Now that the year is winding down, CCOs can reflect on a few compliance trends that emerged over the last 12 months — including ill-advised practices and bad habits that compliance officers would do well to leave behind. Four major trends come to mind.
1. Non-disclosure Agreements That Stifle Awareness of Misconduct
This bad practice was finally forced into the corporate sunlight with the dawn of the #MeToo movement. For too long, corporations had hushed up allegations of sexual misconduct against senior executives and star employees by buying off the accusers under an NDA that kept them from warning others about the wrongdoers.
Well, no more. As one corporation after another sacked executives this year for sexual misconduct allegations — allegations that sometimes went back many years, from many employees — NDAs relating to sexual misconduct came under ferocious criticism. California, New York, and Washington, among many other states, banned such confidentiality clauses. Various companies, including Google and Microsoft, say they will no longer use or enforce them for harassment issues.
Good riddance to bad rubbish. Misconduct NDAs undermine that which ethics and compliance officers should desire most: an ethical corporate culture where employees talk about misconduct. Companies can terminate those clauses with one policy update, and should.
2. Ignoring Vendor Data Security Risk
Every year, more companies allow more third parties access to their confidential data — and far too many don’t have a clue about how much risk they are inviting.
The Ponemon Institute publishes an annual report exploring data security risks with third parties. Consider these stats from its 2018 survey of more than 1,000 security professionals:
- Only 35% of respondents rate their third-party risk management program as highly effective
- Only 34% of respondents say they have a comprehensive inventory of all their third parties
- Only 29% of respondents say a third party would contact them about a data breach
That is not good. Strengthening vendor risk management is not easy, but ignoring the problem will not accomplish anything. Even simple fixes like contract clauses requiring third parties to report a breach of your data are a start.
3. Uniform Due Diligence Reviews
Along similar lines, a stubborn number of companies still apply uniform standards of due diligence to all third parties for anti-corruption. That’s better than no due diligence at all (see data security risks, above), but it still spawns two other headaches. Either you perform too little due diligence on a high-risk party and open the door to misconduct, or you perform too much due diligence on a low-risk party, and waste precious compliance resources.
Neither one does a company any favors. The goal should be a strong, versatile risk assessment process, so that a company has a credible defense should some third party indeed create a misconduct risk that contaminates its reputation.
4. Thinking Only About What’s Legal, Not What’s Ethical
Numerous times in 2018, we saw prominent corporations sharply rebuked in the court of public opinion for transactions that might have been legal, but still didn’t pass the ethical smell test. Outlandish contracts with unqualified consultants; data sharing with shady third parties; bloated executive compensation. We won’t name names here, but examples abound.
Fundamentally, employees and customers are gaining more power to force difficult questions about companies’ ethical principles, and they’re willing to do so. Meanwhile, boards are downright terrified of heightened reputation risk.
That means standing behind the fig leaf of “Well, legally we did nothing wrong!” no longer works. Share prices can still be battered; boycotts can still take flight on social media. Companies must stop relying on what’s legal, and start defining what’s ethical.