After a short detour to the Business Roundtable’s Statement on the Purpose of a Corporation, we return to the recent set of articles in the Harvard Business Review (HBR) White Collar crime special section. Today, I want to look at an article by Eugene Soltes, entitled, “Where Is Your Company Most Prone to Lapses in Integrity?” Soltes begins with the belief that “Every sizable organization has integrity gaps—areas where what’s considered appropriate behavior diverges from the norms set by its leaders. Within these pockets, things like offensive language, overly aggressive sales practices, or conflicts of interest may be overlooked or even implicitly condoned. Such lapses not only endanger the reputation of the company but also pose regulatory and liability risks.” Unfortunately for most companies, they do not discover those gaps until there is a full-blown crisis causing a huge reputational hit, potential financial loss and even government sanction.

Fortunately, one of the components of any best practices compliance program is to detectas well as prevent andremediate. Soltes provides a framework to help the compliance professional think through a data-based mechanism to help an organization “get ahead of such risks”. He found that integrity gaps arise for multiple reasons. While it might seem universal that people should not lie, cheat, steal or pay bribes; Soltes research belies this basic maxim. Moreover, because corporations are made up of people, he believes there are two starting points.

The Problem

First is that there is some misconduct occurring at every company. Soltes found one report which led him to opine there was “a violation which could lead to a regulatory sanction (such as a bribe or financial fraud) one every three days”, [emphasis mine] in the company’s he reviewed. He went on to state, “these companies also have some of the most robust and effective controls that I have seen.” Not only is this extremely disheartening, but clearly alarming as it illustrates “that even companies that invest heavily in compliance will have some malfeasance within their ranks.”

Secondly, there is even more internal misconduct going on in organizations that is not being reported. Soltes believes that which is being reported is only “the tip of the iceberg—and that should make leaders nervous.” He goes on to opine that ignorance is not bliss, nor is it a sustainable manner in which to conduct business. He concludes by stating, “Allowing integrity gaps to grow is especially unwise in an era when employees are increasingly likely to bring allegations straight to the media or regulators if they feel ignored by their leadership.”

Gathering the Data

Here Soltes focuses on three basic questions which he considers can provide enough data for a compliance professional to provide a targeted focus. He believes that that answers to these three questions can be obtained by using a short (and simple) “pulse” survey. He does caution, and this may be the most important component, that “data collection should be conducted anonymously—that is, without capturing individuals’ names or identities—to encourage complete candor.”

The first question  to ask is something along the lines of “have you observed any of the following” and then provide a list of misconduct based upon the business model and risk of the organization. These areas can include sexual harassment, conflicts of interest, bribes or improper gifts, accounting irregularities, antitrust violations or theft, just to name a few. The key is not to focus simply on legal violations but more broadly integrity issues. Here Soltes provided a couple of examples, “a senior manager might regularly say things that wouldn’t legally constitute sexual harassment but that nonetheless make employees deeply uncomfortable. Or an employee might believe he witnessed a payment that would violate the U.S. Foreign Corrupt Practices Act when it was technically a facilitation payment permitted under the law.” Soltes notes such “issues are still worth identifying because anything employees perceive to be a violation can affect workplace morale. Moreover, they often can be leading indicators of more-serious misconduct that will develop into legal or regulatory exposure.”

The next question poses if you observed such conduct, did you report it? Many senior executives take the position that it is the responsibility of every employee to report misconduct and usually such obligation is enshrined in a Code of Conduct. Most interestingly, Soltes cited to a Gartner study which found significantly different reporting rates for different types of conduct, such as 46% reporting rate for theft of company property down to a 27% reporting rate for improper gift-giving.

The third and final question is if you did observe misconduct and did not report it, why not? Here the problem could be an institutional issue such as fear of retaliation, which is the highest reported concern. However, structural issues still occur where the reporting process itself is considered to be too cumbersome.

Learning from the Data

Soltes believes the survey provides three key pieces of information for the compliance professional to use going forward. The first is where to focus your efforts going forward. Obviously if you identify the gaps you can then bring a targeted solution to bear on the problem. He states, “By analyzing data on violations in these areas, companies can unearth the causes of misconduct and devise a strategy to address them—perhaps by redesigning incentives, creating new controls, or conducting training.”

The second area is around the reporting system. Whether the problem is institutional or even cultural, where employees fear reporting retaliation or if the issue is structural, that it is simply too difficult to report or once the report is made, it goes into a black hole and no further information is given to an employee; such information can be used to improve the system. Here he pointed to the example of Kimberly-Clark Corporation which asked employees who had reported integrity issues whether they felt the reporting process was fair. Based upon the feedback the company received, it refined out its communications to internal reporters and enhanced training on the reporting process.

The third area is in the true size of the problem your organization faces. These reporting statistics are a harbinger of what is below the surface, i.e. under the “tip of the iceberg”. Soltes believes the information generated “can help companies better estimate the actual amount of misconduct within the organization—and the amount that’s not being reported. Ultimately, this kind of modeling will help senior leaders get a clearer picture of the integrity issues and violations that otherwise would probably never come to their attention.”

Soltes’ article was very interesting and something every Chief Compliance Officer (CCO) and compliance practitioner should consider for your company. Rather than simply guessing at the status of many of these issues, collecting this information by monitoring allows you to assess whether your company is actually adhering to its espoused ethical standards. Soltes concludes by stating, “Sustaining a company’s cultural integrity requires constant vigilance—and measuring progress is the best way to manage it effectively. Data that allows leaders to proactively identify emerging gaps is a critical tool for staying one step ahead of problems that might land their companies in the next day’s headlines.”

Many compliance practitioners struggle with how to use data analytics to improve their compliance program. The three simple and straight-forward questions posed by Soltes is a direct and effective manner to assess the actual state of ethics, integrity and compliance in your organization. If you have not done so, I would suggest that you go down and meet your corporate communication team or your Human Resources (HR) folks who routinely engage in employee surveys such as the one discussed in this blog post. If not, there are multiple vendors in the compliance space who can assist you in this endeavor.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2019