By Cydney Posner
Following is a link to a potentially useful article from CFO.com, Creating a Culture of Compliance. The author maintains that a culture of compliance in which "employees feel they can report illegal activities or abuses can prevent problems from becoming disasters. This pertains not only to financial controls under the CFO's purview but also to a broad range of operational risks, which can result in costly disasters like last year's oil-rig explosion in the Gulf of Mexico and the implosion of Enron. In both cases, employees accused top management of ignoring their concerns about dangerous internal practices."
The article identifies the five most effective practices to prevent risky or illegal activities.
1) CFOs should acknowledge that they are responsible. When CFOs sign off on financial statements, as required by SOX, they are also, in effect, verifying the accuracy of the underlying related corporate records, such as the sign-off on a transaction by a salesman on the other side of the planet.
2) Make the Corporate Counsel an ally. There is often "a crackling tension between compliance and the company's or business unit's mandate to perform," which can be a political minefield that should not be traversed alone. A commentator cited in the article provides a "common example: the salesperson who posts big numbers yet puts tens of thousands of dollars in personal expenses on the company credit card. Every month, the CFO approves the expenses, which aren't tax deductible and should be reported to the Internal Revenue Service on the salesperson's W-2. If a CFO questions this, the CEO or the head of the salesperson's business unit may offer the kind of nonresponse that [the commentator] characterizes as, ‘Thank you for pointing it out; if it gets abusive we'll take care of it.' That kind of see-no-evil culture has serious ramifications; if employees know such abuse is taking place, it sends a signal that they can abuse the system, too. An employee might say to himself, ‘If that guy can do it, why can't I?' " One approach recommended in the article is to "establish a strong relationship with the general counsel, who typically has the credibility to make a strong case that a problem is serious and must be addressed. ‘The corporate counsel wields enormous power within any corporation,' [another commentator] says. ‘Any CFO who is not listening to the corporate counsel has got to be crazy.' " [As you might guess, emphasis added.]
3) Executives and boards should really deliver the message. It's not just setting a "tone at the top" that matters, but also coupling that message from on high "with some face time" that allows employees to understand the importance of ethics to the organization. In addition, the article suggests that the definition of "the top" is changing; boards are also being required by regulators "to assume greater responsibility for shaping a company's culture." Recent DOJ cases identified a "culture of corruption" that "trickled down" from management and the board. One common error cited in the article is "putting responsibility for various compliance matters into various separate ‘silos.' Compliance should be ‘woven throughout the fabric of the organization,' including the board." Executives responsible for compliance should have "unfettered access" to the board.
4) Educate front-line managers to respond effectively. The article maintains that front-line employees must "feel comfortable in the role of watchdog. When these employees raise potential issues, midlevel bosses and front-line supervisors should know how to respond. Otherwise, employees who know about illegal activities may not tell anyone, out of a fear of being retaliated against or fired. A raft of research has shown that an employee's behavior is far more influenced by his or her direct supervisor or operating-unit head, versus a C-level executive." Apparently, only 5% of reports of misconduct come through anonymous hotlines, making it critical that supervisors be supportive of compliance or risk the probability that employees will not volunteer information regarding problems: although there can always be a bad actor in the system, "employees who know they are welcome to come forward can prevent systemic failures or scandals." In addition, companies should understand the implications of the new incentives under the SEC's whistleblower rules and craft a policy that encourages employees to speak up.
5) Simulating a crisis can uncover potential issues. Working through a crisis plan in advance can help to minimize damage when a crisis occurs, especially in light of the numerous Type A personalities often populating the C-suite: "For top managers who want to learn how politics and personalities can lead to a cover-up that worsens a crisis, consultants recommend they walk through who would be in charge if a crisis occurred." In addition, one of the consultants cited in the article "sometimes puts executives in a room and asks them to put on a fraudster's hat: Could someone manipulate company records or processes to perpetrate a fraud, and if so, how? Who in the room has the knowledge and ability to commit fraud? After one such series of brainstorming sessions, [the consultant] catalogued more than 150 initial fraud risks for one public company," which alerted management to risks they had not previously foreseen.