Oh, Behave! Companies Mastering Ethics and Compliance Risks

Six years and more have gone by since the disastrous ethics and compliance breakdowns that ushered in the Sarbanes-Oxley era. So how are companies doing in their efforts to build risk management programs to make sure it never happens again, and to help them withstand the ever-increasing scrutiny of their conduct?

Not bad, according to a massive new study from LRN, a company that helps businesses develop ethical corporate cultures. The firm polled some 460 senior ethics, compliance, legal, risk, and audit professionals to gauge companies' progress toward mastering best practices. The results were encouraging. Nearly nine out of ten enterprises conduct ethics and compliance risk assessments, and increasingly these are integrated into enterprise risk management (ERM) programs. A wide range of functions are involved in the assessments, with legal, internal audit, HR, and finance leading the pack.

Companies haven't relaxed their efforts to polish up tone at the top. About three-quarters offer formal CEO/management development programs, and the popularity of these initiatives has increased since 2007.

More good news is that risks specific to the finance function rank relatively low on the list of companies' top ethics and compliance concerns. The top three challenges today are electronic data protection, data privacy, and intellectual property, LRN reports. Violations of the Foreign Corrupt Practices Act and other anti-bribery regulations are a concern, though, ranking fourth on the list and cited by 27 percent of respondents. Twenty percent cited supply chain risks, and 16 percent pointed to insider trading as a significant exposure.

There are a few dark spots, however, and interestingly a number of them cluster around the challenges of doing business internationally. Global companies consistently offer lower levels of protection activities at their international locations than they do at headquarters, evidence perhaps that multinationals struggle with cultural and linguistic constraints on resources in some locations.

And they still haven't come to grips with ethics and compliance exposures that may be lurking in their supply chain and extended business networks. Only about one in ten offer education to resellers, two in ten to suppliers, and 3 in ten to business partners. Clearly companies will need to step up their efforts in this area, as we learned last year when scandals erupted over tainted pet food and lead paint in toys made in China.

The LRN Ethics and Compliance Risk Management Practices Report 2008 is available here (requires free registration).