Ethics Programs: Setting the tone to prevent fraud

In the Association of Certified Fraud Examiners' biannual Report to the Nations (2016), the cases studied indicated that small organizations experienced fraud at a rate of approximately 30%, with a median loss of $150,000. Interestingly, the median loss at small organizations is comparable to that at large multi-national organizations with 10,000+ employees. A key difference between the two ends of the spectrum is how frequently fraud-related internal controls are implemented.

For instance, in small organizations, a Code of Conduct was implemented approximately 54% of the time compared to 91% in larger organizations.

Small business owners, board members of not-for-profit organizations, and senior leadership within small organizations should consider maintaining and monitoring internal control over financial reporting as an essential component of protecting the organization’s assets. This may present challenges because internal control is an area that needs constant monitoring to ensure that the control activities keep pace with the business processes. One method that has proven effective in the cases studied in the Report to the Nations is to establish a Code of Conduct. For small organizations, this can result in the following benefits: demonstrating a commitment to high standards to business partners and stakeholders, assisting the organization in complying with applicable laws, and potentially mitigating governmental fines by demonstrating a good faith effort to prevent illegal acts. A Code of Conduct sets the tone for employees and middle management that senior leadership has a deep commitment to ethical business practices.

Each organization is unique, and the method used to communicate vital information is either formal or informal. The ultimate purpose of developing a Code of Conduct is to nurture an ethical culture. However, just because a Code of Conduct is developed does not mean individuals will magically become ethical. Therefore, it is imperative to take on the task of creating a Code of Conduct while also embedding its ideals into the organization’s culture.

At this point you may be asking yourself, “How do I create an ethics program for my company?” Let us start with a few definitions.


Ethics

The study of right and wrong conduct. Alternately, it can be defined as:

  1. The decisions, choices, and actions (behaviors) we make that reflect and enact our values.
  2. The study of what we understand to be good and right behavior and how people make those judgments (from “What is the Difference Between Ethics, Morals and Values?” Frank Navran).
  3. A set of standards of conduct that guide decisions and actions based on duties derived from core values (from “The Ethics of Non-profit Management,” Stephen D. Potts).

There are many definitions as to what ethics encompasses:

  • The discipline dealing with what is good and bad and with moral duty and obligation;
  • Decisions, choices and actions we make that reflect and enact our values;
  • A set of moral principles or values;
  • A theory or system of moral values; and/or
  • A guiding philosophy.

(From “Creating a Workable Company Code of Conduct,” 2003, Ethics Resource Center)


Compliance

Conforming or adapting one’s actions to another’s wishes, to a rule or to necessity. A compliance code would be intended to meet all legal requirements.

Ethics Risk

Potential for harm to an organization caused by misconduct that goes undetected and persists due to lack of management awareness and action.

Developing an Ethics Program: Risk Assessment

Developing an effective Ethics Program requires that the development team understand the risks that the organization faces. For example, the risks that are present in a manufacturing company are vastly different from those in an insurance company, which are vastly different from what you might see in health care organizations. When performing a risk assessment, an assessor must consider the entire organization and the potential risks applicable to the business line. For instance, commission-based salespeople may be incentivized to close improper sales. Department heads may underreport expenses to meet profitability targets. Human resources may hire unqualified individuals as a favor or out of nepotism. By examining the potential risks, an organization can create a Code of Conduct that mitigates the organization’s key risk factors.

As defined above, ethics involves guidelines that help employees make the right decision, one that is in alignment with the organization’s core values and beliefs. Having a living, breathing document that addresses general scenarios and that employees can refer to may mitigate an employee’s rationalization of an unethical decision.

Developing an Ethics Program: Writing the Policy

After assessing your organization’s risk, it is time to put pen to paper. The goal of the Ethics Program is to:

  • provide a mechanism to prevent, detect and respond to fraud
  • provide a framework for enhancing and monitoring compliance
  • promote an organizational culture that encourages ethical behavior

The Ethics Resource Center recommends the following outline when structuring an ethics policy:

  1. Memorable Title
  2. Leadership letter
  3. Introduction
  4. Core Values of organization
  5. Code provisions – substantive matters
  6. Information and resources

With a formal policy developed, it is important not to let it gather dust on a desk or bookshelf. It should be used and referenced often, in addition to being pulled out annually when an employee “certifies” they have read and understood the entire document. The policy has to become a part of the organization; this can be achieved through effective training and communication. Employees and stakeholders have to be aware of the existence of a formal Code of Conduct and its importance. For instance, the Code of Conduct can be published on the company intranet, provided during the hiring process, or publicized through posters in the break room.

Once the Code of Conduct is in the appropriate hands, constant training needs to occur. A risk that companies often face is that a Code of Conduct is developed but, after the initial publishing, is not revisited until it is too late. Therefore, it is imperative to have a constant dialog surrounding the Code of Conduct; this can take place in departmental meetings, staff meetings, or through company e-mail. In these communications, provide examples of how a stakeholder has implemented the concepts contained in the Code of Conduct. In practice, we are seeing this type of dialog in monthly staffing meetings, where the facilitator of the meeting will recognize an employee who faced an ethical dilemma and was able to use the guidance laid out in the Code of Conduct.

Laying the Foundation

Recently the Committee of Sponsoring Organizations of the Treadway Commission and the Association of Certified Fraud Examiners released the Fraud Risk Management Guide. The guide provides a framework for developing a comprehensive fraud risk management process. Establishing a Code of Conduct is a foundational piece, setting an organization on the path of preventing potential frauds by instilling ethical decisions and business processes into the culture of the organization.

If your organization would like assistance implementing or modifying a Code of Conduct, let us know below.

Travis Jones

Travis Jones is an Accounting and Assurance Senior Manager at BeachFleischman PC. He has planned and conducted several audits, reviews, and compilations for closely held private companies and not-for-profit organizations, as well as benefit plan audits.