How to Build a Culture of Ethics and Compliance: The Greatest Article Ever – Part I

The Greatest Article EverDonna Boehme and Jim McGrath continually rail against the notion that a ‘rogue employee’ causes the majority of bribery and corruption charges under such laws as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. Companies continually claim that they do business ethically and in compliance with such anti-bribery and anti-corruption legislation and that it is only one or a few of ‘them-those pesky rogue employees’ who have brought the company to grief. Even GlaxoSmithKline PLC (GSK) is now beginning to distance itself from its Chinese business unit and executives who confessed to engaging in bribery and corruption to sell GSK products in China.

The first problem with this ‘rogue employee’ claim is that it is wrong. The second problem is that by making this bogus claim and denying that it was a company failure; a company may well never correct the underlying problem which led to the compliance failure. However if a company does not recognize its role in any such compliance catastrophe, it will probably have a repeat of a similar event in the not do distance future. Once again witness GSK, which agreed, in 2012, to a $3bn fine for fraud in marketing of its products and within one year is caught up in allegations of corruption in China.

I recently read an article in the summer 2013 issue of the MIT Sloan Management Review, entitled “Designing Trustworthy Organizations”, by the quartet of authors: Robert F. Hurley, Nicole Gillespie, Donald L. Ferrin and Graham Dietz. In this article, the authors address the question of “How can companies recover from trust failures and create reputations for trustworthiness?” Let me put this as succinctly as possible – IF THERE IS ONLY ONE ARTICLE THAT YOU READ ON ETHICS AND COMPLIANCE IN 2013 THIS IS THE ONE TO READ. This the single best article I have ever read as it gives a specific road map to the compliance practitioner, in-house counsel or any other business executive on how to instill a culture of ethics and compliance in your company. I will be discussing the article over my next three posts. Today I will look at why such ethics and compliance failures occur from an organizational perspective; in Part II I will talk about how to build ethical organizations which do business in a compliant manner, and in Part III I will conclude with the steps a company can take to rebuild trust in an organization after a catastrophic failure.

Signals of an Ethical Business

In the FCPA Guidance, both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) make clear that paper compliance which companies only employ to “check-the-box” on compliance with the FCPA are doomed to fail. The FCPA Guidance states, “A well-designed compliance program that is not enforced in good faith, such as when corporate management explicitly or implicitly encourages employees to engage in misconduct to achieve business objectives, will be ineffective. DOJ and SEC have often encountered companies with compliance programs that are strong on paper but that nevertheless have significant FCPA violations because management has failed to effectively implement the program even in the face of obvious signs of corruption.”

This is a clear recognition that more than simply having a compliance program in place is required to make it effective. Unfortunately many companies seem to believe that simply having an ethics and compliance program in place is sufficient.
While the authors write about ‘trust’ I believe that their research, findings and framework all translate to ethics and compliance; so I will make that substitution throughout my discussion of their article. To begin their discussion, the authors believe that there are “six identifying signals” that employees consider when deciding to follow a company. They are:

Common values: does the company share our beliefs and values?

Aligned interests: do the company interests coincide, rather than conflict with ours?

Benevolence: does the company care about our welfare?

Competence: is the company capable of delivering on its commitments?

Predictability and integrity: does the company abide by commonly accepted ethical standards and is the company predictable in how it behaves?

Communication: does the company listen and engage in a dialogue or not?

Why Do Ethical and Compliance Violations Occur?

Here the authors begin with a definition. They define trust as “a judgment of confident reliance on another (a person, group, organization or system) based upon positive expectations of future behavior.” For the compliance practitioner a violation of that trust occurs and there is unethical behavior which is not in compliance with the norm, for example when “a party significantly deviates from positive expectations” by engaging in such conduct as bribery and corruption. The authors believe that they see such conduct condoned, explicitly or tacitly from management, they also lower their own personal expectations of the type of conduct they will personally engage in.

Such a failure leads to individual employees engaging in bribery and corruption. However, the authors make clear that this is not down simply to the individual or ‘rogue’ employee but such unethical conduct is “predictable in organizations which allow dysfunctional, conflicting or incongruent elements of their organizational system to take hold.” The authors cited three examples where this played out with devastating results for companies. The first was the Mattel Corporation, which had a strong reputation for quality but weak oversight of its supply chain led to production of contaminated toys and a massive toy recall. The second was BP and the Deepwater Horizon disaster, where the company’s strategy and culture of minimizing costs to enhance profitability conflicted with its stated emphasis on safety; all leading to a multi-billion dollar claim. Finally, Goldman Sachs and its role in the Abacus fund where “investigators found that Goldman’s stated values of client focus and integrity were at time overshadowed by a less formal culture that emphasized getting deals done with less than full disclosure.”

The authors noted that in all three examples they cited, each company had extensive systems processes and procedures in place to produce “trustworthy behavior”. However there were “other elements undermined the companies’ ability to deliver on their core responsibilities.” Recall that as part of its $3 billion settlement GSK agreed to a Corporate Integrity Agreement (CIA). The company had a Compliance Committee, whose job was to oversee full implementation of the CIA and all compliance functions at the company. The company had Integrity Champions within each business unit and management accountability and certifications from each business unit. Training of GSK employees was specified.

GSK’s Code of Conduct stated, “The GSK attitude towards corruption in all its forms is simple: it is one of zero tolerance, whether committed by GSK employees, officers, complementary workforce or third parties acting for or on behalf of the company.” The company had a Third Party Code of Conduct, which required that third parties shall conduct their business in an ethical manner and act with integrity.

All of this was backed up by “a Global Ethics & Compliance team which is responsible for providing oversight and guidance to ensure compliance with applicable laws, regulations, and company policies, as well as fostering a positive, ethical work environment for all employees.” The Code of Conduct also stated that “GSK has an active system of internal management controls to identify company risks, issues and incidents with appropriate corrective actions taken. Our Risk Management and Compliance Policy provides the framework for these internal controls, to ensure significant risks are escalated to the proper levels of senior management.”

The authors research led them to several different areas of organizational weakness which allow for ethics and compliance violations to occur. Company leaders “focused on fundamental aspects of how the organization functioned: organizational restructuring and instability; poor support and follow-through; poor talent management; lack of communication and information; and leadership and strategies.” Interestingly, when employees were interviewed they had the following thoughts on how to improve ethics and compliance, “improve communication, enhance senior management capability, provide more accountability for performance, empower employees and enhance collaboration groups.”

Yet in their examinations, the authors found “one type of incongruence that frequently led” to breakdowns in doing business ethically and in compliance. That breakdown came when the interests of one stakeholder group was favored over another stakeholder group. The authors identified some various stakeholders as shareholders, employees, customers, suppliers and communities. The authors said that this incongruence has “been defined as letting shareholder profits take precedence over core responsibilities to other stakeholders.” But it is simply more, than serving on stakeholder better than the others. It is favoring one stakeholder to the extent of “the expense of and even causing harm to” other stakeholders.

In other words, if profits are put ahead of all other measurements for an employee, that employee will get the message and make sure that he or she makes their numbers. The authors conclude this section by noting that with the current 24 hour news cycle and social media, what may have been yesterday’s event can rapidly spiral across the globe and out of control more quickly than ever. Once again witness just how quickly GSK seemed to be on notice of allegations of corruption and bribery in China to the time its Chinese employees admitted to such conduct on state TV. It was mere days.

In tomorrow’s post I will look at building high trust in organizations and how that relates to ethics and compliance. This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2013