Integrity and the continuous battle against fraud and corruption are stepping out of the limelight into which they've been pushed for far too long. Recent integrity issues, such as the LIBOR scandal, highlight the need for ethical behaviour from the top down, with clear and hard boundaries which are consistently enforced. The case should also be made for the establishment of integrity oversight committees to complement existing committees in organizations' boards to ensure consistency and transparency.
Past initiatives have not solved the problems
If I look at the past 12 years, starting with the WorldCom and Enron affairs, it seems like every year has been marred by at least one large fraud or corruption scandal. And I'm still to be convinced that initiatives such as Sarbanes-Oxley and others matter all that much in combating fraud and corruption. With hindsight it appears that we're trying to fix a problem not at the root cause, but at the point where it starts showing up: in financial and administrative processes and procedures. That is not necessarily a cost-effective manner. These past initiatives have clearly not solved the problem.
The question then appears to become an easy one: are there alternatives? I actually believe this to be a complex question, but establishing integrity oversight committees at the level of the board, in addition to compensation and audit committees, can go towards a viable solution in the combat against fraud and corruption.
Where do we start?
As a point of departure for this approach we need to agree that there is to be a zero tolerance for fraud, corruption and breaches of integrity. "Zero tolerance" needs to be read here not as "we will not have any", but as "when we become aware of a breach, we will eradicate it." Now that's easy to say, but where do we start?
Values as a reference for behavior are best established by all stakeholders
Most control frameworks such as COSO-ERM and ISO-31000 state that the "tone at the top" is an important if not the most important element in establishing a pattern of ethical and non-corrupt behavior in collaborators. A number of studies, such as this one, this one and this one have also highlighted that ethical behavior or lack thereof is influenced by the behavior of the manager directly responsible for that collaborator.
Hence, management at all levels of the organization needs to walk the talk for the collaborators to comply with a certain required pattern of ethical behavior. You cannot expect your direct reports to behave in a certain manner if you yourself are not consistently showing this behavior as their manager. This is not new.
The question then becomes, what constitutes a recognized behavioural pattern? Going all the way up, what is the correct behavior to reflect? What are the values of the organization that you need to show and to comply with as a manager? What behavior are your managers showing you? Is this a set of values which are imposed on an organization from the outside, often as a result of an external consulting project? Or is something else needed?
I believe that values are established by and with all stakeholders, people we touch as an organization, collaborators of the organization and owners of the organization. I also believe the board, as representative of the owners, has a significant role to play in both determining the relevant values, monitoring compliance with them and dealing with identified transgressions of them. After all, owners own a business which operates in a business reality. The stakeholders influence that business reality. Owners therefore need to be very aware of that influence and make sure they adequately adapt to it. If they fail to do that, they will have no business left.
Developing the integrity framework is an integrated, concerted effort
An integrity framework is a set of values and corresponding behaviors which serve as guiding principles for an organization. It should be a formal translation of all of the above-mentioned factors and influences. But of course such an integrity framework only makes sense if it has been developed in close collaboration with the people working for the organization and the people with a stake in the organization: clients (in the broadest possible sense), collaborators (those who develop and deliver to clients) and the board.
Thus, for an integrity framework to make sense to the collaborators and clients it needs to be developed in collaboration with the collaborators and the clients, in their language to ensure a proper understanding of the specifics of the framework which they will need to apply and comply with.
In my personal opinion, it also pays to have the board intimately involved in the development effort. After all, while the board members are not usually actively involved in day to day management, they need to see their positions and concerns reflected in that ethical framework. Again, as stated above, those concerns need to be, amongst other factors, a reflection of the way they see the influence of outside stakeholders on their activities.
To illustrate, consider an organization which has its ethical framework developed by outside consultants, without active board involvement. A significant risk exists that it will reflect only the vision of the few people consulted in the development, it will likely use the consultants' language rather than that of the collaborators, and it will not necessarily reflect the values held high by the investors, owners or stakeholders, represented by the board members. The likelihood of acceptance by the board and adoption and application by the collaborators will therefore be significantly lower than for a framework which was developed in close collaboration by the members of an organization themselves.
Compliance monitoring is ultimately a board responsibility which requires a strengthening of internal audit
Once the framework is in place, its application needs to be monitored. It's clear that if a framework is only considered to be an exercise in writing, with no monitoring taking place, its adoption will not be very high.
Monitoring the compliance of an organization and its members with the specificities of the adopted ethical framework should occur under the ultimate control of the board, just like internal audit is ultimately under control of the board. Because of its independence and yet its proximity to the organization the "analysis and assessment" capacity directly linked to the board, the internal audit, can both monitor and investigate allegations made of transgressions of the ethical framework. Of course, assigning this as an additional responsibility to internal audit will require a strengthening of internal audit both in numbers and in capabilities. For example, we've significantly invested in enhancing our capabilities in data analysis for fraud investigations.
Compliance monitoring is important not only for enforcement through identification and appropriate action, but also to ensure that the message of the framework has gotten across. It's entirely possible that for all intents and purposes the development of the framework was done in the best possible manner, but the message fails to be clear on a number of aspects. These need to be clarified. Monitoring of compliance can give us an indication of where things have gone wrong or were not appropriately formulated to be well understood.
Enforcement needs to be transparent with respect for the individuals involved
There will be transgressions. Every organization needs to get rid of the naïve assumption that this will not happen to them. It's likely to happen. Quite probably, it has happened already. Fraud, corruption and breaches of ethical behavior do occur. However, once identified and appropriately confirmed they need to be dealt with as soon as possible.
And while the management team has a role to play here, I would strongly suggest actively involving the board as well.
Why? First, it's about transparency. The board has a right to know where and how the integrity framework they helped establish as a reflection of their values is being circumvented.
Second, management is not always the best placed to take the appropriate measures. The board remains a structure which is removed from day-to-day operations. Management, on the other hand, needs to deal with these people every single day. Correct enforcement may influence or damage working relations. Some managers may not feel comfortable enforcing a policy towards direct reports. Even if they want to, management is not necessarily, in substance nor in form, totally independent in deciding on the most appropriate measures.
We can have a long discussion on whether or not this is a task of the manager (I think it is, for the record) but with direct reports it may turn into some sort of hidden self-regulation. It is not necessarily transparent, hence my suggestion to involve the board in this. Its role is not complex: based on the analysis of the breach, assess the severity of the breach, recommend appropriate measures to deal with the breach, and monitor correct application of the recommendations. All of this needs to occur in a manner which is both transparent to the organization and which maintains the anonymity of the people involved in the specific case.
The need for a structure: the integrity oversight committee
Given the width of the activities the board will actively be involved in, establishing a separate committee in addition to committees such as compensation committees and audit committees makes sense. These are advisory committees to the board and help in the preparation of the decisions for the board.
The integrity oversight committee is a way of ensuring a more consistent ethical conduct in organizations.