Adam Balfour Ethics and Compliance for Humans

Adam Balfour Compliance for Humans page header

Adam D.J. Balfour is on a mission to help make ethics and compliance more relatable and relevant for his fellow human beings. He likes to design ethics and compliance programs that employees can actually relate to, engage with and find useful. Adam currently works in Nashville, Tennessee, as Vice President and General Counsel for Corporate Compliance and the Vice President for Global Management Risks for Bridgestone Americas, and also chairs Bridgestone’s global compliance group meetings. He has written several articles on ethics and compliance and enjoys speaking at conferences and other events. He previously worked for Kirkland & Ellis LLP and Paul, Weiss, Rifkind, Wharton & Garrison LLP in New York. He is a graduate of the University of Dundee, Scotland and Harvard Law School and is CCEP certified.


Compliance and the start of the school year

It’s almost the start of the school year again (at least for my kids). There will, no doubt, be some kids that will bring in treats or gifts for their new teacher. Some gifts are totally fine – such as a small token gesture to build an appropriate relationship with your child’s teacher (our kids will probably take their new teachers some of the homemade jam they made this summer from the berries we picked). There is a legitimate reason to the gift and unlikely to unduly impact the teacher or how they treat our kids or any other students.

But then there are other types of gifts – cash, iPads, gift cards and the like – where every other parent would be perfectly entitled to roll their eyes and questions what it is really going on (thankfully, I haven’t heard of anything like this at my kids’ schools). Those gestures – even if very generous – are so questionable and just feel wrong to everyone else. Even though there is no bright line that goes from harmless/acceptable to causing every other parent and teacher to raise their eye brows and shake their heads, everyone knows the difference – just not everyone complies with the norm.

We get the basic principles of gifts, meals, entertainment and travel when it comes to schools and similar principles apply at most organizations. Yes, some organizations will take different approaches (some don’t allow any giving or receiving, some allow moderate amounts and others are more generous particularly if entertainment is a part of what their company does), but the basics still apply. In most instances (but check your organization’s policy, especially relating to government or unions officials), a small gift or item of value that is intended to build an appropriate relationship will be okay. Looking like, or acting like, the parent who goes over the top with teacher gifts is not only going to land you in trouble with your employer but will also make you just look bad.

We deal with ethics and compliance in so many aspects of our lives, but ethics and compliance at work can often seem scary and abstract. This is why it’s so important to not simply make employees aware of your ethics and compliance program, but to make it relevant and resonate with employees.


SUNDAY, JULY 31, 2022

Booth’s Rule #2 and Compliance

I recently learned about Booth’s rule #2, which relates to skydiving. The rule states that “the safer skydiving gear becomes, the more chances skydivers will take, in order to keep the fatality rate constant.” Essentially, improvements in safety will often be offset by risky human behavior to keep things constant and unchanged.

Booth’s rule #2 is something that I think should be considered in assessing the effectiveness of your organization’s ethics and compliance program and overall operations. Here are three points I think worth considering in applying Booth’s rule #2 to ethics and compliance:

1. If you are continuously improving and strengthening your compliance program but the organization’s operations are taking on more risks, then your compliance risk rate will either remain constant (or even increase). This should set off an alarm bell for your organization and should be addressed quickly.

2. Changes in the risk profile of your organization should be matched or exceeded by strengthening and evolving the ethics and compliance program to make sure the compliance risk rate is intentionally managed. Regularly assessing your organization’s compliance program using the Department of Justice’s three key questions (whether the program is well designed, sufficiently resourced and independent, and if the programs works in practice) can help determine whether your program is doing what it is meant to and what is happening with the compliance risk rate.

3. Booth’s rule #2 should also serve as a reminder that it is not enough to assess changes or improvements to your program without thinking about whether or not the changes or improvements are actually helping the organization to reduce ethics and compliance risks overall.

Organizations need to be aware of whether the compliance risk rate is constant, increasing or decreasing, and also be intentional about deciding what that rate should be and committing resources to ensuring the desired rate. This is also why your organization’s senior leaders need to understand the importance of ethics and compliance and how their decisions can impact the program, and why Compliance needs to have a seat at the table and a voice that is listened to when strategy is being set and important decisions made.


SUNDAY, JULY 24, 2022

Seeing The Human Stories of Compliance Violations and Ethical Wrongdoing

I regularly reference a 2015 article in the Guardian that looked at the Petrobras corruption scandal. The journalist who wrote the article, Jonathan Watts, shared various quotes from different individuals who were low paid employees and who lost their jobs because of the scandal. One quote in particular from someone who lost their job following the scandal has really stuck with me from that article: “I’m very worried. I have a two-year-old daughter who depends on me. I’m sinking into depression. I’ve lost 6kg since this started.”

We often don’t see or hear these voices and they are drowned out by other headlines relating to scandals. Many employees depend on their jobs to provide for themselves and their loved ones, and some of them might not have much in the way of savings to get them through periods of unemployment. Regulators and enforcement agencies are important stakeholders in ensuring your organization’s ethics and compliance program works well, but there are many other stakeholders (including employees and those who rely on your employees to have an income) who also have a vested interest in your organization’s ethics and compliance program. A good way to care for, and show care for, your organization’s employees is by making sure they aren’t at risk of losing their jobs as a result of the organization going through a massive compliance scandal.


SUNDAY, JULY 17, 2022

Where Should the Ethics and Compliance Program Report Into?

I often see and hear a lot of strong opinions about where an organization’s ethics and compliance program should report into – some people feel strongly that it should report into legal, some feel the complete opposite, others think compliance can and should own areas such as ESG, and others think ethics and compliance should be separate from each other.

So which reporting structure is correct?

The Department of Justice expects that a compliance program should be well designed, adequately resourced and empowered to function effectively, and that it works in practice. The DOJ does not say that one reporting structure is inherently right or wrong or that one is better than the other. If a program is well designed, adequately resourced and empowered and working in practice, then it is probably a good sign that the reporting structure used in that organization is working well.

While I have yet to see any studies that demonstrate one way or another that more serious violations occur with one reporting structure or another, organizations with different reporting structure have found themselves committing serious violations – reporting structure alone is not enough to keep your organization out of trouble. [If anyone is aware of any studies that shows number and type serious violations broken down into reporting structure, please share.]

So where should your organization’s compliance program report into? It should report into whichever part of your organization will ensure that the program will be well designed, properly resourced and empowered, and that it works in practice. That’s the primary objective that your reporting structure should be based on and looking to achieve – obsess less about what is the theoretical “right” reporting structure and figure out what is best for your organization and your organization’s compliance program.


SUNDAY, JULY 3, 2022

EY’s Now Much Publicized $100M Ethics Exam Cheating Scandal

Despite only being announced a few days ago, I have seen lots of coverage and commentary about the “simply outrageous” (that’s what the SEC said) behaviors and culture at EY (including that EY hindered the SEC’s investigation). Unfortunately this isn’t the first time we have seen exam cheating amongst the Big Four (anyone remember KPMG’s $50M fine?) and who knows if it will be the last.

An employee’s career brand is partially derived from the brand of the organization they work for (as well as other factors). EY’s brand has certainly taken a pretty big hit this week and some (but unlikely all) of the people involved in, or responsible for, the wrongdoing will have taken a similar hit on their professional reputation. Unfortunately, the brand and reputational consequences will also impact other EY employees who played no part in the wrongdoing including those who (i) took the exams in the period of 2017 to 2021 and did not cheat (and weren’t aware of the cheating) and (ii) the employees who had “informed [the firm] of potential cheating on a CPA ethics exam” and weren’t listened to. These are the people who now have to face the consequences for wrongdoing by their colleagues (including anyone who was involved in the wrongdoing and has since left EY and gone to another employer) and are trying to manage their career brand as a trusted and qualified professional. A $100M fine is a drop in the bucket for EY that will have little – if any – impact, but the impact of wrongdoing by an organization like EY can be significant and material on the career brands of innocent employees who thought they could trust in their employer, leadership and colleagues. Compliance scandals and violations of trust are about much more than just the wrongdoing, fines and headlines – there are often many human stories that are not seen or considered when wrongdoing has occurred.

The EY matter should also be a reminder that leadership and ethics and compliance really go hand in hand. If you are a leader or manager in an organization, make sure those employees within your scope of responsibility know (and do) what is expected of them, protect your organizations values when you see them being compromised, make sure employees won’t be harmed by wrongdoing by others and listen to someone when they speak up. And if trust is a key part of your brand in how you sell to customers or what your customers think is important (as it was with EY’s), then trust better be a key part of how your organization operates internally.


SUNDAY, JUNE 26, 2022

Gaming Compliance

One of the main issues I have with compliance e-learning courses is that they train and test an individual in isolation from their colleagues and remove other social processes/pressures within the organization. Even someone who is an “individual contributor” does not work in isolation from other people or the pressures/influence of other people. When something goes wrong in an organization, it is rarely the fault of one single “bad actor” and likely due to multiple people and how they interact with each other (e.g., this is from the DOJ 2020 press release about Wells Fargo referencing pressure and thousands of employees – “a practice between 2002 and 2016 of pressuring employees to meet unrealistic sales goals that led thousands of employees to provide millions of accounts or products to customers under false pretenses or without consent”).

Training and testing need to move from isolated training to be more realistic of how much work is done and influenced by how we interact with other people. We are already seeing a lot more use of group projects in schools, colleges and various other organizational learning (I can’t think of any good leadership training programs that I have taken that did not involve working with other people), yet ethics and compliance programs and e-learnings are still testing people in isolation. People are influenced by pressure and the acts and omissions of other people, and training in isolation removes a key element of how organizations actually operate and work.

My hope is that today’s e-learning format will, in the coming years, be replaced in some (but not necessarily all) instances by gaming that allows people to interact and influence each other during the training. If you want to hear a much more persuasive case for why gaming can have such a positive impact, check out Jane McGonigal’s TedTalk from 2010 called “Gaming can make a better world.”



SUNDAY, JUNE 19, 2022

Sometimes Compliance Can be Awkward

A vendor or supplier might, with good intentions, want to give your employee a gift or take them to an event that might be in violation of your policy but not the vendor or supplier’s policy. If your employee has an appropriately good relationship with the vendor or supplier, your policy puts that employee in an awkward position – they are going to have to say “no” to an offer or decline/return something and that can be socially awkward.

Writing a strict policy that says “no” and not leaning into the challenging situations that employees might find themselves in is not helpful. Policies don’t exist in isolation – they live alongside the pressures and social norms that your employees live in.

Compliance programs cannot shy away from taking a stance on issues where needed, but an effective and employee-centric program will anticipate and help people with the challenges and awkwardness that might result from complying with your policy. Seeing the awkwardness in situations and offering ways to help employees through the awkwardness will go a long way in helping your employees and the credibility and effectiveness of your program.



SUNDAY, JUNE 12, 2022

Closing the Loop After Someone has Spoken Up

Imagine watching a TV series or movie. You have invested time and energy and tried to guess how it will all end. Just as the end is nearing and you are about to find out what happened, a message appears that says “this movie/TV show and the story line were resolved to the satisfaction of the production team and is now considered to be complete. Thank you for watching.” While this might have (definitely would have) been a better way for Game of Thrones to have ended, it would be largely unsatisfying for most other movies and TV shows and would make me less likely to watch a show or movie by the same producer/director in the future. No one wants to invest time watching and then not to know how something ends.

Yet, this is the experience that so many people are left with when they have spoken up with concerns and are simply given the canned response of “your concern has been looked into and appropriate actions, if any were deemed necessary or appropriate, have been, or will be, taken by the organization.” The person raises a concern, perhaps even helps the investigation by being interviewed and providing information, and then nothing.

I get there are totally valid reasons as to why organizations don’t provide completely transparent responses, but we need to explore and find ways that recognize that we see the reporter as a human being and that her/his/their story has been heard (even if the allegations or concerns raised are unfounded). When someone speaks up, it is a moment of trust – either trust will be destroyed or it can be rebuilt/sustained if the person is (and feels) listened to and respected. We want speaking up (and listening on the part of the organization) to become a habit and not a one time immediately regrettable action. Even if you cannot share the complete ending of the organization’s story when it comes to the investigation, look for human ways in which you can help provide closure for the story of the person who spoke up.



SUNDAY, JUNE 5, 2022

What Value are You Adding or Problem are You Solving With Compliance e-Learning Courses?

E-learning can either help people learn or be a colossal waste of time and energy. One way to test if your training will be useful or not is to know (before rolling out the course) what problem you are trying to solve or other value you are adding by pushing a course to employees. You won’t find your colleagues in sales and marketing launching a new product for no reason other than “it’s been a while since we last launched one.” New products are launched when doing so solves a consumer problem or otherwise adds value.

If you are rolling out an e-training course, there needs to be a more convincing reason than simply “it’s been a while since we launched one.” Is it because you want to help people understand an area more and believe training is the most effective way? Is it because of a new or evolving risk or problem you are trying to solve or avoid? There might be many different compelling reasons, but don’t fall into a trap of relying on answers of “it’s been a while since we launched one,” “we always push X number of courses each year” or “we can say we have trained all our employees on compliance this year.”



SUNDAY, MAY 29, 2022

Compliance Program Pillars

No matter how many pillars your compliance program has or how you define those pillars, most corporate compliance programs tend to have some similarities when it comes to the program framework (i.e., Leadership, Risk Assessment, Standards and Controls, Learning and Engagement, and Monitoring and Responding – your program might have different pillars and that’s okay). Having pillars can help your program in a number of ways, including helping sort/group initiatives and priorities, and helping others understand and visualize the program elements. Things can go wrong though when those pillars are treated as separate and independent from each other, essentially meaning each pillar becomes a program silo rather than supporting the program.

Only looking at one pillar – e.g., how do we provide more effective training/learning? – without thinking about the other pillars is a siloed way of thinking. Employee learning should certainly take into account the risks the organization faces (and those the individuals looking to be trained actually face), what standards and controls exist (or are about to be launched) and be mindful of whether or not people are speaking up and what matters they are speaking up about. We need to engage “systems thinking” when thinking about different aspects of our program (because it is all one connected system), rather than thinking about the program in terms of silos.

How are your program pillars supporting or siloing your program?



SUNDAY, MAY 22, 2022

How Many Ethics and Compliance Policies Should You Have?

Standards and guidance (whether in the form of policies or some other form of communicating expectations and procedures) are an important part of an effective ethics and compliance program, but don’t make the mistake of assuming that “if some policies are good, more must be better.”

I recently read about a traffic experiment that was previously conducted in Drachten, the Netherlands, in which the town removed the majority of the traffic lights and signs to improve road safety for drivers, cyclists and pedestrians (the number of accidents went down as a result – the thinking was that drivers were more aware of their surroundings, including other people, when required to think and not just rely on signs). Policies can be useful in the right culture when they provide appropriate guidance without employees abandoning other judgment and thought processes, but policies (and adding more and more) is not always the right option to achieve the desired outcome.

So how many policies should your organization have? The answer will depend not only on what risks your organization faces, but also the culture of your organization and assessing whether more or fewer policies will get to the desired outcome.

Join the conversation on LinkedIn


SUNDAY, MAY 15, 2022

Who is Coming Up With the Ideas for Your Ethics and Compliance Program?

Some of the best ideas I have heard this past week to improve our ethics and compliance program came from people who are not part of our core compliance team (they come up with awesome ideas too). People in other functions see things differently, and are the people who are more likely facing some of the risks and challenges that the program is trying to help with. Seeking out conversations, feedback and ideas from colleagues in different parts of your organization will both help improve your program and help you understand what is going on in the different parts of the organization your program is meant to support. It is hard to say you have a well designed program that works in practice if you don’t seek out feedback and input from different stakeholders and viewpoints in the organization.




SUNDAY, MAY 8, 2022

What Are The Day 1 Priorities for New Hires?

Day 1 priorities on a new job that are practical and memorable – how do I get my email to work, where are the bathrooms, where can I find good coffee close by, and maybe a few other critical “day 1” pieces of information to help transition a new hire into their new role and/or not mess up on.

Not a day 1 priority – endless PowerPoint presentations with information that is neither relevant to the day 1 experience nor will be remembered past day 3.

There are so many more ways to introduce new employees to your ethics and compliance program (and other areas) and it is time to be more creative and engaging than a new hire Code of Conduct PowerPoint training (especially if there are so many other presentations being forced on the new hire). Find ways to introduce organizational values (including ethics and integrity) in the interview process, have the new hire’s manager to talk her/him/them about ethics and organizational values during the first week, communicate anything particularly funky or nuanced about your program in a digestible format, and start a dialogue that allows you to engage with the new hire on an ongoing basis (e.g., ask them to complete a short survey about their perceptions of the organization after 6-9 months).

If new hire training does not result in long (or perhaps even short) term new hire learning, then what is the training actually doing and achieving?


SUNDAY, MAY 1, 2022

Engaging Leaders on Ethics and Compliance

Leadership engagement is one of the key aspects of any ethics and compliance program. One of the ways I find it can be most effective to engage senior leaders is to schedule a one hour conversation with them individually where we walk through the key aspects of our program, how we approach our program (including the rationale for some of our non traditional activities that work) and to get the honest feedback on what leaders like and don’t like about our program. These one hour discussions can help you learn more about the challenges that different parts of the organization face, as well as helping to build relationships with leaders throughout the organization. Sometimes the best way to move your program forward is not to providing a presentation to a large group of people, but to really invest in a meaningful conversation with one or two key leaders or influencers in that group who can really cascade the message in a way that is relatable and resonates with the rest of that group.

How are other people finding ways to have meaningful conversations about ethics and compliance with their organization’s leaders?

SUNDAY, APRIL 24, 2022

Printed Codes of Conduct are About as Well Read as Printed Airplane Safety Instructions

My “mini-me” recently read the airplane safety instructions on a spring break ski trip because it was something new for him while he was bored before takeoff. I didn’t see any adults reading the safety instructions (myself included), yet every seat had a printed copy. Printed policies and mundane trainings might be what everyone has “always” done, but it doesn’t mean they always work or are effective – it is absolutely key to make sure employees understand the relevant standards applicable to their role, but there are many ways beyond printed policies and mundane trainings to get to that result. It is another reason why we need to shift mindsets away from “training and communication” to “learning and engagement” – focus on the desired and actual impact on the target audience and find effective ways to get to that outcome, rather than focusing only on the “traditional” approaches and hoping for the desired outcome.



MONDAY, APRIL 11, 2022

Don’t Forget — This Thursday is International E-Learning Day

Okay – it isn’t and I hope there will never be anything so lame as National or International E-Learning Day. Giving something a “celebratory” name that is definitely not a celebration, calling an under performing operation a center of “excellence” or labeling training a “game” without proper gamification are ineffective and will cause your ethics and compliance program to lose credibility. Be creative and innovative with how you help your employees learn and how you engage with them, but don’t think anyone will fall for insincere or artificial labeling. Some parts of your program are not appropriate to make fun and that’s okay – explain the “why” behind any such items and do what you can to minimize the pain and burden, but don’t try to sell these aspects of your program as something they are not.


What Is One Key Thing That Will Cause Your Ethics and Integrity Program to Be a Success or Failure?

Leaders, managers and supervisors are the superfruit of an effective ethics and integrity program – a program will not be successful, effective or sustainable without them being engaged, using their voices and being incentivized accordingly. It really is hard to overstate the importance of leadership engagement for a program to be effective and organizational values to flourish. Employees in your organization need to know and understand the organization’s values and expected standards of behavior, but we shouldn’t assume (or even think) that the only way employees can or should learn about those expectations is by reading the Code of Conduct or other policies (especially if they are not employee centric policies that offer actual and practical guidance). A Code of Conduct should be a written version of the actual values and expectations, but we can’t forget that the most effective way for employees to learn and understand those values and expectations is by hearing leaders, managers and supervisors regularly talk about them in relevant and relatable terms and to see the values and expectations actually operate in practice.

It is not too late (but this is your last chance) to sign up for tomorrow’s SCCE webinar on “The Role of Leadership In An Effective Ethics And Compliance Program – Why, How And What To Do To Effectively Engage Leadership In Your Organization” to learn several strategies and tips for how you can engage leaders in your organization.


Organizational Culture and Weather

Describing your organization’s culture is a bit like describing the weather. Unless you live in somewhere like San Diego where the weather is fairly consistent, chances are the weather does not stay the exact same where you live and neither does your organization’s culture. Not only do weather and culture change over time, but an organization that spans multiple geographic areas is likely to experience different weather and culture in each location. Trying to define a culture for an entire organization is a bit like trying to define the weather for the entire United States. Rather than relying on what your organization states your culture is (or, more likely, wishes it to be) and thinking culture is static, it is important to understand what the culture is like in each part of the organization and whether or not employees experience that culture as healthy, ethical and psychologically safe.


‘Generally, Your Supervisor or Manager Will Be in the Best Position to Resolve an Integrity Concern.’

So many Codes of Conduct use the above sentence, but you have to ask whether it is actually true. What percentage of supervisors and managers in your organization feel comfortable and know how to handle/resolve integrity concerns? What has your organization done to help supervisors and managers understand what to do if someone speaks up with a concern (should the manager investigate the issue? Tell the person to call the hotline? Do something else?) or asks a question or seeks guidance? Managers and supervisors are key to making sure an ethics and integrity program is more than just a written Code of Conduct and we have to help employees in those roles know what to do. Simply stating in your Code that leaders, managers and supervisors are in the “best position” without doing more is not helping your supervisors, managers, employees or organizational values.

Do you want to learn more about how to engage leaders, leverage their voice and use incentives to recognize leaders who set the gold standard when it comes to ethics and integrity? If so, please join me on April 11 at 12pm central where I will be presenting a webinar for the Society of Corporate Compliance and Ethics (SCCE) on this topic. Link to the registration page in the comments below.



#leadership #codeofconduct

SUNDAY, MARCH 20, 2022

Multinational Ethics and Compliance Programs – One Size Does Not Fit All

If you are building an ethics and compliance program for an organization that spans more than one country, then it is important to consider what elements of the program need to be adjusted so the program works effectively in each of the different countries. Some fundamental (and fairly obvious) differences can include addressing different risks (including types of risks, which employees can amplify/mitigate/manage risks, how to mitigate/manage risk, and impact of risk), different laws (including employment laws which can vary significantly and need to be considered before conducting investigations), language differences (even if English is your organization’s official working language, translate your policies, messages and other communications into local languages) and cultural differences (comparing hotline data without thinking about cultural factors can cause you to make assumptions). Beyond those basic differences that likely apply to most organizations, you also need to consider the differences that might be unique to your organization – for example, are employees in other countries using the same IT systems (including being able to access the relevant policies and guidance), do internal communications go to all operations in other countries, are people in a particular location facing unique challenges or pressures, and is there functional support from groups such as HR, Legal, Compliance and Audit in each country. The ethics and compliance program needs to be well designed, adequately resourced and work in practice in each location, but the means of achieving that outcome will likely need to vary for each location. There is a need for ethics and compliance professionals to regularly get to other locations and to see for themselves what life is like for colleagues in different parts of the organization.




SUNDAY, MARCH 13, 2022

What do Restaurant Chefs and Ethics and Compliance Officers have in common?

I think many people might enjoy occasionally going to a nice restaurant where the Chef is responsible for the menu and making sure the menu works for both the restaurant and the customers. Nobody would realistically or reasonably go to a restaurant, order food off the menu and then expect the Chef to eat what they ordered on the basis that the Chef is responsible for the menu and therefore should be responsible for all activities – including eating of the food – related to the menu. As diners, we recognize that we have a role to play in the process (selecting what we want to eat, eating the food and paying for the food) and not just the Chef (and other restaurant staff).


The above sounds like a terrible and bizarre way to enjoy a meal at a restaurant and yet is how some employees at your organization might think about ethics and compliance. If employees say “it’s covered by the Code of Conduct, so Compliance must own it,” the Compliance Officer/Team needs to challenge that thinking and perhaps the above Chef related analogy can help explain why not all Code related activities can or should be owned/performed by the Compliance Officer/Team. Just as the Chef in a restaurant is responsible for the menu but not all activities relating to the menu, the Ethics and Compliance Officer/Team is/are responsible for creating and maintaining the Code and they cannot be the only ones who handle topics related to the Code.


Ethics and Compliance programs can sometimes appear daunting to employees, but Compliance Officers can add value and help employees by making the program less scary/more relatable and helping employees understand what their role is (and why). And whatever you do, please make sure your Code of Conduct is not written like an overly pretentious restaurant menu that uses words no one is familiar with to describe normal ingredients; if that describes your Code, then you do need to re-think what you are serving as part of your ethics and integrity program.


#investinintegrity #sundaymorningcompliancetip

#ethics #compliance #integrity


Is a Culture of Compliance Always Inherently Good?

A culture of compliance is good when employees are complying with the relevant laws, policies and other written/stated standards; however, a culture of compliance also arguably existed in many organizations that have experienced ethical scandals and violations of law. Take Wells Fargo and the pressure on sales people several years to open millions of new accounts without customer authorization, for example – large numbers of employees (while not complying with their ethics and compliance standards) were complying with the pressures within the organization and delivering on what was expected of them. If the norm in part of an organization is to stay silent about issues and misconduct, then someone speaking up is doing the right thing and also not complying with the expected code of silence. We cannot simply ask if a “culture of compliance” exists in our organizations – we have to really understand what people are being encouraged and incentivized to comply with, and whether such compliant behavior demonstrates if there is a “culture of integrity and ethics.”



#culture #compliance



How Would Frozen’s Prince Hans Have Been Treated In Your Organization?

I like to tease my eldest daughter that Prince Hans was the hero in Frozen. My argument is that if Hans had not swung his sword towards Elsa then Anna might not have stepped in as she turned to ice to save her sister. It turned out that Anna stepping in front of Hans’ sword to shield her sister was the act of true love she needed to perform in order to be saved from becoming a permanent human/cartoon ice cube. If Hans had not tried to kill Elsa, would Anna have turned to ice forever? I might be on thin ice with my argument and might need to let it go, but I think Anna would not have survived.

So was Hans actually a hero? Absolutely not – he tried to murder someone (Elsa) and ended up assaulting Anna with a deadly weapon. However, his bad act appears to have some contributing role in producing good consequences for both Anna and Elsa. Thankfully, Hans was not celebrated as a hero in the movie (although he seems to have escaped with only community service for his wrongdoing since he was seen shoveling horse manure in Frozen Fever).

But how would Hans have been treated in a corporate setting? Would management and HR have taken the position that Hans should face little disciplinary action, given a free pass or perhaps even be celebrated and rewarded for the consequences of his wrongdoing? Celebrating wrongdoing because it somehow has a contributing role in leading to a good outcome is nothing more than a celebration of wrongdoing. Outcome bias can distort how we see wrongdoing, but the wrongdoing is still wrong.

Are there Prince Hans’ in your organization that are not only avoiding punishment but are even being celebrated for the fortunate outcome associated with their terrible behaviors?



#ethics #compliance


“We have been working with this third party for years and we trust them and they trust us. Do we really need a contract and due diligence?”

Relationships (including trust), business continuity and not wanting to have to deal with Legal/Compliance are all completely understandable. But think of contracts with third parties and due diligence using the following analogies:

  1. I trust most airlines will take me to wherever I have purchased a flight to, but I want to have an email confirmation for my reservation and ticket to make sure expectations are clear and I have an easily enforceable claim if the airline doesn’t perform. If you thought you were flying first class to a warm winter destination and the airline flies you somewhere that is well below freezing in coach, then you won’t want it to be your word against the airline’s. Written contracts help expectations become reality and provides remedies for if/when reality turns out differently than planned.

  1. Just because you haven’t had health issues in the past, it doesn’t mean that you shouldn’t go for regular check ups – an annual exam is essentially a form of due diligence. If you don’t have any health issues, then an annual exam will confirm that, give you peace of mind and likely cost you little time. If you do have health issues, better to detect and address them early on rather than waiting for the issue to get out of hand.

Trust isn’t destroyed by having a written contract or performing due diligence; having a written contract and conducting due diligence help establish a basis for the trust to exist in the first place and continue, and ensure that if things go wrong, then they can be addressed quickly and appropriately. You don’t want to end up with major heath issues or in the wrong destination and you don’t want things to go badly with your third parties either.

#investinintegrity #sundaymorningcompliancetip #contracts #duediligence #compliance #ethics


Do you need to have a law degree or a legal background to work in ethics and compliance?

Some people will disagree with me, but I think the answer is a definite “no.” Having a legal background helps me in some aspects of my job, but seeing all ethics and compliance issues through a legal lens is often too narrow – the rules/laws are important, of course, but there is a lot more to building and running an effective ethics and compliance program than just knowing the law. Ethics and compliance are ultimately about human behaviors and seeing people only through a legal/rules based lens is not effective and missing the bigger picture. Ethics and compliance professionals need to think as lawyers, leaders, marketers, behavioral scientists, negotiators, HR, investigators, public speakers, as humans, and in a whole host of other ways too. A multi-disciplinary, curious and innovative mindset is needed to excel and be effective rather than a particular (or even any) degree – plus, if you have more than one person in the ethics and compliance team, then you can become a stronger team by leveraging the different knowledge, skills and experience of each person. I know many incredible ethics and compliance professionals who are lawyers and non-lawyers alike – it is pretty foolish, in my opinion, to think someone will be a better or worse ethics and compliance professional simply because they have a law degree or not.




#ethics #compliance


GPS versus written directions – a lesson for ethics and compliance.


As someone who has no sense of direction, I rely on GPS to get to most places (often to places I really shouldn’t need GPS for). There is zero chance that I am going to remember and follow 20 directional instructions correctly even if the directions are clearly written and stated. GPS addresses that by leveraging technology to help with short and timely instructions so we can focus on driving or whatever mode of transport we are taking. Policies are like written directions and my hope is that technology will continue to enable organizations to embed short, clear and timely directions for employees in a way that is much more user friendly and data driven. I don’t need to know all the directions if Waze can give me those directions when I need them, and this needs to be the direction we pursue for ethics and compliance. There will, in my opinion, always be a need for policies, but we can combine the policies with technology to design and implement processes that are meant to help guide human decision making and actions. Ethics and compliance programs need to be, in the words of the U.S. Department of Justice, “allocated sufficient funds” in order to leverage technology and data to help guide people in simple and clear ways that is easy for people to connect with. I’m no tech whiz, but we need to lean in heavily to the value that technology will inevitably offer our programs and challenge the technology companies to help us build ethics and compliance programs that are built for, and built around, humans.


How is your organization’s program leaning in to technology to help employees with ethics and compliance?




#compliance #ethics #technology


Do leaders, managers and supervisors say “ethics and compliance are important – that’s a given” and then move on?

The words of leaders matter and set the tone for the rest of the organization underneath that leader’s position and influence. Sales and profits should be “a given” for a for profit company and yet are, and should be, continuously discussed, analyzed, measured and incentivized in a variety of ways. Saying the importance of ethics and compliance is “a given” and then moving on is not enough in the same way that saying profits are “a given” is not enough. Leaders, managers and supervisors need to be willing and able, and on a regular and ongoing basis, to help explain why ethics and compliance matter and their relevance to employees in that part of the organization. The message doesn’t need to be long, profound or complex; a genuine and sincere message that speaking up is encouraged and appreciated, and the ways to speak up, can have a meaningful impact. Many things in life are important and should be “a given,” but we can really make them so by talking about them on a regular basis and helping other people really understand their importance.




#ethics #compliance


Does your organization have pressure, psychological safety or both?

Pressure is not inherently bad. Pressure can help challenge us, bring people to work together and drive us to achieve more, and faster, than otherwise. The risks of pressure are when it becomes too much, or the pressure is to achieve something at the expense of safety, legal standards or other social or ethical values. Pressure without psychological safety is a recipe for potential disaster as people will remain silent and/or be punished for raising concerns; whereas a culture that is intentionally focused, and built, on psychological safety (including where people are encouraged and supported to speak up with concerns) will be able to leverage pressure effectively to be successful. According to the “2020 Global Business Ethics Survey – Pressure in the Workplace,” 31% of people in North America and 37% of people in Latin America who participated in the survey said they felt pressure to comprise their organization’s ethical standards, policies or the law (the global response rate was closer to 20%). That’s a lot of laws, policies and standards that risk being violated if those organizations don’t have psychological safety.


What is your organization doing to ensure that psychological safety is a key aspect of how you work?







Are you or your #ethics and #compliance program facing challenges with program “scope creep”?

Program scope creep can often result from continuous incremental additional work and responsibilities for the #CECO and ethics and compliance team without commensurate increases in resources and support.  The consequences – both professional and personal – can be serious and damaging for the ethics and compliance program, the organization, and the burned out #CECO and compliance team.  Please take a read through this article that Ellen M. Hunt, Melanie Sponholz, MSPT, CCEP, CHC, CHPC and I authored for the Society of Corporate Compliance and Ethics (SCCE)’s CEP Magazine to learn how to manage program scope creep, including how to communicate your program brand, how to evaluate opportunities and how to say “no.” 


Our article compares scope creep to the boiling frog effect. No frogs were harmed in the writing of this article, although I am sure one or two croaked…


Is your organization using annual performance goals to support ethics and compliance?

It is that time of year when employees are mapping out their goals and objectives for the year ahead. Goal setting is one way in which you can help ensure alignment and focus on ethics and compliance by having leaders, managers and supervisors include one or more goals relating to how they will help move the program forward using their role and responsibility. In case you missed it before, here is a short piece I put together for the SCCE blog last year with some examples of goals to consider. What other goals would you recommend to help build and sustain a culture of integrity, ethics and compliance?






How would your helpline answer the question of “can gas station employees smoke at gas stations?”

A few months ago, I was filling up my car at a gas station near my house and noticed two gas station employees standing outside smoking in fairly close proximity to the gas pumps. As with any gas station, there were multiple safety signs prohibiting smoking and the use of open flames (for pretty obvious reasons – Google “orange mocha frappuccino” if in doubt). I decided to report the matter to the very large and well known gas station company since it seemed like a valid safety concern and I asked what their policy was. Here is the verbatim email response I received: “We’re sorry your experience during your visit didn’t live up to your expectations. Please know I have forwarded the details of this incident to all appropriate parties in an effort to implement any possible improvements. Thank you for allowing me the opportunity to assist you.”


I appreciate that this person seems to have taken action by sharing the concerns raised with other stakeholders, but the response didn’t “close the loop” on the policy question. I get why most companies don’t give any information about disciplinary actions against individuals or risking exposing themselves to potential claims or lawsuits, but this type of canned response didn’t answer my question about whether the policy is that smoking is not allowed (a) only if right at the gasoline pump or (b) on the gas station property.


Are your reporting channels set up in such a way that any questions asked by a reporter that can be reasonably answered without creating or exposing the organization to significant risk or liability will actually be answered? A helpline that does not answer questions is going not to be experienced by most reporters (employees or otherwise) as helpful.




#ethics #compliance


What are five common myths about #ethics and #compliance and what’s the real scoop behind these myths?

 Check out this short article I wrote for NotMe Solutions’ newsletter to learn more about these five myths and why we need to put people at the center of ethics and compliance programs.  What other myths would you add to the list?  


Many thanks to the team over at NotMe Solutions for including this piece in their #newsletter, including Ariel Weindling, Karine Teffah, M. LeBaron Meyers, Andy Hinton and Christine Fedrow.


Speaking Up And Tangled Holiday Lights

Sometimes when someone speaks up, they will present a collection of facts, perceptions and emotions that are all tangled up like the holiday lights when I take them out of the box (no matter how carefully I put them away the prior year). As investigators, it is on us to carefully untangle and sort the information, as best we can, into what are facts, what are perceptions and what are emotions. It doesn’t mean that we will ignore the perceptions or emotions, but we have to ensure we are mindful of the different data that we receive and how we treat it. Decisions should be based on facts, but seeing and hearing the emotions and perceptions will help employees be, and feel, seen and heard, and help to make speaking up a repeated part of a culture and not a one time activity.






Is your organization’s ethics and compliance program conducting effective employee surveys?

I skipped my #sundaymorningcompliancetip last week to enjoy the #Thanksgiving holiday weekend (and will probably, and intentionally, skip a few more with the upcoming holidays); however, I’ll make up for it this week by sharing “eight tips for an effective ethics and compliance survey.” Many thanks to the Society of Corporate Compliance and Ethics (SCCE) CEP magazine team for publishing this piece in their latest edition:


What additional tips would you add for how to make a survey effective? What other ways do you get employee feedback?






Do customers kill your business because you offer a generous return policy?

Return policies, in theory, could kill companies in terms of inventory and financial impact, but they don’t. Return policies hope no one will return anything but make it safe for customers that do want to return an item and specifically address an actual or perceived risk for the customer in terms of choosing to buy. While theoretically risky, I haven’t heard of any companies being inundated with frivolous or bad faith returns that have had a material financial or other impact on the company. If a product or service is so bad that many customers are returning the item, then they are highlighting a bigger problem and the problem is not with the customers. No one would retaliate against a customer or align with other sellers to blacklist a customer for returning an item in good faith.


Just as customer return policies don’t kill your business, having employees speak up also won’t kill your business. If anyone ever tells you “you have to be careful about encouraging or – heaven forbid – rewarding people who speak up, because people will just create issues and make stuff up,” ask that person if their organization has a customer return policy and the impact that has had on business. The occasional customer may return something under questionable circumstances and the occasional employee might report something under questionable circumstances too, but we don’t kill customer return policies or assume that all customers have bad motivations or only bring frivolous matters. Organizations trust that most customers won’t abuse the return policy and those same organizations should trust that employees won’t abuse the speak up process.


Customer return policies and speak up cultures for employees will only help your organization (including financially). Treat your employees as you do customers (with trust and respect) and employees will take care of the customers. Nordstrom’s return policy says “We’ll always do our best to take care of customers—our philosophy is to deal with them fairly and reasonably. We have long believed that when we treat our customers fairly, they in turn are fair with us.” How would your organization’s business, brand and culture improve if you treated employees like Nordstrom customers?




#speakup #customerexperience


Has anyone actually fully read and understood the terms of the Apple End User License Agreement?

I’m guessing very few – if any – of the many people with Apple devices who have clicked the box that says something to the effect of “I hereby certify I have read and understood the following terms in their entirety” have actually read the terms. I haven’t fully read the terms and likely never will, but like many other Apple users I will happily click the little box to access my device or account.


If the last step in your compliance e-learning course requires someone to certify and electronically sign a statement saying “I hereby certify I have read and understood the X policy in its entirety” then recognize that people are not likely reading the policy (especially if it is written in legalese) and are simply clicking “yes” because they want the pain of e-learning to be over. If you want employees to know, understand and abide by your standards and policies, then find ways that will meet employees where they are and explain to them in human terms what they need to know for their particular role (also make it safe for people to say they don’t understand a policy without making them feel stupid or bad). If you are tracking and reporting out on the percentage of employees who have provided a written/electronic acknowledgement don’t fool yourself or anyone else that having a high percentage means you have a strong or effective program – it likely just means you have a large percentage of employees who have clicked a check box because they were forced to or to end some other pain.


And, if you have read and understood this post in it’s entirety, please click the “like” and/or “share” buttons below. If you haven’t read or understood this post in it’s entirety, please still click the “like” and/or “share” buttons below.




#ethics #compliance


What does your organization tell employees about why you have an ethics and compliance program?

While it is true that regulators expect organizations to have a well designed and effective ethics and compliance program, that is not the only reason as to why an organization should have an ethics and compliance program. There are many other reasons, including as examples: (1) ensuring the corporate mission statement and values are more than words; (2) supporting and helping employees/other stakeholders and valuing/seeing them as people; and (3) as many studies have shown, to be a more financially successful organization with reduced OpEx and increased ROA (amongst other financial metrics). Telling employees that the only, or main, reason you take ethics and compliance seriously is keep regulators at bay will signal to employees and other stakeholders that your organization is reluctantly embracing ethics and compliance to avoid bad things (fines, penalties and negative media coverage) because “it has to,” and not choosing ethics and compliance for the many benefits they provide to employees, stakeholders, society and the organization itself. If you want employees to “buy into” ethics and compliance then they need to see that the organization does the same – an organization that only embraces ethics and compliance because “it has to” should not be surprised if employees show the same approach to the organization’s ethics and compliance program.




#compliance #ethics


Does your compliance program see the human stories behind data?

Actionable and measurable data can help monitor how your organization’s ethics and compliance is doing, and also help measure if initiatives and strategies are effective and working. While hotline data, for example, can be helpful for tracking and reporting to the Board and other stakeholders, it is important to not lose sight of the human stories and experiences behind those numbers (our aim should be more than to “not lose sight of the human stories” and instead to see and hear them clearly). Only looking at whether the data is in line (or not) with benchmarking averages will fail to see the people who’s stories and experiences are behind that data (and the impact on those people). The numbers and data are ways in which you can assess if you have an effective program to support and help your employees and other people, but don’t forget that an effective program should serve, and see, the people who it is meant to help and not just see them as statistics or data points.






What Can Beatrix Potter’s Peter Rabbit Tell Us About Effective Stories for Encouraging Ethical and Compliant Behavior? 

My kids are really into reading Peter Rabbit at the moment. Peter’s mother tells him and his siblings not to go steal/eat vegetables from Mr McGregor’s garden because Peter’s “father had an accident there, he was put in a pie by Mrs. McGregor” (by “accident,” she means murdered and eaten 😳). This story was effective in deterring Peter’s siblings from going to the garden, but it was not effective – for whatever reason – in deterring Peter (perhaps the rewards outweighed the risks for him or perhaps the story wasn’t told in a way that really resonated with him).


There are several studies that show stories are effective in helping adults learn and remember, and stories can be incredibly powerful in helping employees learn about ethics and compliance in real life terms; however, we have to ensure that the stories are relevant, relatable and will have the desired impact. I used to think that ethics and compliance stories from the headlines were the most effective way of helping people learn, but many people struggle to connect with the story of a C-suite wrongdoer they have never met who has been fined millions of dollars (an amount most of us will never come close to having). Stories from within an organization can have a much bigger impact since they are more relevant and relatable, but don’t assume that all employees will be impacted the same way (even if the story seems like it should have an impact). There will be Peter’s in every organization and we need to find ways and stories to connect and engage with them.





What can Netflix’s Squid Game teach us about ethics and compliance? [No plot spoilers, but don’t read if you want to be super cautious]

  1. Incentives matter. What incentives do you offer to people? How much do the incentives motivate them and what are people motivated/permitted to do to achieve the incentive? Is your Compensation team only looking at how much people are paid or looking at the potential and actual impact of your incentive structures on behaviors?


  1. Ethical fading is real and can happen fast. Ethical fading is like intending to eat one or two spoonfuls of ice cream and before you know it, the tub is empty.


  1. Pressure drives behavior and people to do things they wouldn’t normally do. Check out the ECI survey from early 2020 on how pressure impacts ethical behavior.


  1. People look to others for what is acceptable (or not acceptable). Policies are helpful, but people will look at what other people are doing and what people are getting away with to determine what the actual (versus written) standards are.


  1. Undisclosed conflicts of interest rarely end well and often get found out. If you have an actual, suspected or even the appearance of a conflict of interest, disclose it.


  1. Zero tolerance policies can be harsh. Use sparingly, proportionately and intentionally. Showing tolerance for behaviors prohibited by zero tolerance policies will indicate some actual level of tolerance and undermine the “zero tolerance” position.


  1. Not ethics and compliance related, but the exchange rate for USD to South Korean Won is around $1 to KRW1,185 (yes, like you, I Googled that). And no, I don’t know what type of cell phone one of the characters had, if the character had a portable charger or how on earth his battery lasted so long.






Is your organization’s ethics and compliance program more focused on being average than best in class?

I am a big believer in benchmarking – data from various public sources can help you size up your ethics and compliance program and provide ideas/insight for where you need to improve/invest in your organization’s program. However, it is important to make sure you understand (a) what the benchmark data is telling you and (b) what the aspirations are for your program. If you want a best in class program, but obsess about ensuring your metrics are in line with the averages reported by benchmarks (i.e. number of reports per 100 employees or average number of anonymous reporting rates) then you are aiming for safety amongst the middle of the pack (I’m not saying that’s bad, but it isn’t best in class) and also not using the benchmarked data effectively. Benchmarking is a useful and productive exercise, but don’t confuse the benchmark “average” with being the “gold standard” that you have to be in line with. It is hard to say you have a best in class program if all your metrics indicate “average.”




#ethics #compliance


Is your organization mindful about whether new or updated policies are aiming to drive incremental or transformational change?

I’ve had several conversations recently about change management, and enjoyed reading about incremental versus transformational change in Lisa Beth Lentini Walker and Stef Tschida’s book, “Raise Your Game, Not Your Voice.” It got me thinking how new or updated policies can either bring about incremental or transformational change, and why it is so important that ethics and compliance professionals are aware of how much change, and what changes, any new or updated policies bring (or hope to bring). Sometimes big, transformational changes are needed, but those can be hard to introduce in a way that will be well received and followed in practice. Policies that introduce incremental change can be easier to roll out and get people to change their behaviors to meet the changed standard(s), but may not be appropriate if big changes are needed. Neither is particularly right or wrong, but it is important to understand how much and what change is desired (and likely to be achieved) and how to achieve the desired change in a way that employees won’t resent. What may seem like an incremental change to the policy drafter may in fact result in transformational change for employees who need to comply with policies – socialize policies with employees who will be potentially impacted and get their feedback (and hopefully buy in) to intentionally decide whether you should pursue incremental or transformational change with your policies.




#compliance #ethics #changemanagement


Does your organization think about people when it comes to risk management?

Does your organization’s risk management program look like this – identify risks, train on the risks and then monitor the risks (including data from your hotline and other KPIs)? That all sounds good, but it ignores the fact that risks can either be amplified, mitigated or otherwise influenced by employees or other people who work with your organization (i.e. employees of third parties).  It is important to identify who are the people that touch upon particular risks and see them as key to an effective risk management program. Rather than training all employees on all risks, seek to understand which employees touch upon a particular risk and what that risk means for that person’s role and then provide training specific to how that risk manifests and needs to be managed.  It is not enough, for example, to say that “anti-bribery” is a risk (which is far too broad and more a risk category rather than an actual risk) without identifying what that means in practice for your employees and what they can do in their respective roles to help detect, manage and mitigate the risk.  




#compliance #riskmanagement


Does your organization know who and when a third party is a competitor?

Athletes at a club level can be competitors, but can be on the same team (and not competitors) when it comes to national level (and vice versa). Who is a competitor is not always a static concept and there can be certain situations where the same person/entity can be a competitor in one instance and not in another. Someone can be a supplier or customer in one instance, but a competitor in a different instance – it’s not always as easy as sports to identify the difference. Athletes figure this out so they don’t pass to another athlete when they are competitors and it is important that employees understand when a third party is a competitor and when they aren’t and act accordingly.







As I’ve previously shared, I think the moment an employee speaks up is an opportunity to either build or destroy trust depending on how the organization responds and the employee’s experience. Demonstrating empathy and seeing the reporter as a person are fundamentally basic ways to demonstrate to your employees that you listen and care when they speak up. Humanizing ethics and compliance (including the speak up process) make simple sense when you recognize that we are dealing with people and not just rules and regulations.


Many thanks to Adam Turteltaub CCEP, CHC for kindly letting me join him on one of his Society of Corporate Compliance and Ethics (SCCE) podcast episodes where I got to talk about this topic in more detail. Here is a link to the episode and check out the other great content while you are there –


What do you think? Does showing empathy present any real risks? If you don’t show empathy, how does your speak up process (including your helpline) ensure psychological safety to support and encourage people to speak up?








Should you look at getting an ethics and compliance certification or accreditation?

I have had a number of conversations recently with people looking for advice on whether to pursue various certifications to help them in their careers as ethics and compliance professionals.  My answer is a very lawyerly “it depends.”  Certifications take varying amounts of time, money and effort to obtain, so you should make sure you have a good reason for pursuing a particular certification and know if the certification will help you towards your longer-term career goals.  I think it is healthy to continuously learn and stretch yourself and certifications (and the studying and learning in pursuit of the certification) can be useful for your overall growth, but I would be wary of those that will certify you as an “expert” if no real prior knowledge or experience is necessary and if the course is short in length.  Invest in your career and your development, and think intentionally about whether a particular certification will make a difference in your career (some definitely will, but depends on what you want from your career).





#certifications #career


Does your organization think about diversity, equity and inclusion when it comes to ethics and compliance trainings and communications?

Filmmaker Lisa Valencia-Svensson asked the question of “who is telling whose stories to whom, and why?” more than a decade ago, but it is still – and perhaps more so – relevant today. Ethics and compliance should go hand in hand with DE&I and I think one way that can happen is to be mindful about images and pictures you include as part of any ethics and compliance (or other) training or messages. I like including visuals and pictures in my presentations and training materials – I think they can make a presentation more engaging and I sometimes tie them into analogies that I use to help adults learn. Most of the time, I will use stock/online images from PowerPoint; however, I find it can be a real struggle at times to find pictures involving much, if any, diversity. People other than white males are significantly under represented when you search for pictures involving professional jobs. Type in “leader” and you will need to do a lot of scrolling to find any pictures of women or African American, Latino or Asian people. Type in “CEO” and all 50 of the first 50 pictures with people in them are male. Type in “attorney,” “CFO,” “scientist,” “athlete” or try your own search terms and see how much these pictures are lacking in diversity. Presentations become part of the story being told in your organization, so make sure you consciously think about whose story is being told (and whose story is not being told) by the pictures and images you include in trainings and communications.






Does your organization’s ethics and compliance program understand the difference between complicated and complexity?

I often hear people use the terms “complicated” and “complex” as synonymous, but this is, I believe, a mistake (Stanley McChrystal’s “Team Of Teams” does a much better job explaining this distinction than my post will). Something that is complicated (take a car engine or a mechanical watch) may be difficult to understand, but involves predictability and if a part is changed or removed it will not be able to work as expected. Something that is complex often involves interdependence on other things as part of a system and can also adapt even if parts or elements of it are removed. So what’s the connection to ethics and compliance? If wrongdoing has occurred in an organization, it is important to understand if the root cause is a matter of complexity or complicatedness so that the right steps and actions can be taken to address the root cause. Removing an employee for wrongdoing may not solve an issue if the behavior will continue even without that employee there (that suggests the issue may be one of complexity). Understanding the nature of the root cause is critical to be able to stop/treat and prevent the issue happening again.




#complex #complicated #rootcause


Does your organization understand the difference between “data security” and “data privacy”?

Data security and data privacy are both important, but are not the same concept. Not sure how they are different? Think about it this way – Magneto’s prison cell in the X-Men movie is (or, spoiler alert for X-2, was at least intended to be) secure, but is not private. Simply because data is secure doesn’t mean it is necessarily being kept private. It is important to make sure your organization understand what data needs to be secure, private or both.




#dataprivacy #datasecurity #xmen

SUNDAY, JULY 25, 2021

Does your organization’s Code of Conduct give employees the direction they need?

Ever tried to get around New York with a map of Boston or around London with a map of Los Angeles? A map of Boston works well for someone trying to navigate Boston, but doesn’t mean it will have the same value for someone trying to navigate another city because it isn’t designed for that purpose. Your Code of Conduct should be your organization’s “ethical map” that gives direction to your employees about the organization’s ethical values and principles and helps them to navigate potentially difficult or ethical situations that they may encounter in your organization. There is a lot to be learned by benchmarking and looking at the Codes of other organizations, but you can’t just copy another Code or just use something “generic”/“off the shelf” (you could, but it would be a waste) because that is the same as trying to navigate a city with a map of a different city. Having a Code of Conduct is not enough – you need to have a Code of Conduct that will guide your employees at your organization.




#compliance #ethicsandcompliance

SUNDAY, JULY 18, 2021

Is your organization’s ethics and compliance program more focused on the perfectly worded message or the most effective message?

I am currently teaching my 6 year old daughter to learn how to ride her bike. After taking 4 hours of e-learning and certifying that she has read and understood the policy on “how to safely ride your bike,” I am confident she should now know how to ride her bike. To ensure ongoing engagement and commitment, she also signed an acknowledgment that she understands that violating our cycling rules may result in disciplinary action, up to and including no TV for a week. She is super excited about cycling.


While I am actually helping my daughter learn to ride her bike this summer, we did none of the above. I’m not a cycling instructor and have no experience teaching a kid to ride a bike, but I am taking my best shot at it and my less than perfect teaching is more effective than putting her in front of a screen and thinking she would learn that way. In the same way, managers and supervisors don’t need to be ethics and compliance experts to help employees or have a positive impact on your culture of ethics and compliance. Having managers and supervisors regularly talk about ethics and compliance (even if the message isn’t perfect) makes a positive and lasting impact. A less than perfect message from an employee’s direct manager (which can be based on an outline/talking points from ethics and compliance) is much more effective, personal and likely to resonate with employees than staring at a computer screen or certifying about policies. E-learnings, polices and certification are important and can have a role that adds value to your program, but they cannot replace the role of managers and supervisors.