The Corporate Ethics Committee: Doing the Right Thing

Recent government guidelines spell out serious consequences if your company spots a risk and does nothing. But does that mean you should go looking for trouble? Yes.

March 01, 2005 — CSO — I recently found myself reviewing the revised corporate sentencing guidelines in preparation for a meeting of our corporate ethics committee. This latest framework, which went into effect Nov. 1, 2004, has two important functions: It spells out the kinds of ethics policies corporate officers should establish and enforce, and it guides judges when they weigh penalties and mitigating factors they may consider in cases of corporate wrongdoing. The bottom line: These guidelines show the ethics buck stops at the top, including our desks.

"Directors and executives now must take an active leadership role for the content and operation of compliance and ethics programs," the U.S. Sentencing Commission's statement reads in part. "Companies that seek reduced criminal fines now must demonstrate that they have identified areas of risk where criminal violations may occur, trained high-level officials as well as employees in relevant legal standards and obligations, and given their compliance officers sufficient authority and resources to carry out their responsibilities."

The commission notably adds: "If companies hope to mitigate criminal fines and penalties, they must also promote an organizational culture that encourages a commitment to compliance with the law and ethical conduct by exercising due diligence in meeting the criteria."

I work for a global financial institution that has a tradition of "doing the right thing" as a core value of our corporate culture. As the CSO, this ethical way of life and the accompanying expectations have been an incredible asset to my group's ability to add value. Like the broken window theory that has guided crime reduction efforts in so many cities, we deal with even minor policy violationsregardless of the perpetrator's statuslest ignoring them would invite more serious transgressions. Security doesn't need to push its way into investigations of wrongdoing; we are routinely invited in by legal counsel, HR, internal audit and line-of-business managers. We are valued as business partners, not as corporate cops. It's a joy to be the CSO here.Our Ethics Are Healthy, But...Having said that, we are cognizant of the ever-changing risk environment in which we conduct our global operations. We know our safeguards aren't bulletproof. The cost of implementing those safeguards must be balanced against the likelihood of events. Our company has more than 50,000 employees. Experience has shown that people don't always do the right thing. We have an obligation to protect our clients' and shareholders' trust.

Sometimes I think about the pluses of our ethically grounded environment, and I can't help wondering: What if my career had taken me to the failed Bank of New England, or the once-mighty Enron, or other targets of criminal investigation and reputational meltdown? I've often wondered what signs my colleagues at these organizations might have seen, then escalated to top management and been told not to worry. What must it be like to be a CSO in a company whose senior management is up to their eyeballs in fraud and cover-ups? How would I act? What would I do? We've seen the aftermath for the auditors at these places. Would there even be a security, ethics or compliance organization at a company where pervasive wrongdoing was accepted practice?