December 2024

2024 Ethics and Compliance Recap: Insights and Key Trends Shaping 2025

Posted on December 19, 2024December 19, 2024 by Ethisphere

The case for why culture is so important has never been made clearer, with the DOJ’s updated guidance bringing ethical culture front and center.

This has been an extremely eventful year for the Ethics and Compliance community. Major regulatory enforcement actions, a big Evaluation of Corporate Compliance Programs guidance update from the Department of Justice, the operationalization of artificial intelligence, evolving supply chain risk, and many more issues have made the best practices of the business integrity space more valuable than ever before.

As we look back at some of the most important issues that shaped the past year, Ethisphere thought leaders will also look ahead at what challenges and opportunities are worth considering for 2025.

On Leadership

Tom Bubeck Chief

Chief Executive Officer, Ethisphere

Journeys and missions are not linear. They have ups and downs that must not derail the mission. As we head into 2025, we need to reflect on what has worked and what hasn’t and learn, grow, and adapt. To move ahead mindfully, reflectively, and bravely.

On Governance

Erica Salmon Byrne

Chief Strategy Officer, Ethisphere

2024 gave us fresh examples of what a lack of effective board oversight can mean, most notably in the TD Bank settlement. The explicit adoption of ‘zero expense growth’ without any apparent discussion of what risks that entailed should be a table top exercise for every smart board in 2025. I’ll also be keeping an eye on how boards are evaluating the ‘de-siloing’ expectations laid out in recent DOJ guidance; they should be seeing more explicit coordination between control functions going into next year, and if they’re not seeing that, they should be asking why.

On AI and the E&C Tech Stack

Nausheen Moulana

Chief Technology Officer, Ethisphere

In 2024, Ethics & Compliance teams effectively leveraged Gen AI for automating processes like training, policy management, and speak-up culture, while continuing to employ traditional AI and data analytics for areas such as AML, tax compliance, trade surveillance, and supply chain risk management. This progress was marked by a careful balance between utilizing technological innovation and addressing critical risks, including data privacy, security, intellectual property, and reliability/accuracy of AI-based outcomes.

In 2025, focus on integrating data and enhancing observability in the E&C technology stack and systems will be key. Breaking down silos to create a 360° view of data required for E&C use will empower teams to further leverage AI and data analytics to obtain insights and actionable intelligence across E&C ownership areas, predict and address risks, prioritize actions, and monitor program progress effectively.

On the E&C Community

Kevin McCormack

Executive Vice President, Ethisphere

Executive Director, Business Ethics leadership Alliance

Diversity is a hallmark of the BELA community. Diversity of issues that E&C leaders are facing; diversity of roles and risk owners; diversity of industry; and diversity of markets. It’s on full display during our Global Ethics Summit, but throughout the year it is captured in the 50+ BELA roundtables hosted both in-person and virtually. The voice of BELA is a powerful one and the knowledge exchanged at these roundtables is even more powerful. Whether the focus has been on peer example of leveraging Artificial Intelligence tools to increase compliance capabilities or inviting dialogue with Chief Compliance Officers, and our SMEs from Ethisphere, on the impact of new DOJ guidance, the community has played full out in 2024. Candid in conversation and supported by both data and tested practices, there is arguably no better platform to surface new ideas, ask the tough questions, and do so together.

2025 will require Ethisphere, in partnership with the BELA community, to build on that momentum. We will continue to seek a better balance between breadth and depth. Industry-specific depth is one roundtable attribute that we will see in 2025 as we are experience a groundswell of interest in sectors that have unique challenges, inclusive of software & tech, healthcare, insurance, retail, and manufacturing. Depth of external authorities that can offer even more guidance to the BELA community as we continue to assess the road ahead with ongoing A.I./tech disruption, supply chain challenges, regulatory shifts, ethical culture risks, and more. We often talk about the need to have best practices in place for ongoing monitoring of risks. We will need to apply a similar approach so that our BELA roundtables can pivot as we assess where our community needs the support the most. What gives us confidence is that BELA continues to demonstrate, year after year, that it is a rising tide that lifts all boats and among the most trusted sources for everyone who participates as they did in record numbers this year.

On Culture

Doug Allen

Vice President, Data Strategy, Ethisphere

The big, macro piece on Culture this year is the reference to it in the latest Department of Justice update to the Evaluation of Corporate Compliance Programs guidance. That really brought culture front and center in a way we have not seen before. The case for why culture is so important has never been made more clear. And complimenting that is the research we have provided that determines that organizations that perform well on our culture assessment also perform well overall as businesses. Combined, those highlights made a clear case for why we measure culture.

For 2025, what’s at top of mind for us is how well folks integrate a smaller suite of questions from their engagement surveys or, how they implement speak-up culture. We’re looking at how organizations don’t want to over-survey, so how can they get visibility on data that is timely, accurate, reliable, and most of all, good? As all that comes to bear, we’re increasing looking through a lens of going outside of full-blown surveys and drilling down more on how folks are integrating smaller, more regular interactions like pulse surveys that provide just-in-time data around specific topics.

On Supply Chain

Craig Moss

Executive Vice President, Measurement, Ethisphere

The past year was dominated by a renewed focus by companies on supply chain resiliency. This was driven by the lingering effects of several major, unexpected disruptions–the COVID pandemic, the Suez Canal blockage, the war in Ukraine, etc. The evolving geopolitical landscape signaled an end to the drive to having a single highly efficient, low-cost global supply chain. It forced companies to start to think about creating constellations of suppliers to serve specific market segments due to local regulations or customer demands. The 2024 approval of the EU’s Corporate Sustainability Due Diligence Directive (CSDDD) highlighted a growing trend toward sustainability regulations that will accelerate the need for companies to embed managing sustainability performance and risks into how they manage their supply chain. The CSDDD goes far beyond requiring a company to know the environmental and social risks of their suppliers. It requires remediation, monitoring, and reporting. One of the major challenges that emerged in 2024, was getting reliable data. Adding environmental and social requirements to the list of other compliance requirements, including anti-corruption, data privacy and trade sanctions, made resiliency a bigger challenge than ever.

Looking to 2025, there are two major themes companies should focus on. First, how will you implement a supply chain risk management program that sufficiently covers the breadth of your supply chain and delivers a scalable way to go in-depth with your key suppliers? For the key suppliers, a combination of technology and human expertise will provide visibility beyond a supplier’s inherent risk and into how mature their systems are that manage those risks. With key suppliers, it is important to take a “measure and improve” approach. Part of making this practical is to think holistically about the spectrum of compliance and ESG risks and prioritize what needs to be addressed based on what is more relevant and material to the business. This will increasingly drive the need for cross-functional collaboration about what is critical to address and how to do it a practical way.

Second, how can you start to explore the use of AI (Generative AI, specifically) to improve supply chain resiliency and risk management? This is an area that will see a lot of attention. The key for companies will be to start with the specific problem they are trying to solve with Gen AI and to determine if they have the reliable data that is needed.

To stay abreast of the latest trends and issues in the field of business integrity, be sure to visit the Ethisphere Events page to register for upcoming webinars, roundtables, and the Global Ethics Summit.

And to draw on the best thought leadership in the ethics and compliance space, check out the Ethisphere Resource Center, for a wealth of free reports, white papers, interviews, and the latest issue of Ethisphere Magazine.

How Often Should You Conduct an Ethical Culture Assessment?

Posted on December 19, 2024December 19, 2024 by Ethisphere

96% of World’s Most Ethical Companies conduct ethical culture surveys at least every two years to track progress and strengthen organizational culture.

Ethical culture matters to employees, investors, and most of all, stakeholders. Case in point, this year’s Five-Year Ethics Premium is 12.3%. That is how much the publicly listed honorees of the 2024 World’s Most Ethical Companies outperformed a comparable index of global companies from January 2019 to January 2024. The thing that unites those high-performing companies is a terrific culture of ethics.

Such metrics make the case for performing organizational culture assessments to see where a culture’s true strengths and improvement opportunities might be. But since culture assessments are not a once and done thing, how often should you assess your culture?

In this blog post, we will explore why running recurring culture assessments builds immense value for your organization.

Why organizations conduct recurring culture assessments

Culture assessments are a snapshot in time of how your employees feel about different programmatic elements of your culture. Many internal and external factors contribute to that moment, as well as any action plans from of your ethics and compliance department that might be underway. That is why it is important to measure culture periodically to see how you are improving long-term.

The Department of Justice’s recent ECCP Update includes language around how and how often organizations measure ethical culture. The key is measuring how your actions are affecting ethical culture over time, as well as what external factors that might affect your ethical culture. Also, you want to be able to compare those results year over year, ideally, every two years. 96% of World’s Most Ethical Companies honorees, for example, do some sort of ethical culture survey at least every two years, and 49% measure their culture at least yearly.

Key considerations for culture & cadence

When setting up a cultural assessment cadence, look at your corporate calendar to see what other things are going on in the organization (particularly things like other surveys). Those come to mind first. That’s a thing that a lot of organizations look at.

Also, consider if you have a busy season or a slow season for when the best time for a culture survey might be. Conducting a survey when the organization is undergoing a big change—such as changes in senior leadership or key training—tends to take employees’ attention away from your survey.

Avoiding major holidays is a good idea, but for global organizations, this may not be possible. Likewise, try to avoid times when many employees might be on vacation (such as August, for European employees).

The key thing to remember is that there probably is not a perfect time to conduct your culture assessment, but it is still important to conduct them even if you can’t find a perfectly quiet time in your corporate calendar.

Supporting initiatives

Culture surveys are a great foundational effort to collect a lot of data and feedback on how your employees are feeling about the elements of your program. But they also provide opportunities to collect qualitative data through other measurement efforts.

As you decide when to do your main ethical culture survey, think about some of the questions the survey data may raise that you may wish to examine further. As you schedule your culture assessment, planning additional efforts like site visits, management interviews, and focus groups can help better understand your main culture survey results.

Post-survey communications

Most organizations experience survey fatigue. This doesn’t necessarily mean that employees are tired of taking surveys, however. Rather, they are tired of taking surveys where nothing happens based on their feedback. 76% of World’s Most Ethical Companies honorees communicate their culture survey results to all people leaders. They are really the tide that raises all ships. If your managers talk with their teams about some of the opportunities or key things that came from the survey, especially as you begin to implement action plans, those plans will be much more impactful.

Throughout the year, it is important to tie those actions back to the feedback from your culture survey. Let employees know you have taken action and implemented their feedback. The cadence of such communication depends on how many messages employees receive from the organization, but the key is to regularly tie your action plan to survey results so that people don’t feel like their voices fell on deaf ears.

To learn more about how strong ethical cultures improve business performance, visit the Ethisphere Resource Center for free policy examples, best practices reports, interviews, and more.

And to request a culture assessment demo for your organization, please visit the Ethisphere Culture page.

Follow Ethisphere on LinkedIn and join the conversation on why good ethics is good busine

Vendors of Choice for Compliance Workflow Solutions

Posted on December 18, 2024December 18, 2024 by Ethisphere

Spreadsheets and manual tools are still heavily used for compliance workflows, highlighting an opportunity for technology-driven efficiencies.

Ethics and Compliance leaders apart of our Business Ethics Leadership Alliance (BELA) have the benefit of our concierge service to ask questions on any number of topics. One of the most common questions we get is “who are other members using for [fill in the blank compliance workflow]?” and its close corollary “do they like them?” We have answered these questions on a one-off basis as they come in, but this year we released our first compliance vendor survey.

A third of the BELA Community took the survey this summer, and we were very pleased with the results. A few things stood out to the Ethisphere team:

Training, Communications, and Learning Management Systems

In-house training and communication tools remain common, with a quarter of respondents indicating they built their training in-house and 82% using in-house communications solutions instead of using a vendor. The teams building training are typically using tools with customizable templates to build online training content or partnering with the internal Learning and Development function.

On the communications front, most are tapping into channels and platforms already in use at their organizations, which is what we recommend. Using the communications systems that are already preferred, or known to employees, instead of introducing yet another app into an already staggering flow of information outlets gives a greater chance that E&C messaging will be received.

However, nearly half (47%) had no opinion on the solution because they did not use or interact with it. While this does not indict in-house Communication systems, it does draw attention to how often E&C professionals are not using in-house systems in general. This is a huge, missed opportunity for E&C and Communications to collaborate more tightly, whether it is through their preferred delivery system or elsewhere.

Learning management systems

In-house systems chosen by Human Resources were the most common LMS option chosen in this survey, though it is not an especially popular one (unsatisfied: 33%, neutral: 39%, no opinion: 23%). With a positive rating of only 7%, in-house LMSs do not inspire a great deal of confidence, which is concerning, given the important role they play in continuing education and as an auxiliary to mandated ethics and compliance training. (It is worth noting that LMS’s chosen by the E&C team are much less common, but have a much higher favorability rating than their HR-chosen counterparts, at 33% neutral and 44% positive).

Overreliance on Manual Processes for Risk Assessment, Disclosures, and Third-Party Management

Spreadsheets and other manual tools are in heavy use, particular for risk assessments (35%), tracking disclosures (Conflicts of Interest at 24% and Gifts & Entertainment at 28%) and even third-party risk management (18%). This was a surprise to us, as there has been significant growth in the tools offered for these workflows and manual tracking is very labor-intensive.

Speaking of third parties, a sizeable percentage of respondents are not engaged enough with the third-party management platform their organization uses to have an opinion on it. The tools are commonly the purview of procurement or supply chain management instead of compliance.

More than a third (34%) of respondents listed Other as their TPM vendor, the vast majority of whom have no opinion or a neutral one, which suggests a disconnect in this sector between E&C and the use of vendors in this space. Another 18% listed their vendor as In-House, but with a similar overall impression.

The three most common named vendors each only accounted for a single digit share of this space. Beyond those vendors were another 11 named vendors, each of which held very small portion of respondents, but many of which returned 100% favorable ratings, which is to say that there is a broad field of vendors that have earned small, but happy audiences within the BELA community.

Hotlines and Case Management Systems

Two vendors dominate both spaces among BELA member companies. The top mentioned vendor for case management is the clear solution of choice in this area accounting for nearly half (49%) of all responses in this section, and it also enjoys an overall 53% positive rating. The second most mentioned vendor has a little less than half of the top vendor’s share in this area (21%) and enjoys the same positive rating (52%).

Beyond these two kingpins of the space, responses cover another 10 named vendors within the Other category, and another 6 named vendors with single-digit shares in this space. Across this breadth of responses, users report generally favorable impressions of their vendor, though many of them are sample sizes of only one or two responses.

For hotlines, we see the same top vendor as for case management, with 59% of respondents naming them as their hotline vendor. This provider also receives generally high marks (60% positive, 27% neutral). The next-largest vendor comes in at 21% for usage, also receiving generally favorable reviews (55% positive, 36% neutral.

Notably, while few users reported using an In-House system, those that did gave it a negative review two thirds (67%) of the time.

How satisfied (or not) are companies with their compliance workflow tools and technology solutions?

Curious about the names of vendors and their satisfaction rating? BELA members receive access to the complete report with additional data points on usage and satisfaction of specific vendors. To request guest access visit: https://ethisphere.com/request-bela-guest-access/

5 Codes of Conduct We Love & Why

Posted on December 5, 2024December 5, 2024 by Ethisphere

The Code of Conduct sets the tone for an organization’s culture, providing guidance on how employees should behave and why it matters.

The Code of Conduct is the foundational document that broadly establishes the expectations for behavior and can be described as the “house rules” for an organization. It is the cornerstone of how the company chooses to do business and provides guidance on interactions with colleagues, customers, business partners, third parties, and other stakeholders.

The Code sets the tone for an organization’s culture and should be tailored to its specific risks, industry, geography, and history and be grounded in the mission and values of the organization. No one document can cover all the do’s and don’ts for every possible scenario, but an effective Code communicates principles for behavior and explains why employees should care.

What makes a good Code of Conduct?

1. Tone

The tone of the Code of Conduct should be aspirational and serve as a guide to employees for how they and others at the organization should behave. It should be consistent with the mission, purpose, and values of the company.

Make sure the Code includes:

A clear statement of how the company chooses to do business
Letter from leadership (CEO or Chief Compliance Officer) that sets an inclusive, inspirational tone and connects the Code with the company’s mission or purpose
Explanations of why the reader should care about the topics in the Code

2. Content

Effective Codes emphasize the importance of asking questions and sharing concerns, as well as provide guidance on how to speak up and detail the company’s commitment to non-retaliation. This information can be first introduced in the letter from leadership and should be reinforced throughout the Code. Ideally, callouts for Speak-Up should be included in key locations throughout the Code.

All reporting channels should be listed predominately with direct links to websites, platforms, emails, or phone numbers as applicable. Consider also including the process or workflow of investigations to increase transparency for employees and show them how they will be protected from retaliation.

The Code should address the company’s position on key risk areas and provide guidance on the best course of action that aligns with the company’s values through the use of concrete examples and comprehension aids like decision trees, tips, or definitions of key terms.

Common risk areas addressed in Codes include (but are not limited to):

Inclusion & Diversity
Bullying
Harassment & Discrimination/Equal Opportunity
Health & Safety
Conflicts of Interest
Gifts & Entertainment
Free & Fair Competition
Preventing Financial Crimes
Economic Sanctions
Confidential Information
Vendor/Third-Party Relationships
Open & Honest Feedback
Speak Up
Social Media & Communications
Recordkeeping
Corporate Responsibility & Sustainability
Human Rights
Data Privacy & Information Security
Protecting & Appropriate Use of Company Assets
Workplace Violence
Investigations

3. Accessibility

Increasingly, companies are sharing their Code of Conduct both internally (i.e., on a main intranet site, a Policy Hub, the Ethics & Compliance intranet page, etc.) and externally (i.e., on their public website). It should be easy to find and compatible with both desktop and mobile viewing. The Code should be available in the relevant languages for employees, third parties, prospective employees or customers, and others.

When determining if the Code is accessible, ask:

Can it easily be found by people inside and outside of the company?
Is it available in languages that our employees speak?
Is it compatible with disability aids, such as text readers?
Can it be read on a mobile device?

4. Design & Organization

Gone are the days of the dense, text-only Code of Conduct. Today’s Codes are a reflection of the company and should be aligned with brand identity, so it looks and feels like the company. Additionally, it should be organized logically, be easy to use and navigate, and support the reader’s experience and comprehension.

Design elements that make the Code more engaging and easier to read:

Use of white space
Varied font sizes and colors
Inclusion of shapes and images
Callout boxes with tips, helpful hints, or key definitions
Graphics that help the reader understand a process or workflow

5 Examples of Best-In-Class Codes of Conduct

1. Lincoln Financial

VIEW THE CODE

Lincoln Financial’s Code of Conduct is a web-based, interactive Code that is easily accessible on and response to any device. It is organized around the company’s core values and leadership attributes for individuals, the company, and those they serve and do business with.

The top corner of every page includes buttons for a glossary of key terms to aid in the reader’s understanding and a list of helpful resources, what they can help with, and how to access them with links, email addresses, and phone numbers. The Code includes comprehension aids like callout boxes with clear guidance for employees, videos, decision-making models, and Q&A examples.

2. ManpowerGroup

VIEW THE CODE

ManpowerGroup has made their Code of Conduct available in 23 languages, appropriate for their global footprint and employee base, making it highly accessible for readers and employees. The Code also includes an excellent example of an executive introduction from their Chairman and CEO that is highly personalized to the company, including details about its history, mission, and industry, emphasizes Speak-Up, and shares the company’s commitment to ethics and integrity.

The Code also includes concrete examples, scenarios, and explanations for topics addressed in the Code, as well as important definitions, graphics, images, and knowledge checks.

3. Rockwell Automation

VIEW THE CODE

Rockwell Automation’s Code of Conduct has exemplary use of comprehension aids that help employees understand concepts and provide guidance on how they should act. These include callout boxes with definitions of key terms, bulleted lists that detail how employees should behave, and scenarios that illustrate an issue and give guidance on how employees should respond.

The Code also includes engaging design elements like varied font sizes and colors, images to break up large bodies of text, sidebars, and more. Additionally, there are links to company policies throughout the Code and navigation buttons on the bottom of each page to the table of contents and the page that lists contact points for speaking up.

4. U.S. Bank

VIEW THE CODE

U.S. Bank’s Code of Conduct emphasizes the importance of Speak-Up, including a dedicated page at the beginning of the Code that has links to multiple reporting options, a clear and intuitive layout describing the reporting process, and details of the company’s commitment to non-retaliation. The header of every page also includes a button for the Ethics Line, reinforcing the importance of speaking up and reporting concerns.

The Code also includes other types of comprehension aids throughout the document, such as an ethical decision-making model, Q&A examples, callout boxes, and links to related resources. Additionally, the Code is aligned with U.S. Bank’s branding, with colors, images, and phrases that visually connect the reader to the company.

5. Snap, Inc.

VIEW THE CODE

Snap, Inc.’s Code of Conduct is a great example of a Code that is very aligned with and reflective of the company’s brand identity. The main brand color, yellow, is used throughout for emphasis. The Code also uses a mix of images reflective of company places and people, as well as illustrated avatars like the ones available in their main product, Snapchat.

The Code is also values-based, organized as a “Guide to Kind Business,” and details how employees should be kind to each other, their community, their partners, their investors, and the world. The emphasis on kindness is further reinforced in the callout boxes that give practical guidance as they are all headed with “How We Are Kind.”

BELA Members have access to Ethisphere’s library of sample codes, policies, and resources across ethics and compliance programmatic elements. Request guest access to the BELA Member Hub to check out the library today.