Who is Responsible for the Ethics of an Organization?

Posted In Human Resources, Legal, Regulatory Compliance on June 30th, 2011

I recently came across a discussion between Markkula Center for Applied Ethics’ Executive Director Kirk Hanson and Craig Nordlund, former general counsel of Agilent Technologies.  Nordlund believes the concern for ethics must be shared by everyone in the organization, but suggests ethics programs will be ineffective without leadership from the company’s top executives.

It is hard to argue with his comment that “ethics programs will not work unless there is leadership on ethics from the company’s top executives”.

However, lessons learned and incidents seem to clearly reveal that leadership from the company’s top executives is not enough.

So why is creating an ethics culture so difficult for organizations? Perhaps ethics training is not enough or not even part of the solution?

Training is defined as a process to teach or learn a skill or job, and, as the title of the article (Creating an Ethical Business Culture) suggests, I would agree that ethics is more of a culture than a job or skill.

Training is typically a once-a-year task on a learning management system: a one-size-fits-all general training module that everyone clicks through aimlessly because it is on the checklist of items their organization thinks it needs to do.

The definition of awareness seems to be a much better fit if an organization is serious about creating an ethical business culture. To be aware is to be watchful and wary, and to have or show realization, perception or knowledge. Awareness is not taught once a year; awareness (especially situational awareness) is an ongoing process that must be specific to the organization’s culture and supported by top executives.

Every individual is part of the ethical business culture, so organizations must also make sure they have a platform to manage, update, communicate, document and measure situational awareness at the individual level, because, as most everyone knows, if you can’t measure it, it doesn’t exist.




How are Organizations Managing Policies Ongoing?

Posted In Business Continuity, Financial, Human Resources, Regulatory Compliance, Research, Validations on May 3rd, 2011

OCEG recently announced poll results from a One Minute Poll about Policy Management.  In their poll, 429 members replied to the following question: 

How do you primarily manage lifecycle of internal policies, procedures and guidelines?

  • 32% use an internally developed database or intranet system
  • 24% have no formal structure
  • 18% use file folders or centralized network drive
  • 14% use document or policy management software
  •  8% track changes in Word
  •  4% use other methods

 

Lessons learned: Bad guys already know what the results from this poll clearly reveal: people are an organization’s weakest link. As long as 86% or more of organizations continue to use status quo methods that provide little or no accountability and little or no auditability to ensure situational awareness at the individual level, organizations will be vulnerable to attacks, mistakes, lawsuits, fines and disconnects that have a negative (potentially significant) effect on their bottom line.




The Payback of Compliance: Organizations Save When They Focus on Security

Posted In Financial, Information Security, Regulatory Compliance, Research, Validations on May 3rd, 2011

A review of security practices and investments at 46 global organizations finds that compliance with industry security standards actually saves money over the long term. A recent Ponemon study revealed that companies that consistently comply with security requirements and standards save three times more in security-related expenses annually than non-compliant companies.

Lessons Learned: Compliance does not equal security, but security can benefit from compliance.  Organizations investing in comprehensive compliance programs are better prepared to prevent expensive breaches, lawsuits, fines, etc. and save money and resources over time.




AML Fine Sends a Message to Banks

Posted In Financial, Information Privacy, Legal, Regulatory Compliance, Validations on May 3rd, 2011

Miami-based Pacific National was assessed a $7 million penalty for violations of the Bank Secrecy Act and the USA PATRIOT Act.

Lessons Learned: Fines for gaps in AML practices are becoming more severe. Financial organizations must ensure they have the appropriate policies and procedures in place and ensure their people are aware of, and accountable for, their decisions in meeting ongoing compliance requirements. Organizations also need legal-ready and audit-ready documentation to avoid expensive fines, lawsuits, and embarrassing headlines.




Va. Tech Gets Max $55K Fine for Late Warning

Posted In Campus Safety, Education, Legal, Regulatory Compliance, School Safety, Validations on April 19th, 2011

Virginia Tech was fined the maximum amount allowed under the Clery Act, $55,000, for waiting almost two hours before warning students, faculty and staff of an active shooter on campus.

Lessons Learned: Colleges and universities must develop, implement and follow clearly defined policies and procedures for notifying students and staff in emergency situations. School administrators may want to create customizable, organization- and situation-specific templates prior to an incident so the warning messages are already defined and the appropriate processes are understood by all appropriate personnel. Organizations must also have customized emergency and crisis management plans and ensure all individuals (students, faculty, staff, administration, law enforcement, etc.) understand their roles and responsibilities before, during and after an incident occurs. Lastly, lessons learned clearly teach schools that proactive and prepared prevention efforts are much less expensive than the incidents, fines, lawsuits and reputational damage.




Fighting Bullying with Lawsuits

Posted In Campus Safety, Education, Incident Reporting, Regulatory Compliance, Research, School Safety, Validations on April 19th, 2011

Lawsuits targeting school districts for allowing students to be bullied by other students are escalating. 

Lessons Learned: With new guidelines outlined in an OCR “Dear Colleague” Letter and an increase in bullying, harassment, discrimination and school violence, schools need to be aware of the potential risk of lawsuits.  School leaders must ensure all individuals (staff, faculty, parents, students, counselors, etc.) understand their roles and responsibilities for preventing and responding to bullying and how to report incidents of bullying.  Schools must implement comprehensive and ongoing protocols for responding to ALL incidents of bullying and cyber bullying with legal-ready documentation to avoid “deliberate indifference” claims and lawsuits.




Health Net Breach Exposes 1.9 Million Records

Posted In Health Care, Information Privacy, Regulatory Compliance, Validations on April 19th, 2011

Health Net exposed as many as 1.9 million customer records in a breach after its IT vendor misplaced nine server drives. This is Health Net’s second breach in two years; in the earlier incident, a portable hard drive containing medical and financial information on 1.5 million customers disappeared from a facility in Connecticut.

Lessons Learned: Technology is not the problem. People are the weak link and the solution. Devices are often lost and misplaced because people are not aware of, or not accountable for, the policies and procedures that have been put in place by the organization responsible for protecting customer information. Organizations must ensure all appropriate personnel, including business associates, third-party vendors and contractors, are aware of and have acknowledged their accountability for the policies, procedures and requirements for protecting sensitive patient data.




State Attorneys General Trained to File Federal Civil Lawsuits

Posted In Health Care, Regulatory Compliance, Validations on April 19th, 2011

OCR is offering HIPAA Enforcement Training to help State Attorneys General enforce the HIPAA Privacy and Security Rules and file federal civil lawsuits for HIPAA violations.

Lessons Learned:  HHS and OCR are serious about Privacy and Security in Health Care.   Policies and procedures play a critical role in an organization’s culture of privacy and security and need to be updated as requirements, risks, regulations, etc. change.  Health care organizations will need to conduct internal audits and assessments rather than waiting for the OCR or AGs to arrive.  All employees and business associates must understand how to safely handle patient information and maintain a culture of privacy and security.




HIPAA is Most Troublesome Compliance Regulation

Posted In Health Care, Regulatory Compliance, Research, Validations on April 19th, 2011

A recent survey revealed that HIPAA is the most challenging regulation for businesses today.

Lessons Learned: Regulatory requirements are updated regularly…Hackers, risks, threats, etc. are constantly changing. Staying up-to-date and within compliance is challenging, but critical.  Organizations must ensure all employees (and third-parties) understand their responsibilities to protect sensitive information.




First HIPAA Civil Fine $4.3M

Posted In Health Care, Information Privacy, Regulatory Compliance, Validations on April 18th, 2011

Cignet Health is facing a $4.3 million civil penalty after violating the HIPAA Privacy Rule and failing to cooperate with HHS’s subsequent probe. This is the first civil money penalty for a violation of HIPAA.

Lessons Learned: The Feds mean business and there will be more fines and lawsuits and more embarrassing headlines for health care organizations that do not take compliance, risk assessments and incident management seriously.  Is your organization meeting all HIPAA/HITECH compliance requirements?  Do you have the necessary documentation in place to provide HHS with information in the event of an audit? Does your documentation help your organization demonstrate all appropriate employees and business associates were aware and accountable for making the right decisions in different situations?


