Regulators are also setting ever-higher standards of integrity management oversight, while compliance and ethics professionals pursue continuous program improvements. But there is an inherent challenge in moving hundreds or thousands (or hundreds of thousands) of employees, agents and suppliers from principles and ideals to practice.
The media continually covers new scandals, ethical breaches and compliance failures, from trader misconduct to money laundering, bribery and corruption. And long and complex supply chains can increase the risk of a firm’s entanglement with modern slavery, child labor, environmentally harmful production methods or worker exploitation.
“Risk can never be entirely eliminated, but it can be reduced if a company measures its progress and tracks how risk dynamics change over time,” says Jon Feig, Partner, Ernst & Young LLP United States, Forensic & Integrity Services.
The Integrity Agenda is a four-part framework, which can help a company connect its aspirations to its real-world performance, with concrete questions to ask and metrics for gauging success.
Chapter 1
Governance
The Integrity Agenda entails multiple actions across the "governance model".
Governance refers to the structure of integrity, ethics and compliance management (encompassing board, line management and corporate functions), and the policies that guide organizational behavior. Its importance can scarcely be exaggerated.
The actions and words of management shape the company and direct the actions of its staff. Weak governance may allow situations where certain employees enjoy immunity from stringent policies that are normally enforced because they are high-performers in the business, well-connected or part of the senior management team. Organizations demonstrating a culture of integrity apply the same rules equally to all employees irrespective of their position or success, a principle known as organizational justice.
Management can also be an indirect culprit: by issuing excessive incentives for sales targets or unrealistically high margins, management serves to promote fraud or increase risk by encouraging the manipulation of figures or the engagement of lower-quality contractors or suppliers.
Putting the Integrity Agenda into practice
The Integrity Agenda entails multiple actions across the "governance model": management, compliance, and internal audit. This model helps define roles and responsibilities:
- Frontline operating management, for instance, should own and manage risk and control. For example, is a business unit that is responsible for sales adhering to policies and procedures?
- The management tier can be assigned responsibility for risk, control and compliance functions.
- Internal audit can provide independent assurance to board and senior management on the effectiveness of risk management and control protocols.
In today’s business landscape, in which corporate structures and global influence are broad in reach and complex in structure, good governance also requires having a line of sight into small, outlier business units and newly acquired companies that can create disproportionate risk.
One example of risk might be buying a company and leaving management or commercial personnel in positions that could compromise the new owner’s ethical policies.
As the new owner announces its protocols (from not giving gifts to bookkeeping norms), it must ensure these are adhered to and not merely verbally advised. More subtle challenges can also occur as companies move across cultural and political borders. Acquiring a firm in China, for instance, means governance norms over issues such as state relationships and competition law cannot be assumed to be the same. Good governance also stretches out into the extended enterprise, including contractors, suppliers and representatives; compliance and ethics professionals and regulators know that these “third parties” create significant risks.
Boosting your company’s ethical performance
To ensure governance systems support rather than undermine integrity, companies need to integrate integrity management into the executive tier (for example, the board, and the overall risk management and financial governance processes).
This means achieving a high level of board effectiveness, with checks and balances on the executive — covering everything from conflicts of interest to personal professional conduct — and the ability to spot ethical or legal risks inherent to the business model (for example, compensation systems that drive bad behavior or encourage unethical practices). To understand how current governance norms or structures might be influencing the organization’s ethical performance, Maryam Hussain, a Forensic & Integrity Services Partner for Ernst & Young LLP (United Kingdom), encourages corporate management to step back and ask certain questions.
“First, ask yourselves: what action(s) would be counter to how you see yourself as an organization?” Hussain says. “Second, where are people’s incentives aligned such that they encourage behavior as a counter to this principle? And if that happens, what would the signs look like in the data internal or external to the organization?”
Companies also need to ask whether integrity risk exposure is changing in light of new products, markets or acquisitions and whether managers are accountable for ensuring effective operational controls.
Key organizational questions
- Is our integrity risk exposure changing with new products, new markets, acquisitions and ventures?
- What are the latest enforcement trends in the countries and industries where we operate?
- Have we identified and prioritized our integrity risks?
Metrics
- Integrity risk assessment — inherent risks and controls maturity, risks within tolerance, risk increases and reductions, and risks within and outside the tolerance
- Inherent and residual risk increases and reductions, program improvement plans implemented, and new ones launched
- Annual program assessment versus strategic plan and government guidelines, as well as the adequacy of the budget
Chapter 2
Culture
Research shows our behavior is far less elaborate and rational than we have traditionally assumed.
Culture is hard to pin down to a specific trait or attribute. But there is no doubt that ethical breaches result from the way a company’s internally “lived values” have shaped decisions and how people’s actions are influenced by what they see around them.
The culture of a successful enterprise fosters behaviors that spur growth and innovation, as well as behaviors to manage strategic, operational and financial risk. But it is a cultural commitment to integrity that will more likely secure an enterprise’s long-term success.
White-collar crime research by Professor Eugene Soltes of Harvard Business School shows how fraud can start with small acts that then escalate. One example is the backdating of contracts to the date of initial agreement, rather than signature, to meet quarterly financial objectives. Soltes finds that people responsible for massive corporate frauds often do not recognize the harm that they do to investors or the public [1].
An effective integrity program should therefore foster a culture of transparency and consultation where diverse teams consider whether their actions are in line with organizational principles.
These findings should inspire an organization to approach culture in a fundamentally different way. It needs to understand the more widely accepted concept that our behavior is far less elaborate and rational than we have traditionally assumed, and place more focus on humanistic approaches, such as open dialogue, consultation and critical reflection.
How small acts build into larger ones
Our investigation experience has shown that flawed mental biases, fast and automatic thinking, and rationalization strategies make people engage in small acts of moral misconduct without recognizing them as such. The human brain can perpetuate a positive self-image of being a good and honest person while actual behavior deviates from this, a phenomenon known as self-concept maintenance.
One group of psychologists articulates a “slippery slope” effect, in which small ethical infractions increase in increments, meaning unethical behavior unfolds over time rather than emerging suddenly or consciously. The EY Forensic & Integrity Services network has observed that such small unethical acts lead to bigger ones.
Maryam Hussain says a range of environmental cues also influence actions. She explains that at one firm hit by a major fraud scandal, a share price ticker was displayed throughout the office premises, even in the restrooms. The overall effect of this was to normalize, and encourage, all actions in support of its financial objectives, which over time led to fraudulent business practices.
“From social science we know that behavior is a function of a person’s interaction with their environment. It’s not about you and me in isolation, but about you and me in a particular context,” adds Katharina Weghmann, a Forensic & Integrity Services Partner, Ernst & Young GmbH (Germany).
Building a better culture
In contrast, culture can also promote ethics and integrity. Weghmann believes that how a company responds to whistle-blowers, and whether it creates a “speak-up” and “active listening” culture, is a vital indicator of how deeply embedded integrity truly is. Does the company perceive individuals who raise concerns as troublemakers, or does it normalize the process of critical and upward feedback?
Whistle-blower support mechanisms are powerful in a world where not everything can be scripted and managed centrally.
“We can train people in fraud and corruption, and inject the expectation of ethics, but ultimately you want people to raise their hands if they see something that is not right,” says Ted Acosta, EY Americas Vice Chair and Regional Managing Partner – Latam South (and former EY Americas Vice Chair – Risk Management). “This could be to their supervisor or, if that is sensitive, through other mechanisms, such as apps or toll-free numbers.”
The challenge with fostering a pro-ethics culture is that the culture itself is not a homogeneous factor: there can be different cultures in each business unit and region. This shows the importance of implementing mechanisms through which a company can understand how culture dynamics are playing out throughout the network.
Key organizational questions
- Do we measure culture? And if so, how?
- Do our products or services pose inherent ethics risks, for example, safety, sustainability and privacy? Do we understand the impact of our integrity risks on our brand?
- Do our leaders “understand” and live integrity authentically? What are the management team’s capabilities to identify and resolve ethical dilemmas?
Metrics
- External stakeholder perceptions of ethics risks, as well as regulatory, litigation and media trends relating to safety and sustainability
- Perceptions of tone at the top and the middle, performance evaluations against leadership criteria, and assessment of compensation plans on behaviors
- Tracking of ethics issues raised, resolved or ignored at various levels of the organization, as well as monitoring of outcomes, consideration of circumstances and decisional methods (people involved, criteria used, time urgency and stakeholder communications)
Chapter 3
Controls and procedures
These embed integrity into a company’s daily operations, and they deter and detect violations of regulations or policies.
Companies cannot rely only on culture and executive-level good governance. They also need, and can benefit from, controls and procedures that embed integrity into the daily operations of the company. Control systems can prevent or mitigate legal and ethical violations and the criminal prosecutions, loss of market value, and reputational harm they bring.
Adopting the Integrity Agenda requires multiple linked interventions in this domain. One is the development of systems for tracking and implementing new industry regulations and embedding them in operating controls. Third-party due diligence and oversight systems are also key to ensure that a company can trust its supplier and partner ecosystem.
When appropriately designed, controls can provide more than just functional support for the business. They can help to integrate compliance into operations and discreetly guide users toward more effective risk management outcomes.
“For instance, as procurement personnel consider the experience and pricing of suppliers or third-party intermediaries, the systems can also guide them to assess integrity risks, such as prior legal violations, lack of compliance policies, or inadequate documentation of company ownership,” advises Andrew Reisman, a Forensic & Integrity Services senior manager with Ernst & Young LLP (US).
Relying on technology
Technology can also help facilitate compliance alongside controls and procedures. It is possible to provide real-time guidance for staff. For example, robots can identify where an individual is entering a noncompliant expense into the system and then provide that individual with a warning notification and a reference to the clause in the policy that they may be about to violate. This type of intervention can significantly impact the types of claims that get entered into the system.
Similarly, chatbots can now offer guidance to employees with the aim of making compliance as easy as possible for them.
Besides guiding behaviors and making them easier for people to understand, systems of control can also enforce compliance. For example, a control can deny permission to business users to proceed to a subsequent step in a process unless certain compliance reviews have been completed, with appropriate evidence provided.
However, there is a fine balance between implementing checkpoints that ensure people follow procedures and creating operational friction, which can trigger significant frustration. A poorly designed control can often lead business users to bypass the system and rationalize to themselves that this is acceptable.
It is also important to be cautious about how much reliance is placed on control frameworks. The objective of using controls to completely prevent unethical behavior is flawed because, by their nature, humans are creative and controls can be gamed.
Maryam Hussain recalls a control system that successfully reduced the use of expenses to pay bribes, but the funds were simply funneled into bonus payments instead. Management had effectively created a system that continued to allow the bribes to be paid but through a different channel.
Key organizational questions
- Are our integrity policies supported by effective implementation procedures?
- Do our operational procedures, both manual and automated, incorporate compliance controls?
- Are we delivering compliance services to customers who depend on us — to know their customers, protect personal data or move goods across borders?
Metrics
- Presence and implementation of compliance controls in business processes
- Testing of controls, operation and effectiveness
- Ease of use within the business context — user perceptions, time and cost of usage
Chapter 4
Data-based insights
Data can provide insights and analytics on emerging individual, cultural and organizational risks and track integrity performance.
The recent popular interest in data is warranted, because advancements in computing power and the significant expansion of information available to businesses today offer the opportunity to scrutinize corporate behaviors and actions in far greater detail than ever before.
Leading practices are currently characterized by a shift away from checklist-oriented compliance programs toward a deeper understanding of corporate risk and how it evolves over time. This can only be achieved where there is strong visibility over transactional and operational activities.
According to Emmanuel Vignal, Asia-Pacific Leader, Ernst & Young (China), Forensic & Integrity Services, “Some of the stronger examples that we see include analysis around interactions and transactions with Government officials, relationships with commercial partners, anomalies in behaviors amongst the workforce or commercial advantages provided to third-party intermediaries or other organizations where the business rationale is not immediately clear.”
However, only a minority of businesses are taking full advantage of these opportunities. In one article for Harvard Business Review, for instance, the authors highlight that tracking and measurement often lag policies and protocols, undermining the latter’s effectiveness [2]. They emphasize that, despite spending millions of dollars a year on compliance, and even more in highly regulated sectors, the “ubiquity of corporate misconduct” continues to surface in the media, almost continuously. They argue that this growing expense, and the frustration it can create for many executives, is not only tragic but also avoidable, and the answer lies in better measurement.
Significant investment is made into the development and execution of training programs and high completion rates are used to evidence success, but very few organizations look at whether the training is tangibly influencing corporate behaviors, reducing policy breaches or strengthening integrity within the organization.
Measuring and analyzing available information can offer robust evidence as to whether a compliance program is protecting the organization and therefore whether it is providing a suitable return on investment.
Many of our clients wish to understand how they can build out a successful analytics program. Todd Marlin, EY Global Forensic Technology & Innovation Leader, advises: “In our experience, the strongest analytics programs are built on a thorough understanding of three critical elements: the business context, the risks that arise out of the business activities and how these appear in the data. The importance of spending time digesting business processes before developing and then testing hypotheses should not be underestimated.”
It is equally important to ensure that hypotheses have been rigorously validated against real data, especially if they are based on anecdotal evidence. Maryam Hussain recalls one company that sought to explore the relationship between the length of staff tenure and fraud to test a hypothesis that staff who had worked at the firm for longer were lower risk because they were embedded in, committed to and identified with the organization. Conversely, new hires were theorized to be higher risk warranting more intense scrutiny.
After testing this hypothesis, the data showed the length of tenure increased risk in a subset of people who had not progressed in their positions, says Hussain. That information is invaluable in building risk profiles and creating a defensible approach towards this type of analysis.
In terms of the techniques that can be adopted to explore the data and test hypotheses, there is a significant variety, ranging from simple and rapidly deployable algorithms to highly complex and rigorously refined models.
The more basic techniques include straightforward business analysis that cuts the data in different ways, or ordering data into sequential timelines that highlight where, for example, a payment has been made to a third party before mandatory due diligence checks have been completed.
More advanced practices might involve graph analysis to understand the connections between different individuals or undertaking pattern analysis to profile behaviors, enabling outlier identification.
Key organizational questions
- Does the program work to our satisfaction? What are the key performance indicators (KPIs) and key risk indicators (KRIs) we should use to define and measure effectiveness?
- What Integrity Agenda outcomes should we measure? Should it be the number of violations, discipline actions, audit deficiencies, business ventures enabled or ethics attitudes?
- How do we measure return on investment and make wise resource allocations?
Metrics
- KPIs — risk-specific controls (for example, third-party diligence and audit — implementation, timeliness, quality of decision support) and compliance office processes (policy deployment, training, code certification, incident response and management reporting)
- KRIs — predictive analytics from risk-specific controls (for example, third-party diligence and audit findings) and changes in business operations and enforcement trends
- Governance operations — number and quality of business unit compliance and ethics committee meetings and compliance-staffing levels
The strongest AI and analytics-driven compliance programs are built on a thorough understanding of three critical elements: the business context, the risks that arise out of the business activities and how these appear in the data.
Conclusion: know your data and be prepared
The business case for ethics is beyond question, and companies know the standards to which they are held are rising daily, as are the risks to which they are exposed. Yet, despite the millions of dollars spent on compliance programs, executives still report difficulty in bridging the gap between intentions and reality. This continues to be the case even as every new geography, product or industry creates yet new risks.
Integrity cannot be left to policy documents and checklist trainings. It must be embedded in the mindsets, daily choices and decisions of all staff, including the network of partners and suppliers. The EY Integrity Agenda seeks to operationalize integrity with the help of four mutually supportive pillars: governance, culture, controls and data-based insights.
This provides a structure for integrity management, encompassing board, line management and corporate functions, and informs policies that guide organizational behavior. It fosters a shared culture in which integrity is supported and promoted. It manifests in smartly designed controls and procedures that embed integrity into operations and deter and detect violations. And finally, it provides data-driven insights that can reveal risk flash points and monitor performance over time.
Taken together, this multi-part approach can help companies close the gap between intentions and reality.
Summary
The EY Integrity Agenda provides a structure for integrity management, encompassing board, line management and corporate functions. Despite the millions of dollars spent on compliance programs, executives still report difficulty in bridging the gap between intentions and reality.