I recently came across a discussion between Markkula Center for Applied Ethics’ Executive Director Kirk Hanson and Craig Nordlund, former general counsel of Agilent Technologies. Nordlund believes the concern for ethics must be shared by everyone in the organization, but suggests ethics programs will be ineffective without leadership from the company’s top executives.
It is hard to argue with his comment that “ethics programs will not work unless there is leadership on ethics from the company’s top executives”.
However, lessons learned and incidents seem to clearly reveal that leadership from the company’s top executives is not enough.
So why is creating an ethics culture so difficult for organizations? Perhaps ethics training is not enough or not even part of the solution?
The definition of training is a process to teach or learn a skill or job…and like the title of the article (Creating an Ethical Business Culture), I would agree that ethics is more of a culture than a job or skill.
Training is typically a once-a-year task on a learning management system with a one-size-fits-all general training module that everyone clicks through aimlessly because it is on the checklist of items that their organization thinks they need to do.
The definition of awareness seems to be a much better fit if an organization is serious about creating an ethical business culture. Awareness means being watchful and wary, and having or showing realization, perception or knowledge. Awareness is not taught once a year; awareness (especially situational awareness) is an ongoing process that must be specific to the organization’s culture and supported by top executives.
Every individual is part of the ethical business culture, so organizations must also make sure they have a platform to manage, update, communicate, document and measure situational awareness at the individual level…because, as most everyone knows, if you can’t measure it, it doesn’t exist.
A review of security practices and investments at 46 global organizations finds that compliance with industry security standards actually saves money over the long term. A recent Ponemon study revealed that companies that consistently comply with security requirements and standards save three times more in security-related expenses annually than non-compliant companies.
Lessons Learned: Compliance does not equal security, but security can benefit from compliance. Organizations investing in comprehensive compliance programs are better prepared to prevent expensive breaches, lawsuits, fines, etc. and save money and resources over time.
Recent attacks continue to show that spear phishing is quickly emerging as one of society’s greatest threats. Technology alone is NOT going to solve this problem. It is critical for consumers to be more vigilant and aware of what they are clicking on, the sites they are visiting, the e-mails they are responding to, etc.
Lessons Learned: Financial institutions should make consumer education a higher priority. Awareness training, handouts, seminars, etc. can be a great way for organizations to connect with their customers, improve trust, enhance reputations and help prevent potential incidents, breaches, lawsuits, etc. down the road. Security awareness training and education can become a competitive advantage for those institutions willing to lead the way.
OCEG recently announced poll results from a One Minute Poll about Policy Management. In their poll, 429 members replied to the following question:
How do you primarily manage lifecycle of internal policies, procedures and guidelines?
Lessons Learned: Bad guys already know what the results from this poll clearly reveal…people are an organization’s weakest link. As long as 86% or more of organizations continue to use status quo methods that provide little or no accountability and little or no auditability to ensure situational awareness at the individual level, organizations will be vulnerable to attacks, mistakes, lawsuits, fines and disconnects that have a negative (potentially significant) effect on their bottom line.
Miami-based Pacific National was fined a $7 million penalty for violations of the Bank Secrecy and USA Patriot Acts.
Lessons Learned: Fines for gaps in AML practices are becoming more severe. Financial organizations must ensure they have the appropriate policies and procedures in place and ensure their people are aware and accountable for their decisions to meet ongoing compliance requirements. Organizations also need legal-ready and audit-ready documentation to avoid expensive fines, lawsuits, and embarrassing headlines.
The Department of Education and Office for Civil Rights sent out a “Dear Colleague” letter in October 2010 outlining schools’ responsibilities for being aware of, responding to and preventing future incidents of bullying, discrimination and harassment. In response to the National School Board Association’s letter questioning a school’s responsibilities, the Department of Education’s response clearly states that it did not overreach in its original guidance to school officials; it only reiterated existing laws and policies and gave examples of how school districts can help combat bullying and harassment.
Lessons Learned: Schools have been put on notice and must develop comprehensive programs to respond to incidents of bullying, and they must take actions to prevent future bullying incidents. Schools that fail to take appropriate actions risk losing educational funding and facing expensive lawsuits at a time when a funding cliff is looming large. Lessons learned also demonstrate that status quo approaches are not effective in preventing bullying, so it will be critical for school boards and school leaders to implement more effective prevention and intervention programs immediately and to document all incidents of bullying and harassment on an ongoing basis.
Virginia Tech was fined the maximum penalty allowed under the Clery Act, $55,000, for waiting almost two hours before warning students, faculty and staff of an active shooter on campus.
Lessons Learned: Colleges and universities must develop, implement and follow clearly defined policies and procedures for notifying students and staff in emergency situations. School administrators may want to create customizable, organization- and situation-specific templates prior to an incident so the warning messages are already defined and the appropriate processes are understood by all relevant personnel. Organizations must also have customized emergency and crisis management plans and ensure all individuals (students, faculty, staff, administration, law enforcement, etc.) understand their roles and responsibilities before, during and after an incident occurs. Lastly, lessons learned clearly teach schools that proactive and prepared prevention efforts are much less expensive than the incidents, fines, lawsuits and reputational damage they prevent.
The U.S. Department of Education released the Handbook for Campus Safety and Security Reporting, providing step-by-step procedures, examples and references for higher education institutions to follow in meeting campus safety and security requirements.
Lessons Learned: College and university administrators are overwhelmed with responsibilities for HEOA, FERPA, HIPAA, the Clery Act, OCR “Dear Colleague” letters and much more, so guidance from the federal government can be helpful. It is critical for school administrators to utilize these resources, develop comprehensive campus safety programs and create an ongoing culture of compliance and preparedness. The stream of new handbooks, new regulations and mounting obligations shows that traditional methodologies are clearly not working, and traditional tools are not capable of keeping up with all the changes, so school administrators must be open to new tools and new ideas to ensure better safety in schools.
A recent survey revealed that HIPAA is the most challenging regulation to businesses today.
Lessons Learned: Regulatory requirements are updated regularly, and hackers, risks, threats, etc. are constantly changing. Staying up to date and in compliance is challenging, but critical. Organizations must ensure all employees (and third parties) understand their responsibilities to protect sensitive information.
OCR is offering HIPAA Enforcement Training to help State Attorneys General enforce the HIPAA Privacy and Security Rules and file federal civil lawsuits for HIPAA violations.
Lessons Learned: HHS and OCR are serious about privacy and security in health care. Policies and procedures play a critical role in an organization’s culture of privacy and security and need to be updated as requirements, risks, regulations, etc. change. Health care organizations will need to conduct internal audits and assessments rather than waiting for OCR or the state AGs to arrive. All employees and business associates must understand how to safely handle patient information and maintain a culture of privacy and security.