Developing a Culture of Compliance: How Ethics and Risk Management Intersect


Despite the oft-invoked title of “ethics and risk management” for anti-fraud initiatives and professional roles, it’s occasionally difficult to put modes of compliance into practice that explicitly draw links between ethics and risk as symbiotic symptoms of each other. While it may be easy to identify potential risks within an organization, it’s harder to trace those risk opportunities back to an ethical aspect of the company’s culture that may be the foundational cause for a risk.

As part of the virtual 2021 ACFE Fraud Conference Europe, Dr. Attracta Lagan, co-principle of Managing Values, spoke with Dr. Klaus Moosmayer, the executive committee manager and chief ethics, risk, and compliance officer for Novartis, to discuss techniques for promoting an office culture that enhances ethical accountability as a means of reducing risk.

Lagan began the session by outlining four focus areas to structure their conversation:

  1. Leadership culture: How do leaders design for a leadership culture that influences employee behavior?

  2. Organizational culture: Do you design culture, or does culture design you?

  3. Fraud, ethics and compliance: Are ethical risks the systemic sources of fraud and corruption?

  4. Organizational justice: Do you know and understand the backstory to why people behave the way they do at work?

By breaking down the conversation into these four parts, Lagan hoped to tease out actionable items that session attendees could put into practice in their own organizations to make it as easy as possible for employees to know and do the right thing. As Lagan elaborated, she sees many fraud and risk opportunities as products of an unmanaged corporate culture, and she challenges leaders to develop values-led workplace cultures that balance what is right for business with what is good for society.


The line that connects ethics and risk
When discussing the leadership culture at Novartis, Moosmayer focused on championing individual accountability. “In a very down-to-earth statement,” he said, “I believe it’s simply much more fun to work in a company which has cultural diversity and inclusion and ethics on the agenda.” He suggested that leaders move away from a blaming culture to a listening culture and made note of the fact that a leader asking for help can be a very powerful and encouraging action for everyone in an organization. Moosmayer described his organization’s commitment to data-driven measurement and benchmarking. Lagan agreed, “It’s very hard to manage culture without the data, and yet people are reluctant to do that.”

For Lagan, one purpose of an organization is to get employees engaged, and there’s an opportunity to leverage that purpose. In the case of leadership, Lagan explained, an effective ethics department has to get middle management leaders on board since the vast majority of employees are taking their direction from them. Part of this challenge is simply to teach middle managers the necessary skills.

Lagan elaborated, “It’s always been one of my biggest frustrations that we spend millions on leadership training, but it’s usually on the executive level, not at the middle manager level, which is usually what is the backbone of the organization. So spending equal dollars on skilling them up, because they are organizational leaders also, and then holding them accountable not just as role models but as advocates. They have to actually be talking about the ethical dimension, the risk dimension on a daily basis, because they are setting the context — either an enabling context for their people, or they’re not addressing the existing barriers.”

Developing a shared vision
How do leaders create a shared vision that everyone in the organization can buy into, especially in a multinational company? Moosmayer offered one of Novartis’ initiatives as an example: Move from a code of conduct, which enforces discipline culture, to an operation structured around guiding principles. This can be a difficult transition, especially since everything in Novartis’ industry is geared toward regulation, but Moosmayer remained optimistic. “Our belief is you can’t come to a good culture only through good controls.”

According to Moosmayer, hosting company-wide discussions to get insight from employees regarding their own principles and concerns inherently gets more people involved and helps tailor the principles to fit the company’s needs. Novartis has remained largely dependent on feedback from employees and leaders, and this feedback often serves as a helpful benchmark to think about one’s own biases.

Lagan cited Novartis’ history of being fined for unethical conduct prior to Moosmayer’s joining the company and asked Moosmayer to elaborate on some lessons learned from studying that experience. Moosmayer responded, “The most interesting times are in the years immediately after the legal settlements.” At Novartis, this meant moving forward by operating with trust as a guiding principle. As Moosmayer put it, “To be transparent, you have to be data-driven, courageous and vulnerable.”

Lagan elaborated on Moosmayer’s discussion of transparency, noting, “We live in an internet world, where transparency is knocking at the door of every organization. It’s very hard to build walls around anything anymore. It used to be a closed system, but today one disgruntled employee can expose the organization. So, more and more, the forces outside organizations are pushing toward transparency.”

In Lagan’s experience, some companies in Asia have begun sitting down with their governmental regulators and sharing the results of their culture audits. This practice hasn’t quite made it to mainstream, but it’s a radical new method to build up trust between organizations and governments.

Organizations will always be vulnerable because they’re filled with human beings, and nobody is perfect. But, as Lagan and Moosmayer underscored in their discussion, building an organization based on justice, where people know they’ll be treated fairly if they raise a concern, is crucial for the entire anti-fraud profession. Especially as the industry faces new challenges, ranging from the pandemic to the new frontier of teaching ethics to AI, employees need to feel like they belong in an organization and that their organization will listen to them. When organizations pay more attention to developing ethical workplace cultures, risk opportunities and occurrences of fraud are more successfully mitigated.