Is your supply chain ethical as well as efficient?

The Sarbanes Oxley Act became law in July 2002 and introduced major new requirements for companies listed on a US Stock Exchange.

The changes introduced are numerous and range from the composition and remuneration of the board to the need attest to the adequacy of internal controls - section 404 requires companies to: "state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting."

Not surprisingly, the majority of attention has been focused on the accounting accuracy and transparency of company results, but attention is being placed increasingly on the company's total corporate governance.

There are many different definitions of corporate governance. In essence, however, corporate governance is about management mitigating risks to shareholder value. It should therefore include: managing operational risk and reducing accounting surprises; compliance with laws and regulations; promoting and assuring ethical business conduct in order to protect the "brand value" of the business.

In other words, corporate governance means managing risks that could damage shareholder and stakeholder value. Standard and Poors, which undertakes corporate governance evaluations, states in its Criteria, Methodology And Definitions : "Increasingly, the debate on corporate governance extends beyond a company's own shareholders to include other stakeholders such as creditors, employees, customers, the environment and the local community."

The United States Sentencing Commission issued proposed changes last December to the Federal Sentencing Guidelines. The effect of these proposals is to "emphasise the importance of expanding the compliance standard to better address a corporation's ethical culture; establish the governance and oversight responsibilities of the board and senior management; frame the need for appropriate resources and authority; and recommend that companies conduct ongoing risk assessments to form the basis for continuous improvement of their compliance programmes."

The proposed amendments also address the responsibility of the company beyond the actions of its own employees. They expand the scope of the objective of a compliance programme by defining the term "violation of law" more broadly than in the current guidelines, which refer only to violations of criminal law and prevention of criminal conduct. They also expand the objective of a compliance programme more broadly to include prevention and detection of "violations of any law, whether criminal or noncriminal (including a regulation), for which the organization is, or would be, liable".

The proposed changes retain the requirement that an organization exercise due diligence to prevent and detect violations of law, and add the requirement that an organization shall also "otherwise promote an organizational culture that encourages a commitment to compliance with the law". This is intended to reflect the emphasis on ethics and values incorporated into recent legislative and regulatory reforms, as well as the proposition that compliance with all laws is the expected behaviour within organisations.

In its white paper2 aboveIntegrity-Driven Performance, PwC stresses the importance of ethics: "Culture. Integrity. Ethics. Many have the impression that these soft elements are nice concepts but are not hard-hitting topics having any real bearing on risk, performance and value. The reality is that they are the foundation for both sustainable value and an integrated approach to Governance, Risk and Compliance."

These values are of course not new but as companies have striven to survive the recent economic downturns their attention has been more focused on "harder" measures such as revenue growth and profitability. However, the accounting scandals have acted as a wake-up call. It is the potential impact of failures on the total value of the business that is highlighting the need to re-think the importance of ethical business practices and processes.

While the immediate financial impact of a failure to comply with Race/Diversity regulations may be small in terms of the fines imposed, the total impact on the business can be much greater. Private customers may decide to buy elsewhere, business customers worried about their own supply chain may take their business elsewhere, employees may move to more ethical companies and investors will look for more secure places for their money.

Responsibility for the culture and ethics has long been seen as the province of the HR department and the good news is the HR software has evolved significantly in the last few years. Although most companies have computerised their HR systems, Payroll was often one of the first systems companies computerised and until recently these systems have not been fully integrated with the other enterprise resource planning components. The quest for greater efficiency and increase in control has highlighted the need for HR systems to be fully integrated.

A knowledge of who the employees are, their grades/positions and the hierarchy into which they fit is essential to developing and deploying systems such as:

• Employee self-service applications, e.g. Expenses, Procurement.

• Employee Portals, e.g. Business Intelligence appropriate to role/grade/function.

• Workflow, i.e. the system that automatically routes the approvals according to hierarchy or limits procurement choices based on grade/role.

Of course there is the need to define and monitor skills against grade/role, ensuring that employees have received the appropriate training both as required to perform their duties and, of course, in the organisation's ethical and business practices.

In the context of enterprise risk management, one of the largest risks many companies face, especially those who have "outsourced" their manufacturing or service, is how similar assurances can be obtained from suppliers and other parts of the supply chain. As Nike and others have proved, your brand is just as much at risk by the actions, or inactions, of your agents and supply chain partners.

Of course the degree and seriousness of the risk will vary greatly depending on the nature of the goods or services being provided. In general, the more complex the goods or services being outsourced together with the amount of direction the supplier is taking from you, the greater the degree of risk. Call centres, manufacturing and selling of financial products are examples of potential high risk.

However, for major relationships you should be able to answer some very basic questions:

• Do they understand and share your ethical and business practices?

• Have they appropriate systems in place to monitor staff knowledge and capability?

• When did you last update them on changes to your internal guidance and policies?

• Are their compensation policies compatible with your ethical practices?

This is not easy, but appropriate computer systems can significantly ease the problem.

How? First, look at the systems that you would or could use to achieve this for your own employees.

Can you answer Yes to these questions:
• Have you fully documented your business processes?

• Have you defined and documented your business and ethical practices?

• Do you have a process for monitoring staff skills and capabilities and linking these to the grades and roles?

• Are you able to view the current skills and training of all your staff and identify those that require updates?

• Are you using blend learning to best match training requirements with appropriate training methods?

If you can say Yes to these in respect of your own staff then you are in a good position to extend this to your supply chain.

Characteristics of the systems:
• Web-deployed documentation that clearly links processes, policies and actions with people and their responsibilities.

• HR system that allows you to record and monitor skills and competencies.

• A blended learning approach that includes web-delivered training and links the results back to the HR system.

Some companies are already extending learning beyond their own employees. For example Amadeus, the major travel company, has created Amadeus Learning City (ALC) using Oracle iLearning. ALC is an interactive online learning web site that provides customers and employees with a new way of learning, enabling them to increase their skills and knowledge on a variety of Amadeus products.

The world is changing. Accounting scandals have led to the realisation that companies must assess and manage their total risk. PwC states in its white paper 2:

Organisations face an abundance of issues that have technology implications, including:

• Information accuracy issues and a significant rise in overall GRC costs, due to additional manual processes to meet new GRC burdens and a lack of linkage across disparate IT systems

• Lack of a simple, efficient method to capture data critical to managing GRC programmes

• Failure to achieve real-time compliance, resulting from the organisation's inability to gather disparate information on a timely and accurate basis

• Inability to view GRC status on an enterprise-wide basis

It is clear that those companies that embrace appropriate technology will manage their risks more efficiently.

They need to be evaluating not only how they can ensure that their own employees have the appropriate skills, training and knowledge of the ethical and business practices and the legal and regulatory requirements to which they must adhere, but also how to extend this beyond the company to the supply chain.

No longer can an organisation believe its ethical processes stop at the factory gate. Today, the ethical supply chain extends the whole length of the physical supply chain.