Ethics Hotlines, Risk, and Compliance
Does your ethics and fraud hotline program exist in a silo or is it an integrated part of an enterprise-wide risk and compliance program?
Ethics and fraud issues span many organizational risk and compliance areas of concern. As such, a hotline program can be effectively integrated with activities across an organization, although barriers may exist.
As reported a few years ago, few organizations have an integrated approach to risk and compliance activities, despite recognizing the likely benefits. It is common for organizations to have between three and fifteen different compliance silos. Why? Risk and compliance responsibilities tend to span a wide range of activities, including financial reporting, credit risk, IT security, health and safety concerns, regulatory requirements, and more. Different departments are responsible; they often establish their own policies and processes, with little connection to other internal efforts. In addition, as new compliance regulations emerge, organizations tend to create new initiatives to handle them, again often without integrating these initiatives with existing efforts. (Economist Intelligence Unit (EIU), 2011.
The EIU reported the following key findings:
- Companies may be underestimating the extent of risk and compliance failures. Knowledge about risk failures is not widely disseminated outside of the function that experiences the failure. This behavior serves as a barrier to company-wide awareness and improved policies and practices.
- Risk and compliance management processes may appear to work well – until something goes wrong. Survey respondents who had experienced failures were more likely to acknowledge they did not have a consistent set of principles and policies governing business practices.
- Related to the previous points, companies may not be learning the broader lessons from risk failures. The majority of such failures take place at the business unit level, which is often where the problems are addressed, outside the oversight of the wider organization.
- High performing companies are more likely to have a consistent level of risk tolerance across the organization. While it is typical to find a range of risk tolerances within an organization, with marketing and sales groups often having the greatest tolerance and finance and legal groups the least, high performing companies tend to be more consistent across functions.
The EIU report suggests that organizations begin their efforts to better integrate risk and compliance processes by conducting an audit to identify where all of the related functions and activities reside within the organization. Next, they should form a steering committee with representatives from the various functions, possibly under the auspices of the internal audit group. This steering committee would be responsible for discussing and recommending ways to improve risk and compliance processes, with a goal of creating a better-integrated approach. After identifying and refining existing business processes, organizations will be ready to evaluate technology for automating control systems and establishing central repositories for data and information. Such steps will move an organization closer to a “best practice” enterprise-wide system.
Ethics hotlines are an important component of ethics and compliance programs. They can be even more effective when they exist as part of an integrated, enterprise-wide risk and compliance program. If an internal audit reveals that your ethics hotline program is “siloed”, take steps to broaden its reach. Doing so can enhance the value of the hotline itself, as well as the overall risk and compliance program.
Ethical Advocate provides comprehensive ethics and compliance solutions, including confidential and anonymous hotlines. Contact us for more information.
References:
Economist Intelligence Unit. Ascending the Maturity Curve: Effective Management of Enterprise Risk and Compliance, March 2011.