What are the most common ethical dilemmas organizations face today?
CHRISTENSEN An often encountered dilemma is the consideration of conflicting performance metrics around cost and time, on the one hand, and safety and quality, on the other. This ethical conflict can manifest itself in many ways — deferral of scheduled maintenance, outsourcing to low-cost/low-quality suppliers, shortcutting on quality standards, unbalanced reward systems, and blind obedience to authority, leading to conflict avoidance and group think. It is ironic that those at the top often are quick to blame those who are on the firing line making the critical decisions, even though the leaders have primary responsibility for the very culture that drives the pressure points incentivizing inappropriate decisions.
O’LEARY As the global business landscape becomes more complex, companies are facing a more diverse array of ethical dilemmas, even compared to just five or six years ago. Traditional ethical issues around bribery, corruption, money laundering, human resource matters, inappropriate financial reporting, or earnings management continue to exist and clearly need important education, awareness, monitoring, and prevention investments from organizations — especially given increased regulatory scrutiny. However, with the rapid investment and growth many organizations are focused on in emerging markets well beyond just Brazil, Russia, India, and China, added complexity permeates ethical considerations. Additionally, the continued expansion of the digital agenda across organizations, sectors, and markets adds a complex array of issues to contend with, including cybersecurity, data privacy, and social media.
What impact do generational attitudes and cultural standards have on expectations of an ethical environment?
O’LEARY Generational attitudes and cultural standards can have a significant impact on expectations around ethics in an organization. As acceptable or common cultural and business practices can vary across diverse populations, it is important that organizations recognize this variability when strategizing around education, awareness, company policy, monitoring, and prevention techniques. For example, millennials’ attitudes and expectations around social media introduce much greater complexity to how organizations handle the possible unintended or purposeful consequences that may be associated with information that is released into the cyber world.
CHRISTENSEN Generational attitudes and different cultures have a huge impact on sustaining an ethical environment because each generation and culture may have to be approached differently to achieve executive management’s objectives. For example, because every generation was raised in a different environment, each has different attitudes, behaviors, expectations, and motivational touch points. Likewise, different countries and regions have distinctly different cultures, as do different organizations that merge. It is imperative to understand generational and cultural differences when communicating with employees in diverse organizations.
What are best practices for promoting ethical behavior within an organization? What is the best approach to ethics training?
CHRISTENSEN Promoting ethical behavior in an organization begins with an effective code of ethics linked to the organization’s code for effective corporate governance. A code of conduct should be communicated, reinforced, and integrated into how executive management “walks the talk.” With respect to ethics training, it is important that everyone participates, including executive management, and that the training is real, meaning it focuses on ethical dilemmas that are relevant to the organization and is tightly linked to its core values.
O’LEARY Best practice is to start with a well communicated tone from the very top. When the CEO, board, or other executives actively and routinely promote the company’s values, culture, and ethical policies, it goes a long way in helping everyone consistently align with expectations. From there it’s all about discipline and detail in having well-orchestrated communications, change management practices, and training programs that are embedded within the business or function for each employee. When companies help employees recognize that the ethical standards are not only important for compliance but also for the success of the organization’s business imperatives and personal advancement, it has a much more profound impact.
What is internal audit’s role in ensuring an ethical work environment?
O’LEARY Internal audit can play many roles helping companies ensure an ethical work environment. Certainly, traditional audit activities to monitor compliance continue to be relevant. Additionally, leveraging the power of data analytics and other innovative strategies helps add vigor and real-time relevance to those efforts. But going beyond pure assurance or compliance auditing, internal audit can help companies assess the alignment of their ethics programs and evaluate the metrics companies have in place to measure effectiveness and whether those metrics help promote ethical behavior.
CHRISTENSEN Internal audit can play a key role in ensuring an ethical work environment. Internal audit should, for example, focus on the control environment and culture, look for the warning signs of dysfunctional behavior, and watch for incongruities between the tone at the top and tone in the middle. Internal audit should ensure that employee working conditions, both internally and upstream with key suppliers, are fair, safe, and free of human rights abuses, and that discriminatory hiring practices are avoided. The auditors should evaluate the balancing of costs of preventive maintenance, work shifts, safety controls, and training with the health and safety interests of employees. Finally, they should ensure an open, transparent environment that provides upward communication to people who listen.
What should internal auditors assess when looking at a whistleblower program?
CHRISTENSEN Internal auditors should evaluate the organization’s risks, culture, management operating style, internal resources, and existing procedures regarding reporting of audit and accounting irregularities and fraud when assessing the design effectiveness of the program. In other words, the auditors need to understand the unique risks relating to fraud within the organization, industry, and geographies in which the company operates. Additionally, internal audit should ensure the program is communicated effectively and often within the organization; ascertain whether the appropriate level of objectivity is emphasized with respect to the reporting and investigation of complaints; ensure that laws and regulations for protecting whistleblowers are being addressed (e.g., Sarbanes-Oxley and Dodd-Frank in the U.S.); and understand and consider the implications of the U.S. Federal Sentencing Guidelines.
O’LEARY Internal auditors should assess the rigor of the program, technology enablement, and alignment to the sector- and geography-specific risk and compliance considerations the organization faces. Additionally, internal audit functions can help companies consider whether the whistleblower program is effectively communicated and whether awareness campaigns, education, training, and policies are fully aligned to enable the program to be optimally relevant.
Why do whistleblower programs fail?
O’LEARY Invariably, whistleblower programs fail when the communication, education, awareness, and executive tone are not fully aligned with the intent of the program. Even if the technology and content are strong, without adequate awareness and promotion, the program will not be fully effective. It’s also incredibly important that multinational companies consider pragmatic issues around language, technology access, and diverse cultural implications when designing programs to succeed globally.
CHRISTENSEN Four ways a whistleblower program can fail are: 1) By taking a program developed for another company and blindly implementing it within the organization without ensuring cultural fit and management support. 2) By failing to determine who will conduct investigations of sensitive matters to ensure appropriate objectivity, how activities will be documented and complaints tracked over time, and how adequate records of meetings, accomplishments, and decisions will be maintained so the organization can defend its process and actions. 3) By developing overly complicated solutions that are burdensome and create unnecessary expense and redundant internal reporting disproportionate to the risk. And, 4) by neglecting to emphasize prevention and deterrence, for example, through appropriate internal controls, entity-level monitoring procedures, effective reporting systems, and state-of-the-art protective safeguards.