Ethics and Compliance: Are We There Yet?
September 29, 2008
Five-plus years after Sarbanes-Oxley, companies face ever-increasing regulatory compliance demands and new ethical challenges raised by a more complex and global business environment, according to risk consultancy LRN. Marjorie Doyle is the firm's global practice leader, ethics and compliance solutions, and a former chief compliance officer at DuPont. She talked with Business Finance about the changing risk landscape.
Business Finance: With more than five years of Sarbanes-Oxley behind us, have companies learned the lessons they needed to learn?
Marjorie Doyle: I would have hoped so, but I don't think they have. Different kinds of studies have shown -- and you can see this just by reading the newspaper -- that there are all sorts of organizational fraud and misbehavior. Unfortunately, laws like Sarbanes-Oxley are created after something bad has already happened; they're very reactive. But despite all the grumbling about the detail and work that had to go into compliance, a lot of companies did in fact find that they were not as disciplined as they could be. That's one of the main lessons that finance learned, and it's a message that finance people should be delivering to other functions in the company.
Sarbanes-Oxley put finance into the position of having to reach out to all sorts of functions in the organization because they had to get input from so many people. And this is also what ethics and compliance officers have to do -- reach out and collect information from the various departments and businesses within the company to get a clear picture of the ethics and compliance pulse of the organization.
BF: What's the current state of the dynamic between ethics and compliance departments and finance?
MD: The relationship is really a critical one because there's a financial aspect to almost every process in the enterprise. And finance in most companies is very well established; usually each business unit will have a finance person who sits on their business staff and is very much integrated into the business.
The big challenge is resources. Ethics and compliance is a relatively new department in the company. Everybody knows who the CFO is, who the head of HR is, but the chief ethics and compliance officer is often a new position in the organization. As they try to build their staff, chief ethics and compliance officers have to make the case for exactly what they do and what their value is to the company. And then they have to ask for resources, whereas other departments have resources that are already pretty much established.
So for chief ethics and compliance officers the CFO is among the most important people they can have as an ally to get them involved and to get them a voice at the table, as well as to help them understand some very important processes. Companies are still working hard on perfecting ways to detect potential wrongdoing, and finance people working in the front lines are often the first to see if something is amiss.
BF: Violations of the Foreign Corrupt Practices Act (FCPA) ranked fifth in survey respondents' assessment of top ethics and compliance risks. Do companies have a good handle on FCPA exposure?
MD: They're realizing how important it is. The SEC and the DOJ are focusing on particular industries, but believe me, they'll get around to all industries eventually. So many companies now have experienced allegations of corruption and bribery that they're starting to wake up to the fact that it's not just the people who have relationships with foreign governments who need education on this -- it's all of their people, up and down the chain. Everybody in the organization needs to be aware of anticorruption and bribery laws.
The areas that came out at the top of the list of concerns -- data protection and privacy -- are pervasive across the whole organization. You'll see aspects of data protection and privacy risk when you're dealing with antitrust, with insider trading, with anticorruption and bribery. Privacy and data protection have been sleeping dogs for a long time, and now everybody has had their eyes opened.
BF: By and large, are companies seeing some success in integrating ethics and compliance risk assessments into their enterprise risk management (ERM) programs?
MD: It's a challenge. Enterprise risk management is huge; it involves analyzing all aspects of all kinds of risks in your business processes, and ethics and compliance exposures are a subset of those risks. But if you rely solely on ERM to suss out your ethics and compliance risks you won't get there, because the people who run ERM programs usually don't understand the specifics of ethics and compliance risk in as much detail as they need to. They generally come from an expertise background that's more familiar with insurance, for example, or finance.
It's a great idea to have just one risk assessment process that covers every kind of risk. But in my experience it's a very long and unwieldy process, and so generally what ethics and compliance professionals do is to say "We're going to run our own assessment process because we need to get at our risks, and we need to get at them at certain depth so that we can come up with some mitigation action items."
I'm still hopeful that somewhere in the future experts in ethics and compliance will get together with finance, HR, and insurance to develop a process. I know some companies that have been successful at that, but it has taken a lot of time and it's very expensive.