Adam Balfour Ethics and Compliance for Humans

E&C4H wide avail
Adam Balfour Compliance for Humans page header

Adam D.J. Balfour is on a mission to help make ethics and compliance more relatable and relevant for his fellow human beings. He likes to design ethics and compliance programs that employees can actually relate to, engage with and find useful. Adam currently works in Nashville, Tennessee, as Vice President and General Counsel for Corporate Compliance and the Vice President for Global Management Risks for Bridgestone Americas, and also chairs Bridgestone’s global compliance group meetings. He has written several articles on ethics and compliance and enjoys speaking at conferences and other events. He previously worked for Kirkland & Ellis LLP and Paul, Weiss, Rifkind, Wharton & Garrison LLP in New York. He is a graduate of the University of Dundee, Scotland and Harvard Law School and is CCEP certified.


2024 Annual Performance Goals Relating To Ethics & Compliance

I like to restart my hashtagSundayMorningComplianceTip series each year with a reminder about annual performance goals that employees (especially leaders, managers and supervisors) should consider adopting to help support their organization’s culture and commitment to leading with integrity. Here are five recommended (and slightly updated from 2023) performance goals and an explanation of why each of these goals matters.

Ethics and compliance colleagues, what other goals have you seen that you would recommend? If you are a business leader, what other goals have you included in your annual objectives that have made a similar impact on your leadership and organization?


I usually only post one SundayMorningComplianceTip a week, but with the holidays coming up (and my plans to take the last two weeks of the year off from LinkedIn), I thought I would share a second (and more light hearted) post for today.


Can Due Diligence Help You Keep Your Job?

In a news story that seems almost too bizarre to be true, a Paraguayan government official was forced to resign for signing a memorandum of understanding with the fictional nation of the United States of Kailasa (Kailasa was supposedly founded by a fugitive wanted in India). And this isn’t even the first time that a government has been duped into signing agreements with the fictional nation (apparently Newark signed, and later rescinded, a “sister-city agreement” earlier this year with Kailasa).

Simply because something sounds good on face value doesn’t mean it is actually good in reality – expectations and reality are often two different things, but you can minimize the risk by conducting due diligence and taking other appropriate steps. Due diligence involves understanding who you are dealing with, who is behind an entity and making sure that what they are offering is legitimate, legal and what they say it is – it is also a good way to avoid making an embarrassing error and being made to resign from your job. If a party makes it difficult to perform due diligence on them, then that should be a red flag and not a reason to avoid conducting due diligence.

Due diligence not only protects organization’s, but it can also help support better and more informed decision making, and might even help you avoid being told to resign for errors that could have been detected through due diligence.


Can We Afford Not To Learn From This?

The title of my SundayMorningComplianceTip post is from a point that I learned from Matthew Syed’s book, “Black Box Thinking.” Mistakes, errors and wrongdoing are common occurrences with human beings – while we are not likely to learn from all our mistakes and shortcomings, there are some where we really cannot afford not to learn from them. Those are the mistakes or shortcomings that require a commitment of time, energy and resources to understand what happened and what are the learnings, and to then apply the lessons learned to help avoid the same issue or wrongdoing occurring again in the future – failing to do so will be too costly to an organization and its people (perhaps financially, but can also be costly to organizational culture, values and governance).

There has been a lot of talk, media and LinkedIn posts about OpenAI’s board firing Sam Altman because he was apparently “not consistently candid in his communications.” Like everyone else, I have no idea what has really happened or what will happen with that matter. If wrongdoing has taken place, the firing of a CEO by the Board looks like decisive action and “tone from the top” – but you have to also ask what else the organization needs to do (and communicate) to ensure that the organization and its employees are learning from what happened, including lessons for those employees who might have been influenced by, and mirrored, the behavior of the former leader(s).

It might seem less painful and more forward looking to not dwell on the past and quickly move on once an issue or wrongdoing has occurred, but that is often short sighted thinking. The removal of an individual or two might not be enough to bring any needed change, and organizations owe it to their employees, their stakeholders and their values and governance to take the time to really learn from those matters that they cannot afford not to learn from.


Leaf Blower Policies

As I sat at the traffic lights the other day after dropping my kids off at school, I watched as someone blew leaves off a lawn onto the road and sidewalk/pavement. While the person got the leaves off of their lawn, they didn’t take the time or effort to rake up and bag the leaves. It got me thinking about what I’ll call Leaf Blower Policies – policies that see value in only trying to move liability and responsibility from the organization to the individual, rather than adding value through guiding and helping employees.

Leaf Blower Policies are written from the perspective of “we should just write a policy to try move liability from the organization to the individual employee” – these are the type of policies that essentially restate the law or other external standard, use too many defined terms and technical terms/concepts, don’t tell people what they can actually do and remind people of the obvious (“violating this policy could result in disciplinary action, including, and up to, termination”). Leaf Blower Policies don’t help guide or engage employees – if your policies don’t help the people who can manage, mitigate or amplify a particular risk, then even the best written and highest standard policy that looks great on paper will be ineffective in practice. Leaf Blower Policies are quicker and easier to write (same way that blowing leaves into the sidewalk rather than bagging them up), but they don’t add value or help your employees who are the ones who can help manage risks.

If you want policies that will actually work, you need to design policies that have employees in mind as key stakeholders. Effective policies often take a lot of time because they require a lot of socialization, speaking with different people and looking at the topic from different perspectives. Effective policies are then subject to a learning and marketing campaign to help the written standards become the actual standards. Effective policies take more time and effort, but they are much more useful and valuable than Leaf Blower Policies.


Compliance Communications – Sharing Messages Suitable For A Broad Audience With An Intentionally Limited Audience

While some information about your organization’s ethics and compliance program should only be shared with a limited audience due to the sensitivity of the information, other information about the program (such as new initiatives, high level data about helpline reports received and relevant headlines/stories, etc.) can be shared with a broad internal audience. Transparency is a good thing, so sharing appropriate and relevant information with people in your organization can help them understand what compliance is about and what’s going on at your organization.

So why limit the initial distribution of such information to a limited audience?

One thing that I have found to be effective is to share some information with leaders and managers, and then encourage them to share that information with their teams. Leaders and managers need to be actively engaged and seen to be supportive of the compliance program, and they can do so and make an impact when they endorse and communicate messages about the compliance program. Messages are impactful not only because of the wording of the message, but who shares the message and who they share it with. Sharing compliance messages with leaders and managers, and then asking them to further cascade the message is a good way to get them engaged. You can then check if people a few levels below leaders and managers have received the information – this will give you a good sense of which leaders and managers are helping to flow information and where are some potential communication blocks in your organization.

Does your organization know where and why communication lines involving leaders and managers are blocked? What you can do to help increase the flow of suitable information through leaders and managers?

The typical employee annual certifications that are often used assume that the only way employees can know about the organizational policies/values is if each employees reads all policies in their entirety. If that is the case, chances are not enough is being done to bring your organization’s Code, other policies or organizational values to life in employee experiences and leader/manager lead coaching.


Is It Time To Re-Think Annual Code of Conduct Certifications?

What if instead of asking employees to certify that they have read and understood your Code of Conduct (or any other policies that your organization has), we ask leaders and managers to certify that they have (1) regularly talked with their teams about the Code and its values, (2) made the Code content a regular part of the employee experience, (3) held themselves and their teams accountable and to those standards, and (4) made sure that employees know what they reasonably need to know for their role?

The typical employee annual certifications that are often used assume that the only way employees can know about the organizational policies/values is if each employees reads all policies in their entirety. If that is the case, chances are not enough is being done to bring your organization’s Code, other policies or organizational values to life in employee experiences and leader/manager lead coaching.


Standards Fade Over Time

On a recent weekend trip for the school Fall break, we saw this sign with a list of rules at a playground at the hotel we stayed at. As the photograph shows, the text has faded over time – likely due to the summer sun and other elements that the sign is exposed to by the ocean. It got me thinking that written standards, both in playgrounds and organizations, can fade over time.

Written/stated standards in the workplace are likely to fade faster when (a) behaviors inconsistent with the standards go unaddressed, (b) the standards are difficult to find, not understandable, relevant or clear, and not regularly or timely communicated to the right people in the right situation, and (c) standards are not consistently applied and enforced. Written standards don’t immediately disappear; they often fade over time, and especially so when the standards in reality are at odds with the written standards.

While standards can fade, they don’t need to. Written/stated standards can be protected from fading through (a) regular discussion and clear communication of standards to the right people at the right time, (b) ensuring that the actual standards and what is tolerated and incentivized are aligned with the written standards, and (c) regularly assessing if the written/stated standards still work in practice, make sense, need reinforced or to be updated.

People connect with people more than they connect with policies – the best way to ensure that standards don’t fade is for employees to see and experience the standards as they are intended.


“What If I Mess Up The Message Or Get It Wrong?” – 3 Tips To Help Leaders And Managers Get Comfortable Talking About Compliance

Here is my latest SundayMorningComplianceTip with 3 Tips To Help Leaders And Managers Get Comfortable Talking About Compliance. My SundayMorningComplianceTip will take a brief pause next week as I prioritize family time for fall break, and will return the following week.

What do you think about this week’s tip? What other tips or advice do you have to help support leaders and managers get comfortable talking about compliance?


Bribery Is Not Just A “Foreign” Problem

Bribery is often discussed in the context of the far reaching U.S. Foreign Corrupt Practices Act (or FCPA for short) – while bribery is more prevalent in some countries than others, no country is free from the problem. The allegations and charges this past week relating to a U.S. Senator (as well as other people) highlight that corruption exists everywhere, including here within the United States.

The charges also highlight the many forms that bribery can take, including (as highlighted in the DOJ press release) “gold, cash, a luxury convertible, payments toward… [someone’s] home mortgage, compensation for a low-or-no-show job…, home furnishings, and other things of value.”

While the U.S. is generally a lower risk country for bribery, it is by no means risk free (and ranked as the 24th country on the 2022 Corruption Perceptions Index). Corruption exists everywhere and the efforts to combat corruption (and the devastating impacts it can have on people) must exist everywhere too.


Typical Compliance Headline – “Bad Person/Organization Did Bad Act And Now Faces Bad Consequences”

Most ethics and compliance headlines tend to focus on the people who committed the wrongdoing and their acts, as well as focusing on the consequences they suffered (fines, penalties and/or firing of individuals). The story these headlines tell puts the wrongdoers and their wrongdoing as the subject. That’s often understandable – people should be held accountable for wrongdoing and such reporting is intended to help deter others from engaging in similar behavior.

Even when other humans are the focus of headlines (such as headlines about whistleblower pay outs), such headlines don’t highlight or capture how those individuals likely suffered for years (financially, emotionally and professionally, including that their careers may be over due to what is known as blacklisting). Instead, those headlines can make whistleblowing look like winning the lottery.

What do headlines need to do? Headlines need to see and tell the human stories of the people who are harmed by wrongdoing and the human impact that wrongdoing causes to people and communities.

Take bribery as an example – bribery is not simply a violation of law; oftentimes, bribery can cause significant and lasting harm to individuals and their communities. One example (covered in more detail in chapter 4 of Ethics & Compliance For Humans) is how bribes were paid to government officials in Uganda to have children who were not actually orphans documented as orphans so that they could be placed for international adoption.

The bad actors and bad actions should be made public, but the human stories of those who are impacted by such wrongdoing also matter and need to be recognized. We need to see the humans that ethics and compliance are meant to protect.


Training Versus Learning

On a recent flight this past week, I was perhaps one of only a few people who appeared to pay any attention to the safety training provided by the airline crew before the plane left the gate – everyone else appeared to be heads down looking at their phones and using headphones. (Even if you have heard the safety briefing a million times, we can show some support and politeness for our fellow human beings by looking up from our phones for a minute or two).

For the airline, they can report that 100% of the passengers on the flight were provided with the required training. Reporting on that is metric is not wrong, but it also doesn’t tell the whole story. Metrics can help measure what matters, but they can also mask reality too – in this instance, only ~10% of people paid any attention to the training provided.

When the focus is on “training” rather than “learning,” organizations can measure and report 100% training rates that do not address whether or not the training had any impact or was even paid any attention to. Training focuses on the input and from the perspective of the person providing the training – “was the training provided?”; whereas learning focuses on the outcome from the learner’s perspective – “did the target audience learn anything and what did they learn?” It is a switch from intent to impact – and this matters (even if it is hard to quantify as nicely and easily as training percentages).


There Are Better Ways To Manage Risks Than Attaching Your Organization’s Code Of Conduct To Your Contracts With Third Parties

I often hear of people, usually with good intentions, trying to attach their organization’s Code of Conduct to contracts with third parties as a way of trying to reduce compliance risks. I’m not a fan of this practice and this #SundayMorningComplianceTip explains why.

Your organization’s Code of Conduct is designed for your organization and employees. While it might have some sections that address the parties you work with and how to interact with them, the primary audience for your Code is internal to your organization. You are not doing much from a practical standpoint by simply attaching your Code of Conduct as an exhibit to a contract and expecting the other party and their employees to comply with it.

Will anyone from the other side read your Code of Conduct? Probably not – and even if someone from the other side does read your Code, they might only be involved in the contract review stage and not involved in the performance of the contract. Is attaching a Supplier Code of Conduct better? It is slightly better since it at least attempts to target the audience more, but even then the Supplier Code might be very broad and not address specific risks or situations.

Rather than adding your Code of Conduct as an unread exhibit, think about what ethics and compliance risks the relationship could present (including based on due diligence findings), and then craft and talk through the relevant provisions for a written contract that address those risks. And if you have audit rights in a contract, use them – there is no point in spending a whole bunch of time negotiating audit provisions and then never actually using them. If you use a contract management system, you can often leverage those systems to provide reminders about following up on relevant contract provisions to ensure they are being complied with.

Third parties can and do present compliance risks and those risks need to be managed. However, you need to be smart at how you address those risks and not simply throw in your organization’s Code of Conduct as a contract exhibit and think that’s going to add value or mitigate risk.


What Can Tigranes The Great Teach About Retaliation Of Whistleblowers?

In 69 BC, a messenger returned from the battlefront to tell Tigranes the Great that Lucullus and his Roman army were approaching (this became the Battle of Tigranocerta).

Tigranes was apparently so angered by the news that he ordered the messenger to be decapitated – not surprisingly, no further news was sent from the battlefront. Lucullus and his army prevailed, and Tigranes lost and fled to the mountains.

Retaliation and silencing of whistleblowers has existed for millennia, but so too have the lessons that silencing and retaliating against whistleblowers is a bad strategy that is likely to backfire. Tigranes not only retaliated against someone for sharing unwelcome news, but he did himself no favors in sending a chilling effect to the rest of his troops that bad news would be punished.


Why “Ethics & Compliance For Humans”?

A question that I often get asked is why do I use the hashtag #EthicsAndComplianceForHumans and why is “Ethics & Compliance For Humans” the title of my soon to be published book.

I have been an advocate for several years that an ethics and compliance program is not about complying with the law; it’s about getting your organization’s employees and other human beings to act in a way that ensures the organization complies with the law. People—whether they are your organization’s employees, contractors, customers, or suppliers—are, or should be, at the heart of your ethics and compliance program because they (and not the legal entity) are the ones who do the actual compliance (or noncompliance). We have to see ethics and compliance through a people-focused lens (rather than vice versa) if we want our ethics and compliance programs to actually work in practice. Ethics and compliance programs are about people, and that’s why I focus on “Ethics & Compliance For Humans.”


3 Challenges of Using Translators During Internal Investigations

Sometimes it might be necessary or useful to have a translator help in conducting an internal investigation. While translators can be very useful and support conversations that might not otherwise be able to take place, you also need to think about some of the potential risks and downsides involved in using a translator during an interview. This week’s #SundayMorningComplianceTip looks at 3 challenges of using a translator during internal investigations.

How have others effectively used translators to support internal investigations?


Disney’s Aladdin And The Basics Of Third Party Due Diligence

Last Saturday, my kids finally finished watching the live action Aladdin movie. While there are a decent number of compliance messages in the movie, the one that sticks out to me is that some fairly basic due diligence would have revealed that “Prince Ali” was not who he presented himself to be. While Jafar was a rather crazy villain, he seems to be the only character in the movie who grasps the importance of conducting due diligence and background checks. People and risks can hide behind entities, and conducting due diligence and background checks on third parties can help ensure you know who you are actually dealing with and doing business with.

Does a third party appear to be overly impressive, makes outlandish claims and boasts an incredible background that cannot be verified? Chances are you are not dealing with who they say they are, and you can confirm that with some basic due diligence.

SUNDAY, JULY 30, 2023

Ethics, Compliance and Artificial Intelligence

There is understandably a lot of discussion about the benefits and risks of AI, and what its impact will be on humans, society and humanity as a whole. Technology and AI are certainly going to be part of ethics and compliance programs going forward, and I view it more as “how to do we use effectively” rather than “should we use this.”

Sociologist, Dr. Sherry Turkle is, has made a number of comments on technology that really resonate with me and I view as relevant to how compliance programs will approach AI, including “I am not anti-technology, I am pro-conversation” and “I am less concerned about computers becoming human and more concerned about humans becoming like computers.”

Chatbots, AI and other technology have their place and use, but so does human to human conversation and interaction. Artificial and emotional intelligence are both needed to support today’s employees – I don’t think you can have one without the other. Technology such as Global Entry is great because I can skip the lines at immigration and don’t feel a need to speak with a person as part of the process, but there are other times when human needs are better served by connecting with another person.

How are other people introducing artificial intelligence into their programs while balancing this with emotional intelligence and maintaining a human focused approach?

SUNDAY, JULY 23, 2023

Ineffective Policy Attempts: Glasgow’s Duke of Wellington Statue and Traffic Cones

It had been more than 10 years since my last visit to Glasgow, but I was pleased to see on a recent and enjoyable (albeit brief) family trip back to my home city that the Duke of Wellington statue still has a traffic cone on its head. For as long as I can remember, the local authorities in Glasgow have tried to deter people putting a traffic cone on top of the statue (partly for safety reasons and to protect the statue from harm) – as determined as the authorities have been over the years, the people of Glasgow have shown they are even more determined and the removal of one traffic cone is promptly followed by the placement of another on the Duke’s head.

The Glasgow authorities should realize that policies, standards and controls don’t exist in isolation. Knowing your target audience, their culture, and their motivation and willingness to comply are key to understanding if a policy, standard or control will be effective and work in practice. Old habits, especially those that are part of a culture, are hard to change – it’s one of the reasons why understanding culture is so important to any program. You can build all the programmatic elements you want, but without a culture that is aligned a program will never be a lasting and real success.

No alternative text description for this image

SUNDAY, JUNE 25, 2023

Encouraging People To Speak Up With Threats Of “Legal Consequences”

I was recently looking at the ethics helpline intake process of another organization. The intake process included the following two sentences:

“You are protected from retaliation if you report in good faith to the best of your knowledge. At the same time, malicious reports are prohibited and may lead to legal consequences.”

Perhaps the organization has had a number of problems involving malicious reports and feels the second sentence is necessary, but I can’t help but wonder what the impact of such a message is on someone who is raising a valid concern in good faith and already worried about what the process will be like and how they will be treated. Such a message is likely to cause people to question whether speaking up is worth the risk or think they are safer speaking up anonymously – neither outcome is beneficial for the individual, the organization or the organizational culture.

Properly conducted and timely investigations can reveal when matters are raised without any real or good faith basis, but I don’t think most organizations have a problem of malicious reports – the bigger and more common problems relate to underreporting, nothing being done once an issue has been raised and the treatment of people who do speak up (they are treated badly and/or they experience other negative consequences).

Rather than making people think the organization will sue them for speaking up, organizations can, and should, recognize that people who speak up are people who care and aim to make the process less painful.

SUNDAY, JUNE 18, 2023

Sensing Great Disturbances In The Force

Obi-Wan Kenobi was able to detect “a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were suddenly silenced” and could tell “something terrible has happened” even though he was physically far from where the event occurred (when the planet Alderaan was destroyed by the Death Star). Not only do we not have light sabers, but ethics and compliance officers have also not yet figured out a way to use the Force to detect risks and wrongdoing. Check out this week’s #SundayMorningComplianceTip for a Star Wars inspired tip about how data analytics can help and let me know what you think.

No alternative text description for this image

No alternative text description for this image

SUNDAY, JUNE 11, 2023

One Thing That Is Definitely Not Your Job If You Work In Ethics And Compliance

I have heard several ethics and compliance professionals over the years talk about something that their CEO told them was their job, but is something I think is definitely not the responsibility of the ethics and compliance officer. Check out this week’s #SundayMorningComplianceTip and let me know what you think.

No alternative text description for this image

No alternative text description for this image

No alternative text description for this image

No alternative text description for this image

No alternative text description for this image

No alternative text description for this image

SUNDAY, JUNE 4, 2023

Re-framing Nate’s Story – Ted Lasso (small spoiler alerts for season 2)

Ted Lasso has many lessons of integrity, culture and leadership (as well as being an overall great and enjoyable show). The focus is often on Ted and how he is such a great leader while also showing his human flaws too (because great leaders are real people and not the perfectly polished version many would like to project).

Nate, on the other hand, is not someone who is often talked about in favorable terms. For anyone who has seen the show, you know about Nate’s rapid rise from low confidence kit caretaker, to Richmond coach and then to being portrayed as the fairly arrogant manager of West Ham – as well as his greying hair that apparently signaled his turning to the dark side followed by his fall from grace as he left Richmond.

But what if Nate’s story was seen from a different perspective? Perhaps Nate’s graying hair was less about him turning to the dark side and more a physical response to the stress and pressure he was under (including that he was being promoted too quickly and pushed too far beyond his abilities). If someone looks so physically or mentally stressed that their hair is literally turning grey overnight, maybe ask how that person is, look into the organizational culture and understand what pressure people are experiencing. A professional sports team is a high pressure environment, and Nate had been vocal that he felt discarded by Ted and that his efforts had not been recognized – there were signals that all was not well for Richmond FC’s backroom staff.

Don’t get me wrong – Nate could and should have handled many situations better and he was not very nice at times. However, portraying Nate as the villain rather than an employee who felt such a level of pressure that it impacted him physically and also his thinking and actions is not accurate or productive. Simply blaming Nate might seem (but definitely is not) beneficial to the organization in the short term, but doing so ignores the many other contributing factors at play and such an approach will only lead to bigger problems for employees and the organization in the future. Fixing organizational problems and changing the workplace culture can take time and effort, but is something that organizations need to do to help prevent other employees going down the same path as Nate.

SUNDAY, MAY 21, 2023

Standards and Controls and Culture

One of the things I often notice when I visit Japan is that most people will wait patiently at cross walks even if there is no traffic coming. While there are similar controls and standards to other places (traffic lights, pedestrian crossings and penalties for jaywalking, etc.), a key difference is culture and how people – both individually and collectively – interact with those standards and controls.

Standards and controls are (of course) important to compliance, but culture is what will “make or break” standards and controls and determine whether or not (and how) they will work in practice. You can develop as many well intentioned and well thought standards and controls as you want, but they not be effective in practice if the culture of an organization is not properly considered when building and designing any standards and controls. As important as standards and controls are, the U.S. Department of Justice’s Lisa Monaco summed it up well in September 2022 when she said “As everyone here knows, it all comes back to corporate culture.”

No alternative text description for this image

SUNDAY, MAY 21, 2023

Policy/Standards 101

I took this picture at Nashville airport on a recent work trip. One of two possible things has happened:

1. Nashville airport is now transporting students to Hogwarts and this is a platform 9 3/4 situation. This is not a wall, but a portal to get you to the gate that will take you to Hogwarts*; or

2. There used to be a one way walkway here, but it was recently walled over. The sign used to serve a good purpose, but now no longer provides value (other than content for my #SundayMorningComplianceTip) and could cause people to question if other standards and policies are outdated and need to be followed or not.

This situation reminded me of two basic – but often overlooked – points when it comes to standards and controls:

1. Policies should supplement common sense; not replace it. If a wall literally blocks someone from entering an area, a policy telling them not to enter is not needed – the wall is sufficient for common sense to determine that this is not an access area.

2. When your operations, risks or vulnerability to risk change, make sure to adapt and update your policies and standards (including determining if the policies or standards are even needed any more).

*(Sorry Harry Potter fans – I’ve walked down that walkway before it was walled over, but don’t let that stop you from visiting Nashville to check for yourselves and see our incredible revamped airport)

No alternative text description for this image

SUNDAY, MAY 14, 2023

Writing Policies vs. Writing Policies That Will Actually Work

Can you write a policy that says employees are banned from using ChatGPT and other similar technology in the course of their work? Yes.

Will all employees comply with such a policy?

Short answer: probably not.

Longer answer: (here is part of the response from ChatGPT when I asked “Will employees comply with a policy that bans ChatGPT?”)

“Ultimately, the success of implementing a policy banning ChatGPT or any other tool depends on a combination of effective communication, support, enforcement, and the specific dynamics within the organization. It’s important to consider these factors when implementing and assessing the compliance of such policies.”

It’s a pretty good answer from ChatGPT.

Writing a policy is not that hard; but writing a policy that will actually work in practice and be followed and enforced takes time, effort and socialization with various stakeholders, including those who will be impacted by the policy. Policies need to be accompanied by effective communication, support from employees and leadership, enforceable and enforced in practice, and thoughtfully tailored for the dynamics within your organization. Organizations need to carefully think about whether and how they want their employees to use new technology (especially to protect confidential and other sensitive information), but an outright policy ban without more will not automatically result in employees not using it.

No alternative text description for this image

No alternative text description for this image

No alternative text description for this image

No alternative text description for this image

No alternative text description for this image

SUNDAY, MAY 1, 2023

Conflict vs. Compliance vs. Commitment

I recently read a book that talked about conflict, compliance and commitment. It is an interesting spectrum and one that can be useful and relevant to ethics and compliance.

Organizations sometimes see conflict with the standards and values they are required to meet or otherwise set for themselves – essentially when people don’t, won’t or can’t comply with the standards/values for whatever reason. This is the equivalent of a “fail” in a “pass/fail” exam. The expected standards are not being met.

Most organizations aim for compliance with the standards and values they are required to meet or otherwise set for themselves. Compliance is not a bad thing if the standard set is high enough or meeting the standard is considered enough, but often compliance means that the minimum is done to meet or pass the standard. This is the equivalent of a “pass” in a “pass/fail” exam.

Commitment is the ideal level of engagement and organizations should aim to have a culture that is based on a commitment to integrity. When you have a commitment to integrity, people are not motivated to do the minimum but instead pursue integrity as an objective and purpose. This is the equivalent of an “A+” in an exam.

Does your organization prioritize conflict, compliance or a commitment to integrity? Is your Ethics and Integrity program focused only on compliance or pursuing a commitment to integrity?

No alternative text description for this image

No alternative text description for this image

No alternative text description for this image

No alternative text description for this image

No alternative text description for this image

SUNDAY, APRIL 30, 2023

Why We Need To Rethink And Reframe What Is Meant By A “Speak Up Culture”

A speak up culture is an essential element of an effective ethics and compliance program. While the previous sentence is nothing new, we need to rethink and reframe what is meant by a “speak up culture.”

Today, the concept is widely used to mean that employees should speak up when they are aware of some wrongdoing. When used this way, the burden of a speak up culture is put on employees – they need to speak up and if enough people do so regularly, then a speak up culture will follow. But why would any employee think it is safe to speak up if their employer has not first taken real and genuine steps to build trust, demonstrate that employees will be listened to and how they will be treated in the process?

Organizations and their leaders/managers are responsible for building a speak up culture – their actions (or inactions) will determine whether or not employees experience a speak up culture. In order to build the trust, dialogue and transparency needed for employees to reasonably believe a speak up culture exists, organizations and leaders need to consistently and genuinely take various actions and steps to do so. This includes: (1) showing the organization and its leaders genuinely care and will listen to people when they raise concerns, (2) making the reporting process more transparent, including explaining what happens when concerns are raised and sharing data/stories to show that speaking up is safe, commonly done by others and examples of what the organization has done in the past, (3) having leaders, managers and supervisors talk at least monthly about ethics and integrity (this can be a short message, but has to be genuine), and (4) taking other measures to show that the organization values people who speak up (recognitions for people who speak up, training for leaders on what to do if someone raises a concern, proactively asking employees about concerns, and asking candidates about integrity during the interview process as a way to demonstrate this matters and, ideally, supporting the hiring of people who have spoken up in other organizations).

If a speak up culture exists, then employees will feel more comfortable knowing that speaking up is safe and expected within the organization. And once employees believe that a speak up culture exists, the organization and leaders need to keep building trust with employees to keep the culture alive. Speaking up will never be easy for many people, but we don’t have to make it harder by putting the burden on employees to be the ones who will build a speak up culture. Organizations need to own building a speak up culture and once they do, they may benefit from employees speaking up more.

SUNDAY, APRIL 23, 2023

Leadership, Written Standards, Organizational Culture And Incentives

I had fun this past week briefly attending Ethisphere ‘s Global Ethics Summit in Atlanta and speaking on a panel about how to use incentives as part of an effective ethics and compliance program. Incentives – like any other feature of an ethics and compliance program – don’t exist in isolation and need to be considered in terms of how they will impact, and be impacted by, other aspects of how an organization operates. Organizations need to consider the interplay and alignment between four key areas (including incentives) to ensure there is an organizational commitment to integrity:

1. Leadership (including the direction set by leaders, managers and supervisors throughout an organization and what they permit in terms of behavior),

2. An organization’s written standards and controls,

3. Organizational culture/pressure, and

4. Incentives.

If all four areas are aligned and pointing in the same direction of an organizational commitment to integrity, then employees will have clarity on what is expected of them (the written standards), the actual standards will be consistent with the written standards, employees will supported and held accountable by leadership and others to do the right thing, and employees will be financially and socially rewarded for doing the right thing.

If these four key areas are not aligned or not aligned to support an organizational commitment to integrity then that should be a cause for concern. Remember, it was (in the words of the Department of Justice) “a complete failure of leadership at multiple levels” and “pressuring employees to meet unrealistic sales goals that led thousands of employees” at Wells Fargo to open millions of accounts without customer authorization. Leadership, organizational culture/pressure and incentives were clearly not aligned with the written/stated standards of their ethics and compliance program, as a result there was no organizational commitment to integrity.

It is not enough to have written standards that are not supported and put into practice by leadership, the organizational culture and incentives. All of them need to be aligned to build and sustain an organizational commitment to integrity.

No alternative text description for this image

No alternative text description for this image

SUNDAY, APRIL 16, 2023

7 Signs Of Psychological Safety In The Workplace

Psychological safety is an important concept for ethics and compliance, but also key for any organization to operate effectively. Here are seven ways to tell if the levels of psychological safety that your employees feel and experience are low or high.



Finding Your Own Ethical And integrity Diamond Dogs (What Ted Lasso Can Teach Us About Psychological Safety And Isolated Decision Making)

While a lot has been written about the lessons of leadership from the show “Ted Lasso”, I have not seen anything written about the Diamond Dogs.

For anyone not familiar with the show (and I only started watching it a few weeks ago myself), the Diamond Dogs are a group of some of the main characters (Ted Lasso, Coach Beard, Leslie, and Nate). During their Diamond Dog meetings, they bring problems and challenges they are each facing to the group to talk them out and seek guidance. the Diamond Dogs are an example of psychological safety and how it can reduce isolated decision-making.

Isolated decision-making, pressure, and a lack of psychological safety are often a recipe for disaster, as well as leading to poor work environments, a lack of creativity, and lower and slower levels of productivity. Psychological safety and isolated decision-making often do not get the focus they really should. When we build and sustain psychological safety in organizations and reduce isolated decision-making (especially when it comes to matters of ethics and integrity), we can make better decisions, leverage the diverse perspectives within the organization and lead to better results for both the people involved, and the organization. Next time you face an ethical dilemma or decision, think about who are your Diamond Dogs that you can reach out to.



Turning The Fraud Triangle Into The Ethical Behavior Triangle

The fraud triangle is a fairly well-known and simple visual tool that can be used to explain three conditions that can lead to fraud – namely, (1) opportunity, (2) rationalization, and (3) motive/pressure. While we should look at the reasons that can cause people to commit wrongdoing, we should also look at what conditions can increase the likelihood of compliance and ethical behavior. Many of the same conditions that can lead to wrongdoing such as fraud are also similar to the same conditions that can cause people to do the right and ethical thing too

The fraud triangle can help us understand why people might do bad things such as fraud, but we also need to understand how we can help people do the right and ethical thing. Ethics and compliance are not simply about the absence of bad behavior; they are also about adding value to individuals, organizations and the broader community/communities served by an organization by encouraging ethical behavior. Most people want to – and will do – the right thing and we can make it easier for them to do so by creating the right conditions. Give people the opportunity, make doing the right thing rational and psychologically safe, and motivate people to do so through incentives and support from others.

SUNDAY, MARCH 26, 2023

Our coffee machine recently provided a few good reminders for ethics and compliance and HR professionals

1. Good things (such as espresso) can come from appropriate amounts of pressure.
2. Pressure is something that can, and should, be measured and monitored.
3. Excessive pressure is not good (for people or coffee machines).

Organizations need to understand what pressures people are under, what they are being pressured to do, what the consequences are of those pressures and whether it is healthy for the organizational culture. Pressure is not inherently bad, but it needs to be carefully monitored and managed.

Thankfully no coffee machines were harmed in the making of this post…

SUNDAY, MARCH 12, 2023

How Do We Ensure That Past Ethics And Compliance Issues Are Not Forgotten Or Repeated

During a recent run, I came across the below sign post and stopped to take a picture of it. Similar to Japan’s “tsunami stones,” this sign is intended to help people to learn from the past events and the harm caused, as well as helping human decision making in the future.

No organization is perfect and most organizations will have faced various ethical and compliance matters during their existence. Whether these past issues have been in the headlines or handled internally, they provide learning opportunities for others to help understand what happened and what needs to occur to prevent/minimize the issue occurring again in the future. While it might be painful for organizations to retell stories of the past, these stories can help employees understand risks in realistic terms and help their decision making in the future. However, these lessons can be quickly and easily forgotten if they are not regularly told and kept alive. Stories and lessons from the past can be of great help to employees part of the onboarding process, talked about regularly in trainings and meetings and used as reference points when considering new initiatives.

How does your organization help today’s employees and ensure that stories from the organization’s past are not forgotten?


Six Ethics And Compliance Topics That Leaders Can Easily And Quickly Talk About With Their Teams

Leaders, managers and supervisors play such a key role in helping to build and sustain a culture of integrity at any organization. Some leaders might worry about whether they will get the message “perfectly” right or might even wonder what they should talk about with their teams. The truth is that the message does not need to be perfect to make a difference, and a good message delivered by a leader or manager will have an impact because of who is communicating the message.

Here are six short ideas for topics that leaders and managers can easily talk about with their teams.


“Compliance [or insert any other topic] Is Everyone’s Responsibility.”

These types of statements – whether they are printed on posters on an office wall, in codes of conduct, part of training materials or elsewhere – are true, often well intentioned but also of little to no practical use or value. These statements do not tell employees what is expected of them, how their responsibility differs from that of other people in the organization or how they will be assessed on that responsibility.

Rather than simply saying compliance is everyone’s responsibility, invest time in communicating what that responsibility really means and how people can live up to their responsibility. Otherwise compliance will be everyone’s responsibility, but no one will really own it.


I had the privilege earlier this week of getting to speak to a class of law school students for their course on ethics and compliance. I even managed to catch the tail end of one of the student group presentations and it was great to listen to the talented minds that are contemplating a career in ethics and compliance. What gave me a lot of hope was that these future professionals were not only interested in how to think about ethics and compliance programs, but how to build ethics and compliance programs that people can trust and will actually make a difference. They asked great questions on how to build trust with employees in terms of speaking up, how can we better support people who are victims of harassment and other wrongdoing such as retaliation, and how to effectively tackle global issues such as bribery and corruption (and whether today’s efforts are doing enough).

I never even considered the idea of taking an ethics and compliance class when I was in law school, but it so encouraging to see that things are changing and the caring and talented future professionals who will be leading the charge in the years to come. Whether the future ethics and compliance professionals are in law school, another academic field or learning through work or other means, those of us practicing today have a great opportunity and responsibility to help those looking to enter the profession, and to hear and learn from them.

What are some other ways that people are helping to support the future ethics and compliance professionals?


“These Aren’t The Droids You’re Looking For”

Even as adults, we are always watching and taking cues from influential people in the workplace such as leaders, managers and supervisors. The behavior of others is much more influential on our thinking and future actions than what is written in a policy. Obi-Wan Kenobi might have had good intentions in lying, but what was the impact of his actions?


What Is Going On In Your Organization But Not Being Officially Reported?

Speaking up can be difficult – it can be an emotionally challenging experience that feels isolating for many people, and reporting through an ethics hotline (or another reporting channel) can take time and energy. While many ethics and compliance programs focus on the 1.4 reports per 100 employees (which is simply an average of various companies, but not a “best in class” standard” that organizations must match), we cannot forget the other ~98.6% of employees who might be experiencing or aware of issues and yet have not raised those matters through the ethics hotline or another reporting channel. Some issues within your organization might not result in employees picking up the phone or submitting a report (perhaps they feel it is not worth their time, they are not sure how the organization and others will perceive or treat them for raising the concern, or they or someone else they know have had a bad experience before), but it doesn’t mean that those issues aren’t impacting your employees (both impacting them as people or their ability to do their jobs), your organizational values, potentially creating liability or claims, or otherwise holding your organization back from being more effective and financially successful.

Only focusing on issues that come through the ethics hotline and other reporting channels is neither employee centric nor likely to result in an effective program. Find out ways in which you can regularly and proactively reach out to employees to get a sense of the issues that are going on and what life is like for them in their part of the organization, including employee roundtables, short surveys conducted by the compliance team, data from employee surveys by HR, stay/exit interview data, and just talking with people are just a few examples of things that can provide useful insight and surface issues that should be addressed.

Good things happen (for employees, culture, standards, profits and results) when organizations seek to build trusting and psychologically safe workplaces and when organizations proactively look at what is going on in the workplace.


Good News Does Not Need A Third Party Hotline For People To Anonymously Share The Good News

Can you imagine what would happen if your organization encouraged that all good news should be reported through the organization’s ethics and compliance hotline (and even reminded people about the option to do so anonymously)? Compare the different journey in your organization of messages (and the people who are the messengers) involving (A) increased sales, winning a new customer or contract, or better than expected financial results, versus (B) someone speaking up with an ethics or compliance concern or to report other wrongdoing.

In scenario A, the good news will flow freely and quickly because this type of news is generally easy to deliver, people can assume how they will be treated, and, perhaps most importantly, good news is well received and listened to, and, sometimes, even rewarded. The organizational culture and communication channels are clearly known, effective and work in practice, and it would sound crazy to encourage people to report that news through a hotline run by a third party (and even reminding them they can do so anonymously).

Organizations should provide and publicize multiple and effective (including that employees see them as effective) ways to speak up, including the use of third party help/hotlines that allow (if someone chooses) to report confidentially or anonymously (there are some great helpline companies out there with impressive technology, compassionate listeners and visionary leaders); however, we can, and should, seek to transform organizational cultures to raise the psychological safety and listening of workplaces so that employees and employers feel that the information in scenarios A and B are treated, and perceived, in the same way. This includes making sure scenario B concerns and the messengers are listened to, treated well, even rewarded and to help make what can be a difficult conversation less difficult (including sharing stories of other examples where people have spoken up, how the organization handled the situation and the outcome for the people who spoke up).

If people in your organization are only or mainly relying on the hotline to report scenario B matters, what lessons can you learn from how scenario A messages/messengers are treated and apply those lessons to support scenario B messages/messengers?


Who Said It – Your Code of Conduct or Professor Snape?

While people should always be encouraged to speak up if they are aware of wrongdoing by others, simply having a written statement in your organization’s Code of Conduct that says “you must report that information” puts the burden 100% on employees and fails to reflect reality. If an organization wants people to speak up, it should focus more on ensuring there is a culture that listens, is built on psychological safety and values people who speak up as people who care. Check out the below image and see if you think it is a quote from your organization’s Code of Conduct or Professor Snape.


It’s that time of year when many people are putting together their annual performance goals and objectives for the year ahead. This is a good opportunity to help ensure that ethics and compliance are part of employee objectives (especially for leaders, managers and supervisors). The type and number of objectives will depend on both an individual’s role but also the maturity of your organization’s ethics and compliance program, but here are some suggestions for goals (and why they matter) to consider for your organization.


My #SundayMorningComplianceTip series is back after a few weeks off for the holidays and a wonderfully fun family trip.

To start off 2023, here is a tip inspired by a recent run around #Nashville – two separate construction areas that impacted where pedestrians could go, but one provided an alternative path and helped manage overall risk whereas the other avoids one risk but creates additional risk.

Howdo employees perceive your organization’s policies and standards? Do your standards simply tell people not to do certain things without taking into account that people have objectives, are under pressure and have jobs to do? Or do your policies help people avoid risks and provide useful guidance?



My #SundayMorningComplianceTip will be taking a break over the next few weeks as I look to prioritize family time and relaxing over the holidays. I’ll wrap this year up with my “7 Tips For Launching New Ethics & Compliance Policies.” Stay tuned for more compliance tips in 2023 and some other exciting projects coming soon.


Every organization should aspire to have a culture of psychological safety that means employees are as comfortable and passionate about speaking up as the players are to the referee and other officials in the FIFA World Cup.


When Policies And Standards Make No Sense


I like to go for a longer run on Saturday mornings around one of my favorite parks here in Nashville. As I finished my run yesterday morning, I ran past a small strip of what otherwise looks to be a sidewalk with signs facing both directions and even signage on the ground saying “not a sidewalk.” With that many signs, it is rather clear that someone does not want anyone using this as a sidewalk; however, it really is not clear why they do not want it used as a sidewalk (especially since it is by a road) and I happily run on it when a car comes by.

If you are going to create a policy or standard, then you can get higher levels of actual compliance if you can explain the “why” behind the policy or standard. If you cannot explain why you need a policy or standard, then you need to give some real thought to whether the policy or standard is needed and set expectations low for actual compliance. More policies and standards are not always the answer – provide people with clear guidance and help them understand why they should or should not do a particular thing.



Ethical Leadership To Do List


Leaders, managers and supervisors are one of the key ingredients to helping make ethics and compliance a priority in any organization. It isn’t enough for a Code of Conduct to say that they have a “special responsibility” when it comes to ethics and compliance, you need to help people in these roles understand what they need to do. Here is a quick “to do” list that any leader, manager or supervisor can use to use their voice and influence to support employees and set the right tone.

What else would you add to the list? What are the biggest challenges you think leaders, managers and supervisors face in helping to build and sustain a culture of integrity?



How To Make A Speak Up Habit Loop vs. Making Speaking Up A One Time Regrettable Event


A speak up culture is an important element of sustaining an effective ethics and compliance program and an indication of whether or not the program is working in practice. A speak up culture is not simply the individual responsibility of anyone who should, or wants to, speak up – it is a collective responsibility to ensure that speaking up becomes a habit and an individual and organizational norm, and not a one time immediately regrettable event for the person speaking up (or deter others if they see or hear about the bad experience others have gone through when speaking up). As many Codes of Conduct encourage, people who have relevant information should speak up – but that alone won’t build a habit or culture of speaking up. The organization has to listen to the person (including their story and not just facts relevant to potential liability for the organization) and ensure that the person is, and feels, listened to and that the process provided a more positive outcome than not speaking up. Cue; routine; reward; repeat (aka the habit loop).

While perhaps overly simple (and missing some other things that organizations can do to build a speak up culture), the below images show the differences in how to create a speak up culture through the habit loop and how to not have a speak up culture by breaking the loop. The images might be overly simple, but in some ways I think the concept of creating a speak up culture is fairly simple – listen to people, treat them with respect, appreciate and recognize them for speaking up and continuously build trust.

People who speak up are people who care, and organizations should in turn take care of these people. People should be rewarded for speaking up – otherwise an organization cannot expect to build or maintain a speak up culture.

Thoughts? Agree? Disagree? Share your thoughts in the comments below.


The Island of California – Why Future Generations will Probably Laugh at Today’s Commonly Held Beliefs about Ethics and Compliance


There was a long held belief that started in the 16th century that California was an island. This incorrect belief continued to be reflected on some maps throughout the 17th century despite the fact that there was plenty of evidence that California was not an island (including, to state the now obvious, that California was in fact connected to the rest of the contiguous United States). Based on what we know today, the notion that anyone could think that California was an island and maintain that belief for such a long period of time seems absurd and comical. However, despite the evidence to the contrary, the mistaken belief persisted for a long period of time.

As much as we might not want to admit it, some of today’s commonly and tightly held beliefs about ethics and compliance will no doubt seem backward and comical to future generations. These “erroneous beliefs” will seem so obvious to future generations, yet we are unable to see the flaws in our thinking or the potential to see things differently. Commonly held beliefs can be hard to critically reflect on, but we absolutely have to challenge why we think certain things, seek differing perspectives and explore new ways of thinking.

I personally hope that we abandon “training and communication” in favor of “learning and engagement” (this is something that can, and should in my opinion, be done by every organization now), that Codes of Conduct and online training will look very different in the future, and that programs will seek to add value to their employees, culture and organization (which includes today’s program pillar of risk assessment/management) rather than being primarily driven to only minimize risk for the organization (an effective program does reduce risk, but also can add so much financial and other benefits and value).

What are some aspects of today’s ethics and compliance programs that you think will be challenged and rethought in the future? What’s one transformational or radical change you would like to see ten years from now and what are the one year and five year incremental milestones we would need to hit to get there?


How to Get Your C-Suite to Talk About Ethics and Compliance


Over the years, I’ve been asked by a few people from other organizations “how do you get the CEO and other senior leaders to talk about ethics and compliance?” The answer is simple – you start by asking the C-suite to talk about ethics and compliance. Yup, it is that simple.

Your CEO and other senior leaders are incredibly busy, but I have yet to come across a senior leader who is driven to deliver results and leads with integrity, and who has not immediately said “yes” to helping reinforce organizational values and using their voice for good. Regulators expect “tone at the top” and – more importantly, in my opinion – I think most employees want to hear directly from their organization’s leaders and what they really think. This is an opportunity for senior leaders to reinforce the key messages of the ethics and compliance program, and also for them to share their personal stories about their careers, ethical dilemmas they have faced and when/how they spoke up (and what their experience was like in doing so). People connect with people and they connect with human stories – your organization’s senior leadership are hugely influential people who will inevitably have interesting and impactful stories to tell. No policy or PowerPoint presentation can equal the impact of senior leaders talking about organizational values. If you haven’t asked your senior leaders to talk about ethics and compliance, then reach out to them and find opportunities that work for their schedules to make it happen.

Tomorrow starts Bridgestone Americas’s 8th annual Ethics and Compliance Week and I could not be more excited to kick off our “Trust Week” theme with a panel discussion on trust, ethics and integrity with Paolo FerrariChris NicastroDane Parker (Board Member) and special guest Asha J. Palmer, JD, CCEP, LPEC (SVP of Compliance Solutions at Skillsoft. Each of these four people are leaders who role model integrity and trust, and I am sure our teammates and I will learn a lot hearing from them.


The Time It Takes To Conduct Internal Investigations Is Relative


Some internal investigations are going to take longer than others (due to various factors such as complexity, number of people to be interviewed, materials to be reviewed, specificity of the allegations etc.), but many companies consider 30 days as being the target (whether or not they actually hit it) to complete most investigations within.

From an organization’s standpoint – and perhaps the investigator’s too if their workload is so high – 30 days is not a lot of time. However, from the perspective of the person who reported actual or alleged wrongdoing or (if the reporter is aware of, and spoke up about, wrongdoing impacting someone else) the person suffering the wrongdoing, 30 days can seem like a really long time. If someone is dealing with harassment, retaliation or workplace bullying, then 30 days (especially if there is not much communication from the organization about what is happening) is going to feel a lot longer to the individual than it will to the organization. The reality, as seen in NAVEX’s latest benchmarking report, is 22% of organizations had a median case closure time of 100 days or more.

Investigations should never be rushed and they need to be made a priority to ensure that wrongdoing is addressed in a timely manner and also to make sure that employees are, and feel, seen and valued as people. Speaking up is often hard, but it doesn’t need to be made worse by the organization taking what might feel like an eternity to respond.



Compliance Learning


Like many others, I learned a lot from this week’s Society of Corporate Compliance and Ethics (SCCE) CEI in #Phoenix. I picked up a number of new ideas from the different sessions I attended, and also learned just as much from the conversations I had with other attendees during the coffee breaks, walking around the vendor exhibits, over meals and other random interactions during the few days there. Learning can take place during formal training (such as classroom or online training), but we can also learn so much through less formal ways including conversations, coaching and mentoring.

When organizations – especially leaders, managers and supervisors – regularly have conversations with employees about ethics and integrity, we can really enhance the opportunities for employees to ask questions, see different perspectives and to learn in a less formal environment. If we only focus on helping employees learn about ethics and compliance in traditional class room settings, then we are (according to the Center for Creative Leadership’s 70-20-10 model) missing out on 90% of how adults learn. There are so many different things organizations can do to help employees learn – share stories of when other people have spoken up (especially personal stories by leaders), connect strategic projects to organizational values and help employees get more comfortable with understanding whether leaders are truly committed to the organization’s compliance program.



Risk-Based Due Diligence is Just a Fancy Way of Describing…


Risk-based due diligence can sound both abstract and scary – and, perhaps understandably, something that anyone would want to kick over to the Legal and/or Compliance departments to handle. We all perform risk-based due diligence every single day, but we just don’t use that term to describe the following things:

1. Looking at the price, brand and expiration date on produce at the grocery store.

2. Checking the Yelp or Google reviews of a restaurant before deciding whether to make a reservation and/or what to order.

3. Checking whether it is safe to cross the road before you do so.

4. Checking the weather forecast before you head out for a walk.

5. Doing as your Peloton instructors say and “taking a quick 360 around the treadmill to make sure there are no children, pets or objects.”

These are all examples of risk-based due diligence that many of us can relate to and we all do ourselves without even realizing it is risk-based due diligence. Some types of due diligence definitely do require legal and/or compliance expertise, but we can do a lot to make most risk-based due diligence seem a lot less scary and abstract.



Scary Headlines and Compliance Program Branding


While scary ethics and compliance headlines are sometimes useful for explaining the importance of ethics and compliance, they often reinforce the brand that compliance programs are only about “not doing bad things” and “avoiding fines and penalties.” A well designed, well resourced and effective ethics and compliance program does a lot more than simply preventing “bad things” – such a program can support the financial success of an organization (see the Ethisphere ethics premium and the university study from a few years ago that showed increase return in assets, fewer materials lawsuits and lower settlement costs amongst other benefits), helps employees and other people who work with your organization, and will also support any organization’s mission statement that includes a social focus.

Fear based training and communication on any topic has limitations and is something that should be used in moderation. Ethics and compliance can add value to any organization and it is important to help ensure the program brand helps communicate the actual and potential value. A well designed program that has a lousy and/or fear based brand will struggle to really be effective and engage employees.



Making Compliance Painful and Laborious


Sometimes doing the right or ethical can be emotionally challenging – for example, it can be difficult to speak up or to challenge existing norms even if someone knows doing so is the right thing to do. Organizations need to be aware of this and always try (whenever possible) to design compliance processes to ensure that doing the right or ethical thing is not more painful or laborious compared to not doing the right or ethical thing. If the speak up process is too painful or laborious (for example, the hotline process takes too long to report matters or lacks empathy, or someone reports a matter to a manager and is then told to call the hotline), then it will put people off from continuing the reporting process or they won’t want to do it again. If finding guidance requires too many “clicks,” then only the most motivated and persevering individuals are likely to find the guidance. If a policy or procedure is so long and filled with technical terminology, then it won’t be read or understood (and possibly not complied with). Doing the right thing should be made as easy as possible – if doing the right thing is emotionally and logistically hard to do, then an organization should not be surprised when overworked people aren’t doing what the organization hopes they will do.



Spot The Traffic Sign

I took this picture on a recent evening run in my neighborhood. A traffic sign can be clear and easy to understand, but if it is hidden by trees or other objects then it is not helping anyone and certainly not fair if someone is given a ticket for not complying with the traffic sign.

The issue is not only hidden traffic signs, but also organizations that have their Codes of Conduct hidden in obscure places or only on password protected intranet sites. A Code of Conduct should be clear, easy to find and visible to all. If an organization’s Code isn’t visible and easy to find, then it won’t have any positive impact and it also would not be fair to enforce disciplinary proceedings for not complying with it.

Ethical organizations don’t hide their values – they make them visible for stakeholders (internal and external) to see and operate by those values.



Building A Compliance Program Is A Never Ending Task

I used to run marathons and I usually found that once I reached the ~20 mile mark, I would only focus on the last ~6.2 miles ahead of me and not give much thought to the ~20 miles that I had already completed. Often the road ahead – especially when times are tough – consumes our attention and focus, and we immediately forget the road behind us.

While a marathon has an end, the work of an ethics and compliance professional will never be complete. It is understandable why those of us working in ethics and compliance often look at the road ahead and the (often daunting amount of) work that still needs to be done. While it is important to think about, and have a plan for, the future, it is also good to occasionally reflect on the progress your program and those involved have made. Reflecting on the progress made can help you, your colleagues and the organization take stock of the hard work and value you have added over an extended period of time, while also helping provide motivation for the road ahead. Building a compliance program is a never ending task – we need to keep that in mind to ensure we help others stay motivated, not overwhelmed or burning out while still moving forward.

Ethics and compliance community, how can you use this coming week to reflect on and celebrate how far you and your team have come on building your program or even a project?



“Shirt and Shoes Required” Store Policies Don’t Mean a Lack of Lower Half Clothing is Okay

Ethics and compliance (and other) policies should be clear and practical for employees, especially if there is a risk that someone could lose their job or face other disciplinary action for violating an organization’s policy. However, policies should also exist alongside common sense – if someone does something that any normal, reasonable human being would consider wrong or inappropriate, then the defense of “the policy doesn’t specifically cover or prohibit that” is not a valid excuse. If human beings can figure out that “shirt and shoes required” policies don’t mean a lack of lower half clothing is okay, then organizational policies should focus on helping employees with guidance that adds value and not aim to cover every type of behavior that no normal, reasonable human being would need guidance on.



Ethical Learning Opportunities

Ethical lapses or other non-compliance issues in an organization can present learning opportunities for those involved, as well as other employees and the organization as a whole. However, “learning opportunities” are simply opportunities for learning – learning does not automatically occur and not helping the relevant employees learn from the situation is a missed opportunity. If an ethical lapse has occurred in your organization that presents a learning opportunity, it is important to (i) understand who the learning opportunity is for, (ii) identify what the potential learning is, and (iii) develop, and then implement, a learning plan that actually supports, and results in, the desired learning.

Learning can come in many forms (e.g., feedback conversation with manager, individual or group training, or even using the scenario to help others learn from, etc.) and helping people learn from ethical and compliance shortcomings can support an organization’s culture, support a growth mindset, and reinforce the importance and expectations around an organization’s standards.



Make Sure Employees Know Their Ethical Contributions Are Seen and Appreciated

It is that time of the year when summer is ending (as least in the northern hemisphere) and many organizations are soon to start ramping up for year end and even looking to next year. While ethical behavior should always be recognized and rewarded, this is the time of year when genuine recognitions for employees who have shown a commitment to ethics and integrity can help reinforce desired behaviors, boost morale, support organizational values and just let employees know they matter and make a difference. Whether it is through recognitions, rewards or a simple “thank you,” genuine appreciation for the actions of employees makes a positive difference. If you are a manager or supervisor of others, what can you do this coming week to recognize and appreciate someone on your team for demonstrating your organization’s value of ethics and integrity?



Sharks, Bath Tubs and Compliance

What is more scary to you: a Jaws sized great white shark with rows of razor sharp teeth or a bath tub? Most people (including myself) would say the shark is the scarier of the two. But which is more dangerous? The answer (at least from a statistical point of view) is the bath tub. Bath tubs are responsible for more than 350 deaths per year in the U.S. compared to only 1 shark related deaths per year in the U.S. (the absolute risk for both is really small before anyone freaks out, especially if you don’t go into shark-infested waters and take showers over baths).

So what’s is the connection to ethics and compliance? Sometimes things that are familiar might not seem scary, but doesn’t mean they don’t bring compliance risk or other danger to the organization. Perhaps your organization has worked with a third party for many years – you have a good relationship with the third party, they are familiar and they don’t seem all that scary. Simply because a third party is not as scary as a great white shark doesn’t mean that the third party might not be dangerous or bring risk to your organization.

It might seem frustrating to some employees as to why there is such a need to focus on things that don’t appear on their face to be scary for the organization (gifts and entertainment, conflicts of interest, etc.), but often those are the areas where real danger and risk are for your organization.



One of the (Many) Pitfalls of ‘Zero Tolerance’ Policies

Policies that include zero tolerance statements are often well intentioned, but good intentions do not always result in good consequences. Zero tolerance policies are often ineffective when inconsistently enforced and also because (as an EEOC task force commented in 2016) they can lead to underreporting “particularly where they [the employee being subjected to workplace harassment] do not want a colleague or co-worker to lose their job over relatively minor harassing behavior – they simply want the harassment to stop.”

Zero tolerance policies that focus on automatic consequences for wrongdoer (e.g., termination of employment) are really not effective in most instances and do run a real risk of underreporting. In contrast, zero tolerance policies that focus on behaviors are likely to be more effective and can better support victims of wrongdoing who simply want the wrongdoing to stop. Sometimes wrongdoing can be effectively and fairly addressed and stopped through feedback and coaching or other measures short of termination, but a hardline zero tolerance stance that focuses on the person rather than the behavior does not allow for that. There will still be occasions when the wrongdoer should be fired (and hopefully they will be fired in those instances), but such decisions should be taken with thought after assessing the particular circumstances rather than an automatic decision. A people centric approach allows organizations to go hard on behaviors that there is zero tolerance for while taking a fair approach to all the relevant people involved and the organization’s values.



Compliance and the start of the school year

It’s almost the start of the school year again (at least for my kids). There will, no doubt, be some kids that will bring in treats or gifts for their new teacher. Some gifts are totally fine – such as a small token gesture to build an appropriate relationship with your child’s teacher (our kids will probably take their new teachers some of the homemade jam they made this summer from the berries we picked). There is a legitimate reason to the gift and unlikely to unduly impact the teacher or how they treat our kids or any other students.

But then there are other types of gifts – cash, iPads, gift cards and the like – where every other parent would be perfectly entitled to roll their eyes and questions what it is really going on (thankfully, I haven’t heard of anything like this at my kids’ schools). Those gestures – even if very generous – are so questionable and just feel wrong to everyone else. Even though there is no bright line that goes from harmless/acceptable to causing every other parent and teacher to raise their eye brows and shake their heads, everyone knows the difference – just not everyone complies with the norm.

We get the basic principles of gifts, meals, entertainment and travel when it comes to schools and similar principles apply at most organizations. Yes, some organizations will take different approaches (some don’t allow any giving or receiving, some allow moderate amounts and others are more generous particularly if entertainment is a part of what their company does), but the basics still apply. In most instances (but check your organization’s policy, especially relating to government or unions officials), a small gift or item of value that is intended to build an appropriate relationship will be okay. Looking like, or acting like, the parent who goes over the top with teacher gifts is not only going to land you in trouble with your employer but will also make you just look bad.

We deal with ethics and compliance in so many aspects of our lives, but ethics and compliance at work can often seem scary and abstract. This is why it’s so important to not simply make employees aware of your ethics and compliance program, but to make it relevant and resonate with employees.


SUNDAY, JULY 31, 2022

Booth’s Rule #2 and Compliance

I recently learned about Booth’s rule #2, which relates to skydiving. The rule states that “the safer skydiving gear becomes, the more chances skydivers will take, in order to keep the fatality rate constant.” Essentially, improvements in safety will often be offset by risky human behavior to keep things constant and unchanged.

Booth’s rule #2 is something that I think should be considered in assessing the effectiveness of your organization’s ethics and compliance program and overall operations. Here are three points I think worth considering in applying Booth’s rule #2 to ethics and compliance:

1. If you are continuously improving and strengthening your compliance program but the organization’s operations are taking on more risks, then your compliance risk rate will either remain constant (or even increase). This should set off an alarm bell for your organization and should be addressed quickly.

2. Changes in the risk profile of your organization should be matched or exceeded by strengthening and evolving the ethics and compliance program to make sure the compliance risk rate is intentionally managed. Regularly assessing your organization’s compliance program using the Department of Justice’s three key questions (whether the program is well designed, sufficiently resourced and independent, and if the programs works in practice) can help determine whether your program is doing what it is meant to and what is happening with the compliance risk rate.

3. Booth’s rule #2 should also serve as a reminder that it is not enough to assess changes or improvements to your program without thinking about whether or not the changes or improvements are actually helping the organization to reduce ethics and compliance risks overall.

Organizations need to be aware of whether the compliance risk rate is constant, increasing or decreasing, and also be intentional about deciding what that rate should be and committing resources to ensuring the desired rate. This is also why your organization’s senior leaders need to understand the importance of ethics and compliance and how their decisions can impact the program, and why Compliance needs to have a seat at the table and a voice that is listened to when strategy is being set and important decisions made.


SUNDAY, JULY 24, 2022

Seeing The Human Stories of Compliance Violations and Ethical Wrongdoing

I regularly reference a 2015 article in the Guardian that looked at the Petrobras corruption scandal. The journalist who wrote the article, Jonathan Watts, shared various quotes from different individuals who were low paid employees and who lost their jobs because of the scandal. One quote in particular from someone who lost their job following the scandal has really stuck with me from that article: “I’m very worried. I have a two-year-old daughter who depends on me. I’m sinking into depression. I’ve lost 6kg since this started.”

We often don’t see or hear these voices and they are drowned out by other headlines relating to scandals. Many employees depend on their jobs to provide for themselves and their loved ones, and some of them might not have much in the way of savings to get them through periods of unemployment. Regulators and enforcement agencies are important stakeholders in ensuring your organization’s ethics and compliance program works well, but there are many other stakeholders (including employees and those who rely on your employees to have an income) who also have a vested interest in your organization’s ethics and compliance program. A good way to care for, and show care for, your organization’s employees is by making sure they aren’t at risk of losing their jobs as a result of the organization going through a massive compliance scandal.


SUNDAY, JULY 17, 2022

Where Should the Ethics and Compliance Program Report Into?

I often see and hear a lot of strong opinions about where an organization’s ethics and compliance program should report into – some people feel strongly that it should report into legal, some feel the complete opposite, others think compliance can and should own areas such as ESG, and others think ethics and compliance should be separate from each other.

So which reporting structure is correct?

The Department of Justice expects that a compliance program should be well designed, adequately resourced and empowered to function effectively, and that it works in practice. The DOJ does not say that one reporting structure is inherently right or wrong or that one is better than the other. If a program is well designed, adequately resourced and empowered and working in practice, then it is probably a good sign that the reporting structure used in that organization is working well.

While I have yet to see any studies that demonstrate one way or another that more serious violations occur with one reporting structure or another, organizations with different reporting structure have found themselves committing serious violations – reporting structure alone is not enough to keep your organization out of trouble. [If anyone is aware of any studies that shows number and type serious violations broken down into reporting structure, please share.]

So where should your organization’s compliance program report into? It should report into whichever part of your organization will ensure that the program will be well designed, properly resourced and empowered, and that it works in practice. That’s the primary objective that your reporting structure should be based on and looking to achieve – obsess less about what is the theoretical “right” reporting structure and figure out what is best for your organization and your organization’s compliance program.


SUNDAY, JULY 3, 2022

EY’s Now Much Publicized $100M Ethics Exam Cheating Scandal

Despite only being announced a few days ago, I have seen lots of coverage and commentary about the “simply outrageous” (that’s what the SEC said) behaviors and culture at EY (including that EY hindered the SEC’s investigation). Unfortunately this isn’t the first time we have seen exam cheating amongst the Big Four (anyone remember KPMG’s $50M fine?) and who knows if it will be the last.

An employee’s career brand is partially derived from the brand of the organization they work for (as well as other factors). EY’s brand has certainly taken a pretty big hit this week and some (but unlikely all) of the people involved in, or responsible for, the wrongdoing will have taken a similar hit on their professional reputation. Unfortunately, the brand and reputational consequences will also impact other EY employees who played no part in the wrongdoing including those who (i) took the exams in the period of 2017 to 2021 and did not cheat (and weren’t aware of the cheating) and (ii) the employees who had “informed [the firm] of potential cheating on a CPA ethics exam” and weren’t listened to. These are the people who now have to face the consequences for wrongdoing by their colleagues (including anyone who was involved in the wrongdoing and has since left EY and gone to another employer) and are trying to manage their career brand as a trusted and qualified professional. A $100M fine is a drop in the bucket for EY that will have little – if any – impact, but the impact of wrongdoing by an organization like EY can be significant and material on the career brands of innocent employees who thought they could trust in their employer, leadership and colleagues. Compliance scandals and violations of trust are about much more than just the wrongdoing, fines and headlines – there are often many human stories that are not seen or considered when wrongdoing has occurred.

The EY matter should also be a reminder that leadership and ethics and compliance really go hand in hand. If you are a leader or manager in an organization, make sure those employees within your scope of responsibility know (and do) what is expected of them, protect your organizations values when you see them being compromised, make sure employees won’t be harmed by wrongdoing by others and listen to someone when they speak up. And if trust is a key part of your brand in how you sell to customers or what your customers think is important (as it was with EY’s), then trust better be a key part of how your organization operates internally.


SUNDAY, JUNE 26, 2022

Gaming Compliance

One of the main issues I have with compliance e-learning courses is that they train and test an individual in isolation from their colleagues and remove other social processes/pressures within the organization. Even someone who is an “individual contributor” does not work in isolation from other people or the pressures/influence of other people. When something goes wrong in an organization, it is rarely the fault of one single “bad actor” and likely due to multiple people and how they interact with each other (e.g., this is from the DOJ 2020 press release about Wells Fargo referencing pressure and thousands of employees – “a practice between 2002 and 2016 of pressuring employees to meet unrealistic sales goals that led thousands of employees to provide millions of accounts or products to customers under false pretenses or without consent”).

Training and testing need to move from isolated training to be more realistic of how much work is done and influenced by how we interact with other people. We are already seeing a lot more use of group projects in schools, colleges and various other organizational learning (I can’t think of any good leadership training programs that I have taken that did not involve working with other people), yet ethics and compliance programs and e-learnings are still testing people in isolation. People are influenced by pressure and the acts and omissions of other people, and training in isolation removes a key element of how organizations actually operate and work.

My hope is that today’s e-learning format will, in the coming years, be replaced in some (but not necessarily all) instances by gaming that allows people to interact and influence each other during the training. If you want to hear a much more persuasive case for why gaming can have such a positive impact, check out Jane McGonigal’s TedTalk from 2010 called “Gaming can make a better world.”



SUNDAY, JUNE 19, 2022

Sometimes Compliance Can be Awkward

A vendor or supplier might, with good intentions, want to give your employee a gift or take them to an event that might be in violation of your policy but not the vendor or supplier’s policy. If your employee has an appropriately good relationship with the vendor or supplier, your policy puts that employee in an awkward position – they are going to have to say “no” to an offer or decline/return something and that can be socially awkward.

Writing a strict policy that says “no” and not leaning into the challenging situations that employees might find themselves in is not helpful. Policies don’t exist in isolation – they live alongside the pressures and social norms that your employees live in.

Compliance programs cannot shy away from taking a stance on issues where needed, but an effective and employee-centric program will anticipate and help people with the challenges and awkwardness that might result from complying with your policy. Seeing the awkwardness in situations and offering ways to help employees through the awkwardness will go a long way in helping your employees and the credibility and effectiveness of your program.



SUNDAY, JUNE 12, 2022

Closing the Loop After Someone has Spoken Up

Imagine watching a TV series or movie. You have invested time and energy and tried to guess how it will all end. Just as the end is nearing and you are about to find out what happened, a message appears that says “this movie/TV show and the story line were resolved to the satisfaction of the production team and is now considered to be complete. Thank you for watching.” While this might have (definitely would have) been a better way for Game of Thrones to have ended, it would be largely unsatisfying for most other movies and TV shows and would make me less likely to watch a show or movie by the same producer/director in the future. No one wants to invest time watching and then not to know how something ends.

Yet, this is the experience that so many people are left with when they have spoken up with concerns and are simply given the canned response of “your concern has been looked into and appropriate actions, if any were deemed necessary or appropriate, have been, or will be, taken by the organization.” The person raises a concern, perhaps even helps the investigation by being interviewed and providing information, and then nothing.

I get there are totally valid reasons as to why organizations don’t provide completely transparent responses, but we need to explore and find ways that recognize that we see the reporter as a human being and that her/his/their story has been heard (even if the allegations or concerns raised are unfounded). When someone speaks up, it is a moment of trust – either trust will be destroyed or it can be rebuilt/sustained if the person is (and feels) listened to and respected. We want speaking up (and listening on the part of the organization) to become a habit and not a one time immediately regrettable action. Even if you cannot share the complete ending of the organization’s story when it comes to the investigation, look for human ways in which you can help provide closure for the story of the person who spoke up.



SUNDAY, JUNE 5, 2022

What Value are You Adding or Problem are You Solving With Compliance e-Learning Courses?

E-learning can either help people learn or be a colossal waste of time and energy. One way to test if your training will be useful or not is to know (before rolling out the course) what problem you are trying to solve or other value you are adding by pushing a course to employees. You won’t find your colleagues in sales and marketing launching a new product for no reason other than “it’s been a while since we last launched one.” New products are launched when doing so solves a consumer problem or otherwise adds value.

If you are rolling out an e-training course, there needs to be a more convincing reason than simply “it’s been a while since we launched one.” Is it because you want to help people understand an area more and believe training is the most effective way? Is it because of a new or evolving risk or problem you are trying to solve or avoid? There might be many different compelling reasons, but don’t fall into a trap of relying on answers of “it’s been a while since we launched one,” “we always push X number of courses each year” or “we can say we have trained all our employees on compliance this year.”



SUNDAY, MAY 29, 2022

Compliance Program Pillars

No matter how many pillars your compliance program has or how you define those pillars, most corporate compliance programs tend to have some similarities when it comes to the program framework (i.e., Leadership, Risk Assessment, Standards and Controls, Learning and Engagement, and Monitoring and Responding – your program might have different pillars and that’s okay). Having pillars can help your program in a number of ways, including helping sort/group initiatives and priorities, and helping others understand and visualize the program elements. Things can go wrong though when those pillars are treated as separate and independent from each other, essentially meaning each pillar becomes a program silo rather than supporting the program.

Only looking at one pillar – e.g., how do we provide more effective training/learning? – without thinking about the other pillars is a siloed way of thinking. Employee learning should certainly take into account the risks the organization faces (and those the individuals looking to be trained actually face), what standards and controls exist (or are about to be launched) and be mindful of whether or not people are speaking up and what matters they are speaking up about. We need to engage “systems thinking” when thinking about different aspects of our program (because it is all one connected system), rather than thinking about the program in terms of silos.

How are your program pillars supporting or siloing your program?



SUNDAY, MAY 22, 2022

How Many Ethics and Compliance Policies Should You Have?

Standards and guidance (whether in the form of policies or some other form of communicating expectations and procedures) are an important part of an effective ethics and compliance program, but don’t make the mistake of assuming that “if some policies are good, more must be better.”

I recently read about a traffic experiment that was previously conducted in Drachten, the Netherlands, in which the town removed the majority of the traffic lights and signs to improve road safety for drivers, cyclists and pedestrians (the number of accidents went down as a result – the thinking was that drivers were more aware of their surroundings, including other people, when required to think and not just rely on signs). Policies can be useful in the right culture when they provide appropriate guidance without employees abandoning other judgment and thought processes, but policies (and adding more and more) is not always the right option to achieve the desired outcome.

So how many policies should your organization have? The answer will depend not only on what risks your organization faces, but also the culture of your organization and assessing whether more or fewer policies will get to the desired outcome.

Join the conversation on LinkedIn


SUNDAY, MAY 15, 2022

Who is Coming Up With the Ideas for Your Ethics and Compliance Program?

Some of the best ideas I have heard this past week to improve our ethics and compliance program came from people who are not part of our core compliance team (they come up with awesome ideas too). People in other functions see things differently, and are the people who are more likely facing some of the risks and challenges that the program is trying to help with. Seeking out conversations, feedback and ideas from colleagues in different parts of your organization will both help improve your program and help you understand what is going on in the different parts of the organization your program is meant to support. It is hard to say you have a well designed program that works in practice if you don’t seek out feedback and input from different stakeholders and viewpoints in the organization.




SUNDAY, MAY 8, 2022

What Are The Day 1 Priorities for New Hires?

Day 1 priorities on a new job that are practical and memorable – how do I get my email to work, where are the bathrooms, where can I find good coffee close by, and maybe a few other critical “day 1” pieces of information to help transition a new hire into their new role and/or not mess up on.

Not a day 1 priority – endless PowerPoint presentations with information that is neither relevant to the day 1 experience nor will be remembered past day 3.

There are so many more ways to introduce new employees to your ethics and compliance program (and other areas) and it is time to be more creative and engaging than a new hire Code of Conduct PowerPoint training (especially if there are so many other presentations being forced on the new hire). Find ways to introduce organizational values (including ethics and integrity) in the interview process, have the new hire’s manager to talk her/him/them about ethics and organizational values during the first week, communicate anything particularly funky or nuanced about your program in a digestible format, and start a dialogue that allows you to engage with the new hire on an ongoing basis (e.g., ask them to complete a short survey about their perceptions of the organization after 6-9 months).

If new hire training does not result in long (or perhaps even short) term new hire learning, then what is the training actually doing and achieving?


SUNDAY, MAY 1, 2022

Engaging Leaders on Ethics and Compliance

Leadership engagement is one of the key aspects of any ethics and compliance program. One of the ways I find it can be most effective to engage senior leaders is to schedule a one hour conversation with them individually where we walk through the key aspects of our program, how we approach our program (including the rationale for some of our non traditional activities that work) and to get the honest feedback on what leaders like and don’t like about our program. These one hour discussions can help you learn more about the challenges that different parts of the organization face, as well as helping to build relationships with leaders throughout the organization. Sometimes the best way to move your program forward is not to providing a presentation to a large group of people, but to really invest in a meaningful conversation with one or two key leaders or influencers in that group who can really cascade the message in a way that is relatable and resonates with the rest of that group.

How are other people finding ways to have meaningful conversations about ethics and compliance with their organization’s leaders?

SUNDAY, APRIL 24, 2022

Printed Codes of Conduct are About as Well Read as Printed Airplane Safety Instructions

My “mini-me” recently read the airplane safety instructions on a spring break ski trip because it was something new for him while he was bored before takeoff. I didn’t see any adults reading the safety instructions (myself included), yet every seat had a printed copy. Printed policies and mundane trainings might be what everyone has “always” done, but it doesn’t mean they always work or are effective – it is absolutely key to make sure employees understand the relevant standards applicable to their role, but there are many ways beyond printed policies and mundane trainings to get to that result. It is another reason why we need to shift mindsets away from “training and communication” to “learning and engagement” – focus on the desired and actual impact on the target audience and find effective ways to get to that outcome, rather than focusing only on the “traditional” approaches and hoping for the desired outcome.



MONDAY, APRIL 11, 2022

Don’t Forget — This Thursday is International E-Learning Day

Okay – it isn’t and I hope there will never be anything so lame as National or International E-Learning Day. Giving something a “celebratory” name that is definitely not a celebration, calling an under performing operation a center of “excellence” or labeling training a “game” without proper gamification are ineffective and will cause your ethics and compliance program to lose credibility. Be creative and innovative with how you help your employees learn and how you engage with them, but don’t think anyone will fall for insincere or artificial labeling. Some parts of your program are not appropriate to make fun and that’s okay – explain the “why” behind any such items and do what you can to minimize the pain and burden, but don’t try to sell these aspects of your program as something they are not.


What Is One Key Thing That Will Cause Your Ethics and Integrity Program to Be a Success or Failure?

Leaders, managers and supervisors are the superfruit of an effective ethics and integrity program – a program will not be successful, effective or sustainable without them being engaged, using their voices and being incentivized accordingly. It really is hard to overstate the importance of leadership engagement for a program to be effective and organizational values to flourish. Employees in your organization need to know and understand the organization’s values and expected standards of behavior, but we shouldn’t assume (or even think) that the only way employees can or should learn about those expectations is by reading the Code of Conduct or other policies (especially if they are not employee centric policies that offer actual and practical guidance). A Code of Conduct should be a written version of the actual values and expectations, but we can’t forget that the most effective way for employees to learn and understand those values and expectations is by hearing leaders, managers and supervisors regularly talk about them in relevant and relatable terms and to see the values and expectations actually operate in practice.

It is not too late (but this is your last chance) to sign up for tomorrow’s SCCE webinar on “The Role of Leadership In An Effective Ethics And Compliance Program – Why, How And What To Do To Effectively Engage Leadership In Your Organization” to learn several strategies and tips for how you can engage leaders in your organization.


Organizational Culture and Weather

Describing your organization’s culture is a bit like describing the weather. Unless you live in somewhere like San Diego where the weather is fairly consistent, chances are the weather does not stay the exact same where you live and neither does your organization’s culture. Not only do weather and culture change over time, but an organization that spans multiple geographic areas is likely to experience different weather and culture in each location. Trying to define a culture for an entire organization is a bit like trying to define the weather for the entire United States. Rather than relying on what your organization states your culture is (or, more likely, wishes it to be) and thinking culture is static, it is important to understand what the culture is like in each part of the organization and whether or not employees experience that culture as healthy, ethical and psychologically safe.


‘Generally, Your Supervisor or Manager Will Be in the Best Position to Resolve an Integrity Concern.’

So many Codes of Conduct use the above sentence, but you have to ask whether it is actually true. What percentage of supervisors and managers in your organization feel comfortable and know how to handle/resolve integrity concerns? What has your organization done to help supervisors and managers understand what to do if someone speaks up with a concern (should the manager investigate the issue? Tell the person to call the hotline? Do something else?) or asks a question or seeks guidance? Managers and supervisors are key to making sure an ethics and integrity program is more than just a written Code of Conduct and we have to help employees in those roles know what to do. Simply stating in your Code that leaders, managers and supervisors are in the “best position” without doing more is not helping your supervisors, managers, employees or organizational values.

Do you want to learn more about how to engage leaders, leverage their voice and use incentives to recognize leaders who set the gold standard when it comes to ethics and integrity? If so, please join me on April 11 at 12pm central where I will be presenting a webinar for the Society of Corporate Compliance and Ethics (SCCE) on this topic. Link to the registration page in the comments below.



#leadership #codeofconduct

SUNDAY, MARCH 20, 2022

Multinational Ethics and Compliance Programs – One Size Does Not Fit All

If you are building an ethics and compliance program for an organization that spans more than one country, then it is important to consider what elements of the program need to be adjusted so the program works effectively in each of the different countries. Some fundamental (and fairly obvious) differences can include addressing different risks (including types of risks, which employees can amplify/mitigate/manage risks, how to mitigate/manage risk, and impact of risk), different laws (including employment laws which can vary significantly and need to be considered before conducting investigations), language differences (even if English is your organization’s official working language, translate your policies, messages and other communications into local languages) and cultural differences (comparing hotline data without thinking about cultural factors can cause you to make assumptions). Beyond those basic differences that likely apply to most organizations, you also need to consider the differences that might be unique to your organization – for example, are employees in other countries using the same IT systems (including being able to access the relevant policies and guidance), do internal communications go to all operations in other countries, are people in a particular location facing unique challenges or pressures, and is there functional support from groups such as HR, Legal, Compliance and Audit in each country. The ethics and compliance program needs to be well designed, adequately resourced and work in practice in each location, but the means of achieving that outcome will likely need to vary for each location. There is a need for ethics and compliance professionals to regularly get to other locations and to see for themselves what life is like for colleagues in different parts of the organization.




SUNDAY, MARCH 13, 2022

What do Restaurant Chefs and Ethics and Compliance Officers have in common?

I think many people might enjoy occasionally going to a nice restaurant where the Chef is responsible for the menu and making sure the menu works for both the restaurant and the customers. Nobody would realistically or reasonably go to a restaurant, order food off the menu and then expect the Chef to eat what they ordered on the basis that the Chef is responsible for the menu and therefore should be responsible for all activities – including eating of the food – related to the menu. As diners, we recognize that we have a role to play in the process (selecting what we want to eat, eating the food and paying for the food) and not just the Chef (and other restaurant staff).


The above sounds like a terrible and bizarre way to enjoy a meal at a restaurant and yet is how some employees at your organization might think about ethics and compliance. If employees say “it’s covered by the Code of Conduct, so Compliance must own it,” the Compliance Officer/Team needs to challenge that thinking and perhaps the above Chef related analogy can help explain why not all Code related activities can or should be owned/performed by the Compliance Officer/Team. Just as the Chef in a restaurant is responsible for the menu but not all activities relating to the menu, the Ethics and Compliance Officer/Team is/are responsible for creating and maintaining the Code and they cannot be the only ones who handle topics related to the Code.


Ethics and Compliance programs can sometimes appear daunting to employees, but Compliance Officers can add value and help employees by making the program less scary/more relatable and helping employees understand what their role is (and why). And whatever you do, please make sure your Code of Conduct is not written like an overly pretentious restaurant menu that uses words no one is familiar with to describe normal ingredients; if that describes your Code, then you do need to re-think what you are serving as part of your ethics and integrity program.


#investinintegrity #sundaymorningcompliancetip

#ethics #compliance #integrity


Is a Culture of Compliance Always Inherently Good?

A culture of compliance is good when employees are complying with the relevant laws, policies and other written/stated standards; however, a culture of compliance also arguably existed in many organizations that have experienced ethical scandals and violations of law. Take Wells Fargo and the pressure on sales people several years to open millions of new accounts without customer authorization, for example – large numbers of employees (while not complying with their ethics and compliance standards) were complying with the pressures within the organization and delivering on what was expected of them. If the norm in part of an organization is to stay silent about issues and misconduct, then someone speaking up is doing the right thing and also not complying with the expected code of silence. We cannot simply ask if a “culture of compliance” exists in our organizations – we have to really understand what people are being encouraged and incentivized to comply with, and whether such compliant behavior demonstrates if there is a “culture of integrity and ethics.”



#culture #compliance



How Would Frozen’s Prince Hans Have Been Treated In Your Organization?

I like to tease my eldest daughter that Prince Hans was the hero in Frozen. My argument is that if Hans had not swung his sword towards Elsa then Anna might not have stepped in as she turned to ice to save her sister. It turned out that Anna stepping in front of Hans’ sword to shield her sister was the act of true love she needed to perform in order to be saved from becoming a permanent human/cartoon ice cube. If Hans had not tried to kill Elsa, would Anna have turned to ice forever? I might be on thin ice with my argument and might need to let it go, but I think Anna would not have survived.

So was Hans actually a hero? Absolutely not – he tried to murder someone (Elsa) and ended up assaulting Anna with a deadly weapon. However, his bad act appears to have some contributing role in producing good consequences for both Anna and Elsa. Thankfully, Hans was not celebrated as a hero in the movie (although he seems to have escaped with only community service for his wrongdoing since he was seen shoveling horse manure in Frozen Fever).

But how would Hans have been treated in a corporate setting? Would management and HR have taken the position that Hans should face little disciplinary action, given a free pass or perhaps even be celebrated and rewarded for the consequences of his wrongdoing? Celebrating wrongdoing because it somehow has a contributing role in leading to a good outcome is nothing more than a celebration of wrongdoing. Outcome bias can distort how we see wrongdoing, but the wrongdoing is still wrong.

Are there Prince Hans’ in your organization that are not only avoiding punishment but are even being celebrated for the fortunate outcome associated with their terrible behaviors?



#ethics #compliance


“We have been working with this third party for years and we trust them and they trust us. Do we really need a contract and due diligence?”

Relationships (including trust), business continuity and not wanting to have to deal with Legal/Compliance are all completely understandable. But think of contracts with third parties and due diligence using the following analogies:

  1. I trust most airlines will take me to wherever I have purchased a flight to, but I want to have an email confirmation for my reservation and ticket to make sure expectations are clear and I have an easily enforceable claim if the airline doesn’t perform. If you thought you were flying first class to a warm winter destination and the airline flies you somewhere that is well below freezing in coach, then you won’t want it to be your word against the airline’s. Written contracts help expectations become reality and provides remedies for if/when reality turns out differently than planned.

  1. Just because you haven’t had health issues in the past, it doesn’t mean that you shouldn’t go for regular check ups – an annual exam is essentially a form of due diligence. If you don’t have any health issues, then an annual exam will confirm that, give you peace of mind and likely cost you little time. If you do have health issues, better to detect and address them early on rather than waiting for the issue to get out of hand.

Trust isn’t destroyed by having a written contract or performing due diligence; having a written contract and conducting due diligence help establish a basis for the trust to exist in the first place and continue, and ensure that if things go wrong, then they can be addressed quickly and appropriately. You don’t want to end up with major heath issues or in the wrong destination and you don’t want things to go badly with your third parties either.

#investinintegrity #sundaymorningcompliancetip #contracts #duediligence #compliance #ethics


Do you need to have a law degree or a legal background to work in ethics and compliance?

Some people will disagree with me, but I think the answer is a definite “no.” Having a legal background helps me in some aspects of my job, but seeing all ethics and compliance issues through a legal lens is often too narrow – the rules/laws are important, of course, but there is a lot more to building and running an effective ethics and compliance program than just knowing the law. Ethics and compliance are ultimately about human behaviors and seeing people only through a legal/rules based lens is not effective and missing the bigger picture. Ethics and compliance professionals need to think as lawyers, leaders, marketers, behavioral scientists, negotiators, HR, investigators, public speakers, as humans, and in a whole host of other ways too. A multi-disciplinary, curious and innovative mindset is needed to excel and be effective rather than a particular (or even any) degree – plus, if you have more than one person in the ethics and compliance team, then you can become a stronger team by leveraging the different knowledge, skills and experience of each person. I know many incredible ethics and compliance professionals who are lawyers and non-lawyers alike – it is pretty foolish, in my opinion, to think someone will be a better or worse ethics and compliance professional simply because they have a law degree or not.




#ethics #compliance


GPS versus written directions – a lesson for ethics and compliance.


As someone who has no sense of direction, I rely on GPS to get to most places (often to places I really shouldn’t need GPS for). There is zero chance that I am going to remember and follow 20 directional instructions correctly even if the directions are clearly written and stated. GPS addresses that by leveraging technology to help with short and timely instructions so we can focus on driving or whatever mode of transport we are taking. Policies are like written directions and my hope is that technology will continue to enable organizations to embed short, clear and timely directions for employees in a way that is much more user friendly and data driven. I don’t need to know all the directions if Waze can give me those directions when I need them, and this needs to be the direction we pursue for ethics and compliance. There will, in my opinion, always be a need for policies, but we can combine the policies with technology to design and implement processes that are meant to help guide human decision making and actions. Ethics and compliance programs need to be, in the words of the U.S. Department of Justice, “allocated sufficient funds” in order to leverage technology and data to help guide people in simple and clear ways that is easy for people to connect with. I’m no tech whiz, but we need to lean in heavily to the value that technology will inevitably offer our programs and challenge the technology companies to help us build ethics and compliance programs that are built for, and built around, humans.


How is your organization’s program leaning in to technology to help employees with ethics and compliance?




#compliance #ethics #technology


Do leaders, managers and supervisors say “ethics and compliance are important – that’s a given” and then move on?

The words of leaders matter and set the tone for the rest of the organization underneath that leader’s position and influence. Sales and profits should be “a given” for a for profit company and yet are, and should be, continuously discussed, analyzed, measured and incentivized in a variety of ways. Saying the importance of ethics and compliance is “a given” and then moving on is not enough in the same way that saying profits are “a given” is not enough. Leaders, managers and supervisors need to be willing and able, and on a regular and ongoing basis, to help explain why ethics and compliance matter and their relevance to employees in that part of the organization. The message doesn’t need to be long, profound or complex; a genuine and sincere message that speaking up is encouraged and appreciated, and the ways to speak up, can have a meaningful impact. Many things in life are important and should be “a given,” but we can really make them so by talking about them on a regular basis and helping other people really understand their importance.




#ethics #compliance


Does your organization have pressure, psychological safety or both?

Pressure is not inherently bad. Pressure can help challenge us, bring people to work together and drive us to achieve more, and faster, than otherwise. The risks of pressure are when it becomes too much, or the pressure is to achieve something at the expense of safety, legal standards or other social or ethical values. Pressure without psychological safety is a recipe for potential disaster as people will remain silent and/or be punished for raising concerns; whereas a culture that is intentionally focused, and built, on psychological safety (including where people are encouraged and supported to speak up with concerns) will be able to leverage pressure effectively to be successful. According to the “2020 Global Business Ethics Survey – Pressure in the Workplace,” 31% of people in North America and 37% of people in Latin America who participated in the survey said they felt pressure to comprise their organization’s ethical standards, policies or the law (the global response rate was closer to 20%). That’s a lot of laws, policies and standards that risk being violated if those organizations don’t have psychological safety.


What is your organization doing to ensure that psychological safety is a key aspect of how you work?







Are you or your #ethics and #compliance program facing challenges with program “scope creep”?

Program scope creep can often result from continuous incremental additional work and responsibilities for the #CECO and ethics and compliance team without commensurate increases in resources and support.  The consequences – both professional and personal – can be serious and damaging for the ethics and compliance program, the organization, and the burned out #CECO and compliance team.  Please take a read through this article that Ellen M. Hunt, Melanie Sponholz, MSPT, CCEP, CHC, CHPC and I authored for the Society of Corporate Compliance and Ethics (SCCE)’s CEP Magazine to learn how to manage program scope creep, including how to communicate your program brand, how to evaluate opportunities and how to say “no.” 


Our article compares scope creep to the boiling frog effect. No frogs were harmed in the writing of this article, although I am sure one or two croaked…


Is your organization using annual performance goals to support ethics and compliance?

It is that time of year when employees are mapping out their goals and objectives for the year ahead. Goal setting is one way in which you can help ensure alignment and focus on ethics and compliance by having leaders, managers and supervisors include one or more goals relating to how they will help move the program forward using their role and responsibility. In case you missed it before, here is a short piece I put together for the SCCE blog last year with some examples of goals to consider. What other goals would you recommend to help build and sustain a culture of integrity, ethics and compliance?






How would your helpline answer the question of “can gas station employees smoke at gas stations?”

A few months ago, I was filling up my car at a gas station near my house and noticed two gas station employees standing outside smoking in fairly close proximity to the gas pumps. As with any gas station, there were multiple safety signs prohibiting smoking and the use of open flames (for pretty obvious reasons – Google “orange mocha frappuccino” if in doubt). I decided to report the matter to the very large and well known gas station company since it seemed like a valid safety concern and I asked what their policy was. Here is the verbatim email response I received: “We’re sorry your experience during your visit didn’t live up to your expectations. Please know I have forwarded the details of this incident to all appropriate parties in an effort to implement any possible improvements. Thank you for allowing me the opportunity to assist you.”


I appreciate that this person seems to have taken action by sharing the concerns raised with other stakeholders, but the response didn’t “close the loop” on the policy question. I get why most companies don’t give any information about disciplinary actions against individuals or risking exposing themselves to potential claims or lawsuits, but this type of canned response didn’t answer my question about whether the policy is that smoking is not allowed (a) only if right at the gasoline pump or (b) on the gas station property.


Are your reporting channels set up in such a way that any questions asked by a reporter that can be reasonably answered without creating or exposing the organization to significant risk or liability will actually be answered? A helpline that does not answer questions is going not to be experienced by most reporters (employees or otherwise) as helpful.




#ethics #compliance


What are five common myths about #ethics and #compliance and what’s the real scoop behind these myths?

 Check out this short article I wrote for NotMe Solutions’ newsletter to learn more about these five myths and why we need to put people at the center of ethics and compliance programs.  What other myths would you add to the list?  


Many thanks to the team over at NotMe Solutions for including this piece in their #newsletter, including Ariel Weindling, Karine Teffah, M. LeBaron Meyers, Andy Hinton and Christine Fedrow.


Speaking Up And Tangled Holiday Lights

Sometimes when someone speaks up, they will present a collection of facts, perceptions and emotions that are all tangled up like the holiday lights when I take them out of the box (no matter how carefully I put them away the prior year). As investigators, it is on us to carefully untangle and sort the information, as best we can, into what are facts, what are perceptions and what are emotions. It doesn’t mean that we will ignore the perceptions or emotions, but we have to ensure we are mindful of the different data that we receive and how we treat it. Decisions should be based on facts, but seeing and hearing the emotions and perceptions will help employees be, and feel, seen and heard, and help to make speaking up a repeated part of a culture and not a one time activity.






Is your organization’s ethics and compliance program conducting effective employee surveys?

I skipped my #sundaymorningcompliancetip last week to enjoy the #Thanksgiving holiday weekend (and will probably, and intentionally, skip a few more with the upcoming holidays); however, I’ll make up for it this week by sharing “eight tips for an effective ethics and compliance survey.” Many thanks to the Society of Corporate Compliance and Ethics (SCCE) CEP magazine team for publishing this piece in their latest edition:


What additional tips would you add for how to make a survey effective? What other ways do you get employee feedback?






Do customers kill your business because you offer a generous return policy?

Return policies, in theory, could kill companies in terms of inventory and financial impact, but they don’t. Return policies hope no one will return anything but make it safe for customers that do want to return an item and specifically address an actual or perceived risk for the customer in terms of choosing to buy. While theoretically risky, I haven’t heard of any companies being inundated with frivolous or bad faith returns that have had a material financial or other impact on the company. If a product or service is so bad that many customers are returning the item, then they are highlighting a bigger problem and the problem is not with the customers. No one would retaliate against a customer or align with other sellers to blacklist a customer for returning an item in good faith.


Just as customer return policies don’t kill your business, having employees speak up also won’t kill your business. If anyone ever tells you “you have to be careful about encouraging or – heaven forbid – rewarding people who speak up, because people will just create issues and make stuff up,” ask that person if their organization has a customer return policy and the impact that has had on business. The occasional customer may return something under questionable circumstances and the occasional employee might report something under questionable circumstances too, but we don’t kill customer return policies or assume that all customers have bad motivations or only bring frivolous matters. Organizations trust that most customers won’t abuse the return policy and those same organizations should trust that employees won’t abuse the speak up process.


Customer return policies and speak up cultures for employees will only help your organization (including financially). Treat your employees as you do customers (with trust and respect) and employees will take care of the customers. Nordstrom’s return policy says “We’ll always do our best to take care of customers—our philosophy is to deal with them fairly and reasonably. We have long believed that when we treat our customers fairly, they in turn are fair with us.” How would your organization’s business, brand and culture improve if you treated employees like Nordstrom customers?




#speakup #customerexperience


Has anyone actually fully read and understood the terms of the Apple End User License Agreement?

I’m guessing very few – if any – of the many people with Apple devices who have clicked the box that says something to the effect of “I hereby certify I have read and understood the following terms in their entirety” have actually read the terms. I haven’t fully read the terms and likely never will, but like many other Apple users I will happily click the little box to access my device or account.


If the last step in your compliance e-learning course requires someone to certify and electronically sign a statement saying “I hereby certify I have read and understood the X policy in its entirety” then recognize that people are not likely reading the policy (especially if it is written in legalese) and are simply clicking “yes” because they want the pain of e-learning to be over. If you want employees to know, understand and abide by your standards and policies, then find ways that will meet employees where they are and explain to them in human terms what they need to know for their particular role (also make it safe for people to say they don’t understand a policy without making them feel stupid or bad). If you are tracking and reporting out on the percentage of employees who have provided a written/electronic acknowledgement don’t fool yourself or anyone else that having a high percentage means you have a strong or effective program – it likely just means you have a large percentage of employees who have clicked a check box because they were forced to or to end some other pain.


And, if you have read and understood this post in it’s entirety, please click the “like” and/or “share” buttons below. If you haven’t read or understood this post in it’s entirety, please still click the “like” and/or “share” buttons below.




#ethics #compliance


What does your organization tell employees about why you have an ethics and compliance program?

While it is true that regulators expect organizations to have a well designed and effective ethics and compliance program, that is not the only reason as to why an organization should have an ethics and compliance program. There are many other reasons, including as examples: (1) ensuring the corporate mission statement and values are more than words; (2) supporting and helping employees/other stakeholders and valuing/seeing them as people; and (3) as many studies have shown, to be a more financially successful organization with reduced OpEx and increased ROA (amongst other financial metrics). Telling employees that the only, or main, reason you take ethics and compliance seriously is keep regulators at bay will signal to employees and other stakeholders that your organization is reluctantly embracing ethics and compliance to avoid bad things (fines, penalties and negative media coverage) because “it has to,” and not choosing ethics and compliance for the many benefits they provide to employees, stakeholders, society and the organization itself. If you want employees to “buy into” ethics and compliance then they need to see that the organization does the same – an organization that only embraces ethics and compliance because “it has to” should not be surprised if employees show the same approach to the organization’s ethics and compliance program.




#compliance #ethics


Does your compliance program see the human stories behind data?

Actionable and measurable data can help monitor how your organization’s ethics and compliance is doing, and also help measure if initiatives and strategies are effective and working. While hotline data, for example, can be helpful for tracking and reporting to the Board and other stakeholders, it is important to not lose sight of the human stories and experiences behind those numbers (our aim should be more than to “not lose sight of the human stories” and instead to see and hear them clearly). Only looking at whether the data is in line (or not) with benchmarking averages will fail to see the people who’s stories and experiences are behind that data (and the impact on those people). The numbers and data are ways in which you can assess if you have an effective program to support and help your employees and other people, but don’t forget that an effective program should serve, and see, the people who it is meant to help and not just see them as statistics or data points.






What Can Beatrix Potter’s Peter Rabbit Tell Us About Effective Stories for Encouraging Ethical and Compliant Behavior? 

My kids are really into reading Peter Rabbit at the moment. Peter’s mother tells him and his siblings not to go steal/eat vegetables from Mr McGregor’s garden because Peter’s “father had an accident there, he was put in a pie by Mrs. McGregor” (by “accident,” she means murdered and eaten ). This story was effective in deterring Peter’s siblings from going to the garden, but it was not effective – for whatever reason – in deterring Peter (perhaps the rewards outweighed the risks for him or perhaps the story wasn’t told in a way that really resonated with him).


There are several studies that show stories are effective in helping adults learn and remember, and stories can be incredibly powerful in helping employees learn about ethics and compliance in real life terms; however, we have to ensure that the stories are relevant, relatable and will have the desired impact. I used to think that ethics and compliance stories from the headlines were the most effective way of helping people learn, but many people struggle to connect with the story of a C-suite wrongdoer they have never met who has been fined millions of dollars (an amount most of us will never come close to having). Stories from within an organization can have a much bigger impact since they are more relevant and relatable, but don’t assume that all employees will be impacted the same way (even if the story seems like it should have an impact). There will be Peter’s in every organization and we need to find ways and stories to connect and engage with them.





What can Netflix’s Squid Game teach us about ethics and compliance? [No plot spoilers, but don’t read if you want to be super cautious]

  1. Incentives matter. What incentives do you offer to people? How much do the incentives motivate them and what are people motivated/permitted to do to achieve the incentive? Is your Compensation team only looking at how much people are paid or looking at the potential and actual impact of your incentive structures on behaviors?


  1. Ethical fading is real and can happen fast. Ethical fading is like intending to eat one or two spoonfuls of ice cream and before you know it, the tub is empty.


  1. Pressure drives behavior and people to do things they wouldn’t normally do. Check out the ECI survey from early 2020 on how pressure impacts ethical behavior.


  1. People look to others for what is acceptable (or not acceptable). Policies are helpful, but people will look at what other people are doing and what people are getting away with to determine what the actual (versus written) standards are.


  1. Undisclosed conflicts of interest rarely end well and often get found out. If you have an actual, suspected or even the appearance of a conflict of interest, disclose it.


  1. Zero tolerance policies can be harsh. Use sparingly, proportionately and intentionally. Showing tolerance for behaviors prohibited by zero tolerance policies will indicate some actual level of tolerance and undermine the “zero tolerance” position.


  1. Not ethics and compliance related, but the exchange rate for USD to South Korean Won is around $1 to KRW1,185 (yes, like you, I Googled that). And no, I don’t know what type of cell phone one of the characters had, if the character had a portable charger or how on earth his battery lasted so long.






Is your organization’s ethics and compliance program more focused on being average than best in class?

I am a big believer in benchmarking – data from various public sources can help you size up your ethics and compliance program and provide ideas/insight for where you need to improve/invest in your organization’s program. However, it is important to make sure you understand (a) what the benchmark data is telling you and (b) what the aspirations are for your program. If you want a best in class program, but obsess about ensuring your metrics are in line with the averages reported by benchmarks (i.e. number of reports per 100 employees or average number of anonymous reporting rates) then you are aiming for safety amongst the middle of the pack (I’m not saying that’s bad, but it isn’t best in class) and also not using the benchmarked data effectively. Benchmarking is a useful and productive exercise, but don’t confuse the benchmark “average” with being the “gold standard” that you have to be in line with. It is hard to say you have a best in class program if all your metrics indicate “average.”




#ethics #compliance


Is your organization mindful about whether new or updated policies are aiming to drive incremental or transformational change?

I’ve had several conversations recently about change management, and enjoyed reading about incremental versus transformational change in Lisa Beth Lentini Walker and Stef Tschida’s book, “Raise Your Game, Not Your Voice.” It got me thinking how new or updated policies can either bring about incremental or transformational change, and why it is so important that ethics and compliance professionals are aware of how much change, and what changes, any new or updated policies bring (or hope to bring). Sometimes big, transformational changes are needed, but those can be hard to introduce in a way that will be well received and followed in practice. Policies that introduce incremental change can be easier to roll out and get people to change their behaviors to meet the changed standard(s), but may not be appropriate if big changes are needed. Neither is particularly right or wrong, but it is important to understand how much and what change is desired (and likely to be achieved) and how to achieve the desired change in a way that employees won’t resent. What may seem like an incremental change to the policy drafter may in fact result in transformational change for employees who need to comply with policies – socialize policies with employees who will be potentially impacted and get their feedback (and hopefully buy in) to intentionally decide whether you should pursue incremental or transformational change with your policies.




#compliance #ethics #changemanagement


Does your organization think about people when it comes to risk management?

Does your organization’s risk management program look like this – identify risks, train on the risks and then monitor the risks (including data from your hotline and other KPIs)? That all sounds good, but it ignores the fact that risks can either be amplified, mitigated or otherwise influenced by employees or other people who work with your organization (i.e. employees of third parties).  It is important to identify who are the people that touch upon particular risks and see them as key to an effective risk management program. Rather than training all employees on all risks, seek to understand which employees touch upon a particular risk and what that risk means for that person’s role and then provide training specific to how that risk manifests and needs to be managed.  It is not enough, for example, to say that “anti-bribery” is a risk (which is far too broad and more a risk category rather than an actual risk) without identifying what that means in practice for your employees and what they can do in their respective roles to help detect, manage and mitigate the risk.  




#compliance #riskmanagement


Does your organization know who and when a third party is a competitor?

Athletes at a club level can be competitors, but can be on the same team (and not competitors) when it comes to national level (and vice versa). Who is a competitor is not always a static concept and there can be certain situations where the same person/entity can be a competitor in one instance and not in another. Someone can be a supplier or customer in one instance, but a competitor in a different instance – it’s not always as easy as sports to identify the difference. Athletes figure this out so they don’t pass to another athlete when they are competitors and it is important that employees understand when a third party is a competitor and when they aren’t and act accordingly.







As I’ve previously shared, I think the moment an employee speaks up is an opportunity to either build or destroy trust depending on how the organization responds and the employee’s experience. Demonstrating empathy and seeing the reporter as a person are fundamentally basic ways to demonstrate to your employees that you listen and care when they speak up. Humanizing ethics and compliance (including the speak up process) make simple sense when you recognize that we are dealing with people and not just rules and regulations.


Many thanks to Adam Turteltaub CCEP, CHC for kindly letting me join him on one of his Society of Corporate Compliance and Ethics (SCCE) podcast episodes where I got to talk about this topic in more detail. Here is a link to the episode and check out the other great content while you are there –


What do you think? Does showing empathy present any real risks? If you don’t show empathy, how does your speak up process (including your helpline) ensure psychological safety to support and encourage people to speak up?








Should you look at getting an ethics and compliance certification or accreditation?

I have had a number of conversations recently with people looking for advice on whether to pursue various certifications to help them in their careers as ethics and compliance professionals.  My answer is a very lawyerly “it depends.”  Certifications take varying amounts of time, money and effort to obtain, so you should make sure you have a good reason for pursuing a particular certification and know if the certification will help you towards your longer-term career goals.  I think it is healthy to continuously learn and stretch yourself and certifications (and the studying and learning in pursuit of the certification) can be useful for your overall growth, but I would be wary of those that will certify you as an “expert” if no real prior knowledge or experience is necessary and if the course is short in length.  Invest in your career and your development, and think intentionally about whether a particular certification will make a difference in your career (some definitely will, but depends on what you want from your career).





#certifications #career


Does your organization think about diversity, equity and inclusion when it comes to ethics and compliance trainings and communications?

Filmmaker Lisa Valencia-Svensson asked the question of “who is telling whose stories to whom, and why?” more than a decade ago, but it is still – and perhaps more so – relevant today. Ethics and compliance should go hand in hand with DE&I and I think one way that can happen is to be mindful about images and pictures you include as part of any ethics and compliance (or other) training or messages. I like including visuals and pictures in my presentations and training materials – I think they can make a presentation more engaging and I sometimes tie them into analogies that I use to help adults learn. Most of the time, I will use stock/online images from PowerPoint; however, I find it can be a real struggle at times to find pictures involving much, if any, diversity. People other than white males are significantly under represented when you search for pictures involving professional jobs. Type in “leader” and you will need to do a lot of scrolling to find any pictures of women or African American, Latino or Asian people. Type in “CEO” and all 50 of the first 50 pictures with people in them are male. Type in “attorney,” “CFO,” “scientist,” “athlete” or try your own search terms and see how much these pictures are lacking in diversity. Presentations become part of the story being told in your organization, so make sure you consciously think about whose story is being told (and whose story is not being told) by the pictures and images you include in trainings and communications.






Does your organization’s ethics and compliance program understand the difference between complicated and complexity?

I often hear people use the terms “complicated” and “complex” as synonymous, but this is, I believe, a mistake (Stanley McChrystal’s “Team Of Teams” does a much better job explaining this distinction than my post will). Something that is complicated (take a car engine or a mechanical watch) may be difficult to understand, but involves predictability and if a part is changed or removed it will not be able to work as expected. Something that is complex often involves interdependence on other things as part of a system and can also adapt even if parts or elements of it are removed. So what’s the connection to ethics and compliance? If wrongdoing has occurred in an organization, it is important to understand if the root cause is a matter of complexity or complicatedness so that the right steps and actions can be taken to address the root cause. Removing an employee for wrongdoing may not solve an issue if the behavior will continue even without that employee there (that suggests the issue may be one of complexity). Understanding the nature of the root cause is critical to be able to stop/treat and prevent the issue happening again.




#complex #complicated #rootcause


Does your organization understand the difference between “data security” and “data privacy”?

Data security and data privacy are both important, but are not the same concept. Not sure how they are different? Think about it this way – Magneto’s prison cell in the X-Men movie is (or, spoiler alert for X-2, was at least intended to be) secure, but is not private. Simply because data is secure doesn’t mean it is necessarily being kept private. It is important to make sure your organization understand what data needs to be secure, private or both.




#dataprivacy #datasecurity #xmen

SUNDAY, JULY 25, 2021

Does your organization’s Code of Conduct give employees the direction they need?

Ever tried to get around New York with a map of Boston or around London with a map of Los Angeles? A map of Boston works well for someone trying to navigate Boston, but doesn’t mean it will have the same value for someone trying to navigate another city because it isn’t designed for that purpose. Your Code of Conduct should be your organization’s “ethical map” that gives direction to your employees about the organization’s ethical values and principles and helps them to navigate potentially difficult or ethical situations that they may encounter in your organization. There is a lot to be learned by benchmarking and looking at the Codes of other organizations, but you can’t just copy another Code or just use something “generic”/“off the shelf” (you could, but it would be a waste) because that is the same as trying to navigate a city with a map of a different city. Having a Code of Conduct is not enough – you need to have a Code of Conduct that will guide your employees at your organization.




#compliance #ethicsandcompliance

SUNDAY, JULY 18, 2021

Is your organization’s ethics and compliance program more focused on the perfectly worded message or the most effective message?

I am currently teaching my 6 year old daughter to learn how to ride her bike. After taking 4 hours of e-learning and certifying that she has read and understood the policy on “how to safely ride your bike,” I am confident she should now know how to ride her bike. To ensure ongoing engagement and commitment, she also signed an acknowledgment that she understands that violating our cycling rules may result in disciplinary action, up to and including no TV for a week. She is super excited about cycling.


While I am actually helping my daughter learn to ride her bike this summer, we did none of the above. I’m not a cycling instructor and have no experience teaching a kid to ride a bike, but I am taking my best shot at it and my less than perfect teaching is more effective than putting her in front of a screen and thinking she would learn that way. In the same way, managers and supervisors don’t need to be ethics and compliance experts to help employees or have a positive impact on your culture of ethics and compliance. Having managers and supervisors regularly talk about ethics and compliance (even if the message isn’t perfect) makes a positive and lasting impact. A less than perfect message from an employee’s direct manager (which can be based on an outline/talking points from ethics and compliance) is much more effective, personal and likely to resonate with employees than staring at a computer screen or certifying about policies. E-learnings, polices and certification are important and can have a role that adds value to your program, but they cannot replace the role of managers and supervisors.