Compliance Metrics: Moving from Best Practice to Standard Practice

Tuesday, June 7, 2016

Housekeeping

✓ You will receive a copy of the presentation and recorded version of the webinar via email after the conclusion of the webinar.

✓ You have joined today’s session listening through your computer’s speaker system by default. This means, if you can hear music through your computer, you will be able to hear the presentation.

✓ If you would like to call in using a phone, just locate your Audio Pane and select Use Telephone. The dial-in information and access code will then be displayed.

✓ Please type your question(s) and click Send in the Questions Pane. At the end of the presentation we will do a Q&A session and take as many questions as we have time for.

Christopher Nixon

Chris is the Executive Vice President of Marketing at Convercent, where he works with compliance executives and teams every day to help solve the pressing challenges that exist within today’s ever-changing environment.

Chris’ responsibilities at Convercent include developing content and research that help drive results for customers and prospects. Convercent is the only SaaS solution purposely designed to address the needs of corporate compliance officers - at once fulfilling their breakneck day-to-day tactical management needs and their comprehensive boardroom reporting and analysis.

We help them avoid the financial and reputation fallout when employees - good and bad - do bad things. Convercent supports more than 440 companies in 130+ countries, and counts Philip Morris International, Kraft Heinz, LinkedIn, and Under Armour as some of our biggest fans.

Laura Jacobus

Laura is a seasoned attorney who leverages a unique blend of legal acuity and strong business acumen. With both legal and strategic business operations leadership roles at global high tech companies, including Cisco Systems and Juniper Networks, Laura approaches compliance and ethics with a broad view and an emphasis on cross-functional ownership, metrics and implementation.

At Juniper, Laura developed and implemented a highly regarded ethics and compliance program and led the process that resulted in Juniper twice receiving the coveted Ethics Inside Certification and being named a repeat honoree of the World's Most Ethical Companies designation by Ethisphere Institute.

Laura currently is consulting in the area of ethics and compliance while developing and teaching compliance related courses at multiple higher education institutions.

Ronnie Kann

Ronnie Kann is the Executive Vice President, Research and Program Development, for the Ethics & Compliance Initiative (ECI), a non-profit that empowers organizations across the globe to operate their businesses at the highest levels of integrity. In this role, he is responsible for setting the ECI research agenda, developing new services to support the ethics and compliance industry, and advancing the mission of ECI.

Prior to ECI, Kann worked for CEB, a best practice insight and technology company. He held a variety of senior management roles across CEB’s businesses, serving chief compliance and ethics officers, general counsel, chief human resource officers, chief audit executives, and chief risk officers, bringing a cross-functional approach to solving management challenges.

Kann’s expertise in ethics and compliance has been featured by The Sunday Times, Financial Management, Human Resource Executive, Journal of Business Compliance, Treasury & Risk, Compliance & Ethics Professional, and Ethisphere Magazine.

Research & Content Referenced

Exclusive Interview: DOJ’s Andrew Weissmann and Hui Chen Talk Corporate Compliance

Exclusive Interview: Metrics in Compliance w/ Patrick Taylor, Patrick Quinlan, and Gaurav Kapoor

Interviews by Laura Jacobus published on ECI’s blog

Measuring Program Effectiveness is Front of Mind.

Senior compliance and ethics professionals are spending a considerable amount of time figuring out how to determine the effectiveness of their programs—specifically whether or not the training and communications they use are resonating with their workforce.

Why Are We Here?

Measuring ROI Remains Elusive.

Compliance officers still lack a meaningful way to measure the ROI of their compliance budgets. To more effectively elevate the stature, funding and influence compliance has in an organization, compliance teams need to establish a more direct correlation between compliance, company strategy and long-term business profitability.

What Metrics Are Currently Used?

Laura’s Interview w/ DOJ

“In all areas – not just FCPA – this is extremely important in my view. I think strong compliance must be data driven. When I was recruiting compliance officers, one of my questions was to ask the candidates to articulate what types of data they would monitor.

My expectation was that a good compliance officer should be able to rattle off a list off the top of their heads and their list will tell me the level of their sophistication as a compliance professional. Similarly, when I look at compliance programs, the kind of data that they do and do not monitor tells me a lot about how sophisticated their program is.”

Hui Chen, Compliance Counsel, Department of Justice

ECI’s Blue Ribbon Panel Report

Intensifying Regulatory Environment

Increasing Global Standards

Expanding Public Scrutiny and Reputation Risk

Rising Costs of Misconduct

Model of an Ethically Healthy Organization

For nearly two decades ERC’s research has shown that a well-implemented ethics & compliance program drives a strong ethics culture, and that these work together to drive positive changes in an organization and help reduce ethics risk.

[Figure: Model of an Ethically Healthy Organization. Drivers (Driver #1, Driver #2): Strong Ethical Culture; Well-Implemented Program. Outcomes and goal: Reduced Retaliation for Reporting; Reduced Ethics Risk; Increased Reporting of Misconduct; Decrease in Observed Misconduct; Reduced Pressure for Misconduct. Links in the figure are marked as causal or correlational.]

Metrics of Well-Implemented Program

1. Risk Assessment

2. Policies & Procedures

3. Training & Communication

4. Monitoring, Auditing, & Helpline

5. Investigation & Response

6. Conflicts of Interest

7. Culture

Risk Assessment

“If you have a robust enterprise-wide risk assessment process, your priorities will evolve out of that. CCOs should be setting compliance monitoring and testing priorities based upon these risk assessments,”

Thomas Rollauer, Executive Director at Deloitte

Policies and Procedures

Metrics to Gather

✓ How often your Code and policies are reviewed, refreshed and/or rewritten
✓ Number and nature of Code and policy violations
✓ Results from culture surveys and knowledge assessments that gauge understanding and retention of key Code and policy tenets

How To Use Them

✓ Ongoing Policy Updates
✓ Regulatory Assurance
✓ Identify Underlying Trends

Training & Communication

Metrics to Gather

✓ Reach, medium, frequency and completion rates of compliance trainings
✓ Reach, medium, frequency and engagement rates of compliance communications
✓ How often your training is refreshed and reviewed for effectiveness
✓ Results from post-training comprehension tests, knowledge assessments and culture surveys
✓ Number and nature of incidents by employees who have completed training

How To Use Them

✓ Training program effectiveness
✓ Revamp training programs
✓ Determine areas to update
✓ See what messages are resonating

Monitoring, Auditing, and Helpline

Metrics to Gather

✓ Reporting rates, known and anonymous/1,000 employees by reporting channel
✓ Retaliation report trends, including the number of reports of retaliation
✓ Trends by location or department or specific employees generating higher than average reports of retaliation
✓ Incident categories, including emerging risk areas
✓ Trends following policy updates or releases
✓ Training or communication campaigns

✓ Categories driving top risks
✓ Source of hotline awareness
✓ Feedback from culture surveys
✓ Knowledge assessments
✓ Q&A forums and/or focus groups
✓ Call volumes relative to organizational structure

Investigation & Response

Metrics to Gather

✓ # of investigations (active and closed)
✓ Length of time to investigate and resolve issues
✓ Disposition of cases and fees associated with any settlements, litigation or penalties
✓ The risk areas and compliance initiatives for each case
✓ Classification of the reasons why the individuals performed the actions that led to the compliance violation

How To Use Them

✓ Identify soft spots or gaps in your standard process
✓ Evaluate Your Process
✓ Due Diligence
✓ Standardized Investigation Process
✓ Classifying Root Cause

Disclosures / Conflicts of Interest

Metrics to Gather

✓ Conflict of interest disclosure rates by seniority level, business unit, dept. or geographic location
✓ The number, type and amount of gifts and entertainment given, received and offered by or to employees
✓ # and type of misconduct reports related to conflicts of interest or improper gifts

How To Use Them

✓ Updates to Your Disclosure Tracking Process
✓ Abuse of Power
✓ Deep Understanding of Gifts, Travel, and Entertainment

Culture

Metrics to Gather

✓ # of Surveys -- when/how often they are distributed (monthly, annually, etc.)
✓ Employee retention rates
✓ Anonymous online reviews (positive and negative)
✓ Company and leadership reputation (internally and externally)

How To Use Them

✓ Repair or fix culture holes
✓ Determine Why People Are Staying
✓ Use Perception To Help Take Advantage of Good Reviews

Assessing Your Needs

Using a Rating Scale to Improve

Needs improvement – 1: The compliance risks identified with the organization are either not fully mitigated by control or there are inconsistencies in the processes that make them susceptible to breakdowns and/or scrutiny.

Operational – 2: Program processes and controls are in place to mitigate risk and are consistently operating.

Best Practice – 3: The processes have achieved best practice criteria.

Transformational – 4: The processes have matured beyond best practice criteria and/or are subject to re-engineering due to high impact changes affecting the process.

Compliance Metrics Interview

Part One

A brief intro to these three companies and the professionals to whom they sell their compliance based products

Part Two

Focus on lawyers and their comfort with metrics, the place of metrics dashboards in compliance programs and Board presentations, and the role of preventive controls vs. predictive analytics and closed loop processes.

Part Three

Discuss what is pushing the progression to metrics in compliance and how these companies move compliance out of the compliance office into the operations of any company.

Part Four

Insight into the culture of these companies in Part 4 of this interview. And we will wrap up with some examples of positive bottom line impact via metrics and some perspectives on the future of metrics and compliance.

Published on ECI’s Website

Hotline Investigations w/ HR Overlay

Position

Location

Department

Manager

Length of Employment

Compensation

Age

Sex

Direct Reports

Performance

# of Investigations

North America, Europe, Africa, Asia, South America

Employees in a particular country in Asia who had been employed by the company for 6-9 years, who had been passed over for promotion but were not close enough to their pension, were significantly and statistically more likely to commit fraud.

Root Cause of Non-Compliance

BEHAVIORAL FACTORS

Intentional Behavior: An act of willfully disobeying

Lack of Sensitivity: “I wasn’t aware my conduct would have that effect on others.”

Lack of Awareness: “I didn’t realize that the conduct was wrong.”

Company Loyalty Rationalization: “I was generating profits for the company.”

Legitimate Action Rationalization: “It is an outdated rule.” “Everyone else is doing it.”

No Harm Rationalization: “It didn’t really hurt anybody.”

ENVIRONMENTAL FACTORS

Cultural Influences: Cultural differences, from inside or outside the organization.

Financial or Performance Incentives: Incentive compensation or a performance reward drove the violation.

Operational Burden: An undue operational burden left insufficient time to perform in a compliant manner.

Pressure from Management or Peers: Pressure to conform or complete tasks at all costs driven by a superior or peers.

Weak Controls: There were weak controls over the employee or third-party activity.

Areas of Compliance Resource Focus

Recommendation to the Board

1. Address Root Cause of misconduct by quickly removing bad people from organization (intentional behavior) and implementing new controls.

2. Targeted Training for particular group prior to reaching 6 years of service w/ the company (instead of one-size-fits-all approach).

3. 3-6-12 Month Check-Ins to assess progress to ensure proper risk mitigation.

Q&A

Thank you.

Laura Jacobus, Ronnie Kann, Chris Nixon