“The organization demonstrates a commitment to integrity and ethical values” (COSO Principle 1 – Commitment to Integrity and Ethical Values http://www.coso.org/IC.htm) is the first of five principles relating to the Control Environment component of internal control. The most important word in this principle is “demonstrates”. For the leaders of the organization to have an effective internal control system, they must not only “talk the talk” but more importantly they must “walk the walk”. Actions speak louder than words. The only way to develop, nurture and maintain an ethical culture is by consistent actions that demonstrate leadership’s commitment to these values at all levels.
Each organization must define and communicate the expectations of all employees via a Code of Conduct, Employee Handbook, policies and procedures and other means. One set of core expectations must apply to employees at all levels. It is incumbent on the leaders of the organization to explicitly and publicly demonstrate behavior consistent with these core expectations. All persons at all levels must be held accountable for deviations from these core expectations in order for these to become a part of the organizational culture. Importantly, failure to hold stakeholders accountable can lead to a culture that expects and accepts deviations. General Motors is a recent example of a company that is undergoing the painful process of redefining/recommitting to their core expectations of integrity and ethical values resulting from inadequate internal and external communication of product safety issues due to faulty ignition switches. CEO Mary Barra is facing a difficult task getting the actual actions inside the company to reflect the standards of conduct most insiders like herself expected. To quote Ms. Barra’s testimony to a House of Representatives subcommittee, “This is a tragic problem that should never have happened, and must never happen again.” http://docs.house.gov/meetings/IF/IF02/20140618/102345/HHRG-113-IF02-Transcript-20140618.pdf
Most great organizations consist of a diverse group of people with varying norms, cultures and expectations. For these reasons, it is critical for an organization to define standards of conduct for their employees and other stakeholders. Without defined standards, the stakeholders will justifiably act based on their own norms, which collectively will lead to inconsistent and unclear standards of behavior. The organizational leaders must define one standard of behavior that is sympathetic to the standards of their diverse workforce (i.e., does not ask anyone to violate their ethical standards) and then apply training, communication, oversight controls and corrective action to ensure these standards are consistently followed.
The organization extends to all parties for which management has oversight and/or those representing the organization. One of the larger challenges is maintaining your standards with co-source, outsource, joint venture and other vendor partners, especially across international borders. The April 2013 factory collapse in Bangladesh is one recent example of these challenges. Appropriate programs with training, monitoring and independent assessment for all significant vendors and business partners are required. A comprehensive risk assessment will identify all those partners for whom such programs apply. For those that have not yet implemented such programs, the time is now. Your firm is not satisfying Principle 1 without a risk assessment and a program of compliance activities, monitoring and independent assessment for such vendors/partners.
Overall, to demonstrate that Principle 1 is in place and functioning consistently in your organization requires the definition and communication of expected integrity and ethical behavior, training programs for all stakeholders with tracking to ensure completion, explicit demonstration of the expected integrity and ethical behavior by all managers to set the “Tone at the Top”, identification of appropriate monitoring methods and criteria and implementation of monitoring programs, including independent monitoring where appropriate, and finally consistent and appropriate actions to address deviations from the standards. Although this is a major effort, the potential problems, distractions and reputation harm avoided by clear ethical programs are well worth the effort. These programs help the organization to effectively leverage compliance.
About the Author
Glenn Murphy, the co-founder of BestGRC and founder of GRC Management Consulting, primarily focuses on empowering entities to leverage their compliance activities through the BestGRC “cloud” software, his consulting work, publications and the “Leverage Compliance” blog. Find Glenn’s full profile at http://www.linkedin.com/in/glenntmurphy/ , follow him @GlennMurphyGRC and subscribe to the Leverage Compliance blog at http://www.bestgrc.com/blog/