
Making compliance work for you in three steps

Rupert Evill, Founder, EthicsInsight
1100 words, 4 min read

AusIMM members, upon admission, commit to the principles set out in AusIMM’s Code of Ethics and reconfirm that commitment each year when renewing their membership subscription. This commitment builds on the trust and positive reputation that AusIMM members have as a collective of industry professionals.

This article examines how resources businesses and professionals can ensure the highest levels of ethical practice and gives practical tips for benchmarking and implementing effective compliance programs.

Ethics in the modern workplace

Anti-corruption, fraud, harassment, conflicts of interest, anti-competition, and so on, are not new. Some other areas of ethics and compliance are. For example, the Modern Slavery Act 2018 (which entered into force in Australia on 1 January 2019) and an increased focus on environmental, social and corporate governance (ESG) from investors and lenders. Then there’s a backdrop of increased social (media) activism around diversity, equity, and sustainability. The potential for missteps and mistakes in the area of ethics and compliance seems higher than ever.

This is occurring as budgets are shrinking, with uncertain economic headwinds, soft commodity prices and geopolitical uncertainty.

Given these factors, how can resources professionals ensure the highest level of ethical practice?

Step 1: Context

Start by asking the below questions to help you determine the context for compliance and the key risks of your team or company.

  1. Who:
    1. Within your organisation: Which teams and functions face (higher) risk? Typical touchpoints are those managing external stakeholders and those managing lots of money (procurement, finance). But also look for indicators of harassment and discrimination. In our experience, they correlate with other violations (fraud, theft, etc.).
    2. Outside: Who do you deal with along your value chain? Consider where you operate, client demands, funding, participation in government (or multilateral-funded) tenders, supply chain, use of agents, etc.
  2. What: What do these people do for or with you? Note that a multinational providing drill parts will probably need less scrutiny than a consultant obtaining immigration permits.
  3. How: Do you know how they do what they do for you? It may sound basic, but you’d be amazed how many people don’t know how their freight forwarder gets equipment through customs in a timely manner.
  4. When: Frequency and criticality matter here. What interactions sit on your critical path? For example, do you need blast permits regularly? Do you have regular interactions with a scrap metal outfit?
  5. Why: Leave this one until last. Why can sound accusatory. But it’s a great question. You’d be amazed how many times a question starting with ‘Why are we …?’ can’t be answered properly.

Answering these questions helps to shape the controls you’ll need to manage the issues. So, now you need to assess those controls (and culture!).

Step 2: Benchmark

To find out where you currently stand, it’s important to set a benchmark of current practice and behaviour. Note that asking people binary questions generally doesn’t work. For example, avoid questions like:

  • Have you read the Code?
  • Have you attended ethics and compliance training?
  • Do you know how to report suspected misconduct?

Most of the time you’ll get an answer in the affirmative and then be baffled when problems keep occurring. So benchmark using the techniques below.

Focus on implementation: Ask questions about relevance and functionality. For example, instead of asking about attending training, ask if the training is customised for different functions, and if it includes testing and reminders. Ask these questions on a 4 or 5 point Likert scale (eg: ‘never’ through to ‘always’).

Consider culture: Some questions should assess trust, fairness, and leadership ‘walking the talk’. For example, asking if people trust that allegations will be properly investigated and disciplinary procedures fairly enforced.

Prioritise resources: The answers to these questions will quickly tell you which elements of your compliance program need help, and which teams need support. In my experience no organisation has issues across the board; typically it’s a few areas.

Step 3: Implement

Implementation needn’t be overwhelming. Break it down into:

  1. Quick wins: There will be some very quick wins that come out of the former two steps. Steps 1 and 2 are effectively a risk assessment. If no one reads the Code, this can be addressed. Less is more; a 2-5 page Code with a few examples can be done (with some focus) in a few weeks.
  2. Medium-term: Technology has an increasing part to play in accelerating what was once long-term into medium term. For example, if you’re struggling to train a workforce spread across multiple sites and with varying levels of access to laptops and company email, fear not. There are now some excellent remote-learning providers using mobile-enabled tech.
  3. Long-term: There will be some areas that are knotty and thorny. I’ll let you in on a secret: these areas tend to be –
    1. reworking existing (IT) systems and processes that aren’t popular
    2. culture, culture, culture. If people aren't entirely sold on your ethics and compliance program, it’s likely because they don’t see the values in action, especially in the actions of senior leaders. If this is the case, call a change manager!

When we were building the Ethics Insight platform (which focuses on steps 2 and 3), we developed 40-50 pieces of content to speed up implementation. They ranged from plug ‘n’ play (Codes, disclosure forms, training scenarios), to tools (risk assessment, tracking tools), to guides (crisis management, investigative interviewing, dawn raid protocols). What we’ve found since is most organisations will only need between 10-20 of them.

Implementation isn’t the task it once was. The advice and support are out there; they have been democratised by technology and disruptive business models.

Don’t waste time

These steps are achievable in 6 months. If that sounds like lunacy, how’s this:

  1. Set up a call with members of each business unit this week. Ask them if they can answer the who, what, when, how, and why questions. If not, find those who can. Run a few risk-storm workshops to better assess the level of risk you face.
  2. Use tech to benchmark with some targeted questions about your program efficacy. Allow nuance (not binary) to show variance in responses and get an accurate aggregate score.
  3. Get the quick wins tucked away, then use the remaining three months (yes, three months is ample for the first two steps) to focus on the medium-term.



About the author

Rupert Evill has 19 years of global experience across more than 40 countries. He has deep expertise in managing frontline risks, risk assessments, benchmarking, delivering training, intelligence-gathering operations, investigations and managing acute crises. Before founding Ethics Insight he spent 13 years at a major risk consulting firm, having started his career in counter-terrorism and political risk.
