The Red Flag Group®
ongoing due diligence

Selective disclosure: public information on compliance programmes

When a compliance programme is thought of as an insurance policy, the company is generally trying to “tick the boxes” by meeting the basic legal requirements. These compliance programmes often haven’t been updated for ten or more years and are therefore out of date. Typical characteristics of these programmes include a tangled network of policies and procedures and a hotline phone number that goes to an answering machine in some forgotten corner of a head office. Insurance-policy type compliance programmes may look good on paper, but they mainly serve as a way for companies to cover themselves if things go wrong, and they don’t add any business value.

By far the worst way for a programme to come across is as a hurdle. It is hoped that no companies look at compliance programmes as roadblocks to success, but unfortunately this is sometimes the case. Those companies have compliance programmes in place purely because they legally have to, but the programmes are by no means comprehensive, and employees can easily avoid the associated checks and monitoring.

A new form that compliance programmes are starting to take is as “showrooms”: via corporate social responsibility marketing, companies can show off the fact that they conduct business the right way. In the past, this compliance information was only viewed by members of the internal team, but many organisations are starting to understand the merit of making some information available to the public.

As the public is scrutinising the way that companies do business, compliance programmes are becoming more transparent. Legislation such as the California Transparency in Supply Chain Act has accelerated the efforts of companies to share information about their programmes. The compliance showroom is open not only to employees, but also to the public, including investors, consumers, communities, non-government organisations and the media. Companies can show what they are doing with their programmes, share how their programmes are changing with shifts in industries, publicly state their goals and challenges, and demonstrate that they are adapting to best practices.

So what are companies sharing about their compliance programmes? How many compliance showrooms are open to the public?

For this study, Fortune 100 companies were examined to see what compliance-programme information they were readily sharing with the public. Reports were gathered in the first quarter of 2014, and only the most recent reports were utilised.

There were some limitations to this study. Not every piece of documentation was examined. The search was also limited to the companies’:

  • corporate social responsibility procedures
  • sustainability initiatives
  • annual reports
  • corporate citizenship
  • suppliers.

Availability of information

Of the 100 companies that were examined, only 59 disclosed information about their compliance and ethics programmes. It is somewhat discouraging to see so many Fortune 100 companies lacking compliance disclosure.

There could be a number of reasons why so many companies are not providing details of their programmes to the public.

They may think that information about compliance and ethics is proprietary. To some extent, this can be true. Certain aspects of compliance programmes, such as misconduct, ongoing internal investigations or insight into expansions of products or operations, do not need to be shared with the public. However, certain elements of the programme are generally positive and deserve to be shared. These elements can include:

  • codes of conduct
  • training efforts
  • programme awareness efforts
  • updates to policies
  • actions of senior leaders and managers
  • board activities surrounding ethics and compliance
  • a summary of findings of recent ethics and compliance programme assessments
  • due diligence efforts
  • awards to employees for ethical behaviour
  • hotline statistics.

The depth and robustness of the information shared on each of these topics will vary greatly. In the area of ethics and compliance programme assessment, for example, a full disclosure of all results would be excessive. However, letting readers know that an assessment took place and providing a summary of the results (highlighting the strong areas) can be advantageous as it allows stakeholders and readers to know that the company cares about the ethics and compliance programme and is working to improve it.

Companies could also be holding back from sharing information about their compliance programmes because they do not have any good news to share. A company might understand the merits of disclosure, but if they haven’t trained employees in three years, their programme assessment showed serious gaps, and a large-scale investigation has been started about corrupt activities, they don’t exactly have the best information to put out to the public. In this situation, they think that no press is better than bad press. Even in situations where companies have less-than-ideal programmes, it is better to mention the few successful parts of the programme than nothing at all.

Again, 41 of the Fortune 100 companies did not disclose information about their compliance programmes. The ethics and compliance programmes of these companies should be frequently updated, assessed and brought in line with best practices. They should be a source of pride. It should not be a question of resources, but rather initiative.

No company that was examined had a standalone compliance report; all of the information was obtained as a part of another report, such as a corporate social responsibility or sustainability document. This represents an area where improvement in transparency is required for large public companies in the United States. As some organisations outside of the Fortune 100 have standalone compliance reports, this is not an area where the largest companies are in front.

Written standards and policies

The most popular method of sharing information about compliance was in codes of conduct. This is disappointing overall because a code of conduct is a document that is already public. If a company is publicly traded in the United States, it is a legal requirement that its code be made available to the public. For a company to make a document public because it is legally bound to do so is hardly making a great stride in transparency.

Much of the public information regarding companies’ codes simply acknowledged their existence or how they played a part in the success of each company. Other code-related information touched on training and certification. More useful information about the written standards of each company would concern policies, communication efforts and what role those standards play at a company.

Whistleblowing and reporting

While it is quite easy to mention a code of conduct in a public report, it is more difficult to share information about how often employees are making reports and using the company hotline. Only 12 of the 100 companies expressly mentioned the number of reports that had come through. These companies included Pepsi, Apple, General Electric, Hewlett-Packard, Dell and United Postal Service. General Electric deserves special recognition for its transparency, as its reports were broken down by topic and location as well as by the frequency with which disciplinary action was taken.

A common theme about disclosure of compliance information was that it was provided at a very general level. Even when companies shared whistleblower statistics, the figures were not broken down by type of misconduct, location or avenue used to make the report.

Supply chain

Companies frequently discussed many aspects of the supply chain in their corporate social responsibility reports, and tended to focus content on working with local suppliers as well as supplier diversity. This information is surely worthy of being publicly disclosed, but it is not very relevant to the ethics and compliance programmes.

The information more relevant to this study was the due diligence of third parties, audits, inspections and other similar elements to ensure integrity in the supply chain. Only 26 of the companies noted the due diligence of their suppliers in their reports, and the information provided was still quite sparse. Many companies only noted that some due diligence was done or gave vague statements about checking suppliers.

With the California Transparency in Supply Chain Act, companies are facing new requirements for public disclosure. This necessary disclosure focuses mainly on forced labour, human trafficking and other human-rights standards. The Act has also led to an increase in the number of disclosures made by companies regarding their supply chains.

Much has been written lately about the precautions that companies are starting to take with conflict minerals. Much like the California Transparency in Supply Chain Act, the Dodd-Frank Act has also had a ripple effect into other areas of a company’s programme. As companies are starting to improve their conflict-minerals programmes, they are putting some highlights into public documents. In the examined documents, 19 companies mentioned conflict minerals (if only briefly). The technology industry had the most language surrounding conflict minerals, with more than three-quarters of the technology companies mentioning conflict minerals. As the operations and products of these companies could frequently contain minerals from areas of conflict, their adaptation to conflict-minerals laws and public announcements of programmes are not surprising.

Training and communication

Nearly half of the companies examined mentioned employee training on ethics and compliance. Most often the information that was shared was very imprecise, mentioning that training was taking place but offering no further details. Some companies provided more specific information including the topics of training (most commonly code training), the number of employees that were trained and which platforms they had used. Four companies discussed the types of communication used to deliver compliance messages, and two companies mentioned training for the board of directors.

Compliance and risk monitoring

This is another key area that was not readily reported on by the companies – only six companies shared any information about recent ethics and compliance audits or assessments. Details such as who conducted the audit, when it was conducted and any details on the findings were found in a couple of companies’ reports (Apple and Hess), but again, most of the information that was presented was very general. As companies more readily understand the merits of conducting a compliance audit and consequently share the positive aspects of the findings, disclosure in this area should rapidly increase.

There were some common trends in the areas that companies were likely to disclose.

Risk assessment was mostly discussed in terms of a broad organisation-wide risk assessment, not necessarily a compliance/ethics risk assessment. The public data relating to risk assessments was typically vague and related to operational and reputational risks, without details such as likelihood and severity of risk factors.

Anti-corruption programmes were discussed in 18 percent of reports and the scope of information disclosed varied widely. In some reports anti-corruption language was limited to a couple of sentences of corporate speak, extolling a commitment to operating in a global environment with integrity and respect. While this is a good notion to have, specific details on the programme’s goals, results and audits and on the systems in place to prevent, detect and stop corrupt acts would be more appreciated. More detailed reports shared information about working with agents, addressing obstacles in new markets and improvements made to compliance systems.

Some companies also disclosed information about employee surveys and questionnaires. The information shared ranged from job satisfaction, to sources of pressure, to the effectiveness of health and wellness programmes. As was the case with many other areas of disclosure, the information shared publicly was mostly non-specific.

A great many companies in the Fortune 100 did not share information about their ethics and compliance programmes. Those companies that were brave enough to display information for public scrutiny should be commended. Although much of the information shared was not particularly detailed, what was available shows that companies are headed in the right direction. The amount and quality of information disclosed by companies will grow as consumers and the public continue to scrutinise the companies they do business with.