 2300% 

Agregating Don't know and analyzing 2300% data 2300% 

adequate gating and management analyzing data tools/technology 2300% 1900% 

ting agement data on tools/technology programs conducted 1900% at HQ 1600% 

rograms rams conducted conducted at international HQ 1600% regions 1400% 

ted at international regions 1400% Other 700% 

Other 700% 

35% of the respondent companies indicated they conduct formal cultural assessment to 

evaluate the impact of their ethics and compliance program. This evaluation methodology is 

valuable because it allows companies to analyze their entire corporate culture on a holistic 

basis -- including risk assessment, work processes, employee attitudes, and many other 

Ongoing 

factors – all of which helps reveal the underlying corporate character. A mature Ongoing ethics and 34% 

compliance process must recognize that they can no longer achieve having a consistent Annually and 

Annually 23% 

reliable ethical culture through compliance alone. Isolated programs that comply with the 

Quarterly 

laws open too many gray areas open to interpretation where employees don’t Quarterly 14% 

know what 

Occasionally 

is right. Formal cultural assessments give companies greater insight into the Occasionally status of their 9% 

entire culture, especially how to move it beyond being simply rule-based towards becoming Don't know 

Don't know 9% 

values-based. 

Utilizing the Information from the Ethics and Compliance Programs Evaluations 


% Respondents 

0% 

% Respondents 

20% 40% 60% 80% 100% 

0% 20% 40% 60% 80% 100% 

No reporting 


0% 

0% 10% 

34% 

23% 

14% 

9% 

9% 

9% 

Improve our programs 

Improve our programs 71% 

Share findings wih the board 

Share findings wih the board 59% 

Share findings with company 

Share findings with company 20% 

71% 

59% 

20% 



uantitative measures 

itative measures 


itative measures 

ternal process audits 

l process audits 

from all our programs 

all our programs 

al culture assessment 

lture assessment 

xternal process audits 

al process audits 


e do not evaluate 



% Respondents 

% Respondents 

0% 10% 20% 30% 40% 50% 

0% 10% 20% 30% 40% 50% 

49% 

49% 

45% 

45% 

42% 

42% 

35% 

35% 

28% 

28% 

19% 

19% 

14% 

14% 

As for other evaluation techniques, the largest percentage of companies uses quantitative or 

qualitative measures to assess the impact of their ethics and compliance processes. 

It is useful to point out that roughly 1 in 3 companies say they analyze data from their 

programs to evaluate their programs. Another data point is that only 20% of companies use 

external resources for evaluations. This may increase in future years as companies find they 

need to go to outside experts to obtain more objective, accurate evaluations. 

18. How often do you evaluate the impact of your overall ethics and compliance 

process 

The use of ongoing evaluations is declining, with more companies performing 

annual evaluations. 

Frequency of Evaluation 


% Respondents 


%Respondents 

% Respondents 

Quantitative measures 4900% 

0% 10% 20% 30% 40% 50% 

Evaluation Internal Methods process audits %Respondents 4500% 

0% 10% 20% 30% 40% 50% 

Quantitative Qualitative measures measures 4900% 4200% 

Internal process Formal audits culture assessment 4500% 3500% 

Qualitative Analysis measures of data from all our programs 4200% 

Ongoing 34% 


2800% 

Formal culture External assessment process audits 3500% 1900% 

Ongoing 34% 


Analysis of We data do from not evaluate all our programs 2800% 1400% 


Annually 23% 


Annually 23% 

% Respondents 

Quarterly 14% 

% Respondents 

Frequency of evaluation 

%Respondents 

0% 10% 20% 30% 40% 50% 

Ongoing 3400% 

Quarterly 14% 

Frequency of evaluation 

Annually %Respondents 2300% 

on from the Ethics and Compliance Programs Evaluations 

Occasionally 9% 

0% 10% 20% 30% 40% 50% 

Ongoing Occasionally 3400% 1400% 

om the Ethics and Compliance Programs Evaluations 

Occasionally 9% Quantitative measures 49% 

AnnuallyQuarterly 2300% 900% 

Occasionally Don't know 1400% 900% 

Don't know 9% Quantitative measures 49% 

Quarterly No reporting 900% 900% 

Don't know 9% 

Qualitative measures 45% 


% Respondents 


No reporting 9% Qualitative measures 45% 

% Respondents 


40% 


60% 80% 100% 

Improve our programs 7100% Utilizing the 

40% 60% 80% 


100% 


wih the board 5900% Information 


Improve Share our findings programs with company 7100% Utilizing the 

2000% 

Share findings wih the board Don't know 5900% 1100% Information 

Share findings with company Other 2000% 600% from the Ethics 

Don't knowDo nothing 1100% 600% and Compliance 

Share findings with Other stakeholders 600% 500% 

Do nothing 600% Programs 

Share findings with stakeholders 500% Evaluations 


Correlating results to business improvements 2500% 

Lack of adequate Correlating resources data to results 3000% 2400% 

Correlating results to business improvements Don't know 2500% 2300% 

Correlating Agregating data and to results analyzing 2400% data 2300% 

Lack of adequate management Don't tools/technology know 2300% 1900% 

Collecting Agregating data on and programs analyzing conducted data at 2300% HQ 1600% 

Collecting Lack data of adequate on programs management conducted tools/technology at international regions 1900% 1400% 

Collecting data on programs conducted at HQ Other 1600% 700% 

Collecting data on programs conducted at international regions 1400% 

Other 700% 

In 2008, from the 66% Ethics of respondents indicated they perform at least annual program evaluations, 

and Compliance 



which Programs is in line with the industry best practices. In today’s world, compliance regulations 

Evaluations 


may change from year to year, and companies 

External process 

must 

audits 

ensure they 

19% 

remain up to date in their 


programs. High rates of employee turnover We do can not also evaluate affect the 14% success of a company’s 

ethics and compliance programs. And We do even not evaluate though values 14% are universal and don’t change, 

companies must monitor their programs at least annually to determine their effectiveness in 

moving their culture successfully towards living those values. 

19. What do you do with the information you derive from evaluating your overall 

ethics and compliance process 

Top Program Evaluation Challenges 


The majority of companies use the information collected in evaluations to improve 

% Respondents 

their programs. 

% Respondents 

0% 10% 20% 

Utilizing the Information from the Ethics 30% and Compliance 40% Programs 50% Evaluations 

0% 10% 20% 30% 40% 50% 




Correlating data to results 25% 

% Respondents 


Correlating results to business improvements 

25% 

24% 

0% 20% 40% 60% % Respondents 

80% 100% 

Correlating results to business improvements 24% 0% 20% 40% 60% 

Agregating and analyzing data 23% 

80% 100% 

Agregating and Improve analyzing our data programs23% 

71% 

Lack of 23% 

Lack of adequate management Improve 

Share 

tools/technology 

our programs 71% 

23% 

findings wih the board 59% 

Collecting data on programs conducted at HQ 19% 

adequate management tools/technology 

Collecting data on Share programs findings conducted wih the board at HQ 19% 59% 

Collecting data on programs conducted Share at international findings with regions company 16% 20% 


Share findings with company Don't know 20% 14% 



Don't knowOther 

11% 7% 

Other Other 7% 6% 

Other 6% 

Do nothing 6% 

Do nothing 6% 

Share findings with stakeholders 

5% 

Share findings with stakeholders 

5% 


antitative measures 49% 


ualitative measures 45% 

Internal process audits 

ernal process audits 42% 

Analysis of data from all our programs 

rom all our programs 35% 

Formal culture assessment 

l culture assessment 28% 

External process audits 

ternal process audits 19% 



ing the Information from the Ethics and Compliance Programs Evaluations 

n from the Ethics and Compliance Programs Evaluations 

% 

% 

% 

45% 

42% 

35% 

28% 

19% 

14% 

% Respondents 

0% 20% 40% % 

60% 

Respondents 

80% 100% 

40% 60% 80% 100% 


At least 7 in 10 companies are pursuing a best practice to use evaluations of their programs 

to benchmark, set metrics in order to improve them. This is logical. However, only slightly 


more than half of companies share their findings Frequency with of Evaluation their board, and only 2 in 10 share 

them with the company. 

% Respondents 

% Respondents 

0% 10% 20% 30% 40% 50% 

While sharing findings with a board 0% may 10% focus 20% on a level 30% of detail 40% many 50% boards do not 

need to know, it is likely to become 

Ongoing 

increasingly 34% important that boards stay abreast of all 

activities within their Ongoing companies 

34% 

regarding ethics and compliance progress. Given that the 

Annually 23% 

U.S. Federal Sentencing 

Annually 

Guidelines 

23% 

hold boards accountable for fostering an ethical culture, 

it behooves boards to open themselves Quarterly up further 14% to examining the progress and success of 

Quarterly 14% 

the company’s programs. 

Occasionally 

Occasionally 

9% 

Don't know 

9% 

9% 

Similarly, companies 

Don't know 

can often 

9% 

benefit by sharing the findings from their ethics and 

compliance program evaluations No reporting with their entire 9% organizations. Communicating the 


company’s progress towards both compliance and culture change can be the turning point 

to motivate employees into treating ethics and compliance more seriously and taking greater 

responsibility for reporting violations. Open, honest information helps engage and enlist 

employees, and sends a strong signal that the company is serious about advancing a culture 

of responsibility and integrity. 

% 

20. What challenges do you have evaluating overall ethics and compliance process 

Top three challenges are: Lack of adequate resources and Correlating data to results 

and/or business improvements. 



% Respondents 

% Respondents 

0% 10% 20% 30% 40% 50% 

0% 10% 20% 30% 40% 50% 

Lack of adequate resources 



Correlating data to results 25% 

Correlating results to business improvements 

Correlating results to business improvements 24% 

Agregating and analyzing data 

Agregating and analyzing data 23% 

Lack of adequate management tools/technology 

Lack of adequate management tools/technology 23% 

Collecting data on programs conducted at HQ 

Collecting data on programs conducted at HQ 19% 

Collecting data on programs conducted at international regions 


Don't know 


Other 

Other 7% 

30% 

25% 

24% 

23% 

23% 

19% 

16% 

14% 

7% 

As in the case of conducting risk assessments and implementing prevention programs, 

companies indicate lack of resources as leading challenge for evaluating the ethics and 

compliance program. 

Roughly one-quarter of respondents cited correlating results to business improvements 

(25%) and correlating data to results (24%). These challenges suggest that companies do 

not yet have the skills and/or tools necessary to effectively utilize their program evaluations 

and turn the information into meaningful results to drive program enhancements as well as 

business improvements. 



Quarterly 4100% 

Annually 3000% 

If Incident or Program 1600% Change Occurred 

We do not report 500% 

21. How 

I do not know 

often 

500% 

is the board updated on your ethics and compliance risk 

Other 400% 

management program 

The most common practice in evaluations is to update boards quarterly, or at least 

annually. 

Frequency of Reporting to the Board 

I do not know 

We do not report 

If Incident or 

Program Change 

Occurred 

16% 

Other 

5% 5%4% 

41% 

Annually 

Quarterly 

30% 

% Respondents 

71% of respondents cited updating boards quarterly or at least annually. This suggests that 

boards increasingly recognize the need, as suggested by the Federal Sentencing Guidelines, 

to receive information more frequently and be more actively involved in ethics and 

compliance concerns. Depending on the industry, size of company, and frequency of board 

meetings, a best practice in most companies would be to report annually, if not quarterly. 

eliness 

5700% Timeliness 

0% 2800% 5700% 

0% 1100% 2800% 

0% 400% 1100% 

0% 400% 

OVERALL SELF-ASSESSMENT 

22. Rate your company capability to address and mitigate Ethics and Compliance 

risks with accuracy and in a timely manner 

The majority of companies are moderately confident about their ethics and 

compliance effectiveness. 

1200% IR 

0% 5100% 1200% 

0% 2500% 5100% 

0% 1200% 2500% 

0% 1200% 

Ethics and Compliance Risk Ratings 

Ethics and Compliance Risk Ratings 

100% 

100% 

80% 

80% 

60% 

60% 

1600% IR 

0% 4400% 1600% 

0% 2800% 4400% 

0% 1200% 2800% 

0% 1200% 

7.0 

8.0 

6.0 

7.1 

7.1 

7.8 

6.2 

7.0 

7.0 

8.0 

6.0 

7.1 

7.1 

7.8 

6.2 

7.0 

HQ 

IR 

HQ 

IR 

57% 

57% 

53% 

53% 

28% 

24% 

28% 

24% 

9 - 10 

9 - 10 6 - 8 

6 - 8 

Accuracy 

Timeliness Accuracy 

Timeliness 

19% 

19% 

11% 

11% 

under 6 

under 6 

4% 4% 

4% 4% 

no answer 

no answer 

40% 

40% 

20% 

20% 

0% 

0% 

% Respondents 

% Respondents 

6.7 

8.2 

5.9 

7.4 

6.7 

8.1 

5.8 

7.3 

6.7 

8.2 

5.9 

7.4 

6.7 

8.1 

5.8 

7.3 



In general, companies rate themselves as doing a moderately good job for the accuracy 

and timeliness of their risk management processes. The cumulative average for 2008 is 

7.4 for both accuracy and timeliness, on a scale of 1-10 (with 10 being highest) This likely 

demonstrates the years of building up the knowledge and infrastructures needed to manage 

many risk areas, as well as conduct risk assessments, develop prevention programs, and 

investigate violations. 

Global companies are more confident about their headquarters than about their 

international regions. 

The most notable concerns are the confidence levels in global companies. Multinational 

companies consistently rated their accuracy and timeliness to address and mitigate ethics and 

compliance risks at a lower level for their international regions than at their headquarters. 

The gap in effectiveness for global companies demonstrates clearly that multinationals 

face greater challenges across distances due to the need to comply with more stringent or 

different regulations from country to country (such as European data privacy regulations) as 

well as with culturally diverse workforces that interpret ethics and compliance with varying 

rates of engagement. Some of the problems are associated with the logistics of doing 

business around the world, as multinational companies consistently indicate they have fewer 

prevention options and reporting channels in their regions than at headquarters. It is thus 

natural that their overall management capability for their international locations is lower due 

to the complexity of doing business globally. Mastering those challenges will be the work of 

the future for multinational companies, as they seek to define a unified ethical culture and 

comply with all applicable laws across their business units, regardless of location. 

Department budgets and program maturity have a significant impact on 

program performance. 

As might be expected, larger budgets and more program maturity yield greater results 

in the confidence levels of multinational companies, both at their headquarters and out 

in their regions. At headquarters, multinational companies with budgets over $500,000 

rate themselves 8.0 on average for accuracy and 7.6 for timeliness versus 7.0 and 7.1 

respectively for companies with budgets under $250,000. Similarly, at headquarters, ethics 

and compliance functions with more than 9 years experience rate themselves 8.2 for 

accuracy and 8.1 for timeliness vs. 6.7 on both factors for companies with under two years 

experience. 

In general, greater budgets and greater maturity lead to higher confidence for 

multinationals. 

The same confidence level spread occurs at their regional offices, where the larger budget 

companies average 7.1 for accuracy and 7.0 for timeliness versus 6.0 and 6.2 respectively 

for smaller budget firms. More mature companies average 7.4 for accuracy and 7.3 for 

timeliness versus 5.9 and 5.8 respectively for less mature companies. 

This suggests that companies are not yet fully assessing the size of the efforts to be done 

and accurately allocating the resources needed. A disconnect exists that affects most firms, 

even those that have larger budgets. However, it is encouraging to note that larger budgets 

do lead to greater confidence both at headquarters and at regional offices. 



It’s also a positive statement that maturity gives confidence. With greater knowledge and 

familiarity with risk management and mitigation, companies can move forward building 

better prevention programs, managing investigations, evaluating and monitoring their 

successes and failures, and predicting future problems more accurately. Even when 

regulations change, or their companies move into new markets or create new products, a 

more mature department is likely to spot potential ethics and compliance risks earlier and 

work out solutions faster. In short, experience counts in this business. 


The LRN Ethics and Compliance Maturity Model 

The preceding discussion provided a high-level view on adopting best practices across the 

entire ethics and compliance risk management cycle, but more importantly, how to begin the 

transition to becoming a self-governing enterprise. LRN has developed a far more detailed 

roadmap that spells out a four-phase program to mature a company’s ethics and compliance 

process, moving it step by step towards a values-based corporate culture. 

This model recognizes that companies pass through stages on the way to ethics and 

compliance maturity. The model is thus based upon a progression from compliance to 

ethics divided into four segments or levels, each of which is characterized by numerous 

common practices and activities. While at the first two levels, companies focus on mastering 

compliance, as follows: 

• Little c companies – These companies are just getting started on the journey; their focus 

is on implementing the basics of sound compliance program to ensure regulatory and 

legal compliance. 

• Big C companies – These companies have been able to implement full-fledged 

compliance programs and high visibility initiatives within the organization. 

Next, ethically-sensitive companies are those that are ready and willing to invest the energy 

and commitment to go beyond the compliance phase, implementing numerous steps that 

focus on embedding ethical values and principles into company policies and the workforce. 

• Little e companies – These companies have highly evolved compliance capabilities that 

drive adherence to corporate policies and rules as a means towards managing risk. 

• Big E companies – These companies have leadership that recognizes that rules can only 

do so much; they move toward fostering an ethical culture as the best prescription for 

enduring success. They make the highest commitment to a “do it right” philosophy that 

bolsters a self-governing culture. They view ethics and compliance as part of an overarching 

business strategy to drive company performance. 

The chart in Figure 1 offers a brief description of the four maturity phases and their 

distinguishing characteristics of the ethics and compliance program. 

LRN Market Maturity Model – A New Perspective 

Figure 1 

The transition from a little c to a Big E company requires many building blocks: executive 

sponsorship, oversight, education, and well established policies. The maturation of the 

ethics and compliance program is accompanied by increasing sophistication in its program 

activities. As the companies mature, they typically expand their ethics and compliance 


LRN ETHICS AND COMPLIANCE MARKET MATURITY MODEL 

efforts, building on basic structures and enlarging it to reach a widening area of influence in 

all company operations. The time it takes to move from one phase to the next is dependent 

on the company’s commitment to the process and its ability to learn and change. The graph 

in Figure 2 illustrates the nature of the learning curve, as companies move from little “c” to 

Big “E” characteristics which outline the characteristics of a company through the journey. 

Journey of Significance 

Figure 2 

Responses were collected through both in-person interviews and online interactions using 

the same survey tool. Survey data represent the perceptions of individual survey respondents 

and have not been validated through direct observation. The survey tool consisted of a series 

of seven questions which were scored using a system of weighted answers. The resulting 

score for each of the questions were combined to provide an overall rating for an individual 

respondent; the rating was compared against a range of scores corresponding to Little “c” 

through Big “E” to produce the final designation of ethics and compliance program maturity. 

The chart shows what percentage of respondents mapped to each stage. 

Final Perspectives 

If 2007 was a watershed year that challenged companies to boost their mastery of 

ethics and compliance, the coming years will further test how well they’re preparing for 

more floods. Today’s global business environment is only becoming more complex and 

burdensome on organizations to comply with increased legal regulation over many areas of 

business, as well as aggressive public scrutiny of their business conduct. It’s only going to get 

worse, given recent events such as the sub-prime mortgage meltdown, the collapse of major 

financial companies, and frequent regular product recalls. In today’s world of the Internet, 

digital communications, Google, YouTube, Facebook and MySpace, nothing remains hidden 

for long. The slightest missteps can embroil companies in costly lawsuits, claims, lost 

reputation, and underperformance. 

Companies can respond by trying to batten down the hatches of their ethics and compliance 

programs, making sure they have themselves covered, rule by rule, regulation by regulation. 

This response may be effective for a short-time and for some companies, it may be their only 

choice given what they can afford time- and resource-wise. Forward-looking companies, 

however, recognize that they must invest not just in the structures of ethics and compliance, 

but more importantly in their culture. A different type of organization will compete by 

outbehaving to out-perform their competitors. 


Total Number Employees % Respondents Under $250K 47% 

Under 5,000 Employees 47% $250K - $500K 14% 

5,001 - 10,000 Emplyoees 13% $500K+ 16% 

10,000+ Employees 40% I don't know 23% 

Operating Regions 

% Respondents 

1 location 40% 

2-3 locations 16% 


7 locations 17% 

RESPONDENT PROFILE 

Ethics and 

Conducted between February and May 2008, LRN e-mailed an invitation to Compliance complete 

Budget by 

the survey Ethics to and senior Compliance ethics, Department compliance, Maturity 

Company Size 

legal, risk and audit professionals, of which 461 

completed the survey. 

Ethics and Compliance Department Maturity Under 2,500 75% 7% 

Department maturity % Respondents 2,501 - 5,000 57% 12% 

Less than 2 years 20% 5,001 - 10,000 48% 16% 

Company Size 3-6 years Budget %Respondents 28% 10,000+ 20% 21% 

Total Number Employees % Respondents 6-8 years Under $250K 47% 18% 

Ethics and C 

Under 5,000 Employees 47% 9 years and more $250K - $500K 14% 29% E&C employees %Respondents 

5,001 - 10,000 Emplyoees 13% Title and Unknown role of $500K+ respondents 16% 5% 1 14% 

10,000+ Employees 40% I don't know 23% 

2-5 45% 

All respondents had senior titles in ethics, compliance, legal, risk, audit or HR 5-10 fields. Fifty 15% 

11+ 24% 

percent of Total respondents number of employees had % primary Respondents responsibility for their organizational ethics unknown and 

2% 


% Respondents 

Less than 2,500 31% 

compliance 2,501-5,000 initiatives. 

16% 

5,001-10,000 13% 

15% 

18% 

10,000+ 40% 

1 location 40% 



7 locations 17% 

Under 

$250K 

Size of companies 

7% 


Under $250K - $500K+ I don't 

The respondents Compliance profile is balanced $250K with $500K47% of respondents know coming from companies with 

Budget by 

Company Size 

less than 5,000 employees and 40% from companies with 10,000 or more employees. 

(In our 2007 survey, respondents came in majority from larger companies with more than 

10,000 employees). 

Ethics and Compliance Department Maturity Under 2,500 75% 7% 2% 15% 

Department maturity % Respondents 2,501 - 5,000 57% 12% 13% 18% 

Less than 2 years 20% 5,001 - 10,000 48% 16% 18% 18% 

3-6 years 28% 10,000+ 20% 21% 28% 32% 

6-8 years 18% 

9 years and more 29% E&C employees %Respondents 

Unknown 5% 1 14% Company Size 

2-5 45% 

5-10 15% 

11+ 24% 

Total number of employees % Respondents unknown 2% 

Less than 2,500 31% 

2,501-5,000 16% 

5,001-10,000 13% 

10,000+ 40% 

10,000+ 

Employees 

40% 

47% 

Under 5,000 

Employees 

2% 

75% 

$250K - 

$500K 

13% 

12% 

57% 

$5 

10,000+ 

Employees 

40% 

Company Size 

13% 

5,001 - 10,000 

Employees 

47% 

13% 

5,001 - 10,000 

Employees 

2,501 - 5,000 

Operating 

Employees 

7 locations 

Budget 17% 

% Respondents 

I don't know 

$500K+ 

Number of global regions 

$250K - $500K 

Under 27% $250K 

Almost two-thirds of respondents (60%) have operations in 2 or more regions of the 4 world, - 6 locations 

Number of Employees 

Under 5,000 

while 40% were located in only one country. The pie chart shows a breakdown of the 

Employees 

1 

number of regions of operation among respondents according to the location of their 

Ethics & C 

headquarters. 

2 - 

10,000+ Operating 40% Regions 31% Less than 2,500 

7 locations 

Under 2,500 

% Respo 

% Respondents 


17% 

13% 16% 

40% 

5,001 - 10,000 

1 location 

2,501 - 5,000 

27% 

4 - 6 locations 

% Respondents 16% 

9 years 

and moreBudg 

I don’t know 

23% 

6 - 8 y 

10,000+ 

40% 

31% 

Less than 2,500 


$500k+ 

16% 

% Respondents 

14% 

13% 

5,001 - 10,000 

16% 

Location of headquarters 

$250k - $500k 

Ethics & 

The majority of respondent companies (87%) were headquartered in the U.S. while others 

Budget 

2,501 were - 5,000headquartered in Europe (6%), Canada (2%), Asia/ Pacific (2%), South America (1%), 

% Respo 

Africa (1%) and Middle East (1%). 


% Respondents 

23% 

11+ 

16% 

47% Under $250k 

$500k+ 

LRN | 2008 Ethics 14% and Compliance Risk Management Practices Report | 44 

5 -10 

1 

$250k - $500k

,000 

es 

r 5,000 

loyees 

an 2,500 

s than 2,500 

E&C employees 

%Respondents 

1 14% 

2-5 45% 

5-10 15% 

11+ 24% 

unknown 2% 


Compliance 

Budget by 

Company Size 

7 locations 



$500k+ 

Under 

$250K 


27% 

23% 

17% 

16% 

40% 



7 locations 

16% % Respondents 

47% 

$250k - $500k 

$250K - 

$500K 


14% 

$500K+ 

I don’t know % Respondents 

23% 

I don't 

know 

Under 2,500 75% 7% 2% 15% 

2,501 - 5,000 57% 12% 13% 18% 

5,001 - 10,000 48% 16% 18% 18% 

10,000+ 20% 21% 28% 32% 

E&C employees 

%Respondents 

1 14% 

2-5 45% 

5-10 15% 

11+ 24% 

unknown 2% 

27% 


Budget 

16% 

Budget 

40% 


1 location 

75% 15% 

2% 

7% 

57% 


0% 

Industries represented 

12% 

60% 

Respondent companies’ Under 2,500 industry profile is mosaic-like 20% representing organizations from a 

broad range of industries such 

2,501 

as 

- 5,000 

Healthcare, 

16% 

Manufacturing, Energy/Power/Oil & Gas, 

5,001 - 10,000 

28% 

Financial Services, Insurance etc. 

Employees 

75% 

13% 

Maturity of Ethics and Compliance Budget Departments 

57% 

More than three-fourths (78%) I don't of know 

20% 

the respondent companies have had an ethics and 

21% 

$500K+ 

48% 

compliance function for more $250K than - $500K 3 years. Only in 5% of respondent companies was the 

ethics and compliance function 

Under 

newly 

$250K 

created (within past year) and these companies are, 

0% 

for the most part, smaller ones with less than 2,500 employees. 

I don't know 

$500K+ 

$250K - $500K 

9 years Under $250K 29% 

and more 

18% 18% 

48% 

5% 

20% 

28% 

21% 

Under 2,500 

20% 

2,501 - 5,000 

Ethics & Compliance 5,001 - 10,000 Department Maturity 

Employees 

10,000+ 

Unknown 

Budget 

18% 28% 

Ethics & Compliance Department Maturity 

6 - 8 years 

10,000+ 

40% 100% 

20% 

80% 

Less than 2 years 

3 - 6 years 


20% 

9 years 

Size of the Ethics and Compliance Department 

29% 

1 location 


Among single-location companies, 

Ethics 

nearly 

& Compliance 

half (44%) 

Department 

have 

Size 

between 2-5 people in their ethics 

and compliance department, while 34% 

Unknown 

have more than 5 or more people. 

18% 128% 

Among global companies, nearly all 6 have - 8 years more 2% people at their 3 - 6 headquarters years office than in 

11+ 

14% 

their international locations. Almost half 24% (45%) have 2-5 people in their headquarters office, 

and 39% have 5 or more people. Nearly half (49%) have just one ethics and compliance 

Under $250k person to server their international locations. 

% Respondents 

15% 

5 -10 

45% 

Ethics & Compliance Department Size 

2 - 5 

11+ 

18% 

Unknown 

Unknown 

% Respondents 

2% 

14% 

24% 

1 

32% 

40% 

Less than 2 years 

$500k+ 

16% 

14% 

47% 

Under $250k 

5 -10 

15% 

45% 

$250k - $500k 

2 - 5 

% Respondents 

% Respondents 


% Respondents 

17% 

% Respondents 

17% 

% Respondents 

40% 1 location 

27% 

40% 1 location 


40% 


1 location 


27% 

4 - 6 locations 27% 




16% 

16% 

16% 

Budgets (excluding salaries) 


10,000+ 40% 

31% Less than 2,500 


10,000+ 

Although nearly one-quarter (23%) of respondents 2 - 3 locations did not know their budgets, those 

40% 


10,000+ 40% 


who did reflected a wide range of dollar % allocations: Respondents 47% had under $250,000; 14% had 

% Respondents 

$250,000 to $500,000; 7% had $500,000 % Respondents to $1M; and 9% had more than $1M. 

13% 16% 

13% 16% 

13% 16% 

Budget 

5,001 - 10,000 

2,501 - 5,000 

Budget 

5,001 - 10,000 

2,501 - 5,000 

Budget 

5,001 - 10,000 

2,501 - 5,000 



% Respondents 

I don’t know 23% 

% Respondents 

23% 

% Respondents 

23% 

9 years 

and 9 years more 

9 

and 

years 

more 


6 - 

6 - 

6 - 

Ethics 

Ethics 

Ethics 

11+ 

11+ 

11+ 

47% 

$500k+ 

16% 

47% 

$500k+ 

16% 

16% 

47% 

$500k+ 

14% 

14% 

14% 

$250k - $500k 

$250k - $500k 

$250k - $500k 

% Respondents 

% Respondents 

% Respondents 

Under $250k 

Under $250k 

Under $250k 

5 -10 

5 -10 

5 -10 

Budget 

%Respondents 

Under $250K 47% 

Budget 

$250K - $500K %Respondents 

14% 

Under $250K $500K+ 47% 16% 

$250K - $500K I don't know 14% 23% 

$500K+ 16% 

I don't know 23% 


Compliance 

Under 

$250K 

$250K - 

$500K 

$500K+ I don't 

know 

Ethics and Budget by Under $250K - $500K+ I don't 

Compliance Company Under 2,500 Size$250K 

$500K 

know 

75% 7% 2% 15% 

Budget by 

Company 2,501 - 5,000 57% 12% 13% 18% 

Under 2,500 Size 

5,001 - 10,000 

75% 

48% 

7% 

16% 

2% 

18% 

15% 

18% 

2,501 - 5,000 10,000+ 57% 20% 12% 21% 13% 28% 18% 32% 

5,001 - 10,000 48% 16% 18% 18% 

10,000+ 

E&C employees 

20% %Respondents 

21% 28% 32% 

1 14% 

E&C employees 

2-5 %Respondents 

45% 

1 5-10 14% 15% 

2-5 

11+ 

45% 

24% 

5-10 15% 

unknown 2% 

11+ 24% 

unknown 2% 

Budgets vs. Company Size and Type of Industry 

What is surprising is that larger company size did not uniformly correlate with having the 

largest ethics and compliance budgets. Of course, the majority (69%) of smaller companies 

had the smallest budgets of under $200,000 but more than 25% of smaller companies had 

budgets of either $250K-$500K or $500K to $1M. Conversely, while 45% of companies 

with more than 50,000 employees had budgets of more than $1M, 26% of the larger 

companies had budgets of only $500,000 to $1M, the same percentage as smaller 

companies with less than 5,000 employees. 

15% 

2% 

7% 

75% 

15% 

2% 

7% 

Under 2,500 

75% 

Ethics and Compliance and budget by Company Size 

Ethics and Compliance and budget by Company Size 

13% 

12% 

57% 

18% 18% 

18% 18% 

13% 

12% 

57% 

BudgetI don't know 

I don't 

$500K+ 

know 

$500K+ 

$250K - $500K 

$250K 

Under 

- $500K 

$250K 

Under $250K 

18% 

16% 

48% 

32% 

28% 

21% 

20% 

Under 2,500 2,501 - 5,000 

20% 

2,501 - 5,000 5,001 - 10,000 

Employees 5,001 - 10,000 10,000+ 

Employees 

10,000+ 

Budget 

18% 

16% 

48% 

32% 

28% 

21% 

60% 

40% 

20% 

0% 

100% 

80% 

60% 

40% 

20% 

0% 

100% 

80% 





Unknown


Level of regulation does not correlate to budget 

The industry level of regulation does not predict the size of the ethics and compliance 

budgets. Of the companies from highly regulated industries, 44% have a small budget under 

$250K – and conversely, 45% of the companies with a large budget of $500K or more 

are not highly regulated. Meanwhile, 18% of the very large companies with more 10,000 

employees have smaller budgets of under $250K, even though nearly 40% of them are from 

highly-regulated industries. 

The correlation of budgets to company size and degree of regulation defies explanation, 

other than the fact that companies vary greatly in their resources as well as the degree to 

which their specific industry requires larger resources to comply with regulations. Some 

industries such as financial banking may be able to survive on a lesser budget to achieve 

compliance, compared to a company in oil and gas exploration, pharmaceuticals or 

agriculture whose dangers translate into more dollars needed to meet their compliance 

requirements. 

Survey and statistical methodology 

The survey was completely anonymous and each respondent could take the survey only 

once. The survey questionnaire included multiple choice questions developed in collaboration 

with experts in the ethics and compliance risk assessment field. 

Significance has been analyzed using the chi-square statistics. The threshold for reporting 

differences or relationships as statistically significant is: p < 0.05. This survey was selfadministrated 

using the Instant Survey online tool from GMI (Global Market Insite, Inc.). 

Rounding may occasionally cause some total results to add up to greater than 100 percent. 

® 

For more information, visit www.lrn.com or contact us at: 800-529-6366 North America +1-310-209-5400 Global 

www.lrn.com 

©2008 LRN (07/08) 

LRN Headquarters 

1100 Glendon Avenue 

Seventh Floor 

Los Angeles, CA 90024 

USA 

New York 

One East 52nd Street 

Third Floor 

New York, NY 10022 

USA 

London 

Aldwych House 

71/91 Aldwych 

London WC2 

UK 

Mumbai 

11 Sahakar Road 

Vile Parle (East) 

Mumbai - 400 057 

India

The LRN ethics and compliance risk management practices report

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?