An ethics breach can be difficult to bounce back from, but is much less so when Chief Ethics and Compliance Officers (CECOs) have taken the time to establish relationships and put a worst-case-scenario plan on paper before a breach ever occurs.
Kathleen Edmond, partner at Robins Kaplan LLP, and The Network’s own Vice President of Training & Communications, Julie Moriarty, discussed in a webinar earlier this year what a CECO should do in the aftermath of an organizational ethics breach. Kathleen built and ran Best Buy’s Ethics Office from 2004-2014, and is known for her groundbreaking initiatives in using communication and social media to create connected, ethical cultures.
In Part 1 of this series, we laid out the expected responsibilities of the CECO beyond prevention that make recovery and rebuilding after an ethics breach less difficult. Part 1 also includes Kathleen’s suggestions for a few boxes CECOs should check off while planning a map of post-breach actions, but before such an event occurs, to help strengthen relationships and establish trust.
Here is Kathleen’s plan for actions to take after an ethics breach, and how to build a stronger program.
Post-Breach Action Steps
Step 1: Investigation
After the event itself occurs, attention is turned away from prevention and towards recovery. The first, and somewhat obvious, step to take after an organizational ethics breach is to begin an investigation. Unfortunately, the simplicity stops here. There are a lot of decisions to be made concerning the investigation. Will you investigate in-house or leverage outside counsel? Do you have a standard process for inside investigations? Do you need an independent investigator? Do you have someone previously vetted on speed dial? Can you use regular outside counsel, or will they lack the ability to remain impartial? Which department should oversee the investigation? When do you inform the board?
Make Your Decision Tree Ahead of Time
As the questions begin streaming in, causing stress and confusion to skyrocket, it’s important to remember to simply follow the standard investigation process. The answers to these questions are dependent upon many factors, making decisions unique to each event. Relying on previously established criteria for making the decisions can bring a little clarity amidst all the confusion. For example, escalation criteria can help in deciding when to inform the Board. Establishing a short list of criteria pre-breach for determining who should investigate and who should oversee (was an officer involved? is it in the newspapers yet?) is crucial.
CECOs are responsible for communication throughout the process, especially with interested internal departments like PR and HR. Talking about the problem with employees is important. Kathleen noted, from experience, that when people within the organization are left uninformed, they start to fill in the blanks themselves – usually assuming the worst. The CECO is the facilitator in the process of investigation. As decisions are made, make sure they are adhered to; in other words pick a seat, and then sit in it.
Step 2: Remediation
Questions surround the topic of remediation. People disagree on the CECO’s role in this process. CECO involvement varies by organization and can depend on the event and its circumstances. The extent of CECO involvement could be assessing whether or not the ethics and compliance program’s controls worked properly and answering questions. In some situations, an independent review may be necessary.
When disciplinary action is needed, the CECO role is questioned yet again. Some argue that CECOs should have a voice in the decision because it’s an ethics violation, while others argue that remediation is HR’s responsibility. CECOs can moderate the process to ensure it’s being conducted ethically – for example, making sure that whistleblowers and witnesses don’t experience retaliation, or making sure officers and high-performing employees don’t receive a punishment lighter than what company policy dictates. These are all decisions that need to be made before facing a breach, when you’d be forced to make them out of necessity, and likely in a state of panic. Decide who will bear responsibility now to avoid making a harried decision later.
Another decision needs to be made regarding when remediation begins. Some question whether remediation should begin before the investigation is closed. Kathleen advocated beginning remediation as soon as the issue arises, remembering that the goal is to remediate, not to cover up. She noted it is important to document what remedial steps are taken. Whether you begin remediation upon learning of the issues or after completing the investigation, make sure the process is understood up front, so you don’t waste critical time making that decision when time is of the essence.
Step 3: Rebuilding Culture
A major organizational ethics breach can break down the culture the CECO worked so hard to build. Employees may lose trust in the company’s ethics program and question company values. Rebuilding culture is a daunting task that requires specific effort.
Teamwork Makes the Dream Work
HR, PR, the CEO and the CECO should all participate in establishing and rebuilding culture. Some believe that culture is under HR’s purview, but considering that the breach, for purposes of our discussion, was related to ethics, CECOs should have some part in the process of rebuilding. The role varies by organization and by circumstance; the CECO can be a leader, partner or follower in the effort. Regardless of what role the CECO will play, it is important that roles are clarified from the start so everyone knows where to focus their efforts.
An imperative part of this process is re-engaging the employees in the company’s values. Trust is likely to be damaged, especially for employees who were close to the epicenter of the event. How can they trust the ethics program and each other again? Questions will rise; a huge part of a CECO’s job following an ethics breach is listening. A lot of time should be spent meeting with employees, hearing out questions and concerns and meeting with managers.
Step 4: Post-Breach Transparency
CECOs should expect an increasing demand for transparency both pre- and post-event. Is post-event transparency too risky? Should the event be viewed as a critical learning opportunity? The topic is extremely controversial. Both sides of the debate have valid, logical arguments.
It’s Just a Matter of Time
Some organizations will, by nature, be forced into more transparency. Highly regulated industries, such as food service and manufacturing and finance, are more obligated to be transparent after an ethics breach. Lack of knowledge can also influence the decision regarding post-event transparency; it’s hard to be open and answer customers’ questions when the company can’t yet answer its own.
To successfully rebuild the culture, transparency will ultimately be a must. The real question is not a matter of if the organization should be transparent, but how transparent the company should be. The answer will depend on what works best for your organization based on various factors.
Step 5: Deciding What Fits Your Organization
Recovery from an ethics breach is not a one-size-fits-all program. The organization’s risk-tolerance and the publicity of the event are major factors in the CECO’s decisions.
Getting Back on the Horse
At some point, the CECO has to decide when enough is enough. While you wouldn’t want to spend too little effort and time on it- the breach presents a valuable learning opportunity which should be seized before it gets away, too much of a good thing can become a bad thing. After reviewing the event over and over for an extended period of time, eventually the review will no longer add value. No one should live in the past. At that point, everyone needs to move on.
Not everyone will agree with the CECO, and the CECO won’t always have the final say. CECOs should base their decisions on pre-event patterns and shared values, but be prepared to meet opposition: be at the ready with pros and cons, a timeframe and a purpose. Genuinely try to understand and evaluate others’ points of view, and see if their solutions can be incorporated into your decisions.
Kathleen urges CECOs not to disregard the opinions of those who resist and oppose the their decisions. Opposing opinions are a valuable resource – two people with the same opinion have the same “gaps,” as Kathleen calls them. Combining differing opinions can combine strengths and eliminate weaknesses. She also recommends keeping a Plan B in mind – Plan A loses sometimes.
Kathleen’s Closing Thoughts: Talk About It
Kathleen offered a recommendation to keep in mind when recovering from a breach – “If you don’t actively participate in the conversation, it will happen somewhere without you – or it may not happen at all.”
It can be awkward and uncomfortable to talk about mistakes at first, especially if the pattern of doing so isn’t established pre-event. Nonetheless, it’s something a CECO must be able to do well.
To get Kathleen’s tips for building a culture before an ethics breach is even on the radar, read Part 1 of this blog series.
To hear more anecdotes about her time at Best Buy to get some specific examples of challenges Kathleen had to learn from, you can download Kathleen’s slides and the recording of the webinar here.
This post was contributed by our Research Intern, Kendrick Addaman.
Share Your Thoughts With Us
What is your organization’s ethics breach plan? What potential challenges do you foresee with laying out a plan and learning from your mistakes? You can join the conversation by commenting on the blog or messaging us on JDSupra.