Ethics under investigation

Network executives demand proof that vendors adhere to the highest business-conduct standards.

Two years ago, when it came to trusting your vendors, a firm handshake and an honest smile would have been just about enough to seal a network deal. Then in came WorldCom, and out went the trust.

Now network executives are putting the screws to their vendors on ethics, business conduct and compliance – longstanding relationships notwithstanding. They demand proof of honesty and integrity – in writing. That means an RFP today might contain as many questions about business practices as it does about a vendor’s technology and service.

Playing the adversary isn’t always easy. When you start probing a vendor about how it would handle challenges such as a billing error, employee misconduct, a security breach or records retention, the conversations get tough, says Brian Conlon, CIO at Howrey, Simon, Arnold & White, an international law firm in Washington, D.C. “Vendors sort of look at you like ‘What?’ ” he says.

But with WorldCom ingrained in their minds and company-making deals often on the line, IT executives want proof of their vendors’ good ethics practices. “Some vendors initially will say, ‘Go to this URL. Everything you need to know is there.’ But we know our in-house counsel will want more than that, so we expect signed documentation supporting what a vendor has,” Conlon says. “These are the new criteria we’re using in the IT world.”

The Sun shines on these ethics

Before awarding Sun an IT infrastructure overhaul project last year, Conlon scrutinized the vendor’s business conduct and compliance programs. He got the assurances he wanted: Sun not only has an organizational structure in place for handling business conduct and compliance, but also takes its reputation as an ethical vendor seriously.

Sun has been evolving its ethics and compliance policies over the last dozen years, since publishing its first Standards of Business Conduct policy statement, says Dave Farrell, who authored the 1991 document while an in-house counselor. Farrell has since become chief compliance officer, heading Sun’s 3-year-old Business Conduct Office. He reports to the CFO/executive vice president of corporate resources.

Under the Business Conduct Office, Sun has put each of its 35,000 employees worldwide through a basic online ethics training program and requires ongoing topical training. The company recently rolled out a module on how to handle conflicts of interest, and this summer will release an online training program on export compliance, Farrell says. In addition, top executives and some staff members – about 1,200 people – must participate annually in a two-day “boot camp.” At the boot camp, they learn about their fiduciary responsibilities and get training on how to be an ethical leader.

Conlon is not alone in thinking Sun’s ethics program impressive. Sun is known for its exemplary ethics and business-conduct programs, says Steve Priest, founder of the Ethical Leadership Group, a consulting firm.

Best practices

Of course, exceptional ethics won’t ever factor in more highly than technology when it comes to a vendor decision. So if Sun’s product choices aren’t to your liking, look for business-conduct best practices at your chosen vendor. Ethics experts name four must-haves.

The first is appointment of a top-level executive responsible for ethics, business conduct and compliance. Chief compliance officer is the more traditional version of today’s trendy “chief ethics officer” designation.

“A good ethics program starts with a CEO who believes in it – but that’s always been the case. One of the changes we’ve seen recently is in naming a chief ethics officer and having that person report periodically and directly to the audit committee of the board of directors. That’s a clear lesson from the past few years,” Priest says.

Network World 200 powerhouse Dell last December added an ethics title to its roster. Thurmond Woodard, vice president of global diversity, now is chief ethics officer as well. As part of his new role, he supports the Dell board’s audit committee in implementing processes to comply with governance requirements.

And, in a well-publicized appointment, former NW200er MCI (ineligible for consideration this year because of its bankruptcy status in 2003), hired Nancy Higgins as its first chief ethics officer. Higgins most recently served as vice president of ethics and business conduct for Lockheed Martin. Before that, she headed Boeing’s first company-wide ethics organization. (Companies in the defense industry were the first to adopt formal ethics programs, in the mid-1980s, to comply with federal mandates.)

Other NW200 companies with chief ethics or compliance officers include AT&T, HP, Nortel and Sprint. Nortel was one of the 25 original sponsoring partners of the 12-year-old Ethics Officer Association (EOA), a group of business-conduct executives.

Another best practice is providing employees a way to report suspected wrongdoing confidentially and anonymously. This is not the same as an open-door policy, Priest warns. “Many companies in the ’90s prided themselves on having an open door, and that’s all they needed. In this environment, that doesn’t cut it legally anymore,” he says.

Priest recommends delving into how employees perceive a stated open-door policy, especially in light of the goings-on at WorldCom. He says focus group participants often describe their employers’ open-door policies as such: “The door is always open – if you don’t like the way things are, you can leave at any time.”

A third best practice to watch for is how your vendor assesses program effectiveness. Nobody’s fooled by check-the-box lists anymore, says Lee Essrig, director of global initiatives at EOA. Toward that end, the EOA is promoting development of an international standard for a business-conduct management system that would, among other goals, let companies measure or benchmark the effectiveness of their programs, Essrig says.

A fourth best practice deals with training. Be sure the highest corporate officers at your vendors receive ethics training regularly. And check to see that all employees are required to participate in training sessions annually. Priest suggests that short annual training sessions are far more effective than a two-day, once-in-an-employee-lifetime ethics crash course.

Note that none of these best practices are particularly profound, Sun’s Farrell says. “The devil is in how you live by them,” he adds. “You can never just rest and say, ‘We’re done.'”

And for his part, Conlon easily can justify putting even the most well-respected vendor through the wringer on ethics, business conduct and compliance. “The things we are doing with Sun are not one-offs. It will be our partner for a long time, and we need to make sure it will stay in business,” he says.