Your Quick Guide To Managing Ethics & Compliance

Compliance function best practices

Zero tolerance has been a staple of compliance function best practices for many for a long time. But it doesn’t work. A brief sample of searches around zero tolerance vs news headlines highlight the disjoint.

“We have a zero-tolerance policy for…” is a familiar refrain in many corporate codes, websites and documents. Yet the briefest glance at the news – or just experienced reality – suggests we’re collectively far from this utopian zero-criminality world.

For some, the intention is a noble one (a stated aim); for others, it’s “what everyone else says”, and it can also be window-dressing. How did we get here?

Like all good intentions… compliance function best practices must adapt

The desire to create environments free of nasty things is laudable, but (many of us) hit problems when intention meets reality. We all make grand proclamations, many of which falter; why?

  1. Not realistic
  2. No definition, plan or structure
  3. Insufficient commitment
  4. Overestimation of ability and underestimation of the daily grind
  5. Hypocrisy

None of those words scream compliance function best practices.

Setting yourself up for failure

No police force (that I am aware of) or judiciary promises a zero crime rate, so why are companies doing so? It’s unrealistic. This fantasy can create resentment, cynicism, or incredulity from employees who see the folly. I came to the world of ethics & compliance (E&C) via investigations. That journey taught me how depressingly hard it is to achieve zero tolerance.

Sometimes the circumstantial evidence is solid but not the documentary (especially where offshore jurisdictions and other obfuscatory measures come into play). People won’t talk in other cases (fear, loyalty, etc.). You also can’t compel cooperation, especially now in the WFH era. In workplace disputes – including discrimination and harassment – few are willing or able to make definitive rulings in cases where only the reporter and the accused know what happened. Upholding an investigative doctrine that says we always get the bad guy is best kept for movies starring dudes on ‘roids. Such loft goals are not compliance function best practices.

Compliance function best practices

Fail to plan, plan to fail

What is it we have zero tolerance for? Intention or action? If you’re wondering why I’m straying into the philosophical, consider these scenarios:

🔎 A senior director asks a direct report to lunch to discuss their career plans. The employee declines and tells colleagues they feared the director’s intentions were personal (and could stray into sexual harassment). This suggestion spreads as a rumour. A few months later, the director requests the company reallocate the employee to another team.

🔎 Your anti-corruption policy has zero-tolerance for facilitation payments, and third-parties have to agree to these terms to work with you (compliance function best practices, right?). Your logistics – including shipping of time-critical raw materials – is handled by third-parties, as are visas, travel, and applications for business licenses. You don’t understand each of these processes; that’s why you outsource. You, therefore, don’t know if the fees on their invoices represent legitimate payments or not; the suppliers assure you they do (not compliance function best practices).

🔎 A dangerous chemical spills inside an enclosed area of your facility, leading to a fire threatening the health and lives of your employees. Your fire marshals act quickly, dousing the fire and then using water to flush the acrid chemicals out of the facility (and inadvertently into a waterway used by nearby communities for bathing, cleaning, and drinking). The marshals’ approach isn’t company policy, but they did prevent harm to your people.

It’s tricky. Some topics are hard to define with the precision that allows a binary Y/N decision around the intention. Others require serious homework to describe and maybe recognise that they’re not entirely within your power. And then there are unintended consequences or mistakes.

Compliance function best practices – It sounded good

“I’m going to learn [insert language, musical instrument, martial art, craft, etc.] this year.” Easy to say, damn hard to do. That’s the best case, as perhaps the intention was genuine, but the commitment was lacking. Sadly, the more likely possibility is companies say zero tolerance as it sounds good, thereby massively undermining it. In the same way that paradigm shift, epic, legend, and icon have been used so liberally to render them largely BS (or is that just me?).

I am going to pick on banks here. Not the compliance folks inside, who are often lovely and fighting a brutal rearguard action – the moral equivalent of Thermopylae. Zero tolerance is ubiquitous in the large investment banks’ policies (compliance function best practices, again, right?) yet it’s not true. The image below is a sample and could be replicated many times over.

Compliance function best practices - what we say and what we do

It’s a LOT of work

It might be apparent by now, but to effectively implement zero-tolerance, it requires:

😇 A 360 perspective of all possible interactions your organisation might have.

😇 Watertight definitions of all possible violations (including how we should judge intention).

😇 The ability to compel cooperation truth from any human we interact with.

Simple then. It’s even less realistic than that January I decided I’d take over the world with my rock band. A sound plan, were it not for the lack of any sense of rhythm, not playing any instrument competently, having no bandmates, writing awful lyrics, and an abject failure to address any of these deficiencies with intentional work. It was 1996, and I had adequately rank and lank hair, so I got one bit right. Ah, to be 18 again.

Do as I say, not as I do

Zero tolerance doesn’t travel well – laterally across geographies or down hierarchies. I recently spoke to an American serial entrepreneur, now back in Vietnam (after a career spanning much of the globe). He works with local tech disruptors on various things, including “compliance function best practices”. The work got to the integrity piece and a standard definition of corruption, “Benefit to which you are not entitled”. My friend told me that one of the Vietnamese CEOs, working in a healthcare startup, replied, “There are over 12,000 lobbyists registered with Congress, and your drugs cost multiple of those in other countries. Is that unfair benefit?”

I did some research – of rather I read [this RAND study]() and saw this headline:

Compliance function best practices - inconsistency

It’s hard to inculcate zero tolerance as an ideology when the moral fabric of your argument is the emperor’s new clothes.

Getting back to the intention

What should we do instead? We can’t just say, “we’d prefer you didn’t…”. We could say, “We’re working towards zero tolerance”, as some do. But that’s not very tangible; it’s like working towards enlightenment.

Maybe we should look at what (I think) zero tolerance is intended to address:

🙈 Abuse of power – No one is above the law.

🙈 Inconsistently enforced rules – linked to abuse of power, but often also to varying interpretation and application in globalised businesses, where the cop-out, “culture was a factor,” can be used.

🙈 The tropes, “it’s always been this way”, “he’s just a bit touchy”, “it’s how things are done in…” etc.

🙈 Weasel words, where we try and dodge a firm commitment to behaviour that improves humanity because we want a bit more money, control or power.

What are we talking about?

Would it make more sense to create statements that include a prohibition of the act – defining clearly what that act is, what the threshold of evidence will be, and how you will arbitrate? That looks to me more like compliance function best practices, although I appreciate this simplifies something very complex, and the statements are just the paper bit. But if what you proclaim isn’t realistic, then all that follows – training, communication, systems, processes, frameworks and culture – is on a shaky foundation. I wonder if a simple ABC framework might work:

🔤 ACTIVITY – What is covered. There’s a balance here. For example, for non-retaliation, it can help to spell out all the ways someone can face retaliation (noting they are not exhaustive). Whereas, for asset misappropriation (theft), you probably don’t need to spell out all the sorts of things that people can steal but focus more on the scale and scope (e.g., office stationery to IP).

🔤 BEHAVIOUR – How do we expect people to treat each other (including broader stakeholders)? What behaviours will not be tolerated (use clear examples, ideally borrowed from past issues or near misses)?

🔤 CONSEQUENCE – Here is where your zero tolerance might find its home. Explain that certain red line violations (if proven) will result in severe consequences and spell them out (termination, criminal prosecution, etc.).

Ending on punishment can make people a little nervous, as we’re always supposed to “end on a high”, but consequences for bad things build trust, which is the foundation on which effective E&C can flourish.

Your Quick Guide To Managing Ethics & Compliance