Compliance and Ethics Group Formed
by Sandford Liebesman
Recently I learned about a new organization, the Open Compliance and Ethics Group (OCEG). I immediately found its website (www.oceg.org) and was impressed.
When I contacted Scott Mitchell, president and CEO of the organization, he invited me to join the steering committee responsible for editing and finalizing the guidelines under development. I would be the first quality professional on the committee. Later, Paul Palmes and John Walz joined me.
OCEG is a not-for-profit coalition that seeks to provide a framework of guidelines and related tools for integrating governance, compliance, risk management and integrity into the tangible practice of everyday business. OCEG is driving adoption of the framework through its multi-industry, multidisciplinary coalition. Its mission also includes the provision of a community of practice for exchange of information, tools and feedback for the continual improvement of the framework.
The executive advisory board includes executives from universities, stock exchanges, major corporations, nongovernment organizations such as the Conference Board, major business consulting firms and professional societies. Jack Kemp, former U.S. congressman, member of the president’s cabinet and vice-presidential candidate, is a member of the board.
The OCEG framework aims at improving organizational values and business operations by providing guidelines that enhance integrity and ethical culture; incorporate effective governance, compliance, risk management and integrity into all business practices; and measure effectiveness and performance against an external benchmark.
The framework addresses an improvement cycle consisting of planning, implementing, managing, evaluating and improving the organization’s integrated compliance and ethics program. The guidelines are defined in the framework document.
The OCEG framework identifies legal and regulatory risks in laws, rules and regulations and describes actions organizations should take to reduce risk. The framework consists of two components:
- The foundation includes all the key elements common to compliance and ethics programs.
- Domains provide guidelines specific to compliance topics within industries, functions, geographic locations or organizations of particular sizes and structures.
The framework has four sections, which together contain 24 high-level topics an effective compliance and ethics program should address. Excellent quality management support for the framework is provided by the eight quality management principles and requirements of ISO 9001 and the guidance for excellence in ISO 9004. The four sections are:
1. Culture addresses the need to identify an organization’s internal environment that results in an effective compliance and ethics program. The four topics in the guidance for an effective culture cover ethics, governance, risk and human capital.
From the standpoint of quality management principles, the leadership principle is closely related to these topics. Also, clause 5 of ISO 9001 and ISO 9004:2000[1] provide guidance for this section of the framework.
2. Plan includes four topics: scope/objectives, event identification, risk assessment and strategy. Strategy is related to the continual improvement quality management principle and subclause 8.5.1, continual improvement, in ISO 9001.
3. Respond covers the active functioning of the organization. The quality management principles are related to this section of the framework. An organization that implements ISO 9001 should have a head start on satisfying the intent of the respond section of the OCEG framework.
Respond covers 13 topics: organization, code of conduct, policies/procedures, training, reporting, human capital, communications/messaging, managing issues/anonymous reporting, investigations, crisis management, information management, technology/infrastructure and vendors.
4. Evaluate includes evaluating the plan, performing the evaluation and communicating the evaluation results. This section of the framework is also related to the continual improvement quality management principle and clause 8 of ISO 9001, specifically, subclause 8.5.1.
The Brown Book
The first draft version of the foundation guidelines, referred to as the OCEG Brown Book,[2] was released for public comment in May 2004. The steering committee has modified that version substantially, based on public and committee member input.
This January, OCEG released the application version of the foundation guidelines, including a narrative description of the four sections of the framework and the associated 24 topics, for beta testing. Each topic includes an explanation, detailed guidelines, business objectives and identification of critical success factors and considerations for application of the topic guidelines.
As an example, the ethical culture section starts by stating, “An entity should build a culture that encourages a commitment to the law and should seek to ensure employees are convinced the organization has that commitment.”[3]
A second paragraph describes in general terms why this should be accomplished. The topic page then lists detailed guidelines for how to build an ethical culture:
- Define principles.
- Communicate principles.
- Assess and enhance ethical climate.
- Foster ethical leadership.
Each guideline page contains a narrative description of the guideline, external requirements and citations related to the guideline, core practices and advanced practices.
As an example, the “define principles” guideline begins by advising an organization to define the entity’s current overall principles and those to which it aspires.
It continues, “Though an entity must define its own principles, they frequently fall within the concepts of respect, responsibility, honesty, fairness, compassion and integrity”; and as a “minimum they should include a commitment to integrity and legal compliance.”
Finally, the guideline says the principles should be articulated and supported by the board and senior management.
The second part of the guideline, “external requirements,” is blank because no required compliance standards or government regulations have been identified to cover this subsection.
An example of external requirements, “foster board structure/responsibilities” under the section on governance culture, says there are three practices required by the New York and NASDAQ stock exchanges and the federal sentencing guidelines:
- Establish a board with a majority of independent outside directors.
- Establish corporate governance guidelines that satisfy all applicable requirements, including annual performance evaluation of the board.
- Establish mechanisms by which the board exercises reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
Returning to “define principles,” three core practices are recommended:
- Develop a statement that clearly articulates what the entity principles mean and how they support the entity’s mission.
- Involve appropriate internal stakeholders from all levels in development of the statements of entity and program principles.
- Document and communicate the statements of the entity’s principles and the program principles, either separately or as part of the code of conduct.
Finally, “define principles” identifies three advanced practices:
- Document a methodology for defining entity principles.
- Consider the views of external stakeholders in the development of the statement of principles.
- Systematically review principles to consider appropriate revisions based on cultural, management, legal or business environment changes.
I was specifically asked to use my quality management expertise to expand the guidance in the foundation guidelines. I focused on the requirements of ISO 9001 and the guidance of ISO 9004.
There are 11 areas and subsections in which the requirements of ISO 9001 support the OCEG guidance. With the ISO 9001 subclause in parentheses, these are:
- Define program objectives (5.3).
- Define commitment to competence (6.2.1).
- Review entity/business objectives (5.6).
- Define strategic plan (4.1 and 5.4.2).
- Training (6.2.2).
- Implement and manage reporting (4.2.4).
- Technology/infrastructure (6.3 and 6.4).
- Define evaluation scope/objectives (8.2.2).
- Define evaluation team (8.2.2).
- Evaluation reporting/response (8.2.2).
- Modify program for improvement (8.5.1).
The improvement loop described in subclause 8.5.1 was of particular value in the development of the “modify program for improvement” section.
The following information was added: “An entity should continually improve the effectiveness of the compliance and ethics management system through the use of mission/vision, measurable objectives, audit results, analysis of data, corrective and preventive actions and management review.”
The end result will be a continually improving compliance and ethics program used in the organization.
The next step will be to develop domain supplements based on the foundation. Quality management systems will play a continuing role in the development of the OCEG guidelines. The most current information on the guidelines and other activities will be posted on the organization’s website.
1. For this article, all references to ISO 9001 imply use of the additional guidance of ISO 9004 to expand the framework.
2. OCEG Brown Book, www.oceg.org.
SANDFORD LIEBESMAN has more than 30 years’ experience in quality at Bell Laboratories, Lucent Technologies and Bellcore (Telcordia) and is currently a quality management system consultant with the Kohl Group and an auditor with KEMA Registered Quality. He is the author of TL 9000, Release 3.0: A Guide to Measuring Excellence in Telecommunications, second edition, and Using ISO 9000 To Improve Business Processes. Liebesman is a member of ISO Technical Committee 176 and the ANSI Z-1 Committee on Quality Assurance. He is certified by the ASQ Registrar Accreditation Board as an ISO 9000 lead auditor.