volume three number three august 2006 published bimonthly · author of business ethics: managing a...

�August 2006

Society of Corporate Compliance and Ethics • (888) 277-4977 • www.corporatecompliance.org

Volume Three

Number Three

August 2006

Published Bimonthly

Meet Thurmond B. WoodardChief Ethics, Privacy & Compliance Officer

Vice President, Global Diversity, Dell Inc.

Ethics In Iraq

�August 2006


Professional certification for compliance and ethics professionals:

The time has come

ROY SNELL

RO

Y S

NE

LL

Odell Guyton, Global Compliance Officer for Microsoft, and I have had many discussions about the fate of the compliance and ethics profession. Both of us have been deeply involved in the

profession for ten years and over the course of those years we have been asked repeatedly, “What can we do to legiti-mize this emerging compliance profes-sion?” Compliance/Ethics professionals are justifiably proud of their profession and expertise. They want the profession to be taken seriously by those within and outside our organizations.

There has been considerable “splashing around” in an effort to improve and illuminate the compliance and ethics professionals’ image. Most of this has come in the form of meetings, writ-ing and ruminating—memos, emails, white papers and articles abound. Much time has passed waiting for action. Yet we know that just telling people Compliance and Ethics is an important profession is ineffective. We have had more than adequate time for discussion, now we need to take action.

How old is our profession? A decade? Since the Sentencing Guidelines were issued? Years before? Whatever you estimate our age to be, we have waited too long to move decisively. I am happy to say that the

groups I have had the opportunity to work with are taking action now. They have called on leaders who have a vision for action, and have insisted on soliciting professional expertise for the heavy lifting. As a result of this leadership we are now

poised to accomplish one of the most impor-tant steps in the matura-tion of our profession—a professional credential for compliance and eth-ics professionals across all industries.

According to Christian and Timbers and smartmoney.com the compliance and ethics professional is one of the top 10 hottest jobs in the country. That being said, we are also a relatively young profes-sion. Therefore, establishing credibility and our place in corporate America is going to take effort and time. Gaining respect and recognition for this new profession is dependant largely on how we develop and manage our profession. I have been deeply involved in this pro-fession, first as a compliance officer and founding president of the Health Care Compliance Association (HCCA), and now as the CEO of the HCCA and the Society of Corporate Compliance and Ethics (SCCE). SCCE and HCCA are nonprofit membership-based 501 c(6) organizations that are dedicated to serv-ing the compliance and ethics profession. Our experience in healthcare compliance certification, and the track record of other

professions, tells us that few proj-ects can have a greater effect on the image of the compliance and ethics profession than professional certification. Indeed, most respected professions of any impor-tance have a professional certification. For example, medical doctors and nurses have long sought certification beyond the minimum legal requirements.

Healthcare compliance professionals have had a professional certification program for almost eight years. Ignoring those who said that this task was impos-sible or would never get off the ground, certification has gone from obscurity to significant recognition during this period. There are over 1,000 compli-ance professionals who have obtained the Certified in Healthcare Compliance (CHC) credential. Companies are now listing the CHC as a preference in job postings. Organizations are ask-ing multiple employees to obtain the CHC certification. Health and Human Services’ Center for Medicare and Medicaid Services now has employees who have obtained this credential, the Texas State Inspector General has obtained the CHC credential, and many outside counsel and consultants are fol-lowing this lead. Some organizations have dozens of employees with the CHC credential, and they are sending a strong message to the enforcement community that they are committed to compliance. Nor is healthcare compliance alone in this. There is a certification program for privacy professionals, and one for compliance and ethics professionals in

Continued on page �

�August 2006

THE CALENDARON

2006 Conferences

2006 Compliance & Ethics Institute September 11–13, 2006 Chicago Downtown Marriott, Chicago, IL

Visit SCCE’s Web site for more information or to register now: www.corporatecompliance.org

Compliance & Ethics (CE) (ISSN 1523-8466) is published by the Society of Corporate Compliance and Ethics (SCCE), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscription rate is $195 a year for non-members. Periodicals postage-paid at Minneapolis, MN 55436. Postmaster: Send address changes to Compliance & Ethics, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright © 2006 the Society of Corporate Compliance and Ethics. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means without prior written consent of the SCCE. For subscription information and advertising rates, call SCCE at 888-277-4977. Send press releases to SCCE C&E Press Releases Department, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Opinions expressed are those of the writers and not of this publication or the SCCE. Mention of products and services does not constitute endorsement. Neither the SCCE nor CE is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.

Publisher: Society of Corporate Compliance and Ethics, 888-277-4977

Editor-in-Chief: Rory Jaffe, MD, MBAExecutive Director of Medical Services for the University of California; Board Member, Health Care Compliance Assocation

Executive Editor: Roy Snell, CEO, SCCE [email protected]

Advisory Board:James Brennan, JDChief Ethics Officer and Legal Counsel for Midi Company; Commissioner on the Illinois State Executive Ethics CommissionJay CohenGlobal Compliance Leader, Dun & BradstreetJohn Dienhart, Ph.DThe Frank Shrontz Chair for Business Ethics, Seattle University; Director, Northwest Ethics Network; Director, Albers Business Ethics Initiative; Fellow, Ethics Resource CenterOdell Guyton, JDSenior Corporate Attorney, Director of Compliance, U.S. Legal–Finance & Operations, Microsoft CorporationRick Kulevich, JDAssociate General Counsel, Aon Service CorporationSteve LeFarPresident, MediRegs; Board Member, Juvenile Diabetes FoundationTom McSteen, JD President, Compliance StrategiesStephen A. Morreale, DPA, CHCPrincipal, Compliance and Risk DynamicsMarcia Narine, JDVice President Global Compliance and Business Standards; Deputy General Counsel, Ryder System, Inc.Ann L. Straw, Vice President and Chief Compliance Officer, Laidlaw International, Inc. José A. Tabuena, JD, CFE, CHCManager, Deloitte Financial Advisory Services LLPGreg Triguba, JDCorporate Compliance & Ethics Manager, Eddie Bauer

Story Editor/Advertising: Marlene Robinson, SCCE, [email protected]

Layout:Gary DeVaan, SCCE, [email protected] Anondson, SCCE, [email protected]

Advisory Board

2 CEO’s Letter

4 Working with different cultures

13 Surveys offer guidance for future compliance efforts

16 Meet Thurmond B. Woodard

19 After Enron

22 The fundamentals of assessing a financial institution’s enterprise AML risk

27 Second chance after committing an environmental crime?

30 Communicating business ethics & compliance

33 Implications of the Stein decision for corporate compliance

38 Eight reasons compliance training doesn’t stick

40 Conducting a risk assessment

43 Frankly speaking

48

INSIDEINSIDE

S C C E R E S O U R C E S

■ Annual conferences

■ Compliance workshops

■ Audio conferences

■ Advertising

■ Membership directory

■ Compliance & Ethics, SCCE’s journal

■ Career opportunities

■ eCorporate Compliance News, SCCE’s e-mail newsletter

■ Corporate compliance resources

■ Compliance program evaluation

■ Compliance training and books

ON


�August 2006


Working with different cultures: the Iraqi Armed

Forces experienceBy Kenneth W. Johnson

Editor’s Note: This project represents a logi-cal progression in Mr. Johnson’s ethics and compliance work. He served two tours with the Marines in Vietnam, as a rifle platoon commander and as Executive Officer, Marine Detachment, USS Oriskany (CVA-34). He attended the University of Arizona College of Law and served as a Judge Advocate for three years at which time he resigned his commission.

Mr. Johnson practiced law in the area of real estate securities and litigation for a decade in Southern California. During that time, he led a number of special projects for the Marine Corps Reserves before being attached to the First Marine Expeditionary Force in 1988. Since then, he served in a variety of logistics assignments; including service as I MEF logistics plans officer during Operation Desert Storm and as a battalion commander, before retiring as a Colonel in 1998.

His service in the Gulf War led to his entering the ethics and compliance pro-gram field. Upon returning from Saudi Arabia, he pursued a Masters in Ethics and Policy Studies, which he received from the University of Nevada, Las Vegas, in 1995. His Master’s thesis explored ethical decision-making. He has researched, writ-ten, educated, and consulted in the area of ethics and compliance program assess-ment and evaluation since 1994, most recently serving as principal researcher for the Ethics Resource Center. He is principal author of Business Ethics: Managing

a Responsible Business Enterprise in Emerging Market Economies (Washington: Department of Commerce, 2004). When he returns from Iraq, he will return to working on a book tentatively entitled Ethics for an Evolving World: Dealing with Complexity, Transition, and Learning.

You will note in this article that the Center logo is a bird. Green is the color of Islam and the bird, the hoopoe, is mentioned in the Koran. It was used as a symbol of Saddam’s intelligence service. When that was brought to the attention of MG Nabil Abdul Kadir, the Center Director, he quietly and simply said, “Well, you can’t blame the bird.”

The photo of Ken was taken at the base of a statue, with Saddam’s hand holding a saber.

We live in an era of great change and in creased cultural contact. Our

times demand that leaders and manag-ers work with differing cultures with-out sacrificing the core beliefs of their organizations. Today in Iraq, a team of Coalition, NATO, and Iraqi mili-tary and civilians are part of a major initiative to professionalize the Iraqi armed forces. Formally named the Center for Military Values, Principles & Leadership, we have in mind specific, measurable changes in the organizational culture of the Iraqi Joint Forces (IJF). Our goal is that the Iraqi people perceive

the IJF as an effective component of a stable nation.

We understand that we are engaged in changing organizational culture writ large. Our challenge as a Center has been to develop a framework for change that considers culture in all its manifestations. We must be concerned about cultural influences in all aspects of our program—promulgating doc-trine, designing curriculum, delivering it to Iraqi audiences,1 and building our Center’s capacity. However, as one military affairs author has written, “Culture, comprised of all that is vague and intangible, is not generally inte-grated into strategic planning except at

KE

NN

Eth

W. J

Oh

NS

ON

�August 2006


the most superficial level.”2 We come to this project, therefore, with a mixture of confidence bordering on arrogance and humility bordering on anguish.

We look at culture from at least three perspectives: (1) certain dimensions of national culture, (2) the ethical ele-ments of organizational culture, and (3) a pervasive culture of fear. The focus of this article, then, is to describe how we consider culture in an outcomes-based framework for program assessment, design, implementation, and evaluation.3

Background and context. The Center itself is located in Ar Rustamiyah, south-east Baghdad. As the word “ethics” does not translate well into Arabic, we speak of military values and principles instead. That being a mouthful, the Center is usually called “the Ethics Center.”

Our vision for the IJF is a professional, values and principles-based, competently led IJF that is loyal to the principles of the Iraqi Constitution and accountable to the duly elected civilian leadership. Suffice to say that such is not the wide-ly-held perception of the IJF today. As the Commanding General of our parent command expresses it, “In the begin-ning [since 2003], we concentrated on the quantity of the Iraqi Army; now we must focus on its quality.”

Though the Center no longer formally uses the word “ethics,” we are engaged in a values-based ethics and compli-ance initiative. We are not, however, an anti-corruption program, though a professional military tends to have less corruption. Our emphasis is less on pre-venting and detecting violations of law (i.e. the Federal Sentencing Guidelines

for Organizational Defendants) than on building a professional IJF.

Our specific mission is to train Iraqi officers to train Iraqi forces in the essen-tials of military professionalism. Our initial focus is on delivering five blocks of training and education: (1) The Profession of Arms, (2) Officership, (3) Professional Military Ethics, (4) Law of Armed Conflict, and (5) the Role of the Military in a Democracy. We have devel-oped a five-hour block of instruction that addresses the core of these subjects to take to Iraqi commands and schools.

We are working with Iraqi military schools, including its Joint Staff College, to develop more in-depth educational packages in our five areas. For example, we are developing a program for Iraqi lawyers in the Law of Armed Conflict. Finally, we are developing a plan to mea-sure whether our training has results; that is, whether we will actually contrib-ute to achieving our program outcomes, described in more detail below.4

Indeed, one could consider our program to be part of a comprehensive social responsibility program. We are concerned with fostering and meeting the reason-able expectations of all the stakeholders of the IJF. Our training and education is designed to achieve those ends. In this, the overall initiative differs from a corpo-rate social responsibility program only by the purpose of the organization and the breadth and nature of its stakeholders.

As we employ an outcomes-based pro-gram evaluation model, one set of pro-gram outcomes requires us to measure

stakeholder perceptions of the IJF. We define stakeholders as “all those involved in, affected by, and in a position to influence the Iraqi Joint Forces.” A par-tial list of IJF stakeholders includes the civilian government; Coalition forces; local, tribal and religious leaders; Iraqi and international media; Iraq’s neigh-bors; the ranks of the IJF itself; and, most importantly, the Iraqi people. It is

Article 9: First:

A. The Iraqi Armed Forces and Security Services will be composed of the components of the Iraqi people with due consideration given to its bal-ance and its similarity without discrimination or exclusion and shall be subject to the control of the civilian authority. The Iraqi Armed Forces shall defend Iraq and shall not be used as an instru-ment of oppression against the Iraqi people, shall not interfere in the political affairs and shall have no role in the transfer of authority.

Constitution of Iraq, 2005

Continued on page �

�August 2006


essential that they all perceive the IJF to be an effective, professional armed force.

Finally, we recognize that our success as a Center will require advocating for ethi-cal systems and structures throughout the IJF. Setting up IJF officers, NCOs, and jundi for success, while doing the “right thing,” requires such systems as a values-based performance evaluation system; reduced discretion in procure-ment; merit-based schools selection, assignment, and promotion; and a fair, but effective, discipline system.

Nature of our approach. Our under-lying theory is that a truly profes-sional army applies a nationally-retained monopoly on coercion and violence as directed by popularly elected civil-ian authorities, and that it does so in a manner that makes a sustainable peace possible.5 Perceptions often being reality, the IJF must not only be professional enough to achieve the peace desperately sought by Iraqi society; they must be perceived by the Iraqi people to be a legitimate element of Iraqi society. It is pretty clear to us, in this situation, that reality must precede perception.

As we take an “outcomes-based” approach to our work, we are concerned with bringing about changes of three types: individual behavior, organizational culture, and status in society. While I have used such an approach in my corporate work for years, an outcomes-based approach seems so much more significant under these circumstances.

In our work, fundamental questions abound. Corporate managers all over the globe will recognize them: What changes in behavior, culture, and status

should we expect, and over what time periods? How to be seen as legitimate change agents by a different culture? How to manage change in a culturally sensitive manner? What metrics to apply to measure success as we define it? What unforeseen consequences do we need to guard against? Do we have the resources, including time, to effect the change we desire? In other words, can those opposed to change simply wait us out? And in the Iraqi context, there are two other issues: Can we overcome deeply rooted, quite reasonable, cynicism? And, given recent headlines, will we in the Coalition be seen as hypocritical and will our message be rejected?

This approach is influenced, in part, by our living conditions. In our day-to-day lives, we experience not so much Samuel Huntington’s “clash of civilizations” as we do a churning of cultures: much like two mountain streams coming together. Ultimately, cultures here may flow together peacefully some day. In the interim, however, there is turbulence within and between the two, we often act at cross purposes, and life is alter-nately exciting and frightening.

Geographically, we are located just off the Tigris River, one of two great histori-cal rivers. But, the reality of our lives is that our work is bounded by these two great rivers only in our minds, on our maps, and during the helicopter trips we make to meetings in the International Zone and Forward Operating Bases. Otherwise, we are isolated. Our camp is guarded by Coalition forces on one-half and by Iraqi forces on our half. It is a largely secure microcosm of military life, except for sporadically successful mortar and rocket attacks every week or

so. Our contact with the outside world comes through the stories of the Iraqis we serve and their Coalition advisors, our Iraqi interpreters and colleagues, the BBC World Service, meetings in the International Zone, and the Internet.

The Iraqis we deal with are a relatively highly educated and simpatico segment of Iraqi society. Our interpreters, for example, are of generally higher quality than most. Our colleagues at the Iraqi Joint Staff College and their students are select groups of professionals. Finally, and unlike my experience during the Vietnam War, all the Coalition and NATO mem-bers we work with are volunteers. We are all in this together, though some tours of duty, especially NATO tours, are mark-edly shorter than others, which affects continuity in some projects.

Considerations of national culture. Because many aspects of organizational behavior are culture-bound, there is a need to identify and understand regional and national culture differences and their influence on operations.6 This is especially true in Iraq, where one power can be seen to be imposing its will on another. Aristotle in his Politics, written in 350 B.C, observed that culture can be changed by law, but that the people will feel like slaves until the laws become habit and, eventually, the constitution of the people. While this is clear in the Iraq context, it is also the case even in domestic corporate change initiatives.

First, it is important to realize that in an Iraq populated with 26 million people, few see themselves first and foremost as Iraqi. One interpreter tells the story that even the American firm that contracts

Working with different cultures ...continued from page 5

Continued on page 8

�August 2006


Australia. It is time that compliance and ethics professionals in all industries have a professional certification. It is time that they have a credential that reflects their professional training and working knowledge of the field.

One year ago, the Society of Corporate Compliance and Ethics began the devel-opment of a professional certification for compliance and ethics professionals in all industries. The credential—Certified Compliance and Ethics Professional (CCEP)—is designed to help the profes-sional demonstrate individual knowledge and expertise. Odell Guyton, Chair of the SCCE Advisory Board, has enlisted the assistance of compliance and ethics professionals from organizations such as Radio Shack, DuPont, Eddie Bauer, the University of Louisville, Holland and Knight, Brown McCarroll, SAP Public Services, MediRegs, The Philadelphia Stock Exchange, Foley and Lardner, Tenet Healthcare, and many others.

This is a difficult and time consuming task that takes serious attention and expertise. SCCE has hired Applied Measurement Professionals (AMP) to oversee the devel-opment of the Certified Compliance and Ethics Professional credential. AMP is a company of experts in this area that has helped set up certification programs for many professional societies. AMP psycho-metricians oversaw every step of our certifi-cation development process. A psychometri-cian is a PhD statistician who has focused his or her studies and career on the develop-ment, administration, and analysis of the credentialing process. More specific infor-mation about applying to become CCEP certified is included at the end of this article along with a complete list of the those who participated in its development.)

The development of a professional certification involves many steps. The steps we have taken in the process include:

■ Selection of a firm to assist with the technical aspects of this process

■ Development of a rigorous job analy-sis survey (to establish what the job entails)

■ Establishment of fair criteria to sit for the exam (prior education, continuing education requirements, years in the profession, etc.) that send a signal of professionalism

■ Development of a comprehensive test■ Establishment of a cut score (i.e., pass-

ing grade)■ Elimination of, or correcting questions

that do not perform well■ Administration of the program

Most professional organizations that undergo the development of a profes-sional credential eventually develop multiple levels of certification. However, they typically start with the baseline certification which has fewer restrictions for entry but requires rigorous testing for competency. The CCEP credential is such a baseline credential. It is designed to be inclusive and to credential anyone working in the compliance and eth-ics profession who meets the require-ments. We have recognized that this is a growing field with many levels and positions; indeed, the Murphy & Leet book, “Working for Integrity” reports over 800 different compliance and ethics job titles in companies. Thus, the CCEP credential is not just for compliance and ethics officers alone, but for individu-als involved in education, auditing and other key aspects of an organization’s compliance and ethics efforts. It is also

designed to include those involved in ancillary components of the profession, such as academics, outside attorneys, consultants, vendors, and the enforce-ment community.

Several years from now we anticipate the development of a more advanced level of credential, often referred to as “fellow-ship”. The subsequent credential(s) will be more exclusive and will further delin-eate the specific expertise of the indi-viduals who obtain the credential. It may delineate those in the top of the profes-sion and in subsets of the profession such as individual expertise in manufac-turing, finance, retail, technology, etc.

It is absolutely essential that we pursue this effort with rigor and diligence. To do less is to betray ourselves and our fellow professionals. I have seen the development of “credentials” occur with a group of “experts sitting in the back room” deciding what to test. Their “cre-dential” often involves the purchase of a book or spending significant money on a workshop. They have not enlisted the recognized professional expert services to help ensure the process is effective and rigorous. In some fields certification may represent little more than that “the check cleared.” It is unlikely that these profit-oriented schemes could ever pass National Organization for Competency Assurance (NOCA) accreditation, the organization recognized for certifying credentialing programs. Their criteria are rigorous, and the SCCE program is designed to comply with all of their standards. With the help of AMP, the SCCE took great pains to ensure that the entire examination process can be defended from a technical standpoint in

Continued on page 45

Professional certification: The time has come ...continued from page 2

�August 2006


with the Coalition to provide interpret-ers insisted that it was not enough for applicanta to describe themselves as Iraqi. Declaring religious affiliation was mandatory just to apply for a position.

For the most part, our Center is deal-ing with IJF that are Arab, Muslim, and traditional Iraqi. While most of us have read Raphael Patai’s book, The Arab Mind, the framework described here is less concerned with what can be seen as cultural archetypes than with the underlying dimensions of national culture. For this, we look to the work of a Dutch Researcher, Geert Hofstede (“Dimensions of National Culture Model”), which I have used for years.7

From the initial results of his study of IBM operations in 22 countries, and later additions, Hofstede developed a model that identifies four primary dimensions to assist in differentiating regional and national cultures: Power Distance (PDI), Individualism (IDV), Masculinity (MAS), and Uncertainty Avoidance (UAI).8

After an additional international study with a survey instrument developed with Chinese employees and managers, he added a fifth Dimension. Based on Confucian dynamism, that dimension is termed Long-Term Orientation (LTO) and was applied to 23 countries.

Hofstede defines these five dimensions as follows:

Power Distance Index (PDI) is the extent to which the less powerful members of institutions and orga-nizations within a country expect and accept that power is distributed unequally.9

Individualism (IDV) pertains to soci-eties in which the ties between indi-viduals are loose: everyone is expected to look after himself or herself and his or her immediate family. Collectivism, as its opposite, pertains to societies in which people from birth onward are integrated into strong, collective in-groups, which throughout people’s

lifetimes continue to protect them in exchange for unquestioning loyalty.10

Masculinity (MAS) relates to gender roles in a society. A society is called masculine when emotional gender roles are clearly distinct: men are supposed to be assertive, tough, and focused on material success, whereas women are supposed to be more modest, tender, and concerned with the quality of life. A society is called feminine when emotional gender roles overlap: both men and women are supposed to be modest, tender, and concerned with the quality of life.11

Uncertainty Avoidance Index (UAI) is the extent to which the members of

Region/Country PDI IDV MAS UAI LTO World 53 43 50 64 45

US 40 91 62 46 29

Australia 36 90 61 51 31

Arab World 80 38 52 68

Japan 54 46 95 92 80

South Korea 60 18 39 85 75

UK 35 89 66 35 25

Kenneth Pollack concludes his exhaustive study of Arab military effectiveness noting that “certain patterns of behavior fostered by the dominant Arab culture were the most important factors contributing to the limited military effective-ness of Arab armies and air forces from 1945 to 1991.” These attributes included over-centraliza-tion, discouraging initiative, lack of flexibility, manipulation of information, and the discourage-ment of leadership at the junior officer level.

Norvell B. De Atkine, Why Arabs Lose Wars

Working with different cultures ...continued from page �

Table 1: Scores of various countries in Hofstede’s cultural model

�August 2006


a culture feel threatened by ambigu-ous or unknown situations. This feel-ing is expressed, among other things, through nervous stress and in a need for predictability: a need for written and unwritten rules.12

Long-Term Orientation (LTO) stands for the fostering of virtues oriented toward future rewards—in particular, perseverance and thrift. Its opposite pole, short-term orientation, stands for the fostering of virtues related to the past and present—in particular, respect for tradition, preservation of “face,” and fulfilling social obligations.13

Table 1 includes many of the regions in Iraq as part of the Coalition forces and the Arab world as a proxy for Iraq itself. It begins with the world averages and the United States scores.14 The index runs from 1 to 100, 100 being the high-est score.

Here we find that in Arab societ-ies15 Power Distance (PDI) (80) and Uncertainty Avoidance (UAI) (68) are the predominant characteristics.

These dimensions help us put cultural practices into perspective. In general, the region has a high tolerance for power unequally distributed within the society. Their people have a strong need to avoid uncertainty. They tend to have a group-focus; loyalty to collective in-groups is strong. They are about evenly balanced between masculine and feminine char-acteristics, as Hofstede defines them. While there is no data on Long-Term Orientation for the Arab world, the two Muslim countries studied, Bangladesh at 40 and Pakistan at 0, exhibited medium- to short-term orientations.

In these dimensions, by the way, the Arab culture holds much more in com-mon with the rest of the world than do we Anglo-Americans. Indeed, the two principal countries the Iraqis deal with in the field, the US and the UK, are poles apart from Arabs. We tend to have an individual focus. We tend to question inordinate differences in power distribu-tion. We tend to tolerate uncertain situ-ations. Our doctrine, curriculum, and delivery methods tend to reflect these dimensions. It is an open question how transferable these are to the Iraqis.

These national culture factors anecdot-ally exhibit themselves in the organiza-tional culture of the IJF: indeed they can be found in Arab armed forces in general, according to military scholars. As the quotation in the text box on page 8 argues, dominant cultural consider-ations may be the most important fac-tors contributing to the limited military effectiveness of Arab armies.16

The impact of these dimensions of

national culture on an organization can often best be understood by analyzing the culture of the organization itself. In my former position as principal researcher at the Ethics Resource Center, for example, I was often able to explain certain aspects of organizational culture that differed from country to country in transnational organizations by referring to the dimensions of national culture. For example, they are particularly help-ful in explaining employee willingness to report misconduct and perceptions of management behavior.

Organizational culture. For purposes of understanding the IJF as an organiza-tion, we use a profile of seven ethical elements of organizational culture: (1) embracing core beliefs and stimulat-

ing progress(2) accepting responsibility/holding

others accountable(3) member participation in decisions

and activities(4) sharing information

Until Arab politics begin to change at fundamen-tal levels, Arab armies, whatever the courage or proficiency of individual officers and men, are unlikely to acquire the range of qualities which modern fighting forces require for success on the battlefield. For these qualities depend on incul-cating respect, trust, and openness among the members of the armed forces at all levels, and this is the marching music of modern warfare that Arab armies, no matter how much they emulate the corresponding steps, do not want to hear.

Norvell B. De Atkine, Why Arabs Lose Wars


C o r p o r a t e C o m p l i a n C e & e t h i C s :G u i d a n C e f o r e n G a G i n G Y o u r B o a r d

Name

Title

Company

Address

City

State Zip

Phone

Fax

E-mail

Format:DVD VHS

Mail to: SCCE 6500BarrieRoad,Suite250 Minneapolis,MN55435Phone: (888)277-4977

TotalPayment$______________

PurchaseOrder#_____________Check/MoneyOrderVISA MasterCard

Number Exp.Date

NameofCardHolder

SignatureofCardHolder

Please make check payable to:

SocietyofCorporateComplianceandEthics(SCCE)

FAX: (952)988-0146Online: www.corporatecompliance.orgE-mail: [email protected]

Code:CE1104

Order Today!Non-Members $395 SCCE/HCCA Members $345

www.corporatecompliance.org

“�This�video�provides�an�over-view�of�the�Board’s�role�in�compliance.”��Odell Guyton��Senior�Corporate�Attorney,�Director�of�Compliance,�Microsoft�Corporation

“�It’s�pretty�clear�that��the�best�compliance��program�in�the�world��is�meaningless,�even�if�it’s�funded�with�a�good�well-meaning�compliance��officer,�if�the�leadership�of�the�company�is�not�behind�it�and�isn’t��supportive…”��Honorable��Michael E. Horowitz Commissioner,�United�States�Sentencing�Commission

Bringing the vision of leadership together

with a compliant and ethical culture

��August 2006


(5) valuing development of individual potential

(6) viewing differing viewpoints/mistakes as opportunities for learning/growth

(7) trusting one another/honoring promises and obligations

We have modified a questionnaire I have used for years to include one additional element—valuing individual develop-ment—and expanded one element to probe more deeply into how differing viewpoints are handled. Most of the ele-ments have been suggested by research, including the Ethics Resource Center’s National Business Ethics Survey®, and my experience over the years. If I ever doubted the value of this approach, it has made eminent good sense in this envi-ronment with the IJF as an organization.

The first element—core beliefs and stimulating progress—is vintage Jim Collins of “Built to Last” fame. Here, we are trying to reinstate core beliefs about military service—purpose, core values, and envisioned future—that predate the Saddam era, while being sure that they do not lead to a situation that made a Saddam possible. The IJF must progress from where they are to where they will be seen as a pillar of Iraqi society. This requires progress, but from an enduring foundation of core beliefs.

The second element—accepting responsi-bility and holding others accountable—is a core element of an ethical organization. Indeed the essence of individual ethics, in my view, is choice: making appropri-ate decisions and acting upon them. The essence of organizational ethics, likewise, is encouraging members and agents to be responsible and holding them account-able when they are not.

The third element—participation of mem-bers in decisions and activities—is the most obvious negative aspect of Iraqi armed forces culture. Officers do not, as a rule, delegate authority as much as a professional army does. Unlike the armed forces in the developed world, the IJF does not have a well-developed noncommissioned officer corps: the backbone of a professional mili-tary force. Stories of senior commanding officers leading or supervising small unit formations and operations are legion.

Deficiencies in the fourth element—sharing information—will ring true for most in the corporate world. However much the previous three elements may be practiced, individual and organiza-tional decision-making and activities can only be effective if they are based upon an accurate understanding of what we call “ground truth.” Here, knowledge is power. It is often not shared.

One can see the negative aspects of these four elements in the attributes described in the text box on page 9.

The fifth element—valuing development of individual potential—is the new ele-ment. We developed it to include a more concrete aspect to whether individuals are respected. Closely related to the element of participation, we added it because it brings a more structural and systemic aspect to whether individuals are respected and valued in practice.

The sixth element—valuing differing viewpoints and learning from conflict—expands an element that had focused on how the organization dealt with conflict to make differing viewpoints a factor in that conflict. This is, of course, an obvi-ous concern in Iraqi life: one needs only

read the newspaper headlines. It will increasingly be a concern as organiza-tions expand their markets and work-forces continue to become more diverse.

Finally, the seventh element—trust—brings all of these elements together in a final filter. When all is said and done, do we trust one another? In terms of the benefits of ethical behavior, mutual trust among organizational stakeholders is the principal consequence.

Culture of fear. In his “Fourteen Points for Management,” W. Edwards Deming wrote of the necessity to “drive out fear” in the workplace. Here we are trying to drive out fear in an entire society. Fear is ubiq-uitous and palpable. Maslow’s hierarchy is alive and well in our decision-making. Every day we are confronted with the real-ity that pervasive fear has to be treated as a factor in ethical decision-making. Dealing with fear on a day-to-day basis is “how we do things around here.” If we treat some of the organizational culture profile elements with fear in mind, this will become clear.

We are concerned with excellence, integ-rity and moral courage, to be sure. But survival—just in our Iraqi colleagues getting to and from work—is a factor in our planning. Those Iraqis known to work with the Coalition are prime targets for the insurgents. The neighbors of most of our interpreters, for example, do not know where they work. Planning is difficult because we have to be careful who is told what and when. The timing of group events on Ar Rustamiyah, for example, is closely held.

Simple examples: Unit formations have been targeted with mortar fire, appar-



��August 2006


ently directed by someone in the camp. Biographical information we accept as the norm in organizations is not kept for our interpreters; they use nicknames. Public displays of military academy graduation photos have airbrushed faces. At media events, one of the ground rules is no photos of civilian Iraqis.

Those of us who are members of the Coalition move exclusively by helicopter, scheduled on relatively short notice, closely held. I will probably never set foot on an Iraqi public street, and certainly never sip chai and watch crowds go by in a Baghdad café. And even something as simple as ordering a piece of furniture requires some Iraqi staff member or vendor to mix with crowds as unobtrusively as possible in order to slip through concrete approaches with the item to the relative safety of our camp.

Daily life with the Iraqis is full of greet-ings and well-wishes. We have infor-mal rules worked out: if we are eating together in the NATO facility, they are our guests; in the Iraqi facility, we are theirs. It is very important to them to have that understanding of hospital-ity worked out in advance. If you say, “What I miss is green tea,” it will appear, and some Iraqi colleague will refuse your offer to pay. Still, we have a diverse set of Iraqi colleagues and interpreters, and all or most have lost a relative to some sect to which another colleague or inter-preter belongs. They are united, to a large extent, by the purpose, vision, and values of the Center itself. But, memo-ries are long here. Cultural ties run deep.

In our training and education, we must be careful when we urge Iraqis to “do the right thing.” Sometimes doing the “right thing,” like reporting corruption among

senior officers, can get one killed. This puts a whole new meaning on the FSSG minimum requirement to provide a mech-anism whereby employees and agents may seek advice or report misconduct “without fear of retaliation.” It points to how sys-temic all this ethics stuff truly is.

Conclusion. This is a fascinating proj-ect, one which has required most of the tools in the ethics and compliance program toolkit. These tools have been helpful in gaining understanding of the context and criteria for an effective eth-ics program in Iraq—and to explain that understanding to others.

To a large degree, we are dealing in cul-tural change with all the considerations of change management that corporate managers face. Under normal circum-stances, cultural change requires five to seven years. Fighting a successful coun-ter-insurgency takes from nine years to a generation or two.

Recently at lunch, I spoke to Dr. Duncan Anderson, a military histo-rian and Dean of the War Studies Department at Sandhurst, UK, who is visiting the Iraqi Military Academy, Ar Rustamiyah. He knows of no histori-cal example where an army changed its culture and successfully fought an insur-gency at the same time.

The IJF have their work cut out for them. We are building the Center for Military Values, Principles and Leadership, Ar Rustamiyah, to help in that effort for generations to come. ■

The opinions or assertions contained in this article are the view of the author and should not be construed as official or

reflecting the views of the United States Department of Defense.

1. The reader will understand my not referring to them as “target audi-ences,” though truly we all are.2. Paul M. Belbutowski, “Strategic Implications of Cultures in Conflict,” Parameters, Spring 1996, pp. 32-42, quoted in Norvell B. De Atkine, “Why Arabs Lose Wars.” The Middle East Forum (December 1999). Available at: http://www.meforum.org/article/441. Accessed June 26, 2006.3. The key word here is “program.” Though our focus currently is on training Iraqi forces and assisting military educational institutions, we are consciously using a modified framework suggested by the Federal Sentencing Guidelines to encourage systemic change. For example, we had a strategic communications plan designed long before we began working with Iraqi units and schools.4. The Center logo is in the box opposite. Green is the color of Islam. The bird, the Hoo Poe, is mentioned in the Koran. It was used as a symbol of Saddam’s intelligence service. When that was brought to the attention of MG Nabil Abdul Kadir, then our director-designate, he quietly and simply said, “Well, you can’t blame the bird.”5. See discussion of the “Great Society” at Ludwig von Mises, Human Action Ch. VII, section 7. Available online at http://www.mises.org/humanaction/chap8sec7.asp. Accessed June 27, 2006. A similar center is working with the Iraqi police.6. This directly applies to transnational organizations—and, if trends continue, with domestic organizations. Increasingly, even domestic organizations are becoming transcultural, if not transnational.7. I have used Professor Hofstede’s work to understand differences in employee and agent behavior across countries and as a guide to improv-ing management responses to our findings, discussion, and recommen-dations. It was particularly helpful in interpreting lower reporting rates and greater willingness to acquiesce to authority in some regions of the world than others.8. Professor Hofstede conducted perhaps the most comprehensive study of how values in the workplace are influenced by culture. He analyzed a large database of employee values scores collected by IBM between 1967 and 1973. The data covered more than 70 countries, from which he first used the 40 largest. He later extended the analysis to 50 countries and three regions. In the editions of his work since 2001, scores are included for 74 countries and regions, based in part on replications and extensions of the IBM study on different regional and national populations.9. Geert Hofstede and Gert Jan Hofstede, Cultures and Organizations Software of the Mind Rev. and exp. 2nd ed. (New York: McGraw-Hill, 2005) p. 46.10. Hofstede, p. 76.11. Id., p. 120.12. Id., p. 167.13. Id., p. 210.14. Note that there is no country or region included in this table that is substantially similar in all four or five dimensions to the world aver-age. The index numbers were normalized at 100 as the range. Some countries, such as China with long-term orientation at 118, exceed the normalized index.15. Hofstede analysis for the Arab World includes the countries of Egypt, Iraq, Kuwait, Lebanon, Libya, Saudi Arabia, and the United Arab Emirates.16. Norvell B. De Atkine, “Why Arabs Lose Wars.” The Middle East Forum (December 1999). Available at: http://www.meforum.org/arti-cle/441. Accessed June 26, 2006. Quoting Kenneth M. Pollack, “The Influence of Arab Culture on Arab Military Effectiveness” (Ph.d. diss., Massachusetts Institute of Technology, 1996), p. 759.


SCCE exists to champion ethical practice and compliance standards in the corporate community and to provide the necessary resources for compliance profession-als and others who share these principles.

SCCE’SMISSION

��August 2006


Editor’s note: Judy Marrs is Legal Counsel with Midi, a provider of compliance and ethics learning solutions. Ms. Marrs has experience providing consulting services to in-house counsel, and has practiced labor and employment law in Chicago. Judy Marrs, contact information: [email protected]

The results of several surveys released in recent months offer an abundance of statistics designed to gauge the state of corporate conduct, integrity, and eth-ics. The data offer snapshots taken from various angles, with some studies pro-viding a picture of how employees view the climate in the workplace, and others presenting managers’ and executives’ assessments of a company’s ethical cul-ture. The range of issues covered by the surveys is extremely broad, encompass-ing everything from the reasons behind unethical behavior to employee views on corporate social responsibility, but a few common themes are worth noting, along with a handful of surprising results.

Misconduct persists

Some statistics were cause for cautious optimism about the likelihood of employ-ees to report misconduct, but the surveys consistently showed that much wrong-doing is left unreported. In KPMG’s Integrity Survey 2005-2006, 74 percent of employees reported that they had observed misconduct in the prior year, and half considered what they observed to be sufficiently serious that it could cause a significant loss of public trust if

discovered. The National Business Ethics Survey, conducted by the Ethics Resource Center (ERC), reported a lower, but still troubling, rate of observed misconduct. The results of that study showed that 52 percent of employees had observed at least one type of misconduct, and 36 percent of those employees had observed two or more types of misconduct. Both surveys noted that the prevalence of mis-conduct had not significantly changed in recent years.

On the reporting front, the news was mixed. The ERC study asked if those who actually observed misconduct had then reported it, and only 55 percent had done so, representing a decline of 10 percentage points since the 2003 survey. The 2005 Walker Loyalty Report for Loyalty in the Workplace, a study of employee loyalty and business ethics, found about the same rate of reporting as did the ERC study among those who were aware of misconduct—54 percent. However, in the Walker report that statistic was more encouraging, because it represented an increase of more than 14 percent over 2003 results. In both of these surveys, the same two explanations were given as the most common reason for not reporting: fear of retaliation and the feeling that nothing would be done to address the misconduct.

The KPMG survey had the most posi-tive data on reporting misconduct: 81 percent of respondents said they would notify their supervisor or another man-

ager if they observed a violation of the company’s standards of conduct.

Global companies reported additional challenges getting employees to report misconduct. The 2005 Global Ethics & Compliance Benchmarking Survey, conducted by Language and Culture Worldwide, indicated that cultural dif-ferences about what behavior constitutes misconduct, along with fear of retaliation, led to a lower reporting rate by employees outside of the United States. More than 60 percent of respondents, who were members of the Ethics and Compliance Officers Association and the Institute of Business Ethics, noted this disparity.

Formal programs more commonplace

The surveys offered persuasive evidence about the positive impact of formal com-pliance and ethics programs. The 2006 Compliance Program and Risk Assessment Benchmarking Survey, conducted by Corpedia and The Conference Board, found that 60 percent of all organizations have a Chief Compliance Officer, and 32 percent have a Chief Ethics Officer. This report, which compiled the responses of 225 inside corporate counsels, also revealed that almost three quarters of all organiza-

Surveys offer guidance for future compliance efforts

By Judy Marrs

Ju

DY

MA

RR

S


��August 2006


tions have formal codes of conduct or eth-ics training programs.

The observations of employees whose organizations have adopted a compre-hensive compliance program suggested that programs are making a difference. For example, in the KPMG study, 88 percent of employees in organizations with a program said they would feel comfortable reporting misconduct to a supervisor, compared to 48 percent in organizations without a program. Significantly, 87 percent of employees in organizations with a program felt that appropriate action would be taken in response to their report, while only 44 percent of workers in organizations with no program believed something would be done.

The “program vs. no-program” com-parison fails to mask the persistent challenges, such as addressing the underlying drivers of misconduct. Even among those employees working in organizations with a program, 50 percent reported that they feel pressure to “do whatever it takes” to meet their targets, according to the KPMG study. This is a problematic statistic, despite the fact that it was 10 points lower than the number reported by workers not exposed to a program.

The ERC study confirms the rise in formal programs elements, with 86 per-cent of employees reporting that written standards of conduct have been created and nearly 70 percent noting that ethics training has been implemented, but the persistence of misconduct and decline in reporting presented in those results sug-gest that the programs may not be lead-ing to better results. On the other hand,

the study found the presence of a strong culture does produce results, noting that in organizations whose top manage-ment displays certain ethical behaviors, employees are significantly less likely to observe misconduct.

Culture counts

There was broad agreement on the important but somewhat intangible effect of culture. According to the Business Ethics Survey, conducted by the American Management Association and Human Resource Institute (AMA/HRI), tone at the top is still a key driver of an ethical culture. Executives and managers who participated in the study were asked about the key elements of assuring an ethical culture. They said having leaders who support and model ethical behav-ior was most important, and consistent communications from those leaders was a close second. The value of communica-tion was echoed in results from the Fast Track Leadership Survey on Business Ethics and Integrity, whose respondents felt CEOs should work harder to listen to employees and customers, suggest-ing they “communicate with the shop floor” and “work in the trenches.” Fast Company magazine conducted the sur-vey along with Switzerland-based busi-ness school IMD and executive recruit-ing firm Egon Zehnder International.

In addition to the critical role of top executives, employees pointed to other factors and various levels of leadership when addressing what creates an ethi-cal climate. In the ERC study, middle managers got high marks for communi-cating the importance of ethics, setting an example of ethical conduct, and for keeping promises and commitments. Employees in the KPMG study were

asked about the characteristics of their individual departments and work units, and 78 percent said people in those work groups feel motivated and empow-ered to “do the right thing.”

In an effort to further define a strong ethical culture, the AMA/HRI study also asked about the importance of specific internal practices and programs. Having a code of conduct was cited as most important, with ethics training identi-fied as number two. Rounding out the top five were corporate social responsi-bility programs, providing an ombuds-man, and offering an ethics helpline.

Though culture seems to be moving in the right direction, according to a group of communications professionals, there is still room for improvement. A survey conducted by the International Association of Business Communicators Research Foundation indicated that only 46 percent of companies encourage dis-cussion of moral dilemmas and criticism of censurable conduct.

The importance of an organization’s ethi-cal culture extends beyond the relation-ship with its employees, as some surveys documented. The AMA/HRI analysis asked which practices make a difference to an organization’s customers. Respondents said transparency—having access to clear and complete information—was most highly valued, followed by corporate social responsibility programs.

Looking ahead

Although the results of these surveys present instructive themes and a wealth of useful data, the questions themselves offer equally valuable guideposts for con-tinuing to create and maintain ethical

Surveys offer guidance ...continued from page 13

��August 2006


cultures. In assessing the ethical climate within organizations, the data collectors identified many useful measurements. The ERC study, for example, took a detailed look at a variety of Ethics-relat-ed Actions (ERAs) displayed by everyone from top management to coworkers, and asked questions about issues such as accountability, communication, and decision-making. Similarly, KPMG’s Integrity Survey attempted to gauge the culture at all levels, for example, posing questions about whether local managers “know what type of behavior really goes on inside the organization” and if those managers “are approachable if employees have questions about ethics or need to deliver bad news.” These efforts to ana-lyze the ingredients of an ethical culture offer a framework which compliance and ethics officers may find effective as they work to create and improve the climate in their organizations.

Overall, the surveys show that many organizations have made notable prog-ress toward creating a culture which encourages ethical conduct and integrity. In addition, there has been an increase in adoption of compliance programs featuring codes of conduct, formal train-ing and reporting hotlines. Nevertheless, the studies document the prevalence of unreported misconduct, and the persis-tence of workplace pressures that lead to wrongdoing. In order to benefit from these findings and improve ethical con-duct and legal compliance, companies should focus their efforts on a few pri-mary compliance activities:

■ Prepare managers for the pivotal role they play in preventing, uncovering, and addressing misconduct. Middle managers and supervisors should receive targeted training to ensure that they are setting the right tone by their own con-

duct, and are well equipped to respond to concerns raised by employees.

■ Educate employees on all avenues and options available for reporting misconduct by incorporating discus-sions of the reporting process in all training. The training should include details of the steps the company will take in response to reports of wrong-doing, and emphasize actions that will be taken to protect employees from retaliation.

■ Analyze performance goals, incentive programs, and other business prac-tices that may be drivers of unethical behavior. A thorough assessment of such procedures may identify unreal-istic expectations which unintention-ally foster a “do whatever it takes” attitude. ■

OPPORTUNITIESSCCE Compliance & Ethics Institute

September 11-13, 2006SCCE’s Annual Compliance & Ethics Institute draws compliance and ethics professionals for three days of education and networking September 11–13, 2006, in Chicago, IL. Conferences offer visibility through a variety of sponsorship opportunities and networking events. SCCE offers the most effective use of your advertising dollar by taking advantage of these special opportunities.

Benefits for Sponsor and Exhibitors:Professional showcasingHigh visibility and name recognitionNetwork with compliance professionalsForm new working partnershipsLearn clients’ needsAccess decision-makersNational and local marketingExposure to top professionals in your fieldInexpensive and effective way to market your name

Excellent networking opportunitiesOn-Site Sponsorship Opportunities:Networking Luncheon and ReceptionConference BagsContinental Breakfast and Refreshment Breaks.Conference Program CD and Badge Holder Lanyards

Please feel free to contact Diane Abels at (952) 933-4977 or [email protected]

��August 2006


Editor’s note: José A. Tabuena is with the Forensic & Dispute Services practice of Deloitte Financial Advisory Services LLP. He also serves on the Advisory Board for Compliance & Ethics. He conducted the following interview in March of 200� with Mr. Thurmond Woodard, Chief Ethics, Privacy and Compliance Officer, and Vice President of Global Diversity. In his dual roles, he provides strategic direc-tion and oversees Dell’s global business conduct office and leads the company’s diversity initiatives. Mr. Woodard’s contact email is [email protected]

Q. What is your background and how has this experience contributed to your expertise in compliance and ethics? A. There are three aspects of my background that support my ability to provide leadership for the ethics and compliance functions at Dell. To begin, I was born into a family that values integrity, honesty, and fair dealing. My accounting education also contributed greatly to my preparation for today’s job responsibilities. Finally, my 30 years of global and corporate experience in finance, marketing, and human resourc-es enhanced my skills and judgment to perform at the highest level and under-stand all aspects of an operation.

Q. How did you come to your cur-

rent role as Chief Ethics & Compliance Officer at Dell? A. I joined Dell in 2000 as vice presi-dent for Global Diversity. Having spent a good part of my career running busi-nesses, I learned that knowing how the corporate culture operates is key for the success of any business, so my role was not only to institute and sustain a model for diversity, but also to help Dell’s lead-ership team define what they call a win-ning culture. The past five years have been crucial for Dell’s expansion around the world. Later in the road, we also realized that creating awareness around our higher standard of ethical behavior in all new and existing operations, and Dell’s Code of Conduct—which was implemented since 1992—would be a core piece of our winning culture. We can’t expect for all team members to know what the company expects from them unless we establish a formal communication about our standards. With that in mind, in 2003, Kevin Rollins and Michael Dell asked me to lead the Ethics function. Given our focus on the customer in everything we do, this role has also evolved and I’m now Chief Ethics, Compliance and Privacy Officer.

Q. How is the ethics and compliance

program structured at Dell and whom do you report to in your organization? A. At Dell, the Ethics and Compliance program permeates the entire organi-zation. With approximately 65,000 people on 6 continents and speaking 28 languages, and $55.9 billion revenue in 2005, the task is immense and very important. We are structured to make sure the job is well done and that issues are handled nearly immediately. This function is supported from the top and embedded in all parts of our business. Let me explain to you what that is. Dell’s board of directors oversees the overall affairs of Dell, from strategic and operational planning, major corporate actions and financial reporting, to gov-ernance, compliance, and risk manage-

Chief Ethics, Privacy & Compliance Officer; Vice President, Global Diversity, Dell Inc.

featurearticle

Meet Thurmond B. Woodard

��August 2006


ment. It bases corporate governance on the highest possible standards. I’m talking about standards of responsibility, ethics, and integrity. These standards are also rooted in our desire to act in our stock-holders’ best interest. Michael Dell, chair-man of the board, and Kevin Rollins, CEO, are the only Dell executives who are also part of our board of directors. I report to Larry Tu, Senior Vice President and General Counsel for Dell. We also have a Global Ethics Council that interacts with Dell’s board of directors, setting global ethics policies and overseeing the compliance of our executives. The council is chaired by me and includes executives from our busi-ness, operations, and corporate functions throughout the world, including Kevin Rollins, Dell’s CEO.

Q. Since Dell is a global company, can you comment on some of the interna-tional trends that may be impacting your program—such as European Union data privacy rules, the new French data protec-tion rules for whistle-blowing systems, the OECD Convention and the Foreign Corrupt Practices Act, and so forth? A. All of these trends and initiatives impact our global business activity. In keep-ing with our Dell model and culture, we are accustomed to seek out ways to achieve economies of scale, and our approach to addressing compliance with the rules and acts you mention is no different. While these privacy rules, for exam-ple, are fairly recent, we expect them to continue and at Dell, we have developed a strategy that will allow us to success-fully scale our business while holding ourselves to a higher standard in this area. We mirror our own global data privacy requirements to meet the most stringent requirements out there. This enables us to

focus on the important few rules, rather than the hundreds of variations. As far as OECD Convention and Foreign Corrupt Practices Act, they are obviously not new, having been around since 1997 and 1977, respectively. What is new today is a stronger focus of the authorities and the general public to ensure business is conducted ethically to safeguard the rights of employees and investors, especially after the known corporate cases and Sarbanes-Oxley. Dell has historically devoted substantial resources and implemented adequate controls to help prevent or detect viola-tions of the laws and regulations of the countries where it operates. We also continuously evaluate the effectiveness of our Compliance and Ethics Program and make improvements, if necessary, to ensure we comply with the 2004 amended Federal Sentencing Guidelines and are in line with or ahead of industry best practices. Our reputation and success are based on our customers’ and stakehold-ers’ trust and we see no other way to maintain that trust than to protect our customers’ privacy and other rights, and more generally, to conduct business with the highest level of integrity.

Q. How is the ethics and compliance program related to Dell’s corporate social responsibility and diversity programs? A. Dell is committed to operating in a responsible and sustainable manner around the globe. Our accountability, environment, and community programs help ensure that we operate in a manner consistent with our core values as we grow our business globally. No truly global organization can succeed in business without also achiev-ing excellence in these important areas

of corporate life. We accept no conflict, tension, or confusion between the cor-rect behaviors in corporate social respon-sibility and diversity, as contrasted with all the other necessary activities of our business. In today’s global economy, solid practices in these areas are at the core of good business.

Q. Tell us the role ethics and culture plays in the operation of your program. A. Like I said, ethics is an important part of Dell’s winning culture and cor-porate philosophy. It is challenging to maintain a culture of ethics when lead-ing a global company of our size that needs to deliver operational results. Think for a moment that Dell’s growth outside of the US has been over 125 percent over the last five years. But just as we work towards the same product and service standards around the world, we work towards the same commit-ment to ethics wherever we do business. The expectation of ethical behavior in conducting business in Austin, TX is the same in Shanghai, Bangalore, or Madrid. “Winning with Integrity” is global and must be owned by each employee. Our ethics and compliance team was created in a way that it could func-tion at a global level but be effective at a local cultural level. Dell ethics manag-ers sitting in the regions are from the local culture, so, no matter where we operate, we have a structured team that understands the culture, the laws and requirements of each region, and how those relate to Dell’s Code of Conduct and policies. This team is also aligned with each business’s goals and has the ability to advise leaders when faced with difficult ethical dilemmas involving the business performance.

Society of Corporate Compliance and Ethics • (888) 277-4977 • www.corporatecompliance.org ��August 2006


Q. What are the biggest compliance risks that the organization faces? A. Given the global scope of our oper-ations, the most challenging compliance risk we face is maintaining the highest ethical standards across a spectrum of circumstances. One of our areas of focus this year is to develop and implement a risk assessment tool that allows us to identify areas of compliance risk effec-tively and in a timely manner. A good risk assessment process will complement our efforts around our vigorous compli-ance training that is driven today at all levels of the organization.

Q. Has Sarbanes-Oxley changed your relationship with the board?

A. No, Sarbanes-Oxley has not changed the relationship with our board. We are, in fact, living in a new business environ-ment where corporations are expected to perform and report their performance in accordance with Sarbanes-Oxley and all other regulations; however, this was not the kickoff for ethics and strong corporate governance at Dell. Our Global Ethics and Compliance Office and overall structure that’s embed-ded in the business is expected to watch that policies are generated timely, under-stood, and followed by employees. Written reports on compliance are provided regu-larly to the board of directors and I appear before the audit committee of the board twice a year to share plans and results. We are continuously reviewing our practices to be certain that we’re not only meeting the absolute letter of the law, but also living up to the high standards Dell has set for itself—includ-ing the suppliers we partner with and our customers. For example, from the time we begin a relationship, we share

our Code of Conduct with our business partners and ask them to follow our higher ethical standard. That practice was already ingrained into the way we do business. The new regulatory envi-ronment has reinforced our commit-ment to ethical corporate governance and the need to continue to build the foundation into our operations.

Q. How is ethics and compliance train-ing coordinated in such a big organization? A. All Dell employees are required to complete at least three ethics train-ing courses annually. This past year all 65,000 employees met this requirement. As part of these courses, they learn that we have an Ethics Helpline available to them 24/7 in their language, no matter where they work. The training is sup-ported with a series of communications delivered consistently to all employ-ees in approximately nine languages. Additional courses are provided and/or created based on identified regional and special business unit needs. An important part of the program is management involvement. All Dell man-agers are expected to:■ ensure that their employees

understand our ethics program;■ encourage employees to raise, and

have issues raised and addressed; and■ facilitate completion of our training.

We have other internal tools avail-able like, “Tell Dell” to help motivate employees to speak out. Our retaliation protection also encourages openness.

Q. Are Dell employees being held accountable for meeting ethics and com-pliance-related objectives in performance reviews? A. Yes, they are held accountable.

Additionally, we have identified an over-time trend relationship between employee inquiries and incidents in the ethics arena.

Q. How do you see the relationship between ethics and compliance and fraud control? A. For us, fraud is just one more area that we need to be vigilant about. Based on our current metrics, fraud incidents tend to appear more often, almost on a regular basis, in countries like China and India where local sales practices, local culture, and other business practices are very different from Dell’s “higher stan-dard.” We consider this in our screening and hiring processes and local business controls. We have also developed specific training toolkits that focus on fraud, identity theft, and customer data privacy.

Q. Why did you become involved with SCCE and have you worked with other associations in ethics and compliance? A. Dell is proud to have sponsored the 4th Annual Ethics in Business Awards with SCCE. The relationship between Dell and SCCE is a natural one based on shared principles. One only needs to compare Dell’s core tenets with the five principles SCCE adapted for its awards from John Dalla Costa’s “The Ethical Imperative”:1. Respect life. 2. Be fair. 3. Be honest. 4. Strive for justice.5. Honor the environment.

Dell’s program of “Winning with Integrity” is achieving growth while maintaining a higher standard of ethical behavior under seven principles:■ TRUST: Our word is good.

��August 2006


Meet Thurmond B. Woodard ...continued from page 1�

Society of Corporate Compliance and Ethics • (888) 277-4977 • www.corporatecompliance.org ��August 2006

■ INTEGRITY: We do the right thing without compromise.

■ HONESTY: What we say is true.■ JUDGMENT: We think before we act.■ RESPECT: We treat people with dig-

nity and value their contribution.■ COURAGE: We speak up for what is

right.■ RESPONSIBILITY: We accept the

consequences of our actions.

The parallel principles on these two lists are obvious and demonstrate the naturalness of our relationship.

Q. How is the compliance profession changing, and how will it change in the future?A. The profession is moving toward more complexity as time moves forward. The demands on the profession are con-stantly increasing and the importance of compliance is no longer limited to large multinational companies. It’s also important for small businesses. The stable aspect of the profession is its unchanged commitment to the highest ethical stan-dards, regardless of other changes the world may generate. We must continue to be vigilant in maintaining our standard.

Q. Any parting advice for your fellow ethics and compliance officers? A. Firstly, let me thank you for the opportunity of sharing with you in this forum. I encourage all of us to continue to share tools, best practices, and other means of meeting the tremendous chal-lenges we all face. It is only through our collective knowledge, ingenuity, and shared respect for ethical behavior that we can continue the proud traditions we have started. Thank you. ■

Editor’s note: Adam Turteltaub is the corpo-rate relations executive at LRN, an industry leader and innovator in ethics, compliance and governance solutions. Mr. Turteltaub has worked with many of the world’s larg-est and most respected companies to develop educational events and initiatives that promote the sharing of best practices around ethics and compliance programs. Adam Turteltaub Contact: [email protected]

The verdict is in, and the Enron saga has come to a close. Its legacy, though, will be a long

one. Trust has, in large measure, been restored, giving investors greater faith in where their dollars are invested.

But if history is any guide, that faith will soon be destroyed by another wave of scandals. And the Sarbanes-Oxley solution, like others that came before it, will help solve some of the prob-lem of corporate malfeasance but not eliminate it. A new cycle of scandals will occur—involving the usual wrong-doing and ingenious new ones. A new response will be devised, the world will breathe a bit easier, until the next scandal emerges. That is, unless business is inspired to act according to a higher standard.

The cycle of scandal

This cycle of scandal has five stages:

1) Businesses operate according to a pre-scandal “baseline” of acceptable

corporate conduct;2) A scandal occurs;3) Legislators, regulators, and industry

advocates pass new laws and install new codes of conduct;

4) The targeted businesses pledge to fol-low the rules; and

5) Business continues along the new, higher baseline of behavior.

A few years later, however, another scan-dal breaks and the cycle of misconduct and reform repeats itself. This, essential-ly, is what happened after the Savings & Loan crisis, defense procurement scan-dals, and the Drexel Burnham Lambert junk bond saga of the 1980s. And, of course, the government responded to the fall of Enron and WorldCom with new rules and prosecutions, which set new baselines for both individual industries and for business as a whole.

Enron 101, Look to the Future Not the Past to End Cycles

of ScandalBy Adam Turteltaub


AD

AM

tu

RtE

LtA

ub

�0August 2006


Yet, after each of these seemingly water-shed events, the cycle of scandal repeated itself because the common approach to corporate malfeasance—setting new, rules-based baselines for conduct—is, by its nature, shortsighted and reactive.

Just as generals too often fight the last war, the industry and regulators too often fight to manage the last scandal in the war for public trust and market accountability. In the process, they fail to see that the next scandal will be dif-ferent or to ask whether the assumptions underlying the “solution”—the need to lighten loopholes to create a new base-line for behavior—are correct.

The problem with baselines

A baseline is, by definition, a tool for measurement and calculation, setting the minimum acceptable standards. Raising a baseline essentially recalculates the lowest level of permissible conduct. To borrow a phrase, it establishes a “manda-tory minimum” of legality and ethics.

The problem with this approach is that a minimal, baseline level is a risky place to do business. An overreliance on baseline rules can lull a company into a false sense of security, especially in heav-ily regulated industries such as Enron’s. Rules can give rise to a presumption that the baseline of proper conduct is clear and that employees can—with some oversight—be expected to work at or above it. But the corporate scandals of recent years belie this presumption. Companies have become engulfed in scandal despite the rules they already had in place.

That’s because operating at the bottom end of the behavioral spectrum leaves

little margin for error. It’s too easy for companies to fall out of compliance and too tempting to try and game the system.

Put another way, operating from a baseline perspective too often leads individuals to put their toes on the line, to see how far over they can get before getting caught. It also forces companies to watch which sides of the line toes are on. The problem with this approach is that when you spend your time staring at your feet, it’s very hard to see what’s coming, and sooner or later you are going to bump your head.

Looking ahead is especially important today when companies can become embroiled in scandal without actually breaking the law.

For example, last year’s after-market trading cases brought by New York State Attorney General Eliot Spitzer involved no illegal activity. However, the late-traders violated public standards of fairness, were deemed unacceptable, and cost the industry a great deal of both money and credibility.

Higher standards, not higher baselines

To move beyond the cycle of scandal, busi-ness needs to discard its faith in prescribed minimum standards of behavior. Just as companies seek to exceed customer expec-tations, not just meet minimum customer demands, business must seek to exceed public expectations of business conduct and not just meet legal minimums.

This is especially so in the post-Enron era when investors, the government, and the public increasingly hold manage-ment to higher ethical standards.

Managers should seek to build a culture

of ethics in which it is understood that the minimums prescribed in rules are but a start, and that the company aspires to a higher level of behavior. Moreover, they need to be sure that everyone understands that it is not in the compa-ny’s business interests to simply live up to the legal minimums.

When this is embraced by the workforce, employees don’t simply acquiesce to baseline rules. Rather, they make deci-sions based not solely on rules but also on values—values that inspire them to not just follow the law, but to respect it and ensure that their colleagues do so as well.

Leading prosecutors and regulators agree on the virtue of focusing on a culture of ethical conduct rather than compliance with a set of rules. The Department of Justice, in its Principles of Prosecution, stated, “[M]anagement is responsible for a culture in which criminal conduct is either discouraged or tacitly encour-aged.” Former SEC Chairman William Donaldson has said that while regulators can set rules, “legal definitions only go so far.” And, the U.S. Sentencing Guidelines call on companies to create a culture of ethics and compliance, and not just “check the box” compliance programs.

Legislation alone will not make cor-porate America less scandal prone. To break the cycle of scandal-legislation-scandal, business must pursue ethics-based reform, which aspires to a level of conduct above what is required by law. The ethics-based approach is better suit-ed by far for the new era because it man-ages against not just the ever-changing methods used to create a scandal, but also the very prospect of one happening in the first place. ■

After Enron ...continued from page 19

��August 2006


SendmeWorking for Integrity: Finding the Perfect Job in the Rapidly Growing Compliance and Ethics FieldYES

Working for IntegritySCCEMembers. . $245.00 Working for IntegrityNon-Members. . . $295.00

Numberofcopies:(Free FedEx Ground shipping within continental U.S.)Pleasetypeorprint:

HCCA Member ID

First Name M.I. Last Name

Title

Organization

Street Address

City State Zip

Telephone

Fax

E-mail

PleasemakeyourcheckpayabletoSCCE.Formoreinformation,pleasecall888-277-4977.

Mailcheckto: 6500BarrieRoad,Suite250Minneapolis,MN55435

OrFAXto: 952-988-0146

Total:$_______________

Checkenclosed

Invoiceme PO#_______________Chargemycreditcard: Mastercard

VISAAmericanExpress

Account number

Expiration date

Name on card

Signature

FederalTaxID:23-2882664

Pricessubjecttochangewithoutnotice.SCCEisrequiredtochargesalestaxonpurchasesfromMinnesotaandPennsylvania.Pleasecalculatethisinthecostofyoursub-scription.TherequiredsalestaxinPennsylvaniais6%andMinnesotais6.5%.

6500BarrieRoad,Suite250,Minneapolis,MN55435Phone888-580-8373•FAX952-988-0146info@corporatecompliance.orgwww.corporatecompliance.org

NEW—Working for Integrity: Finding the Perfect Job in the Rapidly Growing Compliance and Ethics FieldJoseph E. Murphy, one of the leading experts in compliance, has collabo-rated with Joshua Leet to write a remarkable book about the compliance and ethics field. If you want a career in this field, you must read Working for Integrity. If you already work in compliance and ethics, you will want to avail yourself of the advice and insight Mr. Murphy offers in this book. If you hire compliance professionals, you will want to refer to this resource to make wise choices. This book contains valuable information such as:

Interviews with more than 20 professionals in compliance and ethics Ways to promote compliance to management Résumé builders Protections for compliance professionals Finding the right employees for compliance jobs A glossary of compliance and ethics terms and a suggested reading list

Working for Integrity is a marvelous resource for EVERYONE involved with the compliance field!

��August 2006


The fundamentals of assessing a financial

institution’s enterprise AML Risk

By Anthony J. Tricaso

Editor’s Note: Anthony J. Tricaso, is a Corporate AML Compliance Officer with U.S. Bancorp. Mr. Tricaso’s experience extends across a range of financial services industries, including international bank-ing, broker/dealer, transfer agent, custody, investment advisory, and trust services with an emphasis in anti-money laundering (AML), Bank Secrecy Act (BSA), and USA PATRIOT Act compliance. Tony can be reached at: [email protected]

Federal regulators continue to expect financial institutions to effectively manage their

Anti-Money Laundering (‘AML’) and Bank Secrecy Act (‘BSA’) Compliance Program. As part of this management, every financial institution must complete an enterprise-wide AML / BSA Risk Assessment addressing money launder-ing, terrorist financing and regulatory compliance risk. The Federal Financial Institution Examination Council’s (“FFIEC”) revised Anti-Money Laundering Examination Manual specifically addresses a risked-based approach to assessing your AML / BSA risk. An assessment of your financial institution’s AML / BSA risk has always been a part of the AML / BSA Program. However, the focus has changed, and examiners expect to see a comprehen-sive AML / BSA risk assessment. As a result, a heightened level of scrutiny had been placed on financial institutions to enhance the risk profile with a compre-

hensive assessment of AML / BSA risk.

The AML / BSA Risk Assessment is a driving force behind the AML / BSA Compliance Program, identifying key areas for potential money laundering and terrorist financing activity. The foundation of a sound AML / BSA Compliance Program lies within a thorough AML Risk Assessment. That is, a financial institution’s AML / BSA Compliance Program must accord with the risk of its customer base, products and services offered, and geographical locations.

When assessing a financial institution’s AML risk, consideration should be given to geography, customer base, and products and services offered. A financial institution’s footprint, its pres-ence in High Intensity Drug Traffic Areas (“HIDTA”) and High Intensity Financial Crimes Area (“HIFCA”), as well as overseas exposure, plays a major role in the assessment of AML risk. A financial service’s customer base should be examined as well. As high-risk cus-tomers carry with them a greater risk for potential money laundering and terror-ist financing, greater scrutiny should be given to Non-Resident Alien (“NRA”), Money Service Business (“MSB”), Politically Exposed Person (“PEP”), and Private Investment Company (“PIC”) accounts. All of these customer types should be identified and risk rated

accordingly. The number of high-risk products and services offered by your financial institution directly correlates to your institution’s AML risk. Along with products and services offered, transac-tion processing should be examined as well. The number of wire transfers, for example, should be analyzed and cross-border wire transfers should be uncov-ered and assessed within your AML risk.

Additionally, the size of an institution may play a factor in assessing the financial institution’s AML risk. Larger financial institutions may wish to assess their AML risk on a business line level. Keeping in mind that regulators are requiring an enterprise-wide AML risk assessment, a business line risk score roll-up would be a viable option with this approach. Smaller financial institutions may wish to assess their AML risk on a corporate level only. Regardless of the approach, the final risk assessment must encompass an enterprise assessment of AML / BSA risk. The important element to remember is that there is no one approach that is necessar-ily correct. There is no one size that fits all financial institutions. The risk assess-ment should fit the size and complexity of the financial institution and be com-mensurate with its risk profile.

AN

thO

NY

J. t

RIC

AS

O

��August 2006


A three-pronged approach is recom-

mended in the development of a

financial institution’s AML / BSA Risk

Assessment:

(1) The first stage of developing the AML / BSA Risk Assessment is the information gathering stage. A complete inventory of the financial institution’s customer base, products and services offered, and geographical locations must be taken before you begin to evaluate the institution’s risk. A solid understanding of who the customers are, the types of transac-tions they utilize, and the volumes of transactions processed must be estab-lished. A financial institution’s geo-graphical presence, foreign exposure, and assets under management should also be collected and gathered. Once you have drawn a map of the finan-cial institution’s footprint, created a list of products and services offered, and identified who the customers are, you now have the knowledge and tools necessary to effectively assess the financial institution’s AML risk.

(2) The second phase of developing a financial institution’s AML / BSA Risk Assessment is the explanation of risk mitigating controls to defend against illegal activities. These con-trols include policies and procedures, transaction and account monitor-ing, investigative units, and training programs. Now is the time to make mention within the risk assessment document of any controls the finan-cial institution has put in place to mitigate its money laundering and terrorist financing risk. Although many areas of banking and financial services may be inherently risky when speaking of money laundering or terrorist financing, risk mitigating

controls properly put in place may help to offset such risk, thus lowering the level of risk within that area of service.

(3) The third and final phase of devel-oping a financial institution’s AML / BSA Risk Assessment is to identify areas of exposure and possible gaps in which potential money laundering or terrorist financing may leak through. Areas of exposure may include newly offered products and services, emerging products lines, or other services where volumes and transac-tion exceed the AML due diligence requirements within the inception of the AML / BSA Program. This gap analysis is crucial to uncovering areas that need heightened scrutiny and tighter controls. It is important to remember that the AML / BSA risk assessment should drive the AML / BSA Program. It is the second phase of your AML risk assessment that you begin to make your assessment actionable. By doing so, you begin to draft or revise existing policies and procedures around those areas identified as having potential risk for money laundering and terrorist financing. The level of risk identified within these gaps determines the level of due diligence required.

Throughout the AML / BSA Risk Assessment, you should offer an expla-nation of the AML risks present and controls put in place mitigating those risks. A well thought out commentary and supporting language to address the risks and controls surrounding those risks helps the examiner to understand your business, your corporation, and your AML initiative. Additionally, reference any materials used in the information

gathering stage. Document what you have found and attach or footnote your reference materials. A clear explanation of risk supported with documentation of your findings makes the examiner’s job easier. The more information provided within the risk assessment document, the fewer questions likely to be asked by the examiner.

When establishing scoring criteria for the risk assessment, the starting point of the scoring matrix should begin with risk rating scores of low, moderate, and high. Assigning numbers to each risk rating variable helps to simplify the sum of the overall enterprise risk rating score. When assigning numbers and weights to the risk rating variables, sometimes a simple equation is better. When creating the risk assessment and establishing scoring criteria, it is important to remember who the readers are (e.g., board of directors, internal and external auditors, and bank examiners). The document itself must be easily understood and written in plain English. The scoring criteria established should be commensurate to the risk and, at the same time, set at a level that may be interpreted by the reader with ease. Additionally, try to stay away from jargon and minimize the use of acronyms as much as possible.

The AML / BSA Risk Assessment should reach a conclusion. The assessment should identify the level of AML risk present within the financial institution as well as assess a final risk rating score. The final risk rating score should identify the financial institution at low, moderate, or high risk of being used to launder money from illegal activities or conduct terrorist financing. Additionally, you should offer

Continued on page 2�

��August 2006


5th AnnuAl

ComplianCe & ethiCs institute

Corporate Compliance and Ethics Programs:

Case Studies and Risk Areas

SAVE $100

and attend the

pre-conference for

FREE: register by AuguST 16!

A $200 TOTAL VALuE

September 11–13, 2006Chicago Downtown Marriott, Chicago, IL

Society of Corporate Compliance and EthicsThe Corporate Compliance Professionals’ Association

www.corporatecompliance.org

��August 2006

ComplianCe & ethiCs institute

Corporate Compliance and Ethics Programs:

Case Studies and Risk Areas

HOW TO REGISTER

Web:� www.corporatecompliance.org

Fax:� �Complete form with necessary credit card payment information and fax to (952) 988-0146.

Mail: Include completed registration form with check payable to: Society�of�Corporate�Compliance�and�Ethics�6500�Barrie�Road,�Suite�250�Minneapolis,�MN��55435

Tax ID Number: 23-2882664Credit�Card:�We accept VISA, MasterCard, and American Express. Purchase�Orders:�Purchase orders must be paid by the conference dates or payment will be required from the individual on-site. Checks:�Please make checks payable to the Society of Corporate Compliance and Ethics. Registrations must be paid in full by the conference date or payments will be required from the individual on-site. Payment should be in U.S. funds.

TAX DEDUCTIBILITYAll expenses incurred during training to maintain or improve skills in your profession (including tuition, travel, lodging, and meals) may be tax deductible. Please consult your tax advisor.

CANCELLATIONS/SUBSTITUTIONSRefunds will not be given for “no-shows” or cancellations. You may send a substitute; call SCCE at (888) 277-4977.

GROUP REGISTRATIONAll group registrations must be submitted at the same time with one form of payment. Each member of a group is required to fill out a registration form. Call the SCCE office at (888) 277-4977 for special group rates for five or more.

CONTINUING EDUCATION SCCE will be offering CLE, NASBA-CPE, ACHE, and HCCB Continuing Education Credits.

HOTEL ACCOMODATIONS Special rates of $229 (single/double) have been arranged for the 2006 Compliance & Ethics Institute. There are a limited number of rooms available at the special rate. Please make your reservations directly with the Chicago Marriott Downtown Hotel and mention the Society of Corporate Compliance and Ethics to receive the reduced rate. Reservations will be accepted until Saturday, August 19, 2006, or until the group block is sold out, whichever comes first. Reservations received after this date or after the group block is filled will be accepted based on space and rate availability.

PLEASE MAKE YOUR RESERVATIONS EARLY!Chicago Marriott Downtown Hotel540 North Michigan AvenueChicago, IL 60611, USAPhone: 312-836-0100Fax: 312-836-6139

First Name m.i. Last Name

membership iD

titLe

CompaNy

aDDress

City state Zip

phoNe Fax

e-maiL (required for conference notification)

PAYMENT INfORMATION

Total Payment $ ______________

❑ Invoice me ❑ Purchase Order # ____________❑ Check or Money Order enclosed❑ Charge my credit card* ❑ VISA ❑ MasterCard ❑ Amex

aCCouNt Number

exp. Date

Name oF CarD hoLDer

sigNature oF CarD hoLDer

* SCCE will charge your credit card the correct amount should your total be miscalculated.

2006 Compliance & Ethics Institute � � Until�8/16/06� After�8/16/06

❑ SCCE Members . . . . . . . . .$699 . . . . . . . . . . . . . $799❑ Non-Members . . . . . . . . . .$799 . . . . . . . . . . . . . $899❑ Become a Member

& Register . . . . . . . . . . . . .$849 . . . . . . . . . . . . . $949 (New members only.)

❑ Student . . . . . . . . . . . . . . . . .$50 . . . . . . . . . . . . . . $50❑ Students: Become a

Member & Register . . . . . .$100 . . . . . . . . . . . . . $100 (Student ID verification may be required.)

❑ Pre-Conference . . . . . . . .FREE . . . . . . . . . . . . . $100

CEI06-CE

Questions?�Call SCCE at 888-277-4977

Save $100 off your first year of membership! Annual dues are normally $250.


��August 2006


an explanation of the scoring criteria. It is important to also real-ize that some financial institutions will score either moderate or high. Not all financial institutions can be of low risk for AML / BSA. Many risks presented within the financial services industry are inherent. The purpose of the AML / BSA risk assessment is to identify where that inherent risk lies and properly put in place policies and procedures to mitigate that risk.

Once your AML / BSA Risk Assessment has been completed, put it into action and make it operational. Your AML / BSA Risk Assessment should be a working document. At minimum, it is recommended that your assessment of AML / BSA risk should take place on an annual basis. Risks need to be reevaluated as the business changes. Changes within the financial institution must be accompanied by a commensurate change in the AML / BSA Risk Assessment. As a result of the fast paced environment of the finan-cial services industry, the AML / BSA Risk Assessment have a lim-ited life expectancy. It should be reviewed as circumstances dictate and keep pace with the changes and complexities of AML risk. ■

The ideas and viewpoints included in this article are those of the

author, and may not be representative of U.S. Bancorp,

and its subsidiaries.

Financial institution’s enterprise AML risk ...continued from page 23

The Complete Compliance

and Ethics ManualAn accurate, comprehensive, and

authoritative reference source! Save time by improving the efficiency

of your compliance program. The manual comes with the full-version CD.

Member rate $315.00 / Non-Member rate $349.00

The Complete Compliance and Ethics Manual includes more than 400 double-sided pages filled with up-to-date, valuable information on current compliance issues. Large, attractive three-ring binder with color front, spine, and back cover.

Three ways To order: Mail to: SCCEVisit: www.corporatecompliance.org 6500 Barrie Road,

Suite 250Fax: 952-988-0146 Minneapolis, MN 55435

For more details call 1-888-277-4977

Call for Authors – Compliance & EthicsCompliance & Ethics is a bi-monthly peer review journal offering articles written by members and other compli-ance experts related to corporate ethics and culture, compliance programs, enforcement actions, and new and changing regulations. C&E publishes a wide range of articles for professionals in all industries. SCCE is looking for authors to write articles for this informative publication.

Please e-mail your articles or topic ideas to the Compliance & Ethics story editor, Marlene Robinson, at [email protected]. Be sure to include your telephone number, or you may call Marlene at (888) 277-4977 to discuss your article.

Deadlines

• August 20, 2006 (October issue)

• October 20, 2006 (December issue)

• December 20, 2006 (February 2007 issue)

��August 2006


Corporate compliance:

Is there a second chance after

committing an environmental

crime?By Thomas M. DiBiagio J.D.

Editor’s Note: Thomas DiBiagio is a Principal in the Washington, D.C. and Baltimore offices of Beveridge & Diamond, P.C., where he focuses his practice on com-plex civil litigation, white collar criminal defense, corporate compliance issues, and internal investigations. Mr. DiBiagio is a seasoned civil and criminal trial lawyer and litigator with over eighteen years of experience before federal and state courts, covering a wide range of areas including commercial litigation and white collar crime. Thomas Dibiagio Contact: [email protected]

Background

Your company pled guilty in fed-eral court to negligent violations of environmental and safety

laws and false statement. These criminal convictions were the result of a fire that resulted during the transportation of a haz-ardous waste. The fire also resulted in two employees being injured. During the sub-sequent investigation, the plant manager lied to federal investigators. As part of the sentence, your company was ordered to pay $9 million in fines and restitution and undertake certain safety and environmen-tal upgrades at the facility.

Is a company convicted of committing an environmental crime ever given a second chance by the government? This article discusses the legal and practical consequences to a company following a criminal conviction for committing an environmental crime and how a compa-ny’s compliance program can mitigate this impact.

Discussion

Clearly, there are a number of legal and practical consequences resulting from a criminal conviction of a company. Typically, in the event of a second or sub-sequent conviction, these consequences include increased penalties and other sanctions. This is especially true in the event of a subsequent conviction aris-ing from an environmental and/or safety matter. Moreover, there are several recent developments in the area of corporate prosecutions that could have a significant effect on future enforcement of environ-mental and safety laws against a company.

Recent developments in environmental

enforcement actions

The following developments in corpo-rate enforcement activity could have a

significant impact in the event of a vio-lation of law by a company, particularly if that violation involves environmental or safety requirements.

Thompson Memo On January 20, 2003, then U.S. Deputy Attorney General Larry D. Thompson issued a memorandum (known as the “Thompson memo”) concerning charging decisions entitled “Federal Prosecution of Business Organizations.” The Thompson memo sets forth a two-step process that should be consulted in deciding whether to seek criminal charges against a corporation. One of the factors identified is the corporation’s prior criminal record.

According to the Thompson memo, prosecutors should apply the same fac-tors used in determining whether to seek charges against an individual: ■ The sufficiency of the evidence.■ The likelihood of success at trial.

Due to the nature of the corporate “per-son” when exercising prosecutorial dis-cretion, some additional factors should be considered:

th

OM

AS

M. D

IbIA

GIO


��August 2006


■ The nature and seriousness of the offense—including the risk of harm to the public, and policies and priorities governing the prosecution of corpora-tions for particular categories of crime.

■ The pervasiveness of wrongdoing within the corporation—including the com-plicity in, or condoning of, the wrong-doing by corporate management.

■ The corporation’s history of similar conduct—including prior criminal, civil, and regulatory enforcement actions against it.

■ The corporation’s timely and volun-tary disclosure of wrongdoing and its willingness to cooperate in the inves-tigation of its agents.

■ The existence and adequacy of the corporation’s compliance program.

■ The corporation’s remedial actions, including implementing an effec-tive corporate compliance program, improving an existing one, replacing responsible management, disciplining or terminating wrongdoers, paying restitution, and cooperating with the relevant government agencies.

■ The disproportionate harm to share-holders and employees not proven per-sonally culpable, and the impact on the public arising from the prosecution.

■ The adequacy of the prosecution of individuals responsible for the corpo-ration’s malfeasance.

■ The adequacy of non-criminal rem-edies such as civil or regulatory enforcement action.

Prosecution priorities

On May 2, 2005, the U.S. Department of Justice (“DOJ”) announced that a joint task force had been formed to involve the Environmental Protection Agency (“EPA”) and DOJ, jointly inves-tigating and prosecuting workplace safety

and environmental violations. This new initiative seeks to bring together a coor-dinated criminal task force aimed at busi-nesses and corporations that repeatedly violate federal safety and environmental regulations. This new enforcement effort and emphasis on criminal prosecutions represents a significant cultural change in the way workplace safety issues will be addressed by the federal government. Government officials indicated that they intend to target corporations that have a “significant record” of work safety and environmental violations and to seek sig-nificant prison sentences.

For example, on April 26, 2006, a New Jersey manufacturer, Atlantic States Cast Iron Pipe Co., and four company officials were found guilty of committing flagrant abuses of environmental and worker safety laws. The evidence at trial showed that the defendants had regularly dis-charged oil into the Delaware River, con-cealed serious worker injuries from health and safety inspectors, and maintained a dangerous workplace that contributed to multiple severe injuries and the death of one employee at the Phillipsburg, New Jersey plant.

The thirty-four count indictment charged Atlantic States, a subsidiary of McWane Inc. of Birmingham, Alabama, and the named managers, with con-spiracy to violate federal clean air and water regulations and laws governing workplace safety, as well as obstruction of criminal and regulatory investigations by the EPA and Occupational Safety and Health Administration.

After the verdict, Sue Ellen Wooldridge, Assistant Attorney General for the Justice Department’s Environment and Natural

Resources Division stated that: “As a multiple offender, McWane has time and again shown a disturbing indifference towards the health and safety of their workers and a blatant disregard for the natural environment we all share. Today’s conviction shows that the Department of Justice takes seriously its responsibility to enforce the nation’s environmental laws. And when companies or individuals break them with such shocking regular-ity, they will be vigorously prosecuted.”

Impact of prior conviction on

prosecutorial decisions and other

matters

Decision to pursue a criminal investigation. Because federal law enforce-ment officials are limited in the number of cases that can be investigated, officials are typically inclined to focus on matters that involve “repeat offenders” and harm to human health or the environment.

Decision to bring criminal charges. Prosecutors typically consider seven fac-tors when deciding to charge an envi-ronmental crime: (1) extent of environ-mental and human harm or risk of harm; (2) extent of economic gain or loss; (3) evidence of criminal intent; (4) prior criminal and administrative record; (5) strength and quality of the evidence; and (6) acceptance of responsibility, coopera-tion and willingness to remediate. In addition, the government typically looks to see if there is any provocative evidence to demonstrate an overall corporate cul-ture of corruption and motive to seek profit and reduce costs at the expense of environmental compliance. Therefore, the success of the government’s case depends on its ability to convince the jury that the mistakes made reflect a cor-porate culture of non-compliance.

Is there a second chance after environmental crime? ...continued from page 2�

��August 2006


Moreover it would follow that in the case of a second or subsequent environmental or safety compliance breach, prosecutors may conclude that the “company” has failed to “learn its lesson” and may look to prosecute senior management.

The following are specific questions that are typically asked during a charging conference where prosecutors discuss whether to charge an organization with an environmental crime:■ Does the evidence indicate that the

violations identified were caused by judgments made by individuals or a culture of corporate corruption or corner cutting?

■ Does the evidence show that there was a financial motive behind the viola-tions made?

■ Does the evidence show that the organization: (A) failed to timely undertake any preventive or corrective maintenance; (B) failed to accurately report the operational status of any critical pieces of equipment; (C) failed to timely repair certain pieces of critical equipment; (D) by-passed any control device; or (E) discharged any pollutant into the environment?

■ Does the evidence indicate that bud-get concerns constrained compliance activity?

■ Does the evidence show that worker safety was compromised?

■ Did the organization self-report and/or cooperate in the investigation, by turning over documents and making its employees available for interviews?

■ Does the evidence indicate that the organization underwent meaningful and independent compliance reviews?

■ Does the evidence indicate that the organization underwent regular and robust compliance and ethics training?

■ Does the evidence indicate that the organization substantially increased the personnel and resources dedicated to environmental compliance?

■ Does the evidence indicate that the organization disciplined or removed any individuals for failing to maintain compliance standards?

Finally, prosecutors may be more inclined to consider charging individuals when an organization is involved in a second subsequent incident.

Impact of prior conviction at trial.Under Rule 404(b) of the Federal Rules of Evidence, at trial the government may be permitted to introduce evidence of its prior conviction to show an absence of mistake or accident, common scheme, common fraud, or culture of corruption.

Impact of prior conviction at future sentencing. As a general matter, a company’s prior conviction and sentence would be relevant and considered by the judge in imposing a sentence for a sec-ond and subsequent conviction. Under 18 U.S.C. Section 3553(c), the prior conviction would be considered as rel-evant to the court’s consideration of the defendant’s prior criminal history and the need to deter the organization from com-mitting further crimes. In addition, under the Federal Sentencing Guidelines, one of the factors that can increase the ulti-mate punishment of an organization is its prior criminal record. In particular, if the instant offense is committed less than 5 years or less than 10 years after a criminal adjudication based on similar conduct, its culpability score under the guidelines would be increased accordingly.

Finally, a second and subsequent con-

viction under several environmental statutes would expose the Company to double the maximum penalty and fine.

Mitigating the effect of the prior

conviction

There are several critical ways that an effec-tive compliance program (as defined under the Federal Sentencing Guidelines for Organizations) could serve to detect and deter criminal conduct. In addition, a com-pliance program could mitigate the impact of a prior conviction on a subsequent enforcement action. Undertaking the following steps, so that evidence of these steps could be presented in the event of an enforcement action, could be helpful:■ Upgrade environmental and safety

compliance measures, and ensure a corporate culture of compliance throughout the company.

■ Undertake regular and independent review of the company’s environmen-tal and safety performance.

■ Ensure that responsibility for envi-ronmental and safety performance is vested with senior management and those individuals are held accountable for any deficiencies.

■ Ensure that financial support for envi-ronmental and safety compliance is robust.

All of these measures would serve to demonstrate a serious commitment by a company to environment and safety compliance and mitigate several of the adverse inferences that could be drawn in connection with a subsequent enforcement action.

Conclusion

A company that is convicted of an envi-ronmental and safety crime is entitled to


�0August 2006


Editor’s Note: Bill Prachar has over thirty years experience in Compliance, Ethics, and Corporate Governance. Mr. Prachar is an attorney practicing with the Compliance Systems Legal Group (CSLG). Because he has an extensive business, as well as legal background, he specializes in the practical issues associated with develop-ing and implementing effective ethics and compliance programs. He can be reached via-email at [email protected]

The revised Organizational Sentencing Guidelines (OSG) challenge all compliance and

ethics professionals (C&E) to think cre-atively about communications across the organization. Periodic and formal train-ing programs are not enough.

The Guidelines state at §8B2.1(b)(4)(A): The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and proce-dures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conduct-ing effective training programs and other-wise disseminating information appropri-ate to such individuals’ respective roles and responsibilities.

While this is just a slight broadening of the original language which pointed to training and disseminating of publica-tions as the appropriate tools for effec-tive communications, there is clear direc-tion. Both the Guidelines and industry best practices state that to be effective

in informing conduct, communications must employ the same techniques our organizations use to deliver important business-related messages. These com-munications need to go beyond training classes and publications, for at least three reasons.

First, the OSG communications provi-sion must be read in conjunction with the other guidance given in §8B2.1. The subsection quoted above is one of the minimum steps required to “promote an organizational culture that encourages ethi-cal conduct and a commitment to compli-ance with the law.” This new emphasis on developing a “culture” of compliance raises the stakes. Compliance professionals have known for years that bad things seldom happen because people don’t know the rules—bad things usually happen because people don’t follow the rules they know. Trying to build a culture of compliance requires us to take a more sophisticated look how organizational culture is shaped and, when necessary, changed.

Second, the emphasis of the revised OSG is on the use of the same tools companies use to successfully manage their business affairs in managing their C&E affairs. For example, §8B2.1(b)(6) requires promotion of the culture of compliance through consistent use of incentives and discipline. Similarly §8B2.1(b)(2)(C) suggests that people engaged in the day-to-day C&E work must actually report to senior manage-ment and, when appropriate, the Board.

For managers used to achieving business success, neither of these steps are rocket science. Business objectives are achieved by comprehensive, and often complex, incentive programs, and business failure usually results in some sort of economic “discipline.” The clearer the channels of communications from those doing the work to those managing it, the more likely project success will be achieved.

Third, we need to look to how outsid-ers see our programs. The best place to look is probably the Department of Justice Thompson Memorandum. The Thompson Memorandum, and the pre-decessor Holder Memorandum, both focus on the need to have a program that is more than a “paper program.” The program needs to have demon-strable life, or put more colloquially, it needs to have “soul.” The only way prosecutors and regulators have to judge this is by looking at how a company promotes those initiatives it really wants to be successful.

For instance, a safety campaign, or an effort to control costs, invariably will be supported by a barrage of communica-tions from leaders at all levels. There will be periodic memos and cheerleading from

Communicating business ethics &

complianceBy Bill Prachar

bIL

L P

RA

Ch

AR

��August 2006


the CEO. There will be weekly discussions at staff meetings. There will be tchotchkes, games, frequently changed posters, and employee testimonials. The list goes on and on. In short, when companies want to accomplish a goal, there is no shortage of communication techniques involved.

Do we see the same level of commu-nications in a C&E campaign? Maybe occasionally, particularly at the launch of a program, but on a sustained basis the answer is usually “no.” We get one CEO speech, a memo, or an appearance on a training video once a year, if we are lucky. Senior local leaders fare little bet-ter. They are focused on meeting their business objectives, which is, as most of them see it, their real job.

Employees are great at smelling out what is really important in a company. They take their cues from their local leaders and from what appear to be the important messages from senior leaders. Thirty-seven memos on meeting targets vs. one on behaving ethically will be adhered to in something close to the same ratio. Even the best purchased on-line training program cannot compete effectively against a competing contrary message delivered by a manager who “signs the pay checks.”

Here’s the real rub about all this. Communications are cheap. Regular, var-ied, credible communications can be done at virtually no cost. The communications infrastructure is in place in virtually every organization. I don’t mean computers, an Intranet, and streaming video, although these are clearly useful. What I mean is the management structure that carries out business objectives. These are the commu-nicators who can affect culture.

This means our organizations must: ■ Offer incentives to managers at all

levels to engage in the communica-tions and program support process as a regular part of their management responsibilities;

■ Provide the messages, training and delivery tools they need to communi-cate effectively on C&E matters; and,

■ Demand accountability for delivering these messages.

This is what companies do when they want to achieve business objectives. It is very difficult to explain to a prosecu-tor why compliance and ethics is not important enough to deserve the same treatment and the same resources. Unfortunately, when one looks through a prosecutor’s glasses, it’s what one sees.

As C&E professionals, our primary objec-tive should be to develop an annual com-munications program which lays out a plan for regular communications through-out the year. I suggest building in what I like to call the “drip, drip, drip” method of communications—lots of short, palatable, non-preachy, varied C&E messages deliv-ered on a regular, repetitive timetable. This approach helps assure that the importance of C&E to the company is never lost to employees. If something is said enough, by the right people, it must be important.

Develop and supply managers with bite-sized C&E messages that they can deliver on a regular basis. Remind your CEO and other senior leaders at least once a month to include a C&E mes-sage in their communications. The tools are in place—use them.

Good training is an important part of an effective communications strategy. But

at the end of the day, nothing is more effective than regular reminders from the boss that doing it right is the right thing to do. ■

a second chance. However, this second chance has to be managed with a deliberate commitment to environ-mental compliance. There is no better way to demonstrate this commitment than through a meaningful compli-ance program. (An effective program is first a means of reducing occur-rences of misconduct; and since there is no failsafe method of preventing all violations, a compliance program at least provides documentation of a good faith effort by the company, that can mitigate the impact of a past and current conviction.) ■

Is there a second chance after

environmental crime?

...continued from page 29

CORRECTIOnS:

Compliance & Ethics June 2006 Issue

Compliance & Ethics Advisory Board Rick Kulevich, JD Associate General Counsel, Aon Service Corporation

SCCE New Member Wayne Whelchel Whelchel Medical Consultants Inc.

We apologize for any inconvenience.

��August 2006


· Hotline and Web Reporting · Information Management · Case Management· Awareness Campaigns

Global Compliance empowers organizations to implement internal controls that addressgovernance, risk management, and compliance. With over 25 years of experience andunparalleled expertise, Global Compliance provides products and services that mitigaterisk and maintain employee and stakeholder confidence.

Trust the outsourced ethics and compliance leader that is already serving nearly one-half of America's Fortune 100 and one-third of America's Fortune 1000 corporations alongwith major universities and many major European-based multinational corporations.

Cultivating Corporate Ethics and Integrity Worldwide

· Interactive Training · Compliance Evaluations· Validation and

Measurement Tools

13950 Ballantyne Corporate Place, Charlotte, NC, USA 28277 • 800-876-6023 • e-mail: [email protected] • www.globalcompliance.com

© 2006 Global Compliance. All Rights Reserved.

Making the world a better workplaceTM

��August 2006


· Hotline and Web Reporting · Information Management · Case Management· Awareness Campaigns

Global Compliance empowers organizations to implement internal controls that addressgovernance, risk management, and compliance. With over 25 years of experience andunparalleled expertise, Global Compliance provides products and services that mitigaterisk and maintain employee and stakeholder confidence.

Trust the outsourced ethics and compliance leader that is already serving nearly one-half of America's Fortune 100 and one-third of America's Fortune 1000 corporations alongwith major universities and many major European-based multinational corporations.

Cultivating Corporate Ethics and Integrity Worldwide

· Interactive Training · Compliance Evaluations· Validation and

Measurement Tools

13950 Ballantyne Corporate Place, Charlotte, NC, USA 28277 • 800-876-6023 • e-mail: [email protected] • www.globalcompliance.com

© 2006 Global Compliance. All Rights Reserved.

Making the world a better workplaceTM

The Thompson Memo: Implications of the Stein decision

for corporate compliance

By Rebecca Walker, JD

RE

bE

CC

A W

ALK

ER

Editor’s Note: Rebecca Walker, JD, is a partner in the law firm Kaplan & Walker LLP, a law firm specializing in corporate compliance, ethics and governance, with offices in Santa Monica, California and Princeton, New Jersey. Ms. Walker advises clients on the development and implemen-tation of ethics and compliance programs. Ms. Walker is the author of “Conflicts of Interest in Business and the Profession; Law and Compliance,” West Publishing (2005). The views expressed herein are the views of the author and do not necessarily represent the views of the Kaplan & Walker LLP. The author wishes to thank Aaron Grieser for his assistance in the prepara-tion of this article. Rebecca Walker can be reached at: [email protected]

The Thompson Memorandum1 is one of the few key bricks in the foundation of corporate

compliance law. That memo, which sets forth the factors that federal prosecutors are to consider when determining wheth-er to indict an organization (as opposed to an individual) for the purported crimi-nal conduct of its employees or other agents, requires prosecutors to consider—among other factors—the existence and adequacy of the corporation’s compliance program when making a charging deci-sion. In other words, it establishes the existence of an effective compliance pro-

gram as a means for corporations poten-tially to avoid prosecution.

On June 26, 2006 Judge Lewis Kaplan, U.S. District Judge for the Southern District of New York, issued a decision finding the Thompson Memorandum unconstitutional to the extent that it required prosecutors, in determining whether to indict KPMG for establish-ing purportedly fraudulent tax shelters, to consider whether KPMG would advance attorneys’ fees to its partners and employees who were also under investiga-tion.2 The court in United States v. Stein also found unconstitutional the conduct of the U.S. Attorney’s Office for the Southern District of New York (USAO) to the extent that the USAO threatened to consider the advancement of attorneys’ fees in determining whether to indict KPMG.

This is the second time in the past couple of years that one of the bedrocks of corpo-rate compliance law has been dealt a glanc-ing blow by the federal courts. The first such occasion, of course, was the Supreme Court’s decision in United States v. Booker3 finding the mandatory nature of the Sentencing Guidelines unconstitutional. Compliance practitioners can rest assured, however, that Judge Kaplan’s ruling con-tains nothing that might weaken the value

of a company’s compliance efforts. It seems unlikely, for example, that the government will abandon its attempt to guide pros-ecutorial discretion in light of the Stein decision, and the existence and adequacy of a company’s compliance program will likely continue to be an important factor to be considered by prosecutors. What the decision does contain is useful guidance for companies and their lawyers contem-plating the investigation of suspected mis-conduct and potential criminal prosecu-tion. What follows is a discussion of the Thompson Memorandum and its value to the field of corporate compliance, followed by a description of Judge Kaplan’s decision and its potential implications for compli-ance programs.

The Thompson Memorandum

In June 1999, the Department of Justice (DOJ) issued a memorandum to federal prosecutors entitled “Federal Prosecution of Corporations,” which became known as the Holder Memo after its author, (then) Deputy Attorney General Eric Holder. The Holder Memorandum was revised in 2001 by (then) Deputy Attorney General Larry Thompson, renamed “Principles of Federal Prosecution of Business Organizations,”


��August 2006

need to disCuss diffiCult ComplianCe issues?

SCCEcanhelp!AsanSCCEmemberyou’llhaveaccesstotop-levelinsightsandworking

solutions.Meetings,conferencesandtheSCCEMembershipDirectory

allaffordyouvaluableopportunitiestodiscussdifficultissueslike...

StandardsofConductSarbanes-Oxley

ComplianceProgramDesignComplianceResources

ProtectionfromFraudandAbuseBenchmarkingTools

BestPracticesForumJobDescriptions

IntegratingSoftwareSolutionsSelfAssessments

TrainingProgramsComplianceAudits

TheSCCEWebsiteoffersanonlinemembershipdirectory

andspecial-interestforumtofacilitatenetworking!

The SCCE is the only non-profit organization solely dedicated

to improving corporate compliance.Who� Joins� SCCE? Executives, managers, officers, and directors of corporations, institutions, government agencies, individual and group providers, and entrepreneurs, in all segments of the corporate industry!

Corporate compliance includes numerous issues such as ethics, education and train-ing, Sarbanes-Oxley, SEC, auditing and monitoring procedures, investigations, enforcement, and due diligence to prevent and detect violations of law.

You may already have a strong compliance program in place, but changing times demand more. Would you like to join in developing a culture that says, “Let’s do it right!” Here’s your opportunity to expand your professional resource network and help your staff excel! Let SCCE membership help to move you and your organization closer to a total compliance spirit.

A pro-compliance mindset is a must for all of us involved with corporate compliance.WELCOME TO OUR SOCIETY!

Become a member today!

TOTAL: Please type or print:

FIRST NAME LAST NAME

DEgREE(S) / LICENSE(S)

TITLE(S)

COMPANY / INSTITUTION

DEPARTMENT

MAILINg ADDRESS

CITY STATE ZIP

TELEPHONE ( )

FAx ( )

E-MAIL ADDRESS

paymeNt iNFormatioN: Check enclosed Charge my credit card: MasterCard VISA

ACCOUNT NO.

NAME ON CARD

SIgNATURE ExP. DATE /

Please make your check payable to SCCE.Fax your order form (credit card orders only):�952-988-0146.

Send�your�order�form�to: Society of Corporate Compliance and Ethics 6500 Barrie Road, Suite 250 Minneapolis, MN 55435

For�information�call�888-277-4977�or�e-mail�[email protected] Tax ID: 23-2882664 Prices subject to change without notice.

Make�Compliance�Part�of��Your�Corporate�Culture!

Membership�ApplicationeduCationalproGrams

professionalnetwork

newsletters and memBer updates

interaCtive weB site www.CorporateComplianCe.orG

ComplianCe workshops

CooperativeproGrams...with other national orGanizations

annual nationalConferenCe

memBer disCounts...and more!

• To promote quality compliance programs and to introduce and maintain them

• To provide a forum for interaction and information exchange

• To enable our members to contribute to the development of industry standards and excellence in compliance programs

• To create vital and timely educational opportunities for the rapidly chang-ing corporate compliance industry

sCCe’s mission

major funCtions

memBership serviCes inClude

SCCE exists to champion ethical practice and compliance standards in the corporate community and to provide the necessary resources for compliance professionals and others who share these principles.

IndividualMembership($295)MultipleEmployeeMembership($250/ea.)

(4ormoreemployeesfromsamecompany)CorporateMembership($1,500)GovernmentorStudent($150)

PleaseacceptmyapplicationforSCCEMembership!Yes!Y

��August 2006


and is now referred to as the Thompson Memorandum, or the Thompson Memo.

Prosecutors have substantial discretion in determining whether to indict a corpora-tion for violations of federal criminal law. The Thompson Memo provides that, in exercising that discretion, prosecutors should weigh all of the factors “normally considered in the sound exercise of pros-ecutorial judgment: the sufficiency of the evidence; the likelihood of success at trial; the probable deterrent, rehabilitative, and other consequences of conviction; and the adequacy of non-criminal approaches.”4 The Memo goes on to provide that, due to the special nature of a business orga-nization, prosecutors should consider the following additional factors:

1. the nature and seriousness of the offense, including the risk of harm to the public, and applicable policies and priorities, if any, governing the prosecution of corporations for par-ticular categories of crime;

2. the pervasiveness of wrongdoing within the corporation, including the complic-ity in, or condonation of, the wrongdo-ing by corporate management;

3. the corporation’s history of similar conduct, including prior criminal, civil, and regulatory enforcement actions against it;

4. the corporation’s timely and voluntary disclosure of wrongdoing and its will-ingness to cooperate in the investiga-tion of its agents, including, if neces-sary, the waiver of corporate attorney-client and work product protection;

5. the existence and adequacy of the corporation’s compliance program;

6. the corporation’s remedial actions, including any efforts to implement an effective corporate compliance pro-

gram or to improve an existing one, to replace responsible management, to discipline or terminate wrongdoers, to pay restitution, and to cooperate with the relevant government agencies;

7. collateral consequences, including dis-proportionate harm to shareholders, pen-sion holders and employees not proven personally culpable, and impact on the public arising from the prosecution;

8. the adequacy of the prosecution of individuals responsible for the corpo-ration’s malfeasance; and

9. the adequacy of remedies such as civil or regulatory enforcement actions.5

Adequacy and existence of a

compliance program

Of course, the factor that makes the Thompson Memo so salient to the law of corporate compliance is factor 5: the existence and adequacy of the company’s compliance program.6 However, compli-ance programs are discussed in two addi-tional sections of the Memo, including the discussion regarding cooperation and voluntary disclosure set out in factor 4. In that section, the Memo provides that the DOJ “encourages corporations, as part of their compliance programs, to conduct internal investigations and to disclose their findings to the appropriate authori-ties.”8 In the section of the Memo regard-ing restitution and remediation (factor 6), the Memo instructs prosecutors to con-sider any remedial actions taken by the corporation after the commission of the offense, including efforts to implement an effective compliance program.9

The Thompson Memo also discusses those factors that prosecutors should consider in evaluating whether a compliance program is adequate. This guidance has been valu-able to compliance practitioners in design-

ing and implementing effective compli-ance programs. In assessing programs, prosecutors are instructed to consider whether the corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct, such as whether directors exercise indepen-dent review and are provided with infor-mation sufficient to enable the exercise of independent judgment, whether internal audit functions are conducted at a level sufficient to ensure their independence and accuracy, and whether directors have established an information and reporting system reasonably designed to provide management and the board of directors with timely and accurate information suf-ficient to allow them to reach an informed decision regarding the organization’s com-pliance with the law.10

Prosecutors are also directed to determine:(i) whether a corporation’s compliance

program is merely a “paper program” or whether it was designed and imple-mented in an effective manner;

(ii) whether the corporation has provided for a staff sufficient to audit, docu-ment, analyze, and utilize the results of the corporation’s compliance efforts;

(iii) whether the corporation’s employees are adequately informed about the compliance program and are con-vinced of the corporation’s commit-ment to it; and

(iv) whether the program is designed to detect the particular types of miscon-duct most likely to occur in a particu-lar corporation’s line of business.11

Cooperation and voluntary disclosure

Judge Kaplan’s decision in Stein focused not on the section of the Thompson Memorandum regarding compliance

The Thompson Memo ...continued from page 33

��August 2006


programs, but instead on factor 4: a corporation’s timely and voluntary dis-closure and willingness to cooperate in the investigation of its agents. In assessing cooperation, prosecutors are to consider a corporation’s willingness to identify the “culprits”; to make witnesses available to the government; to disclose the complete results of its internal investigation; and to waive attorney-client and work product protection.12 The Memo states that one factor to weigh in assessing the adequacy of an organization’s cooperation is whether the organization “appears to be protecting its culpable employees and agents.” Thus, while cases will differ depending on the circumstances, a corporation’s promise of support to culpable employees and agents, either through the advancing of attorneys fees, through retaining the employees without sanction for their misconduct, or through providing information to the employees about the government’s investigation pursuant to a joint defense agreement, may be considered by the pros-ecutor in weighing the extent and value of a corporation’s cooperation.”13 Thus, the Thompson Memo makes a corporation’s payment of attorneys’ fees for its employ-ees a factor weighing in favor of prosecu-tion of the organization.

The facts of the Stein Case

In early 2004, the Internal Revenue Service made a criminal referral to the DOJ related to its investigation of tax shelters created by KPMG and others. The DOJ gave the case to the United States Attorney’s Office for the Southern District of New York (the USAO), which then had to determine whether to indict KPMG and the individuals under investigation for the alleged misconduct. Especially in light of the recent demise of Arthur Andersen, KPMG was understandably anxious to

avoid indictment. KPMG’s lawyers went to great lengths to persuade the USAO that KPMG was being cooperative with the government’s investigation and was in “full compliance with the Thompson Guidelines” in order to persuade the gov-ernment not to indict the firm.14

During meetings and telephone calls between the USAO and attorneys for KPMG, the USAO raised the issue of whether KMPG intended to pay the attorneys’ fees of present and former employees who were under investiga-tion. The court in Stein found that the USAO “deliberately, and consistent with DOJ policy, reinforced the threat inher-ent in the Thompson Memorandum”15 that payment of attorneys’ fees would be weighed against the firm in a deter-mination of whether to indict. KPMG responded to this “threat” by capping the amount of attorneys’ fees that it would advance and making clear that payment would cease upon an individu-al’s being indicted by the government.16

In August 2005, KPMG entered into a Deferred Prosecution Agreement (DPA) with the government, wherein it agreed to waive indictment, admit wrongdo-ing, accept restrictions on its practice, and pay a $456 million fine.17 The DPA requires KPMG to continue to cooper-ate “fully and actively” with the USAO in its investigation. Subsequently the government indicted individual defen-dants, and KPMG stopped paying the legal fees of those individuals.18

In January, those defendants who are former KPMG employees moved to dismiss the indictment, or for other relief, on the grounds that the govern-ment had improperly interfered with

KPMG’s advancement of attorneys’ fees in violation of their constitutional and other rights. The court ordered an evidentiary hearing on the issue of whether the government, “through the Thompson Memorandum or otherwise, affected” KPMG’s decisions with respect to advancing legal fees.19

The decision

In his decision, Judge Kaplan traced the roots of the common law doctrines of employer indemnification20 and advance-ment,21 finding that KPMG had an “unbroken record” of advancing legal costs to partners and employees,22 and that the defendants had “every reason to expect” KPMG to cover their legal costs.23 Kaplan found that the Thompson Memorandum caused KPMG to consider departing from its long-standing policy of paying legal fees, and that the USAO “deliberately, and consistent with DOJ policy, reinforced the threat inherent in the Thompson Memorandum.”24 As Judge Kaplan colorfully stated, “KPMG refused to pay because the government held the proverbial gun to its head.”25

The court then held that “so much of the Thompson Memorandum and the activities of the USAO as threatened to take into account, in deciding whether to indict KPMG, whether KPMG would advance attorneys’ fees to present or for-mer employees in the event they were indicted for activities undertaken in the course of their employment interfered with the rights of such employees to a fair trial and to the effective assistance of counsel and therefore violated the Fifth and Sixth Amendments to the Constitution.”26 The court also ordered the government to adhere to its representation made during


��August 2006


Eight reasons compliance training

doesn’t stick: Making a lasting

difference By Stephen Paskoff Esq.

Editor’s Note: Stephen M. Paskoff, Esq., is the founder and President of ELI, a training company that teaches professional workplace conduct, helping clients trans-late their values into behaviors, increase employee contribution, build respectful and inclusive cultures, and reduce legal and ethical risk. He pioneered the development of interactive, engaging training address-ing fair employment issues by providing practical skills people can apply everyday at work. Paskoff Contact: [email protected]

While the number of ethics and compliance training offerings has prolifer-

ated over the past few years, one of the most common complaints I hear from executives is that people don’t seem to be bringing what they’ve learned back into the workplace. The training fulfills a need to “check the box” as it relates to compli-ance requirements, but it’s not having an impact on daily behavior and the overall workplace culture. The problem can usu-ally be traced to several, if not all, of the following common pitfalls.

1. Lack of strategic alignment

Many leaders, caught up in the barrage of regulatory information and compliance requirements, seem to lose sight of the broader reasons for implementing ethics and compliance programs. Setting up a hotline and putting training in place to

demonstrate compliance are relatively easy tasks. Taking a step back and look-ing at how ethics and compliance issues fit into the organization’s overall strategic direction is a different issue entirely—and one that must be addressed even before decisions are made about what type of training should be implemented.

Move beyond the rhetoric: Ethics and compliance issues are inherently tied to the business’s success, and just as with any other mission-critical initiative, there needs to be a clear link between a compli-ance program and the overall business goals. Without it, the initiative will lose focus, emphasis, and momentum, and employees will sense it’s simply a “flavor of the month” project that need not be taken too seriously. What is “strategic alignment?” Strategic alignment is a company’s clear explanation of how and why behaving ethically and with integrity is crucial to the organization’s success. Because this is an organization’s first best chance to get everyone on board with a compliance training initiative, leaders need to apply the same proven techniques they employ in other strategic planning initiatives, from business alignment, com-munication, and tracking, to reinforce-ment, measurement, and accountability.

2. Messages don’t reflect reality

With the passage of recent laws and regu-

lations, most leaders have begun com-municating messages to their employees about the code of conduct, hotlines, and a commitment to operating legally and ethically. These communications are important, but all too often, they don’t reflect the reality of what’s going on in the workplace. Rank-and-file employees will be more inclined to believe what they see everyday in their work environ-ment rather than the messages delivered down from remote or rarely seen leaders. For example, if an employee’s only con-tact with management is his or her local branch manager or department manager, then it is crucial for that manager to set the ethics and compliance example. In other words, tone at the top depends on where the “top” is for employees in the field. If managers set a poor example, people are retaliated against for raising concerns, or others are “let off the hook” for their egregious behavior because of their power or status, the messages and training will be undermined at every step.

Close the loop: Effective, comprehen-sive ethics and compliance programs are those that operate continuously. Messages must be consistent, repeated, and enforced, and not just by senior


StE

Ph

EN

PA

SK

OFF

��August 2006


the evidentiary hearing that any payments by KPMG of defense costs would not be considered in determining whether KPMG has complied with the Deferred Prosecution Agreement, and ordered the Clerk to open a civil docket number to accommodate claims for advancement of attorneys’ fees by the KPMG defendants.27

Judge Kaplan’s decision makes clear that, as the government seeks to “deputize” cor-porate America in the fight against busi-ness crime—a trend that, in many ways, began with the U.S. Sentencing Guidelines and the incentive therein offered for organizations to adopt formal programs to prevent and detect violations of the law—there may be important implications for the manner in which corporations treat their employees who are suspected of misconduct. To the extent that a corpora-tion is acting at the government’s behest or under government threat, the corporation’s conduct may in some ways be attributed to the government.28

In addition, and more importantly from the corporation’s perspective, this “deputiza-tion” of corporate America creates risks for employees who are under investigation. Under the Thompson Memo, as was vividly illustrated by the facts in Stein, corporations may be forced to sacrifice their employ-ees—as well as principles such as the right to counsel and the presumption of inno-cence—in order to maximize the possibility of avoiding prosecution. Judge Kaplan’s opinion, at least for the time being, creates more of a balance between the competing considerations of employees’ rights and companies’ self-preservation instinct.

So what does all this mean for

corporate compliance?

In that section of the Thompson Memo

regarding cooperation and voluntary disclosure, corporations are encouraged, “as part of their compliance programs, to conduct internal investigations and to disclose their findings to the appropriate authorities.”29 The Thompson Memo further provides that “prosecutors may consider a corporation’s timely and vol-untary disclosure in evaluating the ade-quacy of the corporation’s compliance program and its management’s com-mitment to the compliance program.”30 The way in which a company responds to suspected misconduct—from estab-lishing effective reporting procedures to investigation to discipline of wrongdo-ers—is a critical component of an effec-tive compliance program. Investigations of suspected criminality may also impli-cate non-trivial constitutional rights of employees.

In light of the considerations articulated in the Stein decision, companies may wish to revisit their policies governing investigations of suspected misconduct. Companies may also wish to enact (or revisit existing) policies or bylaws relating to advancement of legal fees, knowing that the government may be hindered from penalizing companies for abiding by such policies. Indeed, the Stein decision highlights the value of a review of traditional corporate gover-nance policies (such as bylaws, corporate governance guidelines, and committee charters) in light of their impact on and interplay with the various components of a corporate compliance program. Finally, we cannot ignore that a com-pany is a collection of individuals, most of whom would highly value some assur-ance of assistance if faced with a govern-ment investigation related to conduct undertaken on the company’s behalf.

Lastly—and perhaps most importantly from the perspective of corporate compli-ance—the Stein decision is a remarkable illustration of the importance of the Thompson Memorandum to the charging decision. To those of us who do not spend our days in the criminal defense world and may have had any doubts about its rele-vance, the comments and conduct of both the prosecutors in the Southern District of New York and KPMG’s defense lawyers vividly illustrate the crucial importance of the Thompson Memo once a government investigation is initiated. Given the pres-ence of compliance programs on that rela-tively short list, the Stein decision is a valu-able reminder of the significance of “the existence and adequacy of the corporation’s compliance program” when misconduct occurs at an organization. ■

1. United States Department of Justice, Memorandum Regarding Principles of Federal Prosecution of Business Organizations (Jan. 20, 2003), available at http://www.usdoj.gov/dag/cftf/corporate_guidelines.htm (hereinafter, “Thompson Memo”).2. U.S. v. Stein, S1 05 Crim. 0888 (LAK) (S.D.N.Y June 26, 2006).3. United States v. Booker, 543 U.S. 220, 125 S.Ct. 738, 160 L.Ed.2d 621 (2005).4. Thompson Memo at II.A.5. Id. at II.A. 6. Id. at VII.A.7. Id. at VI.B.8. Id. at VIII.A.9. Id. at VII.B.10. Id.11. Id. at VI.B.12. Id.13. U.S. v. Stein, S1 05 Crim. 0888 at 24 (S.D.N.Y June 26, 2006).14. Id. at 32.15. Id. at 19.16. Id. at 26.17. Id. at 27. 18. Id. at 30. 19. As Judge Kaplan points out in his opinion, agency law has long required indemnification of agents where “an agent has, without his own default, incurred losses or damages in the course of transacting the business of his agency, or in following the instructions of his princi-pal.” Id. at 34, quoting Joseph Story, Story On Agency § 339, at 413 (Charles P. Greenough ed. 1882).20. The right to indemnification cannot be established until after the defendant is found not guilty at trial. In the meantime, however, the common law doctrine of advancement provides that the employer is authorized to advance defense costs to employees and former employ-ees. Stein at 37 (citing e.g. Kaung v. Cole Nat’l Corp., 884 A.2d 500, 509-10 (Del.Sup.2005)); 8 West’s Del. C. Ann. § 145(e); see generally 3A Fletcher § 1344.10, at 560-61.21. Stein at 38.22. Id. Kaplan went further to suggest that the defendants may have “contractual and other legal rights to indemnification and advancement of defense costs,” but declined to decide that matter in the current deci-sion. Id. at 38-39, 73.23. Id. at 32.24. Id. at 2.25. Id. at 82-3.26. Id. at 83. The KPMG defendants filed a civil claim against KPMG for attorneys’ fees on July 10.27. Ironically, the charges levied by the government in the Computer Associates case in many ways presaged Judge Kaplan’s decision. In that case, the government charged employees with obstruction of justice for purportedly lying to Computer Associates’ counsel when the employees were aware that the company’s lawyers would pass the information on to the government. In other words, the government’s charges in Computer Associates contemplated treating corporate counsel as an extension of the government. In Stein, Judge Kaplan attributes corporate conduct to the government given the government’s pressure on KPMG. Judge Kaplan’s reasoning thus contains a similar (albeit reversed) notion regarding the deputization of corporate America.28. Thompson Memo at VI.B.29. Id.

The Thompson Memo ...continued from page 3�

�0August 2006


Conducting a risk assessment

By Marcia Narine J.D.

MA

RC

IA N

AR

INE

Editor’s Note: Marcia Narine, JD, is Vice President and Deputy General Counsel, as well as the Vice President, Global Compliance of Ryder System, Inc. a Fortune 500 global transportation and supply man-agement solutions company. Marcia Narine oversees the Company’s global compliance, corporate governance, business ethics and privacy, labor, and employment programs. Contact [email protected]

Conducting a risk assessment can be one of the most com-plex and important roles

that a compliance officer can play in an organization. There is no single “right” way to conduct a risk assess-ment. Rather, the methodology will vary based upon the size of the corporation, the company’s culture, the resources at hand, the intended audience for the final report, attorney-client privilege issues, the involvement in internal and external auditors, the industry, the regulatory environment, and a host of other factors.

This article discusses the approach to conducting risk assessments that worked for Ryder Systems Inc., a Fortune 500, publicly traded, multinational transpor-tation and logistics company.

Ryder’s process

Our risk assessment process took approximately 18 months and involved personal interviews of over 200 people in 10 countries, conducted by the VP, Global Compliance and Business Standards, Vice President of Internal Audit, and in some instances, outside counsel. The Company retained outside counsel in several countries to assist in

the identification, assessment, and prior-itization of the risks, while preserving (to the extent allowable) the attorney-client privilege for legal exposures identified and legal advice provided. While the risk assessment was in progress, the Audit Committee of the Board, which main-tains oversight of the compliance pro-gram, received regular status reports at every regularly scheduled Board meeting.

The interviewees were assured that to the extent possible, their names and comments would remain confiden-tial. When possible, the VP of Global Compliance and Business Standards reviewed relevant organizational charts, meeting minutes, business plans, presen-tations, files, documents, annual reports, audit results, and financial filings from the interviewee or the appropriate department or business unit.

Components of the review included a determination of the laws and industry standards that govern Ryder in the coun-tries in which it does business; the poten-tial likelihood of occurrence of a violation considering the number of employees exposed to the risk; the frequency of expo-sure; the experience of other multinational corporations; and the potential impact of the occurrence of a violation considering the severity of the consequences from a legal, financial, reputational, safety, busi-ness and employee relations perspective.

The risks identified were prioritized with a high, medium, low rating for likeli-hood and severity. Priority was given to those areas which require more immedi-ate focus due to either:

■ the high likelihood of occurrence of a potential risk;

■ the severity of potential fines, penalties, or government enforcement action;

■ the likelihood of significant damage to reputation from adverse publicity or reactions to a compliance failure from rating agencies, lenders, or shareholders;

■ the potential to be considered a material weakness in an audit; and/or

■ because of the inadequacy of training or awareness.

A medium rating requires closer atten-tion due, for example, to the large number of employees exposed to the risk and/or increasing legal activity from regulatory agencies or private litigants. Under our system, a low rating requires routine, monitoring action to ensure that existing controls continue to func-tion adequately.

The results were vetted by the compa-ny’s Corporate Compliance Steering Committee, which is chaired by the VP, Global Compliance and Business Standards, and which consists of 20 functional and operational leaders des-ignated by members of our executive team. Interviewees and key business leaders, including members of our exec-utive team, were offered the opportunity

��August 2006


to review risk assessment results and to provide additional facts or corrections prior to the finalization of the report.

A final report with recommended reme-dial measures was provided in writing and in person to the full Board as a part of its annual review process.

Our immediate next steps will be to establish monitoring and auditing pro-cesses to determine whether appropriate corrective measures are being imple-mented, and to disseminate employee awareness surveys throughout the orga-nization.

The following are some key factors that contributed to the success of our risk assessment process.

Decide on a process that makes sense

for your organization: An overview of

one approach

1) Identify global risk areas/activities that apply to your company and ensure that you understand your company’s culture and risk profile.

2) Determine the appropriate universe of interviewees and documents for review.Who will ask the questions? ■ Outside counsel? ■ Consultants? ■ In-house resources? What about

attorney-client privilege issues?What documents will you review and what will you exclude from review?

3) What methodology will you use?■ Surveys (anonymous or not)?■ Brainstorming sessions? ■ Focus groups? Interviews?

4) Prioritize risks to determine major threats.

5) Assess the control environment.

6) Manage major threats and strengthen existing controls.

7) Develop protocols and audit plans for follow up.

8) Conduct employee awareness survey on ethics and compliance policies and reporting mechanisms.

9) Conduct follow-up assessment in 12-24 months.

Convincing key stakeholders that a risk

assessment is necessary

Before beginning a risk assessment, it is critical to understand and to be able to articulate to others the reasons for such an exercise. Some of the reasons may be more persuasive than others, depending on the level of expertise, authority or accountability of the person to whom you are speaking. Some common reasons for conducting risk assessments are:1) The seminal Caremark decision

requires a board to ensure that its company maintains an effective com-pliance program.

2) The 2004 Revised Organizational Sentencing Guidelines make it clear that a periodic risk assessment is critical to maintaining an effective compliance program. (Also required by the NYSE Corporate Governance Listing Standards).

3) The existence of periodic risk assess-ments, corporate compliance training and constructive remedial actions (or lack thereof ) are critical consider-ations as to whether a governmental agency or court grants leniency in a corporate criminal matter or whether such agency considers whether or not to bring a criminal charge in the first place.

4) Risk assessments provide an early warning process for detecting compli-ance and ethics threats, allowing the

company to correct problems before they are discovered by regulators, investors, potential acquirers/buy-ers, the media, or potential plaintiffs, thereby protecting the franchise value of the company.

5) The process allows the company to review and revise policies, initiatives and training to address compliance or ethics issues that require attention.

6) It provides a method of prioritizing compliance risks and strengthening existing controls.

7) The assessment improves the deci-sion-making process by providing managers with critical information on compliance risks and mitigating strategies.

Define the parameters: What are you looking for?■ Compliance risks■ Threats to your company’s strategy,

operations, financial condition, and reputation resulting from a failure to comply with laws, regulations, inter-nal policies and procedures, ethical standards and customer expectations

■ Weaknesses and strengths: compliance violations are more likely to occur in weak control environments

■ Separation of duties and functions is likely to reduce the incidence of con-flicts of interest

■ A properly structured MIS system that ensures transparency in transactions is likely to reduce the incidence of misstatement and fraud in financial statements

■ Appropriate policies and procedures imposing limits and authorizations to establish boundaries to safeguard against inappropriate behavior

■ Ethics training focused on culture and


��August 2006


leadership. Managers—at all levels—must be role models and communica-tors of the standards. Think about who influences the work environment most closely. If these individuals aren’t reflect-ing the company’s stated values through their behavior, then the messages won’t take hold. While setting the tone at the top is vital, don’t forget about the tone that’s being set at the middle.

3. Everyone isn’t held equally

accountable

Every so often, I’ll get a call from an organization wanting to send someone through training again because he or she didn’t “get it” and is continuing to misbehave. Most of the time, the individuals who aren’t “getting it” are high-level or high-producing manag-ers. Surely they have the intelligence and wherewithal to understand simple principles like don’t falsify documents or make offensive comments in the work-place. What’s usually happening in these situations is that these individuals aren’t being held accountable for their actions. While accountability or disciplinary rules may be in place, the rules are being applied selectively, either because of a fear of disciplining certain people or an implicit or explicit message being sent by leadership that the rules don’t really matter—at least not for high ranking or highly productive individuals who con-tribute greatly to the bottom line. The impact of this inconsistent approach to enforcing the company’s code of con-duct is that employees see leaders who are exempt from the code of conduct or they see that the bottom line is more important than ethics and compliance.

Reevaluate your cost-benefit analysis. While it may be tempting to give the

high flyers a pass when it comes to adher-ing to the organization’s standards, no amount of money or clients they bring in can make up for the potentially devas-tating harm their behavior can cause. A business case needs to be built that dem-onstrates the impact of the conduct on all aspects of the organization—not just in legal risk management terms, but also in the ways it affects teamwork, productivi-ty, turnover, corporate reputation, and the ability to attract the best employees. Also, be prepared to address these individuals’ challenges to the rules. If you understand how they’ve rationalized their behavior, you’ll have an opportunity to preempt their challenges with messages they can’t argue with. And finally, look for allies in the organization with the credibility and leverage to support and enforce the stan-dards across the board.

4. no training implementation plan in

place

For many companies, the beginning and end of the implementation plan is the training event itself. In some cases, individuals go through a class once a year—if that often—and no other men-tion of the initiative or the program content is ever made. Additionally, there is no well thought-out development plan in place. Rather, the process seems to be once you’ve been through training, we can check you off the list. This wouldn’t be acceptable for any other vital organi-zational development initiative, so why is it being allowed in instances where the behavior can cause devastating losses to the business?

Plan, evaluate, adjust, and plan some more. Effective training doesn’t just happen. It requires planning, not just around the content or deployment

methods, but also for every step that comes before and after the event itself. The general structure of the plan can be determined through the answers to a few simple questions:■ What should be different in the work-

place culture once this initiative is implemented?

■ From a tactical perspective, what are the action steps that will take us there?

■ How will we link the training to other business initiatives?

■ Who needs to be involved and what are their roles?

■ How will we tell people about the ini-tiative and get their buy-in?

■ How will we gauge our progress and know when and what adjustments to make along the way?

■ How will we achieve sustained change?

5. Measuring the wrong success factors

Measurement, which is integral to any successful implementation, poses anoth-er challenge. It requires not only being able to demonstrate a return but also understanding what metrics should be monitored and tracked in the first place. If the ultimate goal is aligning behav-ior with values, then putting everyone through a check-the-box online training course shouldn’t be considered a primary measure of success.

Think about what success will look like: Organizations should be monitoring a few key factors that reflect day-to-day behaviors and are indicative of the cor-porate culture:■ What messages are leaders sending,

both in their words and actions?■ Are people comfortable bringing up

issues internally or are they taking their complaints to outside agencies?


Top 8 reasons compliance training doesn’t stick ...continued from page 38

��August 2006


by Frank J. DalyFRANKLY SPEAKINGFRANKLY SPEAKINGEditor’s Note:

Frank Daly has been involved in the

business ethics movement for almost twenty years. He directed the ethics program of a $30 billion Fortune 500 corporation on a number of levels since the program’s incep-tion in 198�. From 199� to his retirement in late 2004, Frank Daly was the corpo-rate ethics officer responsible for planning, directing, and executing the program for the company’s 125,000 employees. Over the years, Mr. Daly has addressed a variety of audiences on the subject of business ethics in academic and other settings. Watch for his new book entitled An Ethics Officer’s Perspective. Mr. Daly will write a column called “Frankly Speaking” for future C&E publications.

Major League baseball faces the challenge of protecting the credibility of our national

pastime from performance enhancing sub-stances. The commissioner appointed an investigative committee headed by George Mitchell, former U.S. Senate Majority leader, the architect of the Northern Ireland Good Friday agreement, and a director of the Boston Red Sox. As the LA Times noted: How do you think New York Yankees owner George Steinbrenner would feel having his players investigated by a limited partner of the Boston Red Sox? My gut reaction as a native Bostonian is: too bad. However, given my background in ethics, I’m prompted to ask: Why, in mat-ters great and small, are people insensitive to conflict of interest?

I have no reason to question Senator Mitchell’s integrity, but that’s only part

of the question. What about the percep-tion of millions of fans and others who know little about Mitchell except his affiliation with the Red Sox?

Conflict of interest (COI) is perhaps the most widespread ethical problem in society. A few examples: Years ago I was on the board of a youth athletic program. Some of the members were there for one reason, namely to advance the interest of their child, even over that of one who was clearly more deserving. We expect judges to protect a process characterized by fairness and impartiality. Some recent headlines bring into question not only the judges’ character but the fairness of the process also. A Supreme Court justice fraternizes with a party who has a matter before the court. Three state judges and one federal judge in Nevada are under investigation for rulings favoring parties with whom they have shared interests. A state judge in Florida is chastised by the Florida Chief Justice for having an affair with an attorney who appeared before him in court. Again, what about the perception of citizens that not only might these judges be corrupt, but the system is as well?

Business is not immune from the trends of the larger society. Sarbanes-Oxley recogniz-es this when it defines one of the primary elements of a Code of Conduct as sensi-tivity to conflict of interest. Section 406 defines a code as among other things, “…such standards as are reasonably necessary to promote: 1) honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between per-sonal and professional relationships;”

Admittedly, avoiding the perception of COI is a high standard. Many people

who perceive themselves to be otherwise upright feel that they could be unbiased where the interests of family or friends are involved. Maybe, maybe not. More than likely, not. However, even conced-ing impartiality, personal integrity is not the only consideration. What about the perception of the integrity of the process or institution you represent? You cannot avoid this question no matter how fair you consider yourself to be.

Let me offset the example of the judges above by using the following to demon-strate what I consider to be a first-rate understanding of COI. Lance Ito, the judge at the O.J. Simpson trial, had to rule as to whether his wife, a captain in the LAPD, should be called. After some consideration, Judge Ito ruled that another judge should decide. He said that he loved his wife and was confident that he could rule correctly in accor-dance with the law. However, he noted that many people observing would feel he couldn’t rule impartially. He had an obligation to the system of justice to protect it as well as himself and therefore recused himself from the decision.

Lance Ito generally got terrible marks for his performance in the Simpson trial. That having been said, he sure as hell knows what a conflict of interest is. ■

��August 2006


value-driven ethical decision-making even without specific compliance rules.

Identify what your risk assessment will not cover. Many people in your organi-zation may be confused by the concept of a risk assessment, especially if they have recently undergone Sarbanes-Oxley or other reviews by internal or external auditors. In conducting our risk assess-ment, we worked with Internal Audit, but made sure to distinguish our pro-cesses from theirs by noting that Internal Audit focuses on Sarbanes-Oxley com-pliance, and financial, operational, and forensic audit, while our review focuses on legal, compliance, and ethical risks.

In addition, although we asked about these issues, this assessment process was not an evaluation of risks related to:■ Corporate Strategy■ Business risks, business planning■ Financial matters, other than as they

are related to legal fines/penalties■ Integrity of accounting and financial

reporting systems■ Adequacy of internal controls or other

matters■ Total enterprise management■ Adequacy of reservesThese areas are covered by other groups in our company including Risk Management, the executive team, Internal Audit Services, and our external auditors.

Identify your universe of risks based upon your industry, best practices, and legal requirements. This is a highly specific exercise, and probably the most important step in your risk assessment pro-cess. A risk assessment that focuses on only criminal risks, ethical culture, or compli-ance with internal policies, to the exclusion

of other factors, may be more damaging to the company than failing to conduct a risk assessment at all. We defined our universe by polling in-house and outside counsel, reviewing the regulatory frameworks that govern us, as well as recent settlements and consent decrees with the government, and examining best practices.

As a transportation and logistics com-pany that sells, leases, and rents trucks to consumers and businesses, and that also provides supply-chain logistics services to other multi-national corporations in over fifteen countries, our risk universe includes, but is not limited to:

Enterprise issues:Corporate governanceBusiness continuity Confidential information, knowledge management, and data protectionDocument production, retention, and destructionIT applications/infrastructureObtaining competitive information

Financial issuesFinancial reporting Tax planningDebt financing

Employee behavior issuesInsider tradingForeign corrupt practices act/anti-briberyEmployment law/diversityFraud Conflicts of interestExport controlsMoney laundering

Operations supportCredit reviewSafety and security

Transactions with terrorists Sales and marketing Contracting processWorkers’ compensationEnvironmental Procurement

Before you begin interviews, determine what your questions are trying to elicit. In addition to determining whether peo-ple were aware of the legal, compliance and ethical obligations, we also wanted to find out the following information, and therefore many of our questions were geared to assessing:1) Level of Ethical Culture

■ What do people think?■ Do they believe that people would

be treated differently depending upon their positions or reputations?

2) Trust in certain institutions: how do people get information; where would they report suspected wrongdoing?

■ Law department■ Global compliance■ Human resources■ Finance■ Our hotline or other reporting

mechanisms■ The Board of Directors

3) Morale, levels of fear, anxiety, employee engagement

4) Key concerns and perceptions as to the major compliance and ethics risk areas

5) Gaps in training, legal knowledge, policy development

Key success factors: What made our process work? How did Ryder get buy-in? We ensured our interviewees and executive team that, although it was impossible to avoid all risk, our goal was to mitigate risk so that the business could achieve its objectives. We wanted

Conducting a risk assessment ...continued from page 41


��August 2006


compliance with NOCA accreditation.

One of the main objectives of profes-sional certification is to let people know that the person holding the credential has a basic level of competency in their profession. Therefore, an essential first step that AMP helped us take was to develop a job analysis survey. The survey consisted of more than one hundred questions designed to help establish what functions compliance and ethics professionals perform. Each question was designed to determine if compliance and ethics professionals perform a spe-cific task and the importance of that task to the performance of the job.

The Job Analysis Committee identified every conceivable task that a compliance and ethics professional might perform and it was up to the professionals com-pleting the survey to tell us if, indeed, they perform the task. It is important not to test for what the job was or what the job might be someday, but rather, what the job entails today. Those recognizing the credential (i.e., prospective employ-ers) want to be assured that the indi-vidual holding the credential has some competence in the job as it exists today. This survey must be repeated every few years to ensure that the evolution of the profession is closely tracked for change. The credentialing process must be con-stantly modified to reflect that change.

The job analysis survey was broken into eight sections as described in the recently updated U.S. Sentencing Guidelines (including risk management as an 8th element.) The SCCE’s Job Analysis Committee worked with psychometri-cians employed by AMP to eliminate tasks that were not common to all profes-

sionals. Any task that was not performed by at least 85% of the compliance and ethics professionals was not included in the test development process. It is very important not to bias the certification by industry, geography, personal preferences, etc. Thus, the results were also divided so that responses by subgroups of the popu-lation could be compared to ensure bias was minimized to the extent possible.

The committee studied the job analysis survey data to see if there were sig-nificant differences among industries and regions of the country. Tasks were eliminated if they showed bias toward any group. With the aid of the sur-vey results the group was also able to determine what proportions of each of the eight categories should be tested. Some elements of the job represented a larger portion of the professional’s time and effort. Those sections would need more testing. The number of questions required to adequately test each of the eight categories was determined.

The last major task the Job Analysis Committee performed was to break each of the eight sections into three different test question types—recall, applica-tion and analysis. Some areas of the job require more analysis, others require more recall and another category might require more application testing. In the end, the group identified the tasks com-mon to all professionals, the number of questions needed to test each of the eight elements of compliance and ethics, and what type of questions each category required (recall, application and analysis.)

Several hundred people completed the survey. The consistency of the data between industries was stagger-

ing. Although risk areas differ greatly between industries, the base function of the compliance and ethics professional is remarkably similar. There is a common set of tasks we all perform regardless of our industry. Those in the Committee who were initially skeptical that this level of analysis could be performed on a cross-industry basis were surprised at how readily the work could be done as the project proceeded.

After completing all of these steps as well as other related tasks, the Job Analysis Committee passed their work off to the Test Development Committee. Developing an exam for a certification program is an arduous process. As is often the case with hard work, however, it is also the most rewarding. It is essen-tial to prevent the development of ques-tions that can be answered by someone who does not know the subject matter. Some test takers know clues or tricks that inadvertently identify the correct answer. The psychometricians make sure that the questions are neither mislead-ing nor obvious. For instance, AMP helped us avoid writing questions and answers with the longest answer as the correct answer (one of those “tricks” of test taking). They also prevented us from writing questions using a phrase from the question which is also in the answer. There are many other rules that must be followed so that someone who “knows how to take a multiple choice test” does not have an advantage. It is also impor-tant not to disadvantage those who struggle with the multiple choice testing format. The idea is to test mastery of the subject, not one’s test-taking ability.

Along with prior education, continuing

Professional certification: The time has come ...continued from page �


�� Society of Corporate Compliance and Ethics • (888) 277-4977 • www.corporatecompliance.org

The Society of Corporate Compliance and Ethics (SCCE) will offer the first oppor-tunity to take the Certified Compliance and Ethics Professional certification exam on September 14, 2006 at the Chicago Downtown Marriot. The exam will follow the 5th Annual Compliance & Ethics Institute, September 11–13, 2006. For addi-tional information about the CCEP certifica-tion, including the Candidate Handbook and Examination Application, please visit www.corporatecompliance.org.To register for the exam, please download the Examination Application on our Web site, www.corporatecompliance.org, and fax it to the number provided on the form.For questions please call (888) 277-4977 or email [email protected].

Become a certified Compliance and Ethics Professional!

Sponsored by

Special Promotion! Attendees of the Compliance & Ethics Institute, September 11–13, 2006, are eligible to take the exam on September 14, 2006 at no cost (regularly $250/$350). Prior regis-tration is required and promotion is only valid for the September 14, 2006, test administration.

��August 2006


education, and on-the-job experience requirements, the CCEP qualification will include successful completion of a 100 question test. To have an effective testing system it is desirable to start with a bank of 200 questions and ultimately build up to 500 questions. In this way, test forms do not necessarily include the same questions to minimize the effec-tiveness of those who choose to share information. The committee must write approximately 300 questions just to end up with 200 usable ones, as many questions are eliminated by the commit-tee during the review process. The test development committee takes the test a couple of times to identify questions that do not perform well, or are vague or confusing. They also look for questions that should not be placed together in the same test because they are too similar. Also, questions that inadvertently help answer another question in the test are noted and not used on the same test.

Once the first group of CCEP candi-dates has taken the test (and before they receive their pass/fail notification) the questions are reviewed again. Based on these first results, questions can then be eliminated for poor performance. The psychometricians perform statistical analyses that identify items that are not performing as intended. For example, if those scoring in the top 20th percentile overall get a particular question wrong while lower scoring candidates respond correctly, there is a good chance that there is something wrong with that question. The committee will review those and all other questions that the psychometricians identify as potentially problematic. Some questions will be changed, others will be eliminated, and on occasion the committee will look at

a question and determine that it is just a tough question and leave it as is.

SCCE will follow the organizational model used by HCCA to ensure the integrity and independence of the certi-fication process. In health care compli-ance certification a separate board—the Healthcare Compliance Certification Board—administers the test and the certi-fication. Similarly, SCCE will ensure such a separate body handles the credentialing process. Among other responsibilities, they will ensure the extremely high level of security necessary to protect the legitimacy of the testing and certification process.

SCCE knows that this is a difficult road to travel. We intend to put in all the hours and suffer all the headaches this task calls for; the profession has a right to expect nothing less. We started with one of the best firms in the coun-try to oversee the development of the CCEP credential. We have enlisted the assistance of many of the best compli-ance professionals in the country. These individuals have repeatedly flown across the country to meet and perform the detailed labor this project demands. For me personally, this is the second certifi-cation process that I have experienced. These high-competency, highly motivat-ed individuals have not only worked well together but have been extraordinarily effective in meeting the deadlines. Many years from now they will look back and be able to say, “I was there and I helped develop our professional certification.” Those who developed the certification for the health care compliance profession feel a great deal of pride today.

The development of a worthy credential most often only occurs once in a profes-

sion. This group should be very proud of their work. They are serving their profession well. They have taken action as opposed to ruminating and hop-ing. As a result of their work, they have helped the compliance and ethics pro-fession mature and they have improved the compliance and ethics professionals’ chances of being recognized and respect-ed for their unique and valuable talents.

The first CCEP testing will be done at the SCCE annual meeting in Chicago on September 14, 2006. Individuals can also take the computer-based exam at one of more than 140 locations around the country. All fees associated will be waved for the first group taking the test at the annual meeting. Individuals taking the test offsite between September 14 and October 15 at one of the computer-based sites around the country will receive a 50% discount. The regular application fee is $250 for SCCE members and $350 for non-members. More information on the certification process can be found on www.corporatecompliance.org.

I can be reached at 952/988-0141 or by e-mail at [email protected]

Job Analysis Committee

Marjorie Doyle, DupontOdell Guyton, Microsoft Joe Murphy, Compliance Systems Legal GroupDebbie Troklus, University of Louisville Jolene Miller, RadioShackFrank Sheeder, Brown McCarroll Therese M. Obringer, Lincoln Financial GroupDonald M. Remy, Fannie MaeJanice F. Wilkins, Intel CorporationBrian Sears, Lockheed Martin


Become a certified Compliance and Ethics Professional!

Professional certification: The time has come ...continued from page 45

��August 2006


Scott Mitchell, OCEGAl Josephs, Tenet Healthcare Dan Roach, Catholic Healthcare WestKim Van Doorn, TIAA-CREFSteve Lefar, MediRegsRoy Snell, SCCE Lisa Kuca, Holland & KnightGreg Triguba, Eddie BauerOutside observer: Paula Desio, US Sentencing Commission

Test Development Committee

Debbie Troklus, University of Louisville Jolene Miller, RadioShackRoy Snell, SCCE Lisa Kuca, Holland & KnightGreg Triguba, Eddie BauerLori Trygg, The MMIC GroupMarti Arvin, University of LouisvilleShawn DeGroot, Regional HealthGregg Burgess, SAP Public Services

Melissa Lea, SAP AmericaBrenda Tunstill, St. Johns Health SystemArlinda Willis, Philadelphia Stock ExchangePamela Bennett, Department of Veteran AffairsAdam Turteltaub, LRNAilsa Delgado, Veterans Health AdminVanessa Falkoff, HealthInsightCheryl Wagonhurst, Foley & LardnerEric Wishner, Public Health Trust ■

Professional certification: The time has come ...continued from page 4�

SCCE’s 5th Annual Compliance and Ethics Institute

Corporate Compliance & Ethics weighs heavily on the shoulders of corporate officers, directors, and others who are legally, morally and professionally responsible for corporate actions. The Institute will provide attendees with the knowledge and professional support to make informed decisions.

Who should attend: Compliance professionals, ethics profes-

sionals and risk managers

Human resource managers and information officers

Corporate executives including CEOs and CFOs

Consultants and counsel—both in-house and outside

Regulators and other government personnel

Compliance and ethics journalists

Researchers and policy makers

Staff educators and trainers

Privacy officers

Students

As an Attendee of the 5th Annual Compliance and Ethics Institute you will be able to: Provide your organization with the most

current views concerning the corporate regulatory environment, internal controls, and the overall conduct of business

Enhance strategic thinking on how to develop compliance and ethics programs to address potential corporate regulatory prob-lems

Address compliance, internal audit, and ethics issues common to all industries and professions

Obtain insight on how to develop and implement an action plan for developing compliance and ethics programs that reflect current trends and guidance from broad industry segments

��August 2006


■ Are problems being found out early rath-er than being suppressed or ignored?

■ Is everyone—regardless of tenure or position—being held accountable to consistent standards of behavior?

■ What are employee satisfaction sur-veys telling you about the workplace environment and the accepted norms for conducting day-to-day business practices?

6. Managers learn what they need to

know but not what they need to do For the most part, compliance training has been focused on teaching managers what they need to know without impos-ing any responsibilities for translating that knowledge into action. As a result, managers learn general legal concepts, what types of behaviors to avoid, and where to go if they become aware of problems or violations. They don’t learn how to create a business plan and imple-ment action steps to instill integrity and values-based behavior in their units or work groups over the long term.

Take managers to the next level. Managers today need to know how to do more than stay out of trouble and contact HR for help. They have proac-tive leadership responsibilities that can impact the organization’s ability to pre-vent, detect, and correct problems early on before they become business threats. Specifically, managers need to know what to do, including:■ Communicating and persuading:

Developing a communication plan and being able to articulate, in a meaningful and convincing way, why they believe behaving in line with the values is important.

■ Intervening: Rather than deferring to HR, having the skills to take prompt,

appropriate action themselves to pre-vent and correct problematic behavior.

■ Welcoming concerns: Using effective listening and problem-solving skills to create an environment where employ-ees know their concerns are taken seri-ously and will be addressed properly.

7. Inadequate or misdirected focus on

“gray” issues

From bullying to lying to a general lack of civility, much of the behavior that causes divisiveness and distractions in the workplace doesn’t actually violate the law. However, the conduct can severely damage teamwork, retention rates, the brand, and other key business factors. The problem is that managers are either being taught to try to analyze intricate moral dilemmas that even a professional ethicist would have trouble with or they’re simply learning general, cut-and-dried principles that don’t really apply to everyday work realities.

Equip your first line of defense. In sur-vey after survey, we hear employees say they’re most likely to take concerns first to managers, not the anonymous hotline or even HR. When the issues are subtler, it means managers are going to need advanced communication, detection, and problem-solving skills. Trying to teach every possible scenario that could arise is an impossible task since “gray” areas will vary from person to person, or from one department to another in an organization. Instead, managers need some practical, universal tools they can apply when these types of issues come up. Managers also need to learn how to help their employees work through interpersonal issues with colleagues. It’s a skill that can be taught and should be considered an important step in any

manager’s development path.

8. Incorrect assumptions about

managers’ skills in these areas

A few years ago, I was working with a world-renowned organization whose managers were literally considered to be the top professionals in their fields. These individuals were widely viewed as teachers, mentors, and respected experts and advisors by all those who came to work at the institution, and they talked regularly and passionately with their employees about the importance of adhering to the highest safety and per-formance standards. Yet when I asked them to stand up and tell the group in their own words why operating by the company’s stated values and behaving with integrity and respect was important to them, they were flustered and anx-ious, unsure of what to say.

Organizations are mistaken in assuming that managers who’ve advanced through the ranks and have become experts in their professional fields will have auto-matically developed the skills needed to communicate and guide their employees on issues like ethics, diversity, and cor-porate values. Even those who under-stand the implications and consequences may not know what, specifically, they should do about it.

Make it happen. When putting together development plans, consider the entirety of competencies that your managers need to be successful. Most managers I’ve talked with say they want the skills to communicate effectively about these issues and handle problems appropriately because it makes their jobs easier. The impact of having successful interactions

Top 8 reasons compliance training doesn’t stick ...continued from page 42


�0August 2006


to be seen as business partners and not obstacles to growth. We also differenti-ated our risk assessment from an “audit,” which made interviewees much more comfortable in answering our questions.We ensured that our questions were open ended and non-confrontational. Interviewees and key stakeholders were able to preview the factual assumptions and risk ratings of the areas under their control before our report was finalized. We did not change the ratings unless facts had changed materially since our interviews.

Our Corporate Compliance Steering Committee provided critical manage-ment buy-in for the process at every stage including: providing feedback on the process; being interviewed by coun-sel and the VP of Global Compliance and Business Standards; reviewing some

of the recurrent themes and recom-mended program/policy changes that were implemented even prior to the completion of the risk assessment; and vetting the risk ratings prior to presenta-tion to the executive team.

What do you do once the risk assessment is done?Don’t make the mistake of assuming that once the report has been issued, your work is done. Risk assessment is a continuing process. As a part of your compliance plan, you must determine how and whether to monitor and address more minor risks; develop com-pliance tools and procedures to respond to major risks; identify and analyze new risks; adjust the compliance program if required, and evaluate the compliance program on an ongoing basis.

Conclusion

Conducted properly, a risk assess-ment can be an invaluable component of a successful compliance program. However, the only way to ensure that the process is useful for your enterprise and stakeholders is to tailor to the pro-cess to your culture and business model, and to monitor the implementation to assure the credibility of the process. ■

Conducting a risk assessment ...continued from page 44

with employees then trickles throughout the entire organization, making every-one’s job easier. While these skills may not come naturally to many managers, given the necessary tools and training, they can become the best method an organization has of institutionalizing its values throughout the employee popula-tion.

I often hear executives lamenting the fact their managers can’t seem to take what they’ve learned and have a sustained impact back in the workplace. Usually, there’s little or no strategic context and follow-up to make that a reality over the long range. If they’re serious about mak-ing a difference and not just “checking the box,” leaders need to apply some of the same proven techniques they employ

in other vital, strategic initiatives to their ethics and compliance programs. Seemingly simple steps, including holding everyone accountable to the same standards, carefully planning the implementation process, and measuring the right success factors, are being over-looked, yet they can have a big impact on compliance issues and the overall workplace culture.

Leaders also need to re-examine the skills they’re providing managers in the train-ing itself. Managers need to understand that they are being expected to play a more proactive role than they may have had in the past, and they must be given the skills and tools to help them fulfill their new responsibilities. Helping man-agers succeed in these areas will benefit

the entire work environment many times over.

Too many organizations are missing at least some of the key elements of a com-prehensive plan, leaving them vulnerable not just to ethical violations and poten-tial scandals but also to competitors who can put it all together. Those who are successful will not only protect their businesses and reputations, they’ll build the type of workplace that draws tal-ented people, smart investors, and savvy consumers. ■

Eight reasons compliance training doesn’t stick ...continued from page 49

��August 2006


Continuing Education Credits: MCLE/CLE • CPE/NASBA • ACHE • HCCB • CCEP

SAVE $100 and attend the

pre-conference for

fREE: register by

AUGUST 16!

A $200 TOTAL

VALUE

Register now to attend the5th Annual Compliance & Ethics InstituteCorporate Compliance and Ethics Programs: Case Studies and Risk Areas

Corporate Compliance and Ethics Programs: Case Studies and Risk Areas

September 11–13, 2006 | Chicago Downtown Marriott | Chicago, IL

Corporate Compliance & Ethics weighs heavily on the shoulders of corporate officers, directors, and others who are legally, morally, and professionally responsible for corporate actions. The Institute will provide attendees with the knowledge and professional support to make informed decisions.

This year’s Compliance & Ethics Institute will feature 70 speakers including 30 in-house Compliance Professionals and 6 stellar general session speakers. Judge Ruben Castillo with the USSC and Scott Friestad with the SEC will each be presenting a government update.

full brochure and agenda available at www.corporatecompliance.org

To register, please visit www.corporatecompliance.orgFor questions, please call (888) 277-4977 or e-mail [email protected]

Compliance & Ethics Institute

��August 2006


volume three number three august 2006 published bimonthly · author of business ethics: managing a...

Documents