The Importance of Compliance and Ethics Programs
Gonzalo J. Guzmán de la Guardia G.
MSc Information Security, Security Director, GRC Consultant, ISMS, BCMS, BCP, DRP, BIA, ENS, GDPR, ISO 27001, ISO 22301, Project Management, Risk Management
INTRODUCTION:
Compliance and a sense of ethics have been an integral part of human life since the beginning of the human race. Whether in the religious or the secular sphere, human behavior has been governed by laws, precepts, codes, and guidelines that direct conduct toward divine or heavenly powers and toward other humans. In either case, the ability to make correct decisions and to adhere to these guidelines, to comply with them or not, already implies an action framed in morals and ethics.
Every society has set limits on individual freedom, establishing laws to regulate behavior. Yet violence, non-compliance, and unethical dealings have been a constant, so it should come as no surprise that in 2020 these human tendencies toward wrongdoing persist. In other words, the human being needs limits within which to move, as we see clearly on a sports field, which is marked out in addition to the rules for playing or competing.
I do not intend to make value judgments, but to show a reality that every day overwhelms companies and commercial relations. In the last decades we have had better laws, better technologies, better controls, and better Compliance and Ethics Programs; however, it has not been possible to reduce or minimize criminal activity, especially the activity that occurs through the direct or indirect action of corporate employees at all levels.
Part of what I will present is the result of my personal experience and of my analysis of recent reports by the Organization for Economic Cooperation and Development (OECD), the G20, and audit and consulting firms, used as a factual base from which to draw an indication of corporate behavior.
1. WHAT IS IT?
A Compliance and Ethics Program is made up of a series of Principles, Norms, and Procedures aimed at defining the behavior of the most important component of a corporation's capital, its Human Resources, within a framework of principles and values: Honesty, Ethics, Compliance, Commitment, and Respect for the Owners, Shareholders, Employees at all levels, interested persons, and directly and indirectly related parties, and especially respect for the Legal Regulations, general and specific, of the country where the company operates.
The validity, implementation, measurement, and evaluation of Compliance and Ethics Programs allow a company to show Society, and the community or business guild to which it belongs, its level of health in all Administrative, Operational, Financial, Labor, Commercial, and Image aspects. In recent years this has been defined as Corporate Governance, and the intention is that every company or corporation, regardless of its size, can show behavior that follows the guidelines established internationally through the OECD, with the laws of each country as the formal legal framework for conducting its business.
2. WHAT DOES IT CONSIST OF?
Compliance and Ethics Programs are the hinge between Corporate Governance and the company's activities. Through these programs, the intention is to regulate the behavior of the governing and administrative bodies of the company (Shareholders, the Board of Directors, Senior Management), as well as that of employees and of third parties related to the company.
This is achieved through the definition of Policies, Norms, and Procedures, which follow the Principles of the OECD and the legal regulations adopted by each country to define trade relations under a legal framework of transparency, the pillar of modern globalized commercial relations between countries.
3. WHAT IS IT FOR?
The purpose of Compliance Programs can be grouped into the following objectives:
a) Regulate the power relations between the Owners, Shareholders, Board of Directors, Senior Management, and Administrative Council.
b) Regulate the relations between these internal bodies and interested persons such as employees, suppliers, customers, and the general public.
c) Define, implement, and develop the Control Structures for compliance with Policies, Norms, and Procedures; the Information Management structures that maintain the integrity, availability, and certainty of information; and the structures for Prediction, Prevention, Detection, Investigation, and Continuous Improvement.
d) Provide a mechanism to measure the corporate health of the company, the quality of its Corporate Governance, and the level of commitment and ethics of interested persons inside and outside the company.
e) Measure the company's capacity to face the different attacks that occur against it, whether by internal or external attackers or a combination of both: to detect them, mitigate them, analyze which internal processes failed, and implement the mechanisms needed to recover losses and restore affected operations.
f) Integrate the different Internal Security, Human Resources, Corporate Investigations, Compliance, and Anti-Money Laundering and Counter-Terrorism Financing units.
g) Define the activities inside and outside the company by setting their limits: the Rules and Procedures that govern them, against which compliance verifications (audits, reviews, and periodic exercises) are carried out, individually or corporately, for each interested person inside and outside the company; and the basis for determining the infractions committed (Corporate Compliance Investigations), independently of any Criminal Investigations carried out in the cases established by the same Compliance Program and by the laws of each country.
4. WHAT IS THE FORMAL BASIS?
Since the creation of the world, man has received a moral law, ratified on Mount Sinai (around 1447 BC) when Moses received the Decalogue, the Ten Commandments, from the hands of God himself. Similarly ancient are the Code of Hammurabi of Mesopotamia (around 1750 BC), the Code of Ur-Nammu, King of Ur (around the 21st century BC), the Laws of Eshnunna (around the 20th century BC), and the Code of Lipit-Ishtar of Isin (around the 19th century BC); the Islamic world is governed by the norms contained in the Koran (compiled around 650-656 AD). Throughout history, the human being has contended with divine and human laws, fulfilling them or not, doing what is right or wrong.
In the first half of the 20th century, after the Great Depression, which began in October 1929, the Government of the United States, as well as European governments, had to make a series of adjustments to the economy, especially in the financial sector, owing to the cascading bankruptcy of banking institutions, defining new regulatory frameworks and separating financial activities from other activities.
Several decades after World War II, the concept of Corporate Governance began to be defined in Europe, the United States, Canada, and Australia, driven by the need of minority shareholders for information about the management of their investments within companies. This led large shareholders to give more openness to information and to bring greater and better professionalism to administration, especially in transparency, a trend that led to what came to be called Best Corporate Practices.
ENRON (October 2001), WORLDCOM - MCI (June 2002), and TYCO (June 2002) were corporate fraud cases that led the United States Government to issue strict legal regulations, the Sarbanes-Oxley Act of 2002, holding executives accountable for financial manipulation within their companies. In these cases the fraudulent accounting movements went undetected by both Internal and External Audit.
The OECD had already issued its "Principles of Corporate Governance" in 1999; the revision of 2004 followed these scandals. These Principles define the basic concepts that shape Corporate Governance and have been adopted by member countries, by countries in the process of becoming members, and by many companies.
In the most recent revision, published in 2015 together with the countries that make up the G20, the OECD expanded its Principles and presents them in six chapters:
i) Ensuring the basis for an effective corporate governance framework:
The corporate governance framework should promote transparent and fair markets and the efficient allocation of resources. It should be consistent with the rule of law and support effective supervision and enforcement.
ii) The rights and equitable treatment of shareholders and key ownership functions:
The corporate governance framework should protect and facilitate the exercise of shareholders' rights and ensure the equitable treatment of all shareholders, including minority and foreign shareholders. All shareholders should have the opportunity to obtain effective redress for violation of their rights.
iii) Institutional investors, stock markets, and other intermediaries:
The corporate governance framework should provide sound incentives throughout the investment chain and provide for stock markets to function in a way that contributes to good corporate governance.
iv) The role of stakeholders in corporate governance:
The corporate governance framework should recognize the rights of stakeholders established by law or through mutual agreements and encourage active cooperation between corporations and stakeholders in creating wealth, jobs, and the sustainability of financially sound enterprises.
v) Disclosure and transparency:
The corporate governance framework should ensure that timely and accurate disclosure is made on all material matters regarding the corporation, including the financial situation, performance, ownership, and governance of the company.
vi) The responsibilities of the Board of Directors:
The corporate governance framework should ensure the strategic guidance of the company, the effective monitoring of management by the Board, and the Board's accountability to the company and the shareholders.
This last chapter defines in greater detail the actions of the Board of Directors, specifically to "...Review and guide corporate strategy, major action plans, risk management strategies and procedures, annual budgets, and business plans; set targets for results; monitor the execution and compliance of the company...". These functions, and others also described there, allow the elaboration of Compliance and Ethics Plans through which the adaptation, implementation, revision, and continuous improvement of the Principles can be carried out in a practical way within the dynamics of the company.
For more information on the OECD Principles see the following link: G20/OECD Principles of Corporate Governance https://www.oecd-ilibrary.org/governance/g20-oecd-principles-of-corporate-governance-2015_9789264236882-en
5. WHAT SHOULD WE EVALUATE?
We must keep in mind the experience accumulated over many centuries of economic history, and especially the successive and recent operations used to defraud shareholders, investors, and the employees of the companies mentioned above and of others around the world. Nor can we leave aside the Internal Audit or Control areas and the External Audit firms that had a relationship with these companies and that, in our opinion, had the opportunity to detect these fraudulent operations.
We consider the following aspects that each company must initially evaluate:
a) The time elapsed between the execution of an incident and its detection;
b) The percentage of incidents in which it was possible to identify the attacker;
c) How each incident was detected: Internal Control, Security and/or Compliance Units, internal whistleblowing mechanisms, or other means;
d) For each incident, whether it is possible to determine the impact of the incident and/or attack, in tangible values (money), in intangibles that can be valued, and in intangibles that are difficult to value;
e) In what proportion employees have been involved in the incidents that have occurred, and at what level of the structure these employees sit;
f) Whether there are mechanisms for education, prevention, prediction, detection, containment, mitigation, and penalties for incidents or attacks originating inside or outside the company;
g) Whether Risk Management is adequately carried out in all Business Units, clearly defining risks such as parallel internal structures with their own profits hidden within improperly recorded earnings, Internal Corruption, Internal Fraud, Fraud against Clients, Fraud by Suppliers and associates, Theft of Information, Embezzlement of Assets, Cyber Attacks, and Theft and robbery of merchandise;
h) Whether the Compliance and Ethics Program is reviewed, evaluated, updated, tested, and measured for its inclusion within the Culture of the Company, especially within the Culture of Good Governance or Corporate Governance, and for the participation and commitment of each employee;
i) Whether the Internal Units dedicated to Risk Management processes, such as Internal Security, Occupational Safety, Compliance, Anti-Money Laundering, Internal Audit, External Audit, and External Legal Advisors, actually work together;
j) Whether the employees in charge of the Compliance, Corporate Investigation, and Compliance Measurement Units (for each employee and each Business Unit) are duly prepared. Highly trained personnel will increasingly be required, not only from a theoretical point of view but with experience in Process Analysis, Corporate Investigations, Criminal Investigations, Internal Control, and knowledge of the Regulations that affect Corporate Activities, duly supported by the different Business Units;
k) The level of Compliance and Ethics of employees within each activity carried out by the Business Units: individually, at the level of each Business Unit, and across the Business as a whole;
l) Whether there are parallel structures within the company that generate profits for their own interests, and whether there are groups with an interest in covering up the results of operations in order to obtain results-based benefits.
6. WHAT CAN WE ACHIEVE?
In surveys carried out by firms such as PwC and KPMG in External Audit, and by Kroll in Consulting, the reports of the last two years emphasize the importance of having Internal Controls and of developing a Culture of Ethics, which together make it difficult to commit fraud within companies.
The primary purpose of Compliance Programs, as the main element of Corporate Governance, is to achieve a climate in which Principles and Values are the norm, protecting not only shareholders but also the employees themselves. Beyond the documentary formalization of employees' commitment to compliance, the aim is that in reality events and incidents are minimized, with a tendency not to occur at all, or at least that their impacts can be controlled and minimized.
As long as incidents occur in which employees and/or interested persons such as suppliers and associates take part, the Compliance Programs are not working properly. It is very likely that these persons have signed documents committing themselves to the ethical principles and Codes of Conduct defined in the Compliance Programs, and yet maintain an attitude and activity outside the Internal Standards, taking advantage of the gaps in those standards. I would dare to say, from my experience, that in some cases those in charge of the Control Units are not capable of detecting the improper operations, and in other cases they are part of those operations and help to hide or disguise them.
In the same way, we must achieve, through Compliance and Ethics Programs, that company losses are not caused by improper or illegal conduct of employees or interested persons, or by undetected gaps in processes, or by third parties, for example cyber-attacks facilitated by weaknesses in applications contracted to third parties or developed internally without due verification. Gaps identified by employees themselves and used to obtain individual benefits are often well hidden behind technicalities, which makes them hard to identify. In the end, the losses that remain must be those arising from incidents not due to lack of Ethics, embezzlement, or mismanagement of the company's assets and resources.
7. WHAT SHOULD WE PROJECT IN THE FUTURE?
a) A well-defined, clear, and transparent image of the level of Ethics of the Owners, Shareholders, Directors, Employees, Suppliers, Clients, interested persons, and the General Public.
b) This image of Ethics must be present in each process and each product, whether a good or a service. Although the company is an intangible entity managed by people, the name of the company must be safeguarded within the Ethics and Compliance framework of its internal processes and of the external Standards.
c) The projection of the company should not be mere compliance with the Norms and Laws of a country while its internal processes are riddled with corruption and unethical behavior, as reflected in the level of internal incidents that affect the assets of the company, of its owners and shareholders, of its employees and clients, and of interested persons and the general public. We see this dichotomy in the information that can be obtained from the companies themselves, whether or not it is reported to the authorities: in the operating-loss sections of their accounts, in the insurance policies contracted to cover employee infidelity, and in the number of incidents detected by internal or external Control and Audit Units. The incidents exist and they damage the image of the company. The goal is that after each review period, detection is equal to zero, that is, no gaps or deviations in the processes are detected or evidenced.
d) The ability to present the company as an entity governed by a Culture of Ethics and Compliance, so that despite the existence of people and organizations willing to obtain benefits by attacking the company, searching for gaps in its systems, and corrupting its employees, the strength of its systems and the anti-corruption culture of its employees hinder those attempts, whether internal or external. In other words, a safe and reliable corporation.
e) Additionally, the ability to show, objectively and tangibly, through scientific and systematic methods, the levels of Ethics and compliance of each Shareholder, Manager, Employee, Supplier, and directly related party, individually and collectively within the Business Unit processes. If this practice were carried out in all companies, comparisons between companies could be established; in other words, a Certification of Ethics and Compliance could be obtained.
8. WHO SHOULD USE IT?
A good Compliance and Ethics Program must be an integral part of the actions of each individual and of the family, which is the basis of Society and the framework of interpersonal relationships, from simple business dealings to compliance with the laws of each country. In short, it is the individual's own conduct, carried into the company, that makes compliance with regulations inside companies real and not just a checkmark on a to-do list.
In other words, compliance starts from the attitude of the individual, which is then projected into the company, and not from an obligation imposed on employees in order to work in a company or organization.
Just as the concept of the "Internet of Things" was introduced for the new era of interaction between things and people through technology, under a human-thing interface, to achieve a better life, I believe we must introduce a new concept that allows us to refocus the actions of individuals, companies, and institutions, governmental or not, which I would call "Ethics on Things" (EoT). It is a concept that I will develop in another document, but essentially it would consist of placing Ethics within the DNA of the actions we carry out, as the linking element in the chain, a kind of hydrogen bond that holds together the basis of our actions, and of reconsidering the codes, precepts, and laws discussed above. "Ethics on Things" would be the active expression of the Good Morals, Values, and Principles that are needed today.
Companies must use Compliance and Ethics Programs under the criterion that their most important resource is the people who make them up, who use their services, and who consume their products. It is toward those people that efforts must be directed so that Ethics becomes the central axis of the Business culture, framed in processes of Control, Review, Improvement, and Training that lead to compliance with its precepts, turning each employee into a Controller of his or her own actions, who reviews, improves, and grows them within the company and reinforces his or her ethical conduct.
If people are not taken into account, a Compliance Program will not work; companies and institutions without people would not work either, nor would the economy. Through Compliance Programs, the improper actions of people must be corrected by affirming the culture of Ethics, in other words, by implementing and continually improving Training: training aimed at the Culture of "Ethics on Things".
9. WHAT SHOULD WE DO AS AN INDIVIDUAL?
Begin to review our actions and frame them within what is correct and transparent, reinforce our principles and values of righteousness, and modify those actions that separate us from those principles, promote corruption, and divert us from compliance.
We must transfer and project this attitude into the institutions in which we participate as individuals, and become a truly good worker and a truly good citizen.
10. WHAT SHOULD WE DO AS A CORPORATION?
a) Evaluate the Compliance and Ethics Program and adapt it to the realities of the company and its internal and external environments.
b) Develop and implement a Selection and Hiring Program for the right people, not only in terms of professional preparation (theoretical and practical) but also in terms of their ethical values, principles, and honesty. If you already have such a program, review it against this objective.
c) Develop a Compliance and Ethics Certification Program for employees and vendors and/or suppliers that measures the level of honesty at the start of the relationship, with annual, semi-annual, or quarterly reviews, or as many as necessary depending on the activities these people carry out within the Business Units. Through such a program, you can anticipate the tendency of people to deviate from their principles, and foresee the actions of attackers: the preparatory actions of suppliers that create well-hidden gaps which can be activated at a given moment, and even the placement of people with a specific objective who would be activated at a given time. This Program would support the Selection and Hiring Program.
d) Develop and implement a Program for the review, analysis, and adoption of the local and international Laws and Norms that govern the activities of the company, including those that lead to certifications and the Regulations issued on specific activities (for example those related to Information Security, such as the GDPR, which establishes large fines for lack of diligence).
e) Develop and implement a Risk Analysis Program that incorporates, among the risks and their threats, those related to the actions of employees at all levels, based not only on the company's own experience but also on the experience of other companies in the same field and in other sectors. This program must include the threats that would arise when a given risk materializes, foreseen or not, whose origin is within the company itself. The program must be reviewed every six months, and the Prediction, Prevention, Containment, and Recovery actions must be updated, tested, and improved at least twice a year.
f) Develop and implement a Training Program focused on assessing the soundness of Good Principles and Ethical Values. If the Certification Program has been implemented, it can identify the most exposed areas, the employees most exposed to corruption, and the areas that must be reinforced.
g) Develop and implement a more detailed review program for the internal processes of the business units, beyond the existing internal review and control programs. In an initial phase, it would be based on the information that must already exist on irregular, abnormal, or deviant situations; this implies forming a work team that reviews the operations in each process, which will guarantee the discovery of gaps and responsibilities and the implementation of the required improvements. In a second phase, the reviews would be based on the risk analyses, on information received about irregular operations in other companies, and on the results obtained from the Certification Program. In a third phase, the group would review the information generated by External Audit, Fraud Consulting, Compliance, and Security firms that share the results of incident-impact surveys. This task is similar to the one companies must carry out to review cyber-attacks occurring outside the company and to propose changes and adjustments to the protection processes of their information systems. I define the phases in sequence; the company must decide whether to carry them out in that order or in parallel. Lack of Ethics affects all processes.
h) Define within the Business Plans and their respective budgets the investments necessary so that the Compliance Programs produce real benefits, not only financial ones but, most importantly, benefits in the internal environment: an excellent working climate and a real barrier against any attack.
I suggest reviewing my LinkedIn post "The Importance of Security in the Economy", where I outline how investing in Security is very profitable and protects any investment. https://www.dhirubhai.net/pulse/importance-security-economy-gonzalo-j-guzm%C3%A1n-de-la-guardia-g-/?published=t
11. CONCLUSION: DOES IT REALLY WORK?
Consider Compliance and Ethics Programs within the framework defined as Corporate Governance. Consider them an essential part of Business Strategy. Consider them the tangible expression of the company's Vision and Mission. Consider them the delineator of the personal behavior of those whose lives revolve around the company, and the transmission belt for that behavior inward and outward. Consider them the essential elements of Control, Prevention, and Protection of the Company. Consider them the best investment the company can make. If companies take all of the above into account, we conclude that Compliance and Ethics Programs will really work.
12. COMMENTS, SUGGESTIONS, AND MORE INFORMATION:
Do not hesitate to contact us through our email [email protected]