The Zen of Compliance Best Practices is Intrinsic and Ethics-Based


No compliance officer worth her salt would argue with this statement: “We strive to maintain an ethics-based organization.” But compliance teams, with all of the internal and external scrutiny, with all the regulations and increased enforcement activities, with the ever-present mantra of “always do the right thing,” still to this day have difficulty instilling a true ethics-based culture into their compliance programs. They struggle to define it, to measure it and prove its ongoing value to the organization.

Maurice Stuecke, a professor in the College of Law at the University of Tennessee, recently published a fascinating paper entitled “In Search of Effective Ethics & Compliance Programs” that compares the more typical extrinsic, incentive-based compliance program to one that takes an intrinsic, ethics-based approach. While not necessarily answering these questions for compliance leaders, this paper prompts reflection on what we mean by effective compliance and how that relates to an ethical culture.

When we think about the “zen” of compliance best practices, we usually turn to the US Federal Sentencing Guidelines for Organizations (FSGO) and the “seven elements of compliance” as the gold standard. However, Stuecke’s insights should raise some eyebrows (especially at the DOJ) as he looks at “extrinsic” versus “intrinsic” compliance. He contends that the regulators should turn their view of compliance around in a way that motivates organizations to promote ethics first, and that compliance will follow.

Looking at compliance from an extrinsic perspective, Stuecke says, basically means that regulators tell organizations what they must do to meet compliance standards, then those organizations do the bare minimum to meet those requirements. Organizations that follow this approach run “command-and-control” compliance programs that, essentially, look to attack the symptoms rather than the disease. To enforcement agencies, these programs meet the requirements of the FSGO and can work in the organization’s favor by limiting liabilities and penalties. In this way, organizations look at compliance as insurance. That is, an “effective” compliance program will “pay out” should misconduct occur and individuals within a company are found guilty of circumventing the company’s policies. The company may still be liable, but the damages will be lessened because of this insurance.

But remember, with insurance comes a premium, a tangible cost required to “hold the paper” of the insurance policy. It’s akin to our driving habits: you don’t want to have a car accident, but if you do, you have insurance. Could you be driving with a bit less care and diligence since you know you have that insurance? Possibly. I doubt if you would admit to that, but think about it.

Most of us (and most organizations) believe ourselves to be ethical. Most are unwilling to think of themselves as “less ethical” than their fellows. Yet if we are honest, we know that we don’t always “do the right thing” (even though we might like to think that we “would,” if the opportunity presented itself). But even with policies and training and executive messages, employees can develop what Stuecke calls “ethical blindness,” taking an attitude of “how much can I legally get away with.” When the organization allows that attitude to take root, it becomes bare-bones, “check-box” compliance that is well-removed from an ethical attitude. According to Stuecke, “Individuals can morally disengage. They blame their boss or co-workers, perceive the unethical conduct as widespread, or otherwise rationalize their misconduct. They inaccurately predict how they will behave when confronted with an ethical dilemma, their actual unethical behavior, and their rationalizations to maintain their ethical self-image.”

And that’s a potential tar pit for an organization, and, if you’re truly concerned about people (i.e., your employees), it’s a trap for them as well. They learn to “game the system” and look at business (and life) as risks that must be taken in order to succeed. Would you want to attest to this statement? “Yes, we have a values-based Code, but we’re ok with breaking the rules, just a little, if we have to. We can expect the enforcers to cut us some slack when we say we have a compliance program and stepped over the line only a little.” Yikes. As an uncle of mine used to say, “The road to hell is paved with good intentions.”

I like this story that Stuecke tells us in his paper. His local supermarket prides itself that the customer is always right, and never counts items like the number of ears of corn that the customer has bagged up. The store trusts its customers, and even better, most customers don’t abuse that trust. As Stuecke says, “the supermarket not only signals trust, but enables its customers to behave ethically and to habituate that ethical conduct.” That’s an example of intrinsic, ethics-based compliance at its very best.

Stuecke’s point is that regulators and enforcement agencies should move away from the extrinsic, incentive-based approach promoting a “check-box” compliance mentality, and should instead re-align the FSGO to provide tangible ways for organizations to build an ethical culture that innately drives compliance.

The bottom-line message is this: The catalyst for an organization’s compliance best practices must be its ethical nature. Doing so creates value, tangible and intangible, internal and external, for the organization, its employees, its stakeholders, and its customers.

