I have worked with CFOs who leave the issue of ethical conduct to the HR and legal functions. But others have taken a different view -- they take a significant interest in ensuring that management and employees always behave in an appropriate fashion, consistent both with laws and regulations and the expectations and standards of the organization. They realize that not only can inappropriate behavior lead to compliance failures, fraud, and theft, but the consequences can adversely affect employee morale and the firm's reputation. The bottom line is that ethical failures can affect operational and financial performance and share price.
These CFOs engage with HR, legal, and other functions to ensure the company is communicating its standards and expectations, training employees, and providing an effective mechanism for employees and others to report suspected wrongdoing, investigate potential violations, and monitor the ethics program.
The Ethics Resource Center recently released a business ethics report, based on a survey of 4,800 employees. I was surprised by some of the statistics and suspect most CFOs will be too:
-45% of employees have witnessed misconduct at work. While this figure is down from 49% in 2009 and 55% in 2007, it is still remarkably high.
-Nearly two-thirds have reported misconduct, the highest level on record. Unfortunately, 22% of those who reported misconduct suffered retaliation as a direct result.
-The number of companies with "weak ethics cultures" rose from 35% in 2009 to 42% last year. However, 42% said "their company has increased efforts to raise awareness about ethics."
-More people (now 13%) are feeling pressure to bend the rules, or even break the law.
-Just over one-third of employees said their managers do not display ethical behavior (up from 24% in 2009). That can have a cascading effect through the organization, resulting in a company of employees who are more likely to violate the code of ethics.
The report recommends that executives:
-Invest in ethics and compliance programs, and view ethics as a business priority.
-Make ethical leadership part of all managers' evaluations. And communicate their personal commitment to ethical conduct.
-Focus on their own behavior, because their actions and responses to reports of misconduct are at the heart of the matter.
I suggest CFOs go further and ask these questions: Is it time to revisit the HR-preferred "talk to your supervisor" approach to potential problems, and replace it by encouraging employees to report independently of their supervisors? Shouldn't an ethics program be risk-based, looking at the areas of greatest potential harm, ensuring policies and controls are sound, putting metrics in place, and then monitoring at regular intervals?
I also recommend bringing in internal audit to assess all or part of the program and assure the CFO and the rest of the executive team that the program is meeting expectations.
CFOs cannot, in my opinion, leave the issue of ethics to human resources, legal, compliance, or audit. CFOs can add great value by taking the lead. They should ask the questions that cut to the heart of the ethics program, being alert to any signs of inappropriate behavior, and setting an example for all to follow.
Norman Marks CPA is a vice president with SAP and a long-term internal audit and risk-management practitioner.
A couple of weeks ago, my dishwasher started leaking. I needed a new machine.
At Sears, dozens of dishwashers and one salesperson awaited me. The dishwashers were not bolted into their displays. When I opened a machine's door, it tipped forward, shelves sliding and rattling. The salesperson, who did seem bolted to the floor, shrugged. Not his problem. (Sears's problems, of course, have been well documented.)
Meanwhile, the salesperson was eyeing his iPad. He wanted to give me print-outs; he wanted my e-mail address. What he didn't seem to want was to sell me a dishwasher, and he didn't.
Our devices fascinate us. Last week, Apple's Q2 results testified to the mind-boggling popularity of its products. Since January, it's sold 35 million iPhones and almost 12 million iPads worldwide, representing the phalanx of the inescapable bring-your-own-device trend (BYOD). Even new RIM CEO Thorsten Heins admitted recently that BlackBerry -- long the preferred device of the traditional, centralized IT enterprise -- needed "a very, very strong play in the bring-your-own-device" segment.
Heins has to address the consumer because the consumer is also an employee and is increasingly defining the way work will (or, in the case of the Sears salesperson, won't) be done.
BYOD can help CFOs raise worker productivity while reducing capex for device procurement and support. But it also raises the risk of reducing worker productivity if their devices distract them. And, of course, these gadgets, if not properly governed, can compromise the security of business data.
All Internet-connected devices are vulnerable, but a recent Symantec "Internet Security Threat Report" notes that employee-owned devices, used for non-work activity, are exposed "to more malware than a device strictly used for business purposes only." According to the report, 28% of that malware collects data from phones, and Symantec expects that percentage to increase, as it expects mobile malware to proliferate.
Resisting the BYOD trend is quixotic; ignoring it is plumb dumb. According to Steve Durbin, Global Vice President of the not-for-profit Information Security Forum, CFOs need to look at the iPads they're handing out and allowing to access their networks from the point of view of their business impact. "Don't focus on the gizmo," says Durbin. "We know they're sexy, cool. Focus on the data. If you protect the data, then it won't matter how it's being accessed."
Durbin believes that BYOD can be a spur to encourage enterprises to "focus on what's important, what could cause financial loss," and define "what's not so critical."
Smart phones and tablets increasingly are targets for cyber attacks precisely because their security is not being well managed. That state of affairs, says Durbin, can't continue. "Security is moving out of the realm of some geeky guy fixing the firewall to a real business issue integrated into the C-level risk portfolio," Durbin says. Finance executives, says Durbin, know how to do that, but until now have not viewed security in that way. Once they do, "it's about good corporate management. Correct implementations. Having good disaster recovery policies in place. Knowing what to do when things go wrong. Having a cyber response team that knows what to do when there's a breach."
"This problem," Durbin concludes, "is not going away."
Certainly not as long as there are jerks with iPads.
Asketh Juliet of Romeo, "What's in a name?" Well, a lot. Those two committed suicide, you know, after the question was posed and answered and all hell broke loose.
An image of the tragic lovers invaded my brain today after I got a pitch from a digital-media firm that provides resources for businesswomen looking to advance their careers. Mostly it offers tips: How to ask for a raise. How to "communicate up." How to invest in your career. Success secrets for women CEOs. Stuff like that.
This firm calls itself... Little Pink Book.
That's so easy to make fun of, I don't think I'll bother.
A press release accompanying the pitch suggested that the firm has a self-conscious "I am woman!" identity that extends beyond its name. The first line spoke of "ambitious, intelligent women" who are actual or aspiring entrepreneurs. Would anyone ever characterize men in such pandering fashion? The phrase seemed to contain a subtle but unmistakable (to me) and somewhat defensive message that women too (!) can be ambitious and intelligent. I'm afraid I viewed that as demeaning to the very population that Little Pink Book means to support.
The release says "hundreds" of women will convene in Atlanta next month for Little Pink Book's third annual "Spring into Ownership" event, and that among its many sponsors are noteworthy names like FedEx and Southwest Airlines. That's great. But I ask you, might the made-for-women event be even more successful if the organizer were marketing a less-sexist brand name? Reasonable minds may disagree, but I believe it might.
The point, dear readers, is not about sexism but rather that what you call yourself matters. It matters to potential customers, business partners, your bottom line, and even your conscious or unconscious understanding of what you're trying to accomplish.
Quick story: A number of years ago, there was an organization called the American Society of Association Executives -- to me a great name in that it clearly expressed what the group was all about. It then merged with another entity called the Center for Association Leadership, whereupon the combined organization took for its name -- its official name! -- "ASAE and the Center." All of a sudden the association community and the convention industry were abuzz, not over how the merger could improve services for association executives, but rather how confusing the new moniker was. A marginally better solution was later settled on, with the name changing to simply "ASAE" and "The Center for Association Leadership" used as a tagline. An outsider may still reasonably wonder, "What's an ASAE?"
Companies, too, might want to consider calling themselves something that suggests what they do. If it doesn't insult anybody, so much the better.
Nearly half of corporate directors started using tablets or smartphones over the past year for reading their materials, according to PricewaterhouseCoopers' most recent survey of board members. And an additional 38% wish that their board would use them. At the same time, directors have been complaining that the information they receive is insufficient for them to provide effective oversight of both risk management and strategy-setting.
Some companies have chosen to send the directors the same information they have always received, but on a tablet. (I don't believe it is practical to expect directors to read board materials on a phone.) The directors will be grateful that they won't have to carry a heavy board briefing book, and the technology exists -- and has for some years -- to ensure that the information is secure and only delivered to the directors' devices.
But is that practice sufficient? Will it meet the directors' needs for information so that they can not only provide oversight but share their wisdom when it comes to setting objectives and strategies, managing risk, and optimizing performance?
Executives can now obtain real-time information on their mobile devices, especially tablets, with "drill-down" capabilities to explore the reasons for trends and unexpected variances. CFOs may want to provide directors with similar, real-time financial, operational performance, and risk information that lets directors explore the details behind the data to satisfy their information appetites.
Balance is required. If I were CFO, I would first recognize that if they don't already have tablets, all my directors will have the devices very soon and will expect to receive board documents on them. They will want the ability to search and drill down, and I would want them to do so - within reason. As it is, board meetings are usually strapped for time, and you'll want directors to focus on the data that matters most, away from the minutiae of a few data points. So I would go further than simply sending board materials electronically and think about how to change the formatting of this information.
To begin, consider meeting with the board members and have a frank discussion about what they want, what the management team can provide and when, and agree on a plan for action. Have periodic follow-up meetings to discuss what is working and what is not, as well as options for further improving board effectiveness.
Norman Marks CPA is a vice president with SAP and a long-term internal audit and risk-management practitioner. He has been honored for his thought leadership by the Institute of Risk Management (honorary fellow) and the Open Compliance and Ethics Group (fellow). He regularly blogs and provides updates on Twitter, @normanmarks.
Today, as the week draws to a close, the world seems a little riskier than it did Monday.
Yesterday, President Obama signed the new JOBS Act which, among other things, will give new-ish companies with less than $1 billion in annual revenues a pass on a variety of SEC regulations, specifically a temporary waiver on outside audits of their internal financial controls. The thinking is that such Sarbanes-Oxley-derived auditing requirements are onerous and can inhibit emerging growth companies from, well, emerging and growing. While that may be true, the passage of the law, coming hard on the heels of the much-publicized revelation of Groupon's "weakness in its internal controls," has to give one pause, especially if one is an investor, auditor, or accountant.
Not that most finance practitioners like regulation. Indeed, as Brian Tankersley, a CPA and associate with K2 Enterprises, a provider of continuing accounting education, warns, if the profession doesn't get serious about monitoring itself, and about information security, far from giving anyone a pass on regulation, the government will add to its list of "Thou Shalts" -- HIPAA, SOX, Dodd-Frank -- and, says Tankersley, "that will cost money. If we as a profession don't wake up, we're going to get one-size fits all regulation."
Meanwhile, the BYOD trend continues to accelerate. A recent Forrester Research Forrsights Workforce Employee Survey of almost 10,000 information workers in 17 countries found that 74% of them use two or more devices for work; 52% used three or more, and 60% of those devices are used for both work and personal purposes. (And it's not like these workers are lugging PCs; we're talking phones and tablets.) Now CFOs may love outsourcing device support to their employees at minimal cost, but there's still a price to be paid. That price is that BYOD equals mobile, and mobile means those employees are accessing data remotely, communicating with co-workers via e-mail and text, and syncing their devices in the cloud. Therefore, critical company and customer data is stored and being passed around outside your corporate firewall, outside your control. As Tankersley says, accountants "send e-mails, unencrypted, un-password protected, all the time. And e-mail is as secure as a postcard." (Tankersley uses iTwin in his practice -- a paired set of USB keys that create a secure connection between two machines, essentially creating an instant virtual private network, or what Tankersley calls "stupid easy VPN.")
Speaking of stupid, last night Google co-founder Sergey Brin went out to a charity event wearing Google's new "smart" glasses that display maps, photos, Tweets, you name it, right on the inside of the lens. You can see what that experience might be like here. As if people aren't already distracted enough.
Well, apparently, they're not. Intel and Nissan just brought a new concept Infiniti to this week's New York Auto Show that will let drivers receive real-time traffic information, watch movies, and order ham sandwiches from the nearest deli recommended by Yelp, all at the same time! And, no doubt, the car will automatically contact the driver's insurance agent when he or she rear-ends you.
We live in amazing times. Look around. Everything is bright, shiny, and new. I think that's good reason to be especially careful with how we use all this new stuff, and how we do business.