Monitoring and Reporting
Enforcing responsible business practices needs meaningful and specific assurance and monitoring processes. The responsibility for monitoring the implementation of an integrity program rests with the integrity and compliance function, whereas the responsibility for monitoring whether employees adhere to integrity standards and compliance criteria rests with the respective functional or departmental management. The latter cannot be delegated to the integrity and compliance department since it would otherwise disconnect responsibilities, behaviors, and rewards, effectively rendering the rewards tool described earlier ineffective.
The monitoring of the implementation status can, for example, be done with a Web-based self-assessment tool that generates a data set about risk areas and potential gaps in the implementation processes of certain standards. These data can also be used for benchmarking to identify best-practice activities, which then can be replicated by others across the organization. Another monitoring instrument is the use of an integrity survey that monitors the ethical climate and the specific risk areas within an organization.
Further, reporting to internal and external stakeholders is an important task, both to generate transparency and for organizational self-governance purposes. For this reason it can make sense to build a direct reporting line from the chief integrity and compliance officer to the CEO and a member of the senior management or the board of directors. Regardless of how the structure is built, it is critical that the chief integrity and compliance officer have sufficient decision-making power without being suppressed by speak-up problems in an organization, especially when speaking up to senior management.
For external communication purposes a company should use specific sections in the general annual report. In addition, a specific annual integrity report, or a report on progress for the UN Global Compact, which focuses on principles in the areas of human rights, labor, the environment, and anti-corruption, could further boost the effectiveness of integrity and compliance efforts, especially with external stakeholders. The purpose of such reporting should be to provide reasonably transparent insights into the most material topics, integrity management processes, and into their objectives and results. This reporting has the potential to create structural changes to entire industries. For example, Apple now frequently reports on the environmental impact of its products during product launch events, and almost all competitors followed this example.
Whereas many of the processes mentioned earlier are preventive in nature, an organization also needs instruments to reveal, investigate, and sanction integrity and compliance violations. It is of utmost importance for the success of an integrity and compliance program to give sufficient weight and focus to the elements that have the potential to influence—one of those is making misconduct explicit. Employees should be able to report actual or suspected cases of misconduct without repercussions. This process is often referred to as "whistle-blowing." Such a process must guarantee confidentiality, anonymity, and protection from any form of retaliation.
To demonstrate the credibility of the whistle-blowing process, the process needs to be made explicit and easy to use. All employees should understand how the process works, including how incoming reports are handled and how investigations are conducted. In addition, the number of reports that have been received and investigated, as well as the results and lessons from the investigations, should be made public across the organization. We suggest not making the whistle-blowing mechanisms a responsibility of the integrity function. The reason is that the role of an integrity and compliance officer should be much more that of a trainer and advisor in cases of ethical doubts. If the prosecution function is combined with the training and advisory functions, conflicts of interest could arise and trust could be reduced, which will make both essentially ineffective.
Independent, Internal Assurance
The final activity required for an integrity and compliance program is an independent internal check of the effectiveness of the internal control systems and the spotting of gaps along the processes. As with all audits, the responsibility for all compliance audits should lie with the audit department, as it is typically independent from the operational management. It also usually reports directly to the chairman of the board of directors instead of the CEO. The integrity and compliance department would then be responsible for advising the audit function about potential risk factors that need to be considered during the next audit cycle.