The LRN ethics and compliance risk management practices report

More documents

Recommendations

Info

KEY FINDINGS Ethics and compliance programs are maturing Numerous survey findings demonstrate reasonably vigorous efforts to implement sound practices to manage and mitigate risks. It is encouraging to note, for example, that almost 9 in 10 companies perform a formal ethics and compliance risk assessment, with more than half integrating it into other business risk assessments. However, only half indicate their Executive Team or Board become involved in the assessments. Similarly, more than 9 in 10 companies have codes of conduct or offer internal communications, and almost the same number offer online education courses. Significant increases since 2007 appear in the number of companies (nearly 8 in 10) that provide formal ethics and compliance education for their CEO and senior management, indicating a growing recognition of the critical importance of developing a strong tone from the top. However, multinational companies lag in providing the same level of ethics and compliance education in their regional offices. Electronic data risks identified as top challenge. Overall, there are positive signs that ethics and compliance efforts are progressing, with more companies developing confidence in their abilities to manage and mitigate risks. Nevertheless, companies cite numerous challenges – including lack of resources, low employee engagement, employee fears of retaliation, and lack of relevancy in educational materials – that suggest their organizations are not investing in and developing holistic programs that move their culture beyond compliance into values-based self-governance that drives superior business performance. Companies identify their top two ethics and compliance risks as electronic data protection and data privacy It was unexpected that the two leading perceived risks involved electronic data issues rather than anti-corruption /anti-bribery, given the heightened Department of Justice focus on FCPA violations in 2007 and early 2008. Among all respondents, electronic data protection led the list of concerns in perceived risk. Data privacy was the second leading challenge, along with conflicts of interest. These three risks far outpaced other perceived risks including sexual harassment, environmental safety & health issues, anti-corruption and bribery. The increased concern about electronic data risk is the result of the growing amount of electronic data generated organization-wide, combined with new, more stringent regulations and requirements regarding the management and security of data. Businesses have had sound policies and procedures on processing, storing and protecting printed documents, many of them developed throughout decades. They have had to protect their trade secrets, customer data, and employee records, but now they must also comply with the eDiscovery Rule which went into effect in 2007. The eDiscovery Rule now requires them to manage and maintain all electronic data, including e-mails and instant messages, which might be relevant in future legal disputes. Global enterprises have to comply with new data privacy laws and regulations imposed by European governments. Germany, for example, has instituted specific new laws on data protection that go beyond existing EU data protection laws as well as the older German Federal Data Protection Act. In the U.S., 47 states have ratified separate data privacy laws protecting individuals from fraud and malicious use of their data. Compliance with these electronic data protection and privacy laws is more complex and has migrated beyond traditional IT functions into legal compliance and ethics areas since the legal issues extend beyond their technical expertise. Banking, financial, insurance, and healthcare industries have more rules and regulations regarding data privacy than other industries. LRN | 2008 Ethics and Compliance Risk Management Practices Report | 6
KEY FINDINGS To address these concerns, companies need to develop comprehensive privacy and security policies; conduct audits of their data practices including Internet activities, cross-marketing and data sharing with affiliates and partners; manage their internal data usage, such as handling of customer and employee personal data; and educate employees to prevent breaches or losses related to data privacy. A majority of companies perform formal risk assessments involving multiple functions Respondents are taking risk assessment seriously, with nearly 9 in 10 respondents indicating they perform risk assessments regularly. Slightly more than half say they integrate ethics and compliance concerns into other business assessments. Results indicate that depending on the nature of the risk, companies are utilizing one or more of the following departments in their risk assessments: • compliance, • legal, • internal audit, and • human resources. Most importantly, two-thirds of respondents share the findings of the risk assessments with their Board and their senior executives, ensuring that top leadership participates in the responsibility for building ethical and law-abiding business conduct. Furthermore, almost one-quarter also share their findings with employees, thereby reinforcing ethical awareness and demonstrating the company’s commitment to fostering an ethical workplace. Only 4 in 10 respondent companies involve their business managers in the risk assessment process. The middle managements’ proximity to operations enable them not only to have a more in-depth knowledge about where the ethics and compliance challenges may lie but also to gain the subordinates trust and become the channel of choice when reporting a potential violation. Not tapping into these two key advantages of middle management creates a critical gap in the risk assessment and detection processes. Furthermore, the survey results indicate that nearly all companies want supervisors to be a channel for employees to report violations, it is counterproductive to not involve them in the risk assessment process. Companies would benefit significantly by proactively including managers in every step of the risk management cycle and could substantially improve employees’ willingness to report violations to managers. Companies cite engaging employees and making education more relevant as their top challenges in prevention In terms of preventing risk, respondents point to a lack of resources as their leading challenge, with nearly 6 in 10 companies marking it. However, beyond this perennial problem, the next two leading challenges reflect crucial factors that make or break getting employees motivated to take risk management personally: relevancy and engagement. More than 4 in 10 respondents indicate making the education relevant is their next most significant challenge, and one-quarter cited engaging employees. The search for relevancy and engagement is critical in risk prevention. The learning theory states that adults pay less attention to information that does not directly affect their jobs than they do to information that has an immediate value to their day-to-day work. Numerous studies have also shown that engaging people in their learning boosts their interest in and ability to use the knowledge. Learning resources that allow people to control their own progress, interact with the materials, and gauge their learning through self-tests have proven to have higher impact on adults than one-dimensional lessons that workers passively read or listen to. LRN | 2008 Ethics and Compliance Risk Management Practices Report | 7
Page 1 and 2: ® Inspiring Principled Performance
Page 3 and 4: EXECUTIVE SUMMARY Increased global
Page 5: EXECUTIVE SUMMARY LRN’s Approach
Page 9 and 10: KEY FINDINGS 10 companies also offe
Page 11 and 12: 20 SIGNIFICANT RISK MANAGEMENT TREN
Page 13 and 14: 80% 52% 58% 60% 40% 20% TRENDS 42%
Page 15 and 16: TRENDS ondents man 900% 000% Respon
Page 17 and 18: Why Ethics and Compliance Risk Asse
Page 19 and 20: Educating a Diverse Workforce An In
Page 21 and 22: Avoiding the Pitfalls of Detection
Page 23 and 24: 2008 DETAILED RESULTS DEFINE 1. Is
Page 25 and 26: Function 2008 Compliance 6300% Lega
Page 27 and 28: DETAILED RESULTS Lack of adequate r
Page 29 and 30: Ot Workforce Outreach Workforce Out
Page 31 and 32: DETAILED RESULTS terms of budget an
Page 33 and 34: Anonymous/Confidential Reporting Ch
Page 35 and 36: Top Challenges %Respondents No sign
Page 37 and 38: DETAILED RESULTS uantitative measur
Page 39 and 40: DETAILED RESULTS Quarterly 4100% An
Page 41 and 42: DETAILED RESULTS It’s also a posi
Page 43 and 44: LRN ETHICS AND COMPLIANCE MARKET MA
Page 45 and 46: ,000 es r 5,000 loyees an 2,500 s t
Page 47: RESPONDENT PROFILE Level of regulat

The LRN ethics and compliance risk management practices report

Create successful ePaper yourself

Delete template?

Save as template?