Skip to content

Illustration by Joyce Hesselberth

How to Practice Ethics

“I am incredibly nervous that we will implode in a wave of accounting scandals…the business world will consider [our] past successes as nothing but an elaborate accounting hoax,” Sherron Watkins of Enron Corporation wrote in a six-page letter dated August 15, 2001. Watkins, Enron’s vice president of corporate development, sensed that the end was near for her firm, but even she did not know the extent of it. Enron Chief Executive Kenneth Lay, and his top lieutenants, had engineered one of the world’s largest fraudulent corporate accounting schemes in history. 

Enron’s ultimate collapse resulted in the loss of $61 billion in shareholder value and the elimination of more than 5,000 jobs. Sixteen employees pleaded guilty for crimes committed at the company. Several top executives, including ex-CEO Jeffrey Skilling, landed in prison for their roles in the scheme and for lying to employees and investors about Enron’s financial health. Skilling was sentenced to 24 years in prison and fined $45 million. 

As detailed in his seminal book Conspiracy of Fools, author Kurt Eichenwald revealed that greed and ambition were not the only reasons for Enron’s failure. Another crucial factor was the absence of an ethical culture, which ultimately enabled the wrongdoing.  

In the 15 years since Enron’s epic failure, the importance of maintaining an ethical culture continues to grow. As the world of security changes, corporations change, management approaches change, and technologies change. To remain ethically sound, organizations need more than a fixed set of specific rules contained within their codes of conduct. Security managers should take the lead in actively managing their department’s culture so that sound ethics are firmly embedded in all operations, which are in turn aligned with the organization’s values and mission. 

Ethics is the sum of the moral principles that help govern our behavior. Ethics allow us to distinguish between good and evil, between right and wrong. Ethics allow us to recognize virtue in ourselves, and in others. 

On the organizational level, the ethical guardrails designed to keep employees within the lanes of proper behavior can usually be found in the organization’s code of conduct. Moreover, properly crafted mission, vision, and values statements may also serve as ethical flashcards, reminding employees of conduct expectations and cultural goals. All told, many organizations demand rigid compliance to an array of rules, policies, and behavioral guidelines. 

At the same time, modern organizations of all types and sizes, in both the private and the public sectors, are embracing diversity. Employers are increasingly relying on a management philosophy that considers no two staffers alike. Each employee possesses their own unique truth, with distinctive background experiences, motivations, and values.   

This leads to a potential paradox. Employers are welcoming the wide range of backgrounds, opinions, and perspectives that their staff members provide, but at the same time they are demanding universal ethical conformity and compliance. Can this paradox be reconciled? Does it suggest that it is time to rethink ethical expectations and how organizations pursue them? 

Some forward-thinking security leaders have found the answer. They have begun to understand ethical behavior not as a commodity, nor a goal to be fulfilled at some point in the future, but as a sustainable organizational condition. As such, it is dynamic. The pursuit of ethics is never-ending, because the organization that embraces it is continually evolving. The organization may downsize, expand operations, take on new markets, or change focus, but because sound ethics are embedded in its culture, it and its employees act ethically, regardless of circumstances.  

And so, the paradox of prized individualism versus universal rules compliance can be resolved by the careful management—or nurturing—of the organizational culture. Thus, as Enron and its investors so painfully discovered, active culture management is essential for an ethical organization. As Eichenwald revealed, when an organization fails to manage its own culture and push ethical considerations to the fore, it becomes ripe for ethical lapses, sometimes catastrophically so.   

Below are two real-world examples of security managers who encountered ethically challenging situations in their organizations. These leaders were able to manage the culture of their firms by taking actions that had positive ethical ripple effects through the organization.  ​


To illustrate the importance of culture management to ethics, here’s how one hospital security manager—we will call her Rachel—changed her organization’s culture. 

Rachel knew she faced challenges before she accepted her position. The hospital that had hired her, which mostly served the inner-city poor, had an aging infrastructure; many of the buildings that housed the institution’s staff of more than 4,000 employees were in disrepair. The administration’s approach to selecting and using its security officer force was similarly outdated.  

As the hospital’s first new director of security services in more than 20 years, the first thing Rachel addressed was the complacency that she found in the organization’s culture. To communicate her expectations and set a new tone, she privately met with each of her 85 full-time team members. In each meeting, she asked three questions: Who is your customer? What are their needs? What have you done to meet them? 

The results were startling. Many on the team did not know whom they were serving. And many of the services that team members were offering were outside the department’s stated mission. For example, on occasion “volunteer” off-duty uniformed officers were provided for security purposes at hospital fund-raisers. The officers were expected to donate their time and work such events. Officers resented such treatment and complained, but executive management responded by questioning their loyalty to the community. 

Moreover, some of the services and practices that were being offered appeared potentially unethical. One such service was the screening of domestic help for hospital executives, several prominent doctors, and the doctors’ friends. Not only were such services a distraction, and potentially unlawful—possibly noncompliant with the Fair Credit Reporting Act—they were in conflict with the hospital’s code of conduct. It was also clear to Rachel that the delivery of these services squandered resources, adversely impacted morale, and set a poor example.  

She decided to address the matter in her first meeting with the board of directors. She opened by emphasizing the importance of culture and ethics. “Setting the tone at the top by demonstrating our ethical behavior ought to be a priority if we desire to derive the most value from our hospital’s security function,” she told the board.   

Rachel then provided the board with a new mission statement she had prepared for her department. The mission statement was crisp and on point. It included four fundamental expectations: 

  •  Treating all people with respect and dignity. 
  •  Performing and delivering all security services ethically and lawfully. 
  •  Demonstrating loyalty to the hospital and its mission to serve the community.  
  •  Embracing flexibility, innovation, and teamwork. 

She closed by identifying her team’s current activities. When she mentioned the employment screening of nonhospital applicants, she made it clear that she intended to discontinue that practice. She then discussed more beneficial current activities that she intended to renew and focus on. These activities included training for those officers responsible for the security and safety of emergency room staff; special training relative to the handling and management of violent patients and visitors; and a review of all officer benefits and compensation plans. 

Not long after the meeting, the hospital’s administrator announced her intention to undertake a top-to-bottom examination of all nonhealthcare activities at the hospital, with a focus on ethical practices and code-of-conduct compliance. Thus, without making accusations or pointing fingers, Rachel successfully altered her organization’s culture by changing its perception of ethical conduct from the top down.  ​


A regional security manager—we will call him Jose—worked for a global energy company and was based in a country in which the flow of petroleum dollars provided thousands of good paying jobs and a considerable amount of political stability. Jose’s predecessor enjoyed years of cozy relationships with both local authorities and contractors, and this inherited situation often made Jose’s job difficult.  

One of the most obvious challenges involved no-bid contracts. Technically, the organization had policies against such practices, but in actuality, long- 

entrenched relationships and favored vendors sometimes won out over the rules.  In addition, these cozy relationships sometimes resulted in unapproved add-on change orders to contracts, which meant cost overruns for Jose’s company. Privately, Jose sometimes wondered how high up the corruption went. 

Jose decided to meet the challenge head-on. He devised a five-step approach that was simple and effective. First, he met with his internal customers, such as site managers, project managers, and those responsible for operations. Together they identified needs, pain points, and priorities. 

Second, he compiled a list of action items and activities to meet those needs and priorities. He refined and affirmed the lists with his constituents. Third, he met with his suppliers and vendors, and requested information regarding their service and delivery capabilities. 

Fourth, he used all this collected information to carefully craft bid packages for the projects his customers identified as priorities, and formally presented them to each qualified vendor. Each package contained not only scoping and technical information, but regulatory compliance requirements, change order policies, and a new vendor code of ethics. Fifth, when the contracts were awarded, he held vendor orientation and safety meetings, and required sign-offs on the new vendor code of ethics.  

In the end, Jose’s professional and thoughtful approach to vendor selection and management proved rewarding. Many of the entrenched, poor performing vendors were replaced or left. Those that remained gained new respect for their customer, its business practices, and its ethical expectations.  ​


From these examples, it is easy to see that an ethical culture is a values-based one that often evolves incrementally. Small steps and straightforward actions by a single individual or group can ripple through an organization and ultimately produce seismic cultural changes.  

In these cases, Rachel and Jose were in organizations in which ethically questionable practices were apparent. But sometimes, ethical issues play out in a more oblique way. Take for example, a CSO we’ll call Robert, who worked for an international logistics organization spanning three continents. As a retired law enforcement officer from a U.S. federal agency, he had many well-placed friends both in and outside government. When needed, those friends, in addition to many former colleagues around the globe, served as both a reliable source of assistance and as fertile ground for recruiting. Robert also knew that the tactics sometimes used by his external resources did not always square with organizational policies and expectations. He ignored such exceptions and rationalized that they were merely the occasional cost of success. 

Nevertheless, over several years Robert recruited and groomed one of the finest teams of security managers in the industry. Like Robert, all team members had law enforcement experience. As a group, they shared the same values, level of professionalism, and sense of duty. In terms of the latter, they all agreed that they had a duty to bring criminal offenders—whether they be employees, contractors, or vendors—to justice.  

One day, the company’s CEO addressed the group while participating in a management budget meeting. The CEO began by reading aloud the organization’s mission statement. He then asked each manager to reflect and identify one activity that they were routinely engaged in that was inconsistent with the mission statement. 

Some chuckled or squirmed. Robert sat silent. He knew instantly that the impulse to pursue criminal offenders served neither his organization’s needs nor its mission. Instead, it was driven by his team’s sense of duty to enforce public law. While based on a clear ethi­cal impulse, the effort was not an effective deterrent, nor did it add value to the company.   

For several days, Robert considered his dilemma. He knew his team consisted of first-rate ethical professionals. However, his leadership had created a culture that put achievement of his personal ideals ahead of the ideals of the organization. Seeking a solution, he recalled what author Jim Collins wrote in his best-selling book, Good to Great: “You can’t start off by asking which direction you’re headed.…First you figure out if you’ve got all the right people on the bus.” 

 Collins suggested that making a clear-eyed assessment of key staff within an organization is one of the “brutal facts” leaders need to be willing to address as they look to set their team on the right path. “Sometimes more people need to be brought on board—and sometimes a longtime traveling companion needs to step off the bus before it can move forward,” Collins wrote. Robert realized that what his team lacked wasn’t ethical character or ability, it was diversity; every member came from a law enforcement background. What was needed was team members from different professional backgrounds, with a different base of experience and ideas.

Over the course of the next 12 months, Robert committed himself to changing his team’s culture. He embraced the idea of putting the right people on the bus; in this particular case, that meant diversifying his team and recruiting outside the law enforcement community.  

The outcome was remarkable. After two years, the culture had been transformed. Prosecutions were pursued only when they furthered the organization’s mission. In cases where they did not, other approaches were used. The most fruitful of these was restitution, where the investigation was tailored toward recovering loss, rather than prosecuting or simply firing the offender. This proved very successful; often, not only were losses recovered, but so were the costs of the underlying investigation. 

High ethical standards were still maintained in all operations; the team clearly communicated that the reduced number of prosecutions did not mean that the violations were less serious, or somehow excusable. Instead, the new approach communicated the concept that crimes of theft and embezzlement affect all members of an organization, not just the owners and shareholders, so restitution is the best course of redress for all concerned, and a sound ethical option.  

Soon, Robert’s division became nearly self-funded. Robert inverted the mindset of his team and turned his division into a profit center instead of a cost center. The transition was not painless, but it ultimately paid great dividends. Given the success of the new and more diverse hires, Robert worked with hu­­man resources to establish a new simple and effective recruiting strategy. The new strategy included recruiting constantly and deliberately; implement­ing a preemployment screening process that is ethical and has purpose; selling the organization, not the job; involving the team’s stakeholders and process-owners in the program; and focusing on the applicant’s character and values and not just his or her skills and experience. ​


In all three of the real-world examples above, the security manager made positive and ethical culture changes that in turn changed the organization as a whole. That process began with the belief that cultural change is achievable, and that the organization is capable of the change necessary to sustain a more ethical environment.  

Ethical security managers know that good results are in part the product of good planning. But culture management isn’t just about planning and resource deployment. Nor is it just about policies and codes of conduct. It is rooted in our individual behavior—how do we as security professionals behave and manage our responsibilities?  


Eugene F. Ferraro, CPP, PCI, is a member of ASIS International and an ASIS Standards and Guidelines Commissioner. He is the former Chief Ethics Officer of Convercent, Inc., and has been in­volved in the study of organiza­tional culture, governance, and compliance as it relates to asset protection and loss prevention for more than 30 years. His most recent book, Virtues & the Virtuous: Inspir­ing Lessons and Insights about Virtue, Virtuosity, and the Essence of the Human Spirit is available on Amazon.