CONVERGING ETHICS, GOVERNANCE, AND CULTURE

Michael Brozzetti, CIA
Washington DC
May 12, 2011

DISCLOSURE: Michael Brozzetti represents his personal commitment to protect and guard the Internal Auditing profession's principles for integrity, competency, confidentiality, and objectivity as provided for within the Institute of Internal Auditors Code of Ethics. Michael Brozzetti is President of Boundless LLC, an expert internal auditing and governance firm and is Chairman of the Business Integrity Alliance™ which is a joint venture between zEthics, Inc. and Boundless LLC missioned to advocate and advance the practices supporting the principles of integrity, transparency, accountability, and risk oversight. Michael Brozzetti is a Certified Internal Auditor® Learning System training partner with the Institute of Internal Auditors, Villanova University, and the Holmes Corporation. Michael Brozzetti is currently under consideration for the zEthics, Inc. Board of Directors. Michael has no material holdings in the Capital Markets.

Presentation on converging ethics, governance, and culture.

Page 2: Converging ethics, governance, and culture

Relevant Introductory Quotes

• “What we really need is a new paradigm for due diligence when it comes to fraud.”
  - Former SEC enforcement attorney, Pat Huddleston Interview
  - John Buchanan. “It Could Happen to You.” Conference Board Review – Spring 2011

• “It’s really about intentional opaqueness where transparency is legally required. It’s about taking steps to hide the true nature of transactions…”
  - Former Prosecutor of the U.S. Attorney’s Office, George Terwilliger Interview
  - John Buchanan. “It Could Happen to You.” Conference Board Review – Spring 2011

• “I have discovered that greater government attention to corporate ethics and compliance activities is a smarter investment than endless federal prosecutions, suspensions, and debarments.”
  - Retired Federal Inspector General – May 12, 2011

• “Problems cannot be solved by thinking within the framework in which they were created.”
  - Albert Einstein

Page 3: Converging ethics, governance, and culture

The IIA asked: is there a culture of risk?

If we define culture as "a way of life - the behaviors, beliefs, and values that are passed along by communication and imitation from one generation to the next" and put it into an organizational context, then we can assume the term "generation" refers to the hierarchical levels and parent/child relationships that exist within an organization.

Page 4: Converging ethics, governance, and culture

Who wants to talk about Ethics and Culture?

Page 5: Converging ethics, governance, and culture

Who thinks culture affects performance?

Page 6: Converging ethics, governance, and culture

The Convergence of EGC

[Diagram labels: Governance; Culture; Ethics]

Page 7: Converging ethics, governance, and culture

Ethics

[Diagram labels: Governance; Culture; Ethics]

Page 8: Converging ethics, governance, and culture

Ethics Gone Wrong

Satyam Computer Services Ltd.

• Known as the “Enron” of India.

• Some $1 billion in declared revenue at the outsourcing firm turned out to be nonexistent. PwC probed for signing off on financial statements.

• In 2005, the bank's CIO was ousted for buying preferential stock options from Satyam, even as he awarded the firm major contracts. Satyam was allowed to remain.

• Satyam had been linked not only to financial wrongdoing, but "ultrasensitive data heists" from customer World Bank.

Source: FOX News

Page 9: Converging ethics, governance, and culture

Ethics Gone Wrong

New Century Financial

• New Century Financial Corp, the largest independent provider of home loans to people with poor credit, filed for bankruptcy two years ago amid mounting customer defaults.

• $1 billion lawsuit filed against KPMG in March 2009 by trustees of New Century.

• “As far as I am concerned, we are done. The client thinks we are done. All we are going to do is piss everybody off.”

- KPMG partner

Financial Week: March 31, 2008 12:01 AM

Page 10: Converging ethics, governance, and culture

Ethics Gone Wrong

Enron

• On November 30, 2001 the Company filed for bankruptcy and 4,000 employees lost their jobs that day with only 30 minutes to gather their belongings and exit the building.

• Ken Lay and Jeff Skilling were tried in 2006 for their part in a 53-count indictment covering a broad range of financial crimes, including bank fraud, making false statements to banks and auditors, securities fraud, wire fraud, money laundering, conspiracy and insider trading.

• "Well, thank you very much, we appreciate that . . . asshole.”

– Jeff Skilling, Former Enron CEO & COO

Page 11: Converging ethics, governance, and culture

Ethics Gone Wrong

Lehman “Alter Ego”

• One of the vehicles that Hudson Castle created was called Fenway, which was often used to lend to Lehman, including in the summer of 2008, as the investment bank foundered.

• Hudson Castle might have walked away earlier if not for Fenway’s ties to Lehman.

• Lehman itself bought $3 billion of Fenway notes just before its bankruptcy that, in turn, were used to back a loan from Fenway to a Lehman subsidiary.

• While Hudson Castle appeared to be an independent business, it was deeply entwined with Lehman. For years, its board was controlled by Lehman, which owned a quarter of the firm. It was also stocked with former Lehman employees.

Source: NY Times

Page 12: Converging ethics, governance, and culture

Ethics Gone Wrong

Goldman Sachs Sued by SEC for Fraud

• The federal government charged Goldman Sachs, a prominent New York financial house, with fraud on Friday, accusing the firm of deceiving investors who bought mortgage bonds that select clients already knew were likely to fail.

• The SEC also named Fabrice Tourre, a Goldman Sachs vice president, who helped create and sell the investment deal, which cost investors more than $1 billion when mortgages defaulted.

Source: NY Times, April 16, 2010

Page 13: Converging ethics, governance, and culture

Ethics Getting Better

Computer Associates, Inc.

• Charles Wang and a few other former executives participated in a $2.2 Billion accounting fraud against Computer Associates.

• New leadership executed a Deferred Prosecution Agreement (“DPA”) with the U.S. Government in 2000 to turn around the company.

• In 2004, CA ended up paying $225MM to victimized shareholders.

Page 14: Converging ethics, governance, and culture

Ethics Gone Right

Coke

• In a nutshell, three people, including an executive assistant at Coke, were busted and charged with stealing trade secrets, as well as a product sample, and trying to flog them to arch-rival Pepsi for $1.5 Million.

• In terms of ethics, the most interesting part about this story was that Pepsi had alerted Coke to what was going on, and Coke immediately called the police.

Page 15: Converging ethics, governance, and culture

Principles, Values, and Ethics

• Principles: Inform our choice of values, morals, and ethics.

• Values: Attitude sets that influence behavior.

• Ethics: Standards by which behavior is evaluated for its morality – its rightness or wrongness.

“Values motivate, morals and ethics constrain”

– Paul Chippendale

Page 16: Converging ethics, governance, and culture

Ethics in the Regulatory Context

• Section 406, which directs us to adopt rules requiring a company to disclose whether it has adopted a code of ethics for its senior financial officers, and if not, the reasons therefor, as well as any changes to, or waiver of any provision of, that code of ethics.

Page 17: Converging ethics, governance, and culture

Honoring Public Service

(11) Employees shall disclose waste, fraud, abuse, and corruption to appropriate authorities.

TITLE 5: ADMINISTRATIVE PERSONNEL: PART 2635—STANDARDS OF ETHICAL CONDUCT FOR EMPLOYEES OF THE EXECUTIVE BRANCH

Page 18: Converging ethics, governance, and culture

Trust in Public Service

TITLE 5: ADMINISTRATIVE PERSONNEL: PART 2635—STANDARDS OF ETHICAL CONDUCT FOR EMPLOYEES OF THE EXECUTIVE BRANCH

(c) A violation of this part or of supplemental agency regulations, as such, does not create any right or benefit, substantive or procedural, enforceable at law by any person against the United States, its agencies, its officers or employees, or any other person.

Page 19: Converging ethics, governance, and culture

Caremark Case Law

• Since the 1996 Delaware Chancery Court decision in In re Caremark International Inc. Derivative Litigation, the fiduciary duty of corporate directors has been understood to embrace the adoption and maintenance of corporate compliance programs that are designed to detect corporate wrongdoing and bring it to the attention of management and the board of directors.

• Stone v. Ritter involved a derivative action by shareholders of AmSouth Bancorporation ("AmSouth"), in the wake of the disclosure that AmSouth had paid $50 million in fines and civil penalties arising from violations of the federal Bank Secrecy Act.[3] The lawsuit alleged that the directors of AmSouth had breached their duty to act in good faith because, while AmSouth maintained a program to monitor Bank Secrecy Act compliance, the program was not adequate to prevent the violations giving rise to the fines and civil penalties.

• First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues; and second, there is no duty of "good faith" that forms a basis, independent of the duties of care and loyalty, for director liability.

[3] 31 U.S.C. §5318 et seq. (2006).

Page 20: Converging ethics, governance, and culture

The DOJ after Caremark:

• Legal Guidance Regarding Board Oversight

• The McNulty Memo provides that, when assessing the adequacy of a company’s compliance efforts, prosecutors should consider whether the corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct;

• Such as whether directors exercise independent review over proposed corporate actions, whether directors are provided with information sufficient to enable the exercise of independent judgment, and whether directors have established an information and reporting system reasonably designed to provide management and the board of directors with timely and accurate information.

Page 21: Converging ethics, governance, and culture

The Corporate Conscience

“A self-aware person will act completely within their capabilities to their pinnacle, while an ignorant person will flounder and encounter difficulty.”

- Socrates, Greek Philosopher

Page 22: Converging ethics, governance, and culture

Governance

[Diagram labels: Governance; Culture; Ethics]

Page 23: Converging ethics, governance, and culture

The “Black Box” of Governance

[Diagram labels: Ethics; Governance; Risk; Compliance; Internal Control; Communication and Trust; "What state is the culture in?"; Discovery risk; Enterprise risk]

Page 24: Converging ethics, governance, and culture

20th Century Governance Challenges

[Diagram labels: Ethics; Governance; Risk Management; Compliance; Internal Control; Communication & Trust; "What state is the culture in?"]

• Level of transparency into the culture: No practical way to continually monitor the “soft controls” that shape cultural norms and risk appetites. Limited foresight into the cultural risks that manifest misconduct and fraud.

• Disclosure, speed, and flow of risk information: Often filtered and/or distorted.

• Accountability and culpability: Case law suggests that not knowing and ignorance is a defensible claim.

Over 95% of lawsuits are settled or dismissed.

Page 25: Converging ethics, governance, and culture

The Governance System

[Diagram labels: People; Ethics & Culture; Internal Adjudication; Process; Internal; External; Technology; Systems / Devices; Information / Data]

Page 26: Converging ethics, governance, and culture

Key Governance Questions?

1. Is it Legal?

2. Is it Ethical?

3. Is it Sustainable?

Page 27: Converging ethics, governance, and culture

Ethics in Context of a U.S. Law

[Diagram labels: Innocent; Not Guilty; Guilty; Ethical Judgment; Legal Judgment]

“Not Guilty, Does Not Mean Innocent”

– University of Pennsylvania Law School Student

Page 28: Converging ethics, governance, and culture

Judgment System Difference

Ethical Judgment
• Measured to core values
• Internally controlled and adjudicated
• 100% Transparency
• Subject to confession and repentance
• Immunity-in-conscience

Legal Judgment
• Measured to law or regulation
• Externally influenced and adjudicated
• Opaqueness (95%)
• Subject to external punishment and damages
• No immunity

Page 29: Converging ethics, governance, and culture

Mission and Code

Page 30: Converging ethics, governance, and culture

Sustainability and Integrity in Context

• Ethics: The rules of conduct recognized in respect to a particular class of human actions or a particular group, culture.

• Culture: A way of life - the behaviors, beliefs, and values that are passed along by communication and imitation from one generation to the next.

• Governance: The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.

• Integrity: Integrity is consistency of actions, values, methods, measures, principles, expectations and outcome. As a holistic concept, it judges the quality of a system in terms of its ability to achieve its own goals.

Page 31: Converging ethics, governance, and culture

Culture

[Diagram labels: Governance; Culture; Ethics]

Page 32: Converging ethics, governance, and culture

Cultural Tones

Undertone
– Complacency, Laziness, and satisfaction with status-quo
– Loose controls with insatiable appetite for risk
– Short-term decision making at the expense of long-term benefit sustainability
– Autocratic and self-focused cultures, internal politics, power struggles

Overtone
+ Strong cultural work ethic that challenges assumptions
+ Tight controls with thoughtful risk appetite
+ Balanced decision making considering short and long term benefit sustainability
+ Collegial and team-focused cultures, “conscientious employees,” balanced power

Page 33: Converging ethics, governance, and culture

National Association of Corporate Directors

VI. Integrity, Ethics & Responsibility: Governance structures and practices should be designed to promote an appropriate corporate culture of integrity, ethics, and corporate social responsibility.

Page 34: Converging ethics, governance, and culture

NACD Comment Letter to SEC

“A strong corporate culture is one of the best tools a company has for combating fraud.”

- NACD Barbara Hackman Franklin

Rating Scale: 1 (Poor) to 10 (Excellent)

Page 35: Converging ethics, governance, and culture

Cultural Elements

• Ethics & Governance - Assess the level of illegal or fraudulent activities; withholding or covering up information; manipulating government reports; scandal; managerial mischief; misconduct; unethical behavior; lying; falsification of records; sexual harassment; drug and alcohol abuse; etc.

• Risk Management - Identify risks, quantify and assess the level of risk taking by senior management; quantify the risk of operational failures, etc.

• Strategic Planning - Assess the organization’s strategic planning methodology and practices; determine whether managers are allocating sufficient resources to execute the strategic plan effectively and efficiently; etc.

• Management - Assess the competence and character of management; does the management team work well together; is management being held accountable for decisions that impact the organization’s performance, strategic goals and objectives; is management consistent in its decision making; etc.

• Communication - Assess how well the organization communicates the information required to accomplish goals and objectives; identify when there is a problem with miscommunication of information or misinformation; etc.

• Organization - Assess the Organization’s Internal Controls, Policies, Procedures and Systems; identify structural flaws or weaknesses in the organization; etc.

• Empowerment - are employees empowered to perform their duties and responsibilities without fear, reprisal or reprimand; is management undermining the staff’s ability to perform their duties and responsibilities; do employees have sufficient training and skills to perform their duties, etc.

• Compliance (Auditing, Quality) - Assess compliance with all laws and regulations; identify problems or concerns with the

Page 36: Converging ethics, governance, and culture

External Culture Benchmarks

[Chart: Industry Culture Benchmarks]
Note: Chart is for illustrative purposes only. Y = Year.

Page 37: Converging ethics, governance, and culture

Internal Culture Benchmarks

[Chart: Cultural Trend Analysis]
Note: Chart is for illustrative purposes only. PY = Prior Year and CY = Current Year trending.

Page 38: Converging ethics, governance, and culture

Cultural Assurance

BU #3 Executive Survey | CEO | CFO | COO | VP HR | CIO
Ethics & Governance | 8.6 | 8.2 | 2.1 | 1.6 | 5.8
Risk Management | 8.0 | 7.2 | 3.1 | 3.0 | 5.8
Strategic Planning | 7.4 | 7.6 | 3.6 | 3.4 | 5.2
Management | 7.6 | 7.8 | 1.4 | 1.8 | 5.4
Communication | 5.4 | 6.0 | 1.1 | 1.0 | 4.8
Organization | 6.2 | 7.8 | 1.8 | 2.0 | 5.8
Empowerment | 7.2 | 7.6 | 2.5 | 2.0 | 5.4
Compliance (Audit & Quality) | 8.0 | 4.8 | 2.3 | 2.0 | 6.6
CCI™ Composite Rating | 7.3 | 7.1 | 2.3 | 2.1 | 5.6

Business Unit Survey | Business Unit 1 | Business Unit 2 | Business Unit 3 | Business Unit 4 | Business Unit 5
Ethics & Governance | 4.6 | 4.7 | 2.4 | 5.3 | 4.3
Risk Management | 4.3 | 4.9 | 1.0 | 5.3 | 3.9
Strategic Planning | 3.7 | 4.0 | 2.8 | 5.0 | 3.9
Management | 3.6 | 4.1 | 1.3 | 4.9 | 3.5
Communication | 5.0 | 5.6 | 4.3 | 5.9 | 5.2
Organization | 4.0 | 4.8 | 2.5 | 5.1 | 4.1
Empowerment | 4.5 | 4.9 | 2.8 | 5.6 | 4.5
Compliance (Audit & Quality) | 5.2 | 5.4 | 3.8 | 5.6 | 5.0
CCI™ Composite Rating | 4.4 | 4.8 | 2.6 | 5.3 | 4.3

This is fictitious data for illustrative purposes only

Drill down and gain dynamic views into the organizational corporate culture for internal benchmarking

Page 39: Converging ethics, governance, and culture

What conclusions can you yield?

Source: zEthics, Inc.

Page 40: Converging ethics, governance, and culture

What conclusions can you yield?

Reporting Category | Company | Industry Average | Sector Average | Region Average
Ethics & Corporate Governance | 2.4 | 4.6 | 4.7 | 5.3
Risk Management | 2.8 | 4.3 | 4.9 | 5.3
Strategic Planning | 1.0 | 3.7 | 4.0 | 5.0
Management | 1.3 | 3.6 | 4.1 | 4.9
Communication | 4.3 | 5.0 | 5.6 | 5.9
Organization | 2.5 | 4.0 | 4.8 | 5.1
Empowerment | 2.8 | 4.5 | 4.9 | 5.6
Auditing / Quality Control | 3.8 | 5.2 | 5.4 | 5.6
Composite Rating | 2.6 | 4.4 | 4.8 | 5.3

Source: zEthics, Inc.

Page 41: Converging ethics, governance, and culture

What conclusions can you yield?

Reporting Category CEO CFO COO CMO CAO

Ethics & Corporate Governance 5.8 1.6 8.2 5.8 8.6

Risk 5.8 3.0 7.2 5.6 8.0

Strategic Planning 5.2 3.4 7.6 5.4 7.4

Management 5.4 1.8 7.8 5.6 7.6

Communication 4.8 1.0 6.0 4.4 5.4

Organization 5.8 2.0 7.8 4.6 6.2

Empowerment 5.4 2.0 7.6 4.6 7.2

Auditing / Quality Control 6.6 2.0 4.8 6.6 8.0

Composite Rating 5.6 2.1 7.1 5.3 7.3

Source: zEthics, Inc.

Page 42: Converging ethics, governance, and culture

What conclusions can you yield?

Reporting Category President EVP SVP VP Director

Ethics & Corporate Governance 5.0 6.2 7.0 8.4 8.6

Risk 4.4 6.6 6.6 8.4 8.2

Strategic Planning 2.8 6.6 5.2 5.0 5.6

Management 4.8 6.6 5.8 6.2 7.0

Communication 2.6 5.2 6.6 6.0 6.0

Organization 5.6 6.0 5.6 6.2 7.4

Empowerment 4.8 4.2 6.0 7.2 6.0

Auditing / Quality Control 5.2 5.6 5.4 5.4 7.0

Composite Rating 4.4 5.9 6.0 6.6 7.0

Source: zEthics, Inc.

Page 43: Converging ethics, governance, and culture

What conclusions can you yield?

Reporting Category | Chairman | Non-Exec Board | Company Composite
Ethics & Corporate Governance | 2.2 | 6.4 | 6.2
Risk | 6.0 | 6.0 | 6.3
Strategic Planning | 2.8 | 5.2 | 5.2
Management | 3.4 | 6.2 | 5.7
Communication | 1.0 | 5.4 | 4.5
Organization | 1.4 | 6.4 | 5.4
Empowerment | 2.0 | 5.2 | 5.2
Auditing / Quality Control | 3.8 | 5.4 | 5.5
Composite Rating | 2.8 | 5.8 | 5.5

Source: zEthics, Inc.

Page 44: Converging ethics, governance, and culture

Internal Adjudication

[Diagram labels: Code of Conduct; Code of Ethics (Per Professional Practice Standards); Company Policy; Regulation; Law; Business Issues; Legal Issues; Ethics Compliance; Management (Independent of Incident); Audit, Risk, & Compliance; General Counsel; External Legal Counsel; Independent Committee]

Page 45: Converging ethics, governance, and culture

Transparency into Incident Reporting

# 1 # 2 # 3 # 4 # 5

Report Filings 16 12 28 25 21

Code of Conduct 5 4 15 5 8

Professional Conduct 4 5 6 5 6

Policy 4 2 3 12 4

Regulation 1 0 4 3 1

Law 2 1 0 0 2

Report Status

Open – In Queue 9 6 11 8 15

In Due Diligence 2 2 7 3 5

Resolved 5 4 10 14 1

Report Resolution (YTD) 1 2 9 2 4

Authority Change 0 1 3 0 2

Disciplinary Action Taken 1 0 4 1 2

Restitution 0 1 0 0 0

Prosecution 0 0 2 1 0

Average Cycle Time (Days) 102 82 55 77 89

Page 46: Converging ethics, governance, and culture

Quality for the Ethics Compliance System

Page 47: Converging ethics, governance, and culture

The Penney Idea

A strong principled foundation since 1913

1. "To serve the public, as nearly as we can, to its complete satisfaction."

2. "To expect for the service we render a fair remuneration and not all the profit the traffic will bear."

3. "To do all in our power to pack the customer's dollar full of value, quality, and satisfaction."

4. "To continue to train ourselves and our associates so that the service we give will be more and more intelligently performed."

5. "To improve constantly the human factor in our business."

6. "To reward men and women in our organization through participation in what the business produces."

7. "To test our every policy, method, and act in this wise: Does it square with what is right and just?"

Page 48: Converging ethics, governance, and culture

More Q&A Time…

Michael Brozzetti, CIA

President, Boundless LLC

(215) 687-7376
