Many Chief Ethics and Compliance Officers (CECOs) fail to recognize that preventative efforts aren't enough to protect an organization from an ethics breach incident. Since breaches will eventually occur at some point in the organization's life, it's important that CECOs have a post-breach action plan. This will allow the organization not only to manage the breach itself, but also to rebuild corporate culture and maintain appropriate levels of organizational transparency.
The importance of a pre-defined strategy
Having a pre-defined strategy will help your organization be prepared when an ethics breach occurs. A set plan will provide your company with guidelines on steps to be taken to handle the incident post-event in a focused and organized manner. By not exploring pre-breach activities, you are placing your company at greater risk of poor decision-making.
CECOs must also address, before a breach occurs, what needs to happen post-event. The two critical elements to be considered are establishing training programs and controls. The CECO's level of engagement and involvement in recovering from an organizational breach will ultimately determine how effectively the organization can move forward. There are also five pre-breach considerations that determine how well an organization recovers from an ethics breach.
Five Pre-Breach Steps to Recovery
- Find ways to communicate good and bad news within your organization so members of your organization do not flinch when they spot the CECO coming into the office. Share your behind-the-scenes work by demonstrating ways your organization is adopting ethics and compliance best practices.
- Involve yourself in essential operating discussions to ensure better crisis resolution and working relationships. Also familiarize yourself with the company's corporate culture to better understand business needs and risk tolerance.
- If everything reaches the top, nothing looks important. Establish a default escalation process to remind the board and executives that you are following a set plan when a breach occurs.
- Set the tone for challenging conversations early on and learn to facilitate discussions with persistence and respect. Make sure that you are seen as level-headed and capable of remaining calm in heated discussions.
- Create a learning organization by introducing ethics & failure forums. Without a conversation about what went wrong, you're unlikely to determine the root cause and learn from the mistake.
It is crucial that the CECO is aware when an ethics breach occurs, takes immediate action and learns from the organization's mistakes. The post-breach period should be a time for the CECO to consider if current processes or controls were violated, whether or not the incident warrants an independent review, and if there were any overlooked red flags.
The following key components should be considered for your post-breach action plan:
- The CECO must make every effort to be transparent internally after an incident, within the boundaries of what is reasonable to the organization's industry. In order to help re-establish trust and build confidence within the organization, CECOs must communicate internally before the news reaches the public. This ensures breaches can be seen as shared learning opportunities, even if the event is very public. Also establish standards for post-event transparency for all incidents, regardless of the level of severity. This ensures transparency after larger incidents follows naturally.
- When a breach occurs it is crucial that you decide whether the investigation should be conducted in-house or vended out. Finding and vetting someone after an event has occurred is time-consuming. It's worth working with someone who has previously been your vetted investigator. Inside counsel can be beneficial to the organization's management team since counsel can keep the investigator informed. However, counsel must remain removed from the investigation to avoid anyone questioning the independence of the investigation.
- Set departmental roles to ensure the incident will be contained in a timely manner both internally (cultural recovery) and externally (brand management). CECOs must meet with communications, legal, human resources and any other departments that may be involved in post-breach recovery.
- While corporate culture often falls in the realm of human resources, ethics culture is solidly in the CECO's realm. If the ethics and compliance culture has been harmed due to an ethics breach, it's the CECO's responsibility to re-engage employees in the company's values. Specific re-engagement efforts should be established to ensure managers are able to overcome their employees' feelings of embarrassment, shame and mistrust, as well as rebuild the organization's culture.