Ethics & Compliance: Doing the Right Thing, Everywhere?
2025-01-22

Topic: Governance
Jurisdiction: Global
Adam Hunt
(Acting) Head of Risk & Compliance, Lime

Executive Summary

  • Core corporate values remain universal, even in a geopolitically fragmented world.
  • Leaders should prioritise impact over optics and empower employees to act ethically at all levels.
  • Sharing and aggregating data across functions—including culture surveys, training feedback, financial metrics, and cybersecurity information—helps identify and address issues effectively. Horizontal risk assessment prevents underinvestment or overinvestment in specific risks.

Ethics is about doing the right thing, even when it is the hard thing. Adam argues that universal principles form the foundation of ethical business practices, regardless of regional norms. He emphasizes the importance of integrating compliance risk management into overall company risk management—not as an annual exercise, but as an ongoing effort.

Defining ethics for global businesses

How would you define “ethics”?

Adam: Ethics is about doing the right thing.  

People often overcomplicate things. Doing the right thing is, in Justice Oliver Wendell Holmes’s famous words, the “simplicity that lies on the other side of complexity.” Compliance requirements can seem technical and intricate. But ethics for me ultimately means people are doing the right thing, even when it’s the hard thing.

Companies go global. How do you address differing perceptions of “doing the right thing” across regions?

[Figure: Corruption Perceptions Index (CPI) - Regional Comparison]

Adam: While there can certainly be variances in norms or standards across regions, I’m not sure I would agree that there are significant differences in perception. For example, behaviours like theft, bribery, and nepotism are generally not considered to be ethical regardless of region. However, the practical challenge arises when unethical behaviours occur with more frequency in certain locations. So the best way to address differing perceptions in my view is to build a company code that is grounded on the more universal values and principles.

I rather think of building a global ethics code like designing race cars. A car for a straight track is straightforward. Adding twists and turns to the track will require some modifications. But a race car remains a race car. The core components are the same.

Similarly, implementing ethical standards globally means starting with the same consistent principles and then tailoring the approach to different regulations, social norms, and economic conditions. You can have a global privacy policy with common principles, aligned with various regulations such as GDPR or California's Privacy Act.  

Global consistency

How do you ensure a consistent ethical standard across countries and functions?

Adam: Leadership sets the tone. Leaders must go beyond optics—compliance policies or routine internal emails—and focus on the impact of employee actions.

Impact means empowering employees, through all hierarchy levels, to act ethically and speak up when necessary. In other words, to do the right thing, not just the easy thing.

This might be challenging in regions or in functions where management does not fully align with the company’s culture. It is important to get it right in these pockets of the organisation. I agree with the idea, as noted by Steve Gruenert and Todd Whitaker in their book School Culture Rewired, that an organisation's culture is ultimately defined by the worst behaviour tolerated by your leaders.

Measuring implementation

How do you translate leadership’s tone into action?

Adam: You manage what you measure. That’s why after Netflix’s newest Chief Talent Officer joined in 2021, I advocated for developing a company culture survey during our first 1:1 meeting. I felt it was essential to find out whether there was a disconnect between the company’s celebrated culture memo and employees’ lived experiences.

Participation rates for culture surveys can reveal engagement levels across teams. If low, there may be a lack of identification with the company’s culture, which can lead to non-compliance issues later down the road.  

Measurement is critical. Some companies even tie metrics to bonuses, driving attention to the behaviours leadership values.

What if the data from the survey reveals discrepancies?

Adam: Curiosity and exploration are essential in that scenario. I recommend three steps:

  • Investigate the cause:
    • Cultural issues (e.g., irrelevant or poorly translated training content).
    • Systemic issues (e.g., a lack of oversight or weak internal processes).
    • Intentional issues (e.g., a leader actively downplaying the importance of compliance).
  • Address the issue: Escalate as needed, engage with local teams, or adjust policies and training.
  • Prevent recurrence: Most people want to do the right thing—it’s the leaders’ job to make it easy for them:
    • Leaders in ethics and compliance must ensure policies are clear and accessible, supported by tools like AI for answering routine compliance questions.
    • Leaders should assess the organisation’s maturity level and collaborate across teams—compliance, internal audit, and local leadership—to develop solutions where processes and systems are immature.  
    • The overall goal is to connect compliance activity to business outcomes.

“Lateral” thinking around risks

Compliance risk is just one of the many operational risks a company faces. How can silo thinking be broken down?

Adam: Organisations need to think laterally.  

If data on training participation for fraud prevention, for example, flags an issue, one should also review related areas such as invoicing anomalies and upticks in hotline reports. This integrated approach strengthens enterprise-wide risk management.

For example, low compliance training participation in a region, combined with high fraud reports and hotline activity, can indicate a systemic issue requiring escalation.

Without this holistic view, the organisation operates largely in the dark and risks facing increasingly severe consequences that could likely have been prevented.

While some peers are taking this approach, adjacent risk functions and their leaders still tend to operate in silos. For example, Compliance, Finance, IT/Cybersecurity, and ESG teams often work in relative isolation during the year, only pooling data for annual or quarterly board reports. Instead, they should be encouraged to share insights earlier and create a clearer picture of organisational risks. Building a shared data dashboard is a great way to help accomplish this goal in an efficient and effective manner.

[Figure: Bribery Investigations by Industry (U.S. FCPA)]

Standardising risk assessments

How can organisations standardise risk assessments across functions?

[Figure: Corporate Compliance Programs: Risk Assessment]

Adam: I recommend creating something of a “Rosetta Stone of Risk”—a common taxonomy where functions do not change their specific assessments but calibrate them to a standardised scale.

This allows leadership to compare risks—cybersecurity, compliance, privacy—on the same scale and identify what is most material. For instance, is a cyber hack in one region comparable to three ethics violations in another? This alignment makes such comparisons possible.

How do you translate diverse risks into a unified framework?

Adam: I suggest using a five-point scale, ranging from “averse” to “aggressive.” Qualitative terms like those, as well as “conservative,” “balanced” and “tolerant”, are relatable and help align risk tolerance across teams. This is what Google’s former Chief Compliance Officer (Spyro Karetsos) refers to as the “five lane highway of risk.”

Each function evaluates and ranks its own risks. For example, ethics teams might assess the materiality of hotline reports, while cybersecurity teams differentiate between denial-of-service attacks and ransomware.

Regular calibration and reporting are essential. Another trick I learned from Spyro is using a framework of hindsight (what happened), insight (current risks), and foresight (future risks). This process evolves every quarter, refining accuracy and response.

What is the benefit of aligning different risks that way?

Adam: It shifts focus from risk mitigation to optimisation. For example, you might be overinvesting in compliance training or regulatory inquiries while underinvesting in public policy or government affairs. The goal is to align broader efforts, investments and resources with your organisation’s risk appetite and risk profile.

Leaders must define terms like “aggressive” in practical terms (e.g., financial impact).  

Metrics like the number of regulatory inquiries or amount of legal costs can then reveal where resources are strained, helping to balance spending against outcomes.

Geopolitics as an added pressure on compliance

With proliferating tariffs, trade controls, and sanctions, compliance functions may soon find themselves having to do more with less. What is compliance’s answer to that?

Adam: I hear often about the “ever-increasing” demands on the compliance function. Yes, demands are rising, but compliance doesn’t bear the burden alone as many functions and leaders are being asked to do more with less. Compliance leaders should be proactive, not passive. For example:

  • Add value at the table when the global strategy is formulated: Companies must first step back and assess their global strategy in light of the new geopolitical realities. When deciding to enter or exit markets, management and boards should weigh the "distraction tax"—the big question: Is the distraction worth it? Or, as we asked at Netflix, “Is the juice worth the squeeze?” Compliance teams have information to help inform these business decisions. They can improve the quality of decision-making by sharing real data on what it means, in terms of costs and additional risk, to enter a certain market.
  • Tackling behavioural, regulatory, and legal risks requires creativity and teamwork: Compliance must collaborate with legal, IT/cybersecurity and other departments, think creatively, embrace new technology, and take bold steps. For example, a trade compliance lawyer in Washington, D.C. recently suggested considering tariff adjustment clauses in contracts to prepare for potential U.S. policy changes. While not ideal for counterparties, these clauses could mitigate risk for the company—so they might prove to be practical, even if not perfect.

Now is the time for collaboration and fast problem-solving, not perfectionism. By addressing risks layer by layer, teams can reduce them to a manageable level, enabling the company to continue operating in markets where opportunities exist. The future of corporate compliance is based on leveraging data to optimise risk across the enterprise and ensure resources are allocated appropriately to enable continued business growth.

Adam Hunt is an expert in the ethics and compliance field. He is currently the (Acting) Head of Risk and Compliance at Lime. Previously, Adam built and led Netflix's Global Ethics & Compliance organisation, growing it from a single direct report in 2018 to a team of 14 compliance professionals across seven countries.
