Compliance Training Requirements in EEOC Settlement Agreements

When the US Equal Employment Opportunity Commission (EEOC) announces a settlement with an employer, the press release generally says that the employer agrees to provide certain kinds of compliance training in the future. In EEOC settlements announced in March 2017, the EEOC announced that it had required an Illinois sheet metal company to train its employees on harassment and discrimination, required an Illinois food service company to train its managers on the requirements of the Americans with Disabilities Act, and required a janitorial cleaning services company to train all employees about unlawful discrimination.

What are the Typical Compliance Training Requirements?

But the compliance training requirements can be much more onerous than the brief descriptions in EEOC press releases might lead a reader to expect. Consent decrees that employers and the EEOC enter into, which are public documents, go into much more detail about required compliance training. For instance, in February 2016 the Vail Run Community Resort Association agreed to settle a sexual harassment, national origin discrimination, and retaliation lawsuit brought by Mexican female employees who were harassed by the Association’s male housekeeping manager. The EEOC press release announced that the Association would have to implement “substantial semi-annual training for managers on sexual harassment and the responsibilities of managers once a report of sexual harassment is made.”

The five-year consent decree provides more details, specifying that the Association was required to hire outside vendors to provide the following training on federal antidiscrimination laws:

  • Nonmanagerial Employees: At least three hours of training on discrimination law
  • Supervisory and Managerial Employees: Twelve hours of training annually (provided at least semi-annually) on antidiscrimination laws and on how to receive and investigate complaints of harassment and retaliation
  • Senior Management: Training similar to that of supervisory and managerial employees, and training on how to document and preserve evidence of discrimination
  • Employees Designated To Receive Discrimination Reports: At least four hours of annual training on accepted professional standards for receiving and investigating complaints, including witness interview techniques, other evidence-gathering techniques, maintaining investigative notes and records, legal analysis of the evidence, and methods for eliminating and ameliorating violations of anti-discrimination law

Not every consent decree will require third-party compliance training or even new training. As labor mediator Amy L. Lieberman said in a Bloomberg BNA interview with Lydell C. Bridgeford:

Depending on the employer’s current training, sometimes the parties can agree to continue with what the employer already provides. In cases where the employer does not already do training, I have often seen the EEOC and the company agree that the company’s employment counsel or in-house counsel can provide the training, as opposed to forcing the employer to hire a third-party provider.

So an employer with a compliance program might be able to continue with its own training, especially if the employer didn’t have widespread problems that were caused by a deficient compliance program. Companies should be sure to monitor their compliance program effectiveness if they want to be able to argue that an issue was confined to one circumstance or individual.

Companies should also examine the EEOC’s publications, such as its 2016 retaliation enforcement guidance, which the EEOC believes is a good resource for employers.  

Monitoring Consent Decrees

The EEOC monitors consent decrees and will file a lawsuit against a company that doesn’t comply. As the EEOC notes in its manual on Monitoring and Enforcing Consent Decrees, in 2001 it successfully sued a retailer for contempt for failing to comply with consent decree provisions. The penalty imposed was $750,200 ($100 per day of noncompliance, for each of 22 stores) in addition to attorney fees and other costs. The EEOC also extended the original consent decree by 18 months.

In an article by Gloria Gonzales for the Business Insurance website, EEOC trial attorney Richard Mrizek commented that consent decrees are meant to help companies deal with the issues that got them into trouble with the EEOC. “We’re not just settling it for money to make things go away,” said Mrizek. “We’re also looking at what can we do that we think will solve the company’s problems such as compliance going forward.”

Employers Should Assess Compliance Risks

Twelve hours of training may seem excessive, especially to employers who don’t have compliance problems, but some sort of regular training is a good idea. Employers should assess the risk of compliance issues in their workplace. For instance, in this case, the Association’s housekeeping manager was in charge of employees who were fearful of being reported for their immigration status. This resulted in a risky situation for the Association, because the housekeeping manager took advantage of the employees’ fear.

Accordingly, the consent decree required the Association’s compliance training for managerial and supervisorial employees to emphasize that “due to their position of power,” such employees must be particularly vigilant not to discriminate, must be sensitive of how their actions or words might be perceived by subordinates, and must avoid the temptation to retaliate against an employee who makes or might make a complaint.

The more at-risk an employer is, the more they’ll want to improve programs, bolster implementation of their compliance programs, and communicate the programs by training. The more risk, the more training.

LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.

How to Measure Compliance Program Effectiveness

Having an ethics and compliance program with no implementation plan is akin to implementing the program without measuring its effectiveness. There are plenty of resources expended but no one is sure what, if anything, is gained. This post continues our discussion of ethics and compliance programs, which has covered the hallmarks of a compliant program, tone at the top, hotlines, and now we’ll address how to measure the fruits of those efforts.

DOJ Guidelines: “Evaluation of Corporate Compliance Programs”

The Fraud Section of the U.S. Department of Justice (DOJ) has indicated that its Foreign Corrupt Practices Act (FCPA) enforcement efforts will remain unchanged under the new administration. In the month after the inauguration, the DOJ’s Fraud Section issued the “Evaluation of Corporate Compliance Programs” (ECCP), a litany of “important topics and sample questions” to help companies evaluate their compliance programs. In addition, Trevor McFadden, the deputy assistant attorney general now overseeing the Fraud Section, gave a speech in which he reportedly said that FCPA enforcement and prosecution of individuals will continue to be priorities, and compliance efforts and cooperation with investigators will continue to be rewarded.

The ECCP provides a blueprint for internal reviews of compliance programs by asking questions to determine if a program is working. And if it’s not working, to determine what needs to be fixed. Hui Chen, the Fraud Section’s compliance counsel, is given credit for drafting the recent guidelines, which rely heavily on the “Filip Factors” that DOJ prosecutors use to guide their criminal investigations of corporate entities. The questions are aimed at gathering specific information about how a company implements its code of ethics or other corporate compliance program, and what steps are taken to measure its success or examine the root causes of violations.

The ECCP’s 119 questions drill down to find answers to the three basic questions we have written about before, that guide how the DOJ/SEC evaluates ethics and compliance programs, as set forth in their FCPA Resource Guide:

  • Is the company’s compliance program well designed?
  • Is it applied in good faith?
  • Does it work?

Data Metrics: The “Hidden Gem”

The ECCP guidelines identify what companies need to ask themselves about their compliance programs, but they don’t tell companies how to go about getting the answers. As with many business operations issues, the answers are found in the data. In fact, data is called the “hidden gem” that provides a factual basis for measuring and assessing the effectiveness of ethics and compliance programs.

And the FCPA Blog says, “Data lies at the core of the [DOJ] guidance.” The author provides these examples of “compelling metrics” that reveal a program’s effectiveness:

  • How many transactions or deals were subjected to greater scrutiny because of compliance concerns?
  • Have requests for resources for compliance and control functions been denied?
  • How many internal audits have been performed in response to transactions that bore signs of bribery and corruption?
  • Where misconduct was identified, was there an investigation to find its root cause?
  • Were third parties or acquisition targets evaluated or audited for compliance issues?

This brings us to the next question: where do you find this information? Conducting employee climate surveys can help identify program strengths and weaknesses. If surveys are conducted at regular intervals they can also provide benchmarking data. For example, the data can help identify trends and determine if changes to compliance functions and controls have resulted in increased effectiveness.

In a presentation, “Ethical Culture: Defined and Measured,” the results of a company’s culture (essentially broader than climate) survey were used to compare the perceptions of its non-supervisory employees with those of its managers and executives, providing valuable insight into whether perceptions about the company’s ethics and culture are aligned throughout the company.

Data Triangulation: Test the Validity of Information

However, using one source of information may leave out important data points or allow bias to skew the data. Data triangulation involves using multiple data sources to test the validity of information. For example, other sources of information besides culture or climate surveys may include internal audit, or hotline and training data that verify or challenge the survey findings.

Under the U.S. Federal Sentencing Guidelines, one of the factors that mitigates the ultimate punishment of an organization is the existence of an effective compliance and ethics program. The DOJ/Securities and Exchange Commission (SEC) FCPA Resource Guide reinforces the need for risk-based compliance programs and an appropriate evaluation of them for continuous improvement and sustainability. For example:

  • Hotline use, response to reports, and outcomes
  • Progress of any new initiatives or compliance program enhancements
  • Training frequency and completion rates
  • Culture survey results.

Among other things, conducting culture surveys reveals how employees perceive their workplace environment and if they believe individuals at all levels of the organization are held accountable for misconduct. Additionally, surveys can measure the strength of internal controls, identify best practices, and detect new risk areas.

Research has found that culture, leadership, and values-based ethics and compliance programs increase employee reporting of misconduct and decrease retaliation. To address these issues, a list of recommended metrics includes:

  • Reviewing and updating ethics and compliance programs
  • Conducting culture surveys and knowledge assessments
  • Measuring training program reach, medium, frequency, and completion rates
  • Tracking reporting and retaliation trends by location, department, or employee
  • Identifying emerging risks through enterprise-wide risk assessments.

Make Informed Decisions Based on Data

Besides helping to create an effective compliance program, data forms the factual basis for making decisions about where resources can have the most impact. Making decisions about resource allocation based on verifiable data can move the dial from response and remediation to prevention by detecting potential problems before they happen, thereby creating a compliance program that is an effective prevention tool.

Data provides impact by measuring both the effectiveness and compliance of corporate ethics programs, and by assessing programs for outcomes and identifying problem areas such as:

  • Is the program being properly implemented?
  • Are the company’s values and ethics modeled by senior and middle management?
  • Are there sufficient control functions to detect misconduct?
  • Is there a shared commitment to ethical conduct among the company’s different components?
  • Do the company’s values and ethics play a role in making strategic and operational decisions?
  • Is there sufficient autonomy, empowerment, funding, and resources provided to the compliance function?

As we’ve written before, “good ethics are about making good decisions, and good decisions are good for business.”

Continuously Measure Your Compliance Program 

Whether it is improving procedures to fill gaps or gathering information to perform risk assessments, data plays an important role in preventing misconduct and demonstrating a company’s commitment to effective ethics and compliance programming. Above all, data informs decision-making and provides ROI in more ways than the bottom line.

Surveying employees, conducting focus groups, analyzing existing data sources, and continuously tracking these metrics over time is a critical part of an effective ethics and compliance program.


What Makes Corporate Compliance Training Effective?

Corporate compliance training educates employees and staff about how to comply with external laws and internal policies, like company values and codes of conduct. According to Professor Donald C. Langevoort in his article Monitoring the Behavioral Economics of Corporate Compliance with Law, “By most accounts, compliance begins with education” and “effective communication.” Staff, employees, and agents should not only understand the law enough to spot issues in the workplace, but also internalize “the firm’s commitment to compliance and . . . how they are expected to respond.”

However, building understanding and influencing behavior is not a simple process. Research has shown, time and time again, that training which merely presents the law or a policy to a learner is ineffective. In fact, it can make noncompliance worse. One study showed that “the more frequently organizations engage in formal communication regarding the corporate codes of conduct, the more unethical behavior is exhibited in organizations.”

Reinforce Important Material

Reinforcing important material in successive sessions may be effective. Take another study, for example, cited by Professor Maurice E. Stucke in his article In Search of Effective Ethics & Compliance Programs. Researchers conducted behavioral experiments involving students from Yale, MIT, and Harvard and each institution’s ethics and/or honor code. One group of students didn’t see their policies, another group saw their policies once, and a third group saw the policies at the beginning of the study period and again right before taking a test. The study found that seeing the policy once had no effect on the instances of cheating, whereas students who saw the policies right before taking the test did not cheat. Companies must be thoughtful about not only what is taught, but how and when it is taught and communicated.

Involve Multimedia, Microlearning, and Gamification

Of course, not all corporate compliance training, whether ongoing or not, is the same. “Valuable conduct training begins and ends with a willing learner and training that is guided by their needs,” according to Carmen Poole in her white paper Value of Conduct Training. For example, engaging the millennial learner should involve multimedia, microlearning, and gamification. Instructional design theories (like affordance and the usability-aesthetic effect) are additional considerations for effective conduct training, particularly e-learning. Companies should ensure their core compliance training is valuable in its own right.

Incorporate Company Culture

Additionally, to be most effective “all policies, procedures and training must be part of a larger culture that instills compliance as a fundamental value,” according to Professor David Hess in his article Ethical Infrastructures and Evidence-Based Corporate Compliance and Ethics Programs: Policy Implications from the Empirical Evidence. Compliance programs that incorporate culture can better achieve organizational and regulatory goals compared to more problematic “check-the-box” compliance programs that merely fulfill legal or external obligations without due consideration for employee motivation or learning.

No business is ever “done” implementing a compliance program; thoughtfully implementing ongoing training can keep an organization’s culture moving in the right direction.


FCPA Anti-Corruption Training: Why It’s Worth the Investment

Multiple enforcement actions against acts of bribery and corruption help strengthen the need for businesses to implement employee FCPA anti-corruption training as part of an effective ethics and compliance program.

Educate Your Employees with Anti-Corruption Training

Compliance training is a critical component in both preventing and remedying alleged acts of corruption and bribery, as shown by recent enforcement actions. For example, the US Securities and Exchange Commission (SEC) decided not to charge Harris Corporation based on its “efforts at self-policing . . . prompt self-reporting, thorough remediation, and exemplary cooperation with the SEC’s investigation.” Specifically, Harris trained staff after it had acquired a subsidiary in China and implemented an anonymous complaint hotline. These two self-policing efforts allowed employees to discover that the CEO of the Chinese subsidiary had authorized the bribing of foreign officials.

With this in mind, anti-corruption training allows employees to be aware of bribery, and hotlines can give employees the ability to complain about it. Hotlines, such as anonymous telephone or online complaints, “enable the organization to solve a concern while it is small, well before it escalates into a large problem,” according to a report by Santa Clara University and confirmed by a recent study showing that whistleblowing deters wrongdoing.

Use Compliance Training After an Incident

Compliance training can be used to clean up questionable or corrupt conduct after the fact. For example, the SEC decided not to prosecute Nortek when the company discovered that employees in its Chinese subsidiary were bribing foreign officials. Once it discovered the bribery, Nortek “provided extensive mandatory in-person and on-line trainings on the FCPA and anti-corruption policies to its employees around the globe.” This is significant, as beforehand “Nortek failed to establish procedures to ensure its Linear China employees were trained in anti-corruption compliance.”

Nortek and Harris Corporation’s approaches follow US Department of Justice (DOJ) recommendations for “periodic [FCPA] training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners,” in its guiding principles of FCPA enforcement.

Why FCPA Training is Especially Important

FCPA training, in particular, is important, especially in the wake of record enforcement actions by the SEC and the US Department of Justice (DOJ). The year 2016 “produced what arguably is the most significant year of enforcement in the statute’s 39-year history” according to attorney F. Joseph Warin. The SEC and DOJ brought 53 enforcement actions against companies and levied more than $2 billion in corporate fines against companies.

While Matt Kelly at the FCPA Blog accepts the possibility that SEC and DOJ enforcement may drop under the Trump administration, he and expert Mr. Warin do not expect such a dramatic FCPA program change. Incidentally, it’s also important to remember that the FCPA is one US law in a complex web of international anti-corruption efforts. For example, Mexico passed its National Anti-Corruption System and the International Organization for Standardization (“ISO”) published the long-anticipated anti-bribery standard ISO 37001. There’s also a collective international effort to combat bribery and corruption, as Rolls-Royce found out in January 2017 after being caught by the US, UK and Brazil (all of whom make bribery illegal).

The Human Costs of Corruption

Beyond the world of laws and enforcement, we should remember that corruption involves a number of very human elements. “Corruption corrodes the fabric of society. It undermines people’s trust in political and economic systems, institutions and leaders. It can cost people their freedom, health, money – and sometimes their lives,” according to Transparency International. In analyzing corruption in Latin America, we found that it wasn’t so much legal prohibitions but:

Demographics, beliefs, culture and familial obligations all appear to affect the propensity for people in Latin American countries to engage in corruption . . . these factors are often related to social trends regardless of nationality.

This is where anti-corruption training, when done effectively, can help. To learn more, Carmen Poole identifies a number of factors that make conduct training valuable.


Diversity Training: A Behind the Scenes Look at Our Course

We live in a vast, diverse world. There is no denying and no escaping it–instead, we can choose to be open and adapt to it. Though workplace diversity training has been met with its fair share of skepticism, a strong approach and strategic implementation techniques are key to making a successful impact. With the release of our new Diversity: Inclusion in the Modern Workplace course, we want to clue you in on what you can expect in the course and why this one stands out from the rest.

Our Humanistic Approach to Diversity Training

Keeping diversity training pitfalls in mind, this course was created as an introduction to the topic of diversity, inclusion, and equity via the human experience. We conducted interviews with real individuals and incorporated their stories and experiences into our content, gathered data on a number of topics that we used to provide the most current and relevant statistics, designed an entirely new course template while taking a new approach on interactive graphics, and so much more. With our clients, users, and diversity in the forefront of our minds, we hope our efforts shine through and make a positive impact in your workplace.

Incidentally, in order to have a meaningful and lasting impact, one’s commitment to diversity needs to extend into the everyday operations of their organization. This course uses the stories of real people to explore concepts such as identity, power, and privilege, to help us communicate more effectively and promote mutual respect in the workplace.

Each team involved in this project had a unique opportunity to make something special with this course. With prejudices and biases running rampant in and out of the workplace, we recognized the importance of this immense topic and were excited (yet nervous) to tackle it. Next, we will explore how the design and content teams put their visions into action.

Design Invites Users In

Taking a humanistic approach to how this course would be planned out, the design team altered their usual strategy to make a statement, allowing photography, graphics, videos, and color to act as a foundation in executing the important message they wanted to send about diversity, inclusion, and equity. “In previous course designs, we tried to stay away from representing specific human characteristics, by obscuring facial features and graying out skin tones in our illustrations,” said graphic designer Kris Shogren. “For the Diversity course, we wanted to do the complete opposite. We have upgraded the way we will handle illustrations, infographics, and color palettes to mirror the message and knowledge we are trying to provide our users.”

Stemming off of Shogren’s comment, animator Jenna Strange remarked on the difference in their design plan. “Usually we will make generalized figures that anyone can relate to,” said Strange. “This time, we wanted to be as clear and direct about as many facial features, skin tones, age ranges, and cultural backgrounds as we possibly could while using a wider rich color palette.” The variance in the aforementioned graphics achieves a more diverse collection of people to look at in the interactions, which is one way we as a company want to include our users. What better way to practice what we are trying to teach?

When asked about the team’s motivation, art director Drew Hard expressed that the design team was affected and motivated by the content team’s research into studies that reported the little, or even negative, impact that many diversity training courses had in the workplace. “With this in mind,” said Hard, “we made a dedication to try to remove the feel of a compliance course from our compliance course. Highlighting the content while not feeling like the content is forced onto the learner.”

The ultimate goal was to craft a course that invited users in, something that exposed them to the reality of diversity and could even have users relate to the images. The design team utilized a neutral color palette and elegant, modern design page themes in an attempt to make the course feel more like a microsite experience and less like a compliance training course that could potentially isolate the user.

Research and Content Focused on Interpersonal Communication

Our goal with content was to be as open and informative as possible, while maintaining sensitivity to the issues we’d be discussing. This course was written by people, for people, and taking a humanistic approach geared toward social justice seemed like a good route to guide our research journey.

A social justice approach–what does that really mean? It’s a broad interpretation, and for this course, we wanted to focus on framing social justice meaningfully, linking to interpersonal communication in an instructive way (as best we could). Our research supported these thoughts: “Interpersonal communication is critical to social justice, both in the form of engagement (social interaction) with people who are underresourced and as advocacy (communication with those who control the resources that are lacking) for these people.”

Lead Instructional Writer Carmen Poole said that her team “wanted to approach diversity from an inclusion and equity standpoint, and since social justice theory speaks directly to the importance of human interaction and value of using privileges to become a diversity ally, we felt a more conceptual approach would be successful.”

Interviews with Real People, Not Actors

Topics like diversity and privilege are sensitive, and can be uncomfortable to talk about, especially if the approach is highly academic or far removed from our day-to-day experiences. So we felt it was important to interview real people instead of actors, and film them in settings they felt comfortable in. Participants were asked thought-provoking, tailored questions to best allow their experiences and expertise in this subject matter to be reflected through their stories and thoughts.

Instructional Writer Jayinee Basu noted that the writers “wanted to ground this course in the lived experiences of real people so the human element wasn’t lost–humans are social animals and we care about each other’s stories.”

Our Hope for the Diversity Training Course

This project was groundbreaking for our company, as it is not only a significant and sensitive topic to navigate, it is also the first course LawRoom powered by EverFi has created together post-acquisition. The marriage of two compliance training companies has only strengthened our mission by combining even more people who care about these issues and by fusing their talents and perspectives into what we hope is one cohesive and successful course.


How to Develop a Company Code of Conduct

Simply having a company code of conduct is not enough. Research has found that the process an organization follows to develop a code of conduct can impact its effectiveness (Schwartz, 2008). Researchers have also suggested that the implementation process is an important factor in creating an ethical culture.

“Code of conduct” and “code of ethics” are terms that are used interchangeably and, in fact, they are called many different things, which Schwartz collectively defines as follows:

A business code is a distinct and formal document containing a set of prescriptions developed by and for a company to guide present and future behavior on multiple issues of at least its managers and employees toward one another, the company, external stakeholders and/or society in general.

In a previous post, we described the “hallmarks of an effective compliance and ethics program” as outlined by the US Department of Justice and Securities and Exchange Commission. In this post, we’ll look at how to develop code content that reflects your organization’s values and risk tolerance, and ways to implement its provisions to increase their effectiveness.

Code of Conduct Development Process

Establish the Purpose

The first step in developing a company code of conduct is to establish the purpose of the codes and why they matter. In a KPMG survey of Fortune Global 200 companies, the three most common reasons for adopting business codes were to comply with legal requirements, create a shared company culture, and protect and improve the organization’s reputation. KPMG’s survey also found that the most commonly cited core values of Fortune Global 200 companies are integrity, teamwork, respect, innovation, and client focus. Schwartz also recommended that code provisions should be consistent with “six universal moral values” (trustworthiness, respect, responsibility, fairness, caring, and citizenship), which should prevail over financial objectives.

Understand Your Risks

Once the purpose is established, the framework for developing a code requires a full understanding of the operational and reputational risks an organization faces. These issues define the organization’s objectives when developing code content, policies, communication, and training that address individual and collective responsibilities regarding risk management.

To achieve the organization’s risk management standards it is important to draft a code that clearly states expectations and guidelines for acceptable behavior, and provides options for seeking advice and for reporting concerns or suspected misconduct. In his research on the many dimensions of code development, Schwartz found that employees, managers, and ethics officers consider codes more effective when they are readable, relevant, and have a positive tone.

Choose Your Language

In addition, choosing your language carefully is important, as the authors of an article analyzing Lehman Brothers’ Code of Ethics concluded: “finding the right words to express ideas and behaviors is a key strategic action for an organization.” The authors studied Lehman Brothers’ code using the Competing Values Framework (CVF) to reveal the rhetorical elements of the message, and the Erwin method to rate the code’s tone, readability, and style. They found that Lehman Brothers’ code’s strengths were on the relational (trust) and informational (facts) side, as opposed to the transformational (change) and instructional (action) side, of the CVF. This led to their conclusion that:

The Lehman code of ethics and internal code of conduct do not offer much vision or guidance to the reader. . . . While it lays out the basic rules expected of all Lehman employees, executives missed the opportunity to create a unique code expressing strong ethical principles. A more transformational code might have identified their unique strengths and values, but this would have to be coupled with transformational leadership and a culture of strong communication. The Lehman code did a basic job of protecting the organization against illegal actions by employees, but it did little to advance an ethical culture that might have sustained them.

Additional Guidance for Employees

One of the things the authors found lacking was guidance for employees who are faced with difficult decisions. The American Management Association proposes using the code of conduct to guide employees who are conducting business and making decisions in business dealings and relationships around the globe, by simply recommending that employees ask themselves two questions:

  1. Does this comply with the law, the Code of Conduct and the company’s policies?
  2. How would customers, shareholders, general public and co-workers view it?

Best Practices for Drafting Codes of Conduct

The best practices for drafting codes of conduct that emerge from these studies include:

  • Obtain buy-in across the organization with input from a multidisciplinary team
  • Include the organization’s mission statement, vision, and values that reflect its commitment to ethics, integrity, and quality
  • Clarify that the organization expects individuals to act with honesty and integrity in addition to compliance with legal requirements
  • Describe expected behaviors rather than stating prohibitions
  • Cover relevant risks, employment practices, protecting corporate assets, and managing third-party relationships
  • Make it user friendly and applicable to all individuals covered by the code
  • Use simple, concise, and easily understood language (and provide translated versions as needed)
  • Describe enforcement and disciplinary procedures
  • Solicit feedback on the code from all levels of the organization
  • Update to improve content and address new issues or risk areas

But the mere existence of a code of ethics, without more, will not create a sense of shared values and commitment to ethical behavior.

Implementing Your Company Code of Conduct

Based on their analysis of the effect that Lehman Brothers’ code of ethics had on its corporate culture, the authors concluded that “silence can be deadly,” “codes fail when poorly communicated,” and “codes themselves cannot create ethical organizations.”

In fact, their research found that these two actions are key to code implementation:

  • Communicate codes through the right channels and explain why they’re important
  • Integrate codes into the organization’s practices and back them up with enforcement

Once drafted, an organization needs to embed the code into its culture. The KPMG report recommends that the code become a “living” document to guide and create ethical behavior throughout the organization through:

  • Communication and training
  • Personnel and other policy measures
  • Monitoring, auditing, and reporting

At the companies KPMG surveyed, training courses were commonly used to:

  • Explain the importance of the code
  • Reinforce ethical behavior
  • Strengthen the moral compass
  • Identify and deal with dilemmas
  • Provide guidance on how to implement the code more effectively

At Lehman Brothers, the ethical code contained the phrase “compete aggressively in furthering the interests of the firm.” However, the authors raise the question of whether explaining to employees the level of acceptable risk in “competing aggressively” would have avoided leveraging the company “into a lethal situation.”

Effective implementation requires ethical leadership and support, training, and continuous reinforcement and updates to keep the code current. Ongoing administration and reinforcement of code standards embeds an organization’s values into its culture, which stimulates ethical reflection and action, and encourages compliance so that employees speak up when they see others engaging in unethical behavior. And for the skeptics who question whether an effective company code of conduct is worth all this effort, the bottom line is that good ethics are good for business.


4 Data Security Essentials You Need to Know

We talk a lot about data security. We do it partly because it’s a top compliance priority for companies. But we also want to make sure we inform professionals like you about legal updates and trends, because that’s what we do and we should all be a little literate in the essential things in life. Data security is one of those essentials.

  1. What is Data Security?

Data security, also known as cybersecurity, means “measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack.” Password protecting our laptops and work phones is one example of data security. People and businesses do this on a larger scale to protect sensitive personal and business information from being leaked.

  2. What’s the Difference Between a Cyberattack and Data Breach?

A cyberattack is intentional, unauthorized access. “Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services,” according to the Department of Homeland Security. It sounds scary because it is. The ‘Internet of Things’ cyberattack shut down parts of the internet (imagine if all the highways in California shut down at the same time) while technology company Yahoo had 500 million accounts stolen. Both were intentional.

In contrast, a data breach is unauthorized access of protected data, regardless of someone’s intent. For example, an employee who uses an unsecured home computer to access confidential company information, a form of shadow IT, can cause a data breach. Some call this insider negligence, which the Ponemon Institute found was the leading cause of data loss and theft in 2015. Phishing, in which spoof emails trick people into granting system access to strangers, “has continued to trend upward” according to the Verizon 2016 Data Breach Investigations Report.

The important thing to understand is that an honest mistake can be just as serious as a cyberattack because both leak sensitive data to people who shouldn’t have it.

  3. Which Laws Govern Data Security?

A lot of laws govern data security, and the laws that apply to you depend on where your company is located, its industry, and what kind of data it handles.

Almost all states and most industries have their own data security laws. For example, if you’re a financial institution in New York, you must abide by the federal Gramm-Leach-Bliley Act and will soon have to abide by the state’s cybersecurity regulation. Internationally, the EU Privacy Shield and the General Data Protection Regulation (GDPR) loom large for global businesses in their aims to protect EU citizen data.

All companies have to ensure they’re being honest about how well they protect data; the Federal Trade Commission has busted businesses for “unfair practices” under federal law after failing to protect data. Given this confusing patchwork, it’s best to focus on best practices that you can employ.

  4. What’s My Responsibility?

To be vigilant. Our actions are no longer singular; they impact our employers, customers, and each other. Being vigilant means educating ourselves, such as understanding the latest cybersecurity risks and actually reading our employer’s cybersecurity policy. It also means doing our part to protect someone else’s private information. For more information, you can read our white paper on what makes effective data security training.


Hallmarks of Effective Compliance and Ethics Programs

The enactment of the Foreign Corrupt Practices Act (FCPA) in 1977, the Federal Sentencing Guidelines for Organizations (FSGO) in 1991, the Sarbanes–Oxley Act of 2002, and the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act all contributed to the perception that a code of ethics is solely a legal compliance and risk management tool. However, organizations that want more than check-the-box compliance know that compliance and ethics programs need to effectively promote a culture of honesty and integrity. This post will explain the “hallmarks” of effective compliance and ethics programs as set forth in the U.S. Securities and Exchange Commission’s (SEC) and U.S. Department of Justice’s (DOJ) FCPA Resource Guide.

Critical Components of a Code of Ethics

The FSGO made clear that a code of ethics must focus on changing behavior to create a culture in which individuals think and act according to the organization’s values. Specifically, to receive credit in sentencing, an organization’s ethics program must:

  • include a code of conduct
  • include a risk assessment process
  • be promoted and enforced consistently throughout the organization
  • provide appropriate incentives for compliance
  • provide helplines for reporting suspected misconduct
  • provide training on the program’s requirements

When the SEC and DOJ review compliance and ethics programs, they are looking to answer these three questions:

  • Is it well designed?
  • Is it applied in good faith?
  • Does it work?

The SEC and DOJ’s guidance explains what it takes to meet these requirements, which we’ll summarize below.

How to Meet the SEC and DOJ’s Requirements

Well-Designed Ethics and Compliance Programs

As the FCPA Resource Guide points out, an organization’s compliance program needs to address its specific needs, risks, and challenges. In addition, the most effective codes are clear, concise, and accessible to all employees, agents, and consultants.

Periodic reviews are also important to make sure that the code of conduct addresses an organization’s changing needs and risk assessment. This approach allows resources to be focused on high-risk areas, increasing the effectiveness of the program and its compliance, since the “DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”

For example, employee surveys have been used to measure an organization’s compliance and ethics culture and to identify new risks. As business needs and legal requirements change, so should compliance and ethics programs.

Training and Continuing Advice

Creating and maintaining an ethical culture requires a sustainable effort. Periodic training for all directors, officers, relevant employees, agents, and business partners should cover policies and procedures and applicable laws, as well as provide case studies to practice skills in real-life situations. Ethics training should be delivered to all levels of the organization in a manner and in the language that is appropriate for the targeted audience.

Resources also need to be available for individuals at all times, so they can seek advice when faced with difficult or unique decisions.

Incentives and Rewards

Stephen Cutler, former Director of the Enforcement Division of the U.S. Securities and Exchange Commission (SEC), said this about rewarding individuals for doing the right thing:

[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it.

The SEC and DOJ warn that no one should be deemed above or below compliance, and that organizations should instead reward lawful and ethical behavior with financial or career advancement incentives.

Applied in Good Faith

Research shows that procedural fairness through objective and consistent application of an organization’s code of ethics encourages employees to act ethically and comply with the rules. When an organization enforces its code of ethics in a fair manner, employees trust the organization’s commitment to its values. This encourages compliance with the organization’s policies and is significantly more effective than punishing ethics violations.

Encouraging reports of suspected misconduct is important to show an organization’s commitment to preventing unethical behavior. A previous blog post discusses how employers benefit when they encourage early reporting by internal whistleblowers.

Ethical Leadership

We’ve also written about the effect of ethical leadership on employees’ perception of their leaders’ personal character. Leaders’ deeds speak much louder than their words and have a significant effect on promoting a culture of honesty and integrity. For example, companies that self-reported to the SEC that their employees bribed foreign officials avoided steeper fines and harsher scrutiny, but they also earned their employees’ confidence that the organization acts on its values and does the right thing.

As Stephen Cutler put it, “Setting the right tone means letting employees know that no one at the company is above the law; that no matter how important or how senior, someone who has violated an ethical standard will be punished.”

In 2009, the National Business Ethics Survey: Ethics in the Recession found “[e]thical culture is the single biggest factor determining the amount of misconduct that will take place in a business.”

In 2013, the National Business Ethics Survey found that misconduct was down, with the percentage of workers reporting that they observed misconduct on the job falling to an all-time low of 41%. However, workers surveyed also reported that 60% of misconduct involved individuals in supervisory up to top management roles, and that retaliation against workers reporting misconduct is still a widespread problem. Much work remains to be done to build a strong ethical culture and reduce the risk of misconduct.


This is How Workplace Diversity Improves Company Culture

To put it bluntly: workplace diversity is a crucial component to a successful business. This piece will explore the benefits of workplace diversity and how it can help improve a company’s culture.

The “What”: Four Layers of Workplace Diversity

Diversity and inclusion are pivotal economic and business imperatives, yet that understanding alone is not enough to implement them in the workplace. Dr. Edward E. Hubbard, author of Measuring Diversity Results and How to Calculate Diversity Return on Investment, believes that there are four layers of diversity:

  • Workforce diversity – Group and situational identities (race, gender, ethnicity)
  • Behavioral diversity – Work, thinking, and learning styles (including beliefs and values)
  • Structural diversity – Combining different cultures, communities, and hierarchies
  • Business diversity – Markets, processes, creativity, and project management styles

The “Why”: Create Healthy, Compliant, and Inclusive Workplaces

We live in a diverse world, but that is not always reflected in our workplaces. To be diverse is to be inclusive, and to be inclusive is to create a healthy, compliant, and accepting environment for employees. Incidentally, research gathered for a Deloitte University Press report on diversity and inclusivity reveals that companies are beginning to shift their focus from diversity as a compliance obligation to treating diversity and inclusion as a business strategy. However, nearly one-third of companies surveyed globally claimed to be unprepared in that area.

Promoting diversity in the workplace is not the same as successfully executing it and all of the benefits it can offer. Consider diversity in the workplace the way you would workplace safety—fundamental to the betterment of a company and its employees.

At face value, diversity is an attractive feature for a workplace to have when scouting new talent and maintaining a reputation in the workforce. However, diversity goes beyond what employees and clients can see—it must be experienced and felt. Perhaps this is why only one in five companies that were surveyed for the Deloitte University report believe their company is fully “ready” to address the issue of workplace diversity. If most companies are still treating workplace diversity as a compliance obligation, it’s no wonder only 20% are ready.

Here are some diversity benefits 80% of companies surveyed may be missing out on:

  • Connecting with customers
  • Employee motivation
  • Employee recruitment and retention
  • Continuous quality improvement
  • Driving performance and innovation
  • Acquiring talent

A diverse workplace is profitable. In an article published on the American Bar Association website, statistics showed that businesses that deter women and minorities from exhibiting their full potential “not only expose themselves to liability, they prevent themselves from potentially multiplying their customer base and earning greatly increased profits.”

According to research cited by Cedric Herring in a 2009 article published in the American Sociological Review, the most racially diverse companies bring in nearly 15 times more revenue than the least racially diverse. Additionally, Herring found racial diversity to be a better determinant of sales revenue and the number of customers than company size, age, or number of employees.

The findings for the advantages of women in the workplace are equally impressive. According to a 2011 research report conducted by Nancy M. Carter and Harvey M. Wagner, companies that have three or more women on the board “outperform companies with all-male boards by 60 percent in return on invested capital, 84 percent in return on sales, and 60 percent in return on equity. These numbers suggest that diversity and inclusion are not just profitable; they have a synergistic impact on profits.”

According to Hubbard, the presence of diversity impacts individuals, teams, organizations, customer markets, and communities at large. Consequently, the presence and promotion of diversity does not automatically eliminate the existence of harassment and discrimination in the workplace–but it can over time, if properly implemented and executed. As stated in a workplace diversity study published on the University of Florida website, “Managing diversity is more than simply acknowledging differences in people. It involves recognizing the value of differences, combating discrimination, and promoting inclusiveness.”

In and out of the workplace, harassment and discrimination are abundant. It’s not illegal outside of the workplace to lead with one’s prejudices and biases, but inside the workplace, those attitudes can be challenged with policies, the Employee Handbook, and Code of Conduct. Measures can be taken in the workplace to ensure harassment and discrimination are met with consequences, and the presence and implementation of creating diversity among personnel can help to eliminate those behaviors.

For example, earlier this year an employee who identifies as a woman was discriminated against when her employer told her that she must “dress in ways that express [her] biological sex,” which is male. The employee refused to follow her company’s restrictive dress code and was ultimately terminated for violating it. Because of this discrimination, the employee was on the receiving end of her employer’s bias and was unable to reach her full potential while working for the company. Had diversity been enforced by the employer, the employee may have felt more accepted and motivated.

The “How”: Transition From Workplace Diversity as a Compliance Obligation

Deloitte University published an article discussing their report. In it, they explore what they believe to be the two major themes that can help companies transition from diversity as a compliance obligation to “building an inclusive workplace that inspires employees to perform at their highest level.” These themes are making diversity of thinking a business imperative and focusing on inclusion as well as on diversity itself. 

Forbes magazine suggests the following be done in order to achieve a diverse workplace:

  • Remove unconscious bias – Tinna C. Neilsen, founder of Move the Elephant for Inclusiveness, said that “The core of inclusion is all about leveraging diversity of thought… a tough thing for a lot of people because sometimes they don’t know enough about group dynamics like group conformity…. You can have as much diversity and as many different kinds of people in a team, but if you allow group conformity to dominate, then you’re not going to leverage any of it anyway.”

  • Make change happen – Identify what needs to change, figure out how to change it, and make the change.

  • Replace antiquated practices – Dr. Patti Fletcher, Strategic and Solution Marketing at SAP SuccessFactors, states that “The processes, practices and architecture we have in place right now are antiquated. Nothing is going to change unless those things change . . . People don’t change because you tell them to. They change when you enable them to . . . we need to use choice architecture, meaning putting tools in front of somebody to enable them to do something totally different without them even realizing it. For example, blinding a resume where you don’t see a name or an address, and therefore not having that unconscious bias be able to kick in.”

By broadening the scope of workplace diversity from race, age, gender, and physical ability to also include diversity of thinking, companies can better understand their employees and discover additional ways to solve problems. Employees want not only to be heard, but truly listened to. In order to achieve that, a company must listen to every voice, to everyone who chooses to participate.

LawRoom offers online compliance training in managing bias, which aims to educate users about unconscious preferences and generalizations that often arise in the workplace. These biases may result in unfairly limiting career opportunities for existing and potential employees. We also offer training in anti-discrimination, harassment, and ethics–all of which promote prosocial behaviors that comply with the law and can help to make the workplace a better place. Please visit Lawroom.com for more information.

What is the Value of Building a Culture of Compliance?

Culture of Compliance: The Foundation of an Ethical Infrastructure

For many employees, a job is a job. They arrive for their shift, go through the motions, put in the work, satisfy the requirements, and clock out. Repeat the following day.

For other employees, going through the motions isn’t enough. Workplace fulfillment goes beyond liking—even loving—what you do. For those “other” employees, workplace fulfillment is about making their mark, believing in their company’s mission, and being part of a workplace that supports its employees, recognizes their potential, and rewards them for a job well done. Employers have to find a strong foundation to build up from in order to appeal to the masses. That can be done in two interconnected ways: culture and compliance. And in the end, you build a culture of compliance.

Corporate Culture

“Research shows that companies that focus on creating happy, healthier, motivating, and appreciative workplaces are onto something profound—” an article published on the Forbes website states, “even, and maybe especially, during turbulent times.”

The workplace environment has a strong impact on employees. Productivity and engagement are at stake, so business leaders are expected to ensure that their company is providing employees with the bells and whistles. In that respect, however, there should be a main focus.

Mara Swan, the global leader of Right Management and executive vice president of ManpowerGroup, stated that “People are happy and engaged at work when they are inspired. Understanding employee career motivations and aspirations is key to creating a high performance that motivates individuals to do their best work.”

Research conducted by the Right Management’s Global Career Aspiration survey revealed that 45% of employees named work-life balance as their highest career aspiration, while only 17% ranked being the best at what they do as their top career aspiration. The survey findings go on to reveal that 53% of employees state that respect for their knowledge and experience is a top expectation for leadership within the company, followed by mutual trust (51%) and transparency (37%).

The same study revealed that 75% of employees do not feel engaged at work, which should be motivation for employers to rethink how they can incite individuals to meet performance goals—especially when only 1 in 10 employees defined workplace success as high performance. If that’s not the end goal for 9 out of 10 employees, what is? And outside of company culture, how can employers ensure their employees are happy and productive?

Commitment to Compliance

According to Tom Tyler’s The Ethical Commitment to Compliance: Building Value-Based Cultures, employees who feel respected and who receive fair treatment from their organization are more likely to reciprocate that behavior toward the company and its rules. In other words, the company gets what the company gives. The data shows that when an organization operates in a procedurally fair manner, “employees will believe in the legitimacy of management’s authority and believe that their values match the values of the organization.”

Based on the aforementioned data, employees are then more inclined to comply with their company’s rules voluntarily, which is “significantly more effective in eliciting rule compliance than an approach based on risk of punishment.”

Strong Compliance Culture, Necessary for Success

A strong culture isn’t just encouraged, it’s necessary for a company’s success. Check out Create a Compliance Culture for more information and guidance on how employers can achieve a culture of compliance.

The workforce is filled to the brim with diverse employees, each of whom wants, expects, and aspires to something different in their professional career. In order to appeal to as many employees as possible, employers should consider what their employees want, what makes them satisfied with their role, and what gets them motivated to do good work. This helps build a culture of compliance.

LawRoom provides online compliance training on ethics, FCPA and data security to thousands of companies and universities. To learn more, visit us here: LawRoom.com.