Non-compliant, unethical, irresponsible and illegal behaviours all pose significant financial, operational and reputational risks to companies. Fraud alone is reported to cost over 5% of revenue; there are regular examples of hefty fines being imposed for anti-competitive activity; and many companies face legal proceedings relating to harassment or discriminatory behaviour. As well as the legal threat, there is also an increasing focus on companies playing a larger global role in helping to create sustainable societies through the fight against corruption, condemnation of human rights abuse and preservation of the environment.
But decisions are often not so straightforward. Every day, managers are faced with situations that require judgement. Their ability to use judgement and make sound decisions that protect reputation and are in the long-term interests of the company depends on their level of risk awareness, the local business climate, their personal motivation and the prevailing culture.
Directors in the UK have legal duties to “conduct a review of the effectiveness of the group's system of internal control” yet few directors can be completely confident in managers' judgement, or the reliability of control systems. To be effective, risk control systems must be proactive, preventative and must extend beyond the audit of financial systems and controls.
We complement traditional risk and compliance management by understanding the prevailing compliance culture and by evaluating the behavioural elements that influence it. Specifically we seek to answer the questions posed to directors under the Combined Code of Governance Guidelines of 2005:
Do the company's culture, code of conduct, human resource policies and performance reward systems support the business objectives and risk management and internal control system?
Does senior management demonstrate, through its actions as well as its policies, the necessary commitment to competence, integrity and fostering a climate of trust within the company?
Are authority, responsibility and accountability defined clearly such that decisions are made and actions taken by the appropriate people? Are the decisions and actions of different parts of the company appropriately co-ordinated?
We offer a range of services to help directors and executives fulfil their duties by providing independent opinion and advice to strengthen the effectiveness of compliance management.
Development and Communication of Policies
It is acknowledged best practice that company codes and policies are:
periodically revised and adapted to cater for changes in legislation and the business environment (normally on a 3-yearly cycle)
communicated as part of a carefully-planned communications programme
supported by on-line and face-to-face training
monitored for all of the above
We have extensive experience of writing, revising and communicating codes and policies to reach global audiences. Our approach is consultative, building an internal (and sometimes external) consensus for both content and the preferred means of communication. We work with internal communications to develop an effective roll-out programme that includes both the immediate and longer-term monitoring of understanding and buy-in. There is significant value in using a launch or re-launch as a platform to develop a deeper understanding, and we also support roll-out with a range of training material, sourced from a library of practical case studies and dilemmas.
Review Of Compliance Culture
In its 2007 global Economic Crime Survey, PwC identified corporate culture as equally important as systems and controls in preventing fraud. Given its importance to compliance, how are directors measuring and monitoring the company culture to ensure that the right tone is being communicated, and that employees are aligned with it?
The Cultural Review supplements internal system-based risk management tools by evaluating the prevailing organisational culture, opinions and attitudes of employees in order to identify potential high risk areas. The review also identifies positive drivers for responsible behaviour and highlights areas of best practice that can be disseminated.
The outputs are designed to:
fulfil the Internal Environment component of an integrated Enterprise Risk Management programme
feed into the overall processes for risk identification to help focus compliance activities
form part of the annual review of internal controls, required of directors
Confidential Reporting Channels
An effective confidential reporting channel is essential to any compliance programme, acting as a deterrent and raising issues that would otherwise pass under the radar. A recent KPMG survey reports that 25% of fraud discoveries are made as a direct result of confidential reporting.
Where effective confidential channels are in place, an average of 2% of employees will use them each year, i.e. 500 reported incidents per year for a company with 25,000 employees. Yet many companies receive far fewer reports than the average, often none at all. Is this a sign of a highly compliant culture, or indicative of a culture of complacency or fear? The answer to this question is pivotal for directors, for if the confidential reporting channel is not working it is highly likely that significant risks may go undetected.
Best practice channels contain the following elements:
a clear message from senior management that encourages an open culture and that guarantees reporting employees confidentiality and protection
provision of reporting mechanisms that are accessible and trusted by employees
regular and active reinforcement of messages and procedures
extension of channels to business partners
a central database for capturing and tracking all reported issues
clear procedures for raising concerns, handling reported concerns, carrying out investigations and for feedback to the reporting employee
adaptation of processes and communications to local differences in legislation and culture
periodic monitoring of the overall effectiveness of the reporting process
We recommend that the effectiveness of Confidential Reporting Channels be externally reviewed every 3 or 4 years under conditions that ensure employee confidentiality. Our assurance service provides valuable feedback to directors and compliance teams on the following questions:
are channels accessible and adequately communicated?
are they generating the right information?
what messages are being received from senior management?
would reporters use the channels provided? What would they use them for, and when might they not use them?
are alternative, informal channels being used instead?
what is the level of trust in channels to secure confidentiality?
what is the level of trust in investigations? Do employees believe that their issue will be dealt with?
what is the level of training and capability of people receiving and investigating reported issues?
are the confidential reporting mechanisms compliant with local legislation?
Case Studies and Training Materials
We have a library of case studies and training materials, drawn from real life and adapted to suit different functions, grades and situations. We also offer a more complex and detailed set of dilemmas for compliance professionals and senior manager training.
Dilemmas Exercise (example)