含羞草社区

GC Prarabdha Jaipuriar writes that setting up an ethics and compliance programme can shield companies from big troubles

BBusinesses make decisions every day, and these decisions are informed by their strategy, values and assessment of the risks and opportunities in and around the business. A common thread in this process is, or at least ought to be, ethical decision-making, that is, doing the right thing when no one is looking.

It protects the organisation and its people from legal and regulatory actions. It helps earn and preserve reputations. Most importantly, it builds strong foundations for sustainability and profitability. But there is more to business ethics than idealism. It is a set of processes and tools aimed at preventing, detecting and remedying non-compliant situations.

Why build an ethics programme?

When an organisation builds a programme for ethics and compliance, it puts in motion a series of actions that not only demonstrate its ethical commitment, but also empower its people with the right tools to remain vigilant and to take business decisions fairly, without the proverbial fear or favour. Businesses have both internal and external ethical challenges such as corruption, conflict of interest and fraud, to name a few.

Almost every function is exposed to these risks, with some such as procurement, sales, marketing, finance and HR more than others. When caught on the wrong side of the law, companies may face criminal, civil and regulatory actions, often with debilitating consequences. Corruption also weakens the rule of law and damages economic development. It affects free and fair competition and harms society at large.

A robust ethics and compliance programme (ECP) helps shield against fines, penalties, legal fees and regulatory expulsion from the market. By implementing an effective programme, large corporations can plug loopholes in their processes, and small businesses can find better acceptance in the marketplace. All businesses can meet the requirements of the extraterritorial anti-bribery laws of many countries including the US, France and the UK, as long as the ECP meets their yardstick in its design and rigour.

The key components

A good starting point for deploying an ECP is to have a set of policies and procedures, including an ethics charter, a whistleblower policy and a sanction policy at the minimum, as well as bespoke policies for gifting, sponsorship, lobbying and supplier relations, to name a few.

The choice of policies depends on the organisation’s scale of operations, as well as its line of business. Some other integral elements of an ECP include a whistleblowing reporting channel, a third-party due diligence tool, accounting controls and a mechanism for auditing the programme itself.

The human element of an ECP is perhaps the most important. Organisations must train their employees on ethics and compliance. While all employees ought to receive at least a basic training, it is imperative to map the workforce for its relative exposure to specific ethics risks, and to impart focused training to sensitive or high-risk groups.

Since ethics is deeply rooted in culture, the top management must set the tone through a demonstrable commitment. Tone at the top helps shape a speak-up culture. Regular communication, providing adequate resources for the ECP, appointing and empowering a senior employee with relevant experience as the ethics officer, and providing oversight of the ECP are some of the responsibilities expected of leadership. One key role of the top management is ethics risk management, starting with risk mapping.

Risk mapping and mitigation

Mapping the risks relevant to the business is a part of, and closely linked to, the success of the ECP. It enables the organisation to put in place the right tools and processes to guard against ethical risks that are likely to arise, and that can cause a crippling impact if left unchecked.

Risks can be internal or external. Examples of internal risks include gaps in company policies and processes, a prior history of non-compliance, and a low level of moral awareness among employees. External risks include legal and regulatory gaps, low ethical awareness and commitment among customers, partners, vendors and other stakeholders (including civil society), as well as certain prevalent practices in the business environment, both by geography and sector. A methodical approach helps identify and address the key areas of concern.

When to start

Ethics risk mapping should be first carried out when starting a new business venture, foraying into a new geography or forming a new partnership. That said, it is never too late to start. Well-established businesses that do not yet have an ECP in place can conduct the risk mapping exercise whenever they decide to deploy an ECP.

Since ethics risks evolve due to many external factors such as changes in regulations, market, competition and technology, and internal factors such as changes in the size of the organisation, employee turnover and the adoption of new technology, the risk mapping exercise should be revisited regularly, say, once a year. It may also be revisited mid-cycle if circumstances demand it, such as before the launch of a new product.

For instance, if a gaming company plans to launch a new AI-based gaming software targeted at pre-teens, it would be worthwhile to map the ethical dimensions of the risks associated with the software, which include data privacy, verifiable parental consent, compulsion loop, self-injury, suicidal ideation, algorithmic bias and dark patterns, among others. Once identified, mitigation actions, including product adjustments, can be taken in time.

Methodology

Even though there is no single rigid path to ethics risk mapping, there is a general agreement on its broad contours. Management should allocate resources and budget for the exercise. The ethics officer is generally the best person to lead the initiative, although other options exist. HR can help management identify a risk management expert to serve as the risk mapping project manager.

The house remains divided on the desirability of using external resources, such as a law firm or a risk management consultancy, to carry out ethics risk mapping. While many organisations would not be comfortable exposing internal shortcomings, they could benefit from the diverse experience of an external consultant.

The decision depends on the organisation’s maturity and the project manager’s capacity to perform a thorough risk assessment within the timeframe. Depending on the size and complexity of the business, the project manager may choose to form a team and delegate tasks accordingly.