Alejandra Montenegro Almonte and Ann Sultan are members at Miller & Chevalier and co-lead the firm’s Workplace Culture and Conduct practice. Nicole Gökçebay and Alexandra Beaulieu are also part of the Workplace Culture and Conduct practice, as a senior associate and associate respectively.
Press reports about workplace misconduct — egregious harassment or discrimination, or pervasive cultural failings — are emerging with increased frequency. The allegations transcend geography, company size, and industry. Substantiated or not, rarely do they pass without tarnishing the culture and corporate image of the implicated organization.
No longer “simply” a litigation risk, misconduct in the workplace can frustrate a company’s culture, cause reputational damage, erode trust in leadership and disengage employees. To combat these risks, forward-thinking companies are implementing compliance frameworks to effectively prevent and respond to workplace misconduct. These programs are tailored to each organization’s particular operations, risk profile, resources and culture, and are informed by federal guidance.
Compliance programs are most effective when the various program elements we discuss below work in concert and are embedded into day-to-day operations. You’ll probably recognize the high-profile organizations whose recent failings help to illustrate each point. Seven guiding principles in creating a compliance framework follow.
1. Policies, procedures and training are foundational
Policies and procedures establish the foundation of a company’s culture by setting the norms for what behavior will be tolerated and the consequences for failing to meet expectations. The EEOC suggests companies create policies that clearly explain expectations around prohibited conduct, the complaint system, the investigation process, and the prohibition against retaliation for reporting misconduct.
To ensure that policies are effective and well integrated into an organization, trainings should be reinforced regularly, tailored, function-specific and routinely evaluated. For example, managers and supervisors should be trained on how to respond to allegations and how to address misconduct.
In February 2022, mining and metals company Rio Tinto released a report related to allegations of widespread bullying, sexual harassment, racism and other forms of discrimination. Importantly, some of the report’s key recommendations suggested that Rio Tinto should develop an easily accessible global policy on “everyday respect,” to be supported by practical guides informed by local context, and provide tailored trainings, raise awareness of workplace misconduct, educate trainees on prevention and responses, and encourage reporting.
2. Weak governance and controls enable misconduct to fester and blur accountability
No matter how technically strong a compliance program is, it cannot excel without sound organizational governance structures. As the DOJ and EEOC instruct, companies need governance structures that empower compliance functions to effectively exercise oversight, providing compliance leaders with sufficient seniority, autonomy from management and resources to execute their responsibilities. Companies should therefore consider the ability of senior HR compliance stakeholders to directly access the board and relevant committees.
Many of the organizations we have seen in the limelight recently had insufficient oversight, governance, and controls structures. For example, Activision Blizzard formed a Workplace Responsibility Committee of its board, which is tasked with receiving compliance program progress reports from senior management and will require management to develop metrics to measure the company’s progress.
The Washington Commanders are another example: in the NFL’s July 2021 statement regarding the findings of an investigation into inappropriate behavior at the team, one of the key recommendations was for the Commanders to “implement [a] clear organizational structure and clear lines of authority for club executives to eliminate influence of informal or unaffiliated advisors on the Club’s business operations.” It is fundamental that proper lines of authority be drawn and observed so that independent functions and activities remain so.
3. Culture and conduct at the top matters
The most effective compliance programs exist within a values-driven culture. Indeed, when the DOJ evaluates how corporate compliance programs operate in practice, prosecutors look for commitment by senior and middle management: The board and executives should set the tone on HR compliance while middle management reinforces the message. The EEOC has emphasized that “the importance of leadership cannot be overstated.”
The 2020 Washington Post article that is credited with breaking the story about inappropriate behavior at the Washington Commanders found that employees “described an atmosphere in which bullying and demeaning behavior by management created a climate of fear that allowed abusive behavior to continue unchecked.” The NFL’s July 2021 statement, which followed an external review, acknowledged that inappropriate conduct by executives had “set the tone for the organization.”
4. Companies should periodically assess their unique risk factors
The EEOC cautions that certain workplace conditions can create a greater risk of harassment, such as isolated working environments, cultural and language differences, and significant power disparities. Not all organizations will face the same risks, and risks will change over time. Periodic risk assessments are the primary way to identify current and changing risk factors.
The Rio Tinto report did just this when it described the company’s culture as male-dominated and hierarchical, found that “[e]mployees working in a country different to that of their birth experience much higher rates of racism than their colleagues working in the country of their birth,” and showed that the presence of isolated workplaces enabled misconduct.
5. An effective reporting and investigation system is critical
DOJ guidance states that organizations should develop effective reporting and investigation systems designed to promote a “speak up” culture. To be most effective, your program should incorporate timeliness in investigations, documentation of the process, anti-retaliation messaging, and confidentiality. Investigation reports can also be a very helpful source of information for risk assessments.
Rio Tinto’s report demonstrates the importance of testing reporting mechanisms for both functionality and substantive use. For example, while Rio Tinto found that it had a strong reporting culture with respect to health and safety issues, when it came to issues of harassment, discrimination and bullying, employees reported a “culture of silence.” Strikingly, some employees demonstrated that although they were generally familiar with the company’s reporting options, they did not recognize those as avenues for reporting certain types of issues.
6. Incentives and discipline are powerful tools for promoting compliant behavior
Organizations should incentivize ethical behavior and ensure consistent disciplinary measures are taken in response to misconduct, regardless of the perpetrator’s position or title. The DOJ has identified compensation as a key tool in this space. Companies can incentivize compliant behavior by incorporating compliance metrics into compensation decisions, performance reviews, promotions, and awards and should consider the use of compensation clawbacks and other punitive measures when individuals engage in misconduct.
In the Rio Tinto case, little accountability for senior leaders and “high performers” who engaged in misconduct created a perception that misconduct had been normalized and reinforced the “culture of silence” that emerged.
7. Monitoring and testing facilitate program relevance
If a compliance program doesn’t evolve, it will lose relevance. Ongoing monitoring and testing ensure that your company’s program responds to the risks presented and maintains effectiveness. A company’s monitoring and testing activities should consider data collected and any trends.
As suggested by the EEOC, employee surveys can be a useful tool in assessing program effectiveness. A recommendation in the Rio Tinto report was that the company periodically re-review its compliance program through various means, including by readministering employee surveys every two or three years.
Key takeaways
By applying the various program components outlined above, you can help your organization mitigate litigation risks and improve employee well-being. Like other types of compliance programs, an HR compliance program should reflect a company’s specific risk profile so that measures are tailored to a company’s DNA. There can be commonalities across industries and by organization size, but individual risks are important to evaluate, meet and periodically reassess.
Moreover, by incorporating the HR compliance program into the day-to-day operations of the business, companies can implement a living and breathing program where each employee bears responsibility for its success, facilitating a feedback loop of information that allows the program to remain effective for the long haul.