How to set up an ethics helpline from scratch - the smart way

Today, I made my compliance colleague from Russia happy by sending her more insights and practices on how to take up an ethics helpline from zero. How to start and what is good to know even before you start it...

I am glad to have an international network of compliance and ethics professionals to be able to share knowledge and experience. 

I thought this might fall in the interest of many when facing similar challenge.

Here it is...

Dear D. E.,

...I wanted to prepare something really useful and practical for you. So, I ended up writing an entire handbook on how to establish ethics helpline :), which I can now use in my blog, too. …

Taking into account best practices and some of my experience / lessons learned, I came up with the following steps when implementing an ethics helpline from scratch.   

Next to that, you will find some links to the resources, where you can find examples of:
- code of conduct
- ethics helpline policy
- ethics helpline platform
- non-retaliation policy...
all of which are needed for setting an ethics helpline framework and you will probably create them tailored for your own company, if you don't have them.  

Resources available at SCCE (Society of Corporate Compliance and Ethics) web-site are great and generated at one place. ... I highly recommend you to try to attend their events, too. They are great! You can search SCCE's web site for the events and many resources on compliance and ethics; For this, go to: https://www.corporatecompliance.org ; Choose: "Resources" -> "Library" or "Surveys".

THE STEPS FOR  IMPLEMENTING AN ETHICS HELPLINE  - THE SMART WAY:

1. Before setting up an ethics helpline, discuss it with your management, best with the CEO, or whoever is giving you a mandate to set up an ethics helpline (or an overall compliance program / internal control system):

 

- make your own mandate and responsibilities of others regarding the helpline clear,
- monitoring and reporting about the helpline statistics and effectiveness must be specifically determined,
- find out about the objectives and expectations of management about the helpline / compliance program,
- discuss what kind of misconduct do you want to be reported (only breaches of laws and regulations or internal policies included; only specific kinds of breaches – most severe or any kind ??),
- specifically discuss with legal all the necessary aspects; especially the importance of reacting upon reports and substantiated misconduct (include HR in this, too), discuss arranging the client- lawyer privilege when needed and what if a report is raised against the higher management etc.,

- discuss basic issues also with teams of line managers and your peers; 

- help business people to understand the benefits; why excellent companies find this kind of reporting from employees highly valuable for the sake of company's integrity and reputation (first convince yourself and become immune to discouragements);

These are the most recognized benefits of an ethics helpline:
- having an internal line to report issues helps company to lowers the possibility of negative public exposures, due to lower possibilities that employees would report issues to external bodies or directly to public, given that internal reporting and resolving procedure is existent and effective; in times of social media, bad news gets out easier and spreads faster than ever, so the reputational risks are even greater,
- also, it can help clear issues at more early stage and help protect company, employees and management from harm of greater consequences latter
- supporting a speak up culture and effectively reacting against wrongdoing, you bust up the integrity, consequently a respect and loyalty from employees towards the management grows; this also shines out brightly and attracts best human potential, best customer and investors
- last, but not least: it helps protect the company and its management from legal liability, for it improves chances to demonstrate that controls and due supervision were in place.

2. Address the existing worries and accept good suggestions before you set up the helpline, so you can take it into account when writing policies, procedures and communication.

Also search for and build your support group inside the company, because for sure you will have opposition.

3. Prepare or re-new the Code of conduct / Ethics Code for the basis, if you don't have it or if it's outdated;

It's good practice to be clear in your code of conduct what kind of breaches should be reported to an ethics helpline and to prohibit retaliation against reporting employees in good faith. Also provide direct contacts to which reports can be submitted. If it's possible assure anonymity or at least confidentiality.

4. Create your own, company-tailored ethics helpline policy and procedures, including non-retaliation (reporting employees protection). If you don't protect employees from possible revenge, they won't report serious issues or won't report any issues.

The policy should define all responsibilities for receiving and managing reports and for investigating and then acting upon them.

5. Decide on and set up an IT support for receiving and managing the helpline reports; it can be as simple as a special mail-box and excel sheet, or you can have ready to use IT tools.

6. Design a communication plan for gradual and consist communication to employees and managers about the helpline, the policies and procedures; always emphasize reasons behind it, benefits, that the reporting is kept confidential and retaliation is prohibited. Partner with your PR about this.

7. Launch  and good luck!

EXAMPLES AND RESOURCES

Code of Conduct - Sisco

http://investor.cisco.com/documentdisplay.cfm?DocumentID=3263

Business Conduct Guidelines - Siemens

http://www.siemens.com/sustainability/pool/cr-framework/business_conduct_guidelines_e.pdf

Siemens compliance system - with and ethics helpline ("Tell us" line):

http://www.siemens.com/sustainability/en/core-topics/compliance/system/index.php

ING Bank / Group Whistelblowing policy and a compliance platform:

http://www.ing.com/About-us/Compliance/ING-Group-Whistleblower-Policy.htm

An Ethics Point of Schneider Electrics, France (with different possibilities for helpline reporting):

https://secure.ethicspoint.eu/domain/media/en/gui/100211/index.html

Aon Ethics Helpline:

https://secure.ethicspoint.com/domain/media/en/gui/7663/index-en-D.html

HR Non- retaliation Policy - from SCCE web-site:

http://www.corporatecompliance.org/Resources/ResourceOverview/Library/LibraryDocument/ArticleId/1750/HR-Nonretaliation-Policy.aspx

Internal Controls for Compliacne

Having recognized and assessed compliance risks, namely the week spots in an organization or a business operation, you know what danger they represent regarding compliance, how likely it is to happen and how bad would it be, if it does.

Now you need to exactly locate these risks (if the risk assessment wasn't focused to certain business operation allready in advance). Find the exact busienss procesess/ sub-process where certain things might go wrong and the risk might materialize. The processes documents and maps can be very helpful in doing this.

These are the places you need to build in some control measures; ideally automatic (built in an IT support for specific risk area /processes) or organizational, rule based.

The outomatic controls for sensitiv data protection in the customer helath data basis for example, would be recognizing a person by its password and automative tracing of its acctions in the data base.

The organizational control would be having organized the processes in two phases, handled by two different persons, one controling the other or having a committee oversight etc.. Like 4 eye principle in approving a business deal with an off shore entity or committee approval of big donations, or having data privacy officer approval for employee e-mail supervision etc.

The rule basede controls are having writen rules for certain risk areas in which you oblige persons in charge to certify compliance or to disclose any business deal with a related person etc.

For managing certain compliance risk areas that are most important or typical for your organization or your sector, you can combine all of this types of internal controls for the same risks in the same process. You build in 'layers' of internal controls, risk based and smart.

You want to protect the company from material and moral lossess in case of incompliance, but you also want business processes to be able to operate normally and as simple as possible (given the risks).

Andrijana Bergant,

strongly convinced that a compliance as a business function will mark the future of Slovenian corporations’ governance, and that ethics will become something tangible in terms of business; usable in the process of serious business decision making.

Corporate compliance risk assessment, lessons learned

Since I have already written about risks theory and risk management in general, I am now writing more about compliance specific risks and what can a compliance risk assessment tell you.

In order to be able to manage compliance risks, we first need to recognize them. For this purpose we first have to take up a compliance risk assessment and put in place detective controls.

 

 

Actually, ideally we would first take up a structured, well-thought-over compliance risk assessment throughout our organizations. In reality, many do this after having some practice in compliance or specific compliance risk areas, learning about risks as you go, putting down fires and talking to the 'civilians' in an organization.

 

At least this is the situation in our part of the Europe, where compliance program and compliance management are novelties in the system of governance. Compliance as a governance function is hardly starting to show on the map in the corporate world, making its space 'under the stars'. It has to do a lot with adding to the existing checks and balances and changing power distribution in an organization, penetrating into already owned territories, braking Chinese walls sometimes :) Taking up compliance as an independent function from scratch is a great challenge, it means a change and it takes time, a lot of patience and energy. As most of the bigger changes do...

However, at some point compliance officer will take up a compliance risk assessment.

These would be typical dangers and unwanted consequences of incompliance, that you want to detect and locate the source of and prevent:

• Regulatory Inspection and penalties
• Civil damages and compensations
• Criminal prosecution and penalties
• Business loss or lost opportunities (like ban from a public tender)
• Loss or damage in reputation.

These would be typical indicators that help you detect and locate compliance risks:

• Tips from employees in different forms, like asking questions or direct reports of incompliance
• Internal incidents
• Clients' complaints
• Regulators inspection and findings
• Greater law suits and outcomes
• Employee research findings (like ethics surweys, corporate culture or organizational climate research)
• Process reality that differs from rules and procedures.

Analysing all or some of the above would be one way of conducting compliance risk assessment. However, use it as a base for interviewing the directors and key leaders in the company. This is really crucial in an overall corporate compliance risk assessment.

 

And the following are some of the typical drivers of compliance risks - the factors that you can (more or less) influence and thus act in a preventive manner:

• The corporate culture, ethics
• Tone from the top
• Propriety / integrity of persons on top and middle levels and key positions
• Reporting lines
• Policy management and implementation
• Employee education and awareness
• Rewarding system
• Disciplinary consistency
• Compliance communication and training.

We can express compliance risks by the categories in order to measure them.

We can rate low risk as 1 and 2 = not in focus of your attention for now; however you need to observe it regularly;

Middle risk can be rated as 3 and 4 = there is actual danger that something bad will happen, if we don't do something about it eventually; the time span and nature of measures are dependant of the rating of 3 or 4;

High risk as a 5 = this is a red zone, a 'tempted bomb'; you need to react quickly.
 

You can assign these risk grades to an overall business operation, certain business operation, certain events, relationships, business dealings or a business partner. In order to grade a compliance risk, you would usually follow these steps, which are best shown on an example:

 

1. Specify the situation and the risk; what’s the potential danger of something bad happening in certain business operation or a business relationship;

Situation: You are a well known technology products manufacturer from Slovenia and you are building a plant in Bulgaria. You are hiring an experienced contractor there, who will need to attain some licences from the Bulgarian government.

 

Risk: Danger that a contractor is not fit for the task of building a plant properly, which can lead to regulatory fines, accidents could happen etc. There is also a danger that a contractor would offer inappropriate payments to Bulgarian officials in order to attain licences.

You have risk of getting fined or prosecuted for security issues, a corruption and a reputation risk.

 

2. Evaluate the likeliness of that consequence to happen (you have to base it upon certain facts, experience and assumptions);

Security incident = 2

Corruption = 4

Reputation damage = 4

 

3.  Evaluate the severity of that consequence, if it comes true;

Security incident = 4

Corruption = 5

Reputational damage = 5

 

4. Grade the risks accordingly;

Security incident = (2+4)/2 = 3

Corruption = (4+5)/2 = 4, 5

Reputational damage = (4+5)/2= 4, 5.

 

5. Make propositions for mittigating these risks and then monitor;

As a compliance officer you would recommend that the company arranges for extra security supervision in building the plant later, however addres the highest attention to proper practices in the procedures with the Bulgarian government. You could suggest that the (additional) due dilligence of a contractor is conducted, too. You would want to communicate your code of ethics to that contractor and have some of your corporate professionals to escort this contractor through the procedures with the Bulgarian government. Your company will probably need to plan certain delay in starting your Bulgarian plant, due to longer waiting time and administration to attain the permits. But you will protect your good name (which has shown to be highly threatened) and sleep well.

 

Andrijana Bergant,

strongly convinced that a compliance as a business function will mark the future of Slovenian corporations’ governance, and that ethics will become something tangible in terms of business; usable in the process of serious business decision making.

Switching to english with my compliance and ethics blog

I am switching to English with this blog, so more visitors can understand my notes. I am seeing that many of the visitors are from North America, too. Welcome! I hope it will give you some useful observations about the corporate compliance and ethics environment in this part of the CEE region.

My mission as a compliance professional - of which this blog is an important part - is to share my observations and knowledge from over 6 years of experience in building compliance program from scratch in the Slovenian based corporation. I hope to help advance the compliance and ethics profession development in Slovenia and give some orientation points to the beginners in the field, as well as possible business / professional observers from abroad. Namely, the state of corporate compliance and ethics is a strong definer of the market in general; in terms of stability, maturity, competitiveness etc...

This is the translation of the titles of my previous blogs:
1. The beginning of this diary
2. Do we understand risks or rather feel them
3. What does honesty mean to me
4. What does a compliance do in a corporation, as a governance function?

When I started my compliance job in late 2007, most of corporate professionals and managers in my environment didn't know about compliance and ethics programs at all.

For few years now, compliance function is already present in banks and most of the insurance companies in Slovenia, because of the two EU directives, commonly referred to as Basel 2 and Solvency 2 directives. These directives are recognizing compliance as one of the key functions in the system of governance and are obliging financial sector companies - through the local legislation - to have it embedded into their governance structure.

Some companies from pharma, telecommunications and manufacturing ... sector also have compliance programs, due to the influence of their multinational principles. Most Slovenian managers and directors nowadays know that compliance and ethics are special discipline and ever more present part of corporate governance. There's more recognized link to corporate ethics, too.

Not long ago ethics was taken as something that doesn't really fit in a serious business conversation; not so much because it wasn't considered important, more of underestimated, and definitely not something you manage or have to implement. Today, corporate ethics and integrity is highlighted and talked about a lot.

What is happening now in Slovenia for the last year and some is that several civil and professional organizations started to form initiatives and working groups (of most of which I am an active member) exactly for promoting, educating and good practices sharing about compliance and ethics, using international standards and best practices.

I am just finishing giving an interview for the Compliance and Ethics Professional, the magazine of the mainstream international corporate compliance and ethics organization, the Society of Corporate Compliance and Ethics (SCCE). It covers exactly this topic in more detail and I will post in my blog after it's published in the Magazine first.

Andrijana Bergant,

strongly convinced that a compliance as a business function will mark the future of Slovenian corporations’ governance, and that ethics will become something tangible in terms of business; usable in the process of serious business decision making.

 

Kaj dela skladnost poslovanja kot funkcija upravljanja v podjetju?

V tem blogu želim povzeto in zelo konkretno opisati kaj skladnost poslovanja "dela" v podjetju.

Funkcija skladnosti poslovanja namreč pomaga reševati sistemska vprašanja skladnosti v kontekstu notranjega upravljanja in notranje-kontrolnega okolja, s čimer pomaga upravi uresničevati njihovo primarno odgovornost, da podjetje posluje zakonito (in pošteno...), kar pa je še vedno slišati precej abstraktno...

Skladnost poslovanja kot funkcija notranjega upravljanja ima zelo konkretne in v dobrih praksah jasno opredeljene naloge; namreč vzpostavlja in nadgrajuje sisteme in procese znotraj katerih se:

• zagotavlja skladnost poslovanja z zunanjimi in notranjimi pravili,
• zmanjšuje možnost za nastanek neskladnosti,
• zaznava obstoj neskladnosti,
• odpravlja neskladnost,
• ocenjuje tveganja glede skladnosti ter
• izvaja poročanje organu vodenja in nadzora o stanju skladnosti ter s tem povezanimi tveganji.

S tem povezano, funkcija skladnosti izvaja naslednje aktivnosti:

• spremlja spremembe v pravnem okolju in ocenjuje njihov vpliv na poslovanje
• opredeljuje ali soustvarja notranja pravila oziroma izvedbene akte,
• svetuje in pripravlja izobraževalne programe,
• vzpostavlja sisteme odgovornosti in poročanja,
• sestavlja opis funkcionalnosti informacijske podpore za spremljanje določenih aktivnosti ali drugih kazalnikov in izpolnjevanja dolžnosti,
• spremlja skladnost poslovnih aktivnosti, procesov...,
• rešuje primere neskladja in pripravlja ukrepe
• zbira in analizira različne informacije in podatke s strani poslovnih področij in drugih služb ter drugih razpoložljivih virov
• opredeljuje kazalce in dejavnike tveganja glede skladnosti, jih spremlja ter o njih pripravlja poročila.

Pri tem (so)ustvarja in uporablja orodja, kot so: Kodeks dobrega poslovnega ravnanja in druge notranje akte, poizvedbe in priporočila skladnosti, akcijske načrte in delovne skupine, mnenja glede skladnosti, navodila in obvestila skladnosti ter e-izobraževanja, neposredne delavnice z zaposlenimi, posvet s ciljnimi skupinami ipd...

Temeljni proces funkcije skladnosti poteka med-področno, kar pomeni, da pri izajanju svojih nalog, pooblastil in odgovornosti vključuje praktično vse službe oziroma poslovne divizije, s poudarkom na sodelovanju z notranjo revizijo, funkcijo upravljanja s tveganji, področjem za IT, kadrovsko in izobraževalno funkcijo ter službo pristojno za komuniciranje (notranje in zunanje).

Opis temeljnega procesa funkcije skladnosti poslovanja:

1. Indic oziroma sprožilec za začetek procesa je lahko: (i) vprašanje poslovne divizije ali službe oziroma konkretnega managerja ali strokovnega delavca, (ii) naznanitev neskladnosti, (iii) incident ali drug indikator neskladnosti, (iv) nov predpis, (v) nova praksa nadzornih organov, (vi) usmeritve ali priporočila organov in organizacij, (vii) zahteva notranje revizije, (viii) zahteva organa vodenja ali nadzora, (ix) zahteva zunanjega organa ali institucije.

2. Začetek postopka: priprave mnenja, usklajevanja, vzpostavitve procesov, priprave notranjih pravil, akcijskih načrtov, konceptov sistemov, postopek spremljanja skladnosti oz nadzora, poročila ipd.

3. Analizira relevantnega stanja in pregled relevantnih predpisov, notranjih aktov.

4. Opredelitev udeleženih poslovnih divizij in služb ter pridobivanje dodatnih informacij.

Če gre zgolj za pripravo odgovora ali mnenja, se postopek tukaj konča, seveda z izdelavo odgovora ali kompleksnejšega mnenja.

5. Opredelitev potrebnih aktivnosti in ukrepov, usklajevanje s poslvonimi divizijami in službami glede načina izvedbe, rokov in nosilcev.

6. Podpiranje same izvedbe, po potrebi.

7. Monitoring izvedbe aktivnosti in ukrepov (včasih tudi preko funkcije notranje revizije).

Andrijana Bergant

v prepričanju, da bo skladnost poslovanja kot poslovna funkcija, pomembno zaznamovala prihodnost upravljanja slovenskih podjetij in da bo etika postala nekaj oprijemljivega, pri resnih poslovnih odločitvah uporab(lje)nega.