I'VE LONG HEARD it said in public-safety circles that if a broken window in a building is left unrepaired, the rest of the windows will soon be broken as well. In other words, neglect is a signal that no one cares and will ultimately only invite more disorder.
Case in point: Remember during the early '90s when Rudy Giuliani was able to celebrate a significant reduction in crime in New York City? Putting to the test a theory of "order maintenance" that had driven scores of smaller community policing efforts for nearly two decades, Giuliani sent a message loud and clear that even seemingly innocuous misdeeds would not go unpunished. He showed New York that its police force was never too busy fighting "real crime" to ignore toll jumpers, pickpockets or graffiti artists.
I'm sure the notion of order maintenance could apply to the way we police our businesses. But instead of broken glass or graffiti, our private-sector indicators are unclear expectations, a lack of accountability and a willingness to simply look the other way. Yet shareholder and employee "residents" have the right to expect a safe, predictable environment that malfeasance and poor ethical hygiene sometimes threaten.
Imagine, if you will, a particularly talented software engineer engaged in a high-visibility project that has CEO interest and strong financial support. A routine audit of his travel reveals several months of false expense claims involving entertaining fellow employees at bars and adult clubs. For fear of derailing the project, his manager tells audit, "it has been taken care of," and merely scolds the employee. Or what if an investigation confirms a clear case of embezzlement by a high-level finance employee who eventually admits to years of theft involving a half million dollars. Management declines to prosecute to avoid adverse press and merely fires the employee after partial restitution. The employee is hired by another company in a similar position shortly thereafter.
What's the big deal, you ask? These aren't instances of great corporate crime or front-page scandal. Neither the shareholders nor the company's standing in the market has been damaged much. In larger companies especially, the damage is lost in the rounding. Has anyone really been hurt?
How many names do you want? How 'bout we start with the savings-and-loan fiasco? I could get specific and remind you about Adelphia, Barings Bank, Drexel-Burnham Lambert, Enron, Global Crossing, Tyco and WorldCom. In the past two decades, US businesses have been involved in numerous scandals and high-level wrongdoings. And those are only the most recent examples. At first glance, you might think they were fat cats playing it fast and furious with the books — that their problems weren't caused by trivial matters. Kind of like comparing a bank robbery with stealing books from the library, right?
Well, don't kid yourself. These stories of shame started with broken windows, and that's why these big companies are in trouble today.
Getting Skin in the GameNow, I believe that there's no greater risk than that of the knowledgeable, empowered insider. Still we tolerate our minimally communicated business conduct policies, little or no background vetting, a standards-absent virtual office, and a passion for outsourcing our most sensitive business processes to companies (in countries) we know precious little about and that have no clue or buy-in to our notion of corporate integrity.
Since the implications of shareholder and public perception of corporate ethical lapses are increasingly obvious, reputational risk is front and centre on the minds of many directors and nervous shareholders. State and federal legislation followed up by criminal and regulatory sanctions have incrementally raised the bar on consequences. Capital markets, shareholders and the public are rightfully demanding accountability.
Board members, directors and some corporate officers apparently are responding to the increased limelight and potential for personal liability with a harder line on assurances that the organisations they serve have safeguards and controls in place that will identify prospective problems. Previously held norms of corporate governance are being tested for adequacy to their shareholders. Corporate ethics and a culture of doing the right thing are very much "in" topics. Investor confidence, already hammered by a significant downturn in the economy, now wonders aloud how to vet trust in a company's integrity in addition to its financial opportunity.
One way to do that is to have a comprehensive security program, grounded in accepted policy, visibly supported by senior management and led by a highly competent CSO who is connected to the business by effective relationship management. Within that charter is a clear mandate to manage a system of controls and safeguards that measurably contribute to the ethical hygiene of the organisation.
The chief security officer can be a key player in the corporate governance team and in the reputational risk management of the organisation. But how do we build the program to make that connection? The devil is in the details.
Let's assume you and I are on a team to review and recommend a business conduct policy framework for our organisation. We've been asked to build the framework within an established set of corporate values that has integrity as its centrepiece. The chairman and the board have made it clear that we are an ethical company where our shareholders and employees can be assured that we will do "the right thing."
Having been on that team, I'll tell you that you don't start by thinking about felonies and misdemeanours. You don't ask the difference between naughty misconduct and outright bad behaviour. At its core, it's about good hygiene and individual accountability. Companies are selective in deciding what is right or wrong. If a top executive pads his expenses once in a while, it might be overlooked, but if a temporary employee or some hourly worker did it, I bet she'd be gonzo in a heartbeat.
Yet it shouldn't be about big shots and blue collars, plaques on the wall and speeches about values. It's about a culture where accountability for doing the right thing is the way things are done. Period.
Of course, it makes a great sound bite, and it's easy to say. But it's very, very difficult to implement.
To make integrity a cornerstone of a company's culture, you need to make a clear business case. That starts with a commonsense acceptance that, without the trust of the shareholder, the customer and the employee, there is no business. In other words, trust has an economic — as well as an altruistic — value.
Who Ya Gonna Call?Ultimately, who is responsible for setting the standard of ethical behaviour? For looking for the broken panes in the various corporate windows?
First and foremost, of course, are the board and CEO, who together set the tone and reinforce the values at every opportunity. They demonstrate the commitment to integrity in daily business conduct. The policy infrastructure becomes a constant reference point for business conduct.
My company has more than 30 core business conduct policies published on its intranet and scores of related, more technical policies within various elements of the company. A critical element in the program is a module in the various manager training and development programs.
The local business executive, preferably the first-line manager, is also paid to know the neighbourhood and work the streets. He becomes the agent of the culture and the behaviour model. Show me a manager who demonstrates the wrong values and I will guarantee his work group has other problems that would interest security and others.
After the first-line manager comes a team of governance, oversight and administrative resources — security, audit, ethics, compliance, legal, human resources, finance and others who are in unique positions to see anomalies, failures or flaws in controls, lessons from various incidents, opportunities for improvement and feedback to management.
Once employees see management's commitment to a system of processes, procedures and safeguards that assure their concerns will be protected, you'll start to see order restored. Security, legal and HR departments are keys to that element of the integrity infrastructure.
Once you connect the dots, you start to realise that it isn't that you have a bad guy in production, it's that he has a bad manager who set a bad behaviour standard that created a problem in the first place.
And it doesn't stop there. Why didn't that manager's manager realise the emerging issue? Where was human resources in the exit interviews, in the daily interactions? What about the internal audits? After a significant internal incident, when you peel the layers back, you find evidence everywhere. The postmortem has to find the root causes so that you're not destined to repeat those mistakes.
If the CSO has unique linkages to his governance peers and proper access to the top, he can put the disparate pieces from the multidepartmental findings together and end up with a picture of internal risk dynamics that's not available elsewhere. You might say that CSOs have the means to eliminate plausible denial.
Effectively connected CSOs have a bird's-eye view of those and other disparate pieces of data on corporate hygiene. They connect the dots that others don't even see. As such, they are critical to corporate integrity. CEOs and other senior executives need to make room for this perspective if they hope to positively affect corporate strategy.
This column is written anonymously by a real CSO at a major US corporation.