Is your company prepared to face the emerging compliance challenges of 2018? As the pace of globalization quickens and its reach broadens, business opportunities abound, but so do the risks of doing business in this brave new world. In 2018, companies face compliance challenges both old and new. Whistleblowers are newly emboldened and reporting misdeeds in record numbers. Employees are speaking up in the face of workplace injustice, violence, harassment, corruption, and cyber-breaches. Companies must respond to this trend by setting up systems and procedures to manage the groundswell of accusations, ensuring employees have enough faith in the processes to come forward without fearing retaliation. This requires companies to have robust compliance programs in place to respond to the chorus of discontent without delay. Their brand survival depends on it.
On December 2, 2015, 14 people were killed in a mass shooting at the San Bernardino County Department of Public Health training event by a male employee. A few years later in April of 2018, a woman opened fire at YouTube headquarters injuring three people and killing herself. These weren’t the first mass shootings in the workplace and tragically won’t be the last. Homicide is the fourth-leading cause of fatal occupational injuries in the U.S. Nearly two million American workers report having been victims of workplace violence each year and many more cases go unreported.
How can companies mitigate workplace violence hazards? In most workplaces, the risk of assault can be minimized if employers encourage a zero-tolerance policy toward violence. A well-crafted workplace violence prevention program with controls and training can reduce the incidence of workplace violence. Workers must know the policy, understand the warning signs and how to report incidents, and trust that all claims of workplace violence will be promptly investigated and remedied.
Cyber-insecurity plagues companies on a global scale. In 2016 there were more than 1,200 data breaches and over 1.1 billion exposed identities. The following year, Equifax, a credit agency, suffered a breach widely considered to be one of the worst in modern history. Cyberattacks will continue unabated despite best efforts to prevent them. Companies must prepare to respond swiftly to these sophisticated attacks. Leaders should take into account both the cost of breaches and the loss of customer trust. These breaches can damage company reputations and lead to tens of millions in remediation and legal costs. The Equifax breach spawned lawsuits in more than 100 courts across the U.S., many citing the company’s slow response in reporting the breach.
Companies should use the latest security technologies to protect themselves from new threats as users transfer sensitive content over mobile voice, messaging apps, and collaboration tools like Skype, WebEx, and GoToMeeting. Attackers constantly devise new ways to breach companies, and these tools top their hit list. Other strategies for bolstering cyber-security include establishing cyber-risk management requirements for third-party vendors, a major source of cyber-attacks, and sharing information from cyber-breaches with external entities.
General Data Protection Regulation (GDPR)
When the EU’s General Data Protection Regulation (GDPR) goes into effect in May, companies that fail to report breaches involving personal data will be fined up to 4 percent of global annual revenue or €10 million, whichever is higher. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union. Organizations interfacing with EU citizens must comply or face fines. An Ernst & Young poll indicates that only 33 percent of affected companies have an established plan for GDPR compliance.
Bribery and Corruption
The Kroll Report, a global fraud and risk report, found that as compliance professionals focus on cyber-security and regulation, bribery and corruption are still widespread. Companies conducting business internationally must bolster their anti-bribery and anti-corruption initiatives, especially when doing business in areas prone to corruption. In 2016, the International Organization for Standardization (ISO) released standards designed to assist organizations in preventing and detecting bribery. The standard, which can be stand-alone or integrated into a management system, is an important benchmark for assessing and managing anti-bribery and corruption systems.
Another risk topping the list of compliance risks for 2018 is sexual harassment in the workplace. Long down-played or ignored, the issue is finally getting the attention it deserves. A Washington Post poll indicates that 47 million women in the U.S. have either been sexually harassed or sexually abused at work. Sexual harassment cases can cost businesses millions in settling with victims and damage to the company brand. Given the prominence of the #MeToo movement in the media, management must set the correct tone at the top and create a culture where reports of harassment are taken seriously.
Even though the media has primarily focused on the high-profile sexual harassment cases, companies in most industries face the same issues. Before the issue rose to prominence, sexual harassment was tolerated, especially in cases of high-performing employees and people in high-level positions. According to Cheryl Yeoh, Founding CEO of the Malaysian Global Innovation and Creativity Centre, “When an incident is reported, HR almost always starts from a place of disbelief. They request evidence and ask for proof. But if HR is investigating a sexual harassment case within the company, it is their duty as HR to protect their employees. That is the sentiment that has to shift.”
A zero-tolerance policy establishes that no matter who the grievance is against, companies must take immediate action. The policy should cascade down from upper-level management to all levels in the organization. Training and education on sexual harassment policy must ensure employees know how to identify, respond to, and report the misconduct.
Mitigating Risks through Compliance Initiatives
How can companies plan for so many risks? Simply conveying the rules and regulations to employees is not enough. Compliance initiatives that are mere facades rarely succeed. Examining the problems and designing programs and policies with a deep understanding of the root causes shifts mindsets and changes behaviors. Unethical, discriminatory, and negligent behaviors may arise from rare bad actors, but they more often stem from a lack of empathy and understanding.
Gartner research discovered that what distinguishes a strong corporate culture from an anemic one is climate—the procedures employees must follow and the messages conveyed about the behaviors that are valued and rewarded. Sixty-nine percent of employees in strong climates report trust in their colleagues, as opposed to an average of 25 percent among all employees. People working in strong climates are much less likely to observe misconduct. Gartner found that a majority of employees work in organizations with weak climates.
Your organization can’t build a robust climate if employees only understand how to avoid misconduct. In other words, knowing what’s considered bad behavior doesn’t necessarily translate into good behavior. It’s also important to consider that compliance isn’t a one-time thing. Compliance awareness training should be conducted throughout the year with ongoing refreshers and awareness campaigns.
To build a strong culture of compliance, you must do several things:
- Demonstrate good behaviors to employees and enable them to practice the behaviors. Sharing stories of employees doing the right thing encourages positive behavior and incentivizes employees to emulate the behavior.
- Reward positive behavior while also disciplining bad behavior.
- Establish a speak-up culture in which employees feel comfortable speaking up about everything from sexual harassment to unethical behavior. In such a culture, employees will report internally first, giving companies the chance to resolve issues before they result in damage to their brands.
- Ensure managers model ethical behavior. Words and deeds must be consistent; if behavior doesn’t match the message, it will speak more loudly than words.
- Measure the effectiveness of compliance programs. If programs aren’t measured, companies will simply guess at the effectiveness with no feedback mechanism for improvement.
Compliance threats have never been so widespread and varied, but the good news is that this has generated countless effective solutions that mitigate threats and risks. Climates with zero-tolerance policies and speak-up cultures allow for issues to surface quickly, enabling the compliance system that’s in place to address and mitigate threats to the company’s culture and ultimately to the brand.
By Jim Bachert (Director, Compliance Learning, Interactive Services)