Part 2: How Law Schools Can Champion Compliance Careers
January 12, 2026
This column turns to law schools, proposing concrete ways to support students interested in compliance and ethics roles.
by Adam Balfour
November 24, 2025
I read a news story earlier this week about a man who used six layers of green fabric paint to paint himself to look like the Hulk. He learned the next day that fabric paint is very different from body paint in that fabric paint does not wash off easily.
Isolated decision making is a risk for any organization. Perhaps someone worries about what others will think of them if they ask a question or they move ahead with their plan thinking “this will be fine” only to later have to deal with unexpected consequences. Or it might be that they talk with someone who either won’t give them the feedback they need or the other person is too close to their own perspective to see it differently.
The risks of isolated decision making and psychological safety go hand in hand. If people do not feel that it is safe to ask for feedback and get different perspectives from others, and if people do not feel they can challenge perspectives of others, then the risks of isolated decision making are very real. We all have bad ideas at times and have blind spots, and we can all benefit from the perspectives of others.
The solution is not that we each need to know everything, but we have to recognize our own limitations (including when our judgment or decision making might be impacted by pressure or our limited perspective) and to have people we feel we can reach out to who will provide candid feedback and help us see things from a different perspective. We all need to have our own community of trusted advisors who can complement and challenge our ideas and perspectives.
November 10, 2025
I think it is a good idea to look to what are considered to be the “best practices” when building or running an ethics and compliance program – a lot of times, using those best practices will make a lot of sense. However, it is equally important to think critically and challenge ideas that have become so widely accepted to see if they truly are “best practices.”
Here are a few “best practices” that, in my view, deserve to be challenged:
1. Attaching Your Code of Conduct to All Vendor Contracts
A lot of organizations will attach their Code of Conduct or a Supplier Code of Conduct to their vendor contracts. While this sounds good in theory, how many vendors do you think will actually read the Code in practice (perhaps other than their Legal team in negotiating the contract) and how will you monitor their compliance? Is your Code worded in such a way that you think you could successfully argue a breach of contract? Challenge the “best practice” approach by including specific language in the contract that reflects the relevant compliance risks and describes what you need the other party to do (or not do).
2. Updating Your Code of Conduct Frequently
Do you frequently update the foundations of your house or does a country constantly update its constitution? It can be expensive to update a Code of Conduct (especially if you get third parties involved in the process) and you can reflect updates through other policies that support the principles in your Code.
3. More Ethics Helpline Reports Is A Sign Of A Healthy Organizational Culture
Is it really a good sign that employees are raising concerns through a 3rd party run helpline rather than to their managers or others at an earlier stage? Does this “best practice” cause us to overlook opportunities for earlier intervention that would be better for your employees, allow managers and others to play their part, and perhaps address concerns or potential concerns other than through an internal investigation? Is it time for us to shift our thinking from counting the number of calls to the fire department to focusing more on smoke detectors that allow for earlier intervention?
“Best practices” are worth considering and thinking about, but don’t be afraid to question and challenge them. What matters most is not what other people think, but what works in practice.
November 03, 2025
Many companies will celebrate Corporate Compliance & Ethics Week in the coming days, launching activities and content to engage employees and reinforce the importance of integrity and the compliance resources available to help them.
E&C Week is a bit like running a marathon (good luck to everyone running the NYC Marathon today). Spectators see the race-day excitement, but they do not necessarily see the months of training and preparation that made it possible.
If you feel stressed or worried about your E&C Week activities, remember that you have already done the hard work. Build into your plans the expectation that something may not go exactly as planned—and if it does not, you are ready to adapt and keep moving forward.
Enjoy the week. Use it to reflect on the other 51 weeks of the year, celebrate the cross-functional collaboration that makes events like this possible (especially your Communications colleagues), and appreciate the other teams and functional groups who contribute to your program’s success year-round.
October 27, 2025
While there are a number of resources to help support ethics and compliance professionals, one of the best resource – and perhaps the greatest strengths of the ethics and compliance profession – is the community itself. This is a field filled with people who want to help others succeed. Whether you are seeking ideas, feedback, guidance through a complex situation, trying to understand why something did not go as planned, or asking for career advice, there is no shortage of people willing to share experience and insight.
Working in ethics and compliance is not always easy, especially if you are a “team of one.” The good news is that you do not have to do it alone. I regularly reach out to others across the profession and continue to be impressed by the generosity of this community. We encourage employees not to struggle through ethical questions in isolation – the same should be true for us.
Reach out to others for help and offer help where you can. If you are early in your career, do not worry about returning the favor immediately – you will have many opportunities to pay forward the support you receive.
If you need guidance on a topic or can offer support to others, please post a comment below.
October 20, 2025
What happens in your organization when someone has done something that is inconsistent with your compliance program standards? Is the matter quietly dealt with to try to put things back together as seamlessly as possible and so that no one (other than those who already know or have a need to know) will know an issue ever existed?
Kintsugi is a Japanese form of art where broken pottery and other ceramics are repaired using a gold-dusted lacquer to put the broken pieces back together. Instead of hiding the damage and trying to make it look like the original, kintsugi visibly highlights the repair work and the gold coloring often makes the pottery even more impressive looking than before. The art form is not about naming and shaming who broke the ceramic in the first place, but about acknowledging that something happened and embracing the damage done to put the broken pieces back together.
People make mistakes – they will not do what is expected of them at times, and they will also break ceramics. While we aim to reduce the likelihood of both, we are always going to have to deal with situations in which damage has been done. Rather than hide when people have made mistakes or violated your compliance program standards, you can use those examples (and you do not have to name and shame) to help rebuild any broken parts of your program, make it stronger and embrace what happened to help others.
Use stories from within your organization to share with others what happened and what was done. Talk about the root causes and contributing factors that lead to the issue. Help employees understand that your organization’s compliance (and other) standards matter and that you look to build a culture where people learn from mistakes.
Trying to hide past compliance issues is a mistake – acknowledge what happened because transparency helps build trust, it shows that the program is driven by continuous improvement, and demonstrates that the organization looks to strengthen itself based on the past.
October 13, 2025
I recently noticed this road sign in my neighborhood that says “No Motor Vehicles.” Despite the lack of motor vehicles in the picture, the policy is practice is that this is a road that regularly has a lot of motor vehicles driving in both directions. It made me wonder (a) what is the intent of this road sign?, (b) how many drivers have even noticed this sign?, and (c) what impact is this sign having and does anyone care?
There might have been a time when it made sense to have this road sign, but it does not seem to make sense any more – at best, one could probably infer that the sign now means “No motor vehicles are technically allowed, but this rule is not enforced.”
This is also why when it comes to ethics and compliance programs we need to continuously think about the standards and controls we have, whether they are still needed and effective, and whether removing standards and controls that are no longer needed or adding value will help ensure people pay attention and comply with the ones that actually do matter. When controls are kept in place that are no longer needed or do not add value, they contribute to compliance fatigue and this does not help your employees or your program.
September 22, 2025
I recently had a lot of fun (and learned a lot) speaking on a panel with Lisa Fine and Andrew McBride at #SCCEcei, where we talked about data analytics and compliance programs.
Data analytics can sound a bit abstract or even intimidating — especially when you see how advanced and comfortable other people are in this area. However, the basic idea behind data analytics is something most of us are already doing in our day-to-day work, whether we realize it or not.
Here is an analogy about driving I shared during the panel to demonstrate this point. You see a road sign showing the speed limit and then look down at your speedometer to see how fast you are going compared to the speed limit — that is a basic form of data analytics that helps you determine if you are complying with the relevant laws and standards. The data provides you with insights and then you might adjust your speed as a result.
Data analytics at its core is simply about looking at relevant data points, comparing them to gain insights and then using those insights to take action or make better / more informed decisions.
Data analytics might require you to step outside your comfort zone, but recognize that you are likely already doing this in some shape or form. Get comfortable nudging yourself out of your comfort zone through intentional learning and trying out different things with data analytics. You might surprise yourself and realize that data analytics is much more familiar — and something you can absolutely engage with to strengthen your compliance program.
September 15, 2025
I like having a written “to-do” list – my written to-do list helps make sure I do what I need to do and prioritize what needs to be done next. I try to make sure that my written “to-do” list captures all the things that I actually need to do, but sometimes there will be something I need to do that is not written down on my list (if you use written to-do lists, you know this feeling and your blood pressure probably just went up slightly). As much as my written to-do list is really helpful for how I work, it is a reminder that a written to-do list is not my actual to-do list but simply trying to put my to-do list into words on a page.
The same is true when it comes to ethics and compliance programs – when it comes to policies, we often think that the document titled policy is the actual policy. In reality, the policy document is not the actual policy and instead an attempt to reflect the actual policy in written form.
Focusing too much on the words describing what the policy is (or is meant to be or we hope it will be) means that we often miss what the policy is in practice and the unwritten rules of an organization. Your organization’s policies are reflected in how people act, in conversations and unstated expectations, as well as seeing what behaviors are tolerated and rewarded – as reality changes and evolves, we have to ensure that the written form of the policy is kept up to date and relevant to ensure an accurate reflection of the actual policy. Focus on the policy itself and not simply the written version of the policy.
August 18, 2025
My#SundayMorningComplianceTip series is back from a little summer vacation. During my time off from posting on LinkedIn, I watched season two of Nathan Fielder’s The Rehearsal on HBO. While it’s a comedy, I found the show to be incredibly relevant to ethics and compliance, especially on the topic of speaking up.
The premise of the show is about helping people prepare for important life events through rehearsing under realistic conditions. Fielder uses this to illustrate his point that many modern airline crashes aren’t the result of mechanical failure, but due to a lack of psychological safety and communication in the cockpit. According to the show, pilots often meet each other for the first time just before a flight – this lack of familiarity can make it incredibly difficult for a co-pilot to speak up and challenge the captain’s actions, even if they see a potential issue.
The show also includes a brief clip of the standard pilot training on psychological safety, which is essentially a 30-second reading of a policy statement. Fielder wants to change this type of ineffective training by helping people rehearse both for speaking up and for listening when someone else speaks up. He creates an environment where people can simulate and experience these moments, with the hope that it will give them the confidence and preparedness to communicate effectively when it matters most.
This is a powerful reminder that an effective compliance program should not just focus on what to do, but on helping people with the how. Speaking up is often an extremely difficult and uncomfortable thing to do, and we need to recognize this. We can lean in and help people prepare for those difficult conversations – not just by talking about them, but by giving them a chance to ‘rehearse’ what it’s like to speak up (and what it’s like to listen when someone speaks up). The good news is that we don’t need an HBO-sized budget to bring this concept to our ethics and compliance programs, but it does require a shift in thinking from “training” to genuine “preparedness” and “learning.”
Has anyone else watched the show and have other insights from this season?
July 21, 2025
Many Codes of Conduct talk about the important role that leaders, managers, and supervisors at all levels of an organization play in ensuring day-to-day activities and decisions align with the compliance program, including providing guidance to employees and helping them with ethical questions.
Leaders might feel like they should know – and be seen to know – all the answers, but the reality is that no one does. As important as leadership, managers and supervisors are to an effective compliance program, that doesn’t mean they are expected to know how to handle every situation or answer every ethical question. If someone comes to you as a leader for help and you don’t know the answer to their question or what to do, saying the words “I don’t know how to best advise on that situation, but let me find out” does not make you look like a weak leader. In fact, it is the opposite – your authenticity, genuineness and wanting to provide the best advice (and acknowledging you need guidance from others) shows you are a leader who is willing to listen, you know your limits and that you are trustworthy. This is the type of leadership many people seek and want to work for, and the type of leadership that your ethics and compliance team also wants (we are here to help you with those types of situations, and we won’t necessarily have all the answers ourselves!).
When we talk about tone at the top and tone at the middle, this doesn’t mean that leaders need to be compliance experts. Your job is to lead with integrity and you can do that when you build trust, demonstrate to others that speaking up and seeking help are encouraged and expected, and are willing and able to help get the right answers even when you don’t have them yourself.
July 14, 2025
I recently read Courageous Cultures by Karin Hurt and David Dye – their book has a number of great ideas and one that really stuck with me is the idea of using a “5×5 Communication Strategy.”
What is the 5×5 strategy? It involves taking an intentional approach of communicating important information five times and in five different ways. The repetition and variation in how the message is communicated is what helps people understand the message, internalize it, make it stick and ultimately drive the desired behavioral change.
How does this apply to ethics & compliance programs? A single training, email or talk by the E&C team is unlikely to lead to the lasting change that we hope for. We need to repeat the message clearly and in multiple ways, and to include different channels of communication and, perhaps even more importantly, who is communicating the message (business leaders, this is why your E&C team asks you to communicate the importance and relevance of integrity and compliance – your voices and the messages you communicate are heard/received differently than when people only hear from the E&C team).
How to apply the 5×5 communication strategy to your E&C program? Not every message needs to use the 5×5 communication strategy – reserve this for the key messages you need to focus on. Once you have identified the key message and the target audience, think about all the different communication channels you can use to communicate the message to the targeted audience. There are probably more communication channels than you might initially think and not all of them will be available or effective for everyone in your organization (e.g., training, policies, getting 5 minutes at another team’s meeting to talk about the idea (either you or asking the leader of that team to talk about the point), email, company intranet sites, newsletters, asking leaders to send an email to their teams or discuss with their direct reports in their 1-1s, posters (physical or digital), etc.).
As I’ve shared before, I believe E&C programs should focus on “learning and engagement” over “training and communication” because we need to think about the impact on the target audience (did they learn and were they engaged? rather than did we provide training or send a communication?). The 5×5 communication strategy is a great way to make sure that the messages we send are impactful and the variety of channels used will help people learn.
Has anyone else used the 5×5 communication strategy or something similar as part of their ethics and compliance program?
July 07, 2025
Whenever I give ethics and compliance trainings, I like to mention some of the many well known examples of wrongdoing that didn’t involve just one or two rogue employees; instead, the wrongdoing was known throughout these organizations and involved many people, despite the fact that many of the organizations operated in highly regulated industries and had established and well staffed compliance programs.
These organizations had numerous formal compliance program elements in place: robust policies, detailed controls, frequent training, and various reporting channels – but these alone were not enough or effective in preventing or stopping the wrongdoing. While essential, an over-reliance on these formal controls and a lack of focus on the deeper elements like culture, misaligned incentives, and failing to address reported concerns or known wrongdoing, means a program will ultimately fall short in practice.
Here is an analogy I like to use: formal controls are like bricks in a wall – they provide much needed structure for the wall. Organizational culture, aligned incentives, and addressing (and being seen to address) issues that are raised or otherwise known are what act as the cement in an effective compliance program – just as cement fills the gaps between the bricks and gives the wall the strength it needs to stop it from crumbling or falling down, effective compliance programs need to have a balance of bricks and cement to be effective. You wouldn’t build a wall with only bricks and no cement (or if you do, you shouldn’t expect the wall to last), so don’t think a compliance program that only or overly relies on formal controls will be effective.
How do you make sure that your program is effective in practice and not overly-reliant on formal controls?
June 23, 2025
I came across this sign last weekend during my long run. The sign – saying “Please Be Kind To Our Hard Working Umpires” – is at a little league baseball field. The sign is too high for most of the kids playing baseball to notice and that’s intentional, because they are not the target audience. By putting the sign at a level that adults can see if they are standing or sitting in the bleachers, the message is being communicated to the people who need the reminder (you might think adults shouldn’t need to be reminded not to yell at the umpires at a kids sporting event, but that’s another matter).
This sign is relevant to ethics and compliance for a number of reasons:
1. Not all standards need to be lengthy policies. This eight (8) word message clearly communicates the standard.
2. Communicate policies / standards to those who need to know about them and at the time they need them most. A reminder to adults to be nice when registering their kid for little league is not going to have same impact as a reminder when the adult finds themselves in a situation where their emotions take over – timing matters.
3. Rather than simply telling people what they cannot do (e.g., “no foul or abusive language”), the sign communicates what to do (“be nice”) and reminds people of how they would hopefully want to behave.
Policies should be helpful for people and speak to them in human terms – sometimes that can take a lot of time and effort (and the simplicity of the final product can mask the amount of thought and effort that went into it), but it is time well spent and will lead to a more effective program.
June 16, 2025
Every compliance professional has no doubt been in a conversation where they or someone else has said “you need to have tone at the top.” Often, we say this as if tone is either present (which is good) or not (which is bad), but the reality is that tone at the top is always there.
Asking if there is tone at the top is the same as asking “is there weather?” – the answer is yes, and the better question is what is the tone and what does that communicate to the rest of the organization.
You can pick from an endless list of examples to demonstrate this – from Theranos to Enron – tone from the top is always there.
And tone at the top isn’t just what senior leadership says or intends – it is about the message, often a combination of explicit and implied messaging, that employees receive about what matters, how things are done and who succeeds (or not).
Next time you hear someone (or yourself) talking about how tone at the top matters, challenge the conversation to go deeper and to ask what that tone is and what tone is needed to help make the ethics and compliance program effective within that organization.
June 02, 2025
One thing we have consistently seen from regulators over the years is that they recognize the impact of organizational culture when it comes to an effective ethics and compliance program. The U.S. Sentencing Guidelines talk about how an organization should “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Similarly, the DOJ’s Evaluation of Corporate Compliance Programs talk about the importance of a “culture of compliance” in reference to policies and procedures, whether the program is adequately resourced and empowered to function effectively, expectations of leaders and managers, compensation and incentives, and program testing and effectiveness.
An effective program cannot rely only on culture – you need the other key elements to build the framework. Organizational culture will always exist, which is why it matters that organizations look to intentionally and continuously build a culture of ethics and integrity since that forms the basis for the compliance program and will play such a huge role in how the program operates and how employees think and act.
May 19, 2025
Spring time in Nashville brings plenty of rain, which means there is little risk of our lawn drying out and needing water during those months. The situation is very different to our summer months when the heat turns up and lawns can quickly go from green to brown without proper care. A well maintained lawn requires regular monitoring and different actions throughout the seasons.
Just as the risks and risk mitigation strategies for lawn care change with the seasons, so do some of the compliance (and other) risks that your organization faces. The risk of something happening or its impact are not necessarily consistent throughout the year, and only looking at risks once a year (especially if you do so at the same time each year) are likely to miss these changes. Effective risk management requires us to understand which risks matter and strategically time our risk-related activities, including communications and training, to ensure the right actions are taken at the right time.
May 19, 2025
Spring time in Nashville brings plenty of rain, which means there is little risk of our lawn drying out and needing water during those months. The situation is very different to our summer months when the heat turns up and lawns can quickly go from green to brown without proper care. A well maintained lawn requires regular monitoring and different actions throughout the seasons.
Just as the risks and risk mitigation strategies for lawn care change with the seasons, so do some of the compliance (and other) risks that your organization faces. The risk of something happening or its impact are not necessarily consistent throughout the year, and only looking at risks once a year (especially if you do so at the same time each year) are likely to miss these changes. Effective risk management requires us to understand which risks matter and strategically time our risk-related activities, including communications and training, to ensure the right actions are taken at the right time.
May 12, 2025
I came across this traffic sign during an early morning run last weekend. While the sign was once new and clear, the Nevada sun and heat together with the passage of time mean that this sign no longer offers clear guidance like it once did.
Just as traffic signs sometimes need a refresh to stay current and useful for the people they are meant to guide and help, your organization’s policies and guidelines need to be periodically reviewed to see if they are still offering the guidance and help that your employees need. This doesn’t mean you necessarily need to update policies or guidelines often, but at least check to make sure that they still work and offer relevant guidance.
April 28, 2025
Policies can be a helpful way to help manage risk, but whether or not that happens depends on the policy owner’s approach.
If your policy is clear about who needs to do what and how (and doing so is both possible and not overly burdensome) and communicates that to the target audience in a way that resonates with them, then your policy is off to a good start in helping to manage risk.
On the other hand, if your policy is not clear on what, how or why people should do something, if it has not been socialized with stakeholders, and if it spends more time telling people about the consequences for not doing what the policy writer wants people to do, then your policy is more likely focused on blame management and not doing anything to help your employees or manage the relevant risk area.
Writing a blame management type policy is often a quick and easy exercise for the policy owner, but that approach does nothing to help your employees or manage risk. If your policy doesn’t help your employees and doesn’t help manage risk, then it’s not adding any value.
April 21, 2025
As with any other technological advancement, whether incremental or transformative, there is always the risk that people will find ways to use the technology to intentionally commit wrongdoing (although if your internal fraud examiners are spending all their time looking at employee meal receipts, they might want to consider if they are focused on the biggest risks).
Technology (including AI) is simply a tool and tools can be used for all sorts of purposes – some good and some bad. These tools are not inherently bad or going to corrupt your employees, nor should we assume all your employees are looking to commit wrongdoing using these tools. People are going to use technology when they think it will help them, and there are many ways that technology can help with ethics and compliance. While I would much prefer that one of your employees reaches out to your compliance team or another employee to help them with ethical dilemmas or compliance questions, if someone asks AI a question and the response helps them do the right thing then it is better than the alternative (yes, there are the risks about confidentiality of these tools and other considerations).
Advancements in technology are often a major headache for compliance (and other related fields) because we have to quickly figure out how humans will use the technology and what its consequences will be, but that’s part of the job and especially when you are dealing with human beings. Don’t let the short term headache of figuring out what new technology means in the short and long term cause you to miss the good that can be done with technology and that not everyone is going to look to use technology to do harm.
April 14, 2025
This week’s #SundayMorningComplianceTip celebrates World Art Day (April 15) with an ethics and compliance twist on a famous quote attributed to Pablo Picasso.
April 7, 2025
I got a preview of a great article that Joe Murphy, CCEP has written for an upcoming edition of Ideas & Answers. Joe’s article highlights the importance of continuous learning even for the most experienced E&C professional, and outlines many ways compliance professionals can expand their knowledge including attending (and speaking at) conferences. Stay tuned for Joe’s article – it’s packed with tons of great advice and resources.
Reading Joe’s article caused me reflect that I’m fortunate to have been able to speak at a number of events over the years and team up with some incredibly talented co-presenters (there are still a lot of people I have not presented with but would like to). Here are my tips to help you think about co-presenter speaking opportunities:
1. There is the obvious point that you should be knowledgeable to speak on the topic (although I don’t necessarily think you always have to be the top expert on a topic), but I also look at speaking opportunities and who I am speaking with as a way to support my own learning and development. Preparing for presentations takes time, and I want to make sure that my investment of time will help others learn but I also think about what and how much I will learn during the process. It might be that I can learn more about the topic in general, from a co-presenter’s different perspective or experience, or even learn from their presentation style.
2. While not everyone enjoys public speaking, it is something that I genuinely enjoy – I like thinking about how to help other people learn and the discussions I have with my fellow presenters. I look for opportunities where both the prep and the presentation will be enjoyable, including if there a collaborative effort to build out the content, how the presenters interact with and help each other, and to hopefully have a bit of a laugh along the way. I’ve become friends with a number of people I have presented with in the past and those presentations were some of the ones I enjoyed the most because my co-presenters were great to work with.
3. I don’t read from a script, I like lots of back and forth discussion, and I will incorporate some oddball humor or use a different approach if I think it will help people learn. My presentation style isn’t for everyone, and not everyone’s presentation style is for me. While different presenter styles can work well, the styles need to be somewhat aligned and help ensure the overall presentation works and will help engage the audience. There are some instances where I know my presentation style won’t work with someone else’s (and that’s okay), and that there might be other better (and more enjoyable) ways to partner with that person to share our knowledge (e.g., writing an article together).
What tips or advice do others have for selecting which co-presenter speaking opportunities to say yes to?
March 31, 2025
I recently read a news article discussing the “remarkable display of sportsmanship” by Patrick Dorgu, a 20 year old Man United player. Dorgu, early in his Man United and overall career, is no doubt looking to impress his team’s decision makers and become a regular on the team.
During a match, Man United were awarded a penalty when the referee said Dorgu had been fouled in the penalty area. While the video assistant referee was reviewing the decision, Dorgu told the referee that he had not been fouled and his team should not be awarded a penalty. The referee overturned the penalty decision.
The Man United manager was later asked about Dorgu’s actions. The article quoted the Man United manager saying that Dorgu’s actions were “a good thing” and that he was “proud of him;” however, the manager went on to add “I cannot say if it’s 0-0 or [we are] losing if I have the same response.”
Soccer/football is notorious for players diving or acting to get decisions in their favor (the article goes on to discuss some of the most egregious examples), but here we have a young player who demonstrates sportsmanship and integrity, and receives a mixed and very public message from someone in a key leadership position. The message is essentially integrity is fine when we are winning, but winning is all that really matters and integrity is not allowed to get in the way of winning.
Words matter, and especially when they are said by someone in a senior leadership role – often, the power and impact of a message is not the words, but who communicates the message. Sometimes leaders (and perhaps this applies to the Man United manager) have good intentions with what they mean to communicate, but the impact is wildly different. Leaders need to constantly remind themselves of the influence their words and decisions can have on others – when you are in an extremely competitive and high pressure environment, such as professional sports and many businesses, they need to repeatedly and explicitly remind their teams that there is no winning if results are achieved in a way that undermines the organization’s values, integrity and compliance program. Integrity always matters – not just when it is convenient.
Winning and integrity – the same with profitability and integrity – do not have to be at odds with each other and actually can support each other (when you have effective and intentional leadership that spreads this mindset throughout the organization), and the message to employees should be to play with integrity rather to win with integrity.
March 10, 2025
It’s rather amazing that all the planets in Star Wars seem to have gravity and oxygen levels, and even the temperatures on most planets are so similar that none of the characters need to change clothes when going from one planet to another (if you are visiting planet Hoth – pack a sweater or something warm). Fighting against the Dark Side is time consuming, so not having to worry about breathing, temperatures or gravity on your intergalactic travels gives you fewer things to worry about and you can pack lighter for your trip.
Unlike most of the planets in Star Wars, no two companies are alike. Every company is different in how it operates, has its own risks and strategies, and might be subject to different laws and regulations compared to other companies. You cannot simply copy and paste an ethics and compliance program that is designed and works effectively for one organization and assume it will work effectively for another organization.
March 3, 2025
Even the most thoughtfully prepared and tailored policy that has gone through appropriate stakeholder socialization in the development stage might still present challenges in practice. Sometimes, you might realize that your policy has unintended consequences or not foreseen a particular situation, and you need to decide how to handle the situation.
Here are a few points consider when deciding how to grant policy exceptions:
1. Number of Exceptions: Granting too many policy exceptions will likely undermine the policy standard overall and also potentially cause confusion for others about what is the actual policy if the policy in practice seems to often be different to what is written in the policy. Refusing to grant any policy exceptions in situations that truly warrant them might come across as overly rigid and bureaucratic.
2. Who Is Getting The Exception: Are you giving senior executives exceptions to the gifts & entertainment policy for lavish items of value but heaven forbid if a lower level employee was $5 over the limit for a dinner? Policy exceptions should be risk based rather than role based – if the policy and policy exception process doesn’t seem fair or equitable then the result can impact employee trust.
3. What Do You Learn From Policy Exceptions: There is a difference between incremental and transformational change – transformational change is sometimes necessary, but it requires a lot of work and effort by the change driver and the people impacted by the change. If you are receiving a lot of policy exception requests, then this might be a sign that your policy is driving significant change and you might not have done enough to socialize your policy and its impact ahead of time. Policy exception requests and approvals should also be used as lessons for the next version of the policy – either you should update the policy to ensure that it is more suitable for your organization or you need to explain more about why parts of the policy (or even the whole policy) matter and are not subject to exceptions.
What other points do you think people need to consider when it comes to policy exceptions?
Feb 24, 2025
There has, as every compliance professional has seen, been a lot of discussion, concern and questions around what the future of FCPA enforcement will be and what that will mean in practice. While patience is required to see what the changes will be in practice once the new guidelines are issued, the level of interest in this topic from both compliance professionals and people in other roles provides an opportunity for real conversation around your compliance program and why your organization cares about bribery and corruption. The more conversations around compliance, integrity, and organizational values (including making sure those values are clear and applied/followed in practice) the better. Whatever you think about the recent announcements and changes, don’t forget the value of engaging in conversations about integrity – doing so benefits your organization, culture and employees.
Feb 17, 2025
How often have you enjoyed a movie or tv show and then when discussing it afterwards you don’t remember scenes or parts of the movie that others do? Even if you watch intently, you will forget a lot of the detail and only a few key points or moments will really stick.
If people are forgetting parts of the latest blockbuster movie, they are definitely going to forget what you cover in your ethics and compliance trainings and other presentations. Rather than hope everyone will remember every point covered, I usually try to pick no more than three or four key points that I want people to leave with and remember. Knowing these points helps me build the structure and flow of the training. And while I might include additional information that is relevant to the topic overall or will help people during the session understand the key points in more detail, I am aware that information will probably be quickly forgotten.
It is unrealistic to expect your audience to understand and remember everything you cover. Instead, start with more realistic outcomes about the amount of information people will retain and see the opportunity to really make those points memorable.
Feb 10, 2025
AI is everywhere, but unlike Justice Potter Stewart’s famous line about obscenity (where he essentially said its hard to define “but I know it when I see it”), I think a lot of non-AI experts (myself included) struggle to define what AI is and don’t always necessarily know when they see it or come across it. Yes, everyone is aware of commonly know AI tools such as ChatGPT, Gemini, and, most recently, DeepSeek, but AI is appearing in all sorts of other places, including in updated technology or by service providers that your organization might have been using for years.
AI has its risk, but it can also be incredibly useful and your employees are not doubt using AI – both intentionally and unintentionally – to do their jobs. If you are going to create a governance framework and likely one or more policies on the use of AI within your organization, you need to ensure that the framework and policy developed by the AI/IT perspective is going to actually make sense and work for other employees in practice. AI can probably write a first draft of your policy in seconds, but it is still going to take a lot of human to human conversations to make sure your organization’s framework and policy on paper become the framework and policy in practice.
Feb 3, 2025
Compliance programs are always subject to continuous improvement. We need to constantly adapt and evaluate the effectiveness of our programs to ensure they address new regulations and enforcement actions, changes in how the organization operates, evolving risks, and also leverage new technology and other best practices. A lot of continuous improvement can mean more work – both for the compliance team and perhaps even others in the organization – and that can overstretch your team (unless you can somehow get more resources and help).
An important part of leading a compliance program is knowing how to prioritize and make decisions based on those priorities. Something that was once a top priority might no longer be a priority anymore and needs to make way so you can focus on other priorities. However, it can feel uncomfortable to stop doing things we have done for years. The reality is that something is likely to go wrong or be missed if you keep trying to do everything you have previously done and continuously add more; however, you also need to balance that with the risks of stopping something you might have done for years.
The concept of reverse piloting can be extremely useful when you have compliance initiatives that you need to stop or scale back, but you are concerned about the risks or consequences of what will happen if you stop those actions or initiatives. Just as you pilot new initiatives for a period of time to test whether or not they work and should be continued, a reverse pilot is where you stop doing an existing initiative for a period of time to test what happens without that initiative and help you decide whether or not the initiative should be continued. At the end of the reverse piloting period, you decide whether or not the initiative should be stopped for the longer term, and you will also have a better sense of any consequences or knock on effects. I learned about this concept years ago, and I have found that it is a practical and simple concept that helps me with change management and getting comfortable with moving forward on what matters most.
Does anyone else have any tips or tricks for how you manage your time and priorities?
Jan 27, 2025
An investigation might conclude that the concerns raised are unsubstantiated, but even if an investigation is unsubstantiated there might still be issues or opportunities for improvement. Here are three points to consider when you see patterns or a significant number of related matters that are unsubstantiated:
1. Are investigations being properly conducted and handled by professionals with appropriate knowledge/experience? While some matters are simple and straightforward to look into, other types of matters can be much more complex and challenging even for an investigator who is knowledgeable and experienced. If an inexperienced investigator is assigned to look into a complex matter, they might conclude a matter is unsubstantiated when a more experienced investigator would arrive at a different conclusion.
2. Is the investigator the common denominator? A number of helpline platforms can provide individual scorecards for investigators, so you can see if any investigators have a much lower (or higher) substantiation rate compared to other investigators in the organization. Having a substantiation rate that is different from the average does not automatically mean the investigator is doing a poor job or they are unqualified, but it is important to understand how they are approaching investigations and if they can share any insights about why they are seeing so many unsubstantiated matters. It could be that there is something unique going on in the part of the organization the investigator covers, but you can’t know that unless you have a conversation with the investigator.
3. A low substantiation rate might indicate that existing policies are inadequate to address actual issues, or that there are no policies covering the relevant topic (it’s difficult to violate a policy that doesn’t exist). Even if you do have policies in place, a low substantiation rate could signal that employees don’t understand the policy (which might signal the policy is unclear and not helping employees) or that additional training is needed to help employees better understand a particular topic or area. If employees are continuing to speak up on topics or matters that the organization then concludes are unsubstantiated, then there is a need to understand what the disconnect is and to make sure the disconnect does not drive down trust within the organization.
A high or low substantiation rate, by itself, doesn’t tell you much, but it should cause you to ask more questions and to be more informed about the questions you ask about what is going on in your organization.
Jan 21, 2025
I continue to believe that employees – especially leaders, managers and supervisors – should have one or more annual performance goals that are directly tied to the organization’s ethics and compliance program, and my post from below includes some practical examples of goals that can be used. This helps reinforce the importance of leadership and delivering results in the right way, while also ensuring employees have a financial interest in supporting the ethics and compliance program.
While not all performance goals can realistically explicitly reference the ethics and compliance program, ethics and compliance should still be kept in mind for how other goals – those that are not directly tied to the ethics and compliance – are developed, measured and assessed on. Embracing “integrity by design” in the goal setting process can help to ensure that organizations, or even departments, are not “pressuring employees to meet unrealistic sales goals” (from a 2020 DOJ press release). Performance goals can be ambitious and help deliver great financial results for the organization, and adopting an “integrity by design” approach in goal setting can ensure that performance goals align with both the strategic priorities of the organization and its ethics and compliance program.
What other performance goals have others seen that help employees support the strategic priorities of the organization and the ethics and compliance program?
Dec 30, 2024
Standards and controls, including policies, are an important part of an effective ethics and compliance program. While I have many other #SundayMorningComplianceTip posts that address policy development and writing, there is one important assumption I think policy owners should make when it comes to policies: assume no one will read your policy.
Hopefully the relevant employees will read the policy, but the point is to recognize that your busy employees are probably subject to scores of policies and have equally little amounts of time and interest in reading new policies. If we assume that employees are not going to read a new policy, we force ourselves to think a bit more about how to bring the policy to your employees and help them understand the requirements. Here are some examples of how to apply this assumption in practice:
1. Engage Leaders, Managers & Supervisors: You can do this through Compliance Manager Toolkits (a one page summary that helps managers understand their role with respect to the policy and how they can support employees with the new policy) and providing them short Compliance Tips of the Month so they can talk with their teams about some key points about the policy that are relevant to their team and will resonate with them.
2. Marketing Campaign: Embrace the marketing principle of the “Rule of 7” – you need to have multiple messages and communications for the relevant employees to help ensure that they are aware of the policy and the key policy requirements.
3. Help People Learn: This can include training (online or live), engaging them during the policy development stage, providing real life (or at least realistic) FAQs that provide realistic scenarios that relate to the policy, and advising employees on how to deal with any challenges or awkward situations that the new policy might create for them (e.g., how do you decline a gift that violates your new gifts and entertainment policy without burning important business relationships).
Even if your employees are going to read all your policies, applying this assumption will only help support both your employees and your ethics and compliance program. Policy documents are just the written version of the policy – there are many other ways that we can communicate a policy to employees and help ensure the words on the page are reflective of the policy in practice.
Dec 16, 2024
This week’s #SundayMorningComplianceTip is obviously inspired by the famous line from George Orwell’s “Animal Farm.” Enterprise wide policies should apply equally to all your employees, including fair and consistent consequences for when people violate the policies. Whether perception or reality, employees will lose trust in the organization when they see that other employees are not held to the same standard as others (especially if the policy includes “zero tolerance” language, which has a whole other topic I’ve covered before).
If you want your policies to seem fair to employees, then they need to be consistently applied to everyone in the organization and there has to be consistently applied and proportionate consequences for when people fall below standards. If you are intentional in doing so, you risk the likelihood that other employees will think that your policies apply equally to all employees, but more equally to some employees than others.
Dec 2, 2024
Organizations – particularly through their Codes of Conduct – often tell employees that they should speak up, and trust that something will be done about and it there will be no negative consequences for doing so. Rather than asking employees to approach speaking up as a massive trust fall exercise, organizations should try to demystify the speak up process as much as possible so that employees can choose whether and how they want to speak up, and what channel (the helpline, their manager, HR, compliance or another way) they will have the most trust in. Sharing information with employees can help give them more certainty about speaking up and trust in the process. Here are some examples of information that can help:
1. Sharing information with employees about how many reports your organization receives and the types of matters raised;
2. Demystify the speak up process by sharing what actually happens once a report or concern is raised and what information someone who speaks up should expect to receive. Employees might think the investigation should take only a day or two or that they will be entitled to all information that the organization finds in the course of the investigation;
3. Sharing stories about when others in the organization have spoken up and what happened (without identifying anyone). This can include demonstrating the types of matters raised and investigated, that the organization actually enforces policies and expectations, and how concerns (such as retaliation) are dealt with.
Speaking up is always going to be a bit of a trust fall exercise, but sharing information and showing care for employees can make a difference.
Nov 25, 2024
Incentives to support effective compliance programs are not new, but this is still an area where I feel many organizations could prioritize more and think about the various types of effective incentives available.
While financial rewards and incentives are great for recognizing individuals and sending a message that shows the organization will use its finite financial resources to demonstrate commitment to its values and those employees who support and protect those values, incentives are, and should be, thought of more broadly. Sometimes an incentive doesn’t even have to have a financial cost to it – socially recognizing someone for doing the right thing or even a simple and sincere “thank you” can go a long way.
There are so many ways that a sincere “thank you” can have a positive impact, including:
1. Thanking someone when they have spoken up or otherwise helped in an internal investigation, and explaining how doing so helped. Speaking up can be uncomfortable and cause people to question if they have done the right thing, so thank them and tell them why what they did made a positive difference.
2. Thanking someone who faced a challenging situation and did the right thing, even – and especially – if others did not act in the same way. We are social creatures and influenced by other people more so than written policies, so thank people when they have been alone in acting with integrity.
3. Thanking someone for complying with your policies even if doing so was socially awkward (e.g., they have to turn down a gift or offer of entertainment that does not align with policy, but they don’t want to offend the person who offered them the gift).
4. Thanking someone who asks for help or support, or even wants to talk through something to ensure they not making decisions in isolation. Isolated decision making when coupled with excessive pressure is a recipe for bad things to happen.
5. If you are a manager or leader, thanking someone who has appropriately challenged your idea or raised concerns about the pressure they are under.
Compliance isn’t just about finding out who is acting inappropriately and stopping them – it’s not just the absence of bad things that we care about, but also the presence of good and appropriate actions. If you continuously look for people who are doing the right thing, then you will likely find lots of people to thank.
Nov 18, 2024
There are lots of great places in Nashville to run, but one of my favorite routes involves running loops around a golf course – it’s never too busy and you get great views of the well maintained greens. Those greens take a lot of work and effort, and unless you are there early in the morning, you might not realize the number of experienced greenskeepers involved and the amount of equipment they have to keep the course in good shape. These professionals and their equipment/resources add to the operating costs of the golf course, but without them the greens would be a mess and golfers would go elsewhere. The greenskeepers don’t take care of the greens once or twice a month, but are constantly and continuously taking care of the greens to support the short and long term financial success of the golf course.
What do golf courses and compliance programs have in common? They both need adequately staffed teams of experienced professionals who have the necessary resources to be effective and do their jobs. You won’t see a world class golf course (not that I’m running round a world class golf course) that is staffed by only one or two people using a push lawn mower, and you won’t see a world class ethics and compliance program that is only staffed by one or two people with few resources to support them. Compliance programs cost money, but having an adequately resourced and qualified compliance team is not just an expectation of regulators, but it is a way to protect the organization and ensure that customers and others continue to trust in, and want to do business with, your organization.
Maintaining a golf course and an effective compliance program are both expensive, but the costs of not investing are much bigger and only getting bigger (at least when it comes to compliance). Your organization’s C-suite probably don’t want their favorite golf course being under resourced or run by greenskeepers who lack relevant experience, and they certainly shouldn’t want the ethics and compliance program to be under resourced either.
Nov 11, 2024
We saw this sign at a restaurant (that had a bunch of alligators) we recently visited during a brief Fall break to Florida. While most of my #SundayMorningComplianceTip posts have a somewhat serious point to make, this one is mainly just for fun – it is refreshing to see a policy that describes consequences beyond the typical “violations of this policy may result in disciplinary action up to, and including, termination of employment.”
Nov 4, 2024
Compliance (and other) policies often require changes in human behavior, but a policy alone is not likely to change behaviors. Policies therefore need to be preceded and accompanied by a proportionate amount of well thought and effective change management to help people understand what the changes are and why, and to ensure the change is lasting. Whether the change required is incremental or transformational, the change process should not be overlooked.
Here are three tips for managing the change management process when it comes to policies:
1. Understand The Status Quo: In order to know how much change management is required, you need to understand how the desired behaviors compare to the status quo. This includes understanding current behaviors, asking why those behaviors exist and looking at the context that supports/expects the current behaviors (e.g., incentives).
2. Stakeholder Engagement Before The Policy Is Final: Training and awareness/communications are needed once the policy has been finalized, but that should not be the first point of stakeholder engagement. Engage different stakeholders (including those who will be impacted by the policy, leaders and managers, and anyone who will play a governance/oversight role for the policy requirements) early in the policy development process – ask them questions, hear their perspectives, and get them to help identify potential change management challenges you might not have considered. While time consuming, this can help start the change management process before the policy is even written, and engaged and informed stakeholders who helped to develop the policy might be more inclined to advocate for the policy once it is rolled out and help others with any necessary change management too.
3. Policies Are Products: You won’t see the Sales & Marketing Department launch a new product and think that sending an email or two to target audiences is enough. They will engage in a whole communication and awareness campaign to connect with and educate the target audiences, speak to them in terms of their interests, identify spokespeople or influential voices who can help engage and persuade others, and do so multiple times knowing that this type of change management will help the product’s success. Policies are essentially our products – if you want the policy to be successful, don’t think a single reference on an intranet site or email is going to support the necessary change management.
What other tactics or approaches have others used to help support effective change management when it comes to policies?
Oct 21, 2024
For the first time, the latest update to the DOJ’s Evaluation of Corporate Compliance Programs includes references to “data analytics” (there are two references). While this is a first for the ECCP, data analytics certainly isn’t something new to compliance.
At times, a lot of us – including myself – think about data analytics and our minds immediately go to the most complex types of data analytics. We fear that our limited Excel skills and basic (and perhaps not even accurate) understanding of AI mean this is an area that will always be outside of our reach.
Keep in mind that data analytics just means looking at data and seeing what the data might tell you. Some types of data analytics – such as predictive analytics or even looking at vast amounts of financial transactions – can be difficult and require special skillsets and/or technology. Other types of data analytics, such as looking at data about your different speak up channels (including your helpline, but also the other channels), is not complicated and is something that all of us can do. While many of us tend to think of data analytics as always being super complex, the reality is that data analytics involves a wide spectrum that goes from very simple to the most sophisticated.
Data analytics is about using data to identify and manage risks, and to continue improving and strengthening our ethics and compliance programs. Don’t overcomplicate it or think it’s outside of your abilities, because you are probably already doing more data analytics that you might think.
Oct 14, 2024
The focus on AI, risk management, effective learning, data, data analytics, understanding incentives and a whole lot more mean that corporate compliance programs need a range of diverse skill sets and professional experiences. This will likely mean you need to add skill sets to your compliance team today (which might mean headcount or just learning new skills), but there is also great future professional growth and perhaps even opportunities for compliance professionals when you build on whatever professional background you bring and add on additional skill sets and knowledge.
You don’t need to become an AI expert, for example, but lean in and learn a bit about the different areas both to help your program become more effective and also because doing so will give you knowledge and experience that will serve you well for the future.
Oct 7, 2024
For years now, I have been making the point that, as social creatures, we are much more influenced by social pressures and other people rather than written policies. This is not an argument against having written policies and written communications, but simply acknowledging the reality of how people influence and communicate with each other. This is a point I cover in Chapter 8 of Ethics & Compliance For Humans, where I talk about how “people, for better or worse, connect with and are influenced by people more so than by policies.”
I have been looking for an expert to quote to back up my thoughts and I finally found the perfect one. “Studies have shown that more information is passed through water-cooler gossip that through official memos” Dwight K. Schrute (Assistant to the Regional Manager) – a quote from an expert ethics and compliance guru who references some important studies to back up my point. 😄
Sep 30, 2024
I’m usually not a fan of technical language, legalese, double negatives, or references to specific statutes or case law in employee facing policies, but there are some instances when including them can actually help both your employees and the organization.
See below for my top five suggestions for when it’s actually a good idea to include these in an employee facing compliance policy.
Sep 23, 2024
Employees are often working quickly and multitasking to manage the different priorities and pressures they are under. If you have policies that you need those employees to comply with, you need to find a way that is effective at getting their attention, explains what they need to do in clear terms and (a step that I think is often missing from policies or badly written) a compelling “why” that explains the need for the policy, and why employees should care.
The importance of a policy “why” is something I cover in Chapter 10 (Policies For Humans That Humans Won’t Hate) in my book, Ethics & Compliance For Humans. The below image is a great example of what I mean – the policy expectations are clear (drive slower than the stated speed limit), the people impacted by the policy are informed just as they are approaching the risk (just as people are unlikely to remember an online training from six months ago, drivers are not likely to remember to slow down if this sign was placed 6 miles or kilometers from the school), and it is a wonderfully simple yet effective single word explanation for the policy (“School”). The policy “why” isn’t (as is too often the case in many compliance policies) tied to the existence of a law or the penalties of potentially getting caught – instead, it appeals to our human sense of not wanting to risk injuring kids as they go to school.
A well written policy “why” can have such an impact on whether or not people actually comply with the stated policy.
Sep 16, 2024
The end of summer means that while outdoor swimming is still fun, it is not like the height of summer when the water is warm and refreshing compared to the heat (and humidity) of Tennessee summers. Last weekend, rather than jumping in the deep end and quickly getting used to the cooler water, I did the painful walk in and paused every step to get adjusted to the temperature. After 10 or so seconds, the water didn’t feel as bad and I took another step where the higher level of water hit me and I had to pause so that it no longer felt as uncomfortable.
I’ve heard various compliance professionals over the years say that you can teach people about compliance, but ethics is fixed and not something you can change by training in the workplace. While formal training in the workplace can certainly help people learn about compliance, I believe there are many ways that people will learn to adapt their ethical standards. Humans are social creatures and we adapt and change based on the environments we are in, the pressures we face and the people around us – that means our workplaces, where we spend a considerable amount of our lives, can significantly influence how we think and behave.
Just as each step into a cold pool is initially uncomfortable and then we soon adjust (both mentally and physically) to accept the temperature and move deeper, a workplace environment can, bit by bit, push us to uncomfortable ethical practices that we then adjust to and we continue to go deeper down a path that erodes and changes our ethical standards (this is also known as ethical fading).
While I do agree that it is harder to teach employees in a classroom setting about ethics as compared to compliance, we have to remember that classroom learning accounts for around 10% of adult learning – 20% comes from coaching and 70% from experiential learning. Our ethical standards are not fixed and we can learn to adjust our standards through our experiences.
Our jobs do more than simply give us our paychecks and support our careers – where you work can impact how you act, think and behave. If you are in an environment that does not have ethical practices and standards that are aligned with your own, you either need to be able to lead an ethical revolution in the organization (probably not going to happen btw) or you run the risk that you either won’t succeed in that environment if you stick to your values or that you are exposing yourself to an environment that puts you and your values at risk.
Sep 9, 2024
There is a fairly well known story of a moment shortly after Alan Mulally took over as Ford CEO in 2006. Mulally introduced a weekly leadership meeting with his reports and they had to present updates using a green, yellow or red status. Despite the significant challenges at the time, most of the presenters were showing their projects as green. Mark Fields was the first leader to present a red status update on a project – as he shared his update. most of the other people in the room supposedly went quiet, looked down and waited for what they expected would be negative consequences (there is a good video online where Mark Fields says he “could feel the chairs moving away” from him).
The story goes that Alan Mulally started clapping and celebrated Mark Fields in the meeting for raising the issue. He wanted others to see that sharing concerns and issues provided an opportunity for others to help and address the situation. Presenting a red status update was not a career ending move for Mark Fields – he went on to be Mulally’s successor and served as CEO from 2014 to 2017.
So what are the ethics and compliance lessons here?
1. Leaders play a key role in making others feel comfortable enough to speak up – it isn’t about simply promoting the different speak up channels, leaders need to build trust with others, encourage them to raise concerns and listen when they do;
2. Speaking up is difficult, even for high up executives. Having an important title doesn’t change the fact that most people find speaking up difficult;
3. People should be recognized and rewarded for speaking up, both in the moment (with Mulally’s clapping and public praise) and in the long run (Fields becoming CEO). Speaking up should not be a career ending move (and it wasn’t for Mark Fields), but there are many examples of people who have spoken up and suffered retaliation and blacklisting as a result (if you want to learn more about the human impact of retaliation and blacklisting, I cover this in Chapter 5 “The Speaking-Up Problem” in Ethics & Compliance For Humans); and
4. If issues are not being raised, it does not mean that there are no issues – it might mean there are issues, but people do not feel comfortable raising them.
Sep 3, 2024
Last weekend, I decided to make baguette. I have made other types of bread before, but this was my first time making baguette. The ingredients are simple: bread flour, salt, yeast and water. The simplicity of the bread recipe and the use of a fairly high tech oven lead to a pretty decent end product.
While an effective ethics and compliance program will inevitably include various pieces of sophisticated and advanced technology solutions (such as your ethics helpline, online training platforms, due diligence and 3rd party risk tools, trade compliance screenings, as well as tools that can help with data analytics, testing and monitoring), an effective program cannot only rely on the most advanced tech solutions alone.
High tech solutions often aren’t able to help with employee engagement in your program or help build and sustain a culture of integrity (perhaps the closest one is an effective ethics helpline platform that your employees actually trust and use). Simple things, such as getting leaders and managers to regularly talk about the importance and relevance of integrity or taking the time to recognize someone for doing the right thing, are often some of the most effective and impactful parts of a compliance program. But you also cannot rely on the simple things alone, because they cannot replicate what some of today’s advanced technology can do.
Just as my baguette baking involved the simple and high tech, the same is true of an effective ethics and compliance program. You need both the simple and high tech to make a program effective.
How has your organization managed to combine advanced technology and more simple things to support your ethics and compliance program?
Aug 26, 2024
Aug 19, 2024
I saw this sign down by Bankside during a recent visit to London. Despite the sign saying to “avoid using amplification,” every time we walked past one of these signs we could see and hear various musicians and performers using microphones and amplifiers to help draw in, and entertain, their audiences. There was no enforcement of the “no amps” policy and no one seemed to care or be bothered by the policy violating behavior. (This sign also appears to be more of a polite suggestion rather than more firm and directional language typically found in most policies, but that could also be the British policy writing style 🤷♂️.)
The lack of compliance and enforcement of a standard means that the policy on paper and policy in practice are two very different things. Policies without monitoring or actions to make sure the desired behavior is obtained are just empty words on a page (or this case, a sign). If people feel that a policy restricts or impedes what they want to do, they see others not complying with the policy and they see little to no risk of enforcement, then it’s highly unlikely that anyone will choose to follow the policy. And if the policy is only infrequently enforced, then it risks people feeling that it is unfair if they get in trouble for violating the policy when others do not, that the policy is not actually important and that periodically catching people out is more important than the policy itself.
What policies really matter in your organization and how can you help make sure that the policy on paper and the policy in practice are one and the same?
Aug 12, 2024
I took this picture on a short bus tour we took during a brief visit to Coruña. Thankfully we had a great driver and no issues with our trip that needed reporting, but telling someone that the only way to raise reports or complaints is to ask the person you are likely complaining about to provide you with a complaint form and then having to hand it back to them to hopefully pass on to their management seems like (intentionally or not) the most socially awkward way for someone to report concerns.
Hopefully your organization has better ways for employees and others to raise concerns and ask questions, but speaking up feels socially difficult for many people regardless of what options are made available. Speaking up is difficult for many people and for many different reasons, but the process that supports people speaking up should not make the process even more awkward and uncomfortable.
Jul 1, 2024
One of the most effective ways to support an effective ethics and compliance program is to engage leadership at all levels in an organization. Leaders, managers and supervisors have to ability and voices that will determine for the rest of the organization what matters, what is a priority and what isn’t. While the impact of leadership engagement and alignment with the compliance program can have a huge impact, the time and effort required by leaders to make this difference is minimal.
Here are six easy ways leaders can make a difference to their teams and broader organization:
1. Use your voice by regularly talking about the importance and relevance of ethics and integrity with your team and any new hires.
2. Provide feedback both when employees exceed and when they fall below expectations when it comes to integrity.
3. Promote the resources available to support employees (and where to find them), including the code of conduct and the various speak-up channels.
4. Be an example by demonstrating organizational values (including speaking up), as well as promptly completing requirements such as online training or certifications.
5. Proactively build trust with your team by sharing stories of the ethical dilemmas you have faced in your career and regularly asking them if they have any concerns or matters they would like to discuss or need guidance on.
6. Be genuine and confident in knowing which matters you can handle and which you need to engage other people to help with.
Leadership engagement matters and makes a difference, and it also isn’t a complex or time consuming task. Need more tips on how to engage leaders in your organization – check out Chapter 11 in my book for more tips and practical advice.
Jun 24, 2024
Many ethics and compliance professionals regularly conduct internal investigations. We know what the processes and steps are, we are comfortable conducting difficult and complex investigations, and the investigation process is familiar to us. We view investigations as being interesting, routine and perhaps we even look forward to conducting some of the more challenging investigations.
The experience of internal investigations for repeat players (like compliance professionals) is often very different to how they are experienced by employees who might only ever be involved in one or two investigations in their entire career. Even if someone (such as a witness or someone who is being interviewed to provide context) has done nothing wrong and has no reason (from the organization’s perspective) to be worried, they might still feel very concerned and unsettled by the process. While it might be entirely routine for an investigator to ask certain questions or want to see emails or other materials, the same request can be experienced completely differently from the perspective of the person sitting on the other side of the table. The feeling of uncertainty and not being in control does not make most people comfortable.
Internal investigations are never going to be something that employees enjoy participating in, but an experienced investigator who understands that investigations will stir up human emotions can make a real and positive difference. While there is a lot of information that cannot be shared with the individuals involved in an investigation, we can help to alleviate the stress and uncertainty by acknowledging when people are experiencing certain emotions and also explaining why a routine request is necessary. Even just explaining that a request is routine and part of the process can help address some of the concern and uncertainty that the person might have.
A bit of genuine care and empathy for people can go a long way when you are conducting an investigation. Ultimately, we need people to open up and trust us in the investigation process – if the people we need to speak with are closed and feeling afraid, we will struggle to get the information we need. A human centric approach to internal investigations not only reduces the stress for those people involved, but can also lead to much more effective investigations.
What tips or advice do you have for how to help put people at ease during the investigation process?
Jun 17, 2024
I’ve worn a variety of different running watches over the years. They are useful for tracking workouts and the data they provide, and it is rather frustrating when I forget to charge my watch or the battery gives out mid run. But even without a fitness tracker or running watch, a run is still a run (it just isn’t as satisfying as compared when you have the data from your run for my fellow Type A runners).
Data matters to runners, just as data and data analytics also matter to ethics and compliance programs. I’m all for data analytics – it’s an expectation of regulators and helps make compliance programs more effective (when done properly). At the same time, I sometimes find that there are compliance professionals who are resistant or even dismissive of compliance efforts that might produce valuable benefits, but those benefits are not as quantifiable as other things. You can measure an online course in many ways, but it is harder to quantify things such as leadership engagement or when someone does the right thing. Just because something is not easy to quantify doesn’t mean that the activity is not valuable; and just because something can be quantified doesn’t mean that it is valuable or more valuable than things that are harder to quantify.
Measure what matters, but sometimes what truly matters and makes a difference is hard to measure.
Jun 10, 2024
My eldest daughter decided to bake yesterday and she found a recipe in an all old cook book we have. She had the book open on a page that had a reminder that baking at different altitudes will impact how the ingredients work together and how the cake bakes. The same ingredients in one place won’t necessarily lead to the same result elsewhere because of the impact of altitude.
Building of my theme from last week’s tip, this was a good reminder for me that the ingredients for what will work and be effective for one part of an organization’s ethics and compliance program will not necessarily lead to the same outcome elsewhere. You have to adjust the tactics and approach of the program based on a variety of factors to get to the desired outcome – sometimes the changes needed will be small or subtle, but the only way to know is to really understand the context and situation of the particular location or part of the organization to understand what needs to change that will still lead to the same outcome.
I’m sure there are a bunch of ethics and compliance bakers out there. What other tips or perspectives have you taken from your baking that can apply to ethics and compliance?
Jun 3, 2024
Most organizations will promote that there are a variety of ways in which employees can speak up and report concerns (including through an employee’s manager, HR, compliance, the ethics helpline and some other functional groups such as legal and audit). Employees should have multiple channels to raise concerns and they should use whatever channel they prefer to use. While multiple options are good, not all employees may feel that the channels advertised by the organization are truly effective or even practical – this can be particularly true for parts of the organization that (a) are either geographically far from the organization’s headquarters / main location(s) or (b) operate with relatively high levels of autonomy from the rest of the organization.
The speak up experience for someone in headquarters and another location might be very different, and an employee outside of the headquarters may feel that their options to speak up are limited. When employees don’t speak up, it is not necessarily a sign that all is well and good – the reality might be that there are issues, but employees feel there are few channels to effectively report their concerns.
May 28, 2024
May 13, 2024
I couldn’t let Star Wars day (albeit yesterday) pass without a Star Wars themed #SundayMorningComplianceTip
As we saw in the Star Wars sequel trilogy, Finn (or FN-2187 when he was a stormtrooper under the First Order) was horrified by the wrongdoing he witnessed under the First Order and took an extreme risk in escaping. While he knew escaping was the right thing to do, he initially struggled with his decision and adapting to life as part of the Resistance. Throughout his struggles and journey, we see Finn as being a good character and someone we cheer on for his bravery and integrity in opposing the First Order.
Speaking up is not easy, and most whistleblowers do not have a massive group of people like General Leia and the Resistance waiting for them when they take a stand against the wrongdoing they have seen and experienced – instead too many of them are left feeling alone and can struggle to find suitable employment opportunities (known as blacklisting). This continues to baffle me – whistleblowers are often unbelievably brave and loyal people who can see right from wrong even if everyone around them is going along with the misconduct.
It’s long overdue that we start to see whistleblowers as the good characters that they often are and cheer them on for their bravery and integrity in opposing wrongdoing. If you supported Finn in the Star Wars movies, you should also be supporting whistleblowers too.
May 6, 2024
Earlier this week, I was flying back to Nashville and had what was meant to be a brief connection through Charlotte. Shortly after we boarded, I got a notification on my phone that the flight was delayed by 90 minutes. The captain announced the reason for the delay: a maintenance employee spotted oil leaking from one of the engines and needed to inspect it further. A few minutes later, the captain announced that we would need to deplane and wait on a replacement plane – the oil leak meant the plane could not fly us home. It was late and now I was going to be home extremely late and had an early start the next day.
The maintenance worker’s actions caused a plane full of passengers and airline staff to not leave on time and arrive really late in Nashville. We could all have complained about the situation, but, thankfully, the passengers sitting around me appreciated what the maintenance employee did and several thanked the airline staff for their commitment to safety as we deplaned. While it was inconvenient for us passengers to have to deplane and be delayed, it was much better than the maintenance worker not raising their concerns and potentially something much worse happening.
In this situation, the maintenance employee spoke up and was listened to (and I hope they even got a financial or other recognition for doing their job well). This is how the speak up process should work everywhere – someone sees something, they speak up, they are listened to, action is taken (even if doing so causes inconvenience) and are then appreciated/rewarded (financially or otherwise). An effective speak up process is not complicated, but too often it fails because the person who spoke up was not listened to.
If people speak up and are not listened to and/or blamed for speaking up, then we run a real risk that small or potential issues will turn into big and actual issues. People who speak up are not problems; they are problem interrupters and they are (as I explain in my book) people who care. Protect the employees in your organization who have spoken up and demonstrated their courage and care for the organization, and look to hire people who care into your organization.
Thanks to the American Airlines maintenance employee at Charlotte Airport who spotted the issue and spoke up about their concerns, and thanks to that person’s colleagues who listened to them. The airline staff demonstrated the speak up process in action and kept us passengers safe, and, as a bonus for me, they also gave me a good story for my #SundayMorningComplianceTip
Apr 29, 2024
Most organizations rely to varying degrees on online compliance trainings. There are all sorts of courses and content out there, including “micro learnings” to longer trainings and a range of different approaches to help with engagement.
With such a variety of different online training options, how do you define success for online trainings?
If you use micro learnings, is success that employees liked the training because the pain was shorter than if the course had been longer? Perhaps employees thought the course was engaging and even entertaining, but does in the moment entertainment lead to lasting behavioral changes? Do higher completion rates correlate with higher levels of knowledge in the organization? Is success based on short term knowledge from how people did in a test at the end of the course or should success be measured by how much information and knowledge employees retain long term? Online courses are completed individually, but how realistic is that for testing how employees behave when interacting with others and the impact of peer pressure? How does other data (such as an increase in questions to the ethics helpline, change in substantiation rates or even a reduction in reports) help indicate whether or not a course was successful?
Online courses can be a useful part of a larger strategy to engage employees and help them learn in the short and long term. How you use online training requires you to think through a variety of different factors and to consider what success will look like for your organization and compliance program.
Does anyone have any other KPIs or measurements for success when it comes to online compliance training?
Apr 22, 2024
From the perspective of the ethics and compliance professional, a speak up campaign is likely (and hopefully) going to result in an increased number of employees speaking up in the organization. If that occurs, the ethics and compliance professional will see the campaign encouraging people to speak up as having been a big success – more people are speaking up following the campaign and that gives the organization the opportunity to address those matters/issues being raised.
From an organizational and leadership perspective, an increase in the number of speak up reports might be seen very differently to compared to the ethics and compliance perspective. Someone could question if a speak up campaign simply created a problem that did not previously exist, and now the organization has to do something about the all the matters being raised – they may not see the problem that the campaign is solving and might see the campaign outcome as a problem you just created. From that perspective, a speak up campaign that leads to increased reporting by employees is not a good outcome.
If you are going to launch a speak up campaign, I recommend socializing the purpose and desired outcome ahead of time. Help leaders and senior management understand why speaking up is a good thing and a sign of a healthy culture, and why you need for increased efforts to support and encourage people speaking up. Having leadership alignment and understanding ahead of the campaign launch can help result in more support for the campaign itself and a shared appreciation of what success looks like for the campaign.
Apr 15, 2024
During our recent family spring break trip, I saw this poster on the wall of the hotel gym encouraging people to “take risks” (there was also another smaller and less colorful sign, not captured in the picture, which highlighted the risks of exercising and to consult a medical professional before working out).
While no organizations (that I know of) have posters on the wall encouraging people to “take risks,” people are always being encouraged, pressured and incentivized to take different risks. Risk is not a bad thing – taking on risk in an informed and intentional way is often a smart business choice and can lead to good outcomes.
One thing organizations need to consider is what leadership may mean and intend as “take risk” might be different to how the message is received and understood by others in the organization. Leadership might be meaning “take some reasonable and appropriate risks” and employees may hear “this has to be achieved at all costs.” Leaders have influential voices and the intent of their messages can be amplified or distorted when heard through pressure and misaligned incentives – leaders need to ensure that their intentions are clearly understood and to regularly talk about the importance of ethics and integrity in what results are achieved and how they are achieved.
Apr 8, 2024
It seems that every policy, no matter the topic, now includes the canned “failure to comply with this policy may result in disciplinary action, up to and including termination.” Most policy writers will see no harm in including the language, since they view it as “part of the template” and “good to have just in case.”
Think about it from the employee’s perspective: how many policies does your organization have and how many of those are truly likely to result in someone being fired? Policies should be clear about what are the consequences for failing to comply, but be judicious and realistic about what is likely to happen if someone doesn’t comply. Does your office dress code policy, for example, really need to have the same consequences as policies that are intended to help comply with laws?
Policy writers in all departments should give thought to all parts of any policy they write, and not simply rush to put policies together with as much canned template language as possible. Policies should be designed to help your employees, including succinctly telling them what they are required to do and making processes and incentives as supportive of the policy as possible. Can the canned language on disciplinary actions for all policies and reserve the termination language for those policies that really need it.
Apr 2, 2024
As a policy writer or presenter on a topic, you will likely know the content inside and out and probably find the content interesting. Even if your writing or speaking can captivate an audience, memories are short and people are likely to forget (or at least not regularly think about) much of the content of your policy or training. If you are trying to convey more than 3-4 key points in a policy or training, chances are you are being too overly ambitious and risking that people will either miss, not understand and/or forget much of the key points covered.
No single training or presentation is likely to transform the way someone thinks, but they can support incremental change. You can also support your overall objective by supplementing training or policies with other regular and relevant communications to help remind, educate and make the content both relevant and resonate.
Too often, I find – with good intentions – that people want to cover too much content in either a policy or training. A policy shouldn’t be a treatise on a subject – it should help guide your employees on what they need to do. A training shouldn’t be an attempt to make other people experts on a topic – it needs to help people understand what they need to know based on their role. Be realistic and reasonable in how you approach policies and training content and you will find how your policies and trainings can make a better impact on your employees.
Mar 18, 2024
We all know that mentoring matters – it is a key way in which adults learn, and mentoring can provide wonderful benefits for both the mentor and the mentee. However, saying “everyone should have or be a mentor” is a bit too oversimplified for our liking at Ideas & Answers because we (from our personal experiences) know that we need different types of mentors at different stages of our careers. From having mentors who help and guide as you go from early to mid to more advanced stages of your career (including reverse mentoring), we know that mentoring relationships are key to helping each other grow and learn. (PS – if you want to hear the stories of how people in our profession have helped each other, you should read one of our favorite compliance books, Sending The Elevator Back Down by Mary Shirley and Lisa Fine).
At Compliance and Ethics: Ideas & Answers, we want to hear your thoughts and stories on mentoring. How has mentoring helped you in a particular career stage? How did you find your mentor? What stage of your career should you consider reverse mentoring? What can our profession do differently to help mentoring be a more effective part of how we grow and learn as a compliance community and profession? We plan to write a short article or two based on the experiences and ideas of our wonderful readers.
Please share your thoughts below, tag someone who has been a mentor to you, or email human@ethicsandcomplianceforhumans.com with your stories and ideas.
Mar 11, 2024
Controls can be an important part of any governance program, including ethics and compliance programs. Controls can help ensure things go the way they are intended to, and help with alignment between the written/stated standards and what happens in reality. However, there is a big difference between having a control and having an effective control – a control that can be easily undone is not an effective control.
A recent basketball practice for one of my kids provided a real life example of how humans can manually get around controls. A simple traffic cone to prop open a door to the gym meant that everyone went through that door rather than going the slightly less convenient door people are told to go through by the sign.
Controls that are based on how people “should” behave (rather than how they are “actually” going to behave) are at real risk of being undone or undermined. If controls are designed without thinking about how people will respond and react, then be prepared to see whether your control can withstand the creativeness of what people can do to get around the control.
Mar 4, 2024
Feb 26, 2024
One of the topics that I wrote about in my book – and is sometimes a challenge for compliance professionals – is the perception that ethical and honest people don’t need ethics and compliance programs to guide their behavior and decision making. It’s an understandable perception, but the reality is that good people are humans and humans are susceptible to influence and pressure (including peer, social and financial), assessed on sometimes unrealistic objectives, and might have incentives that cloud their judgment. We don’t need ethics and compliance programs because everyone is a potentially bad actor, but because we are all human and sometimes we need help ensuring that our actions and decisions are aligned with how we want to act and see ourselves. You might be (and see yourself as) a good driver, but you still benefit from the road markings that help guide you as you drive – external guides can help ensure that we do the right thing and protect you (and others) from harm.
Ethics and compliance programs are much more than simply meant to catch bad behaviors and bad actors – employees who are (and see themselves as) ethical and honest people also benefit from having ethics and compliance programs to help them manage the pressures they face and avoid getting caught up in a situation where their actions don’t align with their own commitment to acting with integrity.
Feb 19, 2024
Feb 12, 2024
I recently read Scott Sonenshein’s book, Stretch, and found one of the chapters to be relevant for ethics and compliance professionals. Sonenshein talked about a (now fairly dated) study that assessed how differing levels of fear inducing information would impact the decision of college students to get a tetanus vaccine. While the students who were presented with lots of fear inducing information initially indicated they were much more motivated to get a tetanus shot compared to the low fear group, the data revealed that their short term motivation and fear did not lead to higher vaccination rates compared to the low fear group. Fear can be stress inducing, but not lead to the desired action or behavior. The study found that the key factor was giving the students a map of the campus showing how to get to the health clinic and asking when would be a practical time for them to go to the clinic.
Ethics and compliance trainings and communications that involve fear based approaches might seem effective in the moment, but they are not necessarily going to result in behavioral or mindset changes that last or lead to the desired action. It is about showing people how to do what is expected of them and making it practical.
How does this translate to ethics and compliance? Instead of stressing people about why they have to speak up and the risks of staying silent, show people the different options for speaking up and ask which option they would likely prefer for a particular situation and what would they find challenging about doing so. Instead of simply sending out a policy that has the usual “failing to comply with this policy” language, take the time to actually and practically help people understand what they need to do (and how). Instead of simply telling managers that they need to be speak up channels, take the time to give them practical guidance for what they should do if someone raises a concern to them.
Fear might seem like a good tactic to get people’s attention, but if you want to change mindsets and behaviors for the long run then it’s not that effective. Instead, focus on creating a simple set of directions and making compliance practical for your employees.
Feb 5, 2024
It is a constant balancing act in deciding how many – and which – policies and guidelines your organization should have. You don’t want to have too many policies because you risk people not reading them and/or being overwhelmed and confused by the number of pages of policies that apply to them, and you don’t want to have too few policies because people might lack the needed guidance to stay compliant and meet the organization’s expectations.
A knee jerk reaction to one off events can be to create a new policy – these are the policies that I call “once upon a time” policies. These policies are so specific in trying to address a particular situation that has little chance of occurring again, and future explanations of why that policy is needed will likely begin with “once upon a time…”. The intent might be good, but the impact is that the policy will lack relevance going forward and there are other more effective ways to help people learn from past mistakes.
You need policies and guidance that help people in practice, but having more policies is not necessarily the answer (especially when policies are badly written, not helpful, lack relevance for the target audience, and not supported with a proper communication and marketing plan). Policies should be regularly reviewed to see if they are still needed and add value, and irrelevant and “once upon a time” policies should have short shelf lives and be removed.
Does anyone have any stories of overly specific “once upon a time” type policies they can share? Post below or let me know separately.
Jan 29, 2024
Ethics helplines are, and should be, a speak up channel that employees can use to raise concerns or ask questions through a third party (and anonymously, if the employee chooses), but they have the potential to be more than that.
Rather than serving only as an additional reporting channel, I think helplines are in a unique position to help support the other speak up channels, and possibly even improve the effectiveness and experience for employees when using the other speak up channels (such as raising concerns through managers).
While managers are often the preferred speak up channel for many employees, many managers might feel unsure about what to do when someone raises concerns to them (should the manager do anything about the concern being raised? do they need to get anyone else involved or can they handle the matter alone?). Even if managers have received guidance or training on what to do if someone speaks up or raises concerns about ethics and compliance, they still might not know how to handle certain situations or may feel conflicted if the concerns being raised involve other people who report into the manager. While you would hope that managers would feel comfortable reaching out to the Compliance or HR teams in those situations, a manager may feel that they will look bad or ineffective as a leader if they ask basic questions about what to do when someone has spoken up to them. Why should the helpline not be available to help managers ask question about how to handle certain situations and what they should do? This could be a way in which matters can be logged into the ethics helpline platform and the right people engaged, or even a way to avoid isolated decision making and provide the manager with the option to (anonymously or not) talk through what to do with someone who works for the helpline provider.
What ultimately is the purpose of an ethics helpline? If it is to help the speak up process at organizations, build trust, and provide employees with options and guidance on how to handle difficult situations, then we must continue to challenge how helplines are designed, run and operated.
Jan 22, 2024
Many ethics helplines are currently used (and promoted as such) to report actual or suspected wrongdoing that has already occurred. While helplines need to support that type of reporting, they also have an opportunity to help encourage people to report learning opportunities that could either allow small mistakes to be reported and learnt from, or even prevent actual or potential wrongdoing at a later stage if early intervention and learning occurs.
Organizations that genuinely seek to drive a growth mindset in their culture and employees would no doubt benefit from encouraging people to speak up if they see opportunities for the organization to learn that help avoid costly mistakes in the future. On a human level, I think a lot of people would find it easier to raise smaller issues that could lead to learning (for themselves or others) than having to speak up about bigger issues that may lead to others getting in trouble. There are likely missed opportunities when the helpline is only marketed as an intake for once wrongdoing has occurred – the opportunity to learn will come after, rather than instead of, the wrongdoing (and usually following an internal investigation that can be time consuming, a drain on resources and an uncomfortable experience for those involved).
Would an approach like this possibly change the number of reports your organization receives through the helpline and drive up your substantiation rates and other metrics? I would guess the answer for many organizations would be yes – and I think that would be a great thing if opportunities are highlighted, learning occurs and issues addressed early or avoided altogether.
Learning before wrongdoing is always better and less costly than learning after wrongdoing.
Jan 15, 2024
I like to restart my #SundayMorningComplianceTip series each year with a reminder about annual performance goals that employees (especially leaders, managers and supervisors) should consider adopting to help support their organization’s culture and commitment to leading with integrity. Here are five recommended (and slightly updated from 2023) performance goals and an explanation of why each of these goals matters.
Ethics and compliance colleagues, what other goals have you seen that you would recommend? If you are a business leader, what other goals have you included in your annual objectives that have made a similar impact on your leadership and organization?
Dec 11, 2023
In a news story that seems almost too bizarre to be true, a Paraguayan government official was forced to resign for signing a memorandum of understanding with the fictional nation of the United States of Kailasa (Kailasa was supposedly founded by a fugitive wanted in India). And this isn’t even the first time that a government has been duped into signing agreements with the fictional nation (apparently Newark signed, and later rescinded, a “sister-city agreement” earlier this year with Kailasa).
Simply because something sounds good on face value doesn’t mean it is actually good in reality – expectations and reality are often two different things, but you can minimize the risk by conducting due diligence and taking other appropriate steps. Due diligence involves understanding who you are dealing with, who is behind an entity and making sure that what they are offering is legitimate, legal and what they say it is – it is also a good way to avoid making an embarrassing error and being made to resign from your job. If a party makes it difficult to perform due diligence on them, then that should be a red flag and not a reason to avoid conducting due diligence.
Due diligence not only protects organization’s, but it can also help support better and more informed decision making, and might even help you avoid being told to resign for errors that could have been detected through due diligence.
Dec 4, 2023
Acting Assistant Attorney General Nicole M. Argentieri gave a speech on November 29, 2023 at the 40th International Conference. Her remarks covered a number of topics, including the DOJ’s achievements third year (including having a “banner year”), the DOJ’s ongoing focus on data analytics and the creation of a new International Corporate Anti-Bribery initiative to “build on our existing bilateral and multilateral partnerships, as well as form new partnerships.”
Here is a link to the speech – https://www.justice.gov/opa/speech/acting-assistant-attorney-general-nicole-m-argentieri-delivers-keynote-address-40th
Nov 20, 2023
As I sat at the traffic lights the other day after dropping my kids off at school, I watched as someone blew leaves off a lawn onto the road and sidewalk/pavement. While the person got the leaves off of their lawn, they didn’t take the time or effort to rake up and bag the leaves. It got me thinking about what I’ll call Leaf Blower Policies – policies that see value in only trying to move liability and responsibility from the organization to the individual, rather than adding value through guiding and helping employees.
Leaf Blower Policies are written from the perspective of “we should just write a policy to try move liability from the organization to the individual employee” – these are the type of policies that essentially restate the law or other external standard, use too many defined terms and technical terms/concepts, don’t tell people what they can actually do and remind people of the obvious (“violating this policy could result in disciplinary action, including, and up to, termination”). Leaf Blower Policies don’t help guide or engage employees – if your policies don’t help the people who can manage, mitigate or amplify a particular risk, then even the best written and highest standard policy that looks great on paper will be ineffective in practice. Leaf Blower Policies are quicker and easier to write (same way that blowing leaves into the sidewalk rather than bagging them up), but they don’t add value or help your employees who are the ones who can help manage risks.
If you want policies that will actually work, you need to design policies that have employees in mind as key stakeholders. Effective policies often take a lot of time because they require a lot of socialization, speaking with different people and looking at the topic from different perspectives. Effective policies are then subject to a learning and marketing campaign to help the written standards become the actual standards. Effective policies take more time and effort, but they are much more useful and valuable than Leaf Blower Policies.
Nov 13, 2023
While some information about your organization’s ethics and compliance program should only be shared with a limited audience due to the sensitivity of the information, other information about the program (such as new initiatives, high level data about helpline reports received and relevant headlines/stories, etc.) can be shared with a broad internal audience. Transparency is a good thing, so sharing appropriate and relevant information with people in your organization can help them understand what compliance is about and what’s going on at your organization.
So why limit the initial distribution of such information to a limited audience?
One thing that I have found to be effective is to share some information with leaders and managers, and then encourage them to share that information with their teams. Leaders and managers need to be actively engaged and seen to be supportive of the compliance program, and they can do so and make an impact when they endorse and communicate messages about the compliance program. Messages are impactful not only because of the wording of the message, but who shares the message and who they share it with. Sharing compliance messages with leaders and managers, and then asking them to further cascade the message is a good way to get them engaged. You can then check if people a few levels below leaders and managers have received the information – this will give you a good sense of which leaders and managers are helping to flow information and where are some potential communication blocks in your organization.
Does your organization know where and why communication lines involving leaders and managers are blocked? What you can do to help increase the flow of suitable information through leaders and managers?
Nov 6, 2023
What if instead of asking employees to certify that they have read and understood your Code of Conduct (or any other policies that your organization has), we ask leaders and managers to certify that they have (1) regularly talked with their teams about the Code and it’s values, (2) made the Code content a regular part of the employee experience, (3) held themselves and their teams accountable and to those standards, and (4) made sure that employees know what they reasonably need to know for their role?
The typical employee annual certifications that are often used assume that the only way employees can know about the organizational policies/values is if each employees reads all policies in their entirety. If that is the case, chances are not enough is being done to bring your organization’s Code, other policies or organizational values to life in employee experiences and leader/manager lead coaching.
Oct 23, 2023
On a recent weekend trip for the school Fall break, we saw this sign with a list of rules at a playground at the hotel we stayed at. As the photograph shows, the text has faded over time – likely due to the summer sun and other elements that the sign is exposed to by the ocean. It got me thinking that written standards, both in playgrounds and organizations, can fade over time.
Written/stated standards in the workplace are likely to fade faster when (a) behaviors inconsistent with the standards go unaddressed, (b) the standards are difficult to find, not understandable, relevant or clear, and not regularly or timely communicated to the right people in the right situation, and (c) standards are not consistently applied and enforced. Written standards don’t immediately disappear; they often fade over time, and especially so when the standards in reality are at odds with the written standards.
While standards can fade, they don’t need to. Written/stated standards can be protected from fading through (a) regular discussion and clear communication of standards to the right people at the right time, (b) ensuring that the actual standards and what is tolerated and incentivized are aligned with the written standards, and (c) regularly assessing if the written/stated standards still work in practice, make sense, need reinforced or to be updated.
People connect with people more than they connect with policies – the best way to ensure that standards don’t fade is for employees to see and experience the standards as they are intended.
Oct 16, 2023
Leaders and managers have the potential to make a positive impact on employees, organizaitonal culture and reinforce standards when they regularly talk about and demonstrate the importance of ethics and compliance. Despite having the potential to make such an impact, some leaders and managers may worry about their ability to properly communicate compliance messages and if it would be better for the Compliance team to deliver all compliance messages instead. How do you help leaders and managers get comfortable using their voice to talk about ethics and compliance?
Here are three tips to get leaders and managers comfortable with talking about compliance.
1. Provide a Compliance Tip Of The Month: a simple yet effective strategy that can help leaders and managers have at least a monthly conversation with their teams on compliance is to provide them with a Compliance Tip Of The Month. Keep the tips simple and provide for flexibility that allows managers to adapt the message to make it relevant and resonate with their target audience. A simple tip that requires a time commitment of 1-3 minutes per month is realistic and still impactful.
2. The Message Needs To Be Impactful, Not Perfect: While the Compliance team might be able to speak with more subject matter expertise on a topic, often the impact of a message is due to who is communicating the message and who they are communicating it to. It is much more impactful for employees to hear from their leaders and managers on compliance rather than simply always the Compliance team. Perfection is not important – a good message from the right person is what matters.
3. Find A Forum That Works: Perhaps a leader or manager does not want to use their “all hands” meetings to talk about compliance, but they can also use 1-1 meetings, meetings with new hires, and informal conversations to use their voice and make an impact. Talking about compliance does not need to be a big formal event – often it is better when the message is naturally worked into conversations.
What other tips or advice do you have to help leaders and managers talk about compliance?
Oct 9, 2023
A 2021 Gallup study found that U.S. adults are reading fewer books than previous years. The decline is across the board for adults, including adults of different ages and genders. Despite this decline, it seems that organizational policies have both increased in number and, in many instances, length too.
If humans are reading fewer and fewer books, we should not expect that these same humans are going to read lengthy workplace policies (especially when those policies are badly written, not helpful and contain technical language that confuses and bamboozles rather than guides). The habits of humans are (and have been for some time) changing and organizational approaches to areas such as ethics and compliance (and many other areas) need to keep up.
Long written policies are going to be less read and less effective as time goes on. Shorter policies that are designed to be useful for humans, use of other media formats to communicate expectations and standards, continued engagement of leaders and managers to bring alive standards and values through conversations and genuine acts, and more efforts such as compliance related incentives are needed.
(Of course, if you are still one of those humans who reads books, I would, of course, recommend Ethics and Compliance For Humans – a.co/d/3GmHpni).
Oct 2, 2023
Bribery is often discussed in the context of the far reaching U.S. Foreign Corrupt Practices Act (or FCPA for short) – while bribery is more prevalent in some countries than others, no country is free from the problem. The allegations and charges this past week relating to a U.S. Senator (as well as other people) highlight that corruption exists everywhere, including here within the United States.
The charges also highlight the many forms that bribery can take, including (as highlighted in the DOJ press release) “gold, cash, a luxury convertible, payments toward… [someone’s] home mortgage, compensation for a low-or-no-show job…, home furnishings, and other things of value.”
While the U.S. is generally a lower risk country for bribery, it is by no means risk free (and ranked as the 24th country on the 2022 Corruption Perceptions Index). Corruption exists everywhere and the efforts to combat corruption (and the devastating impacts it can have on people) must exist everywhere too.
Sep 25, 2023
Most ethics and compliance headlines tend to focus on the people who committed the wrongdoing and their acts, as well as focusing on the consequences they suffered (fines, penalties and/or firing of individuals). The story these headlines tell puts the wrongdoers and their wrongdoing as the subject. That’s often understandable – people should be held accountable for wrongdoing and such reporting is intended to help deter others from engaging in similar behavior.
Even when other humans are the focus of headlines (such as headlines about whistleblower pay outs), such headlines don’t highlight or capture how those individuals likely suffered for years (financially, emotionally and professionally, including that their careers may be over due to what is known as blacklisting). Instead, those headlines can make whistleblowing look like winning the lottery.
What do headlines need to do? Headlines need to see and tell the human stories of the people who are harmed by wrongdoing and the human impact that wrongdoing causes to people and communities.
Take bribery as an example – bribery is not simply a violation of law; oftentimes, bribery can cause significant and lasting harm to individuals and their communities. One example (covered in more detail in chapter 4 of Ethics & Compliance For Humans) is how bribes were paid to government officials in Uganda to have children who were not actually orphans documented as orphans so that they could be placed for international adoption.
The bad actors and bad actions should be made public, but the human stories of those who are impacted by such wrongdoing also matter and need to be recognized. We need to see the humans that ethics and compliance are meant to protect.
Sep 18, 2023
On a recent flight this past week, I was perhaps one of only a few people who appeared to pay any attention to the safety training provided by the airline crew before the plane left the gate – everyone else appeared to be heads down looking at their phones and using headphones. (Even if you have heard the safety briefing a million times, we can show some support and politeness for our fellow human beings by looking up from our phones for a minute or two).
For the airline, they can report that 100% of the passengers on the flight were provided with the required training. Reporting on that is metric is not wrong, but it also doesn’t tell the whole story. Metrics can help measure what matters, but they can also mask reality too – in this instance, only ~10% of people paid any attention to the training provided.
When the focus is on “training” rather than “learning,” organizations can measure and report 100% training rates that do not address whether or not the training had any impact or was even paid any attention to. Training focuses on the input and from the perspective of the person providing the training – “was the training provided?”; whereas learning focuses on the outcome from the learner’s perspective – “did the target audience learn anything and what did they learn?” It is a switch from intent to impact – and this matters (even if it is hard to quantify as nicely and easily as training percentages).
Sep 11, 2023
I often hear of people, usually with good intentions, trying to attach their organization’s Code of Conduct to contracts with third parties as a way of trying to reduce compliance risks. I’m not a fan of this practice and this #SundayMorningComplianceTip explains why.
Your organization’s Code of Conduct is designed for your organization and employees. While it might have some sections that address the parties you work with and how to interact with them, the primary audience for your Code is internal to your organization. You are not doing much from a practical standpoint by simply attaching your Code of Conduct as an exhibit to a contract and expecting the other party and their employees to comply with it.
Will anyone from the other side read your Code of Conduct? Probably not – and even if someone from the other side does read your Code, they might only be involved in the contract review stage and not involved in the performance of the contract. Is attaching a Supplier Code of Conduct better? It is slightly better since it at least attempts to target the audience more, but even then the Supplier Code might be very broad and not address specific risks or situations.
Rather than adding your Code of Conduct as an unread exhibit, think about what ethics and compliance risks the relationship could present (including based on due diligence findings), and then craft and talk through the relevant provisions for a written contract that address those risks. And if you have audit rights in a contract, use them – there is no point in spending a whole bunch of time negotiating audit provisions and then never actually using them. If you use a contract management system, you can often leverage those systems to provide reminders about following up on relevant contract provisions to ensure they are being complied with.
Third parties can and do present compliance risks and those risks need to be managed. However, you need to be smart at how you address those risks and not simply throw in your organization’s Code of Conduct as a contract exhibit and think that’s going to add value or mitigate risk.
Sep 4, 2023
In 69 BC, a messenger returned from the battlefront to tell Tigranes the Great that Lucullus and his Roman army were approaching (this became the Battle of Tigranocerta).
Tigranes was apparently so angered by the news that he ordered the messenger to be decapitated – not surprisingly, no further news was sent from the battlefront. Lucullus and his army prevailed, and Tigranes lost and fled to the mountains.
Retaliation and silencing of whistleblowers has existed for millennia, but so too have the lessons that silencing and retaliating against whistleblowers is a bad strategy that is likely to backfire. Tigranes not only retaliated against someone for sharing unwelcome news, but he did himself no favors in sending a chilling effect to the rest of his troops that bad news would be punished.
Aug 21, 2023
I often get asked by people how many compliance reports should an organization hope to have (the answer is not whatever average number of reports per 100 employees a benchmark report cites).
Often – and understandably – people might expect that having no ethics helpline reports (or reports raised through any other channel) is a good thing.
No reports means no problems, right? Not quite.
Ideally (and unrealistically), there would be no reports because no issues are occurring that need to be reported. you can either call that utopia or delusional.
The reality is that issues exist in every single organization and it is better that issues are raised (and ideally as early as possible).
People speaking up is a good thing and often a sign of a healthy culture. The problem is when issues are occurring and not being reported. imagine if no one went to their doctor with the cold or flu in winter – that would not be a sign that people are not getting sick; it would likely be a worrying sign that people are getting sick and are not getting help, and likely that untreated illness will spread to others.
If issues are being raised in an organization, it should not be a cause for panic. It provides an opportunity for the organization to understand what is going on and address any issues.
So, how many compliance reports should your organization realistically want to have?
If all issues are being raised early, out of care and openly with an organization, then that is the desired number of reports at that moment in time. issues underlying the reports are the problem, not the reports themselves. Reports are simply an opportunity to address actual or potential issues.
No reports is a much bigger worry than having reports.
Aug 21, 2023
Internal investigations can be challenging for many people and asking someone to be interviewed in any language that is not their preferred language can make the situation even more stressful for the individual and increase the risk of a misunderstanding. Ideally, the interviewer will be able to interview the interviewee in the interviewee’s preferred language, but sometimes you might need to bring in a translator to help with the communication. While translators can be very useful and support conversations that might not otherwise be able to take place, you also need to think about some of the potential risks and downsides involved in using a translator during an interview:
1. “Basically, what they said was…”:
I recall a conversation from my travels many years ago where someone spoke to my translator in an animated matter for several minutes. After watching and listening to (but not understanding) the conversation, the translator turned to me and said “basically, what they said was…” and provided a 20 second summary of the last few minutes of dialogue. If someone speaks for several minutes yet the translator only conveys to you a summary of what was said, you are likely missing important information, including how they person communicated what they said. Interviews are a mix of facts, emotions and perceptions and brief translated summaries can mean a lot of that information is lost.
2. It can make an already uncomfortable conversation even more uncomfortable:
Sometimes (and understandably) interviews can be emotionally difficult and uncomfortable for the interviewee, and the investigators should do what they reasonably can to minimize the level of discomfort. If someone is being asked to recount a painful or awkward situation, it can become even more uncomfortable if there are too many people involved in the conversation, the conversation takes twice as long because of the translation, and then they also might not understand what the translator is telling you and if the translator truly heard and reflected what they said accurately. You need to carefully think about what the impact of a translator will be on the conversation and the people involved in the conversation – the presence of the translator should be to support communication and not cause a level of discomfort that will impact or limit the conversation.
3. Building rapport:
Most investigators will try to build some rapport with the person they are interviewing, as doing so can build trust and support open dialogue. Building rapport can be more challenging in situations when you have a translator involved, as it causes a delay in the communication and you also cannot benefit from the non-verbal communications that often accompany the verbal communication. This is why it matters to not simply have any translator involved, but someone who will be able and effective to help build communication and dialogue between the interviewers and the interviewee.
There are many incredibly talented and experienced translators out there who can help address these risks – strategically engaging those people in the right situations is what will lead to effective communications across languages during investigations.
Aug 14, 2023
Last Saturday, my kids finally finished watching the live action Aladdin movie. While there are a decent number of compliance messages in the movie, the one that sticks out to me is that some fairly basic due diligence would have revealed that “Prince Ali” was not who he presented himself to be. While Jafar was a rather crazy villain, he seems to be the only character in the movie who grasps the importance of conducting due diligence and background checks. People and risks can hide behind entities, and conducting due diligence and background checks on third parties can help ensure you know who you are actually dealing with and doing business with.
Does a third party appear to be overly impressive, makes outlandish claims and boasts an incredible background that cannot be verified? Chances are you are not dealing with who they say they are, and you can confirm that with some basic due diligence.
Aug 7, 2023
There is understandably a lot of discussion about the benefits and risks of AI, and what its impact will be on humans, society and humanity as a whole. Technology and AI are certainly going to be part of ethics and compliance programs going forward, and I view it more as “how to do we use effectively” rather than “should we use this.”
Sociologist, Dr. Sherry Turkle is, has made a number of comments on technology that really resonate with me and I view as relevant to how compliance programs will approach AI, including “I am not anti-technology, I am pro-conversation” and “I am less concerned about computers becoming human and more concerned about humans becoming like computers.”
Chatbots, AI and other technology have their place and use, but so does human to human conversation and interaction. Artificial and emotional intelligence are both needed to support today’s employees – I don’t think you can have one without the other. Technology such as Global Entry is great because I can skip the lines at immigration and don’t feel a need to speak with a person as part of the process, but there are other times when human needs are better served by connecting with another person.
How are other people introducing artificial intelligence into their programs while balancing this with emotional intelligence and maintaining a human focused approach?
July 17, 2023
The early morning hours of summer are the perfect time of day for me to walk around the small park by our house here in Nashville. It is a great way to start the day and enjoy the outdoors so close to home as the sun rises and before the summer temperatures get too high.
The park has a short path that goes around and through the park. I like to mix up which direction I walk if I have time to do more than one loop of the park. What I find interesting is that what feels like a gentle and barely noticeable slope in one direction can feel like an uphill effort when travelled from the opposite direction. Perspective matters and changes how we experience the same thing.
Perspective also matters when it comes to ethics and compliance. We, in ethics and compliance, might introduce what seems from our perspective to be simple and barely noticeable requirements (such as policies, controls or procedures) that will make our jobs easier and improve the ethics and compliance program. We are at the top of the hill (especially if we are in the headquarters) – from our perspective, the requirement involves little effort and is not a burden. Our colleagues in other parts of the organization might be looking at the same requirement or change we have introduced, but they see the uphill effort it will require of them. At other times, our colleagues in other parts of the organization might think that rolling out a new learning program, writing a new policy or running a program require little effort. From their perspective, they might not see the uphill challenges that we face in designing, building, running and testing our programs, or understand why we feel additional resources and support are needed.
Perspectives impact the way we see and experience things. When rolling out new initiatives or changes to our ethics and compliance programs, we have to make sure that we think about the perspective of others and where those different perspectives are on the metaphorical hill. Having good relationships with people across the organization can help, as can rotating people from compliance into other parts of the organization and finding ways to engage people in other parts of the organization to see and experience elements of the compliance program.
Challenging, and perhaps changing, our perspectives does not mean that the hills are less steep or challenging, but it can help us see why easy or hard things from one perspective can be seen and experienced very differently from another.
July 03, 2023
I was recently looking at the ethics helpline intake process of another organization. The intake process included the following two sentences:
“You are protected from retaliation if you report in good faith to the best of your knowledge. At the same time, malicious reports are prohibited and may lead to legal consequences.”
Perhaps the organization has had a number of problems involving malicious reports and feels the second sentence is necessary, but I can’t help but wonder what the impact of such a message is on someone who is raising a valid concern in good faith and already worried about what the process will be like and how they will be treated. Such a message is likely to cause people to question whether speaking up is worth the risk or think they are safer speaking up anonymously – neither outcome is beneficial for the individual, the organization or the organizational culture.
Properly conducted and timely investigations can reveal when matters are raised without any real or good faith basis, but I don’t think most organizations have a problem of malicious reports – the bigger and more common problems relate to underreporting, nothing being done once an issue has been raised and the treatment of people who do speak up (they are treated badly and/or they experience other negative consequences).
Rather than making people think the organization will sue them for speaking up, organizations can, and should, recognize that people who speak up are people who care and aim to make the process less painful.
June 26, 2023
Obi-Wan Kenobi was able to detect “a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were suddenly silenced” and could tell “something terrible has happened” even though he was physically far from where the event occurred (when the planet Alderaan was destroyed by the Death Star). Not only do we not have light sabers, but ethics and compliance officers have also not yet figured out a way to use the Force to detect risks and wrongdoing. Check out this week’s #SundayMorningComplianceTip for a Star Wars inspired tip about how data analytics can help and let me know what you think.
June 19, 2023
I have heard several ethics and compliance professionals over the years talk about something that their CEO told them was their job, but is something I think is definitely not the responsibility of the ethics and compliance officer.
June 12, 2023
Ted Lasso has many lessons of integrity, culture and leadership (as well as being an overall great and enjoyable show). The focus is often on Ted and how he is such a great leader while also showing his human flaws too (because great leaders are real people and not the perfectly polished version many would like to project).
Nate, on the other hand, is not someone who is often talked about in favorable terms. For anyone who has seen the show, you know about Nate’s rapid rise from low confidence kit caretaker, to Richmond coach and then to being portrayed as the fairly arrogant manager of West Ham – as well as his greying hair that apparently signaled his turning to the dark side followed by his fall from grace as he left Richmond.
But what if Nate’s story was seen from a different perspective? Perhaps Nate’s graying hair was less about him turning to the dark side and more a physical response to the stress and pressure he was under (including that he was being promoted too quickly and pushed too far beyond his abilities). If someone looks so physically or mentally stressed that their hair is literally turning grey overnight, maybe ask how that person is, look into the organizational culture and understand what pressure people are experiencing. A professional sports team is a high pressure environment, and Nate had been vocal that he felt discarded by Ted and that his efforts had not been recognized – there were signals that all was not well for Richmond FC’s backroom staff.
Don’t get me wrong – Nate could and should have handled many situations better and he was not very nice at times. However, portraying Nate as the villain rather than an employee who felt such a level of pressure that it impacted him physically and also his thinking and actions is not accurate or productive. Simply blaming Nate might seem (but definitely is not) beneficial to the organization in the short term, but doing so ignores the many other contributing factors at play and such an approach will only lead to bigger problems for employees and the organization in the future. Fixing organizational problems and changing the workplace culture can take time and effort, but is something that organizations need to do to help prevent other employees going down the same path as Nate.
June 5, 2023
One of the things I often notice when I visit Japan is that most people will wait patiently at cross walks even if there is no traffic coming. While there are similar controls and standards to other places (traffic lights, pedestrian crossings and penalties for jaywalking, etc.), a key difference is culture and how people – both individually and collectively – interact with those standards and controls.
Standards and controls are (of course) important to compliance, but culture is what will “make or break” standards and controls and determine whether or not (and how) they will work in practice. You can develop as many well intentioned and well thought standards and controls as you want, but they not be effective in practice if the culture of an organization is not properly considered when building and designing any standards and controls. As important as standards and controls are, the U.S. Department of Justice’s Lisa Monaco summed it up well in September 2022 when she said “As everyone here knows, it all comes back to corporate culture.”
May 29, 2023
I took this picture at Nashville airport on a recent work trip. One of two possible things has happened:
1. Nashville airport is now transporting students to Hogwarts and this is a platform 9 3/4 situation. This is not a wall, but a portal to get you to the gate that will take you to Hogwarts*; or
2. There used to be a one way walkway here, but it was recently walled over. The sign used to serve a good purpose, but now no longer provides value (other than content for my #SundayMorningComplianceTip) and could cause people to question if other standards and policies are outdated and need to be followed or not.
This situation reminded me of two basic – but often overlooked – points when it comes to standards and controls:
1. Policies should supplement common sense; not replace it. If a wall literally blocks someone from entering an area, a policy telling them not to enter is not needed – the wall is sufficient for common sense to determine that this is not an access area.
2. When your operations, risks or vulnerability to risk change, make sure to adapt and update your policies and standards (including determining if the policies or standards are even needed any more).
*(Sorry Harry Potter fans – I’ve walked down that walkway before it was walled over, but don’t let that stop you from visiting Nashville to check for yourselves and see our incredible revamped airport)
June 22, 2023
Can you write a policy that says employees are banned from using ChatGPT and other similar technology in the course of their work? Yes.
Will all employees comply with such a policy? Short answer: probably not.
Longer answer: (here is part of the response from ChatGPT when I asked “Will employees comply with a policy that bans ChatGPT?”)
“Ultimately, the success of implementing a policy banning ChatGPT or any other tool depends on a combination of effective communication, support, enforcement, and the specific dynamics within the organization. It’s important to consider these factors when implementing and assessing the compliance of such policies.”
It’s a pretty good answer from ChatGPT.
Writing a policy is not that hard; but writing a policy that will actually work in practice and be followed and enforced takes time, effort and socialization with various stakeholders, including those who will be impacted by the policy. Policies need to be accompanied by effective communication, support from employees and leadership, enforceable and enforced in practice, and thoughtfully tailored for the dynamics within your organization. Organizations need to carefully think about whether and how they want their employees to use new technology (especially to protect confidential and other sensitive information), but an outright policy ban without more will not automatically result in employees not using it.
Search the site
This column turns to law schools, proposing concrete ways to support students interested in compliance and ethics roles.
It might sound strange to others. It might sound odd. It might even sound really weird. But there’s like an internal alarm going off inside my head. I know. I
Is there a connection between professional ethics and company codes of conduct? I was doing work with the Working Group in the development of their “Good Practice Guidance” relating to
What does the future hold for the field of compliance and for compliance professionals everywhere? Here are a few ideas that might sound good.
1. Compliance people are in high