Developing Meaningful Ethics and Compliance Data · 4 | +1 952 933 4977 or 888 277 4977 7 McNulty Memorandum Factors – Effectiveness of Governance: • Do directors exercise independent

1

Society of Corporate Compliance and Ethics

6500 Barrie Road, Suite 250, Minneapolis, MN 55435, United States

www.corporatecompliance.org | +1 952 933 4977 or 888 277 4977

Program AssessmentDeveloping Meaningful Ethics and Compliance Data

Anthony Tocco Larry Parsons T. Dean MainesDirector of Enterprise Compliance Vice President, President, SAIP Institute

DTE Energy Business Conduct and Ethics University of St. Thomas

Freescale Semiconductor, Inc. Opus College of Business

www.corporatecompliance.org | +1 952 933 4977 or 888 277 4977 2

Background: Why Evaluate Program Effectiveness?

• Required under Federal Sentencing Guidelines and DOJ McNulty Memorandum

• Identifies gaps and weaknesses within and across your various programs

• Tells you the “big picture” – How are you doing as an organization?

• Creates leadership support

• Results matter

2


Federal Sentencing Guidelines - §8B2.1. Effective Compliance and Ethics Program

(a) To have an effective compliance and ethics program, for purposes of subsection

(f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall—

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

(b) Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:

(1) The organization shall establish standards and procedures to prevent and detect criminal conduct.

(2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.

Guidelines Standard§8B2.1 (b) :

(b) Due diligence and the promotion of an organizationalculture that encourages a commitment to compliance with the law within the meaning of subsection (a) minimally require the following steps : …

(5) The organization shall take reasonable steps -(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program


What does “due diligence” mean for your organization?

• What is reasonable and prudent?

• Is there an industry standard?

• Is it the same degree of care used for other management priorities within a prudent organization?

• What are the hallmarks of due care for management priorities?

– Resources to do it right

– Metrics + Trending to measure progress

– Accountability for results

– Rewards/incentives

– Responsive action to improve points of weakness

3


McNulty Memorandum

Corporate Compliance Programs: two overarching questions:

1. Is the compliance program well designed?

2. Does the compliance program work?


McNulty Memorandum

Factors:

• Comprehensiveness of the compliance program

• Is compliance program a “paper program” only, or has it been adequately implemented?

• Are resources adequate?

• Are employees adequately informed about the program?

• Do employees have confidence in the corporation’s commitment to the program?

• Extent and pervasiveness of the misconduct

• Level of employees with responsibility for the program

• Remedial actions taken (restitution, discipline, revision of thecompliance program)

• Promptness of self-disclosure

4


McNulty Memorandum

Factors – Effectiveness of Governance:

• Do directors exercise independent review or merely ratify recommendations of management?

• Are directors given adequate information to allow independent judgment/oversight?

• Are internal audits adequately funded?

• Have directors established adequate internal reporting mechanisms?


What to Assess

• Your program itself

– Starting Point: Track the Guidelines

– Activities (measurement examples)

• Contacts

• Investigations

• Training Completions

– Culture (measurement examples)

• Ethics Related Actions

• Employee Opinion

• Employee Action

5


Elements This Session will Cover

• Code of Conduct

• Policies and Procedures

• Governance

• Surveys

• Risk Assessment

• Ethics Training and Communications

• Auditing and Monitoring

• Avenue for employees to seek ethics advice

• Anonymous reporting

• Incentives and Discipline - Consequences for misconduct

• Assessment Tools

Source: National Business Ethics Survey 2005, Ethics Resource Center


Process and Takeaways

• Activities

– Presentations

– Table Work

– Group Discussion

• Takeaways

– Program Assessment Tool

– Possible Survey Questions

– Metrics examples

– Checklists

6


Program Evaluation – Some Third Party Resources

Measurement & Metrics Guide: Performance Measurement Approach and Metrics for a Compliance & Ethics Program

www.oceg.org/view/NMG

Ethical Leadership Group:

www.ethicalleadershipgroup.com/assessment.psp

Corporate Leadership Counsel:

www.clc.executiveboard.com/public/ourservices.aspx




Program AssessmentCommunications and Training

Larry Parsons Freescale Semiconductor

7


Freescale – Company Overview

Semiconductor design and manufacturing company established in 1953

� Focused on the networking, automotive, wireless communications, industrial control and consumer electronics markets

� Engaged with 10,000+ customers globally; over 100 of the top electronic manufacturers

� $5.7 billion in revenue in 2007

� Headquartered in Austin, Texas

� 24,000+ employees in over 30 countries

� Separated from Motorola in 2004 (IPO/Spin)

� No. 368 on Fortune 500 list in 2006

� Leveraged buyout by consortium of private equity funds completed December 1, 2006

� Listing on NYSE ceased on December 1, 2006


Freescale – Ethics Communications Plan

• Planning – Develop communications plan at beginning of year.

• Elements

– Summit (Freescale Employee Intranet Portal) Articles

– Ethics in Action

– Ethics IQ

– Recurring specific subjects (Insider Trading, Confidential Information, Export Compliance)

– CEO Messages

– External Communications

– Town Hall Materials for Management

– Newest Element: Ethics Blog

8


Freescale Sample – Summit (Intranet) Article

It’s not easy being green:An emphasis on the environment8 February 2008

Kermit the Frog says, “It’s not easy being green.” I doubt that the Muppet was talking about the semiconductor industry, but I believe his statement fits. The world grows more conscious about the environmental impact ofhazardous materials and energy consumption. Companies are modifying their products, processes and packaging – making their products better for the environment and more attractive to customers.

Environmental efforts feed our bottom line

Freescale’s Environmentally Preferred Products (EPP) program spent years implementing low lead (Pb) content chip packages without mercury, cadmium, hexavalent chromium, or two brominated compounds – PBB and PBDE. We also implemented programs with our suppliers to ensure they minimized these hazardous substances.

The EPP team certifies that each new product and component is free from 39 Freescale banned substance groups. We also certify that our products meet today’s regulatory and customer requirements for hazardous substance content.


Freescale Sample – Ethics in Action

Freescale's Impeccable Ethics in action:

Corporate credit cards are only to be used to pay approved company expenses

18 April 2008

Maintaining our commitment to Freescale’s Impeccable Ethics fundamental requires constant diligence in our daily job responsibilities. Periodically, we publish a summary of a recent matter handled by Freescale’s Office of Business Conduct and Ethics (OBCE), including the outcome and how the situation should have been handled consistent with our Code of Business Conduct and Ethics (the Code) and commitment to a culture of impeccable ethics.

Obviously, discussing any issue handled by the OBCE has an educational and awareness benefit that must be balanced against issues of privacy and confidentiality. As such, all identifying information (such as names and places) has been removed from this summary. If you are familiar with the situations described in this article, we ask that you not disclose the names of the individuals involved or any other details.

Read on for this month's Impeccable Ethics in action article.

9


Freescale Sample – Test Your Ethics IQ

Test your ethics IQ:What would you do? 22 February 2008

We all face ethical choices each day as we carry out our responsibilities for Freescale. Test your ethics IQ by reading the scenarios below and selecting the best course of action. Do your responses support Freescale’s commitment to Impeccable Ethics?

Scenario one:

A good friend of yours is employed by a Freescale customer. He recently sent you an e-mail that his employer received from a Freescale competitor thatcontained test specifications for a product being developed by the competitor. The test specifications provide some technical information that would be useful to your department’s development of a similar product line for Freescale.

What should you do with the e-mail?

• Thank your friend for the information and send copies of the e-mail to all of the managers and engineers working on the similar Freescale product line.

• Consult with your manager before distributing the e-mail information.


Freescale - Internal Program Communications 2007

1Q2007

2Q2007

3Q2007

4Q2007

Jan -- iCAP and Records Management policies and processes, Emails: SLT, employees

Mar 23 – Freescale Remains Committed to Impeccable Ethics; Summit Feature, Parsons to all employees,

Apr 20 –He Met the Deadline But Violated Our Code – intentional misreport of costs; Summit Feature, Ethics in Action, all employees:

Jun 22 – Protecting Confidential Information, Summit Feature, Test Your Ethics IQ, all employees

Jul 20 – Personal Relationships, Summit Feature, Test Your Ethics IQ, all employees:

Sep 21 – They Used Freescale Assets for Personal Benefit – misuse of company assets; Summit Feature, Ethics in Action, all employees

Sep 27 – 2007 American Business Ethics Award; Summit Feature; All Employees

Oct. 1 – Summit Feature – Insider Trading Policy Reminder

Oct 19 – Gifts and Entertainment, Summit Feature, Test Your Ethics IQ, all employees

Dec 8 –Guidelines for Holiday Gift Giving and Receiving; Parsons Email to all employees

10


Freescale – Training Plan

• Planning – Rolling three year plan for training

– Courses (Risk Assessment)

– Audiences

– Timing

– Year to year modification

• Coordination with other functions

– Human Resources – Training function (to mesh with other training initiatives

– Communications


Measurement of training programs

1. Content and objectives

2. Courses and target audiences

3. Total attendance

4. Percentage of target audience who attended

5. Format (e.g., live, computer-based)

6. Names and credentials of trainers

7. Materials provided to attendees

11


Freescale Ethics and Compliance Training - 2007

Feb – Completion of online Code course by approximately 900 employees previously exempted because of attendance at instructor-led ethics course

Apr - Two courses, FCPA and Antitrust, approximately 1500 employees in each course, Communications, Sales, Strategy, Procurement, Finance

1Q2007

2Q2007

3Q2007

4Q2007

Jun – Two courses, Whistleblowing and Conflicts of Interest, approximately 2000 employees in each course, Executives and Managers

Nov – two courses, Ethical Principles and Practical Ethics, approximately 1000 employees, Managers and Individual Contributors, Malaysia

Oct – E-compliance & Careful Communications, approximately 11,000 employees, Executives, Managers and Individual Contributors

Jan - Completion of iCAP/Records Management online course regarding new policies, 17,000 employees with emailJan - Board of Directors Education Session

May - Board enrolled in online Code course




Program AssessmentGovernance


12


Freescale: Audit and Legal Committee Charter

Business Conduct, Ethics and Compliance

16.The Committee will review the Company’s business conduct and compliance policies and programs. In connection with such review, the Committee will:

– Receive periodic reports from the ethics and compliance officer regarding ethics and compliance.

– Periodically meet separately with the ethics and compliance officer without other senior management present.

– Obtain reports from management, the Company’s internal audit director and the independent auditor that the Company and its subsidiary/foreign affiliated entities are in conformity with applicable legal requirements and the Company’s Code of Business Conduct.

– Advise the Board with respect to the Company’s policies and procedures regarding compliance with applicable laws and regulations and with the Company’s Code of Business Conduct.


Business Conduct & Ethics Organization

Larry Parsons

Vice President , Business Conduct

and Ethics

Code of Business Conduct and Ethics

Human Resources Compliance Issues

Regulatory Compliance and Governmental Affairs

Compliance Special Projects

InvestigationsEthics and Compliance

Training

• Records Management

• Data Privacy

• Corporate Social Responsibility

• Supplier Certifications

• Code of Business Conduct and Ethics

• ETHICSline

• BCE Committees

• EEO

• Immigration

• OFCCP

• Regulatory Compliance

• Trade Compliance

• Government Relations

• EPP Function

• EHS Audit

• FCC/CE

• Risk Assessment

13


The Eight Elements of an Effective Ethics and Compliance Program

Management Support & Resources

Clear WrittenStandards & Controls

Effective Training & Communication

Consistent Monitoring, Evaluation & Reporting

Response & ContinuousImprovement

Periodic Risk Assessment

Due Care in Delegating Authority

Consistent Enforcement

• VP, Ethics & Compliance

• Resources

• Freescale Business Conduct & Ethics Leadership Team (“FBCELT”)

• FSL Code of Business Conduct & Ethics

• Ethics & Compliance policies

• Initial & Ongoing

• All Employee Training

• Senior Leadership

• Board

• FSL ETHICSline

• FBCELT

• Audit & Legal Committee

•SOX Disclosure Committee

• FSL Fundamental –Impeccable Ethics

• Performance Mgt. & incentives aligned

• Disciplinary Actions

• Track record of integrity prior to delegation

• Screening of new hires

• Business Integrity Questionnaires

• ERM Process

• Review & amend program after problems occur

• Senior Leader Meetings


Consistent Enforcement and Alignment of Incentives

Impeccable Ethics

> Follows the Freescale code of conduct> Acts with integrity> Communicates openly and honestly> Treats everyone with respect and fairness

Creates an environment where employees want to do the right thing

Manager specific

Maintain our commitment to being the most ethical company in the business

Freescale

Innovation

Speed

CustomerFocus

FundamentalsImpeccable

Ethics

Ownership

14


ETHICSline Contacts

OBCE Contact Statistics 2005 2006 2007

•Total Contacts Received by the OBCE *** *** ***

Anonymous Contacts 17 35 36

Unsubstantiated Allegations 18 14 23

Anonymous with Unsubstantiated Allegations 5 11 8

Contacts Immediately Reported to the

Audit/Legal Committee4 0 2

Contacts Leading to Employee Termination 7 7 6

Total Employee Terminations 9 10 6


ETHICSline Contacts

US

Unknown

LatAm/Can

EM EA

AsiaPac

2005 2006 2007

N/ A

P ol i cy

Gui dance

Issue

Repor ted

A ppr oval

per P ol i cy

2005 2006 2007

Securit y

Misc & Other

Human

Resources

Finance

EHS

Code of

Conduct2005 2006 2007

Contacts by Region

Contacts by Category Contact Type

15


ETHICSline Contacts

United States

LatAm/Can

EM EA

AsiaPac

Referred Out

OBCE

Investigation

Immediate

Response

2005 2006 20072005 2006 2007

31+ Days

15-30 Days

3-14 Days

0-2 Days

Employee Terminations Contact Cycle Time Handling and Response

2005 2006 2007


Standards, Monitoring and Reporting

� Freescale Code of Business Conduct and Ethics

� Audit and Legal Committee Meeting

� Quarterly Meetings:

Freescale Business Conduct and Ethics Leadership Team

Regional Business Conduct and Ethics Committees

Country Manager Meetings

Disclosure Committee

� Reports:

Monthly Contacts Report

Audit Committee Reports

Year End Metrics

� Regular Communications on Program

Ethics in Action

Test Your Ethics IQ

Summit Articles

16




Program Assessment Using Employee Surveys to Measure Ethical Climate



Why Do an Ethical Climate Survey

• What is it?

– a measure of employee perceptions of the practices and behaviors that get rewarded and supported with regard to ethics in the workplace

• Why do it?

– Useful for assessing the current state of your organization’s ethical climate

– Signals to employees and other stakeholders that their opinions are valued, and that the organization is committed to acting with integrity

• But, done poorly, with no visible actions after the survey, and it will be viewed as management “papering the file”

• Credit Where Credit is Due

– For portions of this section of my presentation, I relied heavily on the following article: Tiffany McDowell, PhD and Jose Tabuena, JD, CFE, CHC, Measuring Your Organization’s Climate for Ethics: The Survey Approach, Society of Corporate Compliance and Ethics, August 2007

17


Freescale’s Employee Survey – “FreeSpeak”

Background:– Freescale partnered with Corporate Leadership Council Solutions to create and implement

FreeSpeak, our employee engagement survey

– The survey leverages the question bank of CLC solutions to permit comparisons of employee engagement levels with other companies

– Freescale first conducted the survey in April 2005, one year after we launched as an independent company, and within six months of separating from Motorola

– We conducted two surveys a year in 2005, 2006 and 2007. Beginning with our next survey in September 2008, we will conduct our survey on an annual basis

Objectives:– The employee engagement survey is a key element in Freescale’s cultural transformation.

– Survey results serve as the key measure of our progress in realizing the desired Freescale culture

– Provide employees a forum for their feedback on the Freescale work environment

– Identify areas for improvement at team, organization, division and corporate levels – (Ex: Customer Loyalty – Key focus area in 2008)

– Provide feedback directly to managers


What is Measured?

Results measure four aspects of cultural change:

– Alignment to the Freescale Fundamentals

– Employee opinions on how effective managers are in leading a high-performance culture

– Employee engagement levels, a measurement proven to have strong correlation to company performance

– Retention index, which is reflective of employees’overall intent to stay

Freescale Fundamentals

Manager Effectiveness

Employee Engagement

Retention Index

18


Freescale Overall Results

Cultural Dashboard

0.4

1

0.4

1 0.5

7

0.3

8

0.4

8

0.5 0.5

9

0.4

3

0.4

9

0.5

1

0.6

0

0.4

40.5

0.5

1 0.6

0.4

5

0.4

9

0.5

2 0.6

0.4

-1

-0.8

-0.6

-0.4

-0.2

0

0.2

0.4

0.6

0.8

1

Fundamentals Manager

Effectiveness

Engagement Retention Index

Strongly Agree

Disagree

Agree

StronglyDisagree

Fundamentals

0.5

0

0.5

2

0.4

5

0.3

6

0.3

2

0.3

3

0.5

8

0.5

8

0.4

8

0.4

2

0.4

4

0.4

20.5

9

0.6

0

0.5

0

0.4

5

0.4

5

0.4

4

0.6

0.6

0.5

0.4

8

0.4

7

0.4

5

0.4

60. 6

0. 5

6

0. 5

1

0.4

6

0.4

9

0.4

4

0. 4

7

-1.00

-0.80

-0.60

-0.40

-0.20

0.00

0.20

0.40

0.60

0.80

1.00

Ethic

s

Cust

omer

Focu

s

Owner

ship

Innova

tion

Speed

Gre

at T

alen

t

Colla

borat

ion

GoalGoal

Key Findings

Strengths & Most Improved:– Engagement continues to be the strongest of the four dashboard indicators

– Ethics and Customer Focus continue to be the strongest Fundamentals

– Speed showed the most improvement, increasing by +.02

Areas for Continued Improvement – Retention Index (Intent to Stay)

– Customer Focus

2Q05 4Q05 2Q06 4Q06 2Q07


Law Department Results

Cultural Dashboard

0.6

2

0.6

6

0.6

8

0.6

0

0.6

9

0.7

4

0.7

5

0.6

9

0.6

6

0.6

8

0.7

3

0.6

5

0.6

2

0.6

2

0.7

1

0.6

0.6

1

0.6

7

0.6

9

0.40.4

9

0.5

2 0.6

0.4

-1.00

-0.80

-0.60

-0.40

-0.20

0.00

0.20

0.40

0.60

0.80

1.00

Fundamentals Manager

Effectiveness

Engagement Retention Index

Strongly Agree

Disagree

Agree

StronglyDisagree

Fundamentals

0.7

6

0.6

4

0.6

4

0.5

3

0.5

8

0.5

5

0.8

3

0.7

2

0.6

9

0.6

4

0.6

0

0.6

20.7

9

0.7

3

0.6

8

0.6

0.5

9

0.5

0.7

7

0.6

9

0.6

3

0.6

1

0.5

4

0.5

7

0.5

8

0.8

1

0.6

2

0.6

1

0.6

1

0.5

5

0.5

8

0.5

7

0.6

0.5

6

0.5

1

0.4

9

0.4

7

0.4

6

0.4

4

-1.00

-0.80

-0.60

-0.40

-0.20

0.00

0.20

0.40

0.60

0.80

1.00

Ethic

s

Cust

omer

Focu

s

Owner

ship

Speed

Colla

boratio

n

Innova

tion

Gre

at T

alen

t

GoalGoal

Key Findings

Strengths & Most Improved:– Engagement and Manager Effectiveness scores are the strongest indicators

– Ahead of the rest of Freescale on all Fundamentals

Areas for Continued Improvement – Retention Index dropped dramatically, by .2

– While still ahead of Freescale overall, most areas continue to decline

2Q05 4Q05 2Q06 4Q06 2Q07 FSL

19


Sample - Calendar & Expectations

� 22 January Manager Reporting Tool available: www.clcmetrics.com/ManagerTool

� 15 February Share results with your manager and direct reports

� 28 February Work with manager and team to formulate your action plan

� 15 March All M1 & above managers must document action plans within the Talent Pipeline Management (TPM) tool:

https://summit.freescale.net/irj/portal

All supervisors must document action plans within the Performance

Management (PM) System: https://summit.freescale.net/irj/portal

� Ongoing Schedule regular follow up dialogues with your employeesand manager to highlight progress and solicit support neededduring the year.

Update your progress to action plan via TPM - M1 & above managers and via Performance Management tool - Supervisors


Sample - Action Planning Expectations

• All supervisors and managers are expected to meet with their direct managers and teams to develop action plans around their individual and/or organizational FreeSpeak results.

• Supervisors and managers with less than three (3) respondents will not receive a feedback report, however, they are strongly encouraged to align and utilize their direct manager and/or organizational feedback to develop action plans.

• Goal is to have an action plan in place for 100% of our Freescale management population to ensure we’re working together to drive the changes needed within our culture.

• OBCE Specific Actions: Review all results to identify ethics “hotspots,” specific locations or organizations with low scores. Action plans developed around those locations, organizations and managers.

20


Ethical Climate Survey on a Budget

• Recognize that not everyone will have budget approved for a third party survey

• Doing it yourself

– There is no single right approach to measuring a climate for ethics

– Step 1: Determine your survey objectives

• Why conduct a survey

• What will you do with the results

– Step 2: Identify your audience

• All employees or random sample

• Suggest – combine with senior leader interviews and focus groups

– Step 3: Determine Response Scale

• Not a testing expert, but some suggestions

– Step 4: Determine method of administration

– Step 5: Administer the survey

– Step 6: Assess the results and develop communication and action plans


Survey on a Budget – A Word about Wording

• Keep your questions short

• Avoid jargon and acronyms

• Avoid requiring inaccessible information (“How does our ethics program compare to the programs of our competitors?”

• Avoid hypothetical questions (“What would you do if…”)

• Avoid leading questions (“Most people feel…do you agree”)

• Use multiple questions on the same topic

• Don’t make the survey too long

• Provide a comments section at the end

21


Table Work: Ethical Climate Survey

• Table Work:

– Develop your “case” for conducting a survey

– Develop your plan for using the results

– Develop questions for a basic Ethical Climate Survey

• General Format for a Survey (Handout - initial survey draft):

– Use Suggested Survey Areas to Develop Questions

– Review Suggested Case Statement, Plan for Use and Questions as aGroup

• Output: Compilation of items identified by group for inclusion in draft survey. Distribution after event of survey tool, statement of reasons for conducting survey, and plan for use of results.


Compliance and Ethics – Suggested Survey Areas

– Observations of perceived misconduct

– Willingness to report misconduct/violations and violations in fact are reported when they are perceived to occur

– Perceptions about the organization’s responsiveness to misconduct

– Fear of retaliation for reporting concerns

– Willingness to seek help within the organization for ethical issues

– Supervisors demonstrate/pay attention to ethics

– Leadership demonstrates/pays attention to ethics

– Open discussion of ethics in the workplace encouraged

– Ethical behavior rewarded at all levels

– Unethical behavior punished at all levels (management accountability)

– Perceptions of fair treatment in the workplace

– Employee willingness to deliver “bad news” to management

– Employee knowledge of workplace rules

– Employee “commitment” to the organization

– Confidence in preparedness to respond to ethical situations

22




Program AssessmentPolicies and Procedures

Dean Maines SAIP Institute, University of St. Thomas


University of St. Thomas: Corporate Ethics Activities

• Ethics & Business Law

– Teaching

– Case Studies

– Other Research

• Support & Collaboration – Practitioners

– Center for Ethical Business Cultures

– SAIP Institute

23


Policies and Procedures: Role and Function

• Provide guidance on recurring/critical issues;

• Communicate standards/expectations for employee behavior within specific areas;

• Supplement and support a company’s code of conduct;

• Help prevent unethical or illegal conduct;

• Other…


Policies and Procedures: Sample Topics

• Questionable payments to government officials and other agents

• Financial representations

• Document management

• Confidentiality

• Supplier selection

• Employee participation in political campaigns

• Other…

24


Policies and Procedures: Effectiveness Issues

• How does the organization formulate its policies?

– Assessment of principal operational and legal risks

• How are policies communicated?

• How is employee understanding developed and assessed?

• How is policy compliance monitored?

• What process is used to ensure policies are periodically reviewed and updated as needed?


Policies/Procedures: Sample Process Metrics

• Development

– Periodic review of risk assessment results to identify/initiate new policies or policy revisions;

– Periodic review of emerging legal/regulatory requirements to identify/initiative new policies or policy revisions.

• Communication

– Prompt orientation of new employees to applicable policies and procedures;

– Prompt notification/orientation of existing employees to revisedpolicies.

25


Policies/Procedures: Sample Outcome Metrics

• Development

– Policies/procedures cover principal areas of operational and legal/regulatory risk

• Effectiveness

– Audit results: Number and nature of errors where new/revised policies have been implemented

• Communication

– Audit results: Interviews suggest employees understand policy and procedural requirements




Program AssessmentAuditing and Monitoring


26


Auditing and Monitoring: Terminology

• Auditing:

– Review of compliance with internal or external standards, conducted by independent staff;

– May be repeated periodically;

– Usually focuses on high risk areas/activities.

• Monitoring:

– Compliance review, typically conducted by operational management;

– Repeated regularly, usually part of normal operations;

– May be focused or broad in scope.


Auditing and Monitoring: Role and Function

• Test current compliance with internal policies and procedures and legal/regulatory requirements

• Assist risk management efforts

– Identify possible illegal behavior or misconduct;

– Help correct non-compliance.

• Provides evaluation of compliance processes and activities

– E.g., effectiveness of training, screening, etc.

• Facilitate improved compliance effectiveness over time

• Other…

27


Auditing and Monitoring: Effectiveness Issues

• How is planning for auditing/monitoring addressed?

– Is there a written auditing/monitoring plan?

– How does the organization determine which areas or activities are targeted for auditing and monitoring?

– How frequently are risk areas reviewed and auditing/monitoring plans updated?

– Is the plan consistent with the organization’s size, complexity, and scope of operations?

– Are adequate resources available?

• How does the organization ensure that independent and properly trained audit resources are utilized?


Auditing and Monitoring: Effectiveness Issues

• How and when are appropriate parties notified of outcomes, including adverse findings?

– Compliance officer

– Local management

– Senior management

– Board of directors

– Governmental agencies

• Are corrective plans developed and implemented to address adverse findings?

• How are results used to enhance the organization’s ethics/compliance program?

28


Auditing/Monitoring: Sample Process Metrics

• Establishment of written annual plan/budget

• Periodic progress reports

– Status of planned activities

– Budget status

– Identification of special implementation issues

• Prompt communication to appropriate parties of major findings and corrective action requirements

• Establishment of corrective action plans

• Periodic progress reports against corrective action plans


Auditing/Monitoring: Sample Outcome Metrics

• Adverse findings for current year

– Number;

– Nature (e.g., degree of seriousness);

– Required corrective action.

• Trend data

– Overall number/nature of adverse findings

– Results from repeat audits

• Issue: Do trends suggest an improvement in the organization’s understanding of compliance requirements and adherence to those requirements?

29




Program AssessmentIncentives and Discipline



Incentives and Discipline: Role and Function

• Promote conduct that is ethical and legal

• Deter and sanction unethical and illegal conduct

• Signal the importance of ethical conduct and legal compliance to employees at all levels

• Other…

30


Incentives and Discipline: Relevant Systems

• Performance Assessment

– Organization:

• Balanced/Integrated Scorecard

– Individual:

• Performance Management

• Compensation

• Recognition

• Discipline Policy and Procedures


Incentives and Discipline: Effectiveness Issues

• How is ethics/legal compliance highlighted in the company’s operating plan and assessments of its performance? In plans/assessments of key subunits?

• How is ethics/legal compliance factored into the work plan, performance assessment, and compensation of individual employees, from the CEO on down? What weight is assigned to these criteria?

• How does the organization recognize employees who “did the right thing” in difficult circumstances?

31


Incentives and Discipline: Effectiveness Issues

• Does the company have a written policy that specifies:

– What conduct merits discipline;

– Factors to be considered in assigning discipline;

– The range of possible disciplinary actions; etc.

• How are disciplinary standards communicated?

• How does the company ensure fair and consistent application of its disciplinary guidelines?

• How does the company publicize instances of misconduct and discipline?


Discipline: Example - Publicizing Misconduct

• Business Ethics Bulletin: Opening up the dialog about how to better live our values

In 2004 [the company] terminated 18 employees who failed to follow company policies or industry regulations. The following is a sampling of the issues that arose, and some lessons to be learned from them.

Situation #1

A research analyst was terminated for misrepresenting the analyst’s identity in the marketplace in order to obtain information that this person would not have been able to get had the analyst’s affiliation with [the company] been disclosed.

Addressing the Issue

The [company’s] Code of Ethics and Business Conduct identifies common areas in which ethical issues might arise and provides guidance for carrying out our responsibilities and observing the highest standards of ethical conduct. While not an exhaustive list of issues, the Code does specifically address competition and fair dealing. In part, it states:

We seek to outperform our competition fairly and honestly. Misappropriating proprietary information, possessing trade secret information that was obtained without the owner’s consent, or inducing such disclosure by past or present employees of other companies is prohibited. You must respect the rights of and deal fairly with our customers, suppliers, competitors and employees.

Other industry regulations that deal with this issue include:

– SEC Regulation SP

– NASD Rule 2110- Standards of Commercial Honor and Principles of Trade

– NYSE Rule 476(a)(6)

32


Incentives/Discipline: Sample Process Metrics

• Incentives

– Performance on ethics/legal compliance factored into organizational assessments (company, subunits)

– Performance on ethics/legal compliance is factored into employee assessments and compensation/recognition decisions

• Discipline

– Prompt orientation of new employees to disciplinary policy;

– Prompt notification/orientation of existing employees to policy revisions;

– Regular maintenance of discipline records for ethics/compliance violations;

– Periodic review of discipline records for consistency/fairness;

– Prompt reporting of disciplinary actions to appropriate parties.


Incentives/Discipline: Sample Outcome Metrics

• Incentives

– Overall company rating for ethics/legal compliance;

– Ratings of organizational subunits;

– Number/percentage of employees who satisfy ethics/legal compliance elements within their work plan

• Discipline

– Number of employees disciplined for ethics/compliance violations;

– Types of disciplinary actions taken;

– Assessment of disciplinary fairness/consistency;

– Audit results: Employee understanding of disciplinary policy;

– Survey results: Employee perception of disciplinary fairness/consistency.

33




Code of Conduct

Anthony M. Tocco CCEP, CIA, CFE

Director, Enterprise Compliance

DTE Energy

Detroit, MI


Elements of an Effective Code of Conduct

• Organization

– Includes a Table of Contents

– Utilizes subject headings to separate topics

– Organized by company/industry risk areas

– Considers appropriateness of document length (average 5,000 – 7,000 words)

THE DTE ENERGY

WAY

THE DTE ENERGY

WAY

34



• Content

– Includes an executive statement of commitment and support

– Ties to company’s values, principles, etc.

– Applies to all levels of the organization

– Outlines behavioral expectations of employees

– Communicates a commitment of ethics and compliance to employees,customers, vendors, shareholders and the community

– Emphasizes non-retaliation policy throughout the document (i.e. table of contents, executive statement, separate heading, hotline section, etc.)

– Describes company policy on enforcement and discipline involvingCode violations



• Writing Style

– Keep it simple (i.e. high school level of reading)

– Translate to all foreign languages as needed

– Use “active” voice whenever possible

– Ensure correct spelling, punctuation and grammar

35



• Educational Resource

– Provides names and links to supporting policies, values, etc.

– Incorporates examples, scenarios and/or frequently asked questions

– Prominently displays information on the company hotline program

– Instructs readers on how to report concerns (i.e. hotline)

– Includes contact information for referenced resources (i.e. security, ethics, etc.)



• Distribution

– Easy to access by employees and the public

– Provided to new hires in print

– Requires employee signed acknowledgment and commitment

– Integrated into employees’ performance goals and evaluations

– Includes a regular review and revision cycle or process

– Integrated into periodic training programs and other company initiatives

36



• Branding

– Identifies with program name and/or graphics

– Incorporates company logo and colors throughout

– Includes photos of company facilities, personnel, community, etc.




Hotlines



DTE Energy

Detroit, MI

37


Elements of an Effective Hotline

Relevance

Federal Sentencing Guidelines Sec.8B2.1(b)(5)

“The organization shall take reasonable steps to have and publicize a

system, which may include mechanisms that allow for anonymity or

confidentiality, whereby the organization’s employees and agents

may report or seek guidance regarding potential or actual criminal

conduct without fear of retaliation.”



Relevance

Sarbanes-Oxley Act - Section 301(4)

“Each audit committee shall establish procedures for:

(A) the receipt, retention, and treatment of complaints received by

the issuer regarding accounting, internal accounting controls, or

auditing matters; and

(B) the confidential, anonymous submission by employees of the

issuer of concerns regarding questionable accounting or auditing

matters.”

38



Relevance

• Proactively prepares for increased enforcement actions by regulators

• Protects organization’s reputational integrity

• Supports compliance and ethics program

• Promotes employee engagement

• Provides risk management data point



Hotline Objectives

• Meet regulatory requirements

• Easy access, simple to use, and available

• Single repository of reported misconduct

• Resource guide for ethical dilemmas

39



Shareholder Expectations

• No fear of retaliation

• Confidential

• Anonymous

• Reports are thoroughly investigated

• Feedback on status

• Resolution



Methods of Measuring Effectiveness

• Independent audit

• User survey

• Industry benchmarks

• Internal metrics

40



Measurements of Effectiveness

• Clear accountability for administration

• Clear accountability for investigation

• Consistent application of protocol

• Reporter awareness

• Process metrics

• Reporter trust

• Policy, procedure or control modifications

• Report volume and tracking

• Integration with other programs

• System availability

• Communication strategy




Number of days to respond to a question

Source: Ethical Leadership

Group and ECOA, October 2006

Days 2006

1 Day 38%

2 Days 16%

3 Days 10%

4–13Days 16%

14+ Days 16%

41




Number of days to close a case involvingan allegation

Source: Ethical Leadership

Group and ECOA, October 2006

Days 2006

1- 3 Days 2%

4 - 10 Days 13%

11 - 21 Days 33%

22 - 30Days 35%

30+ Days 17%




Risk Assessment



DTE Energy

Detroit, MI

42


Elements of Effective Compliance Risk Assessments

• Usefulness

– Supports Federal Sentencing Guidelines expectations

– Integrates with Enterprise Risk Management (ERM) Program

– Demonstrates diligence in compliance oversight and monitoring

– Serves as SOX entity level control

– Provides information to management and Board

– Fulfills regulatory demands for increased oversight

– Forces compliance accountability into business units

– Serves as a training and developmental exercise

– Assists other functional initiatives (i.e. internal audit, training, HR, etc.)



• Objectives

– Identify key organizational risks

– Prioritize organizational or program gaps (i.e. policies, training, etc.)

– Assign accountability for remediation

– Assist in resource allocation

– Communicate to management and Board

43



• Defining the Scope

– Enterprise wide

– Geographic

– Business Unit

– Compliance program design and activities (i.e. training, hotline, etc.)

– Laws and regulations



• Tools and Techniques

– Internally generated model (i.e. Excel, Access, etc.)

– Vendor software or technology

– Survey or questionnaire

– Remediation templates

– Interviews

– Focus groups

– Document or version controls

– Audit trail

44



• Rating Critieria

– Likelihood or probability

– Severity or significance

– Inherent risk

– Residual risk

– Control Effectiveness

– Improvement opportunities



Examples of Rating Scales

Likelihood of Occurrence

1 2 3 4 5

Very Low Low Moderate High Very High

Almost Impossible

Extremely Unlikely

Possible Sometimes

Isolated Incidents

Repeated Incidents

Less than once/5 years

Less than once/year

Once/month to once/year

Once/week to once/month

More than once/week

Less than 1% 1% - 5% 5% - 10% 10% - 20% More than 20%

45




Severity

1 2 3 4 5

$0 > $100K $100K>$500K $500K>$5M $5M>$25M $25M or >

< 1% of revenue

1% - 3% of revenue

3% - 5% of revenue

5% - 10% of revenue

> 10% of revenue

No reputational exposure or regulatory harm

Localized negative impact on reputation but recoverable

Negative media coverage in state or region

Negative national media coverage (not front page news)

Sustained national negative media coverage (front page news)

No operational impact or loss of business

Noticeable but easily manageable; limited impact on operations

Results in some damage at an individual or stakeholder level; requires careful management attention

Severe impact on the business unit’s or company’s operational performance

Catastrophic impact on the business unit’s or company’s operational performance




Control Effectiveness

1 2 3 4 5

Ineffective Partially Effective

Effective Highly Effective Very Highly Effective

No control in place to date

Largely ineffective

Partially effective on some occasions

Effective on most occasions

Highly effective on almost all occasions

46




Improvement Opportunity

1 2 3 4 5

Low Opportunity

Partial Opportunity

Reasonable Opportunity

High Opportunity Very High Opportunity



• Documentation

– Keep it simple to understand and easy to use

– Provide clear instructions

– Establish protocol for language and tone

– Limit the distribution of documents

– Ensure consistency

– Link remediation to risks, including responsible parties and completion dates

– Do not assume documents are “confidential” or “privileged”

– Obtain support to validate risk rankings

– Request remediation plans and monitor progress

– Retain and secure documentation

47



• Assessment and Analysis Techniques

– Completed by accountable business unit representative

– Collaboration with other support functions (i.e. internal audit, legal, etc.)

– Perform a reasonableness check for objectivity

– Prioritize rankings by enterprise, by business unit, by activity, by risk category, etc.

– Create illustrative heat maps to support data

– Determine overall average and median risk scores for the company

– Create dashboards

– Perform trending over time



• Reporting

– Business unit management

– Senior/executive management

– Board

Documents

Developing Meaningful Ethics and Compliance Data · 4 | +1 952 933 4977 or 888 277 4977 7 McNulty Memorandum Factors – Effectiveness of Governance: • Do directors exercise independent