The Chief Ethics and Compliance Officer (CECO) role is about being the Chief Integrity Officer of the organisation. With the Environmental, Social and Governance (ESG) accountability handed to corporate compliance and ethics teams, this role of integrity is becoming more critical.
Integrity underpins defensibility
Integrity is a mirror. What the organisation communicates to others – stakeholders, investors, regulators, clients, employees – is what it truly is in its behaviour, transactions, conduct, and interactions. It is a reflection that the organisation's values, ethics, and commitments are being followed.
Integrity requires defensible compliance. What is documented in an organisation's code of conduct, policies, and procedures is communicated, enforced, and monitored in the environment.
When issues of integrity arise, they are investigated and appropriately addressed. The organisation needs a robust system of record of all compliance and ethics-related activities to demonstrate integrity and provide for defensible compliance.
This starts with clearly written policies and procedures, from the code of conduct through the array of the organisation's supporting policies. However, having a well-written policy is not enough. To be an organisation of integrity requires that the policy be communicated and enforced in the environment.
The organisation needs a robust communication and training/learning programme to educate employees and the extended enterprise on the organisation's policies.
I spoke at length on this subject at Skillcast's Transforming Compliance Summit.
Organisations need centralised policies & training
There should be a single portal for each organisation's policies and related training activities. All policy and training interactions and tasks are recorded, creating a strong audit trail that provides a defensible record of compliance interactions in the context of policies and training.
Defensible compliance in an era of integrity starts with policies being communicated and understood throughout the organisation. From there, a defensible compliance programme has a strong system of record of other compliance-related activities such as compliance assessments, monitoring of controls, meeting requirements and obligations, and responding to issues and incidents.
This system of record for defensible compliance should record all activities and interactions around compliance.
- What version of each policy was communicated?
- On what day and time was the communication?
- Did the employee complete the training?
- What issues of compliance were found?
- How were they responded to?
- Were processes followed?
The organisation needs to not only know what has happened today but be able to go back to a point in time to see the activities and system of record of compliance when an issue first arose. When the issue of corruption arose 18 months ago, what policies were in place and what training had been completed?
Defensibility requires strong audit trails
Defensible compliance requires that the organisation have an information and technology architecture that can support a strong audit trail and system of record of compliance activities and interactions.
Policies cannot just be haphazardly distributed as file shares or on SharePoint sites. The organisation needs RegTech tools that can record and demonstrate the integrity of compliance processes and interactions.
In the context of integrity, it is important to guide and nurture the culture of integrity for compliance. The attitudes and behaviour of employees shape the organisation's culture, which then has a symbiotic effect, further shaping the attitudes and behaviour of individuals. It takes years to develop and nurture a culture of integrity.
Maintaining a culture of integrity
A culture of integrity can be destroyed instantly with a significant compliance issue and take years or even decades to repair.
Defensible compliance ensures that the organisation is doing everything it can to nurture and shape the organisation's culture in the context of integrity to its values, ethics, ESG commitments, and regulatory obligations found in the organisation's policies.
Having the right audit trail and system of record for compliance provides assurance that the organisation stays on the straight and narrow road of integrity and stays on it even when it slips.
About our guest author
Our guest author is Michael Rasmussen of GRC 20/20 Research, an internationally recognised authority on Governance, Risk Management, and Compliance (GRC). His expertise covers enterprise GRC, GRC technology, corporate compliance, and policy management.
Using his 28+ years of experience, Michael helps organisations improve GRC processes, design and implement GRC architecture, and select effective, efficient, and agile technologies. Sought-after as a keynote speaker, author, and advisor, he has been called the "Father of GRC", having been the first to define and model the GRC market in February 2002 while at Forrester.