By: Kathleen Edmond
Most companies have a plan for disaster recovery of IT, real estate and data – but what happens when you must respond to allegations of a violation of customer trust or compliance? Does your organization know:
* What steps to take?
* Who needs to be involved in the decisions?
* When to notify the Board?
* Who will conduct the investigation?
* How transparent you will be with shareholders? Employees? The media?
While the facts of the incident will vary, the need to respond quickly― and thoughtfully―is a given. To make that response effective, an organization must understand the key steps it needs to take after a serious compliance breach, as well as the most important issues it must consider. Only then can compliance officers and others charged with compliance responsibilities create an effective, executable plan for recovering from major ethics and compliance lapses, breaches and disasters.
An Ounce of Prevention . . .
For anyone with compliance responsibilities, all efforts focused on establishing effective compliance control and education systems are the best foundation to any disaster recovery plan. These efforts can not only help prevent compliance disasters before they occur, they also serve to establish the best possible environment for managing recovery efforts should a compliance breach actually happen.
A good pre-event compliance environment exists when those charged with compliance responsibilities do the following before anything goes wrong:
* Understand the business
* Understand their organization’s culture and risk tolerance
* Learn how corporate culture is sustained, mended, repaired, rebuilt
* Arrange for regular assessment of ethics and compliance programs
* Set the tone for difficult discussions now
* Don’t appear only with bad news. Learn to strike a balance between “Chicken Little” and smoothing things over prematurely
* If action is needed, be thoughtful, balanced and ready with a possible solution
* Learn to facilitate difficult discussions with respect and persistence
* Create a learning organization
* Work through discomfort and angst in discussing previous or smaller missteps and mistakes
* Consider establishing criteria and forums for examining ethics failures
And do not overlook the essential part pre-existing relationships between individuals in the organization can play. Understand who from the C-Suite, HR and the rest of the organization will play a critical role when compliance issues arise and then cultivate a solid working relationship with all of them. Avoid personal relationships or feelings that might interfere with your judgment or objectivity. Though it can sometimes add extra stress, also remember to keep your detractors close and involved.
Choose Your Poison
Perhaps the most important part of compliance disaster planning is setting an intention for how to respond to a crisis before one occurs. While the some of the choices below look less than wise, they often get made when the organization waits until something goes wrong to ask how it will handle a compliance breach. Instead, ask now if a serious compliance breach occurs, whether your organization wants to:
* Execute a pre-determined plan?
* Wait and react to specific facts?
* Put on the blinders?
* Go forward and don’t look back?
Establishing an agreed-upon response will help create a framework and boundaries for what to do if a compliance breach actually happens.
The Event: Uh-Oh, What Now?
Because organizations are made up of people, and people engage in the full spectrum of human conduct, compliance and ethics breaches will still happen despite organizational compliance best efforts. When a major breach occurs, an effective and timely recovery can be best achieved by addressing issues related to any needed investigations, remediation and rebuilding of culture. Issues to consider include:
* Have you previously vetted/engaged an independent investigator?
* Do you have established criteria to determine when the investigation is conducted in house?
* Which department should be overseeing the investigation?
* Who will coordinate interested internal departments and communications?
* Do established escalation criteria exist to guide informing the Board?
* Who in the organization owns the job of remediation?
* Did any existing ethics and compliance controls work as they should have?
* Were there earlier red flags that were addressed or ignored?
* If disciplinary action is required based on personal behavior, who should have a voice in the outcome?
* Does a need exist to assure non-retaliation toward the whistleblower or witnesses?
* How much has trust been damaged?
* Does the organization need to design specific efforts to re-engage employees in the organization’s values?
* Who are the various culture stakeholders? Who of them should lead, follow or partner in the process to engage with employees?
Post-Event Transparency: How Much is Right?
Finding the right amount of post-event transparency after an ethics or compliance breach presents deeply challenging issues. Is complete transparency simply too risky? Will keeping an event need-to-know only get in the way of critical learning opportunities? Or should all events be embraced for what they can teach?
The topic is controversial, and reasonable minds disagree, especially because no single answer can cover every organization, culture or occurrence. Finding the right level of transparency requires an understanding of the specific culture of your organization along with consideration of involved constituent expectations― and demands.
Factors to consider when deciding what amount of post-event transparency fits for you organization include:
* Risk tolerance
* How public was the event?
* How much review is good?
* When does review cease to add value?
If you are the one making the ultimate decision about the appropriate amount of transparency, base that decision on pre-event patterns and shared values. Then, if the decision you have made about transparency faces resistance, be prepared to discuss pros and cons, time frame and purpose. And remember: it never hurts to prepare a Plan B to leverage learning and close out the event.
Compliance disasters come fraught with heightened emotion and organizational risk. As a compliance professional, if you don’t actively participate in the conversation about what to do if and when a disaster happens, that conversation will happen somewhere without you. Or worse – or it may not happen at all.
Kathleen Edmond has spent the majority of her legal career in corporate ethics and compliance. As Chief Ethics Officer for a Fortune 100 company from 2004-2014, she built and subsequently led the company’s Ethics Office. Ms. Edmond is probably best known for her leading-edge communications initiatives in creating a connected, ethical culture within the organization that supported business strategy, vendor integrity, and customer engagement. She has won national awards for her innovative and exemplary leadership in her field, and her original use of social media in furthering a transparent, ethical business operation, is groundbreaking. Ms. Edmond’s current role is Partner at Robins Kaplan LLP and was most recently honored with the 2015 Lifetime Achievement Award from Women in Compliance in London.
Prior to practicing law, Ms. Edmond earned a Master’s of Business Administration with a concentration in Business Ethics, from the University of St. Thomas, and a Masters in Social Work from the University of Minnesota. Over the course of her career she has worked with a wide range of clients representing industries ranging from retail, healthcare, professional sports, and insurance, to nonprofit, public institutions.