Célia Mohimont

2022-2023

Business Ethics and Compliance

Management LLSMS2280 – Classes

Table des matières

INTRODUCTION ............................................................................................................................ 4

WHY IS IT AN IMPORTANT TOPIC IN MANAGEMENT SCHOOL?....................................................................... 4

WHY IS BUSINESS ETHICS BECOMING SO IMPORTANT FOR CORPORATIONS? .................................................... 4
CITIZENS EXPECTATIONS ..................................................................................................................... 4
INTEGRITY....................................................................................................................................... 4
ISSUES OF RIGHT OR WRONG ............................................................................................................... 5
THREE WESTERN ETHICAL THEORIES ...................................................................................................... 5
CASE STUDY: THE SHIPWRECK SITUATION ................................................................................................ 5
ETHICAL LEADERSHIP ......................................................................................................................... 6
TWO MODELS OF LEADERSHIP .............................................................................................................. 6
SOCIAL POWER MODEL....................................................................................................................... 6
PERSONAL VS CORPORATE ACCOUNTABILITY ............................................................................................ 7
CASE STUDY: TELLING THE TRUTH .......................................................................................................... 7
A LEADERSHIP ISSUE .......................................................................................................................... 7
DEFINITIONS.................................................................................................................................... 8
GLOBALISATION: ETHICS AND THE LAW................................................................................................... 8
EXAMPLE: IT IS LEGAL, IS IT ETHICAL? ............................................................................................................... 8
HOW DO YOU KNOW WHAT IS “THE RIGHT THING?” .................................................................................. 9
HOW DO RESPONSIBLE COMPANIES RESPOND TO IT? ................................................................................. 9
KEY COMPONENTS OF BUSINESS ETHICS MANAGEMENT ........................................................................... 10

MODULE 1: RISK MANAGEMENT ................................................................................................. 11

CREATING ENABLING ENVIRONMENTS .................................................................................................. 11

JUST CULTURE ............................................................................................................................................ 11
ETHICS AND COMPLIANCE PROGRAMS ............................................................................................................ 11
SUPPORTING ETHICAL ACTION THROUGH THE ORGANIZATIONAL CULTURE............................................................. 12
GSK FINED IN CHINA (2013) ........................................................................................................................ 12
GSK ......................................................................................................................................................... 12
RISK MANAGEMENT ........................................................................................................................ 13
INTRODUCTION........................................................................................................................................... 13
REPORTING LINE OF THE COMPLIANCE OFFICER ................................................................................................ 13
RESOURCING THE E&C FUNCTION ................................................................................................................. 14
INTERFACE WITH MANAGEMENT.................................................................................................................... 14
POTENTIAL ROLES OF THE COMPLIANCE FUNCTION ........................................................................................... 14
INTERNAL AUDIT ......................................................................................................................................... 15
EXTERNAL AUDIT......................................................................................................................................... 15
STEP BY STEP APPROACH INCIDENTS ............................................................................................................... 15
FRAMEWORK TO MANAGE RISKS .................................................................................................................... 15

1
Célia Mohimont
2022-2023

THE THREE LINES OF DEFENSE MODEL ............................................................................................................. 16

PURPOSE OF THE THREE LINES OF DEFENSE MODEL ........................................................................................... 17
ROLE OF THE BOARD AND SENIOR MANAGEMENT ............................................................................................ 17
UNDERLYING PRINCIPLES OF THE MODEL ......................................................................................................... 17
UNDERSTANDING THE COMPANY ................................................................................................................... 17
RISK APPETITE ? .......................................................................................................................................... 18
FIRST PASS ON POTENTIAL KEY COMPLIANCE RISKS ............................................................................................ 18
RISKS IDENTIFICATION .................................................................................................................................. 18
RISKS MEASURES......................................................................................................................................... 18
RISK EXPOSURE ........................................................................................................................................... 19
PREPARE YOUR RISK ASSESSMENT .................................................................................................................. 19
DESIGN YOUR RISK ASSESSMENT .................................................................................................................... 19
FACTORS TO TAKE INTO ACCOUNT .................................................................................................................. 19
FACTORS TO BE TAKEN INTO ACCOUNT............................................................................................................ 19
RISK MATRIX .............................................................................................................................................. 19
REMEMBER ................................................................................................................................................ 20
RISK SHEET................................................................................................................................................. 20
MAIN STRATEGIES FOR RISK MITIGATION ......................................................................................................... 21
UMICORE .................................................................................................................................................. 21
REFLECTING ............................................................................................................................................... 21
JOINT VENTURES ......................................................................................................................................... 21
WHAT ARE YOUR CONTROLS ?....................................................................................................................... 21
RISK REVIEW THROUGH A CASE .......................................................................................................... 22
INTRODUCING ASML .................................................................................................................................. 22

MODULE 2: CODE OF CONDUCT .................................................................................................. 26

PRINCIPLES ................................................................................................................................... 26
WHAT IS A CODE OF CONDUCT?......................................................................................................... 26
REVIEW THE CODE .......................................................................................................................... 26
SOME KEY PRINCIPLES ...................................................................................................................... 26
PREPARING A CODE OF CONDUCT ....................................................................................................... 27
DRAFTING YOUR CODE ..................................................................................................................... 27
EVERYONE GETS HIS CODE ................................................................................................................ 27
LAUNCH EVENT .............................................................................................................................. 27
CULTURE CHANGE ........................................................................................................................... 27
OTHER ASPECTS ............................................................................................................................. 28
WHAT ABOUT CONTRACTORS, AGENTS, SUPPLIERS, JOINT VENTURES,.. ........................................................ 28
JOINT VENTURES AND SUPPLIERS........................................................................................................ 28
WHAT WOULD YOU DO? .................................................................................................................. 28
INSURE YOU HAVE ROBUST PROCESS TO DEAL WITH QUESTIONS AND ISSUES .................................................. 28

MODULE 3: WHISTLEBLOWING ................................................................................................... 29

WHY AN INTERNAL SYSTEM? ............................................................................................................. 29

CREATING A SAFE ENVIRONMENT FOR STAFF .......................................................................................... 29
A CHOICE AMONG OTHERS ................................................................................................................ 29
IS IT GOOD TO KNOW? ..................................................................................................................... 29
ANONYMOUS REPORTS? .................................................................................................................. 29
ISSUE OF CONFIDENTIALITY ............................................................................................................... 30

2
Célia Mohimont
2022-2023

PROTECTING WHISTLEBLOWERS.......................................................................................................... 30
WHAT TO DO WITH WHISTLEBLOWERS CALLS ......................................................................................... 30
EFFECTIVE INVESTIGATIONS – THE ROI ................................................................................................ 30
GOALS OF AN INVESTIGATION ............................................................................................................ 30
UNDERSTANDING THE INVESTIGATOR’S ROLE ........................................................................................ 30
GATHER & EVALUATE INFORMATION ............................................................................................................. 30
STAGE 1: RECEIVING THE REPORT .................................................................................................................. 33
STAGE 2: PLANNING THE INVESTIGATION ........................................................................................................ 35
STAGE 3: CONDUCTING THE INTERVIEWS ........................................................................................................ 36
REPORTING AND DISCLOSURES ...................................................................................................................... 38
USING THE DATA FOR IMPROVING THE PROCESS ............................................................................................... 38
IS YOUR COMPANY HELPING ? ....................................................................................................................... 38
IMPLEMENT SYSTEM WHICH IS EASY TO USE ..................................................................................................... 39
INDIVIDUAL DIMENSION ............................................................................................................................... 39
ORGANIZATIONAL DIMENSION ...................................................................................................................... 39
LEGAL DIMENSION....................................................................................................................................... 39
OPEN YOUR WHISTLEBLOWING LINE TO EXTERNAL WORLD ? .............................................................................. 39
EXAMPLE ................................................................................................................................................... 40
SUPPLIERS ................................................................................................................................................. 40

3
Célia Mohimont
2022-2023

Introduction
Business Ethics is the study of business situations where issues of right and wrong are
addressed.
• Ethics: about values and beliefs that change throughout the world and evolve over
time.
• Compliance: based on norms and legislation.

Why is it an important topic in management school?

1. Power and influence of business in society
2. Potential to provide major contribution to society
3. Potential to inflict harm
4. Increasing demands from stakeholders
5. Lack of business ethics education or training
6. Continued occurrence of ethical infractions
7. Evaluating different ways of managing business ethics
8. Interesting and rewarding
(Crane & Matten 2009)

• In management schools? Business has more and more power and influence in society.
Potential to contribute but also inflict harm. There is increasing demand from
stakeholders to take into account ethics and a lack of education in the matter.
• For corporations? They have to meet the shareholders and customers expectations
which is not solely maximizing their value anymore. Business ethics has 2 goals:
maximizing shareholder value + creating additional value, which will increase the
company’s reputation.

Why is Business Ethics becoming so important for corporations?

Ex: GSK condamné à 380 millions d’euros d’amende pour corruptions en Chine; Wolswagen
Corporations
Is the sole responsibility of corporations to shareholders to minimise the tax they pay? Or is
part of their “licence to operate” paying tax on their activities within the territories in which
they operate?

Financial crime drives environmental degradation

Corruption and weak governance are key enablers of environmental crime, which in turn
exacerbates small-scale offences into devastating environmental degradation, existentially
threatening both animal and human populations.

Citizens expectations
Citizen will cleam for certain issue. That’s means that customers have impact on corporation
and on public (law/politics).

Integrity

4
Célia Mohimont
2022-2023

• The concept of integrity has been derived from the Latin “integritas” (wholeness). It is
defined as consistency between beliefs, decisions and actions, and continued
adherence to values and principles.
• Integrity is often used in conjunction with ethics, suggesting that the values and
principles that are adhered to should be ethical values. Some of the values that are
often mentioned in this regard are honesty, openness, accountability and
trustworthiness.
• Organisational integrity refers to the ability of individual organisations to develop and
implement an integrity management framework, and for employees to act in
accordance with the values of the organisation.

Issues of right or wrong

When we deal with difficult decisions, we often feel that there is no clear answer that is right,
but we sense intuitively that the decision is about the distinction between right and wrong.
Discussions about integrity and ethics address the fundamental distinction between right and
wrong. This type of decision is much more difficult than deciding whether we prefer one type
of food to another, or whether the answer to a simple mathematical equation is right or
wrong

Three Western ethical theories

Three Western ethical theories which have strengths and shortcomings:
• Utilitarianism: The basic premise of utilitarianism is that an action is moral if it
maximizes the overall social ‘utility’ (or happiness). Two of the most important
philosophers in this tradition are Jeremy Bentham and John Stuart Mill.
• Deontology: The basic premise of deontology, in contrast to consequentialist theories
like utilitarianism, is that an action is moral if it conforms to certain principles or duties
(irrespective of the consequences). → ex: If you decide to never be « corrupt », mais
si quelqu’un sort une arme et te demande de l’argent, si tu suis ton principe, tu
meurs.
• Virtue ethics: The basic premise of virtue ethics is that morality depends on perfecting
one’s character. A virtue is “an excellent trait of character, another term that is
important in virtue ethics is practical wisdom, the ability to do the right thing no
matter what the circumstance → You try to do the best, you try to have a decision
each time there is a problem.

Case study: the shipwreck situation

• Imagine that you are involved in a shipwreck situation
• A ship has started to sink in the middle of the ocean.
• Eleven people have jumped into a lifeboat that has been designed for a maximum of
ten people only, and the lifeboat is also starting to sink.
• Gather in teams of four or five
• What should the passengers do? Throw one person overboard and save ten lives? Or
stick to the principle of “do not kill”, which means that everybody will drown?

5
Célia Mohimont
2022-2023

• Which ones if you decide to throw one person overboard? There are two young
parents with two children, an elderly couple, four middle ages singles (two women
and two men) and a single boy.
• Other solutions ?

Ethical leadership
• Ethical leadership is important for two main reasons. First, leaders have ethical
responsibilities because they have a special position in which they have a greater
opportunity to influence others and, therefore, outcomes in significant ways. Most
people would agree that all of us have a responsibility to behave ethically, but it is
clear that leaders are held to higher ethical standards than followers.
• Examples of formal and informal leaders from around the world include Nelson
Mandela, Mahatma Gandhi, Malala Yousafzai, Peng Liyuan (First Lady of China), Sheikh
Hasina Wajed (Prime Minister of Bangladesh), Yvon Chouinard (the founder of
Patagonia), Melinda Gates and Angelina Jolie. However, the impact of a leader is not
always positive, as illustrated by Hitler’s leadership of Nazi Germany. The impact of his
leadership was disastrous for millions of individuals and the world in general.
• On a smaller scale, even team leaders can have profound effects on their team
members and the organization. All leaders, no matter how many followers they have,
exert power. To exert power over other people carries an ethical responsibility
• What is regarded today as a ‘good leader’ is someone who effectively leads towards
ethical results and not someone who is simply good at leading (as many ill meaning
demagogues can be). It has been argued that this development emphasizes the strong
links between ethics and effective leadership (Ng and Feldman, 2015).

Two models of leadership

• The interpersonal trust model (Schindler and Thomas) is based on five components:
integrity, competence, consistency, loyalty, and openness. Integrity refers to honesty
and truthfulness; competence is associated with technical and interpersonal
knowledge and skills; consistency is defined as reliability, predictability, and good
judgment; loyalty refers to willingness to protect and save face for a person; and
openness is the willingness to share ideas and information freely.
• This model reflects the idea that followers who trust a leader are willing to be
vulnerable to the leader’s actions because they are confident that their rights and
interests will not be abused.

Social power model

• The ‘social power’ model was developed by French and Raven , who identified five
common and important bases of power: legitimate, coercive, reward, expert, and
referent. Legitimate power refers to a person’s right to influence another person
coupled with the latter’s obligation to accept this influence; coercive power derives
from having the capacity to penalize or punish others; reward power is about having
the capacity to provide rewards to others; expert power is based on the followers’
perceptions of the leader’s competence; and referent power derives from the
followers’ identification with and liking of the leader. Each of these bases of power

6
Célia Mohimont
2022-2023

increases a leader’s capacity to influence the attitudes, values, or behaviours of

others.
• There are three ways in which a follower may react to these forms of power,
according to French and Raven (1959).
• First, when leaders successfully use legitimate or coercive or reward power
(collectively referred to as position power) they will generate compliance. Compliance
means that people follow the directions of the person with power, whether or not
they agree with those directions.
• The second way in which followers may react to the use of power, especially the use
of coercion that exceeds a level people consider legitimate, is to resist the leader’s
attempt to influence. Resistance means that employees will deliberately try to avoid
carrying out instructions or they will attempt to disobey orders.
• The third type of reaction to power is commitment, which is the response most often
generated by expert or referent power (collectively referred to as personal power).

Personal vs corporate accountability

• Milgram experiment https://www.youtube.com/watch?v=xOYLCy5PVgM
→ Expérience avec es chocs électrique.
• Standford experiment https://www.youtube.com/watch?v=oAX9b7agT9o
→ Expérience de fausse prison avec des étudiants – gardes / prisonniers.

Case study: telling the truth

One of your employees has just been diagnosed with a treatable form of cancer. He has
confided in you about the status of his health. He has also asked you not to say a word to
anyone because he considers his health to be a personal matter. Over the next few months,
this employee is absent frequently, especially during his radiation treatments. His absences
are not a major problem for the company because his duties involve direct computer work
which he can do while at home. However, some of your other employees have asked you
what’s wrong with him. You politely decline to discuss his situation. As a result, the other
employees think that their co-worker is getting special treatment and are ready to go to your
boss to complain. You are confident that if they only knew of the employee’s illness, they
would understand. But you promised him not to reveal the reason for his absence. At the
same time, it would create unnecessary and unhelpful problems for him if other employees
complain about him.
• Should you reveal to your employees the reason for their co-worker’s absence? Why
or why not?
• Should you explain to your boss what is really going on?
• How would you handle this situation

A leadership issue
• More CEOs were forced out for ethical lapses in 2018 than poor financial performance
(Washington Post May 15th,2019)
• https://www.washingtonpost.com/business/2019/05/15/more-ceos-were-forced-out-
ethical-lapses-than-poorfinancialperformance/?amp;utm_term=.abd07245db93&dlbk

7
Célia Mohimont
2022-2023

• Thirty-nine percent of the 89 forced CEO departures in 2018 were due to ethical
misconduct, which the study defines as the removal of a CEO following a scandal or
improper conduct; examples include fraud, bribery, insider trading, environmental
disasters, inflated résumés or sexual indiscretions. Meanwhile, 35 percent of ousters
in 2018 were a result of poor financial performance and just 13 percent were because
of conflicts at the board level or with activist investors that weren’t about financial
performance but led to the CEO’s ouster.
• Compare that to a decade earlier, during the financial crisis in 2008, when 52 percent
of forced exits were tied to financial performance, 35 percent to board conflicts and
just 10 percent to misconduct.

Definitions
• Values = Characteristics of conduct that drive/motivate behaviour.
• Integrity = Living/acting on one’s values (i.e., “Walk your talk”)
• Principle = An action, statement, derived from one or more values, that distinguishes
right from wrong behaviour.
• Ethical Culture = When a community of persons actively works to achieve an
environment of mutual respect, and other ethical values, for all.
• Ethical issue = When one or more persons are affected by a situation in a way that
could cause benefit or harm to themselves or others.

Globalisation: ethics and the law

• Difference between law and ethics: Law gets tim to get into legislation. Look the culture
and society where you live and pick things that are not yet in the form of legislation
(ethics).
• Ethics and legislation overlap more or less depending on the country (ex: Belgium, big
overlap whereas in the US not much legislation protects social rights, etc.) Sometimes a
practice can be legal but isn’t ethical. Legislation must evolve to compensate for these
gaps. Companies also have a bigger duty of transparency.

Example: it is Legal, is it Ethical?

Legal but not ethical:
• Google Tax' targets 'double Irish' tax avoidance (UK 2014)
→ It has a permanent UK arm and large London staff but pays very little corporation
tax because its British sales transactions are made by an Irish subsidiary. The profits
are then shifted to another subsidiary in Bermuda as fees for using intellectual
property.

8
Célia Mohimont
2022-2023

• “Paradise Papers: Oxford and Cambridge invested tens of millions offshore

• Funds invested in by the universities include a joint venture to develop oil exploration
and deep-sea drilling
• Prem Sikka, an emeritus professor in accounting at the University of Essex, questioned
the ethics of universities sending their endowments offshore. He said: “All the
Caymans offer is secrecy and tax avoidance. There is nothing else there. It’s not as if
this is a place actively engaged in advancing science, research or human knowledge.”
• Sikka said universities needed to be more transparent about their investment
decisions since they were public institutions that received public money, including
from the EU. “We need to know what they are doing with the cash. There are issues of
corporate social responsibility.”
https://www.theguardian.com/news/2017/nov/08/paradise-papers-oxford-
cambridge-invest-millions-offshore-funds-oxbridge

How do you know what is “the right thing?”

• Ethical decision-making is recognising and considering the ethical issues in our daily
decisions
• Most decisions involve at least one ethical issue:
→ At least one person/entity has a right or responsibility in our decision AND/OR
→ At least one person/entity will benefit or be harmed by our decision AND/OR
→ At least one person/entity will see an issue of fairness in our decision AND/OR
→ At least one corporate value will be involved
• Since most business decisions involve at least one ethical issue, effective business
decision-making involves recognising and considering the ethical issues in those
decisions
• Most decisions involve at least one ethical issue. At least one person/entity has a right
or responsibility in the decision or will be affected (positively or negatively) by the
decision or will see an issue or fairness in the decision. Effective business decision-
making involves recognizing and considering these ethical issues.

How do responsible companies respond to it?

• There is a difference between personal and corporate accountability. People behave
differently when they are part of a group. Scandals can occur in some companies
when employees do something “because that’s what they were told to do”.
• What can a company do to respond to it or better, avoid it?
- Find out where the initiative came from
- Clarify their values
- Set up a control framework and implement preventive measures
- Dedicate resources to incorporate ethics
- Manage ethical and regulatory risks
• Get on the agenda at the highest level of the company
• Clarify their value
• Set up control framework
• Dedicate ressources
• Implement preventive measures
• Manage « ethical » or « regulatory » risks
9
Célia Mohimont
2022-2023

• Is it mainly a defensive behaviour or a constructive one?

Key components of Business Ethics Management

• Mission or value statements: “What are we as a company? What do we want to achieve
and how?” More and more ethical implications written in those statements.
• Code of Ethics or Conduct: Code which contains the values, rules and guidelines of the
company. They have to find the right equilibrium between rules and values. Meant to
guide the employees in case of doubt.
• Reporting Channels: system for employees to report a problem. Some companies don’t
like it because it can create a “bad atmosphere”. In some countries it is mandatory to
have a whistleblowing system.
• Risk analysis and management: companies need to identify the risks and prevent them.
Some sectors of business or some departments within a company are more susceptible to
some risks than others (textile industry-human right issue, financial department-fraud).
• Ethics officers, managers, committees: in some sectors having such officers is mandatory.
Depending on the company’s size, this can either be a part or full-time job.
• Education and training: employees need to be educated and trained in this field. They
need to understand the company’s values. It is also a protection measure for the company
because if they can prove that they educated their employee enough, but he still does
something unethical, it isn’t their responsibility.
• Stakeholder consultation: it’s valuable to ask external people about their expectations and
if the company’s actions meet those.
• Auditing, accounting, reporting: check if any transactions are suspicious or incorrect.
• Investigations: How does the company handle an unethical issue? You need to plan this in
advance and put an investigation system in place so that you’re ready when the problem
arises.
• Collective actions: companies which are too small or don’t have enough leverage on the
external world can group with other companies or organizations and join forces to
improve some ethical issues they find.
• Due diligence on associated persons: a company is accountable for the actions of
associated persons. “Third-party risk”: there is a possibility of adverse impact from a
dependant resource to a primary supplier or service provider. Due diligence means that
you make sure that your partners share your value.

10
Célia Mohimont
2022-2023

Module 1: Risk management

Creating enabling environments
Research has shown that fear of consequences may keep individuals from speaking up when
they make mistakes or detect unethical behaviour (Kish-Gephart et al., 2009). Fear not only
originates from bad experiences but may also stem from understanding what might happen
after a disclosure in terms of retaliation or punishment. This fear has implications for
organizations.

Some sectors have been particularly proactive in taking measures to encourage employees to
speak up.

In some of these sectors, the need to learn from mistakes is essential as safety issues may
lead to incidents or accidents with potentially disastrous consequences. To encourage
employees to speak up, the concept of just culture (culture where people are not afraid to
speak) has developed. This concept refers to an environment in which individuals are
encouraged to learn from their mistakes rather than being punished.

Just culture
Embracing a just culture does not mean that individuals are above the law: gross negligence,
wilful violations and destructive acts are not tolerated in a just culture.

However, organizational responses to mistakes should be driven by a desire to improve the

culture for the future, not just identify and punish someone. Only in an organizational culture
where occurrences are reported, investigations conducted and mitigating measures
administered (e.g. trainings, improved communication of rules and regulation, revision of
processes) will near misses come to light.

The concept of a no-blame culture seeks to support employees that make mistakes in order
to create an organizational culture that encourages problem-solving, transparency and high
performance. If mistakes occur (rather than intentional violations), a root cause analysis is
done to determine all contributing factors and the blame is most often put on the process
rather than the individual employee. Thus, the organization can learn from mistakes and
there is higher employee loyalty.

Ethics and compliance programs

The organizational level poses the question: How does the corporation behave? This is the
level where concepts like business integrity and ethics are applied and where the role of the
board of directors and the senior management of the corporation will be scrutinized.
The individual level addresses behaviour at the level of individual employees. Someone might
work for a corporation with a good reputation in an industry with a good reputation, but – as
an individual – still engage in unethical behaviour, e.g. cheating on expense claims or treating
fellow employees with disrespect

11
Célia Mohimont
2022-2023

Supporting ethical action through the organizational culture

• Who will bear the accountability of the programme? Management, external audit,
internal audit or the E&C function? The Board and CEO are always accountable. The
compliance officer is also accountable if he neglected something. The internal audit
system is also evaluated.
• Decision to be made on the boundaries:
• Policy setting, implementation, monitoring to a central E&C function?
• Policy setting to Functions (Legal, Finance, HR, ...)
• Management accountability for policy assurance
• E&C as support, advice and reporting role
• Policy setting, implementation and monitoring can’t all be performed by the same
team. Also, the E&C function needs to work together with specialists of different
topics (HR, Legal, Finance, etc). There needs to be a management accountability put in
place to report the effectiveness of the program. The E&C function often serves as an
advisory role and reporting role.

GSK fined in China (2013)

• GlaxoSmithKline (GSK) is Britain’s biggest drug maker. Chinese authorities found GSK
guilty of bribing both hospitals and doctors to help promote their products in China,
using a network of nearly seven hundred travel agencies to pay medical professionals,
health-related organizations, and government officials. According to Chinese
authorities, GSK funneled about 3 billion yuan, or US$482 million, through this
network to recipients. Receipts were forged for purchases and transactions that never
took place, including fake conferences.
• The Chinese officials also seemed to emphasize how the cost of the bribes was passed
directly to Chinese consumers. In other words, doctors and other medical staff were
bribed to sell their products and the cost of those bribes was added to the price of the
products that consumers paid for. In some cases, the final price of the product was
several times the cost in other countries. (BBC News) Chinese officials also claim GSK
bribed officials to obstruct Chinese investigations, according to a security ministry
official. (Bloomberg)
• In 2013, GSK’s sales dropped thirty percent after it was accused of corruption.
(Financial Times) Once one of GSK’s fastest-growing markets, GSK’s medicine and
vaccine sales, dropped 61% in the country, and sales of its consumer health products
dropped by 29%. (Jack)

GSK
• What are the themes related to GSK?
• How does this relate to Risk management?
• How do you bridge Ethics and Risk Management?

12
Célia Mohimont
2022-2023

Risk management
Introduction
Regulator push

• Regulated sectors (bank, insurance,..) : ethics and compliance function is mandatory

• The FSMA (Belgium) also implements the guidelines of the European Securities and
Markets Authority (ESMA) on the compliance function on the one hand, and on the
suitability test on the other hand. The guidelines on the compliance function (Dutch -
French) confirm the central role that this function plays in supervising compliance with
the rules of conduct.
- SFO(UK)Briberyactguidance2010
http://www.justice.gov.uk/downloads/legislation/bribe ry-act-2010-guidance.pdf
- Adequatebriberypreventionproceduresoughttobe proportionate to the bribery risks
that the organization faces. An initial assessment of risk across the organisation is
therefore a necessary first step. To a certain extend the level of risk will be linked to
the size of the organisation and the nature and complexity of its business but size will
not be the only determining factor. Some small organizations can face quite significant
risks,..
- The level of risks that organizations faces will also vary with the type and nature of the
persons associated with it.
Regulators push on all sectors
• Sentencing guidelines (US)-last edition November 2015
• Exercize due diligence to prevent and detect criminal conduct
• Promote an organizational culture that encourages ethical conduct
• Standards and procedures to prevent and detect criminal conduct
• Governing authority shall be knowledgeable about the content and operations of the
compliance and ethics programme and exercize reasonable oversight with its
implementation and effectiveness
• High level personnel shall ensure that the organization has an effective ethics and
compliance programme
International industry organisations toolkits
• ICC Antitrust toolkit 2013
• The first practical step in establishing your compliance programme is to ensure that
your company recognizes that antitrust law compliance is relevant to its operations

Reporting line of the Compliance officer

• It is an important decision for a company as well as the size of the function (from part
time to hundreds of staff)
• He has to fill a type of profile:
- Credibility: good understanding of the company, high level.
- Influence: respected and listened to
- Authority: in terms of resources, budget, documents.

13
Célia Mohimont
2022-2023

- Direct access to the Board and top management: senior enough to access it and
the Board can’t escape to its responsibility regarding E&C.

Resourcing the E&C function

• Adequate human and financial resources to perform its duties
• In house or using external third party providers (in specific areas for example)
• Skills ? Legal , HR, IT, Mgt, Communications,..
• High degree of credibility
• Familiar with company products, processes and daily activities
• It needs adequate human and financial resources to perform its duties. Usually,
companies also use a mix of in house and external service providers. The function
needs to be filled with a set of skills: HR, IT, Communication, Legal... and needs to be
familiar with the company products, processes and daily activities.

Interface with management

• Management has ultimate responsibility to define accountability, allocate resources
and establish processes and structures
• Active part in establishing corporate policies and ethical standards (code of Conduct,
Ethics principles, ...)
• Helping management, staff and business partners to understand how these policies
adress ethical and compliance risks in their business
• Management has ultimate responsibility to define accountability, the final decision
about the allocation of resources and establish processes and structures.
• The compliance officer:
→ He has an active part in establishing corporate policies and ethical standards. He is
there to help the management, but also staff and business partners to understand
how these policies address ethical and compliance risks in their business and to
find solutions.
→ He has to develop a provision of training in order to educate the staff but also to
protect the company in case of ethical breach.
→ He will review and control daily activities and raise red flags. The function also
exists to create a system that allows staff to ask questions and raise concerns with
the assurance that they will be properly investigated.
→ He will also help management in determining adequate support/consequence
management, which means finding a fair system to apply in case of unethical
behaviour of an employee.
• There is a constant interaction between compliance officer and management to
report on the effectiveness of the corporate E&C program.

Potential Roles of the compliance function

• Provision of training to management, staff, ... In those areas
• Providing advice
• Helping to identify where controls and monitoring can be embedded in daily activities
• Systems are in place to allow staff to ask questions, raise concerns and that those
concerns are properly investigated

14
Célia Mohimont
2022-2023

• Support management (with HR and Legal) in determining consequence management

and identifying lessons learned
• Interaction with Management on various topics: insure requirements are translated in
operational procedures, establish regular controls to insure those procedures
operates effectively...
• Key documents and standards are subject to Board review and approval
• Interaction to the Board (or a dedicated committee like Audit or CSR committe) to
report on a regular basis to communicate in an independent way on the effectiveness
of the corporate E&C programme.

Internal audit
• = Assurance provider on design and operation of the system of internal controls
• Perform compliance audits (financial, strategic, technical and operational risks), key
role and interaction with the E&C function e.g., testing employee knowledge, checks
of business controls, self assurance processes
• Audits the Ethics and Compliance function

External audit
• Rely on the work done by assurance providers to assess the scope of their tests and
develop and prepatre their opinion.
• Ethics and Compliance is clearly on their radar screen
Vidéo sur FTX, Binance et Alameda, sur la cryptomonnaie.

Step by step approach incidents

The Swiss cheese model:

As a E&C officer you want to put as many barriers as you can to avoid unethical behaviour.
With a good system, most of the incidents will be stopped at the first barrier. From time to
time, there is a failure in the system: supervisors are not well trained, the organization is not
well understood, the procedure is not clear, etc. But that failure should then be stopped at
the second or third barrier. As an E&C officer you need to think about those 3 things:
Organization, supervision, personnel and ask “How can I put the right organization in place?”

Framework to manage risks

• It’s a framework used by many companies to manage risk.

15
Célia Mohimont
2022-2023

→ You need to communicate and consult. When you do risk assessment on ethics,
it’s essential to meet the people in and out of the company and compile
information.
→ Monitoring and reviewing. A good risk assessment is something that you need to
review on a regular basis because risk is changing all the time.

1) Establish the context: what are the company’s objectives, risk appetite, key stakeholders,
key criteria, structure, governance?
2) Identify the risks: what can happen to the company on an ethical point of view? How can
it happen? Look for benchmarks within the same business, to see what happened.
3) Analyse the risks: What are the systems that the company has put in place? Control
systems, whistleblowing hotline. Then what is the likelihood of something unethical
happening? What is the impact on the company if this happens? (reputation, fine, value...)
4) Evaluate and rank the risks: Need to prioritize the risks in order to...
5) Treat the risks: How can I reduce this risk? What is the best response a company can have
to these risks? Act first in the field that is the riskiest.

The three lines of defense model

• The idea of this model is that, under the oversight of senior management, three
separate lines of defense are necessary for effective management of risks and control.
• The responsibilities of these three groups are:
- First line of defense. The people who own and manage the risks and controls. They
put the controls into place. The most important risks are faced by the people in
this line. It lies within the business and process owners whose activities create the
risks.
- Second line: The people who monitor risks and controls (ex: ethics and compliance
functions). They check if the controls are working effectively. They support
management by bringing expertise, process excellence and monitoring to help
ensure risks and controls are effectively managed.

16
Célia Mohimont
2022-2023

- Third line: The people who provide independent assurance to the Board and
senior management concerning the effectiveness of management of risks. You find
this role in: internal audit, ethics and compliance function. They provide assurance
to senior management and the Board over the first- and second-line efforts. It
reports to the Board and needs to have objectivity and independence.
• It is best that the 2 last functions are not done by the same people (segregation of
duty).
• Purpose of the three lines of defense model: The model brings clarity on roles and
duties, avoid gaps in coverage, no duplication of efforts and risks and controls more
effectively managed. Increases the probability of providing unbiased, good,
information to the Board of Directors about the significant risks and how management
respond to those risks.
• Role of the board and senior management:
1. Demonstrate commitment to integrity and ethical values.
2. Exercise oversight responsibility.
3. Establish structure, authority and responsibility
4. Demonstrate commitment to competence
5. Enforce accountability.

Purpose of the three lines of defense model

• The model brings clarity on roles and duties, avoid gaps in coverage, no duplication of
efforts and risks and controls more effectively managed.
• Increase probability to provide unbiased information to the Board of Directors about
the significant risks and how management respond to those risks
• Some functions may be split or combined e.g. designing controls and monitoring those
controls for Ethics and Compliance functions.

Role of the Board and Senior management

1. Demonstrates commitment to integrity and ethical values
2. Exercise oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability

Underlying principles of the model

• The first line of defense lies within the business and process owners whose activities
create the risks
• The second line support management by bringing expertise, process excellence and
monitoring to hep ensure risks and controls are effectively managed
• The third line provides assurance to senior management and the Board over the first-
and second-line efforts. It reports to the Board and need to have objectivity and
independence.

Understanding the company

• What are its business lines, products and/or services?
• What is its footprint? Market share, competitors, earnings, countries...

17
Célia Mohimont
2022-2023

• What is its strategy?

• What is its history and also its management risk appetite?
• How did the company grow?
• What is its culture?
• Does the company work with Business Partners?
• How is its Supply chain?
• What is the profile of its customers?
• What is its profitability?

Risk appetite ?
• The amount of risk an organisation accepts will vary from organisation to organisation.
As risk appetites vary from organisation to organisation so too can risk appetites vary
across business units and risk types.
• If properly articulated, it is key for the risk management strategy. A well-defined risk
appetite is reflective of the business, is documented, consider the resources required
to manage the risk, is reviewed periodically and has been approved by the Board.

First pass on potential key compliance risks

• When you look at the compliance risks and don’t have a clear way to start, you can
find a lot of information coming from audit firms, ethics associations, code of conduct
competitors, press...
• Topics often found in a company’s E&C framework:
- Health Safety Security & Environment. What is the impact of your company of
those topics?
- Competition laws: How is my company behaving on the market?
- Anti-corruption: more and more legislation to fight corruption.
- Data privacy: new topic on everyone’s mind. New EU legislation to be
implemented in 2018-2019 called the DGPA. As a private company, you need to
protect the private data that you have on people (employees, customers or
suppliers).
- Fraud
- Cyber security: linked with data privacy, intellectual property,...
- Human Rights: “I can protect the HR of my employees but what can I do in the
supply chain?”
- Money laundering: in the financial world, money laundering is on top of the E&C
officer’s agenda.
- International trade: you’re responsible for the country of origin, the country of
arrival (some goods are banned in some countries) and the end use of your good
and services.

Risks identification
• Assess risks from two perspectives: likelihood and impact
• On both a global and residual basis
• Employ a combination of qualitative and quantitative risk assessment methodologies

Risks measures

18
Célia Mohimont
2022-2023

• Qualitative measures: formal judgement, surveys, comments, structured interviews, ...

(cognitive bias from experience)
• Quantitative measures: audit findings, historical track records, external benchmarks,
mathematical models, trials, ...
• Constraints: time, money, skills, perception

Risk exposure
P(L) (Potential Loss) x S(L) (severity of potential loss) = R(E) (risk exposure)
P(L) x EF (exposure factor) = R(E)
• Is it possible to measure it for Ethics and Compliance issues?
• Is there some value to try to do it?
• What about low likelihood/high impact? Catastrophic events

Prepare your risk assessment

• An essential part of the governance process
• Allows Board members to act on an informed basis, in good faith and with due
diligence
• Board should request company management to plan and implement a systematic risk
assessment.
• Board may create a Risk comittee to cover the implementation of the risk policy

Design your risk assessment

• Proportionality to fits size, nature of its business, organization and geographical
diversity
• « Fit for purpose »?
• « Stand alone basis » vs « integration »
• Regular updates
• Requires appropriate attention by senior management

Factors to take into account

• Country risk: countries with higher perceived risk, lack of legislation, low level of
enforcement, weak institutions, lack of transparency
• Industry sector track records of industry, infrastructure projects
• Business transactions with public sector, transactions subject to licenses or permits
delivered by public officials

Factors to be taken into account

• Third party risks: joint venture, agents, intermediaries, contractors
• Size of the organization and organization (decentralized, complex, new affiliates,
remote locations, support functions, controls in place, ...)
• Leadership and governance: risk appetite, leadership style, stretched targets, ...
• Historical data on claims, litigation, enquiries

Risk matrix

19
Célia Mohimont
2022-2023

Estimate the impact

• What could happen if the control fails?

• Think in term of people, assets, environment, reputation
• Think in term of long-term sustainability of the company or the business under
consideration
• Look for examples in the industry
Estimate the likelihood
• For each of the potential impact, make an estimate of the Likelihood of the
consequence.
• Apply history to predict the future. Reliability of the Likelihood depends on a large
extend on the availability of data and the knowledge of the assessors
• A combination of available information and judgment from experience has to be
applied

Remember
• Risk assessed in the red area does not automatically mean that the Risk is
unacceptable, or Risk assessed in yellow that the risk is acceptable.
• Management needs to assess that all risk has been reduced to acceptable level.
• Pays attention to assessor’s « bias », avoid concensus, challenge findings
• Interview and involve senior management, but also specialists and operational people
• Validate the risk assessment with highest level of the organization
• Risk assessment is a tool and needs to be acted upon
• Make sure your record factual information (discoverable documents)

Risk sheet
• Good practice to produce a risk description for each of the risk recorded
• Typically following information will be made available:
• A description of the risk
• An evaluation of potential impact and likelihood
• Evolution of the risk for the company
• Risk owner
• Identification of existing controls already in place to mitigate the risk
• Actions still to be implemented to bring the risk to acceptable level (and timetable)

20
Célia Mohimont
2022-2023

• Indicators to monitor risk and effectiveness of the mitigation (including internal audit
ratings)

Main strategies for risk mitigation

Umicore
G16 Risk Management
Taking calculated risks is an integral part of the development of any company. Umicore’s
Board of Directors is ultimately responsible for assessing the risk profile of the Company
within the context of the Company strategy and external factors such as market conditions,
competitor positioning, technology developments etc and ensuring that adequate processes
are in place to manage these risks. Umicore’s management is tasked with successfully
exploiting business opportunities whilst at the same time limiting possible business losses. In
order to achieve this, Umicore operates a comprehensive risk management system... “The
Umicore Way” and the “Code of Conduct” are the cornerstones of the Internal Control
environment

Reflecting
• Using the matrix, identify three key risks for your company
• Position them on the matrix
• Discuss it with other participants and agree final position
• What are the mitigation actions in place?
• What else would be required?
• Have you an owner of the risk?

Joint ventures
• Insure at Board level that Directors request adoption of a materially equivalent
programme
• Formally request E&C report to the Board, ask questions to leadership
• Record objections to proposals involving step out of formal E&C controls
• Ensure objections are formally recorded
• Report infringement to the shareholders
• Seek resolve E&C issues or consider divestment
• Ensure incidents are managed

What are your controls ?

• Which controls have you in place?
• Good practices
• Other issues (e.g., money laundering?)
21
Célia Mohimont
2022-2023

• Any gap detected?

Risk review through a case

• ASML has entered discussions with consulting firms to establish an E&C risk review
with an associated plan of action for buidling a compliance programme. You received
a detailed pack of information about the company’s history, figures, implementation,
key customers, product lines.
• With your team, you have to present to the management team, an initial E&C risk
review, identify the critical risks associated with the operations and strategy of the
company, propose the next steps that you will take (and ressources associated to it)
and a concrete plan of action to mitigate the risk that you have identified with key
stakeholders involved.
• Team leaders have been identified.

Introducing ASML
ASML makes the machines for making chips (Integrated Circuits):
• Lithography is the critical tool for producing chips
• All of the world’s top chip makers are our customers
• Payroll: ~14,000 FTEs
2014 – Highlights :
• Record net sales of € 5,856 million, up 12% vs 2013
• Gross margin 44.3% vs 41.5% in 2013
• Net income € 1,197 million, up 18% vs 2013
• Basic EPS € 2.74, up 16% versus 2013
• Maintained our strong cash balance
• Returned € 968 million to shareholders through combined dividend and share
• buybacks
Founded in 1984 as a spin-off from Philips
A global presence

A market of 12 large ASML customers

22
Célia Mohimont
2022-2023

Vision, Mission, Strategy

Vision: ASML makes possible affordable microelectronics that improve the quality of life.
Mission:
1. ASML invents and develops complex technology for high-tech lithography machines
for the semiconductor industry.
2. ASML's guiding principle is continuing Moore's Law towards
ever smaller, cheaper, more powerful and energy-efficient semiconductors that drive
our customers' competitiveness.
Strategy:
1. Our success is based on three pillars: technology leadership, combined with Customer
and Supplier intimacy, high efficient processes and Entrepreneurial people.
2. We operate in a safe environment where we care for people, planet and our local
communities.
3. Our company is an inspiring place where employees work, meet, learn and share.
Driving the semiconductor industry: Moore’s Law
• Gordon Moore (1965): Number of transistors per chip doubles every year.
• Later adjusted to two years, the trend has held for more than four decades.
• Basicly means that’s a very high research

Moore’s Law makes chips cheaper...

23
Célia Mohimont
2022-2023

…and more energy-efficient

Cheaper chips drive market growth

24
Célia Mohimont
2022-2023

A virtuous cycle

How a lithography system works

The chip in your I-Phone

The manufacturing loop

The next step in lithography: EUV

Firing a laser on a tin droplet 40,000 times a second
Mirrors: Polished to sub-nanometer accuracy
EUV mirrors are polished to an accuracy of ~50 picometers – less than the diameter of a
silicon atom.
Blown up to the size of the Netherlands, the biggest difference in height would be less than a
millimeter.
Maintaining a clean vacuum
We need to maintain a clean vacuum, but every time we expose a wafer, the photoresist
releases trillions of particles.
25
Célia Mohimont
2022-2023

Module 2: Code of conduct

Principles
• It requires a process involving a large range of stakeholders
• Purpose is to create ownership of the company’s code and make it enthusiastic to
read
• Should be credible to be accepted by all employees as a guide to their business
behaviour
• The Code has to be adopted by the Board and is specific to the company’s spirit and
values.

• From business principles to code of conduct clarifying global standards or concepts

• Defines and expands on basic rules like Integrity, Trust, Confidence, ...
• Codes should be specific to reflect the culture and spirit of each company
• It is more common to have one global code instead of different ones in each
international branch. It’s more consistent to have the same values applied to all
employees all over the world. There can be some exceptions linked to divergences in
cultures.

What is a Code of Conduct?

• It is the collection of principles and standards of business conduct. It shows the
expected behaviour the company wants. Does this apply to what you do in your free
time? The more senior you are, the greater the impact of what you do in your private
life on the way you are seen in the company.
• Scope: It applies to all employees, contractors, entities over which the company has
significant influence; third parties like agents, intermediaries, other third parties with a
contractual influence. So everybody under contract terms, joint venture or
intermediaries/representatives.
• Key Principles: The Code needs to comply with the law in jurisdictions where you
operate. Also, it needs to evolve on regular basis because topics and risks change and
evolve.

Review the Code

• What are the topics?
• What is the style and the tone for the employees?
• How does it look?
• What would you feel as an employee? Why?

Some key principles

• Comply with the law in jurisdictions where you operate
• Only the beginning not the end of the process, needs to evolve on regular basis
(topics, new risks, new presentations)

26
Célia Mohimont
2022-2023

Preparing a Code of Conduct

• Different possibilities:
- Externalize or do it yourself? Danger of externalizing is that it doesn’t match the
reality of the company.
- Legal paper or involving multiple stakeholders? Code is made to be useful and
used so involving stakeholders is good to test its attractiveness.
- Role of local affiliates, divisions’ heads, auditors; marketing staff, salespeople ...
and key functions (Legal, Finance, HR, ...)

Drafting your code

• Final responsibility lies with the Board but involvement and consulting will enhance
legitimacy of the Code and is part of the change management
• Process takes time and involves hard discussions with varying positions
• With a range of views from stringent rules and zero tolerance standard while other
may prefer a more lenient way or wording.
• Principles based versus rules based wording
• Choice of words and sophistication: who are the readers?
• Legal expressions versus easy to understand

Everyone gets his Code

• Translation of the codes in multiple languages (countries of operations ?)
• Paper or electronic copies
• Cover note from CEO
• Distribution mechanisms (existing staff, new recruits, awareness, training, link with
Labour contract (HR involvement), par of the induction

Launch event
• Is it a major shift in Cultural approach of the company ? Is it new for some culture?
• « Tick the Box » or one of the few Group document
• Is the Senior management behind it or is it « lip services » •« Tone from the Top » and
« Walk the talk »
• Explain why we need a Code of Conduct to the organization

Culture change
• Prepare to deal with questions from staff, get feedback (e.g. from a pilot group of
readers)
• How will you increase staff awareness of the Code of Conduct (games, videos, mail,
line managers involvement,..)
• Worldwide launch event(s)
• Pay attention to the quality of the translations
• Position the Code to help staff to deal with dilemmas

27
Célia Mohimont
2022-2023

Other aspects
Having a Code of conduct also implies a duty to report unethical behaviours. An employee can
be considered complicit if he didn’t report something he witnessed. They need to raise
concerns in good faith knowing that there is a non retaliation policy, that the system is
trustworthy. A whistleblowing system can also be implemented. And it needs to state in the
Code that those who violate it will be subject to disciplinary actions.

What about contractors, agents, suppliers, joint ventures,..

• It is a difficult topic but you cannot stop at the gate of your company
• Contractors are independent staff working on your behalf; for an external customer
they look like an employee
• Agents are also representing the company, they can act as developping business but
also offer various other services (legal, accounting, IT,..)

Joint Ventures and Suppliers

• Joint venture: company can have either a majority shareholding or be the operator or
have a minority stake
• Suppliers offer a range of products or services; they manage also part of the supply
chain of the company (second or third level sub suppliers)

What would you do?

• High risk group
• Limited influence
• Potentially different culture
• Look to those groups, does the Code apply?

Insure you have robust process to deal with questions and issues
• Response time and advice to queries
• Investigation framework
• Ethics committee with Mgt, Legal and HR to impose disciplinary sanctions (no
exceptions, privileges, …
• Learning mechanisms to improve E&C programme and report

28
Célia Mohimont
2022-2023

Module 3: Whistleblowing
The EU Whistleblowing Directive gets translated in Belgium legislation : it will be dealt with JB
during his presentation.
• Scope : group wide system or specific ones ?
• Purpose: additional system or main one?
• Why? : Share concerns , seek advice, report suspected violation versus company code
of conduct
• Product quality,.. ?

Why an internal system?

• Employees are a major source for detection
• Erika Cheung: Theranos, whistleblowing and speaking truth to power | TED – YouTube
• The Epic Rise and Fall of Elizabeth Holmes
• In Silicon Valley’s world of make-believe, the philosophy of “fake it until you make it”
finally gets its comeuppance.

Creating a safe environment for staff

• Reprisals and harassment free environment
• Culture of transparency
• Duty to report
• Confidentiality
• Anonymous report

A choice among others

• One way among a number of reporting channels e.g. supervisors, company HR or
Legal counsel, management,..
• Internally managed system or externally managed through a service provider
specialized in receiving and handling whistleblower reports ?
• Independent, reputable, data protection,professionalism, languages, 24/7

Is it good to know?
• Early report is better
• Affirmative duty to report or strong encouragement
• Gather centrally serious concerns from other sources ? •Public helpline and rewards ?

Anonymous reports?
• Open reports encouraged
• Consideration given to anonymous reporting – more difficult to check good faith,
gathering additional nformation, checking validity of the concern, fair play for
employees against which allegation are made
• However fear for personal safety, reputation, confidentiality

29
Célia Mohimont
2022-2023

Issue of Confidentiality
• Every reasonable effort
Need to know basis information but may frustrate line management
• Circumstances when company must disclose findings to government or senior
management
• Not possible to guarantee confidentiality in all circumstances

Protecting whistleblowers
• Policy should prohibit retaliation (against concers reported in good faith)
• Disciplinary actions taken if employees fail to abide by this rule
• But can take years, difficult to prove and sometimes process may be abusedby false
claims

What to do with whistleblowers calls

• Investigate - yourself or external expert ( third party)
• Effective investigation
• Lawful investigation

Effective Investigations – The ROI

• Helps with mitigation with government agencies •Reduces civil litigation/damages
• Increases morale
• Helps to keep complaints internal
• Helps to create a culture where employees feel comfortable bringing complaints or
making reports

Goals of an Investigation
• Determine the facts: no personal opinions or conclusions
• Treat all involved with respect •Comply with legal requirements
• Provide defense to legal claims •Support good workplace climate
• Protect the record

Understanding the Investigator’s Role

Gather & Evaluate Information
The Role as an Investigator
• Impartial fact-finder (no biases)
• Good listener
• Appropriate investigation
• Attention to detail
• Protect the record
• Properly document investigation
• Fairness

30
Célia Mohimont
2022-2023

• Take off your lawyer hat

• Take out the emotion
5 STEPS in the Investigation

Investigations and corrective actions

31
Célia Mohimont
2022-2023

A process for dealing with the concerns is required

Triage Issues
• Safety: Is the health or safety of anyone put in jeopardy by this situation? • Company
Impact: Will this matter have an immediate impact on the
• company financially or from a brand perspective?
• Communications: Who needs to know about the matter or any part thereof? If
applicable, how quickly can you speak to the Complainant for an initial discussion and
to let them know you are taking their concerns seriously?
• Do you want an Attorney Client privilege?
Timing of the Investigation
• Investigations vary in complexity and the length of time to complete
• All investigations must be conducted promptly
• Promptness may be a mitigating factor
- in almost every level of government enforcement, and delay or indifference can be
seen as an aggravating factor
Proactive Strategies

• Confidentiality: What steps can be taken now to best limit the universe of people
involved to those who need to know?
• Evidence: Is there any evidence that needs immediate attention or would otherwise
be in danger of spoliation?
• Do not destroy evidence

32
Célia Mohimont
2022-2023

• Do not improperly create evidence

Stage 1: Receiving the report

• Get as much detailed information from the Reporter as possible
• Listen impartially without committing yourself

33
Célia Mohimont
2022-2023

• Ask open-ended questions

• Emphasize report will be taken seriously
• Advise the Reporter appropriately about what you intend to do
• Address retaliation issues
• Address confidentiality issues
Understanding the Allegation

Meeting the Reporter

• Determine who, what, where, when, why and how
• Ask the Complainant with whom do they think you should talk to
• Ask whom the Reporter has spoken to about the issue
• Ask whether the issue has affected the Reporter’s job
• Get as much detailed information as possible to prepare a good, efficient investigation
plan
• Do not express opinions about the alleged conduct and avoid opinions or comments
about the character or ability of the others involved
• Advise the Reporter not to discuss the matter with others within the company except
those with a need to know
• Reassure the Reporter that the company takes these complaints seriously and will
determine whether an investigation is needed. Emphasize that no final conclusion will
be reached until the investigation has been completed
Allegations Are Not Facts

• Don’t accept the Complainant allegation at face value

• You must analyze the facts you are offered and make your own determination
regarding the category in which it fits
• The report from the person who made the allegation is just a report
• Offer no opinions to the Reporter.
- You probably don’t know the motives, personalities or histories of the people
involved
Anonymous Reports

• Consider the form of the report

• Was it anonymous, or did it come from an identified party? Anonymous reports,
however, should not be discounted unfairly. An anonymous report maybe malicious,
or may be valid and accurate
• Most employees do not trust management to keep their names confidential. Most
people do not want to be identified as the person responsible for bringing the matter
to the attention of the management. The detail provided in the anonymous report
may either validate or invalidate the report
• Keep an open mind and don’t jump to conclusions

34
Célia Mohimont
2022-2023

Stage 2: Planning the investigation

The Strategy

• Once the scope has been determined, make your plan

• This is more than just a blueprint. It should incorporate a proposed strategy
• The strategy of the investigation should move from the general to the specific,
gradually zeroing in on the subject by carefully acquiring and analyzing information
• As information is gathered, your theory should be refined to focus the investigation on
the most logical source of misconduct and/or business process failure
The plan
• An investigation plan should set the scope properly so you will have the right
parameters to guide you
• You always must be prepared to explain why you did what you did
• Never put yourself in the position of explaining your plan by saying that you never
considered any other course of action
Planning the Investigation?

• What are the allegations?

• What are the legal issues?
• What are the ethical issues?
• What is the best strategy to proceed?
• Any potential liability? For whom?
• PR and communication issues?
• Retaliation concerns
The Investigative Plan

• Develop a written investigation plan

• Summarize allegations and relevant issues (legal and factual)
• Describe the scope of the investigation
• List business/management contacts
• Evaluate need for assistance (internal or external)
• Identify those who will be assisting
• Evaluate actions necessary to secure relevant files

35
Célia Mohimont
2022-2023

• Propose schedule/timeline for investigation

• Determine if any prelim disclosures are needed
• Attorney Client Privileged?? Do you need one??
Documents – What Can You/ Should You Look At?
• Personnel files
• Timecards
• Emails, texts
• Other electronic files
• Medical files
• Expense files
• Project files
• What are the legal issues when reviewing documents?
What About... Can you look at ?
• Text messages
• Social media
• Outside work emails/personal accounts
Critical Issues
• Privacy
• Work councils
• What else?

Stage 3: Conducting the interviews

Investigator’s Introduction
• Explain who you are and the purpose of the meeting
• Discuss anti-retaliation policy
• Confidentiality
• Use standard Investigator’s Introduction & Closing whenever possible
Planning for Confidentiality
• On a case-by-case basis, discuss why interviews or other data should be kept
confidential
• The complaint will be handled confidentially, except:
- The needs of the employer or the law may require that information be disclosed
on a need-to-know basis
Effective Interview Technique
• Funneling
• Active listening
• Closing the door
• Assessing credibility
1. Open Phase

36
Célia Mohimont
2022-2023

• Open-ended questions
• Objective
• Aim to learn all relevant evidence the witness has
• Encourage the witness to talk
• What? ? - Who ? - Where? - When ? - Why?
- Explain? - Describe? - Give me a list
2. Clarification Phase
• Now get clarification for details
- Who?
- What?
- Where?
- Why?
- Tell me in detail

3. Closing Off

• Close the door

• Get the final answer
• Anyone else present?
• Anyone else know about the details
• Listen to the witness
• Exhaust the subject
• Recap and ask, “Is there anything else?”
Active Listening
• Listen to the witness
• Don’t be wedded to your outline
• Hearing is different than listening
• Don’t miss obvious or subtle cues
• Take accurate notes
Follow-Up
• Do new facts or allegations require follow-up interviews?
• Any new places to look for documents or other evidence?
• Are there new or omitted questions?
Corrective actions taken

• Credibility of the system if employee feels no corrective action is taken

• System needs to be diligent, fair and respectful
• Corrective actions can take various shapes (clarification of issues, education and
training, disciplinary actions, ...)
• Feedback to the whistle blower but level of details to be considered

37
Célia Mohimont
2022-2023

Calls for EU lobbying rules to be reformed grow as corruption scandal rocks Brussels - Bing
video

Reporting and disclosures

• KPI whistleblowing
• Significant cases and incorporating learnings •Audit committee, Board and Senior
management
• Internal and external communication

Using the data for improving the process

• Do I get enough reports ?
• Is no reports in certain area a good thing ?
• What are the topics ?
• Why don’t I get reports from certain part of the world?
• Should I also gather information on significant concerns reported outside the
whistleblowing
• line ?
• Is my corrective actions system fair ?

Is your company helping ?

• What factors are affecting internal reporting ?

38
Célia Mohimont
2022-2023

• Personal factors ( fear,..) see above

• Organizational factors
• Resources not easily available (hotline, contact
• person, focal point,..)
• Hostile culture
• Toxic leadership
• Lack of justice

Implement system which is easy to use

• Train leaders to listen actively
• Availability of the system to report (24/7?), free of costs •Languages skills
• Various options (mail, phone,people,..)
• Visible communication (posters, training, web,..)

Individual dimension
• A recent study (Heumann, et. al., 2013) develops five differentiating whistleblower
typologies, based on goals, motivations and context:
• The Altruist: The conscience of the organization
• The Avenger: Motivated by revenge or retribution
• Organization Man: Speaks up for the economic interests of the company
• The Alarmist: Notorious complainer, always looking for dire consequences, regardless
of validity
• The Bounty Hunter: Seeks to make money through qui tam suits

Organizational dimension
• Research has shown (Vadera, et. al., 2009) that the most important factors that
influence reporting intentions and behavior include:
• Leadership
• Perceived support
• Organizational justice
• Organizational culture
• Type of organization
• Risk of retaliation

Legal dimension
• Laws and rewards, like the SEC Whistleblower Program, can influence the
whistleblower’s behavior, the process, and organizations.
• In the financial sector, the number of whistleblower tips received by the SEC has
grown more than 20% since 2012. (SEC Annual Report, 2014)

Open your whistleblowing line to external world ?

• Take care to follow local laws e.g. data privacy, staff council involvement..
• Request from various sides to make grievance mechanisms available to various
stakeholders systems to raise concerns (e.g. Huamn rights)
• Communication to various stakeholders (systematic, specific, contracts,..)

39
Célia Mohimont
2022-2023

Example
“Total’s affiliates have handled grievances for a number of years but we formalized the
process in 2012 with a mechanism that provides dedicated communication channels –
allowing individuals or groups who are our neighbors to raise questions or concerns related to
our activities – and processes to ensure grievances are promptly and fairly dealt with. “We try
to adapt these channels to the local situation and generally offer several channels in a given
project or affiliate so that literacy or language barriers do not prevent a person from making
his or her grievances known. “
Total Human rights briefing paper July 2016

Suppliers
• Communication through Supplier code (simple summary)
• External web site
• Contracts
• Transparency

40