Aligning Corporate Views of Risks, Ethics and Compliance

Neil Hodge

October 22, 2024

Companies like to think that everyone in their organization shares the same views about risk, ethics and compliance, but unfortunately, the evidence suggests otherwise. According to a recent Benchmark of Ethical Culture Report by ethics and compliance specialist LRN Corporation, nearly a quarter (23%) of employees around the world thought it was acceptable to break the rules to get the job done. Worse still, some 14% admitted they had “engaged in behavior that violated their company’s code of conduct or standards” in the past year.

Many senior managers are unaware that there could be a problem. LRN found that management is 2.6 times more likely to indicate the company has a strong ethical culture than the typical worker. This may reflect that managers assume strong codes of conduct must automatically mean strong compliance.

LRN’s report also found that younger employees were more likely to bend or break rules than their older colleagues. For example, 22% of Gen Z respondents (typically those born between 1996 and 2010) said they engaged in unethical conduct in the past year in the workplace, compared with just 9% of baby boomers (those born between 1946 and 1964).

While the report does not indicate that such rule-breaking was linked to financial or personal gain, or any attempt to maliciously damage the company, experts generally agree that non-financial misconduct can be an early indicator of other serious noncompliance issues in an organization. As such, employers must consider whether they need to monitor employees more closely to determine how likely some workers might be to ignore compliance responsibilities. It is also a reminder for risk management functions that people risk should be on their radar, as fostering ethical conduct at all levels of an organization can help avoid potentially costly regulatory penalties.

Understanding the Disconnect

There are several signs that indicate employees’ views on risk, ethics and compliance may be divergent. For example, repetitive violations and inconsistent behavior across different teams or locations suggest a need for more uniform understanding and enforcement, while low reporting rates via speak-up mechanisms or line managers could indicate that employees are unaware of how to raise or escalate concerns or do not trust the process. High employee turnover and negative employee feedback via exit interviews can also be helpful indicators of poor corporate culture.

But trying to get everyone in the organization to see risk, compliance and ethics in the same way can be difficult. “I do not think you can ensure that everyone is on the same page, but you can build a culture where these issues are taken seriously and where employees are comfortable raising concerns in the belief that management will act on any complaints,” said Liz Sebag-Montefiore, director of HR consultancy 10Eighty. The problem lies in how a company actually conducts its business. “Companies can talk about ethics, but if they are gouging their suppliers, treating customers unfairly, and exploiting employees and treating them as disposable, then they will not inspire a workforce committed to best practice,” she said.

Many employers believe the key tool to outline acceptable and expected behavior is the code of conduct, which often includes ethics. Typically, this sets out the expectations for risk management, compliance and ethical behavior and is led or at least sponsored by executives and senior management. These documents are made accessible to all employees, require workers’ verification that they have read and understood the terms, and are reviewed periodically. To ensure the message gets through, companies usually insist on accompanying words with action through training and workshops. In reality, employees often do not read these voluminous codes of conduct very closely, which results in staff blindly accepting the terms and conditions and forgetting what they have read and agreed to do. 

Improving Compliance Efforts

According to Mark McClennan, author and host of the HR-themed blog and podcast Ethical Voices, the mismatch in employees’ understanding of compliance with codes of conduct is exacerbated by the fact that most companies fail to do ethics and risk training well. “Annual ethics training is about as effective as going to the gym once a year,” he said. “You can say you go to the gym, but it will not improve your health.”

The key to achieving better compliance is to get more direct employee feedback and buy-in to achieve a consensus view of which behaviors are acceptable and which are not, and then incorporate them into the company’s code of ethics or conduct. “Building an ethical culture requires regular discussion,” McClennan said. “Every manager should at least monthly highlight a situation they have seen of a regular ethical misstep and then ask everyone if they saw it and ask what they think, while ensuring the manager speaks last. Another tip is to have others share examples, discuss them and apply them to your company's code of ethics. This helps employees think about ethics first and understand the importance you place on ethics. It will uncover where there are ethics differences and might uncover issues you have not considered.”

Michael Toebe, specialist at ethics consultancy Reputation Intelligence-Reputation Quality, agrees companies can help employees see risk, compliance and ethics in the same light by building a majority agreement about what the organization’s ethical standards should be rather than having management develop and impose an arbitrary standard. While he concedes such an approach can be a huge time commitment that requires a lot of effort, patience, active listening, psychological safety and facilitated dialogue, it can pay real dividends in terms of better oversight, governance and compliance because there is buy-in.

Another useful approach is to create a safe forum for employees to share their experiences and views without fear of reprisal. This will help the organization to understand how its workforce interprets the rules and the circumstances under which employees may bend or break policies. Managers should ask open-ended questions and actively listen. “Be inviting and inclusive with the conversation,” Toebe advised. “Keep it going and do not shut it off for time constraints—you will almost assuredly regret it if you do because of what you will not learn or be able to implement that will be helpful. You might also leave people resentful if they don’t get to share what they know or think is necessary to communicate. A sign that what you implemented is not working is behavior that is clearly not congruent with what was discussed and mutually agreed upon.”

Addressing Generational Differences

One of the key reasons that generations of employees have different views on risk and compliance is that differing work and management styles can create a culture clash. According to Richard Birke, chief architect at alternative dispute resolution firm JAMS Pathways, baby boomers—who are typically in senior positions—often misinterpret the more informal approach of Gen Z employees as a lack of work ethic or precision. As a result, they give these junior employees uncomplicated, unchallenging tasks that can cause them to feel devalued and lead them to “quiet quit” or mentally check out because it appears advancement opportunities are limited, slow to appear or simply non-existent. This “task conflict” then transforms into “relationship conflict” that negatively impacts the workplace and its inhabitants, he said.

To address this issue, Birke said managers should first start learning what motivates younger employees and work out how to get the best out of them. They should contact HR for training and guidance or bring in external expertise, if necessary. “Many managers are promoted from a line-level position to management without having an adequate opportunity to amend and enlarge their skill set,” Birke said. “Managing people is a distinct set of skills, and excellence ‘on the line’ is not a recipe for unmitigated success as a supervisor.” 

Second, older managers should examine ways to better communicate with cross-generational teams. “Set an example of how to communicate about your own preferences [without requiring] others to abandon the style of communication that is most effective for them,” he said. “Focus on psychological safety so that people with different approaches feel comfortable sharing with peers, supervisors and subordinates even when the supervisor is not present.”

Most experts say leadership plays a crucial role in achieving a unified corporate view of risk and compliance. The overriding opinion is that senior leaders must champion and model ethical behavior and demonstrate a commitment to compliance, communicating the importance of these values regularly. This sets a “tone from the top” that makes these principles integral to the corporate culture.

Prioritizing Ethical Behavior

According to Ann Skeet, senior director of leadership ethics at Santa Clara University's Markkula Center for Applied Ethics, there are three conditions that make it more likely for people to prioritize ethics in organizations. The first is a sense of responsibility to society. The second is a respect for moral autonomy and a climate of mutual trust—basically, an environment that encourages decentralized decision-making and relying on people to come forward and voice concerns. The third relies on “ethical deliberation” so that decisions have clear motivations, are grounded in data and take into account those who will be affected by the outcomes.

Business leaders can further encourage ethical behavior through the example they set and the actions they take. They can start by building community within the organization as “people with strong, healthy relationships with each other do not want to put those relationships at risk by behaving unethically,” Skeet said. They can also look to positively influence actions and behavior beyond their own organization to ensure ethical behavior within the ecosystems they are a part of, such as a supply chain or industry sector.

However, while the “tone from the top” is important, the “tone from the middle” may be even more essential. “Your average employee is not going to have any meaningful interaction with the C-suite or senior management, so being told what to do by an executive will have limited appeal to some employees,” said Sarah Miller, CEO at ethics advisory firm Principia. “Seeing how middle or line managers deal with ethical dilemmas and how they understand and abide by rules on a daily basis is going to make a much bigger and deeper impact to a wider range of workers, so these are the people who need to be ethics and compliance champions.”

She added that organizations also need to appreciate that different people—not just based on their age—have different “triggers” to motivate compliance. For example, some employees will curb their behavior if they are told specifically that they are doing something wrong, while some will accept that something is considered “best behavior” if they are told that everyone else is following suit. Others, however, may comply more readily if they are asked specifically what they think they should do (as well as should not do) or are challenged about their behavior and are asked to justify their actions.

Empathy can also play a strong role. Miller said younger employees are more likely to uphold rules, principles and kinds of behaviors that “matter” to them. They are also more likely to question rules and controls that seem silly, onerous and nonsensical, rather than simply follow “tick-box” compliance generally. For example, she said, Gen Zers are often more engaged with company policy—and more likely to report noncompliance—regarding equality and human rights, environmental issues, workplace bullying, harassment, sexism and racism, and less bothered about what they perceive to be “mundane” controls, procedures and protocols that they believe are low risk and hold up their work.

“Reflective rules that ask people to think about what they should do in a given scenario often chime more with younger employees instead of hard and fast rules that do not allow for judgment, which older employees are more used to,” Miller said. “It is not necessarily the case that employees in their early 20s or 30s do not think rules apply to them. It is just that they are more likely to question them and try to understand the logic—or lack of logic—behind them. As a result, companies may need to adopt different approaches to risk and compliance because people understand and follow rules in different ways.”

Companies also need to be clear about which kinds of rules can never be broken, and which might have a degree of leeway so long as an acceptable outcome is achieved. “For example, a bank teller is there to serve the customer,” Miller said. “But if an elderly customer makes repeated, large daily cash withdrawals, it is fair for the teller to ask questions to ascertain whether the customer is under duress or confused. Sticking to the rules in this kind of scenario becomes nonsense.”

Miller also warns companies against punishing employees too readily for noncompliance. “It is important to get a proper sense of why people see rules in the way they do,” she said. “You will not understand that if you chastise, punish or warn them without finding out why they thought this behavior or conduct was permissible. It could be a case that they have misinterpreted the rules, misunderstood the seriousness of the breach of conduct and potential fallout, or that they have been told by a colleague or superior that the action is OK. Also, it is unlikely that just the one employee sees the rules or tolerance of noncompliance in this way—others are bound to see it in similar terms. Understanding the motive and rationale for noncompliance can lead to better policy wordings and can help in future training as part of a ‘lessons learned’ segment.” 

Establishing how different parts of the workforce understand risk and ethics may have traditionally been the responsibility of HR, compliance and in-house legal functions. However, regulatory oversight and expectations about corporate behavior and consumer protection are at an all-time high. Therefore, all risk management functions should review how well rules are followed in their organizations, assess the levels of risk where noncompliance may be more likely to occur, and work with key assurance functions to prevent a serious disregard of regulations, especially those that come with large penalties and sanctions.

Neil Hodge is a U.K.-based freelance journalist.