Effective Ethics & Compliance Programs Reduce the Likelihood of an FSGO Violation
The Federal Sentencing Guidelines for Organizations (FSGO) apply to a wide range of companies and organizations, including corporations, partnerships, workforce unions, pension funds, trusts, non-profit entities and governmental units.
Any mention of sentencing guidelines immediately brings two questions to mind: “How much?” and “How long?”
However, at the heart of the FSGO guidelines there are two key elements of sentencing: ‘just punishment’ and ‘deterrence.’
With the ‘just punishment’ element, the punishment is intended to justly and demonstrably reflect the degree of blameworthiness of the offender, whether that is an organization or individual. With the ‘deterrence’ element, potentially significant incentives (as outlined below) are offered for organizations to detect and prevent issues.
Introduction to the FSGO
An organization can be held criminally liable for the acts of its employees, even if an employee acts directly contrary to organizational policy and training. As a consequence, despite its best efforts to prevent wrongdoing, an entire organization can be affected, and face financial, reputational and employee-morale damage.
Given this ‘institutional vulnerability’, the design of the FSGO sentencing guidelines recognized the potential preventive and deterrent benefits of systematic compliance and ethics programs. As such, potential fines can be mitigated by anything up to 95% if an organization can demonstrate that it had put in place an effective compliance and ethics program.
Moreover, cases such as that of Garth Peterson at Morgan Stanley, involving violation of federal anti-corruption laws, now show that an organization that can demonstrate an effective compliance and ethics program is in a far better position to defend itself, should those circumstances arise. (Note that “effective” can be a subjective term.)
The FSGO’s ‘effective compliance and ethics program’: The seven key criteria, summarized
Under the FSGO, to have an effective compliance and ethics program, organizations are required to:
- Establish appropriate standards and procedures to prevent and detect issues.
- Establish program oversight by high-level management, typically the Board.
- Demonstrate due care regarding individuals to whom substantial discretionary program authority is delegated.
- Establish effective communications and training.
- Establish effective monitoring, auditing and evaluation of the compliance and ethics program, and establish and publicize a (whistleblower hotline) system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual issues without fear of retaliation.
- Promote and enforce the compliance and ethics program consistently throughout the organization through appropriate incentives and disciplinary measures, both for engaging in wrongdoing and also for failing to take reasonable steps to prevent or detect wrongdoing.
- Take reasonable steps to respond appropriately to wrongdoing once detected and also to prevent further similar conduct, including making any necessary modifications to the compliance and ethics program. As part of this, a periodic risk assessment should also be undertaken, and appropriate changes made to the compliance and ethics program.
Ideas & Innovation for Compliance Based Ethics Programs
Arguably, few (if any) of the FSGO’s seven key criteria are unique and, indeed, most can be found in compliance and ethics programs across the globe, to a greater or lesser extent.
Compliance officers face broadly the same challenges when implementing FSGO, regardless of industry, sector, or geography, and it is for this reason that compliance and ethics events typically include sessions on training, communications and influencing the Board.
Indeed, regulators and the organizations that they regulate have historically focused on ‘input’ compliance – on the basis that if the inputs (such as training) are right, then the ‘output’ will be a compliant organization. Unfortunately, history is now littered with organizations that might well have trained everyone, but were subsequently found to be far from compliant and ethical.
What follows are just a few, brief examples of new ideas and innovative approaches that offer the potential to fundamentally change the effectiveness and genuine reach of an organization’s compliance and ethics program:
Turning Compliance ‘Push’ into Employee ‘Pull’
‘Push’ is central to compliance and ethics programs in most organizations; pushing out training, pushing out training reminders, pushing out escalations, pushing out communications emails and so on.
Not surprisingly, this leads to compliance and ethics fatigue, push back and a host of other issues, both for employees on the receiving end, and for the compliance and ethics function.
However, the push-related issues that I’ve encountered during my career caused me to think about how I could turn compliance push into employee pull — where employees genuinely wanted to receive compliance and ethics-related materials because they were important to them. From that came a number of ideas, three of which did prove to be very successful:
- The Compliance and Ethics Covenant. The Covenant was loosely based on the concept of the UK’s Military Covenant, and my experience – using a passionately written Compliance and Ethics Covenant delivered to everyone in the organization from the most senior to the most junior – was that it fundamentally shifted the perception of compliance and ethics. Largely, this was because for the first time it was more personalized, and certainly pulled no punches about why compliance and ethics is important and relevant.
- The Compliance and Ethics Passport. Most organizations have some form of compliance and ethics training regime, which involves the printing of a simple certificate upon completion of a course — a certificate which often gets thrown in a drawer and forgotten. The Compliance and Ethics Passport, however, changes that. It means that once an individual’s training and other related actions are up-to-date, they have their passport, which is a more formal, valuable and durable certification of achievement. It also offers the opportunity to make training completion a more celebrated and recognized achievement, and a valued professional qualification, which opens up a number of new compliance and ethics incentivization opportunities.
- Scores on the Doors. Whilst the Passport worked well for individuals, there is also a similar opportunity for teams, from shop-floor to top-floor, and even third-parties such as suppliers and vendors. Scores on the Doors used the simple five-star hygiene rating scheme used by many cafes and restaurants as the foundation for a team compliance rating system, driven by a number of parameters – including compliance training completion levels, failure rates, numbers of ‘serial offenders’ (i.e. employees and contractors who had consistently failed to complete their training on time), and senior management compliance training performance, which included levels of attendance at special education sessions.
Many of the perennial challenges for compliance and ethics officers involve whistleblower hotlines. For example, what’s good — a high level or a low level of reports?
However, a common experience of compliance and ethics officers is that employees (and contractors) often perceive calling the hotline to be a very major step; something not to be undertaken lightly and something that perhaps goes against their very upbringing.
From personal experience, these issues can be exacerbated in locations and countries where an organization has a small presence. For example, an employee may be in a small office sitting directly opposite the very manager about whom they wish to make a hotline report. However, they have no idea – and little confidence – whether their report will get back to that manager, and whether they will remain truly anonymous given the relative ease with which they could be identified using a simple process of elimination.
As a consequence, we opted to provide both a hotline and a helpline, with the intention of removing, or at least mitigating, initial concerns employees might have about calling the hotline.
We also went one step further, deciding to brand the helpline. Thusly, VeRoniCA (Virtual Regulatory Compliance Assistant) was born. Branding, or naming, compliance in this way gave compliance ‘a face’ – which, in turn, provided greater reassurance and support to employees, together with the perception of easier, friendly access.
Put simply, this approach served to get people used to calling and/or emailing VeRoniCA. ‘Ask VeRoniCA’ became common parlance within the organization.
In practice, those calls and emails went, just as they would have done before, to the compliance team. But, employees were now more prepared and used to raising compliance-related issues. VeRoniCA provided a channel to raise issues semi-formally whilst also facilitating escalation directly to the hotline if deemed appropriate. In this way, the major step often associated with calling the hotline itself was mitigated.
Moreover, VeRoniCA facilitated direct, indirect and subliminal messaging, including direct messaging via e-mail, and indirect messaging via posters. Life-sized cardboard cut-outs of VeRoniCA were also used in building receptions and other areas to reinforce the compliance and ethics message very effectively.
Benford’s Law, or the first-digit law
Data collected by the Sentencing Commission shows that organizations are sentenced for a wide range of crimes. The most commonly occurring (in order of decreasing frequency) are:
- Environmental waste discharge
- Tax offenses
- Antitrust (competition law) offenses
- Food and drug violations
Whilst fraud may not fall under every compliance and ethics officer’s remit, there is an intrinsic link between compliance and ethics failures and other issues. For example, modern slavery, or human trafficking, very rarely occurs without bribery and corruption.
Benford’s Law states that in lists of numbers from many real-life sources of data, the leading digit is distributed in a specific and non-uniform way.
According to this law, the first digit is 1 about 30% of the time, 2 about 18% of the time, and larger digits occur as the leading digit with lower and lower frequency, to the point where 9 as a first digit occurs less than 5% of the time. This counter-intuitive result has been found to apply to a wide variety of data sets, including invoices and utility bills.
Whilst Benford’s Law gives an interesting (and surprising) result, it has direct relevance to the work of compliance and ethics professionals in the areas of fraud, bribery and corruption.
One good example is that if someone attempts to falsify an accounting return then, inevitably, they will have to invent some data. When trying to do this, the tendency is for people to use too many numbers starting with digits in the mid-range such as 5, 6 or 7 — and not enough numbers starting with 1. Clearly, this violation of Benford’s Law would immediately set alarm bells ringing.
As another example, if Benford’s Law had been applied prior to the Enron scandal then it would have revealed issues with the earnings reports released in 2001 and 2002; revenue numbers were subject to upwards management, as were the Earnings per Share (EPS) numbers which showed a marked discontinuity in the distribution.
In procurement and compliance, Benford’s Law can be used to show any skew in invoice values. Typically, this analysis will highlight that invoice values are concentrated around a leading digit of, say, 4 – to get below a signing threshold of $500 or $5,000. If suppliers are attempting to circumvent such rules — usually involving collusion, tacit or otherwise — then what else is going on?
Benford’s Law needs data that is neither totally random nor overly constrained, but rather lies somewhere in between. However, this is exactly the type of data that is encountered in real-life business situations and that is why Benford’s Law is such a useful, simple, and often underutilized compliance and ethics tool.
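The first-digit check described above, written out as an added example (it is not the author's own analysis or tooling). It compares invoice amounts against Benford's expected distribution and counts invoices sitting just under an approval threshold. The chi-square and z-score tests, their 5% critical values, the 10% band, all function names and both sample data sets are assumptions made for this illustration.

```python
import math
from collections import Counter

# Benford's Law: P(first digit = d) = log10(1 + 1/d)
EXPECTED = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRIT_8DF_5PCT = 15.507  # chi-square critical value, 8 degrees of freedom, 5% level
Z_CRIT = 1.96                # normal critical value, 5% level (assumed cut-off)


def leading_digit(amount):
    """First significant digit of a non-zero amount (sign ignored), else None."""
    if not amount or not math.isfinite(amount):
        return None
    return int(f"{abs(amount):e}"[0])  # scientific notation, e.g. '4.750000e+03' -> 4


def digit_counts(amounts):
    """Count of each leading digit 1..9; zero and non-finite amounts are skipped."""
    counts = Counter(d for d in map(leading_digit, amounts) if d)
    return {d: counts.get(d, 0) for d in range(1, 10)}


def chi_square(counts):
    """Goodness-of-fit statistic of the observed counts against Benford."""
    n = sum(counts.values())
    return sum((counts[d] - n * p) ** 2 / (n * p) for d, p in EXPECTED.items())


def over_represented(counts):
    """Digits whose observed share exceeds Benford by more than Z_CRIT standard errors."""
    n = sum(counts.values())
    flagged = []
    for d, p in EXPECTED.items():
        se = math.sqrt(p * (1 - p) / n)
        z = (counts[d] / n - p - 1 / (2 * n)) / se  # continuity-corrected excess
        if z > Z_CRIT:
            flagged.append(d)
    return flagged


def just_below(amounts, threshold, band=0.10):
    """Invoices in the band immediately under an approval threshold."""
    return [a for a in amounts if threshold * (1 - band) <= a < threshold]


def analyse(amounts, threshold):
    counts = digit_counts(amounts)
    chi2 = chi_square(counts)
    return {
        "n": sum(counts.values()),
        "chi2": round(chi2, 2),
        "conforms": chi2 <= CHI2_CRIT_8DF_5PCT,
        "over_represented": over_represented(counts),
        "just_below_threshold": len(just_below(amounts, threshold)),
    }


def constructed_ledger(n=2000):
    """Constructed sample: amounts spread evenly on a log scale from $10 to
    $100,000, which follows Benford's distribution closely."""
    return [10 ** (1 + 4 * (i + 0.5) / n) for i in range(n)]


def constructed_split_invoices(k=300):
    """Constructed sample: invoices priced between $4,500 and $4,999,
    just under a $5,000 signing threshold."""
    return [4500 + 499 * i / k for i in range(k)]


if __name__ == "__main__":
    clean = constructed_ledger()
    mixed = clean + constructed_split_invoices()
    print("clean ledger:", analyse(clean, threshold=5000))
    print("with invoices under the threshold:", analyse(mixed, threshold=5000))
```

A failed fit only says the ledger deserves a closer look; the over-represented digit and the count under the threshold show which invoices to pull first.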
The Realities of Retaliation, Helpful Human Behavior Insights, & Innovation For a More Effective Compliance Program
The Federal Sentencing Guidelines for Organizations (FSGO) outlines seven key criteria that any effective ethics and compliance program requires. However, the guidelines are far from unique, and facets of each can be found in programs throughout the world.
In this series, my goal is to offer actionable suggestions and insights that readers can use in their own compliance programs. Implementing measures such as these can help compliance officers prove the efficacy of their initiatives, particularly with regard to the FSGO.
The realities of whistleblower retaliation
Most organizations have a ‘No Retaliation’ policy for whistleblowers. This is clearly the right thing to do. However, most policies are just that; they sit on the shelf and often have little impact on what happens in day-to-day reality.
Moreover, despite so many ‘No Retaliation’ policies, it takes mere moments to find appalling cases of retaliation, involving some very high-profile and household name organizations, that have taken place around the globe.
Whatever form the retaliation takes, it certainly impacts the individual and means that other people will inevitably think twice before whistleblowing. In fact, fear of retaliation is the principal reason why people say they would not make a whistleblower hotline report.
With this concern guiding me, I decided to look at the whistleblower data to determine who the whistleblowers were (in cases where we had that information) and then link those individuals to data that could be indicators of retaliation. I discussed the process and results thoroughly in this article, if you’d like to learn about the details. In essence, my manual analysis made it quite clear that retaliation is alive and well. While I couldn’t eradicate retaliation entirely, the data allowed me to raise the issue. Additionally, it demonstrated that the problem was being monitored in some capacity.
Using psychology concepts to ‘Nudge’ behavior
Nudge is a concept in behavioral science which focuses on the power of positive reinforcement and indirect suggestions as ways to influence the behavior and decision making of groups or individuals.
Clearly, delivering effective communications is a key component of any compliance program. Still, it remains one of the biggest and most persistent challenges for virtually every compliance officer. Implementing an effective communications regime hinges on a host of interconnected issues, including:
- Messaging frequency
- Effective stakeholder management
However, in my former role as CECO at British Telecom, I became concerned that our communications program was simply not effective, based on both anecdotal and factual evidence that many of our communications were being ignored, skim-read at 4:55 p.m. on a Friday night or, worse still, deleted without reading.
The downsides of using legalese when drafting ethics and compliance-related documents
Most of our early communications were written in the language that felt most natural: ‘business speak’. These communications were prepared generically for an organization-wide audience, with little focus on personalization for department or job function. For us, as the compliance and ethics team, this approach meant that we could write something, involve legal, HR, and any other stakeholders to get it cleared, and then simply send it out… job done!
Unfortunately, the job wasn’t done. Therefore, we experimented with the concept of ‘nudge’, ultimately achieving major improvements in impact from modest changes to channels, language, techniques, terminology and images.
Similar to many other organizations, we experienced a formidable logistical challenge in training those employees who were on the road or in warehouses, as they did not have straightforward access to a work-based PC. Taking groups of these employees or contractors off production, distribution, or customer service would have very direct and immediate effects on organization performance.
As a consequence, we implemented a process nudge by creating telephone training, where employees undertook their basic training over the phone and could do so from virtually anywhere.
This was one of our most successful programs. Further, by allowing the training to be undertaken at home, we fostered an environment of even greater trust.
Experimenting with tactics can yield impressive results
Much of our nudging involved experimentation — we discovered that minor terminology changes can make a huge difference, and sometimes brought surprising benefits.
Crucially, however, those communications benefits came at zero cost, and often hinged on just simple re-phrasing. Why not use nudge to budge your compliance and ethics program?
How far would you go to ensure FSGO compliance?
I raised this question at the end of my last article, but it’s a useful query to ask repeatedly. By asking ourselves this question on a regular basis, innovation in the delivery and implementation of organizational compliance programs is fast tracked and made more effective.
In continuation of this FSGO-related series, Katie Smith will share additional ways to modernize your program while satisfying the FSGO. For now, I’ll leave you with two memorable examples from my CECO career:
- Would you, as I did, send a fictitious letter to managers following their Anti-Bribery and Corruption training, inviting them and their families to an all-expenses paid ‘day at the races’? (Astonishingly, many of the responses either accepted the invitation or were along the lines of ‘I would have come, but you didn’t give us enough notice’ …!)
- Another time, I sent a wrapped bottle-shaped box to everyone in the procurement team at Christmas, containing a copy of the Gifts & Hospitality policy.
These are just some examples of different approaches to achieving and maintaining world-class compliance and ethics… how far would you go? Please feel encouraged to share your ideas in the comments section – I’d love to hear them.
Innovative Ethics & Compliance Program Ideas You Can Use to Achieve FSGO Excellence
As Keith Read mentioned above, most of us in the CECO role don’t just aspire to meet the Federal Sentencing Guidelines (FSGO), we want to achieve world class compliance and ethics.
You don’t need an army of 100 or a million-dollar training budget to turn aspiration into achievement, either.
Using the FSGO and the results of your organization’s risk assessment as roadmaps, * you can strategically craft a 3-year plan to operationalize an updated compliance program, then start chipping away. But, if the organization’s program feels stuffy and stale before you even begin – sort of like you’re jamming to a Milli Vanilli song – let’s explore some modern ways to exceed the FSGO’s standards.
* If you haven’t done a risk assessment yet, we’ve got you covered here.
The human side of ethics and compliance
Humanizing the ethics and compliance program should be a central goal. A program’s success is directly tied to how employees perceive it, so they need to trust the entire ethics and compliance team. Employees need to believe that ‘organizational justice’ will be delivered when it’s needed most.
For this to happen, you have to step out from behind the proverbial “Wizard of Oz” curtain, a place where we compliance pros often get stuck. In my experience, this is best done with a two-punch strategy:
- Boots on the ground
- Virtual initiatives
There are plenty of options to win on both fronts, and what follows are experiences from my own career. These are all initiatives that have worked well for me over the years, and I hope they can be of use to you, too.
Boots on the ground is best
Employees need to know you and your team. When I was the Chief Ethics Officer at USAA, one of my first goals was to pull the ethics office out of the shadows. We had to build our internal brand.
At live training events, I always challenged the participants to seek out the Ethics Office and visit us in person to receive a “special surprise,” which amounted to ethics branded pens and toys. We would also hold office hours in common areas. After all, if they can’t or won’t come to you, bring the Ethics Office to them.
Every year, we took advantage of National Ethics & Compliance Week. It’s the perfect opportunity to do a full week of events with speakers, games, scavenger hunts, and other activities.
My favorite theme was the year we used compliance-based lessons from Willy Wonka. Employees received golden tickets with ethical lessons from the movie. We gave everyone an afternoon break, complete with chocolate fountains. “Wonka Bars” with our helpline info on them were passed out, and some of our ethics liaisons even dressed up as Willy Wonka characters and walked around taking selfies and thanking employees for making good decisions every day. It might sound a bit silly, but it was also a fun break from the workday. It was pretty memorable, too.
In 2018, Ethics and Compliance Week takes place November 4 – 10. If you want to learn more about ways to celebrate, click here.
Expanding your internal network
Another boots on the ground must-do is expanding your network internally.
If you don’t already have an ethics & compliance liaison network in place, make that a first priority. This network exponentially increases your direct impact on the workforce because these people are fellow employees within the business. They also have a unique perspective that helps you sort through any conflict of interest issues.
Global doesn’t have to mean boring
When your organization has a geographically separated team and/or remote workers, you absolutely must identify innovative ways to connect with them. Use an internal social media tool like Slack or Yammer to send out communications, short videos, and even compliance trivia questions.
For the trivia contests, we would send little surprises to the winners in the mail (and who doesn’t love getting non-junk snail mail?)
Another effective way to level-up your compliance program is to transform your one-sided code of conduct into an interactive code. As a bonus, you can track employee engagement with the code. Using Web analytics, you’ll know what topics people are concerned about or interested in, and which areas receive no traffic or engagement.
This data gives you a roadmap to the types of content you should push out to mitigate your organization’s risks and achieve compliance excellence. Additionally, interactive codes give you real-time data about how your communication and training campaigns are impacting employee behavior.
Measure impact and effectiveness of compliance based ethics, not activity
Measuring effectiveness, not just activity, is key. Tracking the number of conflict of interest (COI) disclosures you receive is interesting, but it doesn’t tell you much beyond the fact that employees know how to fill out a form.
In contrast, here’s how you measure impact and efficacy:
Let’s assume you’ve pushed out a communication or training spotlight on a particular type of COI, and you soon see a spike in disclosures. You’re now the proud owner of data that validates the fact that your communication efforts impacted behavior. This is an ideal outcome, because any compliance professional’s ultimate goal should be to impact behavior.
If you can get employees consciously (or subconsciously) asking, “Does this activity support our values?” you’re in a great place. Infusing ethics into the DNA of a company’s culture drives more impact than a 20-minute training course.
Meet the reporter where they’re comfortable
The FSGO dictates that a program should have standards to prevent and detect misconduct. To achieve this in the 21st century, that means we have to meet the reporter where they’re comfortable.
Calling an 800 number isn’t the most comfortable way for most employees to report issues. In fact, according to Ethisphere’s World’s Most Ethical Company 2017 survey data, only 12% of employees report misconduct through a helpline or Web portal. However, with recent technology like anonymous SMS reporting, new communication channels have opened. Many employees may feel more comfortable using these tools for reporting sensitive issues; offering them helps you build trust to solve problems.
Likewise, Ethisphere also noted that 68% of employees report issues to their immediate manager. This means we must ask ourselves, “What measures are in place to set front-line leaders up for success?”
One tool that has worked exceptionally well for me is building an internal app for ethics and compliance:
- Give leaders a virtual toolkit to navigate the issues reported to them (i.e. what issues can they handle, how to best handle them, what issues need to be escalated, and how to follow that process). This ensures your leaders are equipped to respond to employee concerns appropriately, without compromising the sanctity of any investigations.
- The app also served as a pocket resource for the rest of the workforce, with a robust FAQ, a gamified ethical decision-making tool, quick links to disclose a conflict, and ways to report ethical concerns right from their smartphone.
- Apps can also be used to push out quick training sprints or to create awareness with QR codes that people can scan for points in a game. For some employees, getting to the top of the Leader Board is a big priority. Capitalize on this competitive spirit and use it as a creative way to sneak in some content on a compliance topic.
Use incentives to illustrate operational justice
When new emphasis was placed on incentives, I think it’s safe to say that the majority of us in the compliance space struggled with how to operationalize this new expectation.
When I was at USAA, we implemented an Ethical Courage Award to promote employees that had the courage to speak up. Whether it was to report an ethical concern, an idea for a process improvement, or to raise a question, we created an environment that encouraged and celebrated that behavior.
We asked for employee nominations, and the field of winners was privately notified. If the recipient was comfortable being identified publicly, the senior executive in that business unit celebrated their achievement at a town hall or other organization event. All recipients were also presented with an ethical courage medal. Some recipients were featured in a company-wide news article highlighting their stories of ethical courage. If the reporter wanted to remain private, the ethics team and I presented the medal to the individual in a private meeting in the Ethics Office.
In the spirit of the FSGO and Ethics & Compliance excellence, don’t be afraid to experiment
Being the trailblazer behind a brand-new compliance program can be a daunting task, but, rest assured: there are ways to achieve excellence that pay off in real business dividends.
By weaving ethics into the company DNA, and therefore pulling employees into active participation, you can meet FSGO standards while managing a more effective program. The first step is to create your roadmap – when will you do yours?
In the meantime, here’s some additional reading that will help you achieve and maintain FSGO compliance: A Practical Guide to Compliance Program Review & FSGO Benchmarking. This comprehensive guide includes a Compliance Program Hallmarks Assessment Template you can use when assessing the efficacy of your compliance program, plus an actionable, 4-phase program that the entire compliance team can use to ensure FSGO compliance throughout the company.