Harvard Business Review
Constance E. Bagley, Bruno Cova, and Lee D. Augsburger
DECEMBER 21, 2017
One defining feature of 2017 has been seeing corporate directors and officers being held personally responsible for illegal behavior at their companies. For example, after Wells Fargo Bank paid more than $300 million in penalties for creating over 3 million sham customer accounts, Judge Jon Tigar of the U.S. District Court in San Francisco refused to dismiss claims against the fifteen members of the Wells Fargo board. And Oliver Schmidt, the highest ranking Volkswagen officer residing in the United States, was sentenced to seven years in prison and ordered to pay $400,000 for his role in the VW diesel emissions scandal.
As the ultimate guardians of the firm’s financial, human, and reputational capital, corporate boards need to set their bar higher, and replace reactive approaches to misbehavior with a proactive approach to winning with integrity. Instead of assuming everything is fine unless they hear otherwise, directors need to be more probing.
Based on decades of experience working with companies in multiple industries and studying hundreds of compliance failures, we’ve developed a comprehensive ten-step program to help boards reduce the risks of illegal behavior, reinforce ethical conduct as a core value, and enhance the company’s reputation—in the eyes of regulators and stakeholders—as a good corporate citizen.
1. Create an ethics committee of the board. Strategic compliance starts with the tone at the top. To avoid a diffusion of responsibility, the board of directors should designate a committee of nonexecutive directors with responsibility for the firm’s culture of integrity and for creating a robust program of controls and processes to promote ethical conduct and compliance. This could be the audit committee, an ethics and compliance committee, or an ad-hoc committee to address evolving risks and challenges.
Its charter should include appointment, with feedback from the other directors, of the chief ethics and compliance officer (CECO); and the committee should approve the company’s code of conduct, as well as revise it to meet changing conditions in the marketplace.
The committee should be charged with working with the top management team (including the CECO) and the other board members to ensure that the company’s approach to product quality, worker safety, environmental stewardship, sustainability, compliance, and corporate social responsibility is an integral part of its overall business strategy. Committee members should be specially trained in measuring an ethical culture and have the demonstrated ability and moral courage to take responsibility for mistakes and to call out suspicious behavior.
2. Appoint a high-ranking chief ethics and compliance officer (CECO) to take day-to-day operational responsibility for the company’s global ethics and compliance program. The CECO should have knowledge of applicable law, ethical theory, and the science of unethical behavior—and should also possess active listening skills and demonstrated good judgment. This individual should report to the board’s ethics and compliance committee—and should feel secure reporting on the integrity program’s effectiveness without fear of retaliation.
The board committee with responsibility for ethics and compliance should meet with the CECO at least quarterly, oversee the evaluation of his or her performance, and set the officer’s compensation and other terms and conditions of employment, including possible termination (with input from the day-to-day supervisors such as the CEO or General Counsel). The CECO should meet with the full board at least once a year.
The CECO should chair a cross-functional, multi-disciplinary team of managers that reviews the company’s policies and procedures on a regular basis so they remain evergreen. The CECO should have authority over all the local compliance officers just as all in-house lawyers should report to the general counsel. The CECO should also have direct access to companywide information on disciplinary actions, so they can see where there are outliers or clusters of untoward behavior.
3. Establish and post online ethical and compliance standards and procedures to prevent, detect, and remedy illegal or unethical conduct. Well-crafted and company-specific mission statements and codes of conduct are critical to educating directors, officers, and employees about the company’s core values, standards, and procedures. The code of conduct should be simple, easy for employees to understand, refer to values that will resonate with employees, and contain straightforward, relatable, and authentic examples. (Good models include GE’s “The Spirit and the Letter” and Johnson & Johnson’s “Our Credo.”) The code needs to be continuously and creatively reiterated so that it becomes part of the fabric of the company. As seen with Enron’s exemplary policy statements, the only thing worse than having no code is having one the leadership ignores.
4. Promote quality and safety with clear escalation policies. Ensuring product quality and workplace safety starts on the production floor and is defined by the leadership’s response to the problems brought to their attention. The board should make sure the firm has an escalation policy with clear guidance on what types of issues can be handled at the local plant level and which matters should be immediately surfaced to others higher in the organization. For example, Arleen Ashjian, former quality executive and portfolio manager at P&G/Gillette, Ocean Spray, and International Flavors & Fragrances, told us that Gillette’s Grooming Division (the leading manufacturer of razorblades) required immediate escalation to the CEO of any manufacturing problems with the potential to cause physical harm.
5. Develop measurable integrity performance indicators, reward good behavior, and do not create misaligned incentives. Integrity performance indicators include customer and employee complaints; comments on help lines and during exit interviews; days without a workplace accident or environmental spill; absenteeism, including sick days; accuracy of expense reports; stolen company property or misuse of company assets; and lying, even on seemingly immaterial matters. It is important to establish and enforce best practices and to benchmark the company’s program and results against those of relevant comparators.
Every job description should include explicit ethical expectations (including the obligation to report misconduct and a ban on retaliation). Supervisors should factor satisfaction of those expectations when setting employee compensation and making promotion decisions. This emphasizes that “how” something gets done is as important as “what” gets done.
Conversely, threatening to fire employees who did not meet unrealistic selling goals or rewarding managers for deceiving customers into buying unsafe or unsuitable products makes it clear that the codes and espoused values are just meaningless words.
Moreover, financial incentives matter. The Boston Consulting Group found that the CEOs of public companies recently found guilty of fraud had received stock options in the years before the fraud occurred that were worth eight times what CEOs of compliant firms were granted. After Wells Fargo Bank employees opened millions of sham accounts in response to misaligned incentives, Wells Fargo put in place a new incentive program in January 2017 that focused on customer service rather than selling products.
6. Use due care in hiring C-suite executives. Directors should ensure that the officers they appoint to run the business are honorable and of high moral character. Four key character traits correlated with successful business leaders are integrity, responsibility, forgiveness, and compassion. Because the best predictor of future behavior is past behavior, it is critical to talk with individuals who have worked with the candidate and perform thorough background, criminal history, and conflicts-of-interest checks. Executive search firms can also often obtain candid assessments from members of their networks.
7. Mandate interactive training to communicate the ethical and compliance standards to all employees and members of the board. Topics should include firm values, how the firm makes money, a discussion of the laws applicable to the business, and the science behind unethical behaviour. Discussing actual cases and telling stories can help employees and directors internalize the message and better identify and address risk areas. Training can also give participants the opportunity to practice exercising good judgment, including knowing when to delegate authority or to escalate a decision.
A well-designed training program will be varied, using video, gaming, and traditional face-to-face communication as well as on-line tools and a touch of humor. The CECO should be responsible for overseeing the training with the assistance of adult learning specialists and subject matter experts. Sometimes multiple sessions in a single week in three-minute spurts can be more effective than longer, less frequent programs.
8. Make sure employees aren’t retaliated against for speaking up. Whistleblowers are the “canaries in the mineshaft.” The board should ensure that the company has a well-publicized reporting system, so employees can report (anonymously or confidentially if they choose) ethical and compliance concerns. Using open-ended ethics questions on employee opinion surveys and exit questionnaires can also help the CECO and board monitor the workplace environment. Because fear of retaliation is often the main reason why concerns are not reported, a strong non-retaliation policy can encourage employees to speak up. Companies should consider honoring employees who report problems with “stewardship awards” or “badges of courage.”
Global companies should have reporting mechanisms for employees to report concerns in their local languages—and they should take culture into account. In hierarchical cultures, it is critical to empower employees at all levels to speak up and take action. A famous and tragic case involved Korean Airlines, whose senior pilot flew the plane into a mountain even though the more junior first officer knew that the pilot was coming in too low. (This is one reason why it is now best practice for surgeons to have a time-out before each surgery, during which everyone in the operating room, from the senior attending surgeon to the lowliest orderly, is called upon to confirm that everything is in order.)
9. Apply the rules evenly across the entire organization. When misconduct is detected, the board must ensure that the company takes appropriate steps to respond—regardless of the offender’s rank, sales record, or economic performance. An international law firm learned this the hard way: it failed to sanction a major rainmaker who had sexually harassed two secretaries, until the third secretary won a multimillion-dollar judgment against the firm.
Treating offenders equally enhances organizational justice—the employees’ perception of fairness in an organization. According to the Corporate Executive Board, of all the indicators of an ethical culture, organizational justice has the most significant impact on maintaining ethical behavior. The CECO and general counsel should have primary responsibility for ensuring that rules are being enforced equally.
10. Be prepared for compliance failures. Compliance failures and ethical lapses are what Max Bazerman and Michael Watkins call “predictable surprises.” The board needs to ensure that the company has contingency plans in place, including when to contact internal and external players, such as PR and social media experts and government relations personnel. After an offense has been detected, the board must take all reasonable steps to stop the misconduct and to prevent further offenses—including making any necessary modifications to its compliance and ethics program. As Mary Barra, CEO of GM, put it after GM agreed to pay $900 million in penalties arising out of its defective ignition switches: “Apologies don’t amount to much if you don’t change your behavior.”
Constance E. Bagley is a Senior Research Fellow at Yale School of Management and the CEO of the Bagley Strategic Consulting Group LLC. She has held previous positions of Professor in the Practice of Law and Management at Yale School of Management, Associate Professor of Business Administration at Harvard Business School, Senior Lecturer in Law and Management at Stanford Graduate School of Business, and partner at Bingham McCutchen LLP.
Bruno Cova chairs the Milan office of international law firm Paul Hastings. Prior to joining Paul Hastings he served as General Counsel of Eni E&P, Chief Compliance Officer of the EBRD, Group General Counsel at Fiat, and chief legal advisor to the administrator appointed by the Italian government to investigate the financial fraud at Parmalat and restructure the company. He is co-chair of the Anti-Corruption Committee of the International Bar Association and a member of the troika of specialists advising the Corporate Governance Committee of Borsa Italiana.
Lee D. Augsburger is Sr. Vice President, Chief Ethics & Compliance Officer for Prudential Financial, Inc. He has previously served as legal counsel both as in-house and outside counsel to leading financial services firms, in addition to having served as Board Chair of industry organizations such as the National Society of Compliance Professionals, the Ethics & Compliance Officer Association and the Ethics & Compliance Initiative.
February 12, 2018
By Professor Dr. Emmanouil Ioannidis
ECA Governance, Risk & Regulatory Compliance Consultant
This is perhaps one of the best, if not the best, Harvard Business Review articles the ECA Research & Development (R&D) has come across in 2017. The authors have skilfully outlined the ten key criteria that regulators and all types of stakeholders expect to see as tangible proof of what good corporate citizenship is:
1. Create an ethics committee of the board
2. Appoint a high-ranking chief ethics and compliance officer
3. Establish and post online ethical and compliance standards and procedures
4. Promote quality and safety with clear escalation policies
5. Develop measurable integrity performance indicators, reward good behavior, and do not create misaligned incentives
6. Use due care in hiring C-suite executives
7. Mandate interactive training to communicate the ethical and compliance standards
8. Make sure employees aren’t retaliated against for speaking up
9. Apply the rules evenly across the entire organization
10. Be prepared for compliance failures
Yet this high-level corporate governance is full of best practices that can be applied internationally.
The ECA will be preparing later this month a supplementary guide on the number and nature of the best practices contained in this case study.
We invite all ECA members as well as those who have visited our website to email to the ECA their opinion on how many best practices this Harvard Business Review paper contains.
We hope to receive as much feedback as possible in order to organise a free webinar for existing members as well as prospective new members.
Prof. Dr. Emmanouil Ioannidis