image description

The Limitations of Corporate Compliance: Establish an Ethical Culture in an Era of Scandal

by Jordan A. Thomas
New York Law Journal |
With a strong ethical culture, an organization is able to instill in its employees a sense of stewardship and personal accountability that looks beyond the next quarter's earnings.

After more than 15 years in federal law enforcement, first as a Trial Attorney at the Department of Justice and later as an Assistant Director in the Enforcement Division of the U.S. Securities and Exchange Commission (SEC), one thing has become certain about corporate compliance: Many programs, well wrought, thoughtful and expensive as they may be, only address half of the equation. They focus largely on the mechanics of compliance and the practical response to misconduct. A more important and preemptory issue--establishing an ethical culture that deters misconduct--is often absent from the calculus.

Without a robust ethical platform, corporate compliance is a post-facto and tactical exercise. In a post-Dodd-Frank environment, the stakes are too high for tactics. Companies need ethical strategists. Any corporate leader who disagrees need only consider that, with the new SEC whistleblower provisions enacted by the Dodd-Frank Wall Street Reform and Consumer Protection Act, the federal government has deputized virtually every company employee, vendor, customer (and their second cousins) to serve as their eyes and ears. The scrutiny is, and will grow far more, intense. It's time to develop a new paradigm for corporate character. This is particularly important in an economic downturn, when executives send messages about profit-or-else and fears about job security can supersede ethical decision-making. It's time for corporate leaders, in-house and outside counsel included, to make principles like doing the right thing and fulfilling responsibilities to investors, customers, and employees a fundamental part of doing business. Given the unprecedented attention the whistleblower provisions of Dodd-Frank have generated, this is a moment of real opportunity.


Over the years, the field of corporate compliance has undergone a major and positive transformation. A long series of scandals beginning with Enron, regulatory reform under Sarbanes-Oxley, and favorable dispensation under the sentencing guidelines have all contributed to the growth of strong and independent compliance functions, often separate from an in-house law department, with direct reporting to the top. These functions, an important first line of defense, often have impressive arsenals: strong leadership; assorted corporate bodies like governance committees and peer review boards; and solid training programs. There are sophisticated internal controls and monitoring systems; ombudsmen, hotlines and investigation teams; and, voluminous employee manuals, policy statements and memoranda about conduct. Of course, these tools are a vital part of any company's fight against malfeasance. But do they work?

In 2007, surveying various indicia of misconduct, the Compliance and Ethics Leadership Council determined that, of 45 variables tested, the fear of speaking up is the strongest indicator of misconduct. The study found that "companies in which employees are uncomfortable speaking up or fear retaliation have significantly elevated levels of misconduct."(1) Recent related studies are equally troubling. Consider these findings from KPMG's 2008-2009 Integrity Survey:

  • 74 percent of employees surveyed reported that they had personally observed or had first-hand knowledge of wrongdoing during the previous 12 months;(2)

  • Only 57 percent of employees surveyed would feel comfortable using a hotline to report misconduct;(3) and

  • Only 53 percent of employees believed they would be protected from retaliation.(4)

In light of such statistics, we need to accept as a given that conventional reporting mechanisms are not working. Indeed, the best evidence of the inadequacy of traditional compliance programs is the long list of distinguished companies that have been the subject of significant SEC enforcement actions, from "white shoe" financial services firms such as Goldman Sachs and Bear Stearns, to corporate giants like Tyco, Siemens and General Electric. Surely these organizations had vigilant compliance officers and sufficient resources to establish state-of-the-art compliance programs. However, during the relevant times, what many of these organizations and others like them have lacked was a strong ethical culture.

Too many organizations ignore this fundamental area and focus their energies and resources on the latest compliance trends. With such a limited focus, we're doomed to a reactive Whack-a-Mole mentality: racing to respond to fraud only after it emerges, with no ability to prevent its occurrence. Apply this scenario to a large compliance department with oversight responsibility for tens-of-thousands of employees and it isn't hard to imagine how fraud escapes detection.

In the end, policies and procedures may create a standard for conduct, and outline penalties for wrongdoing, but they do not adequately prevent it.


Big misconduct often results from long chains of little mistakes; one breakdown in judgment cascades to another breakdown, and then another. It could be smoothing out revenue figures one financial quarter, and then creating nonexistent clients to cover up the prior misconduct the next. In time, isolated and seemingly random bad choices snowball into front-page scandals.

Former SEC Chairman Richard Breeden remarked that "it is not an adequate ethical standard to aspire to get through the day without being indicted."(5) We can take this a step further. It's not an adequate standard to have good compliance initiatives in place. We need to prevent or deter misconduct, with a better grounding in operational ethics, rendering compliance less necessary. With a strong ethical culture, an organization is able to instill in its employees a sense of stewardship and personal accountability that looks beyond the next quarter's earnings.

For some, the tricky part is determining who is responsible for creating and maintaining an ethical culture. Time after time, we have heard congressional and trial testimony of CEOs who, without apology, have shirked responsibility for misconduct in their organizations because they couldn't possibly know what their employees were doing all of the time. Similarly, many GCs and chief compliance officers believe that the realm of ethos is best reserved for parents, priests and professors. If an organization receives a Wells Notice from the SEC, will the organization be harmed and who will be held responsible? This is, intellectually and practically, a broad and shared responsibility. Oftentimes, disaster--from SEC fines and shareholder actions to public censure and reputational harm--could have been avoided if the company had operated within a culture where doing the right thing was the only standard.


Successful strategies for promoting ethical conduct involve creating a culture that maximizes an employee's ethical potential. The details will differ from company to company; some will take a more formal approach to training than others. However, at the end of the day, organizations with a strong ethical culture tend to have the following characteristics:

A Sense of Community. Ethics is a natural outgrowth of a healthy work environment where employees have a sense of belonging and are concerned about the well-being of their colleagues, customers, and the organization as a whole. Organizations can foster employee engagement in the workplace and studies have shown that "trust" and "integrity" were key drivers of employee engagement.(6) If employees do not have this emotional or intellectual connection to their work, they are more likely to engage in unethical behavior because they are not constrained by the potential impact of their misconduct on others. To more effectively promote ethical conduct, invest more time in laying the brick and mortar of the corporate community.

A Compelling Vision. Ethical organizations are driven by a common ethical vision that is clear, understandable and viable. Employees need a set of values, with a related body of rules or Code of Ethics, which they can buy into. This vision should appeal to each employee's own sense of reason and moral judgment. It will guide employees in making day-to-day decisions and assist them in managing the conflicting interests of multiple constituencies. Successful organizations earn employees' trust by convincing them that the company's ethical vision will help them to do the right thing and, at the same time, allow them to succeed in the workplace. Since all potential problems cannot be anticipated or prevented by internal policies and procedures, an organization's ethical vision is the best compass for employees to navigate the complex and dynamic corporate landscape. Shared Responsibility. An organization's ethical vision must apply, and be important, to everyone. Although there is no such thing as top-down ethics, leaders have the added responsibility of ensuring that their organization lives up to its ethical vision in everything it does. They must lead by example and be devoted cheerleaders of this vision, regularly and clearly communicating its principles to employees.

Empowered Employees. In order for employees to accept an organization?s ethical vision, they must be trusted to make decisions consistent with the company's Code of Ethics. Leaders must allow for, and entertain, questions and challenges by employees to earn their moral trust. Studies show that ethics systems which are perceived to be just "window dressing" do no good and actually may be harmful.(7) Of course, at every juncture, encourage employees to report possible misconduct and assure them that they will not be subjected to retaliation of any kind. Make such assurances credible with meaningful follow-up with employees who report misconduct.

Integrated Values. Doing the right thing has to be embedded in an organization's DNA through a deep integration of what it says and does. This ethical vision cannot be a remote, abstract thing that sits bound and dusty on a cubicle shelf. It must be a factor as important to daily decision making as other strategic priorities set by senior leadership. Organizations should develop values-based manuals, compensation structures and performance goals that establish and reinforce these principles within the workplace. All employees need to regularly incorporate this vision into their daily activities--everything from hiring to 360 evaluations to promotions to strategic partnerships.

Accountability. Since trust is an important factor in establishing employee engagement, organizations must endeavor to be fair and consistent regarding all ethical matters. Leaders should look for innovative ways to encourage employees to report possible unethical conduct?including public recognition and financial incentives. Organizations should be prepared to investigate, in a timely manner, reports of misconduct. When legal or ethical violations are discovered, violators should be held accountable, regardless of their position in the organization and in a manner consistent with others similarly situated. Any potential benefits for employees that report possible violations should also be dispensed in an equitable fashion.

Transparency. If "sunshine is the best disinfectant," in an organization, more transparency will generate more credibility and trust. To this end, it is critical that organizations communicate more often and more effectively. Too often companies bury in the corporate vault how they dealt with reports of misconduct. This practice significantly undermines employees? confidence in their organization's commitment to ethics, leads to unnecessary whistleblower submissions, and misses a crucial opportunity to stand against and deter misconduct. A key driver of ethical conduct is the perception of what is acceptable behavior--so shaping the normative view of conduct is important to establishing a powerful and lasting ethical culture. One powerful way to establish an organization's commitment to creating an ethical culture (and to earn cooperation credit) is to self-report significant violations to the SEC and other law enforcement organizations.

Ethics Training and Support Programs. Like any other skill set, an employee's ability to make ethical decisions is enhanced with ongoing training and support programs. Beyond avoiding corporate scandals, studies have shown that ethics training can lead to a boost in workforce morale, an increased work ethic, and a higher quality product or service. Savvy organizations make long-term investments in ethics training and support programs. For well-regarded training and other practice resources, consult the Ethics Resource Center or the Ethics and Compliance Officer Association.

Commitment to Continuous Improvement. Ethical organizations continuously seek ways to improve the manner in which they do business. Leaders challenge employees and themselves by asking: What more can be done to empower employees to make good decisions? Do we encourage employees to speak up and out against wrongdoing? Do the businesses we associate with operate with the highest ethical standards? Do we hold individuals and entities accountable when unethical conduct is discovered? What more can we do to protect investors? Equally important, and often overlooked, removing obstacles to desired behaviors--by modifying internal protocols--can be more effective than developing newer and more complex policies and procedures.

Some great examples of innovative and effective initiatives that build upon these common characteristics include:

  • The standards handbook and training programs of the AeroSpace Corporation;

  • Employee empowerment strategies at the Ford Motor Company;

  • The mandatory ethics component in annual performance appraisals at United Technology Corporation;

  • The Talent Sustainability and the "Internal Audit methodology" at the Pepsi Company;

  • The ethical partnership strategies at Starbucks;

  • The Best Buy ethics blog that is open to employees and the public; and

  • The monthly ethical surveys and Tone from the Top strategies at Xerox;

Read up on them. Mirror them. Become a model organization.


Never doubt that 10 years of financial scandals can ignite a crusade. From federal and state law enforcement to potential whistleblowers and the ordinary citizens who are disgusted by the greed and misconduct pervading the commercial marketplace, there are new and formidable armies poised and ready to root out bad behavior. Some are protesting on Wall Street and others are sitting in board rooms or working in offices down the hall. This new reality presents organizations and their leaders with a critical and urgent question: How committed are they to establishing an ethical culture? History will show that, with respect to the whistleblower provisions of Dodd-Frank, Congress and the SEC got it right. The genius of Dodd-Frank is that it recognized that law enforcement authorities cannot effectively and efficiently police the marketplace without the assistance of private individuals and entities. Now, for the first time, individuals have significant protections to come forward and report violations of the federal securities laws. In the coming years, whistleblowers will revolutionize securities enforcement and strengthen investor confidence in our markets. It would not be farfetched to predict that many of the SEC's most significant cases will be the direct result of whistleblowers.

Sophisticated organizations will embrace this change and look for innovative ways to recognize employees for exposing unethical behavior. Since the probability of detection has dramatically increased, legal and compliance officers will now have a compelling argument for increased resources and support in establishing strong ethical cultures and state-of-the-art compliance programs. As a result, their organizations will receive tips that they would not have otherwise received. More securities violations will be detected and stopped earlier. Investors will be protected. And their organizations? Invaluable reputations will be preserved.

Unsophisticated organizations will remain steadfast to a flawed status quo and treat employees who expose unethical behavior as disloyal or opportunistic, a costly mistake that will result in future SEC whistleblower submissions.


1 The Compliance and Ethics Leadership Council Identifies Leading Indicators of Misconduct at Large Organizations (Aug. 8, 2007),

2 Significantly, 46 percent of these employees reported that what they observed could cause a significant loss of public trust if discovered-with that number growing to 60 percent for employees working in the banking and financial services industries.

3 In practice, only 3 percent of reports of misconduct are made to hotline telephone numbers. Ethics Resource Center, 2009 National Business Ethics Survey.

4 Disturbingly, 15 percent of employees who observed and reported misconduct perceived retaliation as a result. Ethics Resource Center, 2009 National Business Ethics Survey.

5 "Managing for Organizational Integrity," Harvard Business Review, L.S. Paine, March-April 1994.

6 Employee Engagement: A Review of Current Research and Its Implications, John Gibbons, The Conference Board, Inc. (November 2006).

7 "Ethical Culture Building: A Modern Business Imperative," Ethics Resource Center (2009).