How to Build a Culture of Ethics and Compliance

Donna Boehme and Jim McGrath continually rail against the notion that a ‘rogue employee’ causes the majority of bribery and corruption charges under such laws as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. Companies continually claim that they do business ethically and in compliance with such anti-bribery and anti-corruption legislation and that it is only one or a few of “them-those pesky rogue employees” who have brought the company to grief. Even GlaxoSmithKline (GSK) is now beginning to distance itself from its Chinese business unit and executives who confessed to engaging in bribery and corruption to sell GSK products in China.

The first problem with this “rogue employee” claim is that it is wrong. The second problem is that by making this bogus claim and denying that it was a company failure, a company may well never correct the underlying problem which led to the compliance failure. However, if a company does not recognize its role in any such compliance catastrophe, it will probably have a repeat of a similar event in the not-too-distant future. Once again, witness GSK, which agreed in 2012 to a $3 billion fine for fraud in marketing of its products and within one year is caught up in allegations of corruption in China.

I recently read an article in the summer 2013 issue of the MIT Sloan Management Review, entitled “Designing Trustworthy Organizations,” by a quartet of authors: Robert F. Hurley, Nicole Gillespie, Donald L. Ferrin and Graham Dietz. In this article, the authors address the question “How can companies recover from trust failures and create reputations for trustworthiness?” Using their article as a starting point, I will discuss how ethics and compliance failures occur, what companies can do to build effective ethics and compliance programs and three companies that returned from the brink of catastrophic ethics and compliance failures to reclaim their good corporate names.

Why Ethics and Compliance Failures Occur

Signals of an Ethical Business

In the FCPA Guidance, both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) make clear that paper compliance solutions, which companies only employ to “check-the-box” on compliance with the FCPA, are doomed to fail. The FCPA Guidance states, “A well-designed compliance program that is not enforced in good faith, such as when corporate management explicitly or implicitly encourages employees to engage in misconduct to achieve business objectives, will be ineffective. DOJ and SEC have often encountered companies with compliance programs that are strong on paper but that nevertheless have significant FCPA violations because management has failed to effectively implement the program even in the face of obvious signs of corruption.” This is a clear recognition that more effort is required to make a compliance program effective than simply having one in place; unfortunately, many companies seem to believe that simply having one in place is enough.

While the authors write about trust, I believe that their research, findings and framework all translate to ethics and compliance; so I will make that substitution throughout my discussion of their article. To begin their discussion, the authors believe that there are six identifying signals that employees consider when deciding to follow a company. They are:

  1. Common values: does the company share our beliefs and values?
  2. Aligned interests: do the company interests coincide, rather than conflict with ours?
  3. Benevolence: does the company care about our welfare?
  4. Competence: is the company capable of delivering on its commitments?
  5. Predictability and integrity: does the company abide by commonly accepted ethical standards and is the company predictable in how it behaves?
  6. Communication: does the company listen and engage in a dialogue or not?

Why Do Ethical and Compliance Violations Occur?

Here, the authors begin with a definition. They define trust as “a judgment of confident reliance on another (a person, group, organization or system) based upon positive expectations of future behavior.” For the compliance practitioner, a violation of that trust occurs and there is unethical behavior not in compliance with the norm; for example, when “a party significantly deviates from positive expectations” by engaging in such conduct as bribery and corruption. The authors believe that when employees see such conduct condoned, explicitly or tacitly, by management, they also lower their own personal expectations of the type of conduct they will personally engage in.

Such a failure leads to individual employees engaging in bribery and corruption. However, the authors make clear that this is not due simply to the individual or rogue employee, but such unethical conduct is “predictable in organizations which allow dysfunctional, conflicting or incongruent elements of their organizational system to take hold.” The authors cited three examples where this played out with devastating results for companies. The first was the Mattel Corporation, which had a strong reputation for quality, but weak oversight of its supply chain led to production of contaminated toys and a massive toy recall. The second was BP and the Deepwater Horizon disaster, where the company’s strategy and culture of minimizing costs to enhance profitability conflicted with its stated emphasis on safety, leading to a multibillion-dollar claim. Finally, Goldman Sachs and its role in the Abacus fund, where “investigators found that Goldman’s stated values of client focus and integrity were at times overshadowed by a less formal culture that emphasized getting deals done with less than full disclosure.”

The authors noted that in all three examples they cited, each company had extensive systems, processes and procedures in place to produce trustworthy behavior. However, “other elements undermined the companies’ ability to deliver on their core responsibilities.” Recall that as part of its $3 billion settlement, GSK agreed to a Corporate Integrity Agreement (CIA). The company had a compliance committee whose job was to oversee full implementation of the CIA and all compliance functions at the company. The company had “integrity champions” within each business unit, as well as management accountability and certifications from each business unit. Training of GSK employees was specified.

GSK’s code of conduct stated, “The GSK attitude towards corruption in all its forms is simple: it is one of zero tolerance, whether committed by GSK employees, officers, complementary workforce or third parties acting for or on behalf of the company.” The company had a third-party code of conduct, which required that third parties conduct their business in an ethical manner and act with integrity.

All of this was backed up by a global ethics and compliance team, “which is responsible for providing oversight and guidance to ensure compliance with applicable laws, regulations and company policies, as well as fostering a positive, ethical work environment for all employees.” The code of conduct also stated that “GSK has an active system of internal management controls to identify company risks, issues and incidents with appropriate corrective actions taken. Our Risk Management and Compliance Policy provides the framework for these internal controls to ensure significant risks are escalated to the proper levels of senior management.”

The authors’ research led them to several different areas of organizational weakness that allowed for ethics and compliance violations to occur. Company leaders “focused on fundamental aspects of how the organization functioned: organizational restructuring and instability, poor support and follow-through, poor talent management, lack of communication and information and leadership and strategies.” Interestingly, when employees were interviewed, they had the following thoughts on how to improve ethics and compliance: “improve communication, enhance senior management capability, provide more accountability for performance, empower employees and enhance collaboration groups.”

Yet in their examinations, the authors found “one type of incongruence that frequently led” to breakdowns in doing business ethically and in compliance. That breakdown came when the interests of one stakeholder group were favored over those of another stakeholder group. The authors identified the various stakeholders as shareholders, employees, customers, suppliers and communities. The authors said that this incongruence has “been defined as letting shareholder profits take precedence over core responsibilities to other stakeholders.” But it is more than simply serving one stakeholder better than the others. It is favoring one stakeholder at “the expense of and even causing harm to” other stakeholders.

In other words, if profits are put ahead of all other measurements for an employee, that employee will get the message and make sure that he or she makes their numbers. The authors conclude this section by noting that with the current 24-hour news cycle and social media, what may have been yesterday’s event can rapidly spiral across the globe and out of control more quickly than ever. Once again, witness how little time elapsed between GSK being put on notice of allegations of corruption and bribery in China and the time its Chinese employees admitted to such conduct on state TV. It was mere days.

Building an Ethical Organization

To build an ethical organization, the compliance practitioner needs to instill ethics and compliance into the organization. This can include “setting formal and informal constraints, incentives, expectations, values and norms,” all of which influence the behaviors of employees and even third parties with whom the company does business. The authors note that employees are influenced by both formal and informal controls, which can promote either “diligence and honesty—or recklessness and malfeasance.” Lastly, positive signals — through various mechanisms — help, but if you have mixed or “deviant messages,” this can lead to cynicism or unethical behavior by your company’s employees.

Near and dear to my heart is the role of such anti-corruption legislation as the FCPA and UK Bribery Act, which the authors acknowledge play an integral role in supporting a company’s ethics and compliance program. But they note the warning, as voiced in the FCPA Guidance, that such laws are only the starting point to create an effective ethics and compliance regime. Moreover — and this next statement speaks directly to those who believe that a compliance defense will lead to more companies following the prescripts of the FCPA — the authors note, “Sadly, external regulation may give organizations a false sense of security that can lull them and their stakeholders into complacency” about their ethics and compliance regime. Take GSK, which had about the strongest paper program that a company can provide.

The authors have devised a six-step approach which they call a “Model of Organizational Trust.” I believe these are six steps you can use to build up a culture of ethics and compliance. This model is based upon their collective research and study, systems theory and strategic organizational design. The model, which allows you to embed such a culture of ethics and compliance into your organization, weaves the six signals that employees draw upon when making decisions of trust into “their infrastructure and core processes,” which the authors believe over time earns the trust of the various company stakeholders. Their Model of Organizational Trust, and some key questions pertaining to each step, are as follows:

Leadership and Management. This requires leaders who embody the company values and expect the same from its employees.

  • Does management at all levels model company values?
  • Does management serve stakeholder interests before self, act with integrity and competently and predictably deliver on commitments?
  • Does management communicate openly, listen and demonstrate concern for employees?
  • Do managers hold their teams accountable for competent execution of strategy while upholding company values?

Culture.  This requires strong shared norms and beliefs that encourage all stakeholders to uphold companywide values and deter deviation from those values.

  • Are there strong cultural values and beliefs that bond people and unify subcultures to serve stakeholders?
  • Are the values of respect and fairness for stakeholders, acting with integrity, doing business with competence and predictability in delivering on expectations held deeply enough within the company that acting against them is perceived to be wrong?
  • Are company values articulated and activated such that employees support the company’s mission beyond the interests of self or subgroups?

Systems.  There must be systems in place for planning, reporting and budgeting to reinforce ethical and compliant behaviors, all linked to culture and strategy.

  • Do selection, induction, training, compensation, promotion, evaluation and succession systems reinforce the company-espoused values?
  • Do communication, planning and information systems enable effective coordination, alignment of interests and meaningful, mutual dialogue?
  • Are there robust mechanisms to surface and facilitate reporting of ethical violations?

Product and Service Development, Production and Delivery.  There must be processes in place to ensure that stakeholder needs and expectations are met, that company values are upheld and that relevant anti-bribery and anti-corruption laws are met.

  • Are development and production processes focused on serving both company and stakeholder interests, including those of the customers and suppliers?
  • Is there testing to ensure that production competently and predictably meets standards?
  • Is the company’s supply chain monitored to ensure that it meets the goals of respect, fairness, predictability and competence to reach stakeholder expectations?
  • Does the company listen and respond to non-company stakeholders such as the supply chain and customers?
  • Is there a robust product service recovery process?

Structure. There must be formal organization and governance that set clear roles and accountability and provide discretion within prudent internal oversight.

  • Does the company structure provide clear roles, responsibilities, accountabilities and alignment of interests across groups?
  • Does the company structure provide adequate governance and monitoring at all levels to ensure competent execution of strategy in a manner that upholds the company’s values?
  • Does the company structure engage and facilitate open communication with stakeholders?

Strategy. The organization must have a clear mission that it will do business ethically and in compliance and that these values accommodate stakeholder values as well.

  • Is the company clear about its mission and strategy to serve all stakeholders?
  • Is the execution of this strategy evaluated from all stakeholders’ perspectives?
  • Does the company strategy align with its values?
  • Are decisions made and resources allocated in a way that shows respect, fairness, integrity and alignment with stakeholder interests?
  • Do the stakeholders perceive that strategic trade-offs are made in a transparent and fair manner?

The authors write that all six of these concepts must be fully integrated. So an “effective organizational infrastructure (strategy, leadership and management, culture, structure and systems)” should work to generate and sustain the “effective core processes (development, production and delivery of products and services).” For the compliance practitioner, this means that elements of doing business ethically and in compliance must be woven into all elements of infrastructure and core company processes over time. If not, ethics and compliance failures are likely to occur “when important elements are allowed to become misaligned.”

But, at the end of the day, the authors report that the “key differentiator between companies that violate trust and those that sustain it is integrity and consistency within and across the organization.” While every company says it does business with integrity, this review shows how the message from the top of an organization can be driven down through the DNA of the entity. Not to be overlooked is the second part of the phrase, consistency. If leadership sends out mixed signals about the values that it deems paramount, then all the talk about doing business ethically and in compliance may well be for naught.

Rebuilding an Organization After a Catastrophic Compliance Failure

The authors correctly note that much can be learned from an organization in how it responds to crisis. Paul McNulty often says that the key analysis to make in any assessment of a potential penalty under the FCPA is “What did you do about it?” I label this as “McNulty’s Maxim No. 3.” However, after every storm there is an opportunity for a company to rebuild a culture of ethical behavior and doing business in compliance. The authors identified what they believe to be three critical stages in any such comeback. They are investigation, organizational reform and evaluation.


Investigation

In order to begin the process of repairing a corrupt corporation, the authors believe that there must be “credibility, rigor, independence and accuracy of the investigation.” A clear example where this was not done was in the situation where the Wal-Mart corporate office sent the investigation of allegations of bribery and corruption in its Mexican subsidiary back to the people alleged by the company’s internal whistleblower to have headed up the bribery and corruption, with predictable results. The authors believe situations like this occur when a company is “so concerned with appearance and damage control that they are unwilling to engage in the degree of examination required to root out entrenched” ethics and corruption violations.

The FCPA Guidance anticipated this problem when it issued this advice to companies: “Once an allegation is made, companies should have in place an efficient, reliable and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” Jim McGrath, among others, regularly writes about the need for companies to employ outside counsel who specialize in such investigations. McGrath’s suggestion would certainly fit with the authors’ recommendation on this point.

The authors also note that the investigation must drill down and determine “how each element of the organizational system directly or indirectly contributed” to the ethical and compliance failures. Only by such a thorough investigation can a company begin the road to recovery. Not only will an independent investigation bring an unbiased eye to discover the facts, but such a granular view will lead to the necessary “recommendations for systemic reform.”

Organizational Reform

The authors begin with a single line that all compliance practitioners need to paste in front of senior management and company executives: “Since all trust [i.e. compliance] failures are systemic, the organizational reforms need to be systemic as well.” Rogue employees exist or are created by a company culture and internal control system that either encourages such behavior or actively rewards it. Due to this, the authors recommend that “Structures, systems and processes should be the first point of intervention.” But the authors caution that this is only the start, and if these are the only items addressed, they are “unlikely to produce sustainable change.” This is because the more difficult, yet more important, changes in ethics and doing business in compliance involve an organization’s “culture, strategy and leadership and management practice.” In other words, if management does not make the start at changing the culture, violations will likely continue.

To make such a universal change, the authors believe that “systemic reforms need to be reinforcing and congruent so that trustworthiness becomes embedded in the organization’s culture over time.” So not only must leaders change the way they lead, but employees must change the way they do their work. A true change in company DNA may be required to move to doing business ethically and in compliance with the burgeoning, worldwide regime of anti-bribery and anti-corruption legislation.


Evaluation

The authors caution that even if systemic changes are made by an organization, they still “must be evaluated to ensure that they are working as intended and pitfalls must be addressed.” Because a true systemic change can be so difficult, the most important prong in repairing a culture which has fallen short of doing business ethically and in compliance is through “ongoing assessment, learning and course correction.” The first step is “to take a systems perspective to accurately diagnose and reform the true faults in the organizational system, and then to evaluate the effectiveness of the reforms.” This aids in not only helping repair a culture of ethics and compliance, but also in embedding such values in an organization. Lastly, by embedding such values within an entity, the organization becomes more resilient to future ethics and compliance failures by (hopefully) detecting them early and remediating the issue(s) quickly.

Three Examples

The authors concluded with examples of three well-known companies that were able to repair themselves and do business more ethically and in compliance.


Siemens

Siemens AG is well-known for having the highest fine in the history of the world for its FCPA violations, $800 million, paid to the U.S. government. It also paid the equivalent amount to the German government for a total fine in the neighborhood of $1.6 billion. Such fines do not include investigative costs. The authors detailed the following steps that Siemens took:

  • Appointment of an externally led, comprehensive and independent investigation, including some staff amnesty provisions during the investigation.
  • Appointment of a respected independent expert to advise on ethics and compliance reforms.
  • Revisions to the company’s code of conduct, reformation to policies and procedures on doing business ethically and in compliance and creation of an internal company ombudsman and compliance help desk.
  • The training of more than 200,000 employees on anti-corruption practices to shift beliefs and values.
  • Streamlined structures to provide clear lines of responsibility.
  • A five-fold increase in the number of employees dedicated to doing business ethically and in compliance.
  • High-profile departures from the company and more than 900 disciplinary actions related to anti-corruption.

BAE Systems

It is well-known that former British Prime Minister Tony Blair is famous for shutting down his country’s Serious Fraud Office’s investigation into bribery and corruption allegations against the UK aircraft manufacturer under UK anti-bribery and anti-corruption law. However, such help from friends on high did not help the company stay out of bribery and corruption hot water, as it was hit with a $400 million fine for its FCPA transgressions. The authors reported that it took the following steps in its repair of its ethics and compliance culture:

  • The Woolf Committee was formed to investigate the company and ultimately made 23 recommendations regarding doing business ethically and in compliance.
  • New responsible trading practices were put in place to help employees in commercial decision making going forward.
  • The code of conduct was revised and new policies and procedures were put in place on bribes, donations, hospitality and political lobbying.
  • A new corporate governance structure was put in place which allowed oversight by an independent ethical leadership group and the creation of an ethics helpline.
  • A training program for all senior management in ethics and compliance was instituted.

Mattel Toys

The company was not faced with anti-corruption allegations as were the first two companies above. However, its sins may have been even worse because of the safety issues involved. A Chinese manufacturer for the company outsourced the production of certain toys. This allowed the use of lead-based paint by the subcontractor in the production of millions of toys. The use of lead paints has been banned for the production of toys for many years in the U.S. due to safety concerns. The authors reported that Mattel took the following steps:

  • Production in the facilities alleged to have used lead-based paint was ceased and all products were recalled.
  • There was full and proactive cooperation with regulators across the globe.
  • There was an independent and thorough investigation.
  • There was a second product recall, linked to faults in Mattel’s own design of a toy.
  • There were coordinated, sector-level discussions in the company on mandatory safety regulation.
  • There was a revision and strengthening of supply chain audit procedures.
  • The company established a new corporate responsibility division which reports directly to the Chief Executive Officer (CEO).
  • The company agreed to an audit by an independent Non-Governmental Organization (NGO) of its supply chain practices.

I have labeled the GSK corruption and bribery scandal as the most significant event for compliance practitioners in 2013. This is because of the entry of the Chinese government into the investigation and possible prosecution of western companies for conduct that the Chinese government heretofore turned a blind eye toward. I do not believe it will be long before other countries begin to look at the corruption of their officials under the rubric of their own domestic anti-bribery legislation. Subsequently, companies need to have a system in place to do the three things that the FCPA Guidance suggests.  The agency states, “A well-constructed, thoughtfully implemented and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.”

But more than simply having such a system in place to comply with anti-corruption laws, “An effective compliance program promotes an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” The authors have taken their concepts and wrapped them into an entire corporate culture. They believe that organizations with such commitment to doing business ethically and in compliance “tend to be high-performing, with lower employee and customer turnover, lower monitoring costs and even better financial returns.” That final sentence is the bottom line for all of this. Companies committed to such conduct do better financially. It does not get much starker or clearer than that.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2013



Thomas Fox

Thomas Fox has practiced law in Houston for 25 years. He is now assisting companies with FCPA compliance, risk management and international transactions.

He was most recently the General Counsel at Drilling Controls, Inc., a worldwide oilfield manufacturing and service company. He was previously Division Counsel with Halliburton Energy Services, Inc. where he supported Halliburton’s software division and its downhole division, which included the logging, directional drilling and drill bit business units.

Tom attended undergraduate school at the University of Texas, graduate school at Michigan State University and law school at the University of Michigan.

Tom writes and speaks nationally and internationally on a wide variety of topics, ranging from FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets.
