The IT staff at Texas Health Resources Inc. must deliver more than technical functionality. And it needs to deliver more than the business requirements: It also has to meet the organization’s ethical standards.
To that end, its systems must help ensure that Texas Health complies with laws and regulations. And they also have to promote the right behaviors and prevent or flag undesirable ones, says Michael Alverson, vice president and deputy CIO at the Arlington-based nonprofit health care system.
Consider the challenge of handling patients’ medical records. Even though the federal Health Insurance Portability and Accountability Act mandates that agencies keep those records private, caregivers still need to access them—when appropriate.
So the organization’s electronic health records system gives doctors and nurses who are caring directly for patients quick access when they use the right authentication, Alverson says. But additional authentication is required to get records for patients who aren’t under the provider’s immediate care. The system records who gets access to what, allowing officials to audit and review cases to ensure there’s no inappropriate access.
The IT staff holds itself to similar ethical standards, too, Alverson says. The department has policies that prohibit taking gifts and endorsing vendors, to help guarantee that workers make procurement decisions only based on quality and needs. And when there’s any question — such as when a vendor proposes a deep discount if Texas Health agrees to be an early adopter of a new technology — IT leaders can turn to the systemwide Business and Ethics Council for guidance.
“If we really want everyone to subscribe to the idea that working at Texas Health is special, then we have to have people actively believe in doing the right thing,” Alverson says.
Companies are increasingly looking at their ethics policies and articulating specific values that address a range of issues, from community commitment to environmental sustainability, which employees can use to guide their work. The need to comply with federal laws and regulations drives some of this, while consumer expectations, employee demands and economic pressures also play a part.
“Companies use the term ‘corporate ethics’ to mean many different things. In many organizations, if not the majority, it means compliance with a set of legal and minimum standards. In other organizations, corporate ethics means defining a set of corporate values that are integral to how they go about business,” says Kirk O. Hanson, executive director of the Markkula Center for Applied Ethics at Santa Clara University.
Either way, CIOs have an opportunity to show how technology can further their companies’ ethics objectives.
“Policy decisions at the very senior level need the sensitivity that IT experts can bring to the table,” Hanson says. “CIOs will know the capabilities of IT and be able to contribute that to corporate strategy. They will also know the misuses of those capabilities and be able to flag those and prevent the organization from stepping in scandals.”
Hanson cites a 15-year-old case in which marketing workers at a large telephone company spent millions of dollars to develop a list of customers with ties to the Washington area that they planned to sell to other marketers. In violation of company policy, they compiled the list using the company’s database of customers who frequently placed calls to the District of Columbia.
Executives learned about the list before the marketing department sold it. IT then developed a system to monitor use and block future unauthorized access to such information, Hanson says. However, it came a bit late, since IT should have developed the application in advance, anticipating the need to protect the information as well as detect any efforts to breach it.
Hanson says IT today can build systems that can screen potential subcontractors and vendors to see if they share certain values. It’s also possible to create tools that flag contracts whose costs exceed expectations in ways that suggest bribery or other improprieties, or set up systems that analyze customer satisfaction surveys to find evidence of unethical behaviors on the part of workers.
Meanwhile, companies that put green initiatives at the top of their ethical concerns can have IT create applications that track energy consumption to flag anomalies that indicate inefficiencies or calculate the corporate carbon footprint and identify ways to reduce it.
“You have to step back a minute and ask, ‘What is the role of technology around ethics?’ ” says Dena L. Smith, senior technology consultant to the board of trustees at Capital University in Columbus, Ohio, and part owner of an IT consulting firm in Dublin, Ohio. “Technology can help from a monitoring, protection and prevention standpoint in a lot of ways.”
The notion of corporate ethics hasn’t always been so broad, says Mike Distelhorst, a law professor at Capital University Law School, a former adjunct professor of business ethics at the Capital School of Management and Leadership and former executive director for the university’s Council for Ethical Leadership.
More Than Compliance
Corporate ethics for a long time simply meant compliance with laws and regulations, Distelhorst says. But in the early 1990s, business schools started to emphasize the idea of integrity-based ethics, where companies developed ethics statements based on their own values and priorities and not just compliance with federal and state rules. Motives range from pure altruism to the notion that good ethics make for good business.
Still, he says, few companies are leaders in integrating their corporate responsibility programs into their day-to-day business dealings.
“You’d be hard-pressed to find any company that doesn’t have a beautiful ethics and compliance program,” Distelhorst says. “They’re talking about it, and they’re working it all out in various strategic documents. But the question is whether they’re actually living by it. Some are, and clearly some aren’t.”
Regardless of where a company stands in the process, IT leaders should be ready to contribute, he says.
“These policies are worked out on the ethics and compliance committees below the board level, and they’re having the CIO as a key player,” Distelhorst explains.
That’s the case at Intel Corp., says the company’s CIO, Diane Bryant.
Intel’s Ethics and Compliance Oversight Committee established the following five principles for the company and its workers: Intel should conduct business with honesty and integrity; the company must follow the letter and spirit of the law; employees are expected to treat one another fairly; employees should act in the best interests of Intel and avoid conflicts of interest; and employees must protect the company’s assets and reputation.
Intel’s IT staff builds and maintains the systems that allow the company to meet its legal and regulatory requirements, such as those laid out for accounting and governance by the Sarbanes-Oxley Act, Bryant says. It also developed applications and a team of workers to handle document retention, which is crucial should there be a legal case with electronic discovery requests.
But IT also enables Intel to enforce its own values, and not just meet regulatory requirements, Bryant explains. So there are applications to help perform rigorous checks on suppliers to ensure that they have sufficient business continuity plans and environmental sustainability plans as well as ethical stances that match Intel’s own.
IT has also delivered sophisticated systems that monitor the power consumption and carbon dioxide emissions of Intel’s data centers. And it developed systems that monitor for potential malicious behavior, such as violations of access management rights or the public release of Intel’s intellectual property.
“We put solutions in place that help protect Intel’s five principals,” Bryant says.
Few companies are that advanced in their use of technology to further an ethical agenda, says John Stevenson, a former CIO who is now president of JG Stevenson Associates LLC, an IT management consultancy in Plano, Texas.
“The level of sophistication offered by CIOs varies,” he says. “Some CIOs prefer to stand back and hear what the companies want to do. They’re the ones taking orders.”
Anemic leaders might do nothing more than block access to inappropriate Web sites, Stevenson says. Those at the next tier might deploy applications to comply with the laws that govern their businesses, but they probably wouldn’t have systems that monitor or report on how their organizations meet higher-level, company-specific ethical objectives.
“There are really only a handful of organizations that have effectively used IT to support the ethics and corporate responsibility programs of their organizations,” the Markkula Center’s Hanson adds.
He says Corporate America is only now slowly moving from making commitments to certain ethics and values to actually putting them into practice.
“Companies recognize that they have to be on record as being committed, but they’re not yet as convinced that they have to manage it like other parts of their business,” Hanson explains.
But when companies do decide to move in that direction, that’s when CIOs can shine, offering ideas on what metrics to use and what to measure.
“That’s where IT can be a real leader,” Hanson says, “since they know what can be measured and captured.”
Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at firstname.lastname@example.org.