The Importance of Education Technology in the Workplace

Despite Progress, Compliance Problems Still Exist

Most companies are making progress with compliance — they have codes of conduct, are working to improve their cultures, and are hiring staff including compliance, diversity, privacy and ethics officers. These companies should be credited for laying down necessary, ethical infrastructures.

Yet, despite these efforts, terrible things happen in the workplace. Companies rocked by scandals, such as the fraudulent sales practices at Wells Fargo and the Yahoo data breach, found “unethical behavior” and “failures in communication, management, inquiry and internal reporting,” respectively, despite both parties having knowledge of the potential for harm.  Fraud and conflicts of interest continue to plague organizations and governments.  Sexual harassment continues to be a problem, devastating its victims and demoralizing the workplace, according to a recent report by the EEOC. Discrimination, diversity, hiring bias:  these are not just buzzwords, but real problems that exist across the globe.

We believe that almost all organizations care about their employees’ well-being, but sometimes the link between attitude and action gets lost in the shuffle. The potential is there, it just needs to be unlocked. Education technology can help unlock that potential.

Using Technology to Educate, Not Regulate, Humans

Technology for Managing Ethics and Compliance

Employers now have access to powerful technological tools to help manage their ethics and compliance programs. A 2017 report by KPMG finds technology, like automation and data analytics, to be “necessary investments” for compliance to conduct risk assessments, monitor, and report data points. Fast Company highlights many companies throughout the US that are using artificial intelligence to “spot nuanced biases in workplace language and behavior” to improve human behavior that favors certain groups of people over others. Technology has no boundaries, and it’s easy to rely on it to help solve real workplace issues.

We cannot forget, however, that people are, and must continue to be, the focus of technology. We are not going so far as saying that technology is going to overtake the human race but we do believe that companies should think deeply about who they are ultimately serving with technology and not just use technology for technology’s sake.

Education in the Corporate Workplace

Education has been called the “social continuity of life” and an overall social good. Education also happens in the workplace through skill-building programs, mentorships, and of course, training. We can’t forget, however, that humans are at the center of it. Employees are both the perpetrators and victims of harassment.  Employees make decisions.  Employees are responsible for driving diversity and inclusion, refusing bribes and reporting violations. We can monitor, track and report all we want. If employees do not have the necessary knowledge to do what’s right, a concept that reaches well beyond the corporate cloister, we place our companies at greater risk of harm.

Not all education is equal. Research shows that merely understanding a code of conduct does little to change unethical or illegal behavior. Words on a page do not translate into action. Instead, focus should be on how and what an employee can learn. For example, knowing that bribery is illegal and to “stop it” is much less valuable than a case study prompting an employee to watch out for red flags in everyday actions, then reinforcing that learning with post-training assessments and additional training. True learning leads to impact, because it develops real world skills that help stamp out social ills like corruption, cultural tone deafness, and discrimination. In this way, it can be said that workplace education, or training, fulfills a greater social good.

When implemented thoughtfully, workplace education is a way to help organizations, each other, and society. And when combined with technology and a focus on our roles as humans, it can scale to reach people regardless of the borders we constrain ourselves with.

The Solution: Education Technology

National problems need a national solution. Education is necessary, but by no means a silver bullet. And while some companies may balk at being responsible for social problems in addition to shareholder value, that attitude is dying fast.

It is estimated that Millennials will make up 75% of the workforce by 2025. They, unlike any other generation before, support private business but also expect companies to represent something bigger, and truer, than just corporate profits, according to a 2017 Deloitte survey. Millennials want to work for and consume from ethical and diverse companies. Incorporating these concepts into a company’s everyday business strategy and operations can help them achieve long-term sustainability. Combining technology with education about intractable issues like discrimination and abuses of power can help build a sustainable company, if not society.

Conclusion

It’s about time that private and public organizations come together. That is why EVERFI is bringing together regulators, prevention experts, educators, legal/compliance professionals and scientists to tackle some of the most intractable social issues through education technology. The acquisition of online compliance training leader Workplace Answers makes us “the world’s largest company committed to empowering learners at every stage of their lives, from the classroom to the boardroom.” Make no mistake, we are a for-profit company. But we believe we can do both. And we believe that every other company can too.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably.

Note: This post was previously published by Corporate Compliance Insights.

Does Data Validate Online Compliance Training?

Many large enterprises provide compliance training to their employees. A 2017 report by KPMG provides survey data and analysis of compliance best practices, including employee communication and training. This post pulls out data points that allow us to better evaluate the value of effective online compliance training.

KPMG’s The Compliance Journey (“the Survey”) surveyed organizations across seven industries with compliance teams that run the gamut between fewer than 25 professionals to more than 250. While the survey did not indicate the number of respondents, which impacts the sample size, the range of organizations and departments surveyed indicates a good amount of validity.

Summary of Results

The Survey found that organizations are making “substantial progress” in their ethics and compliance programs, particularly in governance, culture, policies and procedures, and communication and training. But, organizations can do better in compliance monitoring and testing. In addition, CEOs can instill accountability across their organizations by considering adherence to compliance policies and procedures as a factor in employees’ performance ratings and compensation.

And sure, compliance scandals have rocked sophisticated companies over the past couple of years. But these setbacks shouldn’t prevent companies from trying to do better to ensure that their compliance programs are fulfilling their goals of keeping companies and, most importantly, employees safe.

Compliance Training is Used, But Not Maximized

The report provided specific stats on training and communication in particular. Virtually all organizations (98%) require employees to take compliance training on key compliance policies and procedures and most (84%) train about applicable key laws, rules, and regulations. Companies have realized the importance of training, and implement it consistently across the board.

Yet, it is apparent that companies are not fully utilizing training. Many survey results provide opportunities that good training can accomplish. For example, only

  • 31% of Chief Compliance Officers (CCOs) do not know, or do not communicate, lessons of conduct and culture across their organizations
  • 29% of organizations report that they assess compliance skills of their staff on an ongoing basis
  • 23% do not engage in open communication about compliance issues, lessons, and practices (or do not know if they have such an approach)
  • 69% say their organization leverages technology to support its compliance initiatives

Training is a vehicle to communicate lessons of conduct, culture, compliance, and to assess skill building. Online compliance training allows it to be implemented across the entire company and leveraged for data.

Compliance Training Best Practices

If training was as simple as just providing it, we would see immediate results. It doesn’t work that way. Understanding does not signify learning or action. In the land of compliance, research shows that merely presenting a law or policy to a learner is ineffective. In fact, it can make people more likely to violate compliance standards. This may be why “CCOs recognize that adult cognitive learning theories support offering shorter trainings that are more memorable, engaging, and that contain real-life vignettes.” Engagement is important to learning, but again, it’s not enough. To learn more about effective adult learning theory, check out EverFi’s white paper, Value of Conduct Training.

Fortunately, the Survey provides many examples of how companies, or their training vendors, can make compliance training more effective. Here are some highlights.

  • Identify what needs to be trained on based on internal risk assessments
  • Use storytelling, “refreshers,” and real examples from the company’s workplace
  • Train middle managers to “enhance accountability” and “develop ethical leadership skills”
  • Deliver “compliance training content to employees who may historically only been
    reachable via live/in-person training using advances in technology”
  • Leverage technology to monitor and follow up on the results of regulatory testing
  • Utilize technology to “track training results and content distributed to employees, as well as to enable more targeted training for employees based upon their roles and responsibilities”

Top Compliance Challenges for CCOs

Indeed, when asked about their top compliance challenges, CCOs responded that enhancing accountability in compliance, improving data quality, and making compliance effective and sustainable were the top three. Online compliance training, when developed effectively and rolled out to a willing audience, can help organizations meet their biggest compliance challenges.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

Data Security Risks: The Bad News and The Good News

The Bad News. 

Data breaches are on the rise. The Identity Theft Resource Center (ITRC), which has been tracking data security risks since 2005, released a report in which it counted 430 data breaches between April 2016 and April 2017. This shows a 37% increase from 2015-2016, according to Credit Union Times. This is a scary thought when we consider that ITRC found 2016 to be a record year for data breaches, according to Bloomberg.

It gets worse. A cybersecurity survey conducted by EiQ found that small to medium-sized businesses (SMB) were not prepared for a cybersecurity breach. Out of approximately 150 IT security personnel, 86% responded that their company has underfunded security initiatives, and 56% said their organizations are unprepared to identify and respond to cyberattacks. EiQ states that cybersecurity is a small fraction of many companies’ IT budgets, indicating that cybersecurity isn’t as big a priority as other technological initiatives. The National Center for the Middle Market, out of Ohio State University, has a Cybersecurity Resource Center tailor-made for midsize companies, which may feel the harm of inadequate resources to counter data security breaches.

It would appear that larger organizations fare better, as they tend to have more resources to maintain effective data security programs. However, data security breaches constantly spatter news headlines, like the ones at Yahoo and the US Internal Revenue Service. Additionally, laws like the GDPR, UK Privacy Shield, and New York’s Cybersecurity Regulations require adequate third-party data security management, including vendors and outside law firms. The Association of Corporate Counsel’s Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information is a guide that can help companies prepare.

Ultimately, companies of all sizes and resources should be investing in enhanced cybersecurity.

The Not-so-Bad News. 

Some industries did better than others. In fact, the ITRC survey found that healthcare and financial services experienced declines in data breaches compared to the prior year. Meanwhile the educational industry, the government/military, and the “business” industry (which includes all other industries, like retail and professional services) experienced more. This should not be surprising to some folks, as both the financial services and healthcare industries are highly regulated by federal data privacy laws like the Gramm-Leach-Bliley Act and HIPAA, respectively.

Even though financial services’ data breaches dropped by more than 50% (4.1% to 1.9%), a global study by Capgemini showed that only 21% of 183 surveyed senior data privacy and security professionals at financial services companies were “highly confident” in their organization’s ability to detect a data breach, creating data security risks. This uncertainty wasn’t relegated to the SMB group, either. Forty percent of the surveyed professionals came from companies with revenues of $10 billion or more. To help with these issues, the Federal Financial Institutions Examination Council (FFIEC) offers a variety of cybersecurity resources for financial institutions.

Further, the lower occurrence of data breaches in healthcare does not mean that they don’t occur. The US Department of Health and Human Services fined a hospital that ignored the security risk to patients’ ePHI. It had knowledge of data breaches, but did little, if anything, to counter them over a course of many years. Data breaches can have unforeseen consequences for healthcare companies’ business and customers, such as botched business deals and vendor pull outs in addition to decreased consumer confidence in an affected company’s reputation.

The Good News. 

Nonetheless, many companies should be applauded for their efforts at minimizing data security risks. Many have chosen to invest in training.

Conduct training can be an effective way to mitigate data breaches, as human error is a huge risk to cybersecurity. A Ponemon Institute report on closing data security gaps shows that insider negligence is the leading cause of data loss or theft. The National Center for the Middle Market explains:

Employees are your biggest cybersecurity risk–and also, potentially, your biggest asset. Cybersecurity is everybody’s job and mistakes by employees, contractors, and vendors – using weak passwords, opening attachments from an unfamiliar source, misconfigured settings – lead to the overwhelming majority of successful attacks.

Scams are becoming more sophisticated; common sense isn’t enough to protect employees anymore. As long as employees have access to personal or sensitive information, they can be a risk even in the most sophisticated data security program. They need training to teach them to recognize the more subtle forms of persuasion, like phishing scams. Attacks like these are known as social engineering — trying to trick people into doing something that they would never do if fully cognizant of their actions. Data security training can mitigate these real data security risks.  

Reduce Your Data Security Risks.

Learn more about Online Data Security training or read a white paper on what makes effective data security training.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

Anti-Bribery Law Basics: FCPA and the UK Bribery Act

The Foreign Corrupt Practices Act and the UK Bribery Act are two of the most important anti-bribery laws that seek to prevent corruption globally. Their broad scope and long reach mean that organizations of all sizes that do business overseas or have foreign partners should consider offering online FCPA training to their employees as well as their agents and partners when appropriate.

Brief History of the FCPA & UK Bribery Act

In the early 1970s, with public trust already shaken by the Watergate Scandals, investigations conducted by the Securities and Exchange Commission revealed that many US corporations were maintaining special cash slush funds for bribing foreign officials. According to a Congressional report, over 400 corporations admitted to making illegal or questionable payments to foreign officials, totaling more than $300 million (or $1.2 billion in 2015 dollars).

In response to these shocking revelations, Congress passed The Foreign Corrupt Practices Act (FCPA) in 1977, prohibiting US businesses or persons from bribing foreign officials to get, keep, or direct business. In its report on the FCPA, Congress explained:

The payment of bribes to influence the acts or decisions of foreign officials, foreign political parties or candidates for foreign political office is unethical. It is counter to the moral expectations and values of the American public. But not only is it unethical, it is bad business as well. It erodes public confidence in the integrity of the free market system.

Today the Securities and Exchange Commission (SEC) and Department of Justice (DOJ) jointly enforce the FCPA. Together, they have brought an increasing number of FCPA enforcement actions charging violators with both civil and criminal offenses. The year 2016 “produced what arguably is the most significant year of enforcement in the statute’s 39-year history” according to attorney F. Joseph Warin. The SEC and DOJ brought 53 enforcement actions against companies and levied more than $2 billion in corporate fines against companies.

Since the passage of the FCPA in 1977, the global marketplace has become governed by an increasing number of laws and regulations that aim to prevent corruption. In addition to the FCPA, organizations doing business overseas may find themselves governed by other nations’ laws.

Of particular note is the UK Bribery Act 2010, applying to UK businesses and persons. The UK Bribery Act imposes more severe penalties and is broader in scope than the FCPA, covering bribes to private parties as well to foreign officials. The UK Bribery Act also prohibits being bribed, not just giving bribes. Because of the close ties between the United States and the United Kingdom, US businesses should pay special attention to all forms of potential bribery abroad, regardless of jurisdictional technicalities.

Penalties for Breaking Anti-Bribery Laws

The penalties for violating either the FCPA or the UK Bribery Act are significant. Both individuals and corporations can be held liable. While this shouldn’t form the basis of prevention, it highlights the enforcement bite of legal noncompliance.

Individuals who violate the anti-bribery provisions of the FCPA may face criminal and civil fines, up to five years in prison, and ineligibility for future activities such as doing business with the federal government or the securities business, according to the FCPA Resource Guide.

Businesses may face criminal fines up to $2,000,000, civil penalties, and ineligibility for future activities such as doing business with the government, securities activities, or export licenses as well. There are additional hefty penalties for violating the FCPA’s accounting provisions. It’s worth noting that under the Alternative Fines Act individuals and businesses may face fines much higher than those suggested by the FCPA: up to twice what the defendant gained by making the corrupt payment.

Under the UK Bribery Act, individuals or businesses may face up to 10 years in prison or unlimited unlimited fines.

The Importance of Training on Anti-Bribery Laws

Given the intricacy and potential consequences of violating anti-bribery laws, it is crucial that your organization has compliance programs in place to prevent corruption whenever it has dealings overseas. This is why companies should invest in FCPA Training. It’s more than avoiding legal liability. It’s really about doing what’s right.

Both the DOJ and SEC take into consideration an organization’s compliance program when deciding whether to open an investigation or bring charges under the FCPA.

According to the FCPA Resource Guide, “In appropriate circumstances, the DOJ and SEC may decline to pursue charges against a company based on the company’s effective compliance program, or may otherwise seek to reward a company for its program, even when that program did not prevent the particular underlying FCPA violation that gave rise to the investigation.” Similarly, companies can defend themselves against charges related to the UK Bribery Act if they can show that they had adequate procedures in place to prevent bribery.

Further, the DOJ’s Fraud Section issued the “Evaluation of Corporate Compliance Programs” (ECCP), a litany of “important topics and sample questions” to help companies evaluate their compliance programs. My colleague Karen Peterson correctly points out that measuring compliance program effectiveness goes beyond checking a box. Data, culture, and ethical managers are critical facets that companies must validate, support, and foment.

Training is a hallmark of an effective compliance program. It helps reinforce an organization’s values, distribute its anti-corruption policies, inform the organization’s workers of the relevant laws and best practices, and ensure that workers understand how to act on those values, policies, and practices.

This post was informed by considerable research and analysis by my former colleague, Pax Hehmeyer.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

Compliance Training Requirements in EEOC Settlement Agreements

When the US Equal Employment Opportunity Commission (EEOC) announces a settlement with an employer, the press release generally says that the employer agrees to provide certain kinds of compliance training in the future. In EEOC settlements announced in March 2017, the EEOC announced that it had required an Illinois sheet metal company to train its employees on harassment and discrimination, required an Illinois food service company to train its managers on the requirements of the Americans with Disabilities Act, and required a janitorial cleaning services company to train all employees about unlawful discrimination.

What are the Typical Compliance Training Requirements?

But the compliance training requirements can be much more onerous than the brief descriptions in EEOC press releases might lead a reader to expect. Consent decrees that employers and the EEOC enter into, which are public documents, go into much more detail about required compliance training. For instance, in February 2016 the Vail Run Community Resort Association agreed to settle a sexual harassment, national origin discrimination, and retaliation lawsuit brought by Mexican female employees who were harassed by the Association’s male housekeeping manager. The EEOC press release announced that the Association would have to implement “substantial semi-annual training for managers on sexual harassment and the responsibilities of managers once a report of sexual harassment is made.”

The five-year consent decree provides more details, specifying that the Association was required to hire outside vendors to provide the following training on federal antidiscrimination laws:

  •         Nonmanagerial Employees: At least three hours of training on discrimination law
  •         Supervisory and Managerial Employees: Twelve hours of training annually (provided at least semi-annually) on antidiscrimination laws and on how to receive and investigate complaints of harassment and retaliation
  •         Senior Management: Training similar to that of supervisory and managerial employees, and training on how to document and preserve evidence of discrimination
  •         Employees Designated To Receive Discrimination Reports: At least four hours of annual training on accepted professional standards for receiving and investigating complaints, including witness interview techniques, other evidence-gathering techniques, maintaining investigative notes and records, legal analysis of the evidence, and methods for eliminating and ameliorating violations of anti-discrimination law
    .

Not every consent decree will require third-party compliance training or even new training. As labor mediator Amy L. Lieberman said in a Bloomberg BNA interview with Lydell C. Bridgeford:

Depending on the employer’s current training, sometimes the parties can agree to continue with what the employer already provides. In cases where the employer does not already do training, I have often seen the EEOC and the company agree that the company’s employment counsel or in-house counsel can provide the training, as opposed to forcing the employer to hire a third-party provider.

So an employer with a compliance program might be able to continue with its own training, especially if the employer didn’t have widespread problems that were caused by a deficient compliance program. Companies should be sure to monitor their compliance program effectiveness if they want to be able to argue that an issue was confined to one circumstance or individual.

Companies should also examine the EEOC’s publications, such as its 2016 retaliation enforcement guidance, which the EEOC believes is a good resource for employers.  

Monitoring Consent Decrees

The EEOC monitors consent decrees and will file a lawsuit against a company that doesn’t comply. As the EEOC notes in its manual on Monitoring and Enforcing Consent Decrees, in 2001 it successfully sued a retailer for contempt for failing to comply with consent decree provisions. The penalty imposed was $750,200 ($100 per day of noncompliance, for each of 22 stores) in addition to attorney fees and other costs. The EEOC also extended the original consent decree by 18 months.

In an article by Gloria Gonzales for the Business Insurance website, EEOC trial attorney Richard Mrizek commented that consent decrees are meant to help companies deal with the issues that got them into trouble with the EEOC. “We’re not just settling it for money to make things go away,” said Mrizek. “We’re also looking at what can we do that we think will solve the company’s problems such as compliance going forward.”

Employers Should Assess Compliance Risks

Twelve hours of training may seem excessive, especially to employers who don’t have compliance problems, but some sort of regular training is a good idea. Employers should assess the risk of compliance issues in their workplace. For instance, in this case,  the Association’s housekeeping manager was in charge of employees who were fearful of being reported for their immigration status. This resulted in a risky situation for the Association, because the housekeeping manager took advantage of the employees’ fear.

Accordingly, the consent decree required the Association’s compliance training for managerial and supervisorial employees to emphasize that “due to their position of power,” such employees must be particularly vigilant not to discriminate, must be sensitive of how their actions or words might be perceived by subordinates, and must avoid the temptation to retaliate against an employee who makes or might make a complaint.

The more at-risk an employer is, the more they’ll want to improve programs, bolster implementation of their compliance programs, and communicate the programs by training. The more risk, the more training.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

How to Measure Compliance Program Effectiveness

Having an ethics and compliance program with no implementation plan is akin to implementing the program without measuring its effectiveness. There are plenty of resources expended but no one is sure what, if anything, is gained. This post continues our discussion of ethics and compliance programs, which has covered the hallmarks of a compliant program, tone at the top, hotlines, and now we’ll address how to measure the fruits of those efforts.

DOJ Guidelines: “Evaluation of Corporate Compliance Programs”

The Fraud Section of the U.S. Department of Justice (DOJ) has indicated that its Foreign Corrupt Practices Act (FCPA) enforcement efforts will remain unchanged under the new administration. In the month after the inauguration, the DOJ’s Fraud Section issued the “Evaluation of Corporate Compliance Programs” (ECCP), a litany of “important topics and sample questions” to help companies evaluate their compliance programs. In addition, Trevor McFadden, the deputy assistant attorney general now overseeing the Fraud Section, gave a speech in which he reportedly said that FCPA enforcement and prosecution of individuals will continue to be priorities, and compliance efforts and cooperation with investigators will continue to be rewarded.

The ECCP provides a blueprint for internal reviews of compliance programs by asking questions to determine if a program is working. And if it’s not working, to determine what needs to be fixed. Hui Chen, the Fraud Section’s compliance counsel, is given credit for drafting the recent guidelines, which rely heavily on the “Filip Factors” that DOJ prosecutors use to guide their criminal investigations of corporate entities. The questions are aimed at gathering specific information about how a company implements its code of ethics or other corporate compliance program, and what steps are taken to measure its success or examine the root causes of violations.

The ECCP’s 119 questions drill down to find answers to the three basic questions we have written about before, that guide how the DOJ/SEC evaluates ethics and compliance programs, as set forth in their FCPA Resource Guide:

  • Is the company’s compliance program well designed?
  • Is it applied in good faith?
  • Does it work?

.Data Metrics: The “Hidden Gem”

The ECCP guidelines identify what companies need to ask themselves about their compliance programs, but they don’t tell companies how to go about getting the answers. As with many business operations issues, the answers are found in the data. In fact, data is called the “hidden gem” that provides a factual basis for measuring and assessing the effectiveness of ethics and compliance programs.

And the FCPA Blog says, “Data lies at the core of the [DOJ] guidance.” The author provides these examples of “compelling metrics” that reveal a program’s effectiveness:

  • How many transactions or deals were subjected to greater scrutiny because of compliance concerns?
  • Have requests for resources for compliance and control functions been denied?
  • How many internal audits have been performed in response to transactions that bore signs of bribery and corruption?
  • Where misconduct was identified, was there an investigation to find its root cause?
  • Were third parties or acquisition targets evaluated or audited for compliance issues?

This brings us to the next question: where do you find this information? Conducting employee climate surveys can help identify program strengths and weaknesses. If surveys are conducted at regular intervals they can also provide benchmarking data. For example, the data can help identify trends and determine if changes to compliance functions and controls have resulted in increased effectiveness.

In a presentation, “Ethical Culture: Defined and Measured,” the results of a company’s culture (essentially broader than climate) survey were used to compare the perceptions of its non-supervisory employees with those of its managers and executives, providing valuable insight into whether perceptions about the company’s ethics and culture are aligned throughout the company.

Data Triangulation: Test the Validity of Information

However, using one source of information may leave out important data points or allow bias to skew the data. Data triangulation involves using multiple data sources to test the validity of information. For example, other sources of information besides culture or climate surveys may include internal audit, or hotline and training data that verify or challenge the survey findings.

Under the U.S. Federal Sentencing Guidelines, one of the factors that mitigates the ultimate punishment of an organization is the existence of an effective compliance and ethics program. The DOJ/Securities and Exchange Commission (SEC) FCPA Resource Guide reinforces the need for risk-based compliance programs and an appropriate evaluation of them for continuous improvement and sustainability. For example:

  • Hotline use, response to reports, and outcomes
  • Progress of any new initiatives or compliance program enhancements
  • Training frequency and completion rates
  • Culture survey results.

Among other things, conducting culture surveys reveals how employees perceive their workplace environment and if they believe individuals at all levels of the organization are held accountable for misconduct. Additionally, surveys can measure the strength of internal controls, identify best practices, and detect new risk areas.

Research has found that culture, leadership, and values-based ethics and compliance programs increase employee reporting of misconduct and decrease retaliation. To address these issues, a list of recommended metrics includes:

  • Reviewing and updating ethics and compliance programs
  • Conducting culture surveys and knowledge assessments
  • Measuring training program reach, medium, frequency, and completion rates
  • Tracking reporting and retaliation trends by location, department, or employee
  • Identifying emerging risks through enterprise-wide risk assessments.

Make Informed Decisions Based on Data

Besides helping to create an effective compliance program, data forms the factual basis for making decisions about where resources can have the most impact. Making decisions about resource allocation based on verifiable data can move the dial from response and remediation to prevention by detecting potential problems before they happen, thereby creating a compliance program that is an effective prevention tool.

Data provides impact by measuring both the effectiveness and compliance of corporate ethics programs, and by assessing programs for outcomes and identifying problem areas such as:

  • Is the program being properly implemented?
  • Are the company’s values and ethics modeled by senior and middle management?
  • Are there sufficient control functions to detect misconduct?
  • Is there a shared commitment to ethical conduct among the company’s different components?
  • Do the company’s values and ethics play a role in making strategic and operational decisions?
  • Is there sufficient autonomy, empowerment, funding, and resources provided to the compliance function?.

As we’ve written before, “good ethics are about making good decisions, and good decisions are good for business.”

Continuously Measure Your Compliance Program 

Whether it is improving procedures to fill gaps or gathering information to perform risk assessments, data plays an important role in preventing misconduct and demonstrating a company’s commitment to effective ethics and compliance programming. Above all, data informs decision-making and provides ROI in more ways than the bottom line.

Surveying employees, conducting focus groups, analyzing existing data sources, and continuously tracking these metrics over time is a critical part of an effective ethics and compliance program.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

What Makes Corporate Compliance Training Effective?

Corporate compliance training educates employees and staff about how to comply with external laws and internal policies, like company values and codes of conduct. According to Professor Donald C. Langevoort in his article Monitoring the Behavioral Economics of Corporate Compliance with Law, “By most accounts, compliance begins with education” and “effective communication.” Staff, employees, and agents should not only understand the law enough to spot issues in the workplace, but also internalize “the firm’s commitment to compliance and . . . how they are expected to respond.”

However, building understanding and influencing behavior is not a simple process. Research has shown, time and time again, that training which merely presents the law or a policy to a learner is ineffective. In fact, it can make noncompliance worse. One study showed that “the more frequently organizations engage in formal communication regarding the corporate codes of conduct, the more unethical behavior is exhibited in organizations.”

Reinforce Important Material

Reinforcing important material in successive sessions may be effective. Take another study, for example, cited by Professor Maurice E. Stucke in his article In Search of Effective Ethics & Compliance Programs. Researchers conducted behavioral experiments involving students from Yale, MIT, and Harvard and each institution’s ethics and/or honor code. One group of students didn’t see their policies, another group saw their policies once, and a third group saw the policies at the beginning of the study period and again right before taking a test. The study found that seeing the policy once had no effect on the instances of cheating, whereas students who saw the policies right before taking the test did not cheat. Companies must be thoughtful about not only what is taught, but how and when it is taught and communicated.

Involve Multimedia, Microlearning, and Gamification

Of course, not all corporate compliance training, whether ongoing or not, is the same. “Valuable conduct training begins and ends with a willing learner and training that is guided by their needs,” according to Carmen Poole in her white paper Value of Conduct Training. For example, engaging the millennial learner should involve multimedia, microlearning, and gamification. Instructional design theories (like affordance and the usability-aesthetic effect), are additional considerations for effective conduct training, particularly e-learning. Companies should ensure their core compliance training is valuable in its own right.

Incorporate Company Culture

Additionally, to be most effective “all policies, procedures and training must be part of a larger culture that instills compliance as a fundamental value,” according to Professor David Hess in his article Ethical Infrastructures and Evidence-Based Corporate Compliance and Ethics Programs: Policy Implications from the Empirical Evidence. Compliance programs that incorporate culture can better achieve organizational and regulatory goals compared to more problematic “check-the-box” compliance programs that merely fulfill legal or external obligations without due consideration for employee motivation or learning.

No business is ever “done” implementing a compliance program; thoughtfully implementing ongoing training can keep an organization’s culture moving in the right direction.

Learn More About Corporate Compliance Training

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

FCPA Anti-Corruption Training: Why It’s Worth the Investment

Multiple enforcement actions against acts of bribery and corruption help strengthen the need for businesses to implement employee FCPA anti-corruption training as part of an effective ethics and compliance program.

Educate Your Employees with Anti-Corruption Training

Compliance training is a critical component in both preventing and remedying alleged acts of corruption and bribery, as shown by recent enforcement actions. For example, the US Securities and Exchange Commission (SEC) decided not to charge Harris Corporation based on its “efforts at self-policing . . . prompt self-reporting, thorough remediation, and exemplary cooperation with the SEC’s investigation.” Specifically, Harris trained staff after it had acquired a subsidiary in China and implemented an anonymous complaint hotline. These two self-policing efforts allowed employees to discover that the CEO of the Chinese subsidiary had authorized the bribing of foreign officials.

With this in mind, anti-corruption training allows employees to be aware of bribery, and hotlines can give employees the ability to complain about it. Hotlines, such as anonymous telephone or online complaints, “enable the organization to solve a concern while it is small, well before it escalates into a large problem,” according to a report by Santa Clara University and confirmed by a recent study showing that whistleblowing deters wrongdoing.

Use Compliance Training After an Incident

Compliance training can be used to clean up questionable or corrupt conduct after the fact. For example, the SEC decided not to prosecute company Nortek when the company discovered that employees in its Chinese subsidiary were bribing foreign officials. Once it discovered the bribery, Nortek “provided extensive mandatory in-person and on-line trainings on the FCPA and anti-corruption policies to its employees around the globe.” This is significant, as beforehand “Nortek failed to establish procedures to ensure its Linear China employees were trained in anti-corruption compliance.”

Nortek and Harris Corporation’s approaches follow US Department of Justice (DOJ) recommendations for “periodic [FCPA] training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners,” in its guiding principles of FCPA enforcement.

Why FCPA Training is Especially Important

FCPA training, in particular, is important, especially in the wake of record enforcement actions by the SEC and the US Department of Justice (DOJ). The year 2016 “produced what arguably is the most significant year of enforcement in the statute’s 39-year history” according to attorney F. Joseph Warin. The SEC and DOJ brought 53 enforcement actions against companies and levied more than $2 billion in corporate fines against companies.

While Matt Kelly at the FCPA Blog accepts the possibility that SEC and DOJ enforcement may drop under the Trump administration, he and expert Mr. Warin do not expect such a dramatic FCPA program change. Incidentally, it’s also important to remember that the FCPA is one US law in a complex web of international anti-corruption efforts. For example, Mexico passed its National Anti-Corruption System and the International Organization for Standardization (“ISO”) published the long-anticipated anti-bribery standard ISO 37001. There’s also a collective international effort to combat bribery and corruption, as Rolls-Royce found out in January 2017 after being caught by the US, UK and Brazil (all of whom make bribery illegal).

The Human Costs of Corruption

Beyond the world of laws and enforcement, we should remember that corruption involves a number of very human elements. “Corruption corrodes the fabric of society. It undermines people’s trust in political and economic systems, institutions and leaders. It can cost people their freedom, health, money – and sometimes their lives,” according to Transparency International. In analyzing corruption in Latin America, we found that it wasn’t so much legal prohibitions but:

Demographics, beliefs, culture and familial obligations all appear to affect the propensity for people in Latin American countries to engage in corruption . . . these factors are often related to social trends regardless of nationality.

This is where anti-corruption training, when done effectively, can help. To learn more, Carmen Poole identifies a number of factors that make conduct training valuable.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethicsanti-harassmentdata security and employee conduct courses.

Diversity Training: A Behind the Scenes Look at Our Course

We live in a vast, diverse world. There is no denying and no escaping it–instead, we can choose to be open and adapt to it. Though workplace diversity training has been met with its fair share of skepticism, a strong approach and strategic implementation techniques are key to making a successful impact. With the release of our new Diversity: Inclusion in the Modern Workplace course, we want to clue you in on what you can expect in the course and why this one stands out from the rest.

Our Humanistic Approach to Diversity Training

Keeping diversity training pitfalls in mind, this course was created as an introduction to the topic of diversity, inclusion, and equity via the human experience. We conducted interviews with real individuals and incorporated their stories and experiences into our content, gathered data on a number of topics that we used to provide the most current and relevant statistics, designed an entirely new course template while taking a new approach on interactive graphics, and so much more. With our clients, users, and diversity in the forefront of our minds, we hope our efforts shine through and make a positive impact in your workplace.

Incidentally, in order to have a meaningful and lasting impact, one’s commitment to diversity needs to extend into the everyday operations of their organization. This course uses the stories of real people to explore concepts such as identity, power, and privilege, to help us communicate more effectively and promote mutual respect in the workplace.

Each team involved in this project had a unique opportunity to make something special with this course. With prejudices and biases running rampant in and out of the workplace, we recognized the importance of this immense topic and were excited (yet nervous) to tackle it. Next, we will explore how the design and content teams put their visions into action.

Design Invites Users In

Taking a humanistic approach to how this course would be planned out, the design team altered their usual strategy to make a statement, allowing photography, graphics, videos, and color to act as a foundation in executing the important message they wanted to send about diversity, inclusion, and equity. “In previous course designs, we tried to stay away from representing specific human characteristics, by obscuring facial features and graying out skin tones in our illustrations,” said graphic designer Kris Shogren. “For the Diversity course, we wanted to do the complete opposite. We have upgraded the way we will handle illustrations, infographics, and color palettes to mirror the message and knowledge we are trying to provide our users.”

Stemming off of Shogren’s comment, animator Jenna Strange remarked on the difference in their design plan. “Usually we will make generalized figures that anyone can relate to,” said Strange. “This time, we wanted to be as clear and direct about as many facial features, skin tones, age ranges, and cultural backgrounds as we possibly could while using a wider rich color palette.” The variance in the aforementioned graphics achieves a more diverse collection of people to look at in the interactions, which is one way we as a company want to include our users. What better way to practice what we are trying to teach?

When asked about the team’s motivation, art director Drew Hard expressed that the design team was affected and motivated by the content team’s research into studies that reported the little, or even negative, impact that many diversity training courses had in the workplace. “With this in mind,” said Hard, “we made a dedication to try to remove the feel of a compliance course from our compliance course. Highlighting the content while not feeling like the content is forced onto the learner.”

The ultimate goal was to craft a course that invited users in, something that exposed them to the reality of diversity and could even have users relate to the images. The design team utilized a neutral color palette and elegant, modern design page themes in an attempt to make the course feel more like a microsite experience and less like a compliance training course that could potentially isolate the user.

Research and Content Focused on Interpersonal Communication

Our goal with content was to be as open and informative as possible, while maintaining sensitivity to the issues we’d be discussing. This course was written by people, for people, and taking a humanistic approach geared toward social justice seemed like a good route to guide our research journey.

A social justice approach–what does that really mean? It’s a broad interpretation, and for this course, we wanted to focus on framing social justice meaningfully, linking to interpersonal communication in an instructive way (as best we could). Our research supported these thoughts: “Interpersonal communication is critical to social justice, both in the form of engagement (social interaction) with people who are underresourced and as advocacy (communication with those who control the resources that are lacking) for these people.”

Lead Instructional Writer Carmen Poole said that her team “wanted to approach diversity from an inclusion and equity standpoint, and since social justice theory speaks directly to the importance of human interaction and value of using privileges to become a diversity ally, we felt a more conceptual approach would be successful.”

Interviews with Real People, Not Actors

Topics like diversity and privilege are sensitive, and can be uncomfortable to talk about, especially if the approach is highly academic or far removed from our day-to-day experiences. So we felt it was important to interview real people instead of actors, and film them in settings they felt comfortable in. Participants were asked thought-provoking, tailored questions to best allow their experiences and expertise in this subject matter to be reflected through their stories and thoughts.

Instructional Writer Jayinee Basu noted that the writers “wanted to ground this course in the lived experiences of real people so the human element wasn’t lost–humans are social animals and we care about each other’s stories.”

Our Hope for the Diversity Training Course

This project was groundbreaking for our company, as it is not only a significant and sensitive topic to navigate, it is also the first course LawRoom powered by EverFi has created together post-acquisition. The marriage of two compliance training companies has only strengthened our mission by combining even more people who care about these issues and by fusing their talents and perspectives into what we hope is one cohesive and successful course.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethicsanti-harassmentdata security and employee conduct courses.

How to Develop a Company Code of Conduct

Simply having a company code of conduct is not enough. Research has found that the process an organization follows to develop a code of conduct can impact its effectiveness (Schwartz, 2008). Researchers have also suggested that the implementation process is an important factor in creating an ethical culture.

“Code of conduct” and “code of ethics” are terms that are used interchangeably and, in fact, they are called many different things, which Schwartz collectively defines as follows:

A business code is a distinct and formal document containing a set of prescriptions developed by and for a company to guide present and future behavior on multiple issues of at least its managers and employees toward one another, the company, external stakeholders and/or society in general.

In a previous post, we described the “hallmarks of an effective compliance and ethics program” as outlined by the US Department of Justice and Securities and Exchange Commission. In this post, we’ll look at how to develop code content that reflects your organization’s values and risk tolerance, and ways to implement its provisions to increase their effectiveness.

Code of Conduct Development Process

Establish the Purpose

The first step in developing a company code of conduct is to establish the purpose of the codes and why they matter. In a KPMG survey of Fortune Global 200 companies, the three most common reasons for adopting business codes were to comply with legal requirements, create a shared company culture, and protect and improve the organization’s reputation. KPMG’s survey also found that the most commonly cited core values of Fortune Global 200 companies are integrity, teamwork, respect, innovation, and client focus. Schwartz also recommended that code provisions should be consistent with “six universal moral values” (trustworthiness, respect, responsibility, fairness, caring, and citizenship), which should prevail over financial objectives.

Understand Your Risks

Once the purpose is established, the framework for developing a code requires a full understanding of the operational and reputational risks an organization faces. These issues define the organization’s objectives when developing code content, policies, communication, and training that address individual and collective responsibilities regarding risk management.

To achieve the organization’s risk management standards it is important to draft a code that clearly states expectations and guidelines for acceptable behavior, and provides options for seeking advice and for reporting concerns or suspected misconduct. In his research on the many dimensions of code development, Schwartz found that employees, managers, and ethics officers consider codes more effective when they are readable, relevant, and have a positive tone.

Chose Your Language

In addition, choosing your language carefully is important, as the authors of an article analyzing Lehman Brothers’ Code of Ethics concluded: “finding the right words to express ideas and behaviors is a key strategic action for an organization.” The authors studied Lehman Brothers’ code using the Competing Values Framework (CVF) to reveal the rhetorical elements of the message, and the Erwin method to rate the code’s tone, readability, and style. They found that Lehman Brothers’ code’s strengths were on the relational (trust) and informational (facts) side, as opposed to the transformational (change) and instructional (action) side, of the CVF. This led to their conclusion that:

The Lehman code of ethics and internal code of conduct do not offer much vision or guidance to the reader. . . . While it lays out the basic rules expected of all Lehman employees, executives missed the opportunity to create a unique code expressing strong ethical principles. A more transformational code might have identified their unique strengths and values, but this would have to be coupled with transformational leadership and a culture of strong communication. The Lehman code did a basic job of protecting the organization against illegal actions by employees, but it did little to advance an ethical culture that might have sustained them.

Additional Guidance for Employees

One of the things the authors found lacking was guidance for employees who are faced with difficult decisions. The American Management Association proposes using the code of conduct to guide employees who are conducting business and making decisions in business dealings and relationships around the globe, by simply recommending that employees ask themselves two questions:

  1. Does this comply with the law, the Code of Conduct and the company’s policies?
  2. How would customers, shareholders, general public and co-workers view it?
    .

Best Practices for Drafting Codes of Conduct

The best practices for drafting codes of conduct that emerge from these studies include:

  • Obtain buy-in across the organization with input from a multidisciplinary team
  • Include the organization’s mission statement, vision, and values that reflect its commitment to ethics, integrity, and quality
  • Clarify that the organization expects individuals to act with honesty and integrity in addition to compliance with legal requirements
  • Describe expected behaviors rather than stating prohibitions
  • Cover relevant risks, employment practices, protecting corporate assets, and managing third-party relationships
  • Make it user friendly and applicable to all individuals covered by the code
  • Use simple, concise, and easily understood language (and provide translated versions as needed)
  • Describe enforcement and disciplinary procedures
  • Solicit feedback on the code from all levels of the organization
  • Update to improve content and address new issues or risk areas
    .

But the mere existence of a code of ethics, without more, will not create a sense of shared values and commitment to ethical behavior.

Implementing Your Company Code of Conduct

Based on their analysis of the effect that Lehman Brothers’ code of ethics had on its corporate culture, the authors concluded that “silence can be deadly,” “codes fail when poorly communicated,” and “codes themselves cannot create ethical organizations.”

In fact, their research found that these two actions are key to code implementation:

  • Communicate codes through the right channels and explain why they’re important
  • Integrate codes into the organization’s practices and back it up with enforcement

Once drafted, an organization needs to embed the code into its culture. The KPMG report recommends that the code become a “living” document to guide and create ethical behavior throughout the organization through:

  • Communication and training
  • Personnel and other policy measures
  • Monitoring, auditing, and reporting

At the companies KPMG surveyed, training courses were commonly used to:

  • Explain the importance of the code
  • Reinforce ethical behavior
  • Strengthen the moral compass
  • Identify and deal with dilemmas
  • Provide guidance on how to implement the code more effectively

At Lehman Brothers, the ethical code contained the phrase “compete aggressively in furthering the interests of the firm.” However, the authors raise the question of whether explaining to employees the level of acceptable risk in “competing aggressively” would have avoided leveraging the company “into a lethal situation.”

Effective implementation requires ethical leadership and support, training, and continuous reinforcement and updates to keep the code current. Ongoing administration and reinforcement of code standards embeds an organization’s values into its culture, which stimulates ethical reflection and action, and encourages compliance so that employees speak up when they see others engaging in unethical behavior. And for the skeptics who question whether an effective company code of conduct is worth all this effort, the bottom line is that good ethics are good for business.

LawRoom (powered by EverFi) delivers online compliance courses to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.