It’s All About Behaviour: How boards are tackling behaviour and ethics
With the support of
We know that our members, particularly those at board level, understand that an ethical culture is essential for protecting reputation, recruiting and keeping good staff, and long term business success. They know that good ethics is good for business. Boards want their companies to behave ethically. Given the importance, it is surprising that there is little research into what they actually do to ascertain whether or not they have the ethical culture they desire. It is worth remembering that the UK Corporate Governance Code preface says that corporate governance is about what the board of a company does and how it sets the values of the company. The first supporting principle of the Code says the board should set the company’s values and standards. ACCA has long held that boards should explain, as part of their governance report, how they ensure that they, and their staff, live up to the values they set. This study is one of the first to shine a light on this issue, and we warmly support its publication. It shows that while most boards are thinking about ethics and culture, there are relatively few who take active steps to assess their company’s ethical health or ensure the desired values are maintained and that behaviour is consistent with these values. Good governance is so much more about ensuring the right behaviour than about compliance, and we know one can comply with the letter of a requirement but not its spirit. There is clearly more that could, and probably should, be done. We hope this study will encourage boards to consider if they want to do more to ensure they have the right culture. Assessing culture is not easy. Relatively few have experience of it and there is little in the way of good practice to follow. We would be delighted if this study generates active debate and provides a catalyst to developing experience and good practice. ACCA will certainly be playing its part in those discussions. 
Paul Moxey, Head of Corporate Governance and Risk Management
It is always heartening to read that boards are starting to realise how important ethics and culture is in their organisation, and to discuss these matters together as part of their oversight of their company. The most important question that a board can ask is “Are we living up to our values?” If they can be assured that the answer is yes, then they can feel confident that their company is protected against the financial and reputational risks which can destroy a company. This excellent and timely report from Independent Audit offers some insight into the ways boards are tackling ethics and offers some guidance for boards in making sure they have appropriate oversight of the issues. But it also offers a stark statistic, that only three in ten companies offer ethics training for their directors. It is in setting the tone of the organisation that directors can have the most impact on the ethical culture of their company. Members of the board must behave with integrity if they wish their executives and employees to do the same. And if they hope to lead an ethical organisation, they should consider the ethical aspects of the corporate strategy they set and what dilemmas it may create for staff.
Philippa Foster Back OBE, Director, Institute of Business Ethics
IT’S ALL ABOUT BEHAVIOUR: what’s inside
It’s easy to agree behaviour is important but it’s a lot trickier to pin down. We’re hoping that this report will do more than provide insight into what boards are doing to get comfort on behaviour, attitudes and ethics in their organisations. We also hope it will help boards and management think through:
• Why do we need to shed light on behaviour?
• What do we need to do to get some assurance on it?
• What can help us get there?
Contents
• Behaviour Matters
• What boards are doing: a summary of the survey results
• What a board can do
• Getting Comfort: Ten Golden Rules
• Indicators of Behaviour
• What boards are doing: the survey results in more detail
• Appendix: survey approach
Acknowledgements
We’d like to thank:
• All the respondents to the survey for their thoughts and time
• Carmen Carmona of the London School of Economics who undertook the survey and quantitative analysis
• ACCA for their generous support and deep interest in raising the profile of the “behaviour question”
• The Institute of Business Ethics for their thoughts on the questions to be asked, their comments and, more generally, their long-standing and energetic commitment to promoting sound corporate ethics.
© Independent Audit Limited 2011
BEHAVIOUR MATTERS
Boards should be making sure that employee behaviour and attitudes are what they think they are – and what they want them to be. Corporate strategy won’t work if corporate behaviour isn’t aligned with it. It’s inseparable from good risk management, and from any other aspect of good management. Neglect of behavioural issues – which include attitudes, ethics and culture – can all too easily damage both reputation and share value.
“The behaviour and ethics of any organisation, however large or small, are the two defining characteristics, obvious to all the key stakeholders: shareholders, customers, managers & staff, and regulators. A clear understanding by the Board of the true position in these key areas is critical both to their successful leadership and long-term sustainability.”
Rodney Baker-Bates, Chairman, Stobart Group plc
A consensus on the importance of attitudes is starting to emerge, due partly to a financial crisis that to a great extent grew out of inappropriate cultures and behaviour. Hard-nosed senior directors and executives interviewed for our 2009 survey [1] about risk governance surprised us by immediately connecting risk to culture and values. By the time we’d finished it was those few who didn’t who stood out as glaring exceptions. Getting a picture of how people actually think and behave helps resolve that age-old conundrum: ‘how to know what you don’t yet know about’. If the board can be confident that behaviours are right, there’s far less chance of being hit by an unforeseen crisis. But what are boards actually doing about it? Do they give behaviour enough time and a clear enough focus? This survey reports what’s going on in 46 FTSE 350 companies [2]. The results provide detailed insights into current practice plus a firm foundation from which directors can think through what they should be doing.
The picture is not altogether reassuring. While boards are starting to look more seriously at corporate behaviour, many of them deal with it in passing rather than subjecting it to structured and rigorous enquiry. In all too many cases “behaviour” barely makes its way onto board agendas. It’s easy to understand why boards haven’t gone further; we all find it easier to get assurance about processes than about attitudes. But many directors and senior managers are telling us that behaviour and ethics are at the heart of good risk management. It follows that every effort needs to be made to overcome the practical challenges and ensure that behaviours support sound risk taking instead of creating unwanted exposures. So we thought it would be helpful to go beyond the survey findings and set out what boards could actually do to strengthen their confidence in the organisation’s behaviour. As well as conclusions from our study the following pages set out:
• What boards can do: a list of practical steps to take and attitudes to adopt
• Getting comfort: how boards can learn more about behaviour in the business, and use that knowledge to strengthen risk management
• Indicators: some examples of KPIs that help build a picture.
“I have all the usual ways of knowing if my systems and controls are working well. But, in addition, I need to know that they’re underpinned by a solid control culture. People have got to know why controls are important for business performance, and that this comes down to their personal responsibility and attitude. Management has to set clear standards and expectations about how our people must behave towards each other and how they work, and how they interact with people outside. And we have to live to these standards, not just talk about them.”
Nick Luff, Finance Director, Centrica plc
[1] Getting It Right: A report by Independent Audit Limited on risk governance in non-financial services companies (The ICAEW Foundation, October 2009) www.independentaudit.com/publications
[2] See Appendix for a description of the approach.
WHAT BOARDS ARE DOING: a summary of the survey results
The good news: boards are starting to look more seriously at corporate culture and whether their organisations have the right ethics. A quarter of boards have specifically discussed the values, ethics and behaviours they expect, rising to 40% when committee-level discussions are included. Add in “discussed but not as a specific item” and the level of discussion shoots up to near 90%.
Chart: The values, ethics and behaviour which the board expects to be maintained. In the last year the Board has discussed this...
• Fully as a specific item on the Board agenda: 24%
• Fully in committee but not by the full Board: 16%
• Covered but not as a specific item: 48%
• As a procedural item for approval only: 8%
• Other: 4%
And while “behaviour and ethics” may not be appearing as a specific item on agendas, it does look to be an active component of board discussions. But the picture looks less reassuring when you consider what a majority of boards are actually doing. While there is extensive awareness and plenty of general discussion, it is short on discipline. And the approach to assurance is lacking in structure too. Few boards get down to the nitty gritty of standards and programmes. Fewer than half tackle the subject specifically – even at committee level. Behavioural and ethical issues are far more likely to get picked up in general discussion rather than focused deliberation.
For instance, you’d expect the Code of Conduct to be discussed seriously by the board. After all, it’s the starting point for setting the tone and a framework for expected behaviour. But this often gets left to the audit committee – there are few ethics committees – or it isn’t discussed as a defined issue at all. Very few boards give any close consideration as to how the Code of Conduct is communicated, let alone to the directors’ role in ensuring effective communication.
Boards discuss behavioural risks and recognise the need for oversight. But it’s not clear how they get a clear view of the nature and source of those risks... Yes, most boards talk about the ethical dilemmas their employees might face. But only a quarter do so in a formal and focussed way. Even fewer consider employee feedback on behavioural issues and challenges. Moreover…
...the financial crisis might have put bonuses in the headlines, but boards aren’t spending much time thinking about how reward systems shape corporate behaviour…
...nor do they take much account of signals from external stakeholders on corporate behaviour and ethics…
...and few adopt a structured approach to ethical due diligence for M&As or joint ventures.
It’s not that boards don’t talk about the need for standards and assurance about behaviour. It’s just that too many of them stop right there… Discussion on how to get assurance usually only happens at the committee level and (from what we see in practice) tends to be brief even there.
Reports on speak-up lines play an important part, as do independent reporting lines. But even though many boards say they rely on internal audit, the internal auditors themselves paint a contrasting picture about the extent to which they are asked to provide assurance in this area. They’re seldom asked to give a view on the prevailing culture and only half have been asked to report on compliance with the Code of Conduct or ethics programme. See the chart overleaf. Only 8% of boards make serious time to discuss ethical training.
Chart: The ethics training programme for employees. In the last year the Board has discussed this...
• Fully as a specific item on the Board agenda: 8%
• Fully in committee but not by the full Board: 32%
• Covered but not as a specific item: 28%
• As a procedural item for approval only: 8%
• Not at all: 16%
• Other: 8%
Actual results from assurance programmes are seldom considered by the full board. This matters: attitudes and behaviour affect strategic performance and risks – they are not just a risk management and control issue. Only a minority of boards receive regular reports on serious lapses in compliance or ethical behaviour. Only a handful discuss how training programmes can help embed expected standards. And few at the top themselves take part in training in ethics and behaviour. Less than a quarter of boards schedule time to ask whether ethics programmes are actually working.
Chart: The effectiveness of the ethics programme and the need for any changes. In the last year the Board has discussed this...
• Formally: 23%
• Informally: 35%
• Not at all: 33%
• Other: 9%
Boards are missing out on a range of other indicators:
...there’s only patchy use of self-certification…
...scant attention is paid to “people-based” indicators such as staff surveys and exit interviews…
...little attempt is made to draw on customer and supplier surveys for insights into corporate attitudes…
...and few boards develop KPIs in order to provide a rolling view of behaviour and culture.
And there’s a heavy reliance on conventional sources of assurance. Directors tend to rely on their contact with management.
Chart: To what extent has internal audit been asked to provide assurance to the Board on the following? (Fully / Informal discussion)
• Compliance with ethical standards and Code of Conduct: 38% / 19%
• The way in which the ethics and values, which the Board expects to be maintained throughout the organisation, are being upheld in practice: 24% / 24%
• Implementation of the programme for communicating the ethics policy to employees: 14% / 14%
• The level of take-up of the ethics training programme for employees: 5% / 14%
• The content of external communication about the organisation’s approach to upholding its ethical standards and policies: 5% / 14%
WHAT A BOARD CAN DO
This outline may give some ideas and provide an approach for the board to work within.
1 Understand why behaviour matters
• Ask whether existing attitudes are what you need to succeed
• Consider how undesirable attitudes could cause damage
• Agree on why and how behaviour and culture need to fit into the board agenda
2 Set out what’s expected
• Give behavioural issues a regular slot on the agenda
• Review programme objectives at full board level
• Mandate ongoing further work at committee level, including oversight of effectiveness
3 Communicate expectations
• Ask management to prepare a communications plan
• Refine and agree the plan and oversee its implementation
• Get regular feedback from employees on what it means to them
4 Ensure standards are embedded
• Study, and if need be reform, management and staff training
• Look at how management are involved and are setting an example
• Adapt to the challenges of communicating in different cultures and languages
5 Identify key influences
• Consider how reward mechanisms might influence behaviour
• Look at how the board and top management set the tone and shape behaviour
• Assess how growth, change and uncertainty impact culture
6 Conduct regular assessments
• Develop regular reporting on staff attitudes and behaviour
• Establish KPIs to track performance
• Find out how management informs itself about staff attitudes and breaches of standards
7 Get assurance
• Monitor the assurance programme and be prepared to change focus over time
• Use a wide range of indicators to assess behaviour
• Ensure significant lapses in behaviour are reported to the board, along with examples of the good as well
8 Set an example
• Senior managers and directors take part in training and periodic refresher courses
• Publicise board support and involvement in the programme
• Highlight cases of employees “doing the right thing”
GETTING COMFORT: Ten Golden Rules
Even executives find it difficult to get a handle on attitudes and behaviour. It’s trickier still for non-executive directors who have only limited contact with the organisation and can sometimes end up seeing what people want them to see rather than acquiring genuine insight. And, of course, behaviour isn’t easy to measure, monitor or evaluate. Who can be surprised that this is an issue which makes directors and senior management feel uncomfortable? But all is not lost: it just needs a bit of a different approach. A well-structured assurance programme will provide a more reliable picture and improve the quality, even if a certain fuzziness is bound to remain. Boards can acquire a significant degree of comfort over ethics and behaviour. This makes for stronger oversight of risk taking and risk management, and reduces the danger of being hit by an “unknown” coming around the corner.
Here are ten “golden rules” for boards and for the internal audit (or other independent) function that is likely to do the detailed work on their behalf. It’s not like a conventional assurance programme with rigorous evidence-based assessment against set standards, policies and rules – and this can make the assessors uncomfortable, as well as the Board. It’s more a question of building a picture of attitudes and behaviour which, when put together, provides indications of the state of play and, hopefully, comfort in a tricky area.
“Integrity is one of our core values and as the CEO I consider it my responsibility to ensure we are building a culture of trust with all of our stakeholders. We communicate openly and transparently across the organisation and have a very clear and easily accessible code of ethics, a whistleblowers’ helpline and I am accessible by totally confidential email 24/7. 93% of employees participated in our employee survey and I received over 2600 comments and suggestions – it’s clear that our Trust Agenda is very important to them. Our Board receive regular and timely updates from myself and the Head of Audit on any issues that occur, as well as seeing the detailed feedback from our employees through the survey. Our Board members also have an active programme of site visits and dinners and visit unaccompanied by any of the Executive Directors to pulse firsthand morale and the state of the business. They also mentor some of our up and coming leaders so again have direct contact into the heart of the organisation. Business has to take this issue seriously and everyone has to know that, irrespective of who you are, the same standards of behaviour are expected and enforced.”
Harriet Green, CEO, Premier Farnell plc
The “rules” grow out of ten vital questions that boards need to ask in order to build an assurance programme that works.

Why are we doing it?
1. Make sure you – and they – know why you are doing it and who you are doing it for
A behaviour and ethics assurance programme can suffer from serving too many masters: the Board, the audit committee, the remuneration committee, the executive, the regulator... So you have to ask ‘what are our goals?’ and rank them in order of importance. Governance oversight? Legal compliance? Strategic management? Securing post-merger integration? Managing the risks of growth? It might be possible for one programme to meet all these objectives, but your goals need to be very, very clear at the outset or else confusion will kick in.

What are we looking at?
2. Know what you are trying to build a picture of
“Ethics” is a wildly popular yet vague term. Standard-setting demands clarity about what you mean by desirable behaviour. You need to know just what you are talking about. In the box overleaf, we discuss the different aspects of business ethics that could be looked at. Thinking them through is important in working out the assurance approach.

What’s it going to focus on?
3. Pick a few themes to hang it on
Spend too much time on generalities and your review will lose focus. Employees will find it difficult to understand what you are getting at and their responses will become vague. Identify a few themes that are fundamental to the kind of behaviour you expect e.g. “integrity”, “treating customers well”, “unfailing quality”. Then you can ask people what this means to them and whether they are living up to these standards. But don’t choose too many.
“Good governance is so much more than having the right systems and processes in place. To give hand-on-heart reassurance to shareholders that their company is in safe hands you need to look beyond the procedures to the bedrock of the company – to its culture and its values. This is what makes the company tick, which is why it’s important to our Board.”
Philip Hudson, Director of Corporate Affairs, Drax Power Limited
What are we looking at?
• Our Contract: What we tell the world we’ll do
• The Social Contract: The environment; Ethical production; Fairness of reward; Societal principles and morals
• The Business Contract: Host country practices; Rules of doing business; The regulators’ rules; Licence to operate
• The Personal Contract: Company rules; Code of Conduct
• The Basics: Human respect; Obeying the law
“Ethics” means different things to different people in different contexts. So pinning down what you are actually looking at, and looking for, is key to getting assurance. It can help to think of “behaviour and ethics” as existing at different levels, with companies operating within a framework of written and unwritten contracts. The definition of each is not set in stone, and these overlap and merge, as well as changing over time. Those towards the outer edge are usually ‘softer’ and harder to define, but matter just as much as those at the core in terms of protecting the brand.
Some rules making up The Basics require that any divergence must be met with a zero tolerance policy: companies must obey the law, and all staff no matter their level or the culture-specific societal norms, must follow certain basic tenets of behaviour towards other people.
An employee’s Personal Contract with the organisation then builds on these foundations: it means that “breaking our rules means you don’t work here”.
The Business Contract may provoke more debate but still leaves minimal wriggle room. Operating in a country, or raising funds in a market, obliges you to follow social as well as legal expectations: that’s what gives you a “licence to operate”. This includes an implicit agreement to treat your staff fairly and with respect.
Then follows the Social Contract, an area still largely governed by commonly-held moral expectations. They include fairness, not exploiting people, and long term commitment to society and the environment. Increased NGO campaigning, constant media attention and rising investor awareness means they need to be factored into corporate standard setting.
And this is then encompassed by Our Contract. It’s not only what we have to do, or feel obliged to do, it’s what we say we will do. It’s about the commitments we give to others: shareholders, creditors, customers, suppliers...basically anybody who needs to be able to trust us. Once you’ve told the world you are going to do something, there is a reasonable obligation to follow that path or explain the reason why not. Unsatisfactory behaviour can cause considerable damage even when there are few legal risks. Your brand rests on trust and this can only be damaged if you fail to behave as you said you would.
The “contracts” aren’t defined layers, some being disposable or optional. And they change over time, requiring organisations to be alert to the need to respond. But they provide a structure within which different aspects of behaviour and ethics can be analysed when looking for a level of comfort which might otherwise seem elusive.
What can we achieve?
4. Aim for a picture not a verdict
Aim for a picture, not a comprehensive assessment. This will either provide assurance or highlight what needs to change. Don’t be over-ambitious. You may only cover part of the business, some of the behaviours, a proportion of the indicators, or just get a snapshot of the business as a whole. Gaps are likely to remain, but that doesn’t matter as long as a clear overall picture emerges and you know where to find the missing pieces and how big they might be.

Who should be doing it?
5. Make sure it’s clear who’s taking the lead and why
Different parts of the business (HR, Compliance, Risk Management, Internal Audit) will want to be involved in and/or benefit from assurance on different aspects of behaviour. They may want direct involvement or even ownership. This can stop the review getting off the ground. Tackle this issue up front and be very firm that the review cannot serve everybody’s objectives.

Whose language are we using?
6. Beware cultural and linguistic diversity
International companies face a vast range of linguistic nuances. Ethical concepts can be understood differently by native English speakers, never mind those with a different mother tongue. Culture has a big impact too and differences can arise even within a single country. Take special care: keep language simple and clarify issues with vivid examples. Discover how far a culture endorses your home country standards, taking behaviour, religion and history into account. And identify where traditions might conflict with company policy.
What can we draw on?
7. Draw on multiple sources to add substance and colour to the picture
There are many sources of comfort out there though they often fall outside the conventional assurance plans offered by auditors and external consultants. Think about how you can use indicators such as exit interviews, staff turnover, expense report compliance, and Health & Safety failures. None of these will be definitive in isolation but put them together and a clearer picture will emerge.

How can we pin down “attitudes and behaviour”?
8. Make the questions relevant to people’s day-to-day work
People need to see the relevance of your questions, so link these with day-to-day activities. For example: “how does integrity matter in what you do each day?” Explain the impact of behavioural goals and how high standards can benefit them as individuals. Get people to talk about the behaviour they see around them and ask how they feel about it. Note the kind of anecdotes which interest them, and pay careful attention to any factors which seem to influence their actions.
“Making the right judgments in the area of compliance is not an option but a necessity – it’s an area my Board take very seriously. The first thing is to be clear about the standards you expect and then help people understand how to meet them in their day to day duties, ensuring that they know where they can turn if they face a dilemma or need support. And when they don’t, the consequences have to be clear and transparent so no one is in any doubt what is expected.”
Stephen Bolton, Head of Global Audit & Risk, Diageo plc
How can we report on it?
9. Be comfortable with ambiguity and impressions
Don’t look for definitive conclusions, let alone clear results. Pay close attention to deviations from the norm because these are likely to highlight significant risks. Good reporting takes account of how people absorb information and learn. Build in anecdotes, “war stories” and examples to amplify your findings. These techniques will lend colour to hard facts such as HR statistics, disciplinary proceedings, speak-up line reports and survey data. Use these to start building a set of KPIs which can be used to track progress.

What next?
10. Make the story part of the way you work and manage
Tell management – at all levels – what you have found and get them to think about what it means. Ask them to spread the word, identify problems and develop a response. Consider how the picture you have painted can provide reassurance to external stakeholders such as investors. Come back to the issues periodically, track the indicators, ponder fresh angles – and extend the assurance exercise to other parts of the business.
INDICATORS OF BEHAVIOUR
When we talk of “behavioural KPIs” we’re not suggesting there are simply one or two measures that should be tracked to gauge how far a desirable level is being reached. But a range of indicators can be put together to form an overall impression. This won’t give any definitive answers and no one indicator will by itself be of particular value. But the integrated picture may well highlight a problem or provide reassurance. It’s more like a “behavioural scorecard”. Each organisation will need to work out what makes sense for them. But it’s a question of looking out for signals that might indicate changes in behaviour and for signs that raise questions or possibly ring alarm bells. Usually they will be based on data that should already be available – and may already be reported – but put together in a different context with a different objective and they could well add a new perspective on a key issue.
Some examples are given below. Other useful indicators will exist which can be added to the “scorecard” to enrich the picture and give pointers. And very often, specific cases or “war stories” can tell those at the top of the organisation a lot about attitudes: they may be isolated cases or indicative of a wider problem. Either way, they shouldn’t be ignored and need to find their way up the line with rigorous evaluation of their significance at each stage. And striking “success stories” reflecting the right behaviour need to come up the line too. Overall, the key has to be to act on the impression the indicators are giving. If a few alarm bells are ringing, even if faintly, management need to act and the board needs to ask what the response has been.
Some examples

Some indicators will be controls or quality-related such as:
• Trends in audit issues: A shift in the mix of red/amber/green findings or in the number of outstanding actions, indicating changing attitudes.
• Compliance incidents: An increasing number in a particular area (eg H&S) or recurring penalties and fines may suggest slackness.
• Claims and legal cases: An increase may indicate inappropriate attitudes or actions or poor attitudes to controls.
• Bad debts: A deteriorating record may suggest poor salesforce behaviour, inappropriate incentives or sloppiness in applying controls.

Others will be connected to how our staff are behaving towards those outside:
• Customer comments: Deteriorating customer satisfaction or complaints data may indicate poor interaction with staff or quality problems in products or service levels reflecting weak attitudes.
• Supplier feedback: Negative feedback might be reflecting treatment by individual buyers, attitudes more widely held in purchasing, or the tone set by the company.

Some will be staff-related and be indicative of morale:
• Staff turnover/absenteeism: Trends indicating low morale in general or in specific areas – maybe due to a poor atmosphere or bad unit management – or suggesting a problematic culture or weak leadership.
• Staff surveys/focus groups: Deteriorating responses to direct questions about attitudes, morale and others’ behaviour (including management’s) should ring alarm bells.
• Training records: Low take-up of ethics training is a direct indicator – but wider problems around training levels may suggest poor management or disillusionment.
• Expense reports: Changing trends in spending or in rejected expense claims might suggest changes in the control culture or attitudes to the organisation.
WHAT BOARDS ARE DOING: the survey results in more detail Thinking about what oversight is needed Boards actively consider how ethical lapses can cause reputational damage…
Risks to corporate reputation from ethical lapses. Boards are quite active when it comes to considering the impact of behavioural issues. Nearly half make this a specific full-board agenda item. Almost all the rest at least ensure informal discussions on this theme.
Chart: The organisation’s potential exposure to reputation damage arising from ethical lapses. In the last year the Board has discussed this: Formally 46%; Informally 49%; Not at all 5%.
…but the sources of behavioural risks may not be well understood
Sources of risk. There’s less interest in how those risks can arise and how to deal with them. A third of boards don’t even have informal discussion of the ethical dilemmas which might confront their employees. Only a quarter consider the issues on which staff are seeking guidance. All this casts doubt on how directors are evaluating the implications of behaviour for risk-taking and risk-mitigation. Legal risks appear to be an exception: for instance, nearly 60% have considered the implications of the Bribery Act for board oversight of ethical compliance.
Chart: The nature of the ethical dilemmas that employees may face and how they are expected to respond. In the last year the Board has discussed this: Formally 26%; Informally 37%; Not at all 32%; Other 5%.
Only a minority look closely at how reward systems shape behaviour
The impact of reward systems. The wave of concern about the links between reward, behaviour and risk-taking appears to have stopped short of a lot of board agendas. Only two out of five discuss the subject specifically. Nearly a third don’t discuss it at all.
Chart: The potential impact of reward systems on behaviour and compliance with ethical standards. In the last year the Board has discussed this: Formally 43%; Informally 21%; Not at all 31%; Other 5%.
Most boards give little consideration to stakeholder opinions on ethical issues
Stakeholder concerns. There’s a tendency to neglect signals from external stakeholders (including shareholders) on behavioural matters. A third of boards and committees have specific discussions on this issue, a third pick it up in general discussions, the final third ignore it altogether.
Boards rarely insist on ethical due diligence
Risks from major initiatives and mergers. Only 26% of boards insist on full ethical due diligence being performed in either merger & acquisition or joint-venture situations. A third of respondents admitted to not knowing whether their Board had a policy in this area – and nearly half don’t do it at all or only partially. This appears to be a good example of where, when it comes to practicalities, board awareness and good intentions don’t feed through to good practice.
Chart: The Board requires ethical due diligence to be performed when entering into any M&A or JV situation. How far does this statement apply to you? Fully 26%; Partially 16%; Not at all 28%; Don’t know 30%.
There is a heavy dependency on audit committees
Delegating oversight. Two-thirds of boards delegate behavioural issues to the audit committee despite its already extensive responsibilities (although we rarely see this reflected in terms of reference). Hardly any have a separate ethics committee and only 12% operate one at managerial level. This dependency on audit committees isn’t surprising: it fits with their overall responsibilities for oversight of assurance, and often risk management. But boards need to be careful to make sure that the more strategic angles around risk, leadership and branding are not neglected – and that behaviour and ethics isn’t seen just as part of the control environment rather than a management and strategic issue.
Discussing behaviour
Only 24% of boards talk specifically about expected standards of behaviour
The values, ethics and behaviour which the board expects to be maintained. Only a quarter consider this as a specific agenda item for the board, i.e. including all directors, while another quarter deal with it in a partial fashion. The rest touch on it if it comes up.
Chart: The values, ethics and behaviour which the board expects to be maintained. In the last year the Board has discussed this: Fully as a specific item on the Board agenda 24%; Fully in committee but not by the full Board 16%; Covered but not as a specific item 48%; As a procedural item for approval only 8%; Other 4%.
The picture is significantly worse when it comes to discussing specifically the role of ethical standards and policies in securing effective risk management – only 32% do this, even when including committee discussions. It’s disconcerting to find that one in twelve boards don’t discuss this at all.
Chart: The role of ethics standards and policies in securing effective risk management. In the last year the Board has discussed this: Fully as a specific item on the Board agenda 12%; Fully in committee but not by the full Board 20%; Covered but not as a specific item 60%; Not at all 8%.
Only half of boards discuss specifically their Code of Conduct
A structured and documented Code of Conduct should be fundamental to communicating a board’s expectations. It’s not clear how boards can have any meaningful view on a Code without talking about it in some detail as a specific agenda item. But only a quarter set aside time for a full discussion at the board itself, with another quarter talking about it in committee. Around 10% relegate the Code of Conduct to a mere procedural item ‘for approval’.
Chart: The Code of Conduct (or equivalent) which is used to communicate these standards. In the last year the Board has discussed this: Fully as a specific item on the Board agenda 24%; Fully in committee but not by the full Board 24%; Covered but not as a specific item 36%; As a procedural item for approval only 8%; Other 8%.
Fewer than half of boards focus on how standards should be communicated
Communicating expected standards of behaviour. Publishing a Code of Conduct doesn’t make it understood, let alone followed. This requires effective communication. But only 12% of boards discuss this specifically as an agenda topic – and still only 40% if you include committee work. There are more who have a “general discussion” though it’s not clear how this subject lends itself to that approach. One in five boards don’t discuss communication at all, or make it a procedural item. Maybe the reason for this is that some boards are unclear on their role in communicating standards and reinforcing positive behaviour. It would appear so: an insignificant 4% say they discuss that aspect of their role, rising to only 20% even when committees are included.
Chart: The programme for communicating the ethics policy to employees. In the last year the Board has discussed this: Fully as a specific item on the Board agenda 12%; Fully in committee but not by the full Board 28%; Covered but not as a specific item 36%; As a procedural item for approval only 8%; Not at all 8%; Other 8%.
Most boards don’t discuss ethical training
Securing buy-in. It’s not just a question of communication: support and follow-up are needed too. Training is vital because it’s about relating ethics to everyday activities. A board that takes buy-in seriously will make time to discuss this, and to understand what the training is achieving. How does the sample measure up? Only 8% discuss ethics training at the full board, increasing to just under 50% if you include the committees. It’s hard to see how the others can have any certainty whether the standards they have set have really become part of corporate life, given the importance of training in generating or preserving the right attitudes and behaviour.
Few directors or executives take part in ethics training
Board-level training. Only three out of ten companies provide their executives with ethical and behavioural training and related assurance activities. And only one in ten do this for directors. It may be that most people at that level don’t feel it’s an area where they need training – and that may be the case. But taking part in the training provided for staff is an important signal in setting the tone, and also gives an opportunity to find out how they are thinking. And external expectations and regulations are changing all the time and thinking around ethics, assurance and how organisations behave and respond is developing: setting aside time to understand the risks and the oversight implications can help.
Boards are not debating the advantages of a public pledge to uphold standards
Reinforce standards by communicating them to stakeholders. Making a public commitment can strengthen culture by helping stakeholders hold the organisation to account. But there’s little interest in doing this – an extremely low 4% of boards have this on their agendas (and still only 20% if you include committee-level discussion).
Working out how to obtain comfort
Consideration of where to obtain comfort is focussed on assurance programmes
Evaluating employee attitudes. How far can you rely on your employees’ personal values to ensure compliance with corporate standards? It’s hard to know what your firm needs to do without having an answer to this question. Yet only one-third make it an agenda item at either full board or committee. And nearly a quarter don’t touch on the subject at any time.
Chart: How far the Board can rely on the employees’ values and attitudes to ensure compliance with ethics policies. In the last year the Board has discussed this: Formally 35%; Informally 35%; Not at all 23%; Other 7%.
There is more activity when it comes to considering the more specific question of the need for an assurance programme. Some 30% of boards discuss this specifically, with another 40% doing so more generally. But that is largely where it stops: general discussion of how, overall, the Board might obtain comfort on ethics and compliance from a wide range of sources is limited almost entirely to committees (40% of cases). Only 4% have structured discussions at main board meetings.
Few boards discuss either the outcomes or effectiveness of their assurance programmes
Reviewing outcomes. Surprisingly, very few boards discuss the results of their assurance programme. Where it happens, this is left to committees but even then only happens in 25% of cases. No company makes any provision for full board-level consideration – and only 8% discuss it at the board, and only then “in general”.
More discuss the ethics programme effectiveness but only a quarter formally
The situation gets a little brighter when it comes to considering the effectiveness of the ethics programme. Yet even here only one in four boards engage in a formal discussion while about a third gives it no consideration at all.
Chart: The approach and results of the assurance programme. In the last year the Board has discussed this: Fully in committee but not by the full Board 25%; Covered but not as a specific item 8%; As a procedural item for approval only 4%; Not at all 46%; Other 17%.
Chart: The effectiveness of the ethics programme and the need for any changes. In the last year the Board has discussed this: Formally 23%; Informally 35%; Not at all 33%; Other 9%.
Most boards don’t ask whether ethical training is working
Confirming that ethical standards are supported by effective training is a basic goal yet two boards in three make no attempt to find out.
Chart: The approach and results of the ethics training programme. In the last year the Board has discussed this: Fully in committee but not by the full Board 13%; Covered but not as a specific item 17%; As a procedural item for approval only 4%; Not at all 36%; Other 30%.
Significant ethical lapses are usually reported to the Board
Discussing compliance levels and significant ethical lapses. Most boards take an interest in this, usually via a committee. It’s encouraging to see that three-quarters discuss serious cases formally and also that nearly all boards discuss how to respond to significant incidents of non-compliance. Despite this just over a third of boards receive regular reports about such lapses in a comprehensive way – most report that the approach is only partial.
Chart: Regular reports are provided to the Board which keep them informed of serious lapses in compliance or ethical issues. How far does this statement apply to you? Fully 37%; Partially 55%; Not at all 8%.
So what sources of comfort do boards mainly rely on?
Boards tend to rely on briefings from management
Contact with management: some 30% rely ‘mainly’ on their interaction with management to give comfort on the ethical environment, while a further 60% rely on this in part.
…but speak-up lines are important
Getting feedback from speak-up lines is commonly relied on with 90% of boards saying this contributes to the picture.
There’s heavy reliance on internal audit
Most boards rely on internal audit findings, with 80% saying they do so “a lot”. Heads of Internal Audit (HIAs) say that in three-quarters of cases, boards rely on their function alone for comfort over behavioural issues.
But despite this apparent reliance only half of HIAs have been asked to provide assurance on compliance with the Code of Conduct. And when it comes to assurance on implementation of the ethics programme, it’s the same picture, with the extent of board requests or discussion varying considerably; not far off half (43%) don’t seek independent assurance at all on this.
Chart: Internal audit findings. To what extent does the Board rely on these to obtain comfort over the ethics and control culture? A lot 80%; To a limited extent 20%.
Chart: Implementation of the programme for communicating the ethics policy to employees. To what extent has internal audit been asked to provide assurance to the Board or a board committee? Fully as a regular report 9%; Fully as an ad-hoc request 5%; Informal discussion only 14%; Not at all but another function provides assurance 19%; Not at all 43%; Other 10%.
It appears that internal audit’s role is usually restricted to reporting on incidents of non-compliance rather than providing assurance on the success of the ethical behaviour programme.
External audit and compliance reports provide comfort for all
Other conventional sources of assurance. Nearly all boards place some reliance on external audit and compliance reports to secure comfort around behaviour.
Reports on disciplinary and legal cases help
Over 80% use information from disciplinary systems, and 88% draw on material from legal disputes or court cases.
Only a third of boards rate self-certification systems as providing “a lot” of assurance.
Staff-based indicators are often neglected…
“People-based” indicators. Only one board in three places strong reliance on staff surveys, although 41% use them “to a limited extent”. Only one-third draw to any extent on staff focus groups and only half make use of information from exit interviews, which seems a wasted opportunity.
Chart: Staff surveys. To what extent does the Board rely on these to obtain comfort over the ethics and control culture? A lot 32%; To a limited extent 41%; Not at all 27%.
Chart: Staff focus groups. To what extent does the Board rely on these to obtain comfort over the ethics and control culture? A lot 2%; To a limited extent 34%; Not at all 64%.
Chart: Employee exit interviews. To what extent does the Board rely on these to obtain comfort over the ethics and control culture? A lot 5%; To a limited extent 44%; Not at all 51%.
…as are customer and supplier surveys
Customer and supplier surveys/complaints get surprisingly little use to help build the picture of staff or corporate attitudes and behaviour. Less than a third of boards look a lot at the results of customer surveys and one-third don’t study them at all.
Chart: Customer surveys or complaints. To what extent does the Board rely on these to obtain comfort over the ethics and control culture? A lot 27%; To a limited extent 39%; Not at all 34%.
Half make some use of supplier surveys, but only 15% do so to any great extent even though they can tell you a lot about staff interaction with key counterparties.
Only a tiny minority of boards use KPIs to build a picture of attitudes and behaviour
Key indicators. Only 10% of boards use indicators of behaviour “a lot” and half don’t use them at all. They are tricky to formulate and will only ever be indicative, but using a collection can build a picture: see the examples in the earlier section.
Chart: Ethics compliance – specific KPIs. To what extent does the Board rely on these to obtain comfort over the ethics and control culture? A lot 10%; To a limited extent 39%; Not at all 51%.
APPENDIX: SURVEY APPROACH
The survey was conducted in Q3 2010. Responses were received from 46 companies from the FTSE 350. Of these, 24 were FTSE 100 companies at the time, of which 4 were in the financial services sector. Of the 22 FTSE 250 companies, 6 were financial services companies. In terms of size the breakdown was:
Numbers of staff        Frequency    %
Fewer than 10,000       18           40
10,000 - 19,999         9            20
20,000 - 39,999         5            11
40,000 - 99,999         11           22
100,000 or more         3            7
Total                   46           100
Market capitalisation £ Frequency    %
Less than 1 billion     13           28
1 to 2.99 billion       12           26
3-9.99 billion          12           26
10-19.99 billion        3            7
20 billion or more      6            13
Total                   46           100
Questionnaires were completed online by 25 Company Secretaries and 21 Heads of Internal Audit. The content of the questions was the same for both groups. Some additional questions were asked of the internal auditors around their work for the Board. Inclusion of both groups allowed the results to be based on a larger sample. We judged this to be sound as, in this particular field, i.e. the Board’s activity around ethical compliance and control culture, Heads of Internal Audit are likely to be aware of board level discussions and also are present at audit committee meetings. There was no discernible difference between the responses from the two groups, i.e. there was no pattern of the internal auditors suggesting less board activity in this area than that suggested by the company secretaries. Analysis of the responses based on industry classification and size did not show any clear differences in board activity.
The author
Richard Sheath +44 (0)20 71687220 richard.sheath@independentaudit.com
Richard Sheath is a co-founder of Independent Audit. In working with boards, he specialises in risk governance and the work of audit and risk committees. He has practical experience of working with boards in securing comfort on behaviour and ethics and this experience underpins the thinking set out in this report. Richard is also a director and the audit committee chairman of Eurochem, a global fertiliser company. He was previously a risk management partner with PricewaterhouseCoopers. Richard would like to acknowledge the particular help of his colleague Hanif Barma in this area (hanif.barma@independentaudit.com).
About Independent Audit Limited
Independent Audit Limited is a specialist board and governance consultancy. We help boards know that their governance is working well. We understand what boards need and how businesses work, so we get to the big issues without fuss and suggest straightforward, practical solutions. We can review your overall governance systems, assessing how different parts of the governance structure are working and how well they link up, or look in detail at specific governance and assurance issues. Our new web-based governance self-assessment service, Thinking Board, provides an alternative approach to assessing effectiveness. We work with organisations of all shapes and sizes and in all sectors. When it comes to behaviour and ethics...whether it’s around risk management and oversight, brand and reputation protection or the internal control culture, we work with boards, audit & risk committees and internal audit helping them, for example:
- Think through how it matters and their objectives
- The sort of comfort they want to get – and how to get it
- Design and put an assurance programme in place
- Conduct independent reviews through interviews, focus groups and surveys
- Undertake their own assessment using Thinking Board™, our web-based governance evaluation service
If you’d like to know more, contact the author or our Chief Executive: Jonathan Hayward +44 (0)020 7618 7721 jonathan.hayward@independentaudit.com
ACCA is a global professional accountancy body with over 140,000 members and 400,000 students in 170 countries. It works to achieve and promote the highest professional, ethical and governance standards and advance the public interest around the world. www.accaglobal.com
www.independentaudit.com © Independent Audit Limited 2011. All rights reserved.