ETHICS AND INTEGRATED ASSURANCE: THE CHALLENGE OF BUILDING ‘TRUST’

BY KLAUS MOOSMAYER, NOVARTIS

For many years, corporations (both private and state owned) have struggled to build long-lasting trust with society. Next to general scepticism of globalisation, and generation and distribution of profit, there is the perception that corporations lack ethical standards or are unable to consistently adhere to them.

Corporations are perceived from the outside as ‘monolithic’, but in fact consist of a group of diverse human beings working under a common brand. As an integral part of society, corporations must acknowledge the constant tension between the human element and unified corporate behaviour. This means that building trust will always be a challenge – but that is no excuse to avoid addressing the root causes of corporate misbehaviour.

So, how can leaders best prepare their corporations to maintain compliance with laws and regulations, and manage reputational risks in areas of concern to society?

The answer, especially for multinationals in recent decades, has primarily focused on building a compliance programme around the three pillars of preventing, detecting and responding to misconduct. These programmes were typically implemented in regulated areas with a higher risk of significant fines, loss of business licence or debarment. Examples include anti-bribery, antitrust, anti-money laundering, health, safety, the environment and, more recently, data privacy compliance. In some corporations, implementation followed a thoughtful risk assessment process; in others, it happened reactively, driven by a public scandal or a major investigation by enforcement authorities.

In the event of a major compliance crisis, there is no remedy other than to quickly build a compliance programme to tackle detected deficiencies, including a solid control system. As an analogy, when you suffer a severe road accident, you need immediate intensive care. But what comes afterwards? Is the corporation committed to investigate deeper into why the ‘accident’ happened and whether existing compliance measures are sustainable and effective over the long term?

Recent decades have seen massive investments into compliance programmes, the creation of a compliance advisory industry, an abundance of guidance papers on how to build and maintain an effective compliance programme and development of audit standards. Yet corporations are still struggling to meet the growing expectations of regulators and other stakeholders. An example is the enactment of laws on how to conduct due diligence across corporate supply chains, including a broad range of human rights and environmental, social and governance (ESG) standards.

A traditional compliance organisation that focuses primarily on topics such as anti-bribery compliance will be unable to cover such a broad spectrum of risk areas or create the necessary process and systems. Firefighting one problem also carries the danger of creating a siloed compliance approach that could miss related risks. If a company’s system for third party anti-bribery due diligence is not effective, it is hard to believe it will work any better for human rights, quality, trade sanctions or cyber security, for example.

A new organisational model

To address this complex situation, a small number of corporations have combined ethics, enterprise risk management and compliance into one function. The aim is to get the often isolated and fragmented risk and compliance functions out of their organisational and process silos, thereby providing executive management and supervisory boards with an integrated solution for how to address and manage regulatory and reputational risks across the enterprise.

To ensure this approach has an impact across all business units and functions, the board of directors needs to take the initiative and ensure that the function is empowered and sufficiently resourced. As a member of the executive leadership team, the function head should attend all relevant board sessions, especially of the audit, compliance and (if separate) risk committees.

Another prerequisite is organisational separation from the legal department. Its role and responsibility as legal adviser to and defender of the corporation is distinct from an ethics, risk and compliance function that addresses and manages regulatory and reputational risk.

As the Office of Inspector General of the US Department of Health and Human Services recommended as part of its seven elements of an effective compliance programme, “the compliance officer should not lead or report to the entity’s legal or financial functions, and should not provide the entity with legal or financial advice or supervise anyone who does. The compliance officer should report directly to the CEO or the board”.

This is even more relevant in the case of a comprehensive ethics, risk and compliance function that goes beyond a ‘traditional’ compliance setup. Indeed, what we are talking about here is an ‘integrated assurance’ concept.

The concept of integrated assurance

Assurance is often used too narrowly in the context of audit and accounting. Integrated assurance means a comprehensive and consistent taxonomy and accountability across the four dimensions of governance, risk management, compliance and internal controls. This is because these four areas are interconnected. Good governance sets the framework for an integrated enterprise risk management, which educates an effective risk-based compliance programme based on internal controls with clear accountability.

Governance provides assurance that accountability within the enterprise is clearly defined and that policies, controls and technology are well structured and linked.

Risk management provides assurance that organisational risks are being identified and managed effectively, and that a crisis and business continuity system is in place.

Compliance provides assurance that the organisation is complying with relevant laws, regulations and policies by applying a comprehensive ‘prevent, detect, respond’ approach to all compliance risks.

Lastly, internal controls provide assurance that an organisation’s internal controls are effective within the risk and compliance framework.

Collaborating with the internal audit function is key to achieving a joint taxonomy and root cause analysis to enable management to exercise its duties and to keep the board informed to maintain proper oversight. Leveraging insights from data analytics, increasing efficiency out of centralised monitoring, audits and remediation, and a continually screening new assurance topics (especially regarding evolving ESG regulations) are essential elements of an agile, developing assurance system.

The ethical component of integrated assurance

It is important to note that the success and impact of such a function depends on much more than solid organisational and process setup. It also requires courage to address ethical challenges and dilemmas with the humility to acknowledge that no single function within a corporation ‘owns’ ethics. It is the courage to take up the role of a ‘catalyst’ to foster an environment that supports doing what is right, based on principled decision making and behavioural science rather than too much control or regulation.

Bringing ‘assurance’ into the context of ‘ethics’ makes it clear that this is not a mechanical operational excellence exercise, but a focus on company culture and societal expectations. For example, the responsible use of artificial intelligence requires both ethical standards and a solid risk and compliance framework.

Additionally, during these times of change and disruption, the need for reliable, consistent and clear ethical principles as part of crisis response and business continuity management is imperative. Having an ethics and integrated assurance framework in place helps corporations to respond quickly and responsibly to a crisis, based on pre-defined principles and clear accountability. For example, when corporations engage in humanitarian support or make donations, speed is of the essence.But even the best intentions may be tainted down the line if fraud or corruption is detected.

Conclusion

When designed and implemented correctly, with support from senior management and the board, an ethics, risk and compliance function can drive an integrated assurance system that removes siloes in governance, risk management, compliance and internal controls, without creating unnecessary bureaucracy.

This function can also foster a cultural mindset within the enterprise that encourages discussion of ethical dilemmas in a structured way. Ethical dilemmas are part and parcel of every business, and are often complex. It is the duty of leadership to support their employees in knowing how to behave ethically.

The concept of ethics and integrated assurance’ does not provide insurance against every setback, challenge or crisis that a corporation may face. But it does have the potential to make corporations far more resilient in dealing with adversity and building trusting relationships.

Apr-Jun 2024 Issue

Klaus Moosmayer | Executive Committee Member & Chief Ethics Risk and Compliance Officer, Novartis