How Ethics and Compliance Applies to the Employee Experience

You don’t have to misuse (or even, have) a million dollar slush fund to violate anti-bribery laws like the Foreign Corrupt Practices Act (FCPA). Nor do you need to be a high rolling corporate exec or a diplomat to be embroiled in a conflict of interest. Federal enforcers don’t care whether you have a fancy title if you violated insider trading laws. Nor do they care whether you’re the chief executive or an account executive if the feds find evidence of antitrust violations.

These laws and ethical standards apply to every employee in their everyday experience. In other words, ethics and compliance applies to you.


Avoiding bribery takes more than just common sense. For example, the FCPA defines a bribe as an offer, payment, or promise of “anything of value” to a foreign official in order to obtain or retain business.

The “offer” and “promise” parts mean that just offering or agreeing to bribe someone is illegal — nothing of value needs to change hands.

The “anything of value” part is also complicated; it means that a bribe includes not just money, but things such as gifts, employment, entertainment, and travel. Also, whether the bribe is “of value” depends on the economic standards in the foreign country, not the US.

What might be a modest dinner by US standards could be considered lavish in the foreign country. In that situation, an employee paying for a foreign official’s dinner after talking up your business could be a bribe in violation of the FCPA.

Employees should avoid even the appearance of bribery for the sake of organizational morale and avert the possibility of a federal inquiry.

Conflicts of Interest

Conflicts of interest can arise for any employee who has a private interest that makes it difficult to act in their organization’s best interest. Even employees who think they can set competing interests aside may still be subconsciously influenced to favor their own interests.

Conflicts can include competing financial incentives (e.g., a second job or side business), workplace romances, favoritism in the hiring process, improper business gifts, or the improper use of confidential information (e.g., insider trading). Although conflicts of interest can violate the law, they are just as often ethics violations that don’t rise to the level of illegal conduct.

Insider Trading

Insider trading means trading in the stock of a company while being aware of inside information about the company. Employees at any level can gain inside information about a company, whether it’s your organization or another company that your organization does business with.

When employees become aware of confidential information, they have a duty not to trade in the company’s stock. The law also prohibits them from disclosing the information to someone else so that person can make a trade. This is called “tipping.”

In our “Insider Trading” course we recount a legal case against a railyard worker that the Securities and Exchange Commission (SEC) vigorously pursued. The worker bought as much company stock as he could afford after observing evidence of a pending acquisition, and later profited handsomely when it went through. Although the SEC did not ultimately win a jury verdict against the worker, this case illustrates that any employee can face legal action on insider trading charges. [SEC v. Steffes, Case No. 1:10-cv-06266 (N.D. Ill. Verdict Jan. 27, 2014)]

The US Supreme Court also recently upheld the criminal conviction of a Chicago grocer for insider trading (he had traded based on tips from an investment-banker friend), once again illustrating that you don’t have to be a high-flyer to have your wings clipped for violating the law.


Outside of the finance and legal fields, if the average employee has heard of antitrust law, they probably know that it has something to do with the rarefied realm of mergers and acquisitions. But antitrust law is much broader than that. It prohibits all anti-competitive conduct that unreasonably restrains free trade.

Because the law prohibits anti-competitive agreements, words matter. An antitrust investigation would not bode well if it uncovered sales people emailing one another an intent to “dominate the market” or having discussions with competitors about key aspects of the business such as prices, current bids, customer quotes, marketing plans, or geographic territories.

An unwary employee may jump to the conclusion that cooperation is good. But since antitrust law and the ethical duty of organizational loyalty prohibit collusion with competitors, employees who have the power to make deals on behalf of your organization need training to avoid this kind of costly mistake.

Not Just Common Sense

Yes, common sense helps, but it’s not enough. Applying complex legal mandates and ethical maxims to the often gray areas of the everyday work world is far from intuitive. It takes training — that includes practice navigating situations based on real scenarios — to prepare employees to respond appropriately to nuanced circumstances they may encounter.

Effective training takes ethics and compliance beyond a “gut feeling” something is wrong, and teaches employees to determine the most ethical course of action in the face of conflicting options. Feeling that “something is wrong” is a good start when faced with an ethical or compliance challenge. Knowing the ethical and compliance standards can help translate the feeling into understanding what is wrong, why it is wrong, and what to do about it.

Learn More About Ethics and Compliance Training

EVERFI delivers online ethics and compliance training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, EVERFI delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

How Ethical Conduct Leads to Compliance

Compliance, as it has been traditionally known, is dead. Training mandates, accepting statements like “that’s how it’s been done,” and keeping up appearances to avoid scrutiny are unsustainable practices. Look at any major scandal that has hit the news lately, be it fraud, data security, gender discrimination, and you will find echoes of the old way of doing compliance.

Compliance practitioners should be aware of this by now. “Culture of compliance,” “tone at the top,” and “ethics” are oft-used terms to describe effective compliance programs. However, just saying these words doesn’t mean the workplace understands effective compliance, and even more, doesn’t mean it helps the workplace become compliant.

Ethics Must Be the Foundation for Compliance

Ethics is a necessary foundation for modern compliance programs. Ethics means a lot of things. Merriam-Webster clarifies: “While ethics can refer broadly to moral principles, one often sees it applied to questions of correct behavior within a relatively narrow area of activity.” For organizations, ethics is especially narrow. The “moral principles” to follow are the values of the company, which are further defined by the organization’s mission.

When employees (including executives) do their jobs according to an organization’s moral principles, and do “what’s right,” they effectively “comply” with ethical standards. This also makes for an ethical culture. To be sure, social expectations and mores can impact how ethical a company appears. For example, a company that reveres and follows the value of “making money at all costs” would not be viewed as ethical to millennials. For the purposes of compliance, organizations should focus on the values they believe in.

How Ethics Leads to Compliance

The above explains the “what,” but it doesn’t explain the “how.” First, compliance means adhering to external laws, internal policies and practices, and of course ethical standards. Some practitioners may wonder how being ethical translates to following specific laws, such as the Foreign Corrupt Practices Act (FCPA), or a company’s conflict of interest policy.

Employees must know about the law. For example, being a bastion of “honesty and integrity” pursuant to an organization’s values may not prevent an employee from violating record keeping and internal control requirements under the FCPA. At the same time, mere knowledge about the law doesn’t change behavior. To be effective, knowledge of the law must be incorporated into a larger ethical framework. “[I]n a specific type of culture, characterized by specific values such as openness, trust and honesty, employees are more likely to engage in compliance behaviours which collectively will contribute to organizational compliance,” says Lisa Interligi in the Journal of Management & Organization.

Finally, compliance must resonate with employees not just on a professional level (“company policy tells me to do X”) but on a personal level (“doing X is the right thing to do.”) “Research has shown that when the organization and employees [sic] values are in sync and when there is trust, employees view other employees’ transgressions as a personal affront – an affront against themselves,” states researcher and University of Miami law professor Michele DeStefano. When employees intrinsically believe in their organization’s purpose and values, ethical behavior should drive their everyday actions.

It Starts With Training

Where to start? Effective ethics training. “By most accounts, compliance begins with education: effective communication so that agents within the firm understand the firm’s commitment to compliance and enough about the law to spot issues that arise within their own scope of authority and know how they are expected to respond,” according to Donald C. Langevoort in his formidable law review article, Monitoring: The Behavioral Economics of Corporate Compliance with Law.

Dry technical language found in statutes and company policies must be transformed to resonate with employees. Sure, companies need to avoid writing in legalese, but communicating ethical principles goes way beyond that. EVERFI Lead Instructional Writer Carmen Poole explains her research:

Using case studies to facilitate learning has long been celebrated as one of the best ways to encourage critical and experiential thinking skills. Case-based learning in ethical training contexts is advantageous because case studies can be tailored endlessly, giving rote content the potential to get up and walk around, while giving the learner an opportunity to experiment, to explore, to evaluate.

When done right, and adapted to fit a company’s values, the result on employees could be transformational. Training is not the end-all, but it is a critical part in communicating, informing, and building an ethical culture.

Learn More About Corporate Compliance Training

EVERFI delivers online ethics and compliance training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, EVERFI delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

How to Detoxify Your Work Environment to Promote Diversity

A toxic workplace is deadly for diversity and inclusion. Even when there is diversity in form, a diverse workforce that occupies only the lowest rung of the organization’s hierarchy in an otherwise homogenous work environment is identified as a risk factor for discrimination and harassment by the Equal Employment Opportunity Commission.

But even if workers are not subjected to illegal harassment, some work environments are the opposite of inclusive. The good news is that by fostering a supportive corporate culture, your organization can not only detoxify a toxic workplace, but also build a diverse and inclusive organization.


Two Main Types of Toxic Work Environments

By “toxic,” I mean a workplace that would fall under either one or both of the following:

  1. A traditional “hostile work environment” in which employees face discrimination due to their membership in a protected class
  2. A work environment in which employees face bullying, intimidation, or abuse — even when the abusive conduct does not rise to the level of illegal harassment.

This is what workplace bullying prevention expert Professor David C. Yamada calls a “status-blind hostile work environment.”

The first kind of toxic work environment obviously impacts diversity and inclusion. Even when you have a diverse workforce, it may not stay that way if workers feel they are targeted for their protected characteristics. This is not only illegal, but counterproductive from a business standpoint.

The second kind of toxic work environment may have a less obvious impact on diversity, since discrimination is not directly implicated. But more nuanced forms of abusive conduct may still mask illegal discrimination. Bullies tend to target workers with less power, who in turn tend to be historically underrepresented workers in the workforce — e.g., women and minorities.

Even when illegal discrimination is not implicated, toxicity in the workplace is often based on rigid expectations that all workers must act and think the same, which kills diversity of thought and innovation. A climate of fear is the opposite of an environment of inclusion that welcomes dialogue and differences in point of view — often stemming from variations in life experience and culture.


Toxic Employees Thrive in Toxic Environments

A workplace does not get toxic by itself. It’s created by “toxic” employees and a workplace culture that supports them. A workplace bully, according to a 2015 Harvard Business School (HBS) study, is “toxic” because the worker is not a problem just to the individuals they target, but to the entire workplace. And toxicity spreads.

But it’s not just employees that create a toxic environment that can erode inclusion efforts. Senior leadership plays a large role in setting tone at the top so that work culture doesn’t foster toxicity. Sometimes the worst bully is a manager, leader, or even the CEO. In the latter case, the board of directors may need to implement restraints up to and including termination.

On the other hand, numerous studies show that “establishing workplace cultures that cultivate respect and trust will elevate the standards of behavior expected, and consequently place a higher value on the health and well-being of all workers.”


Diversity and Inclusion Thrives in Supportive Workplaces

It turns out that many of the leadership and organizational culture qualities that discourage bullying also encourage inclusion. Inclusion is more than just a head-count affirming that a company is “diverse” — inclusion is creating a supportive environment that tells employees that they are valued. It’s the opposite of a toxic work environment.

According to research by the Center for Talent Innovation and summarized in the Harvard Business Review, there are “four levers” that drive inclusion:

  1. Inclusive leaders who welcome team members to express opinions and innovative ideas while still providing actionable feedback and team-oriented results
  2. Authenticity in demeanor and style (for example, no workplace advantage should accrue to workers who “act like a man,” regardless of gender, or “compromise” their ethnic identity)
  3. Networking and visibility, including sponsorship of talented employees (especially women and minorities) by senior leaders who advocate key assignments and promotions for the junior employees (the authors warn that “lack of sponsorship increases someone’s likelihood of quitting within a year”)
  4. Clear career paths that are available to everyone, so that qualified workers aren’t blocked in their tracks for inexplicable reasons, leading to suspicions of discrimination (rightly or wrongly).



Detoxifying your work environment may not always guarantee diversity and inclusion. But striving for more than just a non-toxic environment, and going beyond that to foster a supportive and inclusive workplace, can help promote diversity in the same move. Results may not be guaranteed — but consider the alternative: a toxic environment that sticks to the very air and spreads like a virus over the organization for years to come.

EVERFI can help support your corporate culture with online compliance training for employees and supervisors. Additionally, EVERFI will deliver a robust, cloud-based learning management system to help you easily deploy and track our growing library of compliance training courses, including diversity and inclusion, anti-harassment, data security, ethics, and much more. Contact us today for a free demo.

5 Employment Law Basics Managers Need to Know

From the individual employee’s standpoint, managers and other company leaders are your organization. Executives and compliance personnel make policies to reflect the legal and ethical standards workers are expected to measure up to. But managers must apply, interpret, and execute the policies and legal standards pragmatically based on concrete contingencies employees encounter.

Yes, the law holds employers (that is, organizations) responsible for ensuring employee rights are protected. However, employers can only act through responsible human beings — your leaders and managers.

Managers in particular are on the front lines of making sure employers appropriately follow employment laws. This means that managers need to have at least a high-level awareness of the essential employment law concepts.

That’s why it’s important to make sure your managers know the employment law basics.


1. Discrimination & Harassment

Managers may not fire or refuse to hire, limit employment opportunities, benefits or pay, or otherwise discriminate based on:

The takeaway is that managers need to focus on helping employees to do their jobs, not on characteristics or activities that the law protects. Nor may managers retaliate against workers for complaining about discrimination or harassment. Managers must treat all employees fairly and equally.


2. Protected Leave Laws

Employees who are eligible for leave under the Family and Medical Leave Act (FMLA) may take time off from work for the birth of their child, to adopt a child, or to care for their own or a specified family member’s serious health condition. If the family member is called to active duty in the armed forces, the employee may also be entitled to qualifying exigency leave under the FMLA.

The Uniformed Services Employment and Reemployment Rights Act of 1994 (USERRA) protects veterans and reservists from discrimination and retaliation for taking time off to serve in the armed services.

Managers should treat employees who have taken or plan to take any kind of protected leave no differently from employees who have not taken such leave. This also means that managers may not penalize employees in any way for taking protected leave.


3. Compensation & Overtime

Managers may require employees to work extra hours at times, especially when facing a deadline or time-sensitive project. Managers often need to keep track of how many hours employees work, and make sure they permit employees to take any break times mandated by state and federal law.

The federal Fair Labor Standards Act (FLSA) sets the federal minimum wage and requires that covered employees are paid time-and-a-half if they work overtime (more than 40 hours per week). But not all employees are covered by the FLSA (or state law equivalents).

These workers are “exempt” employees. HR and other compliance personnel are usually responsible for determining which employees are exempt, according to specified legal criteria. This means that managers need to be in-the-know as to which employees are not exempt from these laws before assigning extra work hours or modifying break times.

4. Safety

Managers need to ensure that workplace safety is a top priority. The Occupational Health and Safety Act requires employers to provide a safe workplace, including any necessary training for managers and employees.

If workers are injured during work despite all the best safety precautions, they may be eligible for worker’s compensation, which could include time off to recover or even permanent disability.

Managers must not discourage workers from using proper safety precautions or penalize workers for refusing to work in unsafe conditions or for exercising their right to worker’s compensation. No matter what other production goals or quotas managers may have, there’s no excuse for cutting corners when it comes to worker safety.


5. State and Local Laws

This article has focused on the major federal laws that managers need to be familiar with. Since this article is short, we weren’t able to discuss all the important federal employment laws, nor go into much detail about the ones we did cover.

But it’s still important to point out that many states and cities have similar laws, several of which are stricter than the federal laws. For example, several states list additional protected characteristics and activities and have stricter wage and hour laws. Managers need to understand that they are responsible for complying with federal employment laws, in addition to state and local laws.


What Managers Need to Know

What’s important here is that managers are aware of the major employment rights workers have. Experts agree on the need for legal awareness and legal literacy for managers. If managers know the basic concepts (for example, that there are protected characteristics and activities), they are more likely to take care when a workplace situation implicates these rights. Managers do not need to memorize every protected characteristic or know the intricacies of FMLA law.

What they do need to know is that employees must be treated fairly and equally based on their work; that certain workplace absences are protected; to be mindful when assigning work outside of regular work hours; to foster a safe work environment; and not to retaliate or appear to retaliate when workers do exercise their rights.

EVERFI can help support your managers with online compliance training for employees and supervisors. Additionally, EVERFI will deliver a robust, cloud-based learning management system to help you easily deploy and track our growing library of compliance training courses, including diversity and inclusion, anti-harassment, data security, ethics, and much more. Contact us today for a free demo.

How Promoting Diversity Helps Prevent Discrimination

Diversity and inclusion are important themes in today’s workplace. In June 2017, 175 CEOs pledged publicly to promote diversity and inclusion at their companies. Deloitte reports that the majority of Millennials, who are expected to reach 75% of the workforce by 2020, want to work for companies that actively foster inclusion. Public outcry about organizations that fail to meet these growing expectations has been persistent.

Like any worthwhile initiative, diversity and inclusion is made up of many parts. Discrimination is one of those parts. This post describes how diversity and inclusion overlap with discrimination, and what companies can do to promote diversity and inclusion while stamping out discrimination.

Lack of Diversity Can Cause Discrimination

Research suggests that a lack of diversity and inclusion in the workplace can promote discriminatory behavior. After reviewing considerable literature and drawing from practical experience, the Equal Employment Opportunity Commission (EEOC) concluded that harassment (a form of discrimination) is more likely to happen in the workplace with a lack of diversity, and explains:

Workers with different demographic backgrounds than the majority of the workforce can feel isolated and may actually be, or at least appear to be, vulnerable to pressure from others. They may speak a different language, observe different customs, or simply interact in ways different from the majority. Conversely, workers in the majority might feel threatened by those they perceive as “different” or “other.” They might be concerned that their jobs are at risk or that the culture of the workplace might change, or they may simply be uncomfortable around others who are not like them.

Imagine a worker who feels “different” bringing up personal issues of exclusion, self-doubt, or even discrimination to a group of homogenous senior leaders who the worker believes may not understand. The dynamic is likely not intentional. Nonetheless, certain groups of people can be shut out.

Discriminatory dynamics may be ingrained in a company’s culture, making quick fixes or surface-level changes ineffective. Tristin Green argues as much in her law review article, “Work Culture and Discrimination.” Informal socializing among coworkers, appearance norms, and managerial expectations of what success “looks like” can all contribute to a culture that excludes people of varying backgrounds. Diversity and inclusion has a lot to do with this.

Take hiring, for example. A company that hires people with similar ethnicities, professional backgrounds, and education from the same talent pool sets a tone that a certain make and model is required for success. Those that feel “different” from the pack are less likely to be chosen for informal gatherings, less likely to speak up, and less likely to be satisfied.

While Green argues that diversity efforts in practice may not be enough to meet the remedial promise of Title VII, they do have the potential to help companies fight discrimination. Diversity is not a “nice to have” but rather an important element of a company’s duty to prevent discrimination and harassment in the workplace.

Diversity Raising Allegations of Discrimination

Many practitioners worry about running afoul of state and federal anti-discrimination laws when implementing a diversity and inclusion program. There is some merit to the concern. Title VII explicitly prohibits unequal treatment of employees according to their protected characteristics, like race, gender, religion, or disability. Companies cannot show a preference by treating one group differently than another.

That is, unless they have a really good reason for it. For private companies, preferential treatment has been accepted if it’s created to remedy past discrimination specific to the particular workplace, according to the U.S. Supreme Court and subsequent case law.

Additionally, contractors with big enough contracts with the federal government are required to implement affirmative action policies. Unless a company falls under these two exceptions, they generally cannot give preference to certain groups over others.

This shouldn’t be a problem for modern companies, however. The diversity and inclusion trend is moving away from a “compliance” justification to more of a “business” justification, explains Stacy L. Hawkins in her Spring 2017 law review article. Those justifications usually include (1) responding to culturally diverse markets, (2) improving innovation, and thus performance, and (3) building a reputation internally and externally that the company is “open.”

Common Diversity/Discrimination Scenarios

So how is diversity and inclusion done? It is done through positive programs, as well as by mindfully handling common practices that may involve discrimination. Some common diversity/discrimination scenarios are below.

Employee Resource Groups

The Human Rights Campaign recommends inclusivity when building employee resource groups. “Make it clear that group membership is open to all employees, and thus complies with your organization’s anti-discrimination policies and applicable law.”

Additionally, Jonathan A. Segal, writing for the Society for Human Resource Management, suggests organizers tell group participants they must still follow company policy in regards to reporting issues like harassment or discrimination. Doing so avoids excluding people while legitimizing company policies.


Companies should be deliberate in creating job descriptions that only include necessary and major job functions. Doing so supports inclusion because it focuses on what’s “needed” and not what’s “wanted.” The latter could be laden with the implicit (or honestly, explicit) bias of managers.

Additionally, hiring can be discriminatory if large swaths of people are left out. Watch the language used in job descriptions. Language like “must be able to run a mile a minute” and “vibrant energy” could prevent whole swaths of persons with disabilities or older workers, respectively, from applying or being considered.

And finally, the source of potential applicants must be scrutinized. It is good practice to diversify a job search. Some ideas are conducting job fairs in low-income communities, historically black or women’s colleges, and taking a deliberate, second look at any employee referral (we tend to consider people who think, look, and have experience just like us).


Businesses should establish a system for promotion, especially if they aren’t stellar on diversity and inclusion efforts. Green warns that “relationally dependent” work environments where “recommendations for promotion are made on an informal, ad hoc basis” and where “performance reviews are conducted by coworkers, group leaders, and even subordinates” and “determinations of skill competence are ongoing” could deny the “outsiders” of a homogenous work culture from ever reaching upper management. The latter could be, and has been found in lawsuits to be, discriminatory.


Diversity and inclusion is closely linked with discrimination. Thoughtfully combining diversity and inclusion with the anti-discrimination thrust of Title VII aids “in securing the long sought ideal of workplace equality,” according to Hawkins. Companies should consider diversity and inclusion as a duty, not only for its own sake, but also as one of many ways to prevent harassment and discrimination from occurring in the workplace.

EVERFI can help support your managers with online diversity training for employees and supervisors. Additionally, EVERFI will deliver a robust, cloud-based learning management system to help you easily deploy and track our growing library of compliance training courses, including diversity and inclusion, anti-harassment, data security, ethics, and much more. Contact us today for a free demo.

Why Code of Conduct Training is Essential for an Ethical Culture

What is Ethical Culture?

Terms like “corporate culture” or “business culture” are usually descriptive, but they don’t necessarily imply an aspiration to do good. By contrast, the concept of “ethical culture” is aspirational in the best sense of the word.

While a reference to culture points to the overall environment in a particular company, a reference to ethical culture focuses on “the best” kind of environment — the way things “ought to be.” In other words, culture is about who we are (the good, the bad, the ugly) in the world of work, and an ethical culture is about putting our best selves forward in that world. 

Informal and Formal Systems

Business research platform observes that an organization’s ethical culture “can be thought of as a slice of the overall organizational culture” that’s supported by informal and formal systems.  Informal systems include leadership role modeling, behavioral norms, and organizational rituals.

For example, an organization may informally support senior managers who exemplify trustworthiness by their actions, or team-building that encourages stakeholders to freely exchange ideas in a mutually respectful setting.

Formal systems include resources that support ethical structures and programs, “selection systems, policies and codes, orientation and training programs, performance management systems, authority structures, and formal decision processes.”

An ethical culture doesn’t arise out of nothing. While the informal systems piece is outside the scope of this article, the rest of this article will discuss two essential elements of formal systems — policies and training.

Codes of Conduct Codify Ethical Culture

Specifically, an uncodified ethical culture is unsustainable. It’s nearly impossible to navigate consistent ethical judgments long-term without a compass in the form of a code of conduct.

The effective development and implementation of a code of conduct makes it a living document that sustains ethical culture, not just another dead piece of paper. To effectively formalize ethical culture, codes of conduct need to be readable and relatable to employee’s day-to-day experiences.

They should be written in a language employees understand and speak — both literally and figuratively. This means a code of conduct needs to be engaging, including by avoiding legalese and using emotive language (yes, even in corporate policy).

Training Communicates Codes of Conduct

After developing a code of conduct, how can everyone at your organization gain a strong understanding of how it applies to their day-to-day ethical decision-making? Training is what communicates policy.

Just as effective codes of conduct need to be engaging and clearly relevant to employees’ experiences, effective code of conduct training must also engage workers with real-life examples, interactive design, and applicability to everyday ethical situations.

Powerful, well-designed training does this by thoughtfully reinforcing important material in successive sessions, and by involving multimedia, micro learning, and gamification. Since training does not take place in a vacuum — and learners can tell when organizational practices are inconsistent with training messages — the efficacy of training rests on the organization’s explicit commitment to ethics. The sum comprises ethical culture. 

Sustaining & Maintaining Ethical Culture

Ethical culture can neither be sustained without formal systems, such as codes of conduct, nor can it be maintained without periodic — sometimes even frequent — reinforcement in the form of training. After all, ethical culture is made up of the humans that form organizations, in addition to the policies and codes of conduct that codify organizational ethics.

Reinforcement and maintenance of these systems requires communication and engagement. Training, as an important and potentially engaging means of communicating policies and codes of conduct, is an essential part of the formal systems side of ethical culture. 

Don’t Settle for Mediocre Corporate Culture

Every company has an organizational culture. The difference is that not all companies have formal and informal systems in place to support an ethical culture.

An ethical culture does not happen accidentally. Once leadership commits to fostering an ethical culture, long-term sustainability requires formal systems, including documentation in a code of conduct that reflects core company values, and in training that reinforces and clearly communicates those values at all organizational levels.


Learn More About Our Code of Conduct Training

EVERFI can help support your managers with online compliance and ethics training for employees and supervisors. Additionally, EVERFI will deliver a robust, cloud-based learning management system to help you easily deploy and track our growing library of compliance training courses, including code of conduct and ethics, anti-harassment, data security, and much more. Contact us today for a free demo.

How Data Security Training Mandates Impact Private Companies

In the wake of the WannaCry incident where the National Security Administration (N.S.A.) was hacked and exploited, both public and private companies recognize the crucial need to continue evaluating their cybersecurity programs. Incidentally, state governments are passing laws that require data security training, sending a signal to private companies that they should do the same.

Current Cybersecurity Threats Out There

Many data security risks arise from the hands of insiders, which include employees, contractors, and third parties. Verizon’s 2017 Data Breach Investigations Report shows that social engineering attacks, such as phishing and pretexting scams, are the most common data security risks created by insiders. The data suggests that only 20% of insiders who do fall prey to social engineering attacks would report them to their employer.

Human data security risks also implicate ransomware, which Wired explains as “malware that locks your keyboard or computer to prevent you from accessing your data until you pay a ransom.” According to the Verizon Report, social engineering scams were found in 21% of all recorded ransomware attacks. Even worse, ransomware attacks have steadily risen from the 22nd most common attack to 2014 to the fifth most common attack in 2016.

Finally, gaining unauthorized access to sensitive information is a data security risk created by insider actions, especially employees. “The insider threat, while not as common in breaches as external actors, is still very significant, accounting for 15% of breaches,” the Report maintained.

Regardless of intention, employees are getting access or allowing others to access sensitive information, leading the Report to recommend security awareness training as an essential control.

Cybersecurity Awareness Training Mandates

Perhaps as a result of the risk of insiders, states are mandating cybersecurity awareness training for state government employees. For example, three states—Oregon, Illinois and Nevada—passed laws that require the employees and staff of each state’s agencies to take cybersecurity awareness training, among other requirements. As will be explained, private-sector businesses should do the same.

Oregon – S.B. 90

Oregon law now requires the state’s executive agencies “[c]onduct and document the completion of annual information technology security awareness training for all agency employees.” The law is part of a large effort to overhaul the entire information technology program of Oregon agencies and became effective on July 1, 2017 as an “emergency” measure.

Illinois – H.B. 2371

Illinois law directs the Illinois Department of Innovation and Technology to provide employees of the executive branch to take cybersecurity training at least once a year. The training content must include (1) detecting phishing scams, (2) preventing spyware, infections, and identity theft, and (3) preventing and responding to data breaches. The bill expressly mentions that the training may be delivered online. The law is effective on January 1, 2018.

Nevada – A.B. 471

The bill creates the Nevada Office of Cyber Defense Coordination and requires it to coordinate cybersecurity awareness and training for state agency employees. The law has been in effect since July 2017 and requires the Office to publish its report by January 1, 2018.

Why State Data Security Training Mandates Impact Companies

While the laws do not affect private employers, they may affect them in the near future. The New York State Department of Financial Services is requiring all banks under its stead to provide cybersecurity awareness training to bank employees by March 2018.

The cybersecurity regulation impacts a large portion of the banking industry that is already under considerable data security regulation given the Gramm-Leach-Bliley Act, FFIEC examination protocol, and international laws such as the General Data Protection Regulation and the UK Privacy Shield.

Following the law is necessary. However, laws and policies do not always regulate human actions. As my colleague Steve Treagus explains,

Insider negligence is the leading cause of data loss or theft, and unauthorized data sharing can undermine your best efforts at data security — even if employees are otherwise trained in cybersafety protocols. Training in cybersecurity awareness is extremely important — but no training can stand alone. Employers need to also shore up cybersecurity policy, balance security with productivity needs, and bolster their security infrastructure to secure data in whatever form it takes and wherever it’s stored and used.

Data security awareness training is a critical facet of a company’s cybersecurity program. While many companies are not required to provide cybersecurity training, new laws and data security trends show the benefits of doing so regardless of requirement.

Learn More About Our Data Security Training

EVERFI can help support your managers with online compliance and ethics training for employees and supervisors. Additionally, EVERFI will deliver a robust, cloud-based learning management system to help you easily deploy and track our growing library of compliance training courses, including code of conduct and ethics, anti-harassment, data security, and much more. Contact us today for a free demo.

What Data Says About Ethical Behavior in the Workplace

Ethisphere and Convercent recently collaborated to release a survey about aligning business goals with ethics and compliance programs. The report provides many insights about ethical behavior at work.

The two most interesting include the different kinds of data metrics companies are using to measure compliance program effectiveness and the role managers play in creating successful ethics and compliance programs.

Different Types of Compliance Data Metrics

“Activity” Data Versus “Performance” Data

Companies are sitting on enormous mounds of data, much of which can help “to detect and anticipate ethical issues in real time before they become a real problem.” According to the report, the most common data companies collect is:

  • Training Completion Rates (78%)
  • Hotline Statistics (74%)
  • Investigation Statistics (70%)
  • Likelihood and Severity of Top Risks (60%)

However, while important, the report calls this data more or less “activity” data, which is less valuable than “performance” data. Performance data is an “excellent measure” of ethical behavior and culture, is tracked marginally well, and comes in the form of:

  • Audit Results
  • Risk Assessment Results
  • Third-Party Due Diligence
  • Conflicts of Interest Disclosures
  • Culture Surveys

Difficult to Track “Desired” Metrics

The report also identifies “desired metrics” that chief ethics and compliance officers (“CECOs”) want to track, but find doing so difficult:

  • Open-Door Reporting
  • Behavioral Root Cause Analysis (behavioral factors that lead to an incident, such as the effect of incentives on an unethical sales decision)
  • Campaign and Engagement Effectiveness
  • Benchmarking
  • Ethics and Compliance Value

Additionally, even if compliance and ethics professionals have this data, they may not use it:

  • 65% of CECOs struggle to aggregate and analyze data due to lack of time and resources
  • 55% indicate that data are housed in disconnected and unintegrated systems
  • 44% say the data simply isn’t available to them.

Apparently, many CECOs feel are not properly equipped to measure the effectiveness of their compliance programs. But one major resource CECOs have for information is their managers.

How Managers Help Ethics Programs Succeed

Managers hold a lot of power over people in an organization. According to the report, 73% of employees indicate they raise concerns primarily with their manager, their manager’s manager, or human resources.

On one hand, this is good news — the vast majority of employee survey respondents are comfortable addressing at least some issues with management (known as “Open-Door Reporting”).

On the other hand, it puts a lot of responsibility on managers, some of whom may not know it’s their responsibility to collect and capture data from their teams. They may be given lukewarm instruction to keep track of complaints or issues, or not given any instruction at all.

According to the report, gathering data begins with good policies. Employers must hold their managers accountable to company policies and values. Accountability is one sign of an ethical manager.

Academic research and experts agree that examples set by senior and local management are strongly influential on the actions and attitudes of employees. The stakes are high.

Second, managers should receive training on best practices to not only address real problems, but work with ethics and compliance teams to fully use data and information that’s reported to them.


The report concludes with the observation that successful companies are built not only on financial goals, but also on fundamental values and ethics. In other words, good ethics are good for business. Utilizing real data, and supporting managers, are important ways that companies can improve their ethics and compliance programs.

EVERFI can help support your managers with online compliance and ethics training for employees and supervisors. Additionally, EVERFI will deliver a robust, cloud-based learning management system to help you easily deploy and track our growing library of compliance training courses, including code of conduct and ethics, anti-harassment, data security, and much more. Contact us today for a free demo.

Why CEOs with Personal Integrity Are Better for Business (Ethical Leadership Series, Pt. II)

In the era of 24/7 news coverage, viral social media posts, exposure to global compliance risks, and an increasingly skeptical public make it hard to hide serious leadership misconduct.

As Part I of this series discussed, CEOs face termination more frequently than ever for ethical lapses ranging from shady business dealings to personal indiscretions.

Global companies are increasingly penalizing leaders for reported misconduct:

  • Interest rate manipulation and money laundering
  • Abusive sales practices
  • Sexual harassment
  • Improper relations with employees
  • Résumé fraud

Sometimes it’s hard to draw the line between personal and business-related misconduct. For example, an inflated (but not fraudulent) résumé, or a relationship between a supervisor and their employee.

But when the line is clear, does a leader’s personal misconduct have a detrimental effect on business?

Researchers at three U.S. universities asked this same question, and, after reviewing a sample of 219 unique instances of personal indiscretions, concluded that it does.

How Does a CEO’s Personal Integrity Impact Business Integrity?

The resulting study, published in the Journal of Financial Economics (JEF) (and summarized in the Harvard Law School Forum on Corporate Governance and Financial Regulation) crunches the numbers to determine whether leadership misconduct is also bad for business.

Specifically, the authors wanted to know whether a CEO’s personal indiscretions (as opposed to wrongdoing directly connected with the company) negatively impacted businesses in a measurable way.

The underlying assumption was that personal indiscretions signaled a lack of personal integrity. Building from there, the study sought to discover whether there’s a link between a CEO’s personal integrity and a firm’s value.

How Researchers Defined Personal Indiscretions

The study defined personal indiscretions to include “allegations of dishonesty, substance abuse, sexual misadventure, or violence.” Because personal indiscretions don’t generally expose firms to the same level of legal liability that firm-related misconduct does, some scholars have claimed that personal indiscretions have no significant economic impact on corporations.

But the scholars who conducted the JEF study thought that personal indiscretions could cause significant enough reputational harm to the firm that market forces would “discipline personal misconduct.”

Ethical Indiscretions Cost Millions of Dollars

It turns out that when an incident of CEO personal indiscretion comes to light, shareholder value declines $266 million (4.1 percent). These indiscretions also resulted in:

  • The acquisition of fewer customers and joint partnerships
  • A decline in profit margins and return on assets
  • An increase in CEO malfeasance related to the business, such as manipulating earnings.

Following an indiscretion, CEOs are 41 percent more likely to be fired; those who still hold the reins face an average cut of $400,000 in salary and bonuses as punishment.

But it’s not just the CEO who suffers. When a manager other than the CEO commits an ethical indiscretion, shareholder value declines 1.6 percent ($110 million). The study also found that corporate directors at firms with unethical managers lose shareholder votes at a comparable magnitude to votes lost at firms targeted by litigation. The damage increases when the wrongdoer is a board member.

Unethical Leadership Negatively Affects Company Culture

Not only does unethical leadership cost millions of dollars, but it also signifies a dysfunctional corporate culture. This increases the risk of litigation and enforcement actions as well as loss of reputation and trust in the business community.

The study’s authors observe that a leader’s “indiscretion could signal a shift in the firm’s culture to one that now implicitly condones opportunistic behavior.” Business partners, they continue, “might infer from a managerial indiscretion that the firm does not penalize opportunistic behavior as strictly as previously anticipated and re-evaluate their business relationship with the company.”

Firms are Holding Leaders Accountable for Ethics

CEOs are often evaluated on hard data, such as the economic performance of the business and shareholder value. But some firms have also begun to pay CEOs based on “soft factors” related to ethics, according to the Harvard Business Review.

Some skepticism may come from a belief that ethical conduct cannot be measured by hard data. But as my colleague Karen Peterson observes, the effectiveness of ethics and compliance programs can be measured by triangulating multiple data sources, including:

  • Culture surveys
  • Internal audits
  • Ethics hotline use and response data
  • Investigations completed
  • Outcomes of ethics complaints

Many firms are learning that profit is inextricably linked with ethical conduct, and that there’s no need to sacrifice the bottom line for an ethical CEO and business. In fact, studies show that good ethics are good for business.

On the flip side, the most recent studies show that CEO misconduct is in no one’s interest (for example, see Part I of this series). Companies that fail to see the link between ethically bad and economically bad business decisions need only look to the data.

Note: This is Part II of a three-part series on the consequences of leadership misconduct. Part I discussed the implications of research showing that the world’s largest publicly held companies have been terminating CEOs more frequently for ethical lapses. Part III will wrap up by looking at situations in which leaders and workers are more likely to cheat, through the lens of recent enforcement actions and empirical data.

Ethics and Compliance Training for Leadership

EVERFI delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, EVERFI delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of compliance training courses, including code of conduct and ethics, anti-harassment, data security, and much more.

CEOs Increasingly Scrutinized for Ethical Lapses

A study by PwC business consulting firm Strategy & found that the world’s largest publicly held companies have been terminating CEOs more frequently for ethical lapses. Globally, the years 2012-2016 saw a 36% increase over 2007-2011 in CEO misconduct-related terminations.

The larger the company, the more likely a CEO would be fired for ethical lapses (from a rate of 7.8% of all dismissals in the largest quartile of market share, to a rate of 3.2% in the smallest, in 2012-2016).

Examples of Ethical Lapses

Ethical lapses don’t necessarily signal that leaders or companies lack integrity as whole, but they do indicate serious and harmful errors in ethical judgment. Examples of ethical lapses include business-related misconduct such as fraud, bribery, insider trading, and environmental disasters involving negligence or recklessness.

They also include personal ethical misconduct, such as inflated résumés and sexual indiscretions. (We’ll zero-in on the economic consequences of personal misconduct in Part II of this series.)

Increased Accountability for CEOs

As the study’s authors are quick to point out, this does not necessarily mean that CEOs are less ethical now than they were in the past:

Our data cannot show — and perhaps no data could — whether there’s more wrongdoing at large corporations today than in the past. However, we doubt that’s the case . . . our data shows that companies are continuing to improve both their processes for choosing and replacing CEOs and their leadership governance practices — especially in developed countries.

What it does mean is that boards of directors hold CEOs more accountable now, largely due to these 21st century factors:

  • Increased public suspicion of corporate behavior;
  • The amplifying effects of the 24/7 news cycle and of wrongdoing’s digital footprint on social media;
  • Increased legislative, regulatory, and enforcement actions; and
  • Greater global exposure to supply chain and emerging market-related risks.

All of this points to what the study’s authors call “a sea change in accountability” over the last 15 years. In the late 20th century, by contrast, corporate misconduct almost never resulted in CEO turnover: “criminal prosecutions of corporate officers were extremely rare . . . financial penalties tended to be modest . . . and media attention was often limited to the business press,” the study’s authors observe.

Systemic Recommendations for Ethical Leadership

The study concludes with systemic recommendations for ethical leadership. After all, CEOs don’t turn “bad” in a vacuum. They are both influencers in, and influenced by, the social and corporate cultural circles they are part of.

So, the recommendations focus on what leaders can do on a company-wide level to avoid unethical behavior by any employee and by the corporation itself:

1. “Organizational and external influences.”

Social pressures such as unrealistic performance targets create bigger problems than financial incentives. Leaders should make sure that they have appropriate structural checks on misconduct. This includes an open-door policy that encourages employee dialogue about both good and bad news (such as difficulty meeting targets). That way, problems can come to light before they turn into ethical lapses.

2. “Business processes.”

Minimize opportunities for bad behavior by assessing your company’s risk exposure, by shoring up compliance programs for effectiveness, and by ensuring that employees have ways to report misconduct and know how to do so. [Our research shows that employers should give workers multiple avenues for internal reporting, not just a whistleblower hotline.]

3. “Individual ethical decision making.”

People convince themselves to act unethically by telling themselves that it’s okay to break the rules (rationalization). Leaders who seem to implicitly or explicitly condone rule-breaking influence company culture and make it easier for employees to rationalize cutting corners themselves.

Ethical leaders should clearly and effectively communicate their company’s ethics and compliance policies through employee training. They should drive ethical engagement from the top by example (including by holding themselves accountable and admitting mistakes) and seek out expert guidance when facing ethical dilemmas.

In addition to these recommendations, I would add that ethical managers value evidence over opinion (expert or otherwise) in assessing whether their company’s ethics and compliance program is working. Although it’s human nature to hold our own opinions in high esteem, doing so often leads to ethical lapses. Ethical leaders rely on the facts first.

Note: This is Part I of a three-part series on the consequences of leadership misconduct. Part II will examine the economic impact of personal indiscretions by corporate leaders. Part III will wrap up by looking at situations in which leaders and workers are more likely to cheat, through the lens of recent enforcement actions and empirical data.

Ethics and Compliance Training for Leadership

EVERFI delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, EVERFI delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of compliance training courses, including code of conduct and ethics, anti-harassment, data security, and much more.