Meet John Dienhart, Ph.D. - Society of Corporate Compliance and ...

Meet John Dienhart, Ph.D. - Society of Corporate Compliance and ...

Meet John Dienhart, Ph.D. - Society of Corporate Compliance and ...


You also want an ePaper? Increase the reach of your titles

YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.

elate to compliance. Essentially, allemployees are directed to perform activitiesin compliance with company policies,procedures, <strong>and</strong> objectives.Unfortunately, such a broad definitionbecomes meaningless for purposes <strong>of</strong>analysis <strong>and</strong> discussion.Today’s environment requires that theword “compliance” be exp<strong>and</strong>ed into aterm which more clearly articulates thecontextual meaning <strong>of</strong> the concept beingconveyed. At the most expansive level,the term “compliance operation” can beused to define the universe <strong>of</strong> compliancefunctions <strong>and</strong> activities beingimplemented by individuals <strong>and</strong> businessunits throughout a company, <strong>and</strong>the organizational structure establishedto link these individuals <strong>and</strong> businessunits to each other, as well as to stakeholdersinside <strong>and</strong> outside the company.Figure 1:Core, supporting,<strong>and</strong> monitoringfunctionsIt is helpful to further divide compliancefunctions into at least three groupswhich exhibit generally accepted distinctions:“core compliance functions,” “supportingcompliance functions” <strong>and</strong>“monitoring compliance functions.”Core compliance functions refer to thoseactivities necessary to meet specific <strong>and</strong>defined regulatory <strong>and</strong> company requirements.Traditionally, core compliancefunctions include activities such as rate<strong>and</strong> form filing, complaint h<strong>and</strong>ling,licensing <strong>and</strong> registration, where regulationsenumerate specific activities thatcan be objectively tested during anexamination to determine whether acompany is successfully complying withthe requirement. In certain circumstances,companies m<strong>and</strong>ate activitiesthat, while not imposed by regulation,become a compliance requirement. Forexample, certain companies require thatreplacement disclosure forms be providedto customers in all states, includingthose states which have not regulatedthis disclosure.Supporting compliance functions refer tothose activities that are performed to helpensure all core compliance functions arebeing implemented as required. Thesefunctions might include activities such astraining, the documentation <strong>of</strong> policies<strong>and</strong> procedures, the completion <strong>and</strong> use<strong>of</strong> risk assessments, analysis <strong>and</strong> communication<strong>of</strong> emerging regulations, <strong>and</strong> theapplication <strong>of</strong> a formalized metrics-basedsupervisory system. Attention to supportingcompliance functions increased whenregulators began drafting laws with anembedded “reasonableness” st<strong>and</strong>ard asthe qualitative measure. For example,NASD Rule 3010 3 <strong>and</strong> the regulationsimplementing the USA PATRIOT Act,Section 352 4 , utilize a reasonablenessst<strong>and</strong>ard as the basis for compliance. Ineffect, “reasonableness” regulations prescribea desired outcome <strong>and</strong> leave it tothe company to tailor specific controls toachieve the outcome. As a result, companieshave needed to look beyond therealm <strong>of</strong> technical compliance with specificregulations <strong>and</strong> focus on those compliance-relatedactivities necessary to supportthe successful implementation <strong>of</strong> therelated core compliance function.Reproduced by permission <strong>of</strong>PricewaterhouseCoopersIn addition, companies with leading edgecompliance operations formally monitorthe implementation <strong>of</strong> both core <strong>and</strong>supporting compliance functions to evaluate<strong>and</strong> verify that these functions arereasonably designed <strong>and</strong> being effectivelyimplemented. This assessment takesmany forms, <strong>and</strong> <strong>of</strong>ten includes continualmonitoring <strong>and</strong> analysis <strong>of</strong> complianceContinued on page 6<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 20055

The evolving definition <strong>of</strong> compliance ...continued from page 5activities, periodic testing <strong>and</strong> formal,independent audits. In addition, it is<strong>of</strong>ten within the scope <strong>of</strong> those performingmonitoring functions to provideadvice <strong>and</strong> counsel on the design <strong>of</strong> core<strong>and</strong> supporting compliance controls.Figure 1 (see page 5) illustrates the relationshipbetween core, supporting, <strong>and</strong>monitoring compliance functions.Emerging core compliance functionsRecent regulatory actions indicate thatlawmakers are now taking a hybridapproach to enacting relevant legislation.While generally maintaining reasonablenessst<strong>and</strong>ards, these new regulationsaddress activities previously performedin voluntary support <strong>of</strong> core functions.For example, certification requirementsunder Sarbanes-Oxley 5 , NASD Rule3013 6 <strong>and</strong> the SEC Rule 38a-1 7 havemade voluntary monitoring by company<strong>of</strong>ficers a regulatory requirement. Otherexamples include the training <strong>and</strong> testingrequired under anti-money launderingregulations. 8 As such, companiesmust address these functions from twodifferent perspectives. In this circumstance,training <strong>and</strong> testing are now corecompliance functions, as well as remainingvital supporting <strong>and</strong> monitoringcompliance functions. As a supportingfunction, training will still be an essentialelement for ensuring compliancewith activities such as reporting largecash transactions <strong>and</strong> the identification<strong>and</strong> reporting <strong>of</strong> suspicious activities.However, in addition, the company willneed to support this training activitywith documented policies <strong>and</strong> procedures,training <strong>of</strong> the trainers, formalsupervision <strong>and</strong> appropriate monitoringto ensure the training program is reasonablydesigned <strong>and</strong> being effectivelyimplemented (see Figure 2).Figure 2:Open communication betweenall individuals performing relatedcompliance functions iskey to maintaining an effectivecompliance operation<strong>Compliance</strong> structure—roles,responsibilities <strong>and</strong> reportingThe broad array <strong>and</strong> increasing complexity<strong>of</strong> compliance functions beingimplemented throughout an organizationplaces new dem<strong>and</strong>s on companymanagement to assess <strong>and</strong> determine theappropriate compliance structure fortheir organization, <strong>and</strong> requires thatmanagement seek answers to the following:Which operational business unit orunits should be charged with responsibilityfor implementing specific compliancefunctions? What is the appropriaterole for the compliance department <strong>and</strong>the chief compliance <strong>of</strong>ficer in developing<strong>and</strong> managing the structure establishedto support the implementation <strong>of</strong>these compliance functions?Organizational alignment for theimplementation <strong>of</strong> compliance functionsThe establishment <strong>of</strong> formal compliancedepartments came into vogue after theReproduced by permission <strong>of</strong>PricewaterhouseCoopersDecember 20056<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

market conduct sc<strong>and</strong>als <strong>of</strong> the mid-90s,when life insurance companies pulledthe implementation <strong>of</strong> certain core compliancefunctions (e.g., sales materialreview) out <strong>of</strong> line business units <strong>and</strong>centralized these functions into the compliancedepartment. However, companiesthat built large, centralized compliancedepartments for these purposeshave started to move these functionsback out to line business units in aneffort to better manage risk. Many companiesstrongly believe that line businessunits should retain responsibility for theimplementation <strong>of</strong> those core compliancefunctions which are central to theline business unit’s general operation.Today, it is not unusual for marketing ordistribution to have responsibility forsales material review, or for productdevelopment to have responsibility forrate <strong>and</strong> form filing. In addition, legaldepartments <strong>of</strong>ten retain responsibilityfor the initial identification <strong>and</strong> analysis<strong>of</strong> emerging regulations, <strong>and</strong> many companiescharge customer service departmentswith responsibility for h<strong>and</strong>lingcomplaints. Of course, this is a simplifieddelineation <strong>and</strong> no company haspure separation <strong>of</strong> responsibility.Having a compliance function implementedby an organizational unit otherthan the compliance department doesnot address the question <strong>of</strong> whether theimplementation should be h<strong>and</strong>led in acentralized or decentralized manner.Centralization <strong>of</strong> certain compliancefunctions has distinct advantages overbroad decentralization <strong>of</strong> these functions.There are clear economic efficiencies<strong>and</strong> control benefits to the centralization<strong>of</strong> functions such as licensing,complaint h<strong>and</strong>ling, <strong>and</strong> analysis <strong>of</strong>emerging regulations. However, thecomplexity <strong>of</strong> some organizationsrequires the decentralization <strong>of</strong> eventhese functions. The primary challengeassociated with decentralization is managingconsistency in implementation<strong>and</strong> in allocating sufficient resources toh<strong>and</strong>le all necessary support <strong>and</strong> monitoringfunctions. It should be noted thatassigning responsibility for the implementation<strong>of</strong> a compliance function toan individual aligned with the compliancedepartment does not, necessarily,avoid the consistency or resource issue.<strong>Compliance</strong> departments with staffphysically embedded into the businessunits are also challenged by consistency<strong>and</strong> resource issues.There are no universal answers for whichcompliance functions should be implementedby individuals aligned with thecompany’s compliance department <strong>and</strong>by which individuals assigned to one <strong>of</strong>the company’s other business units.Similarly, each company needs to decidewhether compliance functions should beimplemented from a centralized operation(compliance department or otherwise)or performed by multiple individualslocated in decentralized businessunits across the enterprise. For a complianceoperation to find success, the location<strong>of</strong> individuals responsible for theimplementation <strong>of</strong> compliance functionsmust be aligned with the company’soverall culture <strong>and</strong> operational needs.Role <strong>of</strong> the chief compliance <strong>of</strong>ficer <strong>and</strong>compliance departmentDiscussions around which business unitsshould be charged with the implementation<strong>of</strong> specific compliance functionsleads to questions surrounding the role<strong>of</strong> the chief compliance <strong>of</strong>ficer <strong>and</strong> compliancedepartment in designing, developing<strong>and</strong> maintaining a compliancestructure that is sufficiently structured t<strong>of</strong>acilitate the effective oversight <strong>and</strong> governance<strong>of</strong> all compliance activities.While there are many identifiable elementsevident in the structure <strong>of</strong> arobust compliance operation, two st<strong>and</strong>out as being essential: the quality <strong>of</strong> theindividuals assigned responsibility forimplementing the compliance functions<strong>and</strong> the manner in which these individualsare connected to each other. Today, aprimary role <strong>of</strong> the chief compliance<strong>of</strong>ficer is to make certain these elementsare successfully addressed.Individuals assigned a role in the performance<strong>of</strong> a specific compliance functionmust possess the requisite skills,experience <strong>and</strong> authority to effectivelyimplement the function. The chief compliance<strong>of</strong>ficer is responsible for ensuringthat business units assign complianceresponsibility to appropriate individuals<strong>and</strong> that resource levels are sufficient tomeet the compliance needs <strong>of</strong> the company.In addition, compliance departmentsare now responsible for makingcertain that compliance-related roles <strong>and</strong>responsibilities are well-defined <strong>and</strong>communicated in a manner that leavesno questions as to what behaviors areexpected. Well-articulated responsibilitieslead to clear expectations that can bemeasured <strong>and</strong> evaluated (e.g. metricbasedsupervision, testing).Second, it is essential that individualsimplementing compliance functions areorganizationally linked in a manner thatmakes sense for the company’s generaloperating style <strong>and</strong> culture. It is notunusual for multiple business units toContinued on page 8<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 20057

The evolving definition <strong>of</strong> compliance ...continued from page 7play key roles in the support <strong>and</strong> monitoring<strong>of</strong> a specific core function. Forexample, where a core compliance functionis being implemented by individualsin a specific business unit (e.g. complaintsbeing h<strong>and</strong>led by the customerservice department), the activities <strong>of</strong>these individuals may be directly supported<strong>and</strong> monitored by individualsfrom the legal, training, auditing <strong>and</strong>compliance departments (see Figure 2).Consequently, in a robust complianceoperation, the compliance departmentmust ensure that individuals are connectedin a formal manner that goes wellbeyond traditional direct or dotted-linematrix reporting relationships. Forexample, where similar compliance functionsare being implemented in a decentralizedenvironment, consistencyrequirements dictate the need for formalcommunication on a consistent basis. Inaddition, the relationship between individualsperforming core or supportingfunctions <strong>and</strong> individuals performingrelated monitoring functions requires adegree <strong>of</strong> independence that supersedesdirect line, or even dotted-line, reportingrelationships. However, the absence <strong>of</strong>reporting does not diminish the need fora formal relationship to exist betweenthese individuals. In fact, monitoringrelationships <strong>of</strong>ten call for a high degree<strong>of</strong> formality with specified forms <strong>of</strong>communication (e.g. reports) <strong>and</strong> directoversight. Ultimately, what matters isthat individuals who perform relatedcompliance functions remain connectedto each other in a meaningful manner,<strong>and</strong> each company needs to find theappropriate level <strong>of</strong> formality <strong>and</strong> structureto facilitate these connections.Based on the above, chief compliance<strong>of</strong>ficers must possess skill sets that are, inmany respects, quite different from theskills that may have served them welljust a few years ago. It is now incumbenton the chief compliance <strong>of</strong>ficer <strong>and</strong> individualsorganizationally assigned to theFigure 3:Governance <strong>and</strong> oversight compliancefunctions provide an overlay to the core,supporting, <strong>and</strong> monitoring functionsbeing implemented acrossthe company.Reproduced by permission <strong>of</strong>PricewaterhouseCoopersDecember 20058<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

compliance department to facilitate thelinkage between individuals performingcompliance functions across the enterprise.Today’s effective chief compliance<strong>of</strong>ficer must be a fully integrated member<strong>of</strong> the executive management teamwith full access to all business leaders<strong>and</strong> the board <strong>of</strong> directors. In addition,the chief compliance <strong>of</strong>ficer must complementbroad technical expertise with amastery <strong>of</strong> organizational skills <strong>and</strong> theability to present complex complianceconcepts to all stakeholders.<strong>Compliance</strong> governance—seniormanagement <strong>and</strong> board oversightIn today’s environment, it is expected,<strong>and</strong> in certain circumstances required,that senior management <strong>and</strong> the board<strong>of</strong> directors (directly or through a committee)actively provide oversight overthe company’s compliance operation.The compliance oversight functions performedinclude the review <strong>and</strong> approval<strong>of</strong> significant compliance policies <strong>and</strong>programs, the provision <strong>of</strong> strategicdirection to compliance leadership, <strong>and</strong>the continual assessment <strong>of</strong> whethercompliance functions are being effectivelyimplemented in accordance with thecompany’s risk management philosophy(see Figure 3).For this oversight to be meaningful, sufficient<strong>and</strong> significant information relatingto the effective implementation <strong>of</strong> allcompliance functions must be providedto senior management <strong>and</strong> the board. Ifthe structure <strong>of</strong> the compliance operationis effective, essential informationwill flow from those performing core<strong>and</strong> supporting compliance functions tothose charged with monitoring thesefunctions. In turn, this information willbe presented to members <strong>of</strong> senior management<strong>and</strong> the board <strong>of</strong> directors whoare charged with providing oversight <strong>of</strong>the compliance operation. The chiefcompliance <strong>of</strong>ficer is generally responsiblefor providing timely reports summarizingrisks, issues <strong>and</strong> operational effectiveness.Importantly, where the company’s compliancestructure effectively links all <strong>of</strong>the individuals who are implementingrelated core, supporting <strong>and</strong> monitoringcompliance functions across the enterprise,these reports provide much morethan a retrospective communicationfocused solely on the number <strong>of</strong> complaints,results <strong>of</strong> regulatory inquiries, orthe cost <strong>of</strong> litigation. These reports havethe potential <strong>of</strong> providing valuableprospective analytical information confirmingthe occurrence <strong>of</strong> expected complianceactivity. Risks <strong>of</strong> non-complianceare identified <strong>and</strong> escalated to seniormanagement <strong>and</strong> the board for evaluation<strong>and</strong> direction before they result inan adverse regulatory action or lawsuit.With this type <strong>of</strong> information, seniormanagement <strong>and</strong> the board <strong>of</strong> directorshave the tools necessary to providemeaningful oversight over the complianceoperation.There is no question that federal <strong>and</strong>state lawmakers, regulators, <strong>and</strong> thosecharged with enforcing these laws <strong>and</strong>regulations, expect meaningful governance<strong>of</strong> the compliance operation froma company’s leadership team. With continuallyemerging regulations <strong>and</strong> newcorporate dem<strong>and</strong>s, building the complianceinfrastructure necessary to facilitatethis expected governance is no simpleundertaking. Chief compliance <strong>of</strong>ficersmust structure <strong>and</strong> manage a complianceoperation that successfully connectsindividuals from across the enterprisehaving the responsibility for implementingmultiple layers <strong>of</strong> compliance functions.Underst<strong>and</strong>ing that the simpleterm “compliance” now requires anexpansive definition helps in beginningto frame the issues <strong>and</strong> questions thatwill lead to the development <strong>of</strong> a successfulcompliance operation. ■1. The Sarbanes-Oxley Act <strong>of</strong> 2002 (Pub. L. 107-204,116 Stat. 745 (2002)).2. Securities <strong>and</strong> Exchange Commission (‘SEC’) rule 38a-1 under the Investment Company Act <strong>of</strong> 1940 <strong>and</strong> rule206(4)-7 under the Investment Advisors Act <strong>of</strong> 1940<strong>and</strong> the National Association <strong>of</strong> Securities Dealers(‘NASD’) Rule 3013.3. ‘Each member shall establish <strong>and</strong> maintain a system tosupervise the activities <strong>of</strong> each registered representative<strong>and</strong> associated person that is reasonably designed toachieve compliance with applicable laws <strong>and</strong> regulations,<strong>and</strong> with the Rules <strong>of</strong> the Association.’ NASDRule 3010 (emphasis added).4. ‘…[E]ach member shall develop <strong>and</strong> implement a writtenanti-money laundering program reasonablydesigned to achieve <strong>and</strong> monitor the member’s compliancewith the requirements <strong>of</strong> the Bank Secrecy Act (31U.S.C. 5311 et. seq.) <strong>and</strong> the implementing regulationspromulgated thereunder by the Department <strong>of</strong> theTreasury.…The anti-money laundering programrequired by this Rule shall, at a minimum...(b) Establish <strong>and</strong> implement policies, procedures <strong>and</strong>internal controls that can be reasonably expected todetect <strong>and</strong> cause the reporting <strong>of</strong> transactions requiredunder 31 U.S.C. 5318(g) <strong>and</strong> the implementing regulationsthereunder.’ NASD Rule 3011 (emphasis added).5. The Sarbanes-Oxley Act <strong>of</strong> 2002 (Pub. L. 107-204,116 Stat. 745 (2002)) (Section 302).6. ‘Each member shall have its chief executive <strong>of</strong>ficer (orequivalent <strong>of</strong>ficer) certify annually, as set forth in IM-3013, that the member has in place processes to establish,maintain, review, test <strong>and</strong> modify written compliancepolicies <strong>and</strong> written supervisory procedures reasonablydesigned to achieve compliance with applicableNASD rules, MSRB rules <strong>and</strong> federal securities laws<strong>and</strong> regulations…’ NASD Rule 3013(b).7. Under SEC rules 38-a-1 <strong>and</strong> 205(4)-7 investment companiesare required to appoint a chief compliance <strong>of</strong>ficerwho is responsible for certifying to the adequacy<strong>and</strong> effectiveness <strong>of</strong> the company’s compliance policies<strong>and</strong> procedures.8. USA PATRIOT Act, Section 352 (c) <strong>and</strong> (e).<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 20059

y Bill PracharEditor’s Note: Bill Prachar has over involved, communications tend to bethirty years experience in <strong>Compliance</strong>, frequent, practical <strong>and</strong> clear. BusinessEthics, <strong>and</strong> <strong>Corporate</strong> Governance. Mr. messages are embraced <strong>and</strong> delivered byPrachar is an attorney practicing with a broad spectrum <strong>of</strong> the operationalthe <strong>Compliance</strong> Systems Legal Group hierarchy. Where C&E objectives are(CSLG). Because he has an extensive involved, the quality <strong>and</strong> frequency <strong>of</strong>business, as well as legal background, he communications are <strong>of</strong>ten less “robust”specializes in the practical issues associatedwith developing <strong>and</strong> implementing <strong>of</strong>ten delivered by a smaller group <strong>of</strong>than in the business context, <strong>and</strong> areeffective ethics <strong>and</strong> compliance programs.He can be reached via e-mail at able reasons for this, <strong>and</strong> there are fixespeople. There are, I think, underst<strong>and</strong>-bprachar@cslg.com.for the problem. I’ll <strong>of</strong>fer my take onthis now <strong>and</strong> hope readers will <strong>of</strong>ferAs I travel around the country additional or differing opinions.visiting organizations engagedin building effective compliance<strong>and</strong> ethics programs, I see a lot stems from a too narrow reading <strong>of</strong> thePart <strong>of</strong> the problem, in my view, <strong>of</strong>tenbeing done well. Companies are focusingcarefully on the Federal Sentencing Section 8B2.1(b)(4)(A) states: Thelanguage <strong>of</strong> the Sentencing Guidelines.Guidelines’ recently enhanced seven organization shall take reasonable stepssteps <strong>and</strong> the guidance given by others to communicate periodically <strong>and</strong> in asuch as the HHS OIG, NYSE, <strong>and</strong>, <strong>of</strong> practical manner its st<strong>and</strong>ards <strong>and</strong> procedures,<strong>and</strong> other aspects <strong>of</strong> the compli-course, Sarbanes-Oxley. They are investingtime <strong>and</strong> resources into developing ance <strong>and</strong> ethics program, to the individualsreferred to in subdivision (B) by<strong>and</strong> rolling out attractive, well-writtencodes <strong>of</strong> conduct <strong>and</strong> into <strong>of</strong>fering comprehensivetraining vehicles including <strong>and</strong> otherwise disseminating informationconducting effective training programson-line courses <strong>and</strong> innovative games. appropriate to such individuals’ respectiveroles <strong>and</strong> responsibilities. The key isMuch attention is being given to assuringthat the “governing authority” <strong>and</strong> the meaning <strong>of</strong> the word communicate.senior management are knowledgeable The first dictionary definition <strong>of</strong> theon the elements <strong>of</strong> the compliance <strong>and</strong> noun is “an act or instance <strong>of</strong> transmitting.”Read with this meaning Sectionethics programs. The list goes on <strong>and</strong>on—a lot <strong>of</strong> good stuff happening out (4)A) is pretty simple to implement—there.create targeted training, print <strong>and</strong> distributea lot <strong>of</strong> pamphlets containingOn the other h<strong>and</strong> there is one area policies <strong>and</strong> procedures, <strong>and</strong> post messageson the intranet. In fairness, mostwhere I repeatedly see need for improvement,<strong>and</strong> that is the area <strong>of</strong> communications.Where business objectives are cles “practical” <strong>and</strong> effective. This iscompanies are trying to make these vehi-allBILL PRACHARgood but I think it is only part <strong>of</strong> thecommunications picture, <strong>and</strong> in someways, maybe the less important part.Other definitions <strong>of</strong> communicate are:“a process by which information isexchanged between individuals through acommon system <strong>of</strong> symbols, signs, orbehavior” <strong>and</strong> “a technique for expressingideas effectively” [emphasis added].Communication requires exchangebetween at least two parties. If a messageis posted on the company intranet <strong>and</strong>nobody reads it, arguably no communicationhas taken place. While I’m not goingto suggest that a single message can never“communicate,” I will suggest that goodcommunications involves a process—onewhereby successive messages build uponeach other to clearly explicate <strong>and</strong> reinforcethe key communication point orpoints. How many <strong>of</strong> us have been ableto instill an important behavioral messageto our kids by simply saying it once?Process is especially important in a largeorganization where communications,particularly in the C&E area, are seldom“one-on-one.” Messages need to be deliverednot just by the CEO <strong>and</strong> the ChiefC&E <strong>of</strong>ficer, but by the managers whosign the paychecks <strong>of</strong> those we makeDecember 200510<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

esponsible for ethical <strong>and</strong> compliantconduct. Unfortunately, most managershave plenty to do without trying toexplain compliance <strong>and</strong> ethics to thosethey manage. However, if they are periodicallygiven C&E messages to deliver,<strong>and</strong> some guidance on how to deliverthem, most managers, by nature organizationalteam players, will happily oblige.It’s also important to remember thatexchange <strong>of</strong> information implies twowaycommunications. The more thecommunications process can encourage<strong>and</strong> engender constructive discussion,<strong>and</strong> even push-back, the more effectiveit will be. People tune out when they aretalked to all the time. Conversely, ifcommunications are credible <strong>and</strong> seekthe thoughts or opinions <strong>of</strong> employees,even if they choose not to respond, thereis a greater chance that they will becomeengaged in the message <strong>and</strong> some or all<strong>of</strong> it will be retained.The bad news—developing <strong>and</strong> implementingeffective C&E communicationstakes serious planning <strong>and</strong> tenaciousmanagement. The good news—it can bethe least expensive <strong>and</strong> most effectivepart <strong>of</strong> an organization’s C&E program.Yes, codes, training, Web portals, subjectmatter pamphlets, <strong>and</strong> other programmaticelements are critical communicationstools on their own. However, thereis a wonderful opportunity, with planning,to weave around these tools asteady stream <strong>of</strong> supporting, supplementalcommunications. Done well, C&Ewill not be viewed as another flavor <strong>of</strong>the month, but as a living part <strong>of</strong> theorganization’s operational DNA.The fundamental business tool toaccomplish all this is the “plan.” A comprehensiveannual communications planthat establishes timing <strong>of</strong> messages,responsibility for content development,accountability for delivery, <strong>and</strong> evaluation<strong>of</strong> effectiveness is an absolute must.Few things are accomplished in businesson an ad hoc basis. Processes must beplanned <strong>and</strong> managed, <strong>and</strong> the communication<strong>of</strong> consistent, effective <strong>and</strong>credible C&E messages is no exception.In a future column I will share some <strong>of</strong>the communications techniques I haveused. I would also like to share methodsused by readers to effectively communicatethe C&E message in their organizations.I would like particularly to share agood annual communications plan withreaders. Please e-mail any communicationsexamples or techniques you havefound successful to the address belowso we can develop a communicationsplanning matrix. ■<strong>Compliance</strong> & EthicsAdvertising RatesFull page B/W insertion rates:1–2 $640.003–5 insertions $605.006–11 insertions $490.0012 or more $405.00Half page B/W insertion rates:1–2 $450.003–5 insertions $420.006–11 insertions $355.0012 or more $305.00Quarter page B/W insertion rates:1–2 $265 003–5 insertions $250 006–11 insertions $225 0012 or more $215.00Full page 2 color insertion rates:1–2 $1075.003–5 insertions $1040.006–11 insertions $925.0012 or more $840.00Half page 2 color insertion rates:1–2 $885.003–5 insertions $855.006–11 insertions $790.0012 or more $740.00Quarter page 2 color insertion rates:1–2 $700.003–5 insertions $685.006–11 insertions $660.0012 or more $650.00Call for AuthorsPlease e-mail your articles or topic ideas to the <strong>Compliance</strong> & Ethics story editor, Marlene Robinson, atmarlene.robinson@corporatecompliance.org. Be sure to include your telephone number, or you maycall Marlene at (888) 277-4977 to discuss your article ideas.Deadlines:■ December 16, 2005 (February 2006 issue)■ March 16, 2006 (May 2006 issue)■ June 16, 2006 (August 2006 issue)<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200511

On the cusp <strong>of</strong> greatnessby Kate W. ButchartEditor’s Note: Kate W. Butchart is an in South Africa originated with theMBA C<strong>and</strong>idate 2006 at the Fisher South African Medical AssociationGraduate School <strong>of</strong> International (SAMA), <strong>and</strong> they assembled a group <strong>of</strong>Business <strong>and</strong> the Monterey Institute <strong>of</strong> individuals supporting the initiative. InInternational Studies.the late 1990s, a feasibility study, conductedby the Ethics Resource Center“It was the best <strong>of</strong> times, it was the (ERC) in Washington DC, identifiedworst <strong>of</strong> times…”significant support for an independent—A Tale <strong>of</strong> Two Cities, organization which would serve as anCharles Dickens ethics resource. It was incorporated inSeptember 1999 <strong>and</strong> began operationsSouth Africa is a l<strong>and</strong> <strong>of</strong> contrasts, in August 2000. EthicSA is a non-pr<strong>of</strong>itlike none I have seen before. The organization that employs two seniordissimilarities between urban <strong>and</strong> managers <strong>and</strong> four full-time staff—rural, black <strong>and</strong> white, male <strong>and</strong> female, which is not nearly enough to keep uprich <strong>and</strong> poor, highfeld (high plateau) with the dem<strong>and</strong>s on their time. It is an<strong>and</strong> coast, all paint a portrait <strong>of</strong> a country institutional response to a worldwidethat is uniquely positioned in the world recognition <strong>of</strong> the need for moral renewal.South Africa, in particular, experi-at this time. Socializing in neighbourhoodswhere black freely mingles with ences an erosion <strong>of</strong> ethical values in awhite, such as Melville in Johannesburg wide range <strong>of</strong> institutions <strong>and</strong> practices.or Long Street in Cape Town, one can Their vision is an ethical nation, <strong>and</strong>feel the palpable pulse <strong>of</strong> the future <strong>of</strong> their mission is to build one by formingSouth Africa—a future heavy with partnerships with the public <strong>and</strong> privateresponsibility, as the shining star <strong>of</strong> the sectors, <strong>and</strong> serving as a resourceAfrican continent. South Africa has the through ethics thought leadership,potential to lead the rest <strong>of</strong> the continent research, training, support <strong>and</strong> rating.towards a better future, as long as it Their guiding values are integrity,ensures that the example it sets is one that respect, responsibility, fairness, <strong>and</strong>should indeed be followed by others. The excellence.Ethics Institute <strong>of</strong> South Africa (EthicSA)is making great strides towards achieving While working at EthicSA, I conductedthis goal. I am immensely pleased that I extensive research on whistle-blowinghave had the opportunity to contribute hotlines <strong>and</strong> drafted a Code <strong>of</strong> Ethics forefforts towards a fascinating research project,namely developing a code <strong>of</strong> ethics In doing so, EthicSA has addressed theservice providers based on the findings.for the whistle-blowing hotline industry, critical need for establishing an industrythe first <strong>of</strong> its kind in the world. best-practice st<strong>and</strong>ard within SouthAfrica. The market for these hotlines hasThe idea <strong>of</strong> establishing an ethics center exp<strong>and</strong>ed rapidly as a result <strong>of</strong> recent recommendationsfrom the US FederalSentencing Guidelines, the South AfricanKing II Report, Article 301 <strong>of</strong> theSarbanes-Oxley Act, <strong>and</strong> the SouthAfrican National Anti-CorruptionSummits, which all cite a whistle-blowinghotline as an essential component <strong>of</strong>an effective anti-corruption program.EthicSA was concerned about qualityassurance as a result <strong>of</strong> the plethora <strong>of</strong>new players entering the market. An“EthicSA Certified Hotline Provider” statuswill be given to companies thatchoose to adhere to the st<strong>and</strong>ard as a wayto differentiate between satisfactory <strong>and</strong>unsatisfactory hotline providers. EthicSAwill maintain the integrity <strong>of</strong> this certificationby performing annual site inspections<strong>of</strong> call center premises, which willfocus on ensuring that specific provisionscontained within the Code <strong>of</strong> Ethics arebeing executed. All in all, I enjoyed mywork at EthicSA immensely <strong>and</strong> amthrilled that it is the first organisation inthe world to identify <strong>and</strong> address thisneed for a whistle-blowing hotlineprovider st<strong>and</strong>ard code <strong>of</strong> behavior.Of course, I was not working seven daysa week while in South Africa; I allottedmy weekends for exploring the southernregion <strong>of</strong> that great continent! In keepingwith the idea <strong>of</strong> contrasts, the best<strong>and</strong> worst times that I have experiencedin any foreign l<strong>and</strong> have all transpired inSouth Africa. The extent <strong>of</strong> my glee atseeing lions mating in the PilanesbergNational Park was matched by theextent <strong>of</strong> my anger as a result <strong>of</strong> mytemporary home in Pretoria being brokeninto <strong>and</strong> my belongings stolen. Theyin <strong>of</strong> fulfilment that I have found inmy work at EthicSA has been complementedby the yang <strong>of</strong> frustration atbeing shunned at a braai (barbeque) forDecember 200512<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

suggesting that Afrikaaners are as much<strong>of</strong> an African “tribe” as the Zulus. For all<strong>of</strong> the illusions <strong>of</strong> security—gates, barson windows, alarms, barbed wire—behind which I grudgingly lived for thethree months, I never felt completelysecure. And just when I felt like I wasbeginning to underst<strong>and</strong> the rhythm <strong>of</strong>life in South Africa, just when I wasstarting to see the beauty in its everydaycomplexities, it came time for me todepart.South Africa, as a regional leader, hasbeen faced with having to make difficultethical decisions <strong>of</strong> late, <strong>and</strong> they willnot be getting easier nor less frequent.The Sabir Shaik—Jacob Zuma corruptionsc<strong>and</strong>al broke soon after I arrived,<strong>and</strong> through watching that dramaunfold, I was introduced to the bubblingcauldron <strong>of</strong> controversy <strong>and</strong> corruptionin which South African political lifesteeps. More recently, Thabo Mbeki hasbeen confronted with whether or not tolend money to the Zimbabwean government,which is controlled by RobertMugabe—a dictator who is not unfamiliarwith morally questionable acts. Someargue that the positive step taken byMbeki in removing Zuma from his<strong>of</strong>fice as Deputy President for allegedlyengaging in corrupt activities was negatedby lending money to Mugabe, thespearhead <strong>of</strong> “Operation Drive OutFilth,” which forced hundreds <strong>of</strong> thous<strong>and</strong>s<strong>of</strong> Zimbabweans from their homeswith a moment’s warning. The ethicall<strong>and</strong>scape in southern Africa is constantlychanging, <strong>and</strong> I trust that EthicSAwill continue to raise the bar by raisingawareness within organisations, both private<strong>and</strong> public, throughout the region.I am confident that the scope <strong>of</strong>EthicSA’s work will continue to grow, asit progresses from a national to regionalto global leader in the ethics field, <strong>and</strong> Ilook forward to keeping abreast <strong>of</strong> newinitiatives. I will reflect on my shorttime in Africa with both a smile on myface <strong>and</strong> a tear in my eye, rememberingbreathtaking moments such as viewingVictoria Falls from a helicopter withequal poignancy as driving past urbantownships, people’s seemingly simplelives flying past my window in a blur.EthicSA actively bridges ethical dividesby implementing ethics managementprogrammes within a large variety <strong>of</strong>organisations. In the l<strong>and</strong> <strong>of</strong> contraststhat is South Africa, doing so is a necessary,ambitious, yet attainable endeavourthat sets an example <strong>of</strong> ethical businessbehaviour for the rest <strong>of</strong> Africa. ■Subscribe to<strong>Compliance</strong> & Ethics,published quarterly!THREE WAYS TO ORDER:www.corporatecompliance.orgFax: 952-988-0146Mail request to: SCCE,5780 Lincoln Drive,Suite 120Minneapolis, MN 55436Call for more info:1-888-277-4977Future Leaders in <strong>Compliance</strong> <strong>and</strong> EthicsThe <strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics (SCCE) is pleased to announce the addition <strong>of</strong> a student column titled,“Future Leaders in <strong>Compliance</strong> <strong>and</strong> Ethics” in <strong>Compliance</strong> & Ethics (C&E), the <strong>of</strong>ficial journal <strong>of</strong> the SCCE. The columnis designed for business students to share their ideas <strong>and</strong>/or synopsis on compliance <strong>and</strong> ethics related issues or events withleaders in the compliance <strong>and</strong> ethics field. We encourage pr<strong>of</strong>essors to notify their students about this unique opportunity tobe a voice in the corporate world.C&E is published quarterly, distributed to over 375 members, <strong>and</strong> displayed at more than ten national conferences eachyear, with more than 1,500 copies in circulation. Articles should be between 500–1,000 words <strong>and</strong> the author can beanonymous, with only the college name published, upon request by the student. Articles should be submitted electronicallyto info@corporatecompliance.org. Please see a list <strong>of</strong> submission deadlines below. Since C&E is a peer review journal, allarticles will be submitted to our editorial board for review <strong>and</strong> recommendation. We also encourage pr<strong>of</strong>essors to reviewtheir students’ articles prior to submission, to be submitted with your comments or recommendations.C&E Submission DeadlinesDecember 16 – February Issue | March 16 – May issue | June 16 – August issue<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200513

Editor’s Note: Dave Slovin is the VicePresident <strong>of</strong> Business Development atThe Network, a company that has operatedconfidential hotlines for more than20 years. The Network provides hotlineservices to some <strong>of</strong> the world’s largestorganizations. He can be reached atinfo@tnwinc.com.The Sarbanes-Oxley Act <strong>and</strong> theamended Federal SentencingGuidelines for Organizationshave inspired many companies, bothpublic <strong>and</strong> private, to either implementa confidential hotline or helpline for thefirst time, or to review the procedures<strong>and</strong> training surrounding their existinghotline. As Ethics <strong>and</strong> <strong>Compliance</strong>Officers review procedures, there areemerging data <strong>and</strong> trends about the use<strong>of</strong> hotlines that can prove helpful inunderst<strong>and</strong>ing the potential impact <strong>of</strong>changes to the hotline’s operations or itssupporting communications.This article will review the results <strong>of</strong> studies<strong>and</strong> data analysis which <strong>of</strong>fer implicationsregarding best practices for a hotline.These include statistics regarding operationalprocedures as well as communicationsthat can help improve effectiveness.Statistics about Hotline EffectivenessHotlines have proven highly effective asby Dave Slovina tool for detecting <strong>and</strong> deterring illegalactivities. In its 2004 Report to theNation, the Association <strong>of</strong> CertifiedFraud Examiners (ACFE) found tips arethe number one method for detectingfraud. This same report found thatorganizations without a hotline lost anaverage <strong>of</strong> $135,000 to fraud while thosewith a hotline lost only $56,000, suggestingthat the presence <strong>of</strong> a hotlinesubstantially lowered losses due to fraud.This result is likely caused by the dualeffect <strong>of</strong> the hotline as a detection device<strong>and</strong> the communications regarding thehotline having a deterrent effect onthose considering fraud. These statisticswere similar to the findings <strong>of</strong> the 2002Report to the Nation, substantiating thelong held belief that a hotline has anongoing role in mitigating risk surroundingillegal activities.Given their findings regarding the effectiveness<strong>of</strong> hotlines, the ACFE conducteda survey <strong>of</strong> members in order to betterunderst<strong>and</strong> the dynamics <strong>of</strong> what makesa hotline effective. This survey, developedin conjunction with The Network, askedquestions about specific techniques usedto promote the hotline <strong>and</strong> other types<strong>of</strong> reporting mechanisms.ACFE / The Network SurveyThe findings from the survey includedDAVE SLOVINthe following observations:■ Telephone hotlines <strong>and</strong> open doorpolicies were considered the mosteffective methods for collecting tips■ 73% <strong>of</strong> respondents had some form<strong>of</strong> a hotline■ 24-hour hotlines were seen as moreeffective than hotlines with limitedhours <strong>of</strong> operation■ Hotlines answered by a person wereseen as more effective than thoseanswered by an answering machine■ Hotlines were more likely to be ratedas effective when multiple vehicleswere used to promote the hotline toemployees■ Respondents who used wallet cards<strong>and</strong> brochures to communicate aboutthe hotline were most likely to ratethe hotline as “extremely effective”Promote multiple ways to come forwardwith concernsOne <strong>of</strong> the key implications for bestpractices <strong>of</strong> this study lies in providingemployees, suppliers, <strong>and</strong> other stakeholderswith a variety <strong>of</strong> methods forreporting concerns about illegal orunethical behavior. While some individualsmay feel comfortable coming forwardthrough an open door policy or tothe ethics <strong>of</strong>ficer directly, others mayDecember 200514<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

not. Another statistic may shed light onthe desire to use a hotline: roughly onethird<strong>of</strong> hotline callers indicate they havepreviously informed management <strong>of</strong> thesituation. These callers use the hotline asa safety net for reporting issues they feelhave not been h<strong>and</strong>led adequatelythrough face-to-face reporting. In thesesituations, an interview conducted by anexperienced interviewer results in themost actionable information possible.This enables the organization to investigate<strong>and</strong> take corrective action.Offer Interactive Communication forReporting ConcernsAnother important finding is that a live,interactive interview is more effective thanone-way communication, like a voice mailmessage. The reason for this seems clearwhen one considers that interactive communication,whether face-to-face or viathe telephone enables the Ethics Officer,Supervisor or Interviewer to ask questionsto clarify information <strong>and</strong> provide thedetails necessary to support an investigation.An anonymous note or message maybe very brief <strong>and</strong> lack the type <strong>of</strong> detailrequired by investigators.Interviewer TrainingGiven the finding that hotline effectivenessincreases when a live person answersthe call, the issue <strong>of</strong> training interviewersbecomes a relevant concern. Whetherthe hotline is operated internally orexternally, the people conducting interviewsrequire training regarding effectiveinterview techniques <strong>and</strong> how to dealwith a potentially emotional anonymousperson.This training must be conducted priorto answering any hotline calls to ensurethat interviewers glean as much informationas possible from the conversation. Ifthe caller chooses to remain anonymous,the interviewer needs to cover a variety<strong>of</strong> topics, such as the specific details <strong>of</strong>the questionable behavior, the existence<strong>of</strong> supporting documentation, <strong>and</strong> thepotential for recurrence <strong>of</strong> the unethicalbehavior in the future. In the case <strong>of</strong> anallegation <strong>of</strong> financial irregularities, thenature <strong>of</strong> the <strong>of</strong>fense may be highly specialized,such as an inappropriateaccounting entry. Interviewers need sufficienttraining <strong>and</strong>/or system support tobe able to create a report <strong>of</strong> the concernthat provides relevant details based onthe nature <strong>of</strong> the issue being reported.Also, training <strong>and</strong> procedures for h<strong>and</strong>linghotline calls should be sufficientlystructured to ensure that different interviewersmanage these conversations in asimilar manner. Consistency in h<strong>and</strong>ling<strong>of</strong> calls is an important deliverable <strong>of</strong> theconfidential reporting mechanism.Hours <strong>of</strong> availabilityNearly 50% <strong>of</strong> hotline calls happen outsideregular business hours, making 24/7coverage an important driver <strong>of</strong> effectiveness.Round-the-clock response ensuresthat each call receives equal treatment.Figure 1: Timing <strong>of</strong> Hotline Calls48% <strong>of</strong> calls were receivedoutside <strong>of</strong> business hoursReprinted by permission <strong>of</strong> The Network, Inc.Calls received from the hotlines <strong>of</strong> more than 500 companies.Prepare for 24-hour responsivenessSome organizations provide a hotlinewith live staffing during business hours<strong>and</strong> voice mail after hours. This meansthat the ability for an interactive conversationhas been lost, if any contact ismade at all. Anonymous callers are generallyresistant to leaving recorded messages,given that it leaves an identifiablerecord <strong>of</strong> the caller’s voice. If he or shedoes leave a message, it is likely to bebrief, potentially lacking importantdetails that enable the organization toinvestigate the allegation. Remember,the ultimate goal <strong>of</strong> the hotline is toreceive sufficient information to be ableto determine an appropriate response. Ifvoice mail covers nearly 50% <strong>of</strong> the callvolume, there will be many messagesthat cannot be investigated or evaluatedbecause <strong>of</strong> a lack <strong>of</strong> information.Whether the calls are answered by internalemployees or by a third-partyprovider, 24-hour coverage is critical.Voicemail also falls short <strong>of</strong> the mark interms <strong>of</strong> enabling a second round <strong>of</strong>conversation with an anonymous party.The ability to maintain an ongoing dialogueconstitutes a key deliverable <strong>of</strong> ahotline. This process <strong>of</strong>fers the companya chance to review the initial information,determine aspects that warrantclarification, <strong>and</strong> provide questions foruse in any subsequent conversation.Callers must have confidence that thecall is not being traced, <strong>and</strong> will sometimescall back as requested. A voicemail process will not help sustain anongoing dialogue because the processrequires each anonymous party to use aunique identification code when callingback. The interviewer simply providesthe code <strong>and</strong> the request to call back onContinued on page 16<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200515

Confidential reporting processes ...continued from page 15a specific date at the conclusion <strong>of</strong> theconversation. Again, this process shouldbe developed <strong>and</strong> followed 24/7 whetherthe hotline is staffed internally or operatedby a third-party provider.Given the propensity to receive calls atnight <strong>and</strong> on weekends, the organizationneeds to plan ahead to determine proceduresfor emergency notification <strong>of</strong> atime-sensitive issue. Key members <strong>of</strong> theorganization must agree on a list <strong>of</strong> topicsthat require immediate notification24 hours a day, seven days a week.Immediate notice <strong>of</strong> situations such asthreats <strong>of</strong> violence or an impendingcriminal act will allow the organizationto take preventative action. If such anallegation is received, the hotline staffcalls predetermined personnel usingtheir work, home or cellular phonesuntil the organization has been informed<strong>of</strong> the allegation. This illustrates anotheradvantage <strong>of</strong> a 24/7 hotline, in that apotentially damaging issue may beuncovered <strong>and</strong> resolved during the nightor weekend.AnonymityA 2002 study <strong>of</strong> employee behaviors <strong>and</strong>preferences by Ernst & Young also validatedthe need for multiple reportingmechanisms. Of those surveyed, 80%said they would be willing to report a coworker’sillegal or unethical activity, <strong>and</strong>39% would be more likely to make areport if they could remain anonymous.The employees who were willingto report fraud stated the followingpreferences:■ 57% chose a telephone hotline■ 20% would write an anonymous letter■ 16% would use an anonymousWeb siteThe Ernst & Young finding that 39% <strong>of</strong>respondents would prefer to remainanonymous falls somewhat below the historicaltrend for anonymity <strong>of</strong> calls madeto a hotline. In an analysis <strong>of</strong> hotline callstaken over three years for hundreds <strong>of</strong>organizations, The Network found thatapproximately 50% <strong>of</strong> hotline callers givetheir names, while the other half remainanonymous. The discrepancy between thesurvey results <strong>and</strong> daily hotline realitymay be because in a real-world situation,the possibility <strong>of</strong> retaliation drives adecision to retain anonymity.Protecting Confidentiality throughData SecurityProtecting confidentiality <strong>of</strong> informationis a critical deliverable <strong>of</strong> the hotline,especially if the organization is subject toSarbanes-Oxley. Confidentiality needs tobe protected through two avenues: thecontent <strong>of</strong> the report <strong>and</strong> the protection<strong>of</strong> data files. If the caller asks to remainanonymous, the caller’s identity shouldbe protected through techniques likeavoiding gender-specific pronouns, <strong>and</strong>not documenting the person’s phonenumber or any other identifiable information.No one should use caller ID ordocument a telephone number for ananonymous report. This is an importantissue for an internally operated hotline ifthe organization uses caller ID as a st<strong>and</strong>ardpractice. Under no circumstancesshould the caller’s number be documentedif he or she chooses to remain anonymous.Should an allegation be receivedregarding top management, there maybe pressure to review telephone recordsto uncover the caller’s identity.Data security <strong>of</strong> hotline records presentsother issues, which again manifest in differentways for internally versus externallyoperated hotlines. In either case, theEthics <strong>and</strong> <strong>Compliance</strong> Officer needs toassess the safeguards that are in place toprotect confidential information. Thedata servers should have intrusion detection<strong>and</strong> anti-virus s<strong>of</strong>tware in place.Employees without specific duties thatrequire access to databases, such as databaseadministrators, should not be ableto access reports. All systems housingconfidential reports should reside behindpassword protection <strong>and</strong> a robust firewall.If the data is housed internally,procedures should be put in place toensure that IT personnel would not provideor destroy the information in aclear violation <strong>of</strong> confidentiality ifrequested by a top executive. Lookingbeyond IT, interviewers must be trainedabout maintaining confidentiality <strong>and</strong>should undergo an extensive backgroundcheck. Documenting the steps taken tosecure this information helps protect theorganization from criticism <strong>of</strong> insufficientcompliance with the protection <strong>of</strong>a whistle-blower.Communication regarding the hotlineTypically, organizations educate employeesabout ethics <strong>and</strong> the hotline using awide range <strong>of</strong> vehicles, from posters <strong>and</strong>brochures to announcements at employeemeetings. When asked how theylearned about the hotline, callers most<strong>of</strong>ten cite posters (31%), followed byother employees (14%), the employeeh<strong>and</strong>book (11%), <strong>and</strong> wallet cards (8%).(See Figure 2 on page 18.)In the ACFE 2002 study, two questionswere considered in the analysis:1. Which promotional vehicles wereused by those respondents who ratedtheir hotline as extremely effective?Continued on page 18December 200516<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

y James Brennan <strong>and</strong> Kevin CasselEditor’s Note: James M. Brennan, J.D., reduce a speed limit from 45 to 15is the Chief Ethics Officer <strong>and</strong> Legal m.p.h. without posting a sign, so itCounsel for Midi Company, <strong>and</strong> would be unfair if companies failed toCommissioner on the Illinois State let employees know the legal st<strong>and</strong>ardsExecutive Ethics Commission. Kevin to which they will be held.Cassel is the Lead Writer/InstructionalDesigner with Midi Company.Providing Information on CompanyPolicies. The same applies to companyEvery ethics <strong>and</strong> compliance policies: no matter how finely tuned thepractitioner has heard it from moral compass <strong>of</strong> a new employee, heemployees at some point—or will not know, unless told, the proceduresfor reporting an apparent conflictperhaps at many points:Why do we have ethics training, <strong>of</strong> interest. Furthermore, company policiescan be more challenging to under-anyway? It’s insulting. Weren’t wesupposed to learn this stuff inst<strong>and</strong> <strong>and</strong> follow than laws are—particularlyin an environment where employeeskindergarten?routinely move from one company toIt is true that we are supposed to learn another. While laws have consistentright from wrong before joining the corporateworld—long before. And presum-although typically less nuanced than gov-application across the board, policies—ably, every employee <strong>of</strong> the company is a ernmental regulations—may vary considerablyfrom one employer to the next,good person (or, if some are not, thenthey have slipped past Humansince each company can craft its own.Resources). But contrary to popularbelief, corporate ethics <strong>and</strong> compliance (Incidentally, the fact that Company Atraining is not about teaching employees happens to draw a policy line in a differentplace than does Company B does notwhat it means to be a good person.What, then, is it about?mean Company A is more ethical thanCompany B. Suppose, for instance, thatPosting the Speed Limit. Just because we Company A prohibits all gifts <strong>and</strong> entertainment,while Company B allows themlearned right from wrong as children,that does not mean that as adults we as long as they are not overly lavish. Thisautomatically know the speed limit is not an indicator that Company A iseverywhere we drive. We still need speed more virtuous; it merely means that,limit signs. Similarly, the fact that an after analyzing their particular industry,employee is a good person does not distribution methods, culture, <strong>and</strong> risks,mean she intuitively knows the laws that these two companies found it made senseapply to her work. She needs <strong>and</strong> to draw the line in different places.)deserves to hear from her company whatthose laws are. It’s a matter <strong>of</strong> fairness: Making the St<strong>and</strong>ards Come Alive.just as it would be unfair for a town to Quite <strong>of</strong>ten Codes <strong>of</strong> Conduct seemvague, with overly abstract <strong>and</strong> generallanguage. This approach is intentional:Codes have to be flexible in order toapply to an extremely wide variety <strong>of</strong> situations.A well-written Code articulatesa company’s st<strong>and</strong>ards on the wide range<strong>of</strong> issues that employees will face in thecourse <strong>of</strong> doing their jobs. On its own,however, even the best-written Code isonly a starting point. Without effectiveethics <strong>and</strong> compliance training, theCode is a piece <strong>of</strong> paper—nothing more.Good ethics training brings life to thepaper document that is a Code. It illuminatesthe general language <strong>and</strong> showsemployees how to live those st<strong>and</strong>ards inreal, concrete workplace situations.Showing that the Company St<strong>and</strong>s forSomething. The goals <strong>of</strong> training discussedso far aim to ensure that employeesknow what sort <strong>of</strong> behavior is expected<strong>of</strong> them. This knowledge is meaningless,however, unless employees believethat that’s really what the company wantsthem to do. The pressure to produce canlead to a certain cynicism about theabstract messages <strong>of</strong> compliance <strong>and</strong>ethics found in the Code document.After all, it’s easy to do the right thingwhen such a choice aligns with the company’sfinancial goals. Ethics <strong>and</strong> compliancedecisions—the hard choices—arise when doing the right thing appearsto conflict with producing the resultsthat everyone values so highly: makingthe big sale, certifying the quality <strong>of</strong>manufactured products, meeting shareholderexpectations, <strong>and</strong> so forth. TheCode tells employees what they shoulddo in challenging situations, but inless-than-stellar workplace areas, “theContinued on page 36<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200517

Confidential reporting processes ...continued from page 162. How many promotional methods areoptimal? Is one vehicle enough ordoes hotline effectiveness increasewhen multiple vehicles are used topromote the hotline?Of the promotional vehicles in thesurvey, some <strong>of</strong> the least <strong>of</strong>ten utilized(such as wallet cards <strong>and</strong> brochures)were related to the strongest effectivenessscores for the hotline. More than half <strong>of</strong>respondents who promoted their hotlineusing wallet cards or a brochure ratedthe hotline Extremely Effective.Communication % HotlineMethodExtremely EffectiveWallet cards . . . . . . . . . . . . . . . . . . . 57.1%Brochure . . . . . . . . . . . . . . . . . . . . . 52.3%Intranet. . . . . . . . . . . . . . . . . . . . . . . 42.9%Employee <strong>Meet</strong>ings. . . . . . . . . . . . . 42.6%Newsletter . . . . . . . . . . . . . . . . . . . . 40.7%Signs/Posters. . . . . . . . . . . . . . . . . . 38.4%Employee H<strong>and</strong>book. . . . . . . . . . . . 36.0%Turning to the question <strong>of</strong> the number<strong>of</strong> vehicles used to promote the hotline,respondents who promoted the hotlineusing multiple communications vehicleswere the most likely to rate their hotlineas extremely effective. Effectivenessscores were strongest when four or morecommunication vehicles were used.Implications for Best PracticesFigure 2: How Employees Learn about the HotlineUse a Broad Communication CampaignHotline communications should be part<strong>of</strong> a broader program that promotes ethicalbehavior in the workplace. Thesecommunications not only help detectissues, but can help prevent them. Anethics communication campaign isessentially an advertising campaign thatseeks to inspire a certain behavior withinan audience. As with any advertisingcampaign, the first step is deciding onthe key messages that will motivate ethicalbehavior <strong>and</strong> the use <strong>of</strong> the hotline.The following messages should beincluded:■ Ethical behavior is expectedthroughout the organization■ Illegal or unethical behavior hurts theentire organization <strong>and</strong> will not betolerated■ A request that employees report unacceptableactivities either by coming toa manager or by calling the hotlineThis communication should educateemployees <strong>and</strong> motivate them to reporttheir concerns. The message should bedelivered through multiple vehicles, suchas posters in break rooms, articles inemployee newsletters, discussions inmeetings <strong>and</strong> information on corporateintranet sites. This type <strong>of</strong> comprehensivecampaign reinforces the employee’sperception that the organization wantsto foster an ethical environment. Onepossible explanation for the findingsregarding brochures <strong>and</strong> wallet cards isthat these types <strong>of</strong> “take-away” itemsmake information more easily accessiblethan communications tools like theemployee h<strong>and</strong>book.December 200518Reprinted by permission <strong>of</strong>The Network, Inc.Initial communication should include anannouncement from top managementabout the program’s goals <strong>and</strong> the reasonfor implementing it. This helps set thetone by demonstrating top management’ssupport, <strong>and</strong> helps comply withthe Federal Sentencing Guidelines’updated st<strong>and</strong>ard that the organizationpromote ethical conduct. Employeesneed to know that the organization isproviding them with every opportunityto report problems, <strong>and</strong> that theinformation they report will be sent toContinued on page 20<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200519

Confidential reporting processes ...continued from page 18top management <strong>and</strong>/or to the Board <strong>of</strong>Directors.Every employee in the organizationshould also receive a letter or flyerannouncing the program. Ideally, thispacket should include a card that he orshe can keep in a wallet or purse as areminder <strong>of</strong> the phone number. Newemployees should receive this informationas part <strong>of</strong> their orientation.Managers throughout the organizationshould receive a guide that explains theprogram <strong>and</strong> prepares them to answerquestions.Broad communication means reachingbeyond employees. For example, if theorganization is being cheated by a supplier,there may be employees workingfor the supplier who know about it <strong>and</strong>are bothered by the illegal activity.Listing the hotline number on all checksissued is an inexpensive action that hashelped uncover fraud for many organizations.Asking key suppliers to communicateto their employees about the importance<strong>of</strong> ethics, <strong>and</strong> the existence <strong>of</strong> thehotline, would further enhance fraudprevention <strong>and</strong> detection. Publiccorporations should also informinvestors about the hotline as part <strong>of</strong>their communication about Sarbanes-Oxley compliance. This validates thecorporate commitment to uncoveringfraud.Communicate FrequentlyReferring again to the parallel <strong>of</strong> consumeradvertising, there is generally hotlineactivity following a wave <strong>of</strong> educationalcommunication. When a tool ispublicized, people use it for a while, <strong>and</strong>then they forget about it. Consumerproducts like automobile manufacturersadvertise frequently in order to be infront <strong>of</strong> you at the appropriate time:when you decide you need a new car. Inthe same manner, periodic remindersabout the avenues for reporting unethicalbehavior will help the organizationuncover issues by being available when aperson makes the difficult decision tocome forward with a concern.Ongoing communication is the most<strong>of</strong>ten overlooked component <strong>of</strong> a hotlineprogram, <strong>and</strong> a low volume <strong>of</strong> hotlinecalls can be easily misconstrued as a lack<strong>of</strong> issues. From a compliance perspective,this problem can be avoided by planningmonthly or quarterly communication toemployees regarding the reportingprocess, as part <strong>of</strong> the annual planningexercise. Creating a calendar <strong>of</strong> events forthe year will help ensure that communicationis sufficiently frequent to keepawareness strong.Statistics have proven the usefulness <strong>of</strong> ahotline in detecting <strong>and</strong> deterring illegalbehavior. <strong>Compliance</strong> <strong>of</strong>ficers have anopportunity to maximize the usefulness<strong>of</strong> this tool by making sure awareness <strong>of</strong>the hotline is strong <strong>and</strong> by making surethe hotline’s procedures protect confidentialitywhile <strong>of</strong>fering 24/7 responsiveness.Now is the time to reviewhotline operations <strong>and</strong> communicationsto ensure that your h<strong>and</strong>ling <strong>of</strong> a highpr<strong>of</strong>ile“whistle-blower” case wouldst<strong>and</strong> up to scrutiny in the era <strong>of</strong>Sarbanes-Oxley whistle-blowerprotection. ■Job Analysis SurveyThe <strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> & Ethics (SCCE) is conducting a Job Analysis Survey.The survey can be downloaded on SCCE’s Web site at:www.corporatecompliance.org/CCEP/CCEPJobAnalysis.pdfBy filling out this survey, you have the unique opportunity to give your opinions about the job-relatedtasks <strong>of</strong> ethics <strong>and</strong> compliance pr<strong>of</strong>essionals <strong>and</strong>, ultimately, help determine the content <strong>of</strong> futureCertified <strong>Compliance</strong> <strong>and</strong> Ethics Pr<strong>of</strong>essional (CCEP) examinations. All surveys must be received nolater than November 30, 2005. The results <strong>of</strong> the job analysis survey will be used to establish the content<strong>of</strong> future certification examinations. To ensure that the test is relevant to actual practice, we ask youto rate the significance <strong>of</strong> the enclosed tasks for compliance <strong>and</strong> ethics pr<strong>of</strong>essionals. AppliedMeasurement Pr<strong>of</strong>essionals, Inc. (AMP), expert in conducting job analysis studies, has been hired bythe SCCE to assist with this process.For more information on CCEP or SCCE please visit http://www.corporatecompliance.org or contactTracy Hlavacek at SCCE at 1-888-277-4977 or tracy.hlavacek@corporatecompliance.org.December 200520<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

C ORPORATE C OMPLIANCE & ETHICS:G UIDANCE FOR E NGAGING Y OUR B OARD“This video provides anoverview <strong>of</strong> the Board’srole in compliance.”Odell GuytonSenior <strong>Corporate</strong> Attorney,Director <strong>of</strong> <strong>Compliance</strong>,Micros<strong>of</strong>t Corporationwww.corporatecompliance.org“It’s pretty clear thatthe best complianceprogram in the worldis meaningless, even ifit’s funded with a goodwell-meaning compliance<strong>of</strong>ficer, if the leadership<strong>of</strong> the company is notbehind it <strong>and</strong> isn’tsupportive…”Bringing the vision <strong>of</strong>leadership togetherwith a compliant <strong>and</strong>ethical cultureHonorableMichael E. HorowitzCommissioner, UnitedStates SentencingCommissionNameTitleCompanyOrder Today!Non-Members $395 SCCE/HCCA Members $345Total Payment $ ______________! Purchase Order # _____________! Check/Money Order! VISA ! MasterCardAddressNumberExp. DateCityState<strong>Ph</strong>oneFaxE-mailFormat: ! DVD! VHSMail to: SCCE5780 Lincoln Drive, Suite 120Minneapolis, MN 55436<strong>Ph</strong>one: (888) 277-4977ZipName <strong>of</strong> Card HolderSignature <strong>of</strong> Card HolderPlease make check payable to:<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics (SCCE)FAX: (952) 988-0146Online: www.corporatecompliance.orgE-mail: info@corporatecompliance.orgCode: CE1104December 200521

featurearticle<strong>Meet</strong> <strong>John</strong> <strong>Dienhart</strong>, <strong>Ph</strong>.D.The Frank Shrontz Chair for Business Ethics, Seattle University;Director, Albers Business Ethics Initiative; Director, Northwest Ethics NetworkEditor's note: José A. Tabuena is withthe Forensic & Dispute Services practice<strong>of</strong> Deloitte Financial Advisory ServicesLLP. He also serves as an AssistantEditor for <strong>Compliance</strong> & Ethics. Heconducted the following interview inOctober 2005 with <strong>John</strong> W. <strong>Dienhart</strong>,the Frank Shrontz Chair for BusinessEthics <strong>and</strong> Pr<strong>of</strong>essor <strong>of</strong> Management atSeattle University; Director <strong>of</strong> theNorthwest Ethics Network, an independentgroup <strong>of</strong> ethics <strong>and</strong> compliance<strong>of</strong>ficers from the business, non-pr<strong>of</strong>it<strong>and</strong> governmental sectors; Director <strong>of</strong>the Albers Business Ethics Initiative, athree year program to promote ethics inorganizations: <strong>and</strong> a Fellow <strong>of</strong> the EthicsResource Center in Washington, D.C.He consults with <strong>and</strong> does ethics trainingfor Costco, Holl<strong>and</strong> America Line,Micros<strong>of</strong>t, Washington Dental Service,<strong>and</strong> Washington Mutual.<strong>John</strong> <strong>Dienhart</strong> has a <strong>Ph</strong>.D. in<strong>Ph</strong>ilosophy from the University <strong>of</strong>Illinois at Urbana. He is a past President<strong>of</strong> the <strong>Society</strong> for Business Ethics. The<strong>Society</strong> is an international group <strong>of</strong>philosophers, economists, legal theorists,<strong>and</strong> business people devoted to the study<strong>and</strong> communication <strong>of</strong> business ethics<strong>and</strong> its role in leadership.<strong>John</strong> <strong>Dienhart</strong>'s comments on businessethics have appeared in newspapersacross the country, including The NewYork Times, The Washington Post, TheLA Times, The Puget Sound BusinessJournal, The Seattle Times, <strong>and</strong> TheSeattle PI. He has worked in the area <strong>of</strong>business ethics since 1980. He has publishedfour books, several articles, <strong>and</strong>made many presentations on ethics,leadership, <strong>and</strong> integrity in business.JT: Please describe your background<strong>and</strong> your current role.JD: I hold the Frank Shrontz Chair forPr<strong>of</strong>essional Ethics at Seattle University. Ispend half my time teaching. The rest <strong>of</strong>the time I spend on research <strong>and</strong> workingwith the business community. Idirect the Northwest Ethics Network,which has quarterly meetings for ethics<strong>of</strong>ficers in this region. I also direct theAlbers Business Ethics Initiative, whichbrings cutting edge research on organizationalethics to business people in thearea. Finally, I consult with companies tohelp them design <strong>and</strong> deliver effectiveethics training.I received my <strong>Ph</strong>.D. in philosophy fromthe University <strong>of</strong> Illinois in 1979. Iaccepted a position in the philosophydepartment at St. Cloud State in thatsame year, <strong>and</strong> in 1980 I was recruitedto teach business <strong>and</strong> society for thebusiness school there. That was my firstexposure to business ethics. The firstbusiness ethics lecture I heard was onethat I gave. I have learned a lot sincethen, <strong>and</strong> have been working in the areafor over 25 years.JT: How has your background <strong>and</strong>experience contributed to your ability tosucceed in your current position?JD: The work I did as a <strong>Ph</strong>.D. studentwas enormously helpful, since Ifocused on empirical research on howwe acquire <strong>and</strong> change our ethicalbeliefs. This empirical research showsthree things: (1) People develop ethicalvalues according to a rational pattern;(2) Ethics classes <strong>and</strong> training can bedesigned in ways that encourage thisDecember 200522<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

development; (3) There are shared valuesacross cultures that are otherwise verydiverse. Equally important was the rigorousphilosophical <strong>and</strong> normativeapproach to ethics that was st<strong>and</strong>ard atthe University <strong>of</strong> Illinois. I examined<strong>and</strong> critiqued all major ethical approaches,<strong>and</strong> came to underst<strong>and</strong> the value <strong>of</strong>having a "big picture" <strong>of</strong> the ethicall<strong>and</strong>scape. Finally, I learned early in mycareer to integrate empirical <strong>and</strong> normativeapproaches to ethics: this is necessaryfor business ethics to be relevant.There is another part <strong>of</strong> my backgroundthat is important. My father came froman upper middle- class German pr<strong>of</strong>essionalfamily, my mother from a working-classIrish family. What I learnedfrom them was that both sides have astory to tell, <strong>and</strong> both make mistakes.Keeping this in my mind has kept mebalanced, <strong>and</strong>, I think, contributed tomy effectiveness.JT: What are some <strong>of</strong> the mostimportant issues that face the fields <strong>of</strong>organizational compliance <strong>and</strong> corporategovernance?JD: Several things come to mind.One <strong>of</strong> the most important issues iswhether we should use ethics <strong>and</strong> complianceapproaches to promoting appropriatebusiness conduct. Each side hasimportant things to say. Ethical valuescan motivate people to do their verybest, but they are vague <strong>and</strong> hard toenforce. <strong>Compliance</strong> deals with enforceablerules, but no one can remember allthe rules or has the time to look themup. I believe this conflict arises becauseeach side defines itself too narrowly.Ethics approaches need to be connectedwith compliance approaches. Linkingthem clearly <strong>and</strong> intentionally for allmembers <strong>of</strong> the organization can be veryeffective in promoting good businessbehavior. In my consulting experience<strong>and</strong> research, I find very few companieseffectively link ethics <strong>and</strong> compliance.<strong>Corporate</strong> culture, or what is sometimescalled the control environment, is anothervery important issue. This is really aleadership issue <strong>and</strong> it starts with theboard <strong>and</strong> the CEO. When managers<strong>and</strong> employees face difficult situations, amajority <strong>of</strong> them will be strongly motivatedto do what the leadership does,not what the leadership has inspiredthem or trained them to do.Leadership can't fake it <strong>and</strong> be effective. Ifa company does not have leadership withintegrity, it needs a new managementteam. Of course, leadership has to pushthese values down <strong>and</strong> out in the organization,<strong>and</strong> even into the supply chain.This means using ethics <strong>and</strong> complianceas important parts <strong>of</strong> the review <strong>and</strong> promotionprocess. Don't promote peoplewho violate the company's st<strong>and</strong>ards.Let me finish with three smaller issues.(1) I don't think many companies do agood job training people when to usethe hotline or helpline. I find manyemployees who think they should callonly if they have irrefutable evidence <strong>of</strong>a violation. Also, many do not knowthey can call with questions. Finally,many do not underst<strong>and</strong> the differencebetween anonymous <strong>and</strong> confidentialreporting. This impedes reporting. (2)Employees in a company need to knowthe results <strong>of</strong> ethics <strong>and</strong> compliancecomplaints <strong>and</strong> investigations. Thesemust be scrubbed, <strong>and</strong> certainly not allcases should be made public. (3)Companies need to reward employeesJOSÉ A. TABUENAwho have shown exemplary behavior indifficult circumstances.JT: What trends are you seeing internationally;for instance, the tensionsbetween the European privacy lawsversus Sarbanes-Oxley? Will globalst<strong>and</strong>ards, such as those proposed by theOpen <strong>Compliance</strong> <strong>and</strong> Ethics Group<strong>and</strong> the Ethics Officers Associations,solve these problems?JD: The conflict between Europeanprivacy laws <strong>and</strong> Sarbanes-Oxley reportingrequirements illustrates how difficultit will be to develop global st<strong>and</strong>ards atthe level <strong>of</strong> specific rules. Business is part<strong>of</strong> the very fabric <strong>of</strong> a culture, <strong>and</strong> specificrules, like reporting fellow employees,can easily violate cherished <strong>and</strong> sensiblecultural norms. However, severalresearch projects have shown that culturesagree more on principles, such asfairness <strong>and</strong> general duties to shareholders<strong>and</strong> other stakeholders. If there aregoing to be global st<strong>and</strong>ards, they willbe general, like the seven criteria foreffective programs in the FederalSentencing Guidelines. This would allowfor adaptation to industry, size, culture<strong>and</strong> other specifics. Note well, however,that these principles must be backed upContinued on page 24<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200523

<strong>Meet</strong> <strong>John</strong> <strong>Dienhart</strong>... continued from page 23with rules, rewards, <strong>and</strong> punishment.There are still two sticking points. Localgovernments would need to endorse <strong>and</strong>enforce these st<strong>and</strong>ards <strong>and</strong> rules.Second, it is not clear what type <strong>of</strong>organization should be the primarysponsor <strong>of</strong> these st<strong>and</strong>ards.JT: What is your view <strong>of</strong> the certificationsbeing developed by the SCCE <strong>and</strong>existing in AustraliaJD: As business conduct programsgrow in size <strong>and</strong> influence, it makessense to ask about the qualifications forthose working in these programs. As forcertification, it depends on the criteria.If you mean a test that takes a few daysor weeks to prepare for, that can be useful.Part <strong>of</strong> a business conduct programis to know the rules, regulations, <strong>and</strong>other nuts <strong>and</strong> bolts that make up theseprograms.But there are other things that businessconduct <strong>of</strong>ficers do. Nancy Higgins,EVP for Ethics <strong>and</strong> Business Conduct atMCI, sits at the big table when strategyis being discussed. She is also responsiblefor designing <strong>and</strong> monitoring a programto change the culture <strong>of</strong> the formerWorldCom. She has done a fantastic jobbecause <strong>of</strong> her corporate <strong>and</strong> legal experience.I am also a Fellow <strong>of</strong> the EthicsResources Center. We are approachingthis issue by asking whether businessconduct <strong>of</strong>ficers should be thought <strong>of</strong> aspr<strong>of</strong>essionals who have duties to <strong>and</strong>beyond the corporate entity. Think <strong>of</strong>the new duty <strong>of</strong> a general counsel tomake a "noisy withdrawal" in certaincircumstances.Both the certificate <strong>and</strong> the pr<strong>of</strong>essionalapproach have merit. Consider therevamped program at Boeing. BonnieSoodik is the Executive Vice President <strong>of</strong>Internal Governance. Four areas report toher: Internal Auditing, Export/Import,<strong>Compliance</strong>, <strong>and</strong> Business Ethics <strong>and</strong>Conduct. The Business Ethics <strong>and</strong>Conduct group, headed by Martha Reis,includes the directors <strong>of</strong> ethics at the variousbusiness units, plus some functionalareas like training. The directors <strong>of</strong> ethicsat the business units have staff that,among other things, evaluate helplinecalls, do training, <strong>and</strong> talk with managersabout integrating ethics into their managerialsystems. Certification is appropriatefor some <strong>of</strong> these areas, <strong>and</strong> not others.The higher up you go in the chain <strong>of</strong>comm<strong>and</strong>, business conduct <strong>of</strong>ficersneed to know how organizations work,<strong>and</strong> how they fail. There is a great deal<strong>of</strong> research on this that continues as wespeak. At this point, I think the idealsolution is to create MBA, JD, or otherpr<strong>of</strong>essional degrees that have an emphasison organizational ethics. For thosealready in the business conduct programs,continuing education, includingcertificate programs, would be appropriate,especially for those new to the area.JT: Why did you become involvedwith SCCE?JD: I had the good fortune to meetOdell Guyton at a Northwest Ethics<strong>Meet</strong>ing. Odell asked me to help withthe initial SCCE conference (as an <strong>of</strong>fshoot<strong>of</strong> the Health Care <strong>Compliance</strong>Association at the time) at Micros<strong>of</strong>t. Ithas been a great relationship.JT: Any parting advice for ethics <strong>and</strong>compliance <strong>of</strong>ficers?JD: Not advice, but a word <strong>of</strong> encouragement.Keep the faith. You are playinga vital role in changing business for thebetter. I know you have setbacks thatmake it difficult to stay the course. I feelthe same way, at times. But one day, Ithought about those writers <strong>and</strong> thinkerscenturies earlier, who were advocatingthat representative democracy shouldreplace autocratic governments. Withoutthose bold spirits, we would not have thedemocracies we have today. The workthat ethics <strong>and</strong> compliance <strong>of</strong>ficers aredoing now will pay <strong>of</strong>f, <strong>and</strong> the lives <strong>of</strong>many, many people will be better for it. ■One <strong>of</strong> the most importantcomponents <strong>of</strong> recruiting acompliance <strong>and</strong> ethics pr<strong>of</strong>essionalfor your organization is awell-written <strong>and</strong> descriptive job ad.At SCCE we received severalrequests from members to help withjob descriptions. And we have goodnews: for your reference, SCCE hasadded a diversified selection <strong>of</strong> compliance<strong>and</strong> ethics job descriptionsto the new Career Opportunitiessection on our Web site.Visit www.corporatecompliance.org<strong>and</strong> click on “Careers” in the menuon the left, then click on the link formore information about posting aclassified listing.December 200524<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200525

Become a member today!NEED TO DISCUSS DIFFICULTCOMPLIANCE ISSUES?SCCE can help! As an SCCEmember you’ll have access totop-level insights <strong>and</strong> workingsolutions. <strong>Meet</strong>ings, conferences<strong>and</strong> the SCCE MembershipDirectory all afford you valuableopportunities to discussdifficult issues like...St<strong>and</strong>ards <strong>of</strong> ConductSarbanes-Oxley<strong>Compliance</strong> Program Design<strong>Compliance</strong> ResourcesProtection from Fraud <strong>and</strong> AbuseBenchmarking ToolsBest Practices ForumJob DescriptionsIntegrating S<strong>of</strong>tware SolutionsSelf AssessmentsTraining Programs<strong>Compliance</strong> AuditsThe SCCE is the only non-pr<strong>of</strong>itorganization solely dedicatedto improving corporate compliance.Who Joins SCCE? Executives, managers, <strong>of</strong>ficers, <strong>and</strong> directors <strong>of</strong> corporations,institutions, government agencies, individual <strong>and</strong> group providers, <strong>and</strong> entrepreneurs,in all segments <strong>of</strong> the corporate industry!<strong>Corporate</strong> compliance includes numerous issues such as ethics, education <strong>and</strong> training,Sarbanes-Oxley, SEC, auditing <strong>and</strong> monitoring procedures, investigations,enforcement, <strong>and</strong> due diligence to prevent <strong>and</strong> detect violations <strong>of</strong> law.You may already have a strong compliance program in place, but changing timesdem<strong>and</strong> more. Would you like to join in developing a culture that says, “Let’s do itright!” Here’s your opportunity to exp<strong>and</strong> your pr<strong>of</strong>essional resource network <strong>and</strong>help your staff excel! Let SCCE membership help to move you <strong>and</strong> your organizationcloser to a total compliance spirit.A pro-compliance mindset is a must for all <strong>of</strong> usinvolved with corporate compliance.WELCOME TO OUR SOCIETY!The SCCE Web site <strong>of</strong>fers an onlinemembership directory <strong>and</strong> specialinterestforum to facilitate networking!

MEMBERSHIPSERVICES INCLUDEEDUCATIONALPROGRAMSPROFESSIONALNETWORK-COMPLIANCE FOCUS GROUPSNEWSLETTERSAND MEMBERUPDATESMake <strong>Compliance</strong> Part <strong>of</strong>Your <strong>Corporate</strong> Culture!Membership ApplicationYes! Please accept my application for SCCE Membership!" Individual Membership ($250)" Multiple Employee Membership ($200/ea.)(4 or more employees from same company)" <strong>Corporate</strong> Membership ($1,500)" Government, Academic, <strong>and</strong> Student ($150)INTERACTIVE WEB SITEWWW.CORPORATECOMPLIANCE.ORGANNUAL NATIONALCONFERENCECOMPLIANCEWORKSHOPSPlease type or print:FIRST NAMEDEGREE(S) / LICENSE(S)TITLE(S)COMPANY / INSTITUTIONTOTAL:LAST NAMECOOPERATIVEPROGRAMS...WITH OTHER NATIONALORGANIZATIONSMEMBERDISCOUNTS...AND MORE!SCCE’S MISSIONSCCE exists to championethical practice <strong>and</strong> compliancest<strong>and</strong>ards in the corporatecommunity <strong>and</strong> to providethe necessary resources forcompliance pr<strong>of</strong>essionals<strong>and</strong> others who share theseprinciples.MAJOR FUNCTIONS• To promote qualitycompliance programs<strong>and</strong> to introduce <strong>and</strong>maintain them• To provide a forumfor interaction <strong>and</strong>information exchange• To enable our membersto contribute to thedevelopment <strong>of</strong> industryst<strong>and</strong>ards <strong>and</strong> excellencein compliance programs• To create vital <strong>and</strong> timelyeducational opportunitiesfor the rapidly changingcorporate complianceindustryDEPARTMENTMAILING ADDRESSCITY STATE ZIPTELEPHONE ( )FAX ( )E-MAIL ADDRESSPAYMENT INFORMATION: " Check enclosed Charge my credit card: " MasterCard " VISAACCOUNT NO.NAME ON CARDSIGNATURE EXP. DATE /Please make your check payable to SCCE.Fax your order form (credit card orders only): (952) 988-0146.Send your order form to:<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics5780 Lincoln DriveSuite 120Minneapolis, MN 55436For information call (888) 277-4977 or e-mail info@corporatecompliance.orgFederal Tax ID: 23-2882664Prices subject to change without notice.December 200527

Editor’s Note: José A. Tabuena is withthe Forensic & Dispute Services practice<strong>of</strong> Deloitte Financial Advisory ServicesLLP. Mr. Tabuena previously served as a<strong>Compliance</strong> Officer <strong>and</strong> has implemented<strong>and</strong> managed internal reportingmechanisms in the healthcare industry.The attached case story is a short<strong>and</strong> specific account <strong>of</strong> the use<strong>of</strong> a whistle-blower helpline inworking against corruption within anorganization.BackgroundThis case description involves a largepublicly traded health benefits companyin the United States that provides arange <strong>of</strong> medical <strong>and</strong> speciality products,including network-based health careservices. The company <strong>of</strong>fers varioushealth plans, pharmacy, life, <strong>and</strong>disability benefits in over 10 states.The ProblemThe company had a large InformationTechnology (IT) department that tendedto be viewed as a separate part <strong>of</strong> theorganization. As a result, they were <strong>of</strong>tenoverlooked when it came time to communicate<strong>and</strong> promote company-wideinitiatives. The IT department was alsosuffering from poor morale <strong>and</strong> frequentturnover <strong>of</strong> programming staff.by José A. TabuenaA compliance <strong>and</strong> ethics program,including a telephone helpline had beenin place for approximately two years. Abroad range <strong>of</strong> issues were reportedthrough the helpline, including allegations<strong>of</strong> regulatory violations <strong>and</strong>employee misconduct. Feedback fromemployees regarding the helpline wasgenerally positive with a percentage <strong>of</strong>callers (approximately 15%) using themechanism to seek guidance.The helpline was active, <strong>and</strong> averaged avolume <strong>of</strong> 1.5% calls per 1000 employeesper year since inception – however, itwas observed by the compliance departmentthat the IT department was theonly segment <strong>of</strong> the organization thatdid not have a single employee make areport or seek guidance through thehelpline. The compliance departmentthen realized that while all companyregions provided basic training on thecompliance <strong>and</strong> ethics program, regionalcompliance <strong>of</strong>ficers did not include ITstaff as “regional” employees. Similarly,the corporate units did not include IT intheir compliance training.The Drivers <strong>of</strong> Change, Key Players, <strong>and</strong>Trigger Stakeholder GroupThe compliance <strong>of</strong>ficer determined that acompliance liaison needed to be formallydesignated for the IT function. This liaisonwould be responsible for ensuringimplementation <strong>of</strong> core compliance <strong>and</strong>ethics program activities for the department.A new Chief Information Officerhad recently been hired who was supportive<strong>of</strong> the ethics <strong>and</strong> compliance program.As a result, IT employees finally beganreceiving basic training <strong>and</strong> communicationsregarding the company helpline. Thestakeholders most responsible for bringingpressure to bear in addressing the problemJOSÉ A. TABUENAwere the IT department employees.What HappenedAs training to IT employees becameimplemented across the organization,the usual initial surge <strong>of</strong> calls startedcoming to the helpline. The compliance<strong>and</strong> ethics department observed thatcalls coming from IT employees concernedthe following major issues:■ Questions regarding conflict <strong>of</strong> interests<strong>and</strong> hiring <strong>of</strong> family members■ Allegations that certain managers(Director-level <strong>and</strong> above) weremanipulating certain metrics tomaximize their annual bonusOutcomes <strong>and</strong> Impacts: The IssuesConflicts <strong>of</strong> InterestUpon evaluating questions regardingconflicts <strong>of</strong> interest <strong>and</strong> the hiring <strong>of</strong>family members, the compliance <strong>and</strong>ethics staff learned there was a widespreadperception <strong>of</strong> favoritism <strong>and</strong>inappropriate reporting relations in theIT department. A review was conductedwith the support <strong>of</strong> human resources(HR) that included questioning all ITmanagers about their direct reports <strong>and</strong>employees <strong>of</strong> their unit. It was determinedthat there was one instance <strong>of</strong> aDecember 200528<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

family member (brother-in-law) to amanager, who was hired, but that persondid not report to the manager <strong>and</strong> wasin a different section <strong>of</strong> the IT organization.Still, managers occasionally wouldrefer a friend or family member toanother manager, <strong>and</strong> employeesbelieved the referring managers exertedinfluence in the hiring process.Because <strong>of</strong> the misperceptions, whichwere believed to be impacting morale, allthe IT managers received training onappropriate employment practices (hiring,performance reviews, discipline, <strong>and</strong>retention). Communications were alsodelivered to all IT employees explainingpolicies <strong>and</strong> practices regarding the hiring<strong>of</strong> family members.Follow-up with callers to the helplinewas conducted (most <strong>of</strong> these callerswere not anonymous but confidentiality<strong>of</strong> their identity was maintained). Thecallers stated that work environment inthe IT department had noticeablyimproved. They also expressed gratitudethat their questions were answered <strong>and</strong>that the issue was addressed. The callersfelt their concerns were taken seriouslywhen they saw the communications onhiring practices <strong>and</strong> upon having discussionswith managers during staff meetings.Staff retention started improving inthe department.Manipulation <strong>of</strong> Data ImpactingIncentive CompensationEfforts were made to get more detail onthese allegations from an anonymouscaller. The HR leader responsible forincentive compensation noted that thesame allegation was made by an anonymousletter the prior year, but it was difficultto investigate the matter due tolimited information. For instance, therewere over 10 managers with varyingcompensation factors who could potentiallyfall under the allegations. Further,the data sources on which some <strong>of</strong> themetrics were based were not centrallymaintained <strong>and</strong> controls were loose. Acomprehensive investigation would havebeen difficult <strong>and</strong> time intensive.Through the telephone mechanism,ethics <strong>and</strong> compliance staff were able toobtain more information from thecallers thus isolating the metrics <strong>and</strong>impacted individuals in question. It wasdetermined that the bonuses <strong>of</strong> a selectfew IT managers were indeed influencedby the data source in question, whichwas controlled by a non-manager withminimal oversight <strong>and</strong> controls.Following interviews with the keyindividual <strong>and</strong> review <strong>of</strong> the data file(including forensic analysis), it wasdetermined that one IT manager hadmisrepresented information provided tothe staff person maintaining the data.Notably, this staff person also reportedto this manager. As a result, the ITmanager’s bonus compensation wasinflated.The IT manager was subsequently terminated.The compliance <strong>and</strong> ethicsdepartment also worked with HR toreview all bonus compensation arrangementsto assess appropriateness <strong>and</strong>potential for data manipulation.Performance incentives were adjusted<strong>and</strong> stricter controls on pertinent datafiles were implemented. The board <strong>and</strong>senior leadership began consideringlinking ethics <strong>and</strong> compliance orientedconduct <strong>and</strong> measures to bonus compensation<strong>and</strong> other company incentives.Conclusion: Success in theCorrection <strong>of</strong> FailuresThis case story provides support for severalbasic tenets <strong>of</strong> an effective ethics<strong>and</strong> compliance helpline in uncovering,investigating, <strong>and</strong> mitigating corruption.First, a helpline is <strong>of</strong> no value if theworkforce is not aware <strong>of</strong> it. Although ahelpline was in place, it became apparentthat a segment <strong>of</strong> the company had notbeen informed. And it was hotline datathat revealed this gap. By reviewing datasegmented by region, department, incidentclassification, etc., it became obviousin comparison to the rest <strong>of</strong> theorganization that the IT department hadnot used the helpline.Once the IT department became part <strong>of</strong>the helpline communication plan, theybegan to call the helpline. Fortunately,promotion <strong>of</strong> the helpline to IT staffwas not done in isolation. The ethics<strong>and</strong> compliance <strong>of</strong>fice obtained supportfrom the CIO for designating anaccountable liaison within the IT function.The support <strong>of</strong> department leadershiplikely influenced the success <strong>of</strong> thetraining <strong>and</strong> communications deliveredby the ethics <strong>and</strong> compliance staff.Awareness <strong>of</strong> the helpline is not sufficientto ensure success. The companymade sure that issues <strong>and</strong> allegationswere addressed <strong>and</strong> investigated, asneeded. During assessment work we’vedone with Fortune 500 companies,employees who choose not to reportwrongdoing indicate a belief that nothingwill be done anyway, so why take therisk? Employees also cite fear <strong>of</strong> retaliationas a reason for not reporting.Continued on page 36<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200529

y José A. Tabuena <strong>and</strong> Christopher MondiniEditor’s Note: José A. Tabuena is a Oxley (“SOX”) Section 301 whistleblowercomplaint procedures. 1 ThisManager with the Forensic & DisputeServices practice <strong>of</strong> Deloitte Financial included selection <strong>and</strong> design <strong>of</strong> appropriatereporting mechanisms, classifyingAdvisory Services LLP, <strong>and</strong> focuses oncomplex litigation, fraud risk management,<strong>and</strong> fraud <strong>and</strong> abuse investiga-committee, <strong>and</strong> case management <strong>and</strong><strong>and</strong> routing complaints to the audittions. He has considerable experience in investigation <strong>of</strong> complaints.designing, implementing, <strong>and</strong> assessingcorporate compliance <strong>and</strong> antifraud programs.He previously served as a compliance hotlines (or, as they areYet, prior to Sarbanes-Oxley, ethics <strong>and</strong><strong>Compliance</strong> Officer <strong>and</strong> has implemented<strong>and</strong> managed internal reporting emerged as the core mechanism forincreasingly labeled, “helplines” 2 ) hadmechanisms, including oversight over managing reports <strong>of</strong> misconduct <strong>and</strong>external helpline vendors.related internal complaints. TheAssociation <strong>of</strong> Certified FraudChristopher Mondini is a Senior Examiners continues to demonstrate, inManger with Deloitte’s Forensic & its annual Report to the Nation, that theDispute Services practice, assisting use <strong>of</strong> anonymous reporting mechanismsclients involved in international contract <strong>and</strong> tips remains the most frequentdisputes, fraud investigations, <strong>and</strong> regulatorycompliance matters. For the past fraud. 3 Recent amendments to themethod for identifying <strong>and</strong> uncoveringtwo years, he has coordinated service Federal Sentencing Guidelines (“FSG”)development for "Tip-<strong>of</strong>fs Anonymous," reaffirm the importance <strong>of</strong> such mechanismsas an essential component <strong>of</strong> ana whistle-blower helpline solution<strong>of</strong>fered in a number <strong>of</strong> overseas Deloitte anti-fraud program because they havepractices. Before joining Deloitte, Chris proven to be one <strong>of</strong> the best methods forworked as a Foreign Service <strong>of</strong>ficer in identifying potential misconduct beforethe U.S. Department <strong>of</strong> State, <strong>and</strong> as a it poses a significant <strong>and</strong> public problem.Moreover, we are now starting tocargo insurance claims investigator.see the enforcement <strong>of</strong> the SOX §The views in this article are those <strong>of</strong> the 806—the section that protects whistleblowersfrom retribution—as the num-authors <strong>and</strong> do not necessarily representthe views <strong>of</strong> Deloitte Financial Advisory ber <strong>of</strong> complaints <strong>of</strong> retaliation is beginningto rise. 4Services LLP.Previously we described the In this article we discuss practiceschallenges <strong>of</strong> establishing <strong>and</strong> observed from our experience in assistingorganizations in implementing oroperationalizing an ethics <strong>and</strong>compliance hotline under the Sarbanes- assessing their reporting mechanism, asJOSÉ A. TABUENAwell as in supporting internal investigationsresulting from complaints submittedto a helpline. What have organizations,which have managed an ethics <strong>and</strong>compliance hotline, learned from theirexperience? What are some <strong>of</strong> the features<strong>of</strong> what can be considered an“effective” reporting mechanism? Howcan the effectiveness <strong>of</strong> a whistle-blowerreporting mechanism be assessed?Assessment <strong>of</strong> ExistingComplaint ProceduresCompanies have long provided employees,customers, <strong>and</strong> vendors with variouschannels to report concerns <strong>and</strong> toraise questions. For example, employeescould drop a note in a suggestion box,or send a letter/e-mail to the CEOabout suspected fraud. Although suchchannels have historically existed,whether they were understood, userfriendly,or otherwise effective wasn’talways considered.The essential requirements <strong>of</strong> a whistleblowercomplaint procedure underSarbanes-Oxley § 301 reflect the basicfeatures <strong>of</strong> a well-designed reportingmechanism, including:■ The receipt, retention, <strong>and</strong> h<strong>and</strong>ling<strong>of</strong> complaintsDecember 200530<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

CHRISTOPHER MONDINI■ The ability for confidential <strong>and</strong>anonymous submission by employees■ Formal procedures for h<strong>and</strong>linginternal employee complaints as wellas external complaints■ Prohibitions on retaliating againstanyone providing a good faithcomplaint or reportResearch <strong>and</strong> organizational experiencehave identified additional key features <strong>of</strong>an effective ethics <strong>and</strong> compliancehelpline. For instance, organizationalstudies have shown that employees willnot trust or use a reporting systemunless certain features are in place. 5A good first step in assessing the effectiveness<strong>of</strong> existing processes is to determineif they contain a number <strong>of</strong> fundamentalfeatures. Consider: how are concerns <strong>of</strong>potential wrongdoing currently reportedin the organization? Do employees trust<strong>and</strong> actually use existing mechanisms? Inparticular, how are accounting <strong>and</strong> auditconcerns currently raised <strong>and</strong> h<strong>and</strong>led?Can employees report anonymously <strong>and</strong>confidentially? How are significant mattersreported to the board <strong>of</strong> directors?Regardless <strong>of</strong> the complaint procedurebeing used, organizations with a maturecompliance <strong>and</strong> ethics program stillencourage employees to utilize st<strong>and</strong>ardprotocols, such as reporting to an immediatesupervisor or higher level <strong>of</strong>authority, to human resources, or directlyto another company function, such asinternal audit or compliance. The availability<strong>of</strong> a hotline mechanism becomescritical when anonymity <strong>and</strong> confidentialityare <strong>of</strong> concern, or when more traditionalavenues have been exhaustedwithout the issue being resolved.Typically, hotlines are not designed tosupplant the normal chain <strong>of</strong> comm<strong>and</strong>,but to provide an alternative venuewhen the normal channels <strong>of</strong> communicationare ineffective or impracticalunder the circumstances.A well-designed hotline can encouragethe reporting <strong>of</strong> certain types <strong>of</strong> issues<strong>and</strong> concerns. The nature <strong>of</strong> hotline callscan include, but are not limited to:■ Concerns regarding questionablebusiness practices or plans■ Warnings about particular risk areasgoing unchecked■ Questions about what company policyor the law permits or requiresunder certain circumstances■ Allegations <strong>of</strong> fraud or misconductOur clients <strong>of</strong>ten say the volume <strong>of</strong>reports to a helpline depends not just onawareness, but on how well employeesunderst<strong>and</strong> the goals <strong>and</strong> objectives <strong>of</strong>the reporting system. Without clearcommunication about the purpose <strong>of</strong>the hotline, an internal reporting mechanismmay find itself having to addressissues better h<strong>and</strong>led by other means.Establishing an Effective“Helpline” SystemFollowing assessment <strong>of</strong> existing processes,an organization can better design areporting mechanism, <strong>and</strong> identifyopportunities for process improvements.What’s in a Name?Now let’s focus on the importance <strong>of</strong> amultifaceted effort to promote ethical<strong>and</strong> compliant behavior in an organization<strong>and</strong>, in particular, the need to continuallycommunicate the existence <strong>of</strong>the reporting mechanism <strong>and</strong> informationregarding the company’s code <strong>of</strong>conduct <strong>and</strong> available resources foremployees facing ethical dilemmas.Accordingly, many companies haveestablished a whistle-blower reportingmechanism as part <strong>of</strong> a broader push forethics <strong>and</strong> compliance awareness.Establishing an “Ethics Helpline” createsa go-to information source that canserve as both a reference point <strong>and</strong> aplace to report problems. The helpline(versus “hotline”) label, along with suchrequirements as ethics training for allemployees <strong>and</strong> individual certification—statements <strong>of</strong> having read <strong>and</strong> understood—thecode <strong>of</strong> conduct <strong>of</strong> an organization,help to de-stigmatize the reportingmechanism <strong>and</strong> diffuse any lingeringdiscomfort or negative feelings the term“whistle-blower hotline” might engenderamong employees.One System or Many?An initial consideration is whether separateprocesses for Sarbanes-Oxley § 301concerns or other categories <strong>of</strong> issues, orfor different types <strong>of</strong> complainants (e.g.,employees versus customers), are needed.A mechanism specific to potentialaccounting <strong>and</strong> auditing complaints mayprove efficient <strong>and</strong> may also assist inaddressing such complaints moreappropriately.<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgContinued on page 37December 200531

Editor’s Note: Alan Pierce is the editor<strong>and</strong> product manager for the <strong>Society</strong> <strong>of</strong><strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics. Mr.Pierce spent much <strong>of</strong> his career as anewspaper reporter <strong>and</strong> editor in Iowa<strong>and</strong> Minnesota, where he covered localgovernment <strong>and</strong> law enforcement. Afterworking at newspapers, he earned amaster's degree in English from theUniversity <strong>of</strong> St. Thomas in St. Paul,Minnesota.Virtue might be its own reward,but an ethical culture can befinancially rewarding.A strong ethical culture <strong>of</strong>fers this <strong>and</strong>other benefits, according to Ron James,president <strong>and</strong> CEO <strong>of</strong> the Center forEthical Business Cultures. James deliveredthe presentation “Checking thePulse <strong>of</strong> Integrity in Your Organization”at the <strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong><strong>and</strong> Ethic’s fourth annual conference inChicago.by Alan PierceInstead, there’s another incentive to developan ethical culture. That reason is thebottom line. Simply put, James said,organizations that maintain ethical culturesoutperform organizations that don’t.By ethical culture, James means culturesbased on integrity, what he calls “oldfashionedhonesty.” Moreover, ethicalcultures aren’t content to choose rightactions over wrong ones. James said ethicalcultures “reach for higher st<strong>and</strong>ards<strong>of</strong> right.”So what is the evidence that having anethical culture gives organizations anALAN PIERCEadvantage? James referred to a HarvardUniversity study that analyzed morethan 200 corporations from 1977–1988.One group <strong>of</strong> corporations was dedicatedto an ethical culture, while the secondgroup mainly served the interests <strong>of</strong>investors. A comparison between thetwo groups showed that the revenue <strong>of</strong>James cited the Enron collapse <strong>and</strong> othersc<strong>and</strong>als to demonstrate themes <strong>of</strong> ethicalfailures in corporate culture. He blamedthese corporate abuses on a “culture <strong>of</strong>greed allowed to run rampant in organizations.”Many corporations also haveexperienced a breakdown in governance.Congress <strong>and</strong> the courts can’t entirelyfix the problem. “You can’t legislate orlitigate your way to an ethical culture,”James said.Ron James discusses the value <strong>of</strong> an ethical culture in business.December 200532<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

Attendees share ideas during the SCCE’s fourth annual conference in Chicago.the first group grew by 682%. The othergroup’s revenue grew by 166%.Surveys reveal that corporations with anethical culture enjoy certain advantagesin the workplace. Teamwork is strongerat organizations with an ethical culture,<strong>and</strong> employees believe these organizations<strong>of</strong>fer more opportunities forgrowth. It’s no wonder that corporationswith an ethical culture excel at retainingtalented employees.Having an ethical culture carries benefits,but achieving that culture calls forcommitment. Organizations must connect<strong>and</strong> align their mission, vision <strong>and</strong>values with ethics <strong>and</strong> compliance. Inaddition, all levels <strong>of</strong> the organizationfrom the governing authority to frontlineemployees must be trained <strong>and</strong> educatedin cultural ethics.Leadership is also paramount to establishingan ethical culture in an organization.“Leaders have to be sharp on settingthe example day in <strong>and</strong> day out,”James said.Setting the example calls for more thanexpressing support for an ethical culture.Executives must foster an ethical culturewith actions. James warned againsthypocrisy when it comes to an ethicalculture. Employees notice whichcoworkers receive promotions <strong>and</strong> theyobserve leaders. And if an organization issincere about an ethical culture, then theorganization should be stronger—<strong>and</strong>more lucrative—for it. ■Subscribe to eCCNeCCN is SCCE’s electronic<strong>Corporate</strong> <strong>Compliance</strong> Newsletter:the only newsletter devoted to<strong>Corporate</strong> <strong>Compliance</strong>. Keep upon the latest compliance news,regulation announcments, caseprogress, <strong>and</strong> court decisions.Subscribe today—visit:www.corporatecompliance.orgIt’s FREE!<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200533

y Alan PierceEditor’ Note: Alan Pierce is the editor<strong>and</strong> product manager for the <strong>Society</strong> <strong>of</strong><strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics. Mr.Pierce spent much <strong>of</strong> his career as anewspaper reporter <strong>and</strong> editor in Iowa<strong>and</strong> Minnesota, where he covered localgovernment <strong>and</strong> law enforcement. Afterworking at newspapers, he earned a master'sdegree in English from theUniversity <strong>of</strong> St. Thomas in St. Paul,Minnesota.Risk assessment is an enigmato many business people.For one thing, it’s a new field<strong>and</strong> it is also <strong>of</strong>ten confused with riskmanagement.For Alex Brigham, the risk in risk assessmentis a straightforward matter. “Riskfor us is ‘What could go wrong?’” hesaid. And learning what could go wronghas become an important mission forbusinesses.At the <strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong><strong>and</strong> Ethic’s fourth annual conference inChicago, Brigham <strong>and</strong> Lisa Kuca clarifiedissues surrounding risk assessment in thepresentation “<strong>Compliance</strong>/Ethics ProgramRisk Assessment <strong>and</strong> Auditing —GettingStarted or Refining Methods.” Brigham ispresident <strong>of</strong> Corpedia, Inc., which <strong>of</strong>fersrisk assessment s<strong>of</strong>tware <strong>and</strong> complianceeLearning Services in partnership with thePractising Law Institute (PLI) as the jointPLI-Corpedia service. Kuca is director <strong>of</strong>corporate compliance at Holl<strong>and</strong> &Knight LLP.Brigham presented several reasons forassessing risks. One significant reason isthe federal sentencing guidelines. TheU.S. Sentencing Commission hasamended the guidelines to requireorganizations to identify areas <strong>of</strong> riskwhere criminal violations may occur.However, fear <strong>of</strong> legal consequences isnot the only reason to assess risk.Businesses may wish to evaluate risk inorder to reduce problems, to protect thereputation <strong>of</strong> the company br<strong>and</strong>, <strong>and</strong>to strengthen relationships with customers,suppliers <strong>and</strong> partners.In a follow-up discussion with SCCE,Brigham elaborated on the benefits <strong>of</strong>risk assessments. “A good risk assessmentallows companies to prioritize wherethey spend their compliance budgets<strong>and</strong> provides a roadmap for what needsto be done to improve the compliancefunction through incremental policies,processes <strong>and</strong> controls,” he said.Moreover, risk assessments can revealredundant or unnecessary processes.“Companies (<strong>and</strong> employees) actuallylike to be able to eliminate a process, asit frees up time <strong>and</strong> resources to be spentelsewhere, including on business pr<strong>of</strong>itgeneratingactivities,” Brigham said.Before beginning a risk assessment, it isimportant to underst<strong>and</strong> what it is not.Kuca <strong>of</strong>fered this advice: “Don’t startdoing internal investigations,” she said.“Define the mission before you getstarted.”Brigham added this warning: “You haveto have very good ground rules aboutdocumentation going in.”ALAN PIERCEBrigham exp<strong>and</strong>ed on this point in a follow-updiscussion, stating, “Ground rulesare important, as an improperly conductedrisk assessment can actually increaserisk, as opposed to reduce it, as collecteddata <strong>and</strong> opinions could be taken out <strong>of</strong>context <strong>and</strong> may not be protected underattorney-client privilege in the event <strong>of</strong> agovernment investigation into misconductthat might occur despite a corporation’sbest efforts.”The ground rules should answer thesequestions:■ What sort <strong>of</strong> risks are going to beexamined?■ How is the organization going tocollect information?■ What information will becommunicated back to employees<strong>and</strong> managers who participated ininterviews?■ How will the organization process<strong>and</strong> prioritize risks based on theinformation that is collected?■ Will the organization conduct the riskassessment in a manner that can preservethe rights <strong>of</strong> privilege?■ What will the organization do withthe raw information <strong>and</strong> opinionsthat are collected once the final riskassessment report is completed?December 200534<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

Business leaders considering a risk assessmentmight want to keep other recommendationsin mind. One recommendationis that risk assessments should beobjective. There are two principal waysfor corporations to achieve objectivity.They can bring in an independentdomain expert who does not have a stakein the assessment’s outcome. Anotheroption is that corporations can askindustry experts familiar with the organizationto participate in the assessment.A second way to attain objectivity is touse available industry benchmarks <strong>and</strong>databases such as the ECERA database.This database measures compliance programactivities <strong>and</strong> provides industryspecificrisks that are categorized <strong>and</strong>weighted by likelihood <strong>and</strong> severity.In addition, consider the audience forrisk assessments. Individuals <strong>and</strong> agenciesthat see assessments include thecompany’s general counsel, CEO <strong>and</strong>executive team, board <strong>of</strong> directors, U.S.Department <strong>of</strong> Justice <strong>and</strong> the Securities<strong>and</strong> Exchange Commission.At the SCCE’s fourth annual conference, Alex Brigham clarified many <strong>of</strong> the mysteries about riskassessments.in that specific area, the risk assessmentreport will be certain to come back tohaunt any organization in the legaldiscovery process that can grow out <strong>of</strong> agovernment investigation.” ■With that in mind, it is important thatrisk assessment doesn’t become a h<strong>and</strong>icap.Of course, one major risk is failureto do a risk assessment. But once a riskassessment is completed, it is crucial forthe organization to respond to problemsthat have been identified.“In this day <strong>and</strong> age,” Brigham said, “anygood risk assessment report will recommendthat you take remedial, modifying,or corrective action to reduce the likelihood<strong>of</strong> criminal conduct. If an organizationfails to follow such recommendationsto the extent that they are reasonable <strong>and</strong>not costly, <strong>and</strong> should misconduct occurMark Your Calendars!The dates are set for next year’s <strong>Compliance</strong> &Ethics Institute:SCCE 2006 <strong>Compliance</strong> & Ethics InstituteSeptember 11–13, 2006Chicago, IL<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200535

Whistle-blower “case study”...continued from page 29Here, the ethics <strong>and</strong> compliance <strong>of</strong>ficeestablished the credibility <strong>of</strong> the helplineas a resource to raise issues <strong>and</strong> reportmisconduct. The concern regardingnepotism <strong>and</strong> conflicts <strong>of</strong> interest wastaken seriously <strong>and</strong> although the situationdid not exist as thought, the reviewwent a long way to clear the air.Similarly, the investigation <strong>and</strong> dismissal<strong>of</strong> the manager who manipulated data toincrease bonus compensation sent amessage to the department that suchconduct would not be tolerated.Without the report by an anonymouscaller, it is highly unlikely this schemewould have been uncovered. And thetelephone mechanism enabled a degree<strong>of</strong> interactivity that supported a detailedinvestigation—which had not beenpossible by submission <strong>of</strong> an anonymousletter.Finally, it should be apparent that thehelpline, in addition to addressing theproblem <strong>of</strong> corruption, proved to be asuccessful management tool. Before thehelpline was utilized, the IT functionwas a hotbed <strong>of</strong> discontent <strong>and</strong> highturnover. Once underlying concernswere safely raised <strong>and</strong> addressed,employee satisfaction <strong>and</strong> retentionimproved. Clearly the helpline supporteda culture <strong>of</strong> compliance <strong>and</strong> ethicalbehavior in the workplace which,in turn, fostered satisfaction in theworkplace. ■Note: This case story was written in coordination with<strong>and</strong> approval <strong>of</strong> the company described. The nature <strong>of</strong> thetopic <strong>of</strong> fraud <strong>and</strong> corruption in companies is such that anumber <strong>of</strong> clients whom we approached opted not to participate.Happily, the situation described is illustrative <strong>of</strong>similar experiences with whistle-blower helplines in anumber <strong>of</strong> countries <strong>and</strong> among multinationalcorporations.Why do we have ethics training, anyway?...continued from page 17way things are done” is not always inaccord with stated company policy. Insuch environments, new employees—<strong>and</strong> even not-so-new employees—tendto wonder whether the company tacitlyapproves <strong>of</strong> ethical corner-cutting.It’s the company’s culture—whatemployees see <strong>and</strong> hear from thosearound them—that convinces employeesthat they’ll be supported for making thedifficult choice to do the right thing.Effective ethics <strong>and</strong> compliance trainingallows management to show that it isserious about company values <strong>and</strong>policies. Such training is thus a criticalelement in creating <strong>and</strong> maintaining aculture <strong>of</strong> ethics <strong>and</strong> compliance.Employees who learn <strong>of</strong> activity thatmakes them uncomfortable are <strong>of</strong>tenrelieved to find, through training, thatwhat is happening in their area is unacceptable–they’renot crazy after all! Suchpersons frequently find the courage, aftertraining, to report what is going on,enabling the problem to be fixed beforeit grows too large.Informing Employees About TheirResources. The worst thing that canbefall an employee who faces an ethicalcrisis is that he or she feels isolated, withnowhere to turn. A sense <strong>of</strong> isolation, infact, is a primary reason why employees“blow the whistle” outside the company—ordon’t speak up at all. It is thus <strong>of</strong>vital importance that, during ethics training,employees learn that they are notalone. Whether employees turn to amanager, the helpline, the law department,finance, human resources, globalsecurity, or elsewhere, the importantthing is that they know that they can <strong>and</strong>should turn somewhere. If employeescome out <strong>of</strong> ethics training with anunderst<strong>and</strong>ing that help is available, halfthe battle is won.Many employees have negative opinionsabout ethics <strong>and</strong> compliance trainingbecause they misunderst<strong>and</strong> its purpose.Such training is provided, not to teachemployees to be good people, but tohelp them do their jobs. Effective,engaging ethics <strong>and</strong> compliance trainingsupports <strong>and</strong> promotes the company’sdesired culture, <strong>and</strong> it gives employeesthe knowledge to go about their jobs inthe right way <strong>and</strong> the support to do so,even when it involves making difficultchoices.Ethics <strong>and</strong> compliance practitioners whotransmit this message find their employeesto be more receptive to the training.Also, by keeping in mind the true purposes<strong>of</strong> ethics <strong>and</strong> compliance training,practitioners are better situated to develop<strong>and</strong> deliver training that will ultimatelybe a success. ■Call for AuthorsSCCE seeks authors for upcoming issues<strong>of</strong> <strong>Compliance</strong> & Ethics. We welcomeall who wish to propose corporatecompliance–related topics <strong>and</strong> writearticles. Among the topics to consider are:the Sarbanes-Oxley Act, enterprise riskmanagement, corporate responsibility,corporate governance, pr<strong>of</strong>essional liability,audit accounting, legal industry reforms,ethically responsible corporate behaviors,<strong>and</strong> responsibility in organizations. Articleswhen the topic allows, should include“how-to” tips. Articles generally runbetween 1,250 <strong>and</strong> 2,500 words, but arenot limited to this.If you are interested in submitting articles,please contact Marlene Robinson at:marlene.robinson@corporatecompliance.org888-277-4977 (direct: 952-933-4977)December 200536<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

Effective ethics <strong>and</strong> compliance helplines ...continued from page 31However, there are also risks to havingmultiple complaint systems. Employees(or customers) may become confused asto where to report <strong>and</strong> will need to betrained to underst<strong>and</strong> which process touse depending on the concern beingraised. Staff h<strong>and</strong>ling the various mechanismswill similarly need training, <strong>and</strong>safeguards will be required for SOX mattersthat are reported through the wrongmechanism—a company is on notice<strong>and</strong> still needs to ensure the complaint isrouted to the audit committee <strong>and</strong> properlyinvestigated.We have observed that companies withmultiple reporting mechanisms <strong>of</strong>ten failto integrate or link the tracking <strong>of</strong> incidentscaptured in separate systems.Similar concerns received through differentreporting mechanisms may not becollectively identified <strong>and</strong> could be overlookedas a much larger issue. An organizationwith several reporting mechanismsshould consider developing a uniformsystem for capturing <strong>and</strong> tracking issuesthat are reported. At a minimum, reportsfrom multiple systems should passthrough a central clearinghouse wherethey can be logged <strong>and</strong> tracked, if aninvestigation is initiated, until resolution.Selecting the Type <strong>of</strong>Reporting MechanismEffective complaint procedures canincorporate a number <strong>of</strong> different channelsfor employees to use, with someproviding more interactivity or assurance<strong>of</strong> anonymity. For smaller companies,telephone hotlines <strong>and</strong> web-based submissionservices might be unnecessarilyformal or expensive. Such companiesmay choose to enlist confidential papersubmission boxes placed in commonareas—provided that some degree <strong>of</strong>anonymity <strong>and</strong> confidentiality can beassured.Telephone hotlines have emerged as apreferred mechanism as they are able toprovide anonymity <strong>and</strong> have a trackrecord for h<strong>and</strong>ling business ethics <strong>and</strong>compliance issues. They are also interactive,allowing a skilled interviewer to elicitthe necessary details to enable appropriateaction. By using unique <strong>and</strong> secret fileidentification numbers, anonymouscallers can be invited to call again to learnthe status <strong>of</strong> any action taken on thecomplaint or to provide additional informationrequired for follow-up action.Other mechanisms, such as voicemail,e-mail <strong>and</strong> web-based submissions maynot <strong>of</strong>fer the same degree <strong>of</strong> interactivityor anonymity. For web-based systems,which are becoming more popular, evenif s<strong>of</strong>tware is used to make the name <strong>of</strong>the sender anonymous, employees maystill believe that their identity is discoverablethrough other methods, such ascookies, Internet IP addresses, <strong>and</strong> thelike. Similarly, employees leaving voicemailsmay be wary that their voices maybe identifiable, or that their voicemailmessages be forwarded inappropriately.Outsourcing the Reporting Mechanismversus Administering In-houseThere are advantages <strong>and</strong> disadvantagesto both internal <strong>and</strong> outsourced reportingmechanisms, <strong>and</strong> there is no universalright or wrong answer for all companies.6 Our experience shows there appearto be fewer issues <strong>of</strong> basic service (beingable to promptly answer a call) <strong>and</strong> credibility(having trained operators h<strong>and</strong>leintake) with an outside provider, whilethe costs associated with outsourcinghave also come down. While we havereviewed successful hotline processesadministered internally, we have alsoobserved instances where employeescomplained that the line is not consistentlyanswered, or there is hesitancy touse for fear <strong>of</strong> being identified. In-househ<strong>and</strong>ling requires considerable vigilance<strong>and</strong> dedication by the unit h<strong>and</strong>ling thecalls.Advantages <strong>of</strong> outsourcing the mechanismto an independent third party mayinclude:■ Independence can add credibility <strong>and</strong>objectivity. It may lessen concernsthat the person answering a call hasany other agenda than eliciting thefacts. When sensitive high-stakesissues are involved (such as accountingfraud), employees may not betrusting <strong>of</strong> internal channels.■ Complaints can be received aroundthe clock. There may be fewer worriesthan an organization might face withanswering machines or missed calls.This can be critical for employeeswho are tentative about calling in thefirst place. It also facilitates differenttime shifts <strong>and</strong> geographic diversity,<strong>and</strong> allows for individuals to call fromhome <strong>and</strong> during non-work hours.■ They provide an additional buffer.This is especially important if a callerwants to remain anonymous. Callersdo not have to worry about theirvoice being recognized <strong>and</strong> issues canbe sanitized to a degree to reduce therisk <strong>of</strong> identification.Advantages to an internal process mayinclude:■ Internal resources can be moreresponsive. The resource answering acall <strong>of</strong>ten has enough knowledge <strong>and</strong>Continued on page 38<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200537

Effective ethics <strong>and</strong> compliance helplines ...continued from page 37is empowered to provide answers toquestions or to initiate an investigation.There is less need for calls to bereferred back <strong>and</strong> forth before aresponse regarding follow-up is providedto the caller.■ They can be more efficient <strong>and</strong> costeffective, depending on whether thereare additional personnel costs. Thecost <strong>of</strong> an external service is over <strong>and</strong>beyond the cost <strong>of</strong> an internal inquirysystem <strong>and</strong> <strong>of</strong>ten requires creation <strong>of</strong>a position or job function to managethe outsource relationship. Issue management<strong>and</strong> case resolution can alsonecessitate involvement <strong>of</strong> internalresources. The external vendor addsan extra layer in the process. Somelarge companies already have internalcall centers or helpdesks, <strong>and</strong> canuse that infrastructure to build aninternal system.■ There is familiarity with the companyculture. Internal resources betterknow the issues confronting theorganization <strong>and</strong> are attuned to patterns<strong>and</strong> trends <strong>of</strong> past calls, as wellas the goals <strong>and</strong> objectives <strong>of</strong> theethics <strong>and</strong> compliance function.Communicating the ProceduresLike any new initiative, a hotline willfail if not launched effectively. A comprehensivecommunications <strong>and</strong> implementationplan is an important consideration.Similarly, another best practiceis to promote awareness through formaltraining as part <strong>of</strong> a company’s ethics<strong>and</strong> compliance program.From interviews <strong>of</strong> employees, we haveobserved that <strong>of</strong>ten the goals <strong>and</strong> objectives<strong>of</strong> a helpline are not always understood.This has created obstacles to successfullyimplementing the process in theworkforce. For instance, union employeeswith collective bargaining roles may havea negative perception <strong>of</strong> reporting mechanismsthat allow for complaints to bevoiced to management anonymously byindividuals. We have found that fearsabout a hotline can be greatly alleviatedby proactive communication efforts toemployees ahead <strong>of</strong> implementation.Companies can broadly disseminate theprocedures, or at least the portions <strong>of</strong> theprocedures that describe how to submitcomplaints. The logical places for suchdissemination would be the company’scorporate website <strong>and</strong> employee Intranet.For companies without websites orIntranets, or with a large percentage <strong>of</strong>employees with limited access to computers,it is useful to post the procedures incompany common areas. Companies canincorporate the procedures into theiremployee manuals, <strong>and</strong> consider distributingthe procedures in paper format to allexisting employees <strong>and</strong> to new employeesas part <strong>of</strong> the orientation process.Responsibility for Receiving <strong>and</strong>Evaluating ComplaintsTypically, a department with the requisitelevel <strong>of</strong> independence <strong>and</strong> authorityto h<strong>and</strong>le calls that may implicate anyonein the company, including seniormanagement, oversees a hotline. Thismay include, for instance, the internalaudit function or the ethics <strong>and</strong> compliancefunction, with the underst<strong>and</strong>ingthat those functions will have a directreporting relationship to the board’saudit committee.As with any issue involving highly placedindividuals in an organization, it could befutile to route whistle-blower complaintsto management if a member <strong>of</strong> managementcould be implicated. At a minimum,the audit committee should bepromptly notified <strong>of</strong> significant incidents<strong>and</strong> periodically receive summary informationon all substantial complaints.One <strong>of</strong> the challenges is to provide sufficientguidelines to properly screen <strong>and</strong>classify complaints that are the focus <strong>of</strong>Sarbanes-Oxley. A balance must besought to avoid deluging an audit committeewith irrelevant or immaterial matters,but also to guard against possiblyoverlooking a complaint that is related t<strong>of</strong>inancial reporting, resulting in the matternot being reported to the audit committeeor not being fully investigated. Ifan external helpline vendor is used, atwo-stage process is likely needed. Theexternal provider can be provided guidelines<strong>and</strong> definitions for classifying SOXmatters, but they should not be expectedto have sufficient expertise to assureaccurate classification. Internal resourcescan also be utilized for additional evaluation<strong>of</strong> complaint classifications so thatcomplaints are not missed or miscoded.Case Management <strong>and</strong> InvestigationsFor most companies, the functioncharged with receiving the complaintsdevelops helpline protocols, including ascreening <strong>and</strong> triage process. Typically, aqualified <strong>and</strong> trained individual willevaluate the nature <strong>of</strong> the call or complaint,<strong>and</strong> then route it to the appropriateresource (“liaison” or “subject matterexpert”). If the matter involves improperaccounting or financial control issues,then heightened procedures should befollowed, including immediate notificationto a member <strong>of</strong> the audit committee<strong>and</strong> retention <strong>of</strong> outside counsel.The intake process is important in thatDecember 200538<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

the communication specialist (in-houseor outsourced) plays a key role inobtaining detailed information that willbe useful both for h<strong>and</strong>ling the issue <strong>and</strong>for tracking the types <strong>of</strong> calls beingmade. During reviews, we have seenprocesses where intake is overly cumbersome,leading callers to drop <strong>of</strong>f; sostreamlining questions is important.A common challenge we have seen isensuring accountability for investigating<strong>and</strong> addressing the complaints that areraised. In some instances, problems arosebecause it was not clear who was responsiblefor taking action, resulting in complaintsnot being appropriately addressed.We have recommended to companiesthat they clearly designate individuals(<strong>of</strong>ten referred to as “liaisons” or “subjectmatter experts”) with the responsibilityfor investigating the complaint <strong>and</strong> ensuringresolution. Such accountabilityshould be defined in the job description<strong>and</strong> be incorporated into performancereviews. Further, the number <strong>of</strong> individualsinvolved in the process should be keptto a manageable size to maintain adequatequality control. At times, we haveseen processes where a liaison’s delegation<strong>of</strong> the actual investigation leads to minimaloversight or compromised confidentiality<strong>of</strong> the matter, which leads to theissue <strong>of</strong> appropriate investigations.Conducting independent <strong>and</strong> objectiveinvestigations is a key feature <strong>of</strong> an effectivehotline. We have seen issues involvingcase management difficulties in thefollowing instances:■ Where high-risk investigations areconducted without sufficient subjectmatter expertise■ Failure to use an impartial investigator■ Investigators or hotline liaisons lackingskills <strong>and</strong> training in investigativetechniques■ Having too few investigators orliaisons in certain areas, leading tooverburdened workloads <strong>and</strong> mattersnot being reviewed in a timely manner■ Having no liaison identified resultingin no accountability for any actiontakenCompanies with effective helplineprocesses make efforts to designate casemanagers <strong>and</strong> investigators with theproper skill set, while allowing for use <strong>of</strong>subject matter experts as needed. SeeFigure 1 flow chart on page 41 for anexample depicting a process overviewinvolving intake <strong>and</strong> internal delegationto company liaisons.Anonymity, Confidentiality, <strong>and</strong>“Good Faith” ReportingIt should be noted that anonymity <strong>and</strong>confidentiality are related but are separate<strong>and</strong> distinct issues. Both pertain toconcerns that a whistle-blower may faceretaliation for reporting suspected misconduct.An employee utilizing a reportingmechanism may choose to be anonymous<strong>and</strong> those involved in the investigationshould not be aware <strong>of</strong> the person’sidentity. Even if a caller chooses toidentify herself, there is still an expectationthat confidentiality with respect tothe individual <strong>and</strong> the investigation willbe maintained. This means that theinvestigation <strong>and</strong> the key facts (includingidentity, if known) should be kept instrict confidence <strong>and</strong> made aware toonly those who need to know, due totheir involvement in the investigation.An organization cannot guarantee totalconfidentiality. Generally a caveat is providedto a person contemplating a disclosure<strong>of</strong> wrongdoing, that the identity<strong>of</strong> a reporting individual may becomepublic due to circumstances beyond thecontrol <strong>of</strong> the organization. For instance,there may be litigation <strong>and</strong> other legaldem<strong>and</strong>s that may require an organizationto provide critical facts <strong>of</strong> the matter,including the identity <strong>of</strong> the person(if known) reporting the issue. Even ifone remains anonymous, the circumstances<strong>of</strong> a matter may suggest the identity<strong>of</strong> a caller. Further, despite controls<strong>and</strong> protections in place, mishaps canstill occur <strong>and</strong> there is the speculation<strong>and</strong> gossip that <strong>of</strong>ten occurs during aninvestigation, especially following interviews<strong>of</strong> individuals.Such caveats are best conveyed in thepromotional literature publicizing thehelpline, <strong>and</strong> not on a live telephoneconversation, where they are more likelyto dissuade the caller from continuingwith his or her report.A caution typically being provided toindividuals contemplating anonymity isthat investigations tend to be more effectiveif investigators know the identity <strong>of</strong>the caller as they can be more readilycontacted <strong>and</strong> interviewed to follow-upon evidence <strong>and</strong> leads. Also, anothercaveat communicated to the workforce isthat protections are afforded only tothose who report issues in good faith. Inother words, discipline will be soughtagainst those who use the hotline forimproper purposes such as to harass orsl<strong>and</strong>er another’s reputation.Safeguarding Against RetaliationAs noted earlier, a number <strong>of</strong> studiesindicate that employees are reluctant todisclose wrongdoing unless there isContinued on page 40<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200539

Effective ethics <strong>and</strong> compliance helplines ...continued from page 39December 200540confidence that management will act onreports <strong>and</strong> that there will be no retaliationfor such reports. 7 Thus, the complaintprocedures should be designed tominimize the identification <strong>of</strong> a personwho filed an anonymous complaint, inaddition to protecting confidentialitywhen the identity is known.We find that most organizations havecompany-wide policies on confidentiality<strong>and</strong> non-retaliation that are widely promotedas part <strong>of</strong> communication <strong>and</strong>training concerning the complaint procedures.More mature hotline systems g<strong>of</strong>urther by periodically monitoring thestatus <strong>of</strong> whistle-blowers after a period <strong>of</strong>time to determine if they are experiencingharassment or other punitive measures.Reporting Mechanisms for Third PartiesAnother consideration is promoting use<strong>of</strong> the mechanism outside <strong>of</strong> the workforceto meet the requirements <strong>of</strong>Sarbanes-Oxley. Companies <strong>of</strong>ten maketheir helplines available, or may establishrelated-helplines, for third parties suchas customers or vendors. We find thatcompanies with large customer bases(e.g., consumer-oriented <strong>and</strong> serviceindustry companies) establish protocolswhereby potential employee fraud ormisconduct issues that arise throughnormal customer service or consumerprotection channels get forwarded to adepartment that oversees the hotline forh<strong>and</strong>ling <strong>and</strong> resolution. An advantagefor extending the coverage <strong>of</strong> the hotlineto third parties is to facilitate the ability<strong>of</strong> those in a position to observe employeemisconduct to report it.If a mechanism is considered for use outside<strong>of</strong> the company, it is recommendedthat the procedures <strong>and</strong> protocols beassessed. As with issues that can arisewith multiple mechanisms, such as thefailure to note common issues beingreported, the potential increase in reportingvolume <strong>and</strong> concomitant increasedcaseload should be considered. Whetheror not issues need to be routed <strong>and</strong> h<strong>and</strong>leddifferently, depending on who(employee versus vendor or customer)reports a matter, can also be evaluated.International ChallengesThe popularity <strong>of</strong> helplines is increasinginternationally along with the globalnature <strong>of</strong> U.S. business practices.According to a Conference Board surveyon the ethics program <strong>of</strong> 165 companiesworldwide, 8 other countries have significantpercentages <strong>of</strong> organizations withpolicies <strong>and</strong> procedures that encourageemployee reporting <strong>of</strong> violations.Another consequence <strong>of</strong> the globalization<strong>of</strong> helplines is the potential impact <strong>of</strong> culturaldifferences that may govern its use.A World Bank-Conference Board studynoted that culture-based resistance towhistle-blowers is less common in EastAsia than in Europe. 9 This study suggeststhat a lower incidence <strong>of</strong> whistle-blowingin Western Europe may “reflect a preferencefor other channels, such as workcouncils, labor unions, or even direct discussionswith appropriate company executives.”The study further notes thatwhistle-blowing may be a risky propositionin France because Article 214 <strong>of</strong> theFrench Criminal Code makes denunciation<strong>of</strong> another without just cause a criminal<strong>of</strong>fense. Anecdotal explanations havebeen <strong>of</strong>fered in other countries wherethere may be a culture-based resistance.Recent decisions in France <strong>and</strong> Germany,“that anonymous employee whistle-blowinghotlines, without certain precautions,are invalid or unlawful in those countries”are causing concern for manymultinational public companies thatmust comply with SOX <strong>and</strong> relatedrules. 10 In several European UnionMember States (“EU”), the SOX requirementsmay be in direct conflict withthese decisions. U.S. companies whichhave subsidiaries <strong>and</strong> employees in theEU with reporting mechanisms in place,must now consider additional options tominimize risks in those countries.The historical stigma <strong>of</strong> the whistlebloweras informer has its various culturalexplanations, yet the discomfort isapparently universal. At this time, thereis no universal solution; thus companiesshould monitor <strong>and</strong> perform a countryby-countryanalysis, pending future SECintervention or multinational resolution.Demonstrating EffectivenessComprehensive Approach NeededHow to demonstrate the effectiveness <strong>of</strong>a helpline (<strong>and</strong> other elements under theFSG) to law enforcement or regulatorshas been an ongoing challenge <strong>of</strong> ethics<strong>and</strong> compliance programs. Part <strong>of</strong> thedifficulty is that it is not obvious how tocompare company metrics to industrybenchmarks though some establishedvendors <strong>and</strong> associations now have availabledata on volume <strong>and</strong> usage by theircustomers. 11 What does it mean if youhave a low call volume compared to thenorm—that the organization has fewproblems, or that employees either arenot aware or do not trust the helpline?Furthermore, there is only just beginningto be a body <strong>of</strong> case law related to chal-Continued on page 42<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

Figure 1: Process OverviewThe establishment <strong>of</strong> formal procedures forreceiving <strong>and</strong> h<strong>and</strong>ling complaints is intended tosupport incident reporting <strong>and</strong> thereby alertingmanagement <strong>and</strong> the Board <strong>of</strong> potential problemsbefore they have serious consequences.Implementing a helpline mechanism can helpachieve this objective, but only if it is designedin a manner that encourages its proper <strong>and</strong>effective use.<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200541

Effective ethics <strong>and</strong> compliance helplines ...continued from page 41lenges around whistle-blowing mechanisms,<strong>and</strong> the effectiveness, anonymity,<strong>and</strong> protected status <strong>of</strong> whistle-blowersunder Sarbanes-Oxley 12 , but this is, asyet, insufficient to provide any emerginglegal st<strong>and</strong>ard <strong>of</strong> helpline effectiveness.Public, private, <strong>and</strong> nonpr<strong>of</strong>its alikeshould at least have documentation <strong>of</strong>their helpline processes as the reportingmechanism constitutes a critical company-levelanti-fraud program control. Abasic step to demonstrate effectiveness isbeing able to show that your mechanismhas the structure <strong>and</strong> processes expectedin a mature program—such as anonymitycapability, the ability to seek guidance,non-retaliation policies, <strong>and</strong> investigativeprotocols. Basic mechanics <strong>of</strong>accessibility should also be tested. Is thehelpline reachable from all companylocations <strong>and</strong> from outside the company?How quickly are calls answered?Another means <strong>of</strong> demonstrating effectivenessis to measure the perceptions <strong>of</strong>the workforce regarding the companyreporting mechanism. Do they trust thehelpline <strong>and</strong> would they use it if theyobserved misconduct in the workplace?Have those who have used the helplinefound it useful in resolving the concernreported? Some companies incorporatethe use <strong>of</strong> a customer service questionnairefollowing the closure <strong>of</strong> a helplinecase. Others periodically survey theiremployees on the work environment <strong>and</strong>include questions on the helpline <strong>and</strong>the compliance program generally.Obviously there is no single method ormeasure to show that your helpline isindeed effective. Multiple approachesmust be considered. In addition toprocess documentation, surveys, <strong>and</strong>case data (described more fully below),additional techniques to considerinclude:■ Using focus groups to measure employees’underst<strong>and</strong>ing <strong>of</strong> the purpose <strong>and</strong>proper use <strong>of</strong> the helpline■ Reviewing case files to determinewhether protocols were followed■ Follow-up interviews with identifiedcallers to evaluate the h<strong>and</strong>ling <strong>of</strong>issues raised■ Determining if whistle-blowers facedany form <strong>of</strong> retaliation for reporting aviolation■ Verifying that reported issues havebeen corrected■ “Mystery Shopper”—testing theprocess with a mock issueHotline Data <strong>and</strong> ReportsBest practices have emerged with respectto maintaining <strong>and</strong> reporting on helplinedata. Most vendors provide a databasetool that enables collection <strong>of</strong> call data.The American Institute <strong>of</strong> CertifiedPublic Accountants developed a Toolkitas a resource for audit committees, whichincludes a Sample Tracking Report forthe Sarbanes-Oxley reporting process.Additionally, record retention practicesare critical, especially under SOX.Often we see that management <strong>and</strong> theBoard <strong>of</strong> Directors find little value inthe basic hotline reports provided. Somehelpful database features we’ve found inmature helpline systems include:■ Having the functionality to capture<strong>and</strong> document multiple allegations■ Establishing definitions for theunique complaint categories beingused for reporting data■ Clarifying critical definitions suchas when a reported matter is“substantiated”■ Having controls for reclassification orother data modification that may compromiseits integrity, including limited<strong>and</strong> password protected access to reports■ Secure, online reports stored on dedicated,<strong>and</strong> segregated servers within a company,or on an outside vendor’s server■ Case management reports that showthe status <strong>of</strong> reports under investigation,establish deadlines, <strong>and</strong> provideproactive remindersIf data challenges are resolved, then anorganization potentially has a wealth <strong>of</strong>data for monitoring problematic areas.The availability <strong>of</strong> this data provides theopportunity to assess the impact <strong>of</strong> thehelpline, as well as other features <strong>of</strong> anethics <strong>and</strong> compliance program. Alongwith metrics that are routinely reportedto the leadership <strong>and</strong> the board, helplinedata can be analyzed to detect trendsover time <strong>and</strong> opportunities for improvement.Some basic measures that c<strong>and</strong>emonstrate effectiveness include:■ Tracking usage over time <strong>and</strong> correlatingto program initiatives (e.g., does callvolume increase following a helplinecommunication or ethics training?)■ Measuring the rate <strong>of</strong> substantiationon long-st<strong>and</strong>ing issues■ Trending usage <strong>of</strong> the helpline onmeasures that indicate the severity<strong>and</strong> nature <strong>of</strong> issues reported■ Comparing company data to your vendor’smeasures as well as other externalbenchmarks from those provided bysources such as the Ethics OfficersAssociation <strong>and</strong> the Association <strong>of</strong>Certified Fraud Examiners 13We find that leading companies gobeyond the basic monitoring <strong>of</strong> call volume<strong>and</strong> classification <strong>and</strong> try to correlatehelpline data to program activitiesDecember 200542<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.org

<strong>and</strong> events occurring in the organizations.Such companies further showemployee awareness <strong>of</strong> the helpline <strong>and</strong>their perception <strong>of</strong> its usage.Certainly, companies which make thehelpline part <strong>of</strong> a broader compliance,ethics <strong>and</strong> fraud detection, deterrence<strong>and</strong> mitigation effort, will have somedifficulty in isolating the helpline inorder to measure its effectiveness.Complementary activities such as ongoingethics training, proactive testing <strong>of</strong>financial data, increased backgroundchecks on business partners <strong>and</strong> newhires, fraud risk assessments, <strong>and</strong> periodiccultural assessment surveys amongemployees at all seniority levels, shouldcontribute to the fostering <strong>of</strong> a culture<strong>of</strong> compliance <strong>and</strong> ethical behavior inthe workplace, which a helpline introducedin isolation may not achieve.Finally, the body <strong>of</strong> knowledge <strong>and</strong>research in the field <strong>of</strong> fraud controlprograms, such as helplines, continues togrow. Companies will increasingly haveaccess to benchmarked, sectoral trends<strong>and</strong> survey results, <strong>and</strong> a growing number<strong>of</strong> organizations in this field aremeeting the dem<strong>and</strong> for guidance onhelplines <strong>and</strong> related programs. As aresult, companies are increasingly overcomingtheir sense that helplines areburdensome regulatory requirements<strong>and</strong> beginning to see them as usefultools for management <strong>and</strong> good governancewithin their organizations. ■About DeloitteDeloitte refers to one or more <strong>of</strong> Deloitte ToucheTohmatsu, a Swiss Verein, its member firms <strong>and</strong> theirrespective subsidiaries <strong>and</strong> affiliates. As a Swiss Verein(association), neither Deloitte Touche Tohmatsu nor any<strong>of</strong> its member firms has any liability for each other’s actsor omissions. Each <strong>of</strong> the member firms is a separate <strong>and</strong>independent legal entity operating under the names“Deloitte,” “Deloitte & Touche,” “Deloitte ToucheTohmatsu,” or other related names. Services are providedby the member firms or their subsidiaries or affiliates <strong>and</strong>not by the Deloitte Touche Tohmatsu Verein.Deloitte & Touche USA LLP is the U.S. member firm <strong>of</strong>Deloitte Touche Tohmatsu. In the U.S., services are providedby the subsidiaries <strong>of</strong> Deloitte & Touche USA LLP(Deloitte & Touche LLP, Deloitte Consulting LLP, DeloitteFinancial Advisory Services LLP, Deloitte Tax LLP <strong>and</strong> theirsubsidiaries), <strong>and</strong> not by Deloitte & Touche USA LLP.1. Tabuena, José. “<strong>Compliance</strong> <strong>and</strong> Ethics Hotlines:Establishing the Sarbanes-Oxley WhistleblowerComplaint Procedures”. <strong>Compliance</strong> & Ethics,Volume Two, Number One (February 2005).2. The terms helpline <strong>and</strong> hotline will be used interchangeably.3. Association <strong>of</strong> Certified Fraud Examiners, 2004Report to the Nation; various fraud surveys have similarlyreported that anonymous reporting mechanismsshowed the greatest impact on fraud losses.4. E.g., Kroll, Luisa. “Squealed, Fired, Rehired”.Forbes.com, 07/25/2005.5. See e.g., Transparency International—USA, “<strong>Corporate</strong>Governance: Code <strong>of</strong> Conduct/<strong>Compliance</strong> ProgramsLeading Practices Survey,” February 2003(http://www.transparency.org/); Trevino, Linda Klebe<strong>and</strong> Gary R. Weaver. “Organizational Justice <strong>and</strong> EthicsProgram ‘Follow-Through’: Influences on Employees’Harmful <strong>and</strong> Helpful Behavior.” Business EthicsQuarterly, Volume 11, Number 4 (October 2001): 651.6. The Institute <strong>of</strong> Internal Auditors (“IIA”) conducted aQuick Poll on its web site (www.theiia.org) fromJanuary 16-29, 2004, asking the following: “Doesyour company use an internal whistleblower process,or an outside service organization?” The results were44% use an internal process, 36% use an outside service<strong>and</strong> for 20% the question was not applicable.7. See footnote 5, supra. During assessment work we’vedone with Fortune 500 companies, employees whochoose not to report wrongdoing indicate their beliefnothing will be done anyway, so why take the risk?Similarly, Steve Priest with the Ethical LeadershipGroup (http://www.ethicalleadershipgroup.com) alsoasks employees why they don’t report <strong>and</strong> says the numberone response is the belief that no action will betaken, with fear <strong>of</strong> retaliation (perhaps counterintuitively)at number two. This is consistent with research studiessuch as the work <strong>of</strong> Linda Trevino <strong>and</strong> Gary Weaver.8. The Conference Board, Ethics Programs, The Role <strong>of</strong>the Board: A Global Study. 2003. (http://www.conference-board.org).9. Jean-Francois Arvis, Ronald E. Berenbeim, FightingCorruption in East Asia: Solutions from the PrivateSector, The World Bank, 2003, p. 57.10. Schreiber, Mark E., Jeffrey M. Held, et al.,Anonymous Sarbanes Oxley Hotlines in the E.U.:Practical <strong>Compliance</strong> Guidance for GlobalCompanies. BNA International World DataProtection Report, August 2005 (www.bnai.com).11. For example see the paper Best Practices in EthicHotlines, by The Network, a third-party ethics hotlineprovider (http://www.tnwinc.com/); <strong>and</strong> EverythingYou Wanted to Know About Helpline Best Practices,Preliminary Results <strong>of</strong> the 2004 Survey <strong>of</strong> EthicsOfficer Association Sponsoring Partner Members, bythe Ethical Leadership Group, October 2004(http://www.ethicalleadershipgroup.com).12. Hoey, Barbara E. “Recent Trends in WhistleblowerLitigation”. The Metropolitan <strong>Corporate</strong> Counsel, PartI (July 2005) <strong>and</strong> Part II (August 2005), which citescases involving the enforcement <strong>of</strong> the SOX § 806.13. The Open <strong>Compliance</strong> & Ethics Group (OCEG) is amulti-industry <strong>and</strong> multidisciplinary coalition workingto integrate the principles <strong>of</strong> governance, compliance,risk management, <strong>and</strong> integrity. OCEG(www.oceg.org) has a Hotline Working Group thatplans to document a global set <strong>of</strong> open st<strong>and</strong>ards forwhistleblower hotlines/helplines.WANTEDConsulting firmsLaw firmsAuditorsBusiness/VendorsNon-pr<strong>of</strong>itsUniversitiesSCCE WEB SITE CAMPAIGNWe are requesting information from thefive categories above. We want to givethese organizations a place on our Website to share tools <strong>and</strong> information.Current information needed:■ White papers■ Articles■ E-magazines (including back issues)■ Organizational policies/procedures/forms/audit tools/etc.■ Job descriptions■ <strong>Compliance</strong> operating tools■ List <strong>of</strong> your expertsHelp us to create the tools, <strong>and</strong> a list <strong>of</strong>compliance <strong>and</strong> regulatory experts, thatare needed for the leaders behind thedecision-making in <strong>Corporate</strong> America.If you are interested in setting up asection on our Web site, please contactLizza Bisek at:lizza.bisek@corporatecompliance.orgMain Office: 888-277-4977<strong>Society</strong> <strong>of</strong> <strong>Corporate</strong> <strong>Compliance</strong> <strong>and</strong> Ethics • (888) 277-4977 • www.corporatecompliance.orgDecember 200543

The Complete <strong>Compliance</strong> <strong>and</strong> Ethics ManualAn accurate, comprehensive, <strong>and</strong> authoritative reference source!Save time by improving the efficiency <strong>of</strong> your compliance program.You get the manual plus the full version CD.Pricing: Member rate $315.00, Non-Member rate $349.00The Complete <strong>Compliance</strong> <strong>and</strong> Ethics Manual including 838 double-sided pages filled withup-to-date, valuable information on current compliance issues. Large, attractive three-ring binder withcolor front, spine, <strong>and</strong> back cover.Three ways to order:Mail to: SCCEVisit: www.corporatecompliance.org 5780 Lincoln Drive, Suite 120Fax: 952-988-0146 Minneapolis, MN 55436For more info call 1-888-277-4977

Hooray! Your file is uploaded and ready to be published.

Saved successfully!

Ooh no, something went wrong!