The Next Generation of Compliance and Ethics Program ......Source: CEB 2016 RiskClarity. a...


Osmosis Use Policy

Osmosis lets you convert PDF documents into edit-ready PowerPoints (as long as you have the owners’ permission to make nonmaterial changes to the original content). Once the PDF is converted, you can do the following to the PowerPoint:
✔ Change page order, flow, or the title.
✔ Remove or edit dates.
✔ Combine parts of AER decks together for an onsite presentation to a member.
✔ Distill a member case study to the most salient points.

When working with converted PDFs, keep CEB safe from risk by avoiding the following:
✖ Don’t make the finished file available on a public website.
✖ Don’t change our marketing materials, especially when members’ brands are involved. We have agreements with many members to use only their name/logo in certain circumstances.
✖ Don’t add members’ names or logos to case studies without members’ permission. (Contact Carla Meiner in Legal to discuss how you can get permission).
✖ Don’t change the findings/conclusions, statistics/data, or spirit or intent of the content.

Keep these best practices in mind when using converted documents:
➤ Before distributing converted and edited PPTX files, save files as PDFs because distributing editable CEB IP is risky.
➤ Use your best business judgment when using Osmosis. Don’t expose CEB to unnecessary risk, and ensure you follow quality assurance protocols to keep the integrity of CEB’s research and brand.
➤ Osmosis files are purged every 24 hours. Be sure to follow safe data handling practices if saving converted documents.

Osmosis will continue to evolve with feedback from users, so if you have suggestions we might incorporate into future releases of the tool, e-mail Dave Fisher ([email protected]). As more people use the tool and provide feedback, we will continue to adapt these guidelines as necessary. Note that the process of translating words to the individual letter and graphics to the bit level from a PDF (which may have been built in anything) is

CEB Compliance & Ethics Leadership Council

The Next Generation of Compliance and Ethics Program Effectiveness

From Bolt-On to Built-In

Jennifer Kugler

SCCE Conference

October 2017


A Framework for Member Conversations

The mission of Gartner’s CEB Leadership Councils is to help executives and their teams harness their growth potential by taking insights from the best companies to save time and make better decisions. When we bring leaders together, it is crucial that our discussions neither restrict competition nor improperly share inside information. All other conversations are welcomed and encouraged.

Confidentiality and Intellectual Property

These materials have been prepared by Gartner, Inc. and/or its affiliates (“Gartner”) for the exclusive and individual use of our CEB Leadership Council member companies. These materials contain valuable confidential and proprietary information belonging to Gartner, and they may not be shared with any third party (including independent contractors and consultants) without the prior approval of Gartner. Gartner retains any and all intellectual property rights in these materials and requires retention of the copyright mark on all pages reproduced.

Legal Caveat

Gartner, Inc. and/or its affiliates (“Gartner”) is not able to guarantee the accuracy of the information or analysis contained in these materials. Furthermore, Gartner is not engaged in rendering legal, accounting, or any other professional services. Gartner specifically disclaims liability for any damages, claims, or losses that may arise from a) any errors or omissions in these materials, whether caused by Gartner or its sources, or b) reliance upon any recommendation made by Gartner.

© 2017 Gartner, Inc. and/or its affiliates. All rights reserved. CELC174430


WE’VE COME A LONG WAY

Representative Examples of the Progress Compliance Programs Have Made

72%: Programs that train managers on how to respond to employee reports of misconduct.

70%: Programs that provide annual ethical decision-making training to at least half of employees.

61%: Programs that track changes in employee perceptions of the organization’s culture.

Source: 2014 CEB State of the Compliance & Ethics Function Survey.

Manage Compliance and Ethics Risks
Improve Employee Decision Making
Lead the Function

Define Program Mandate
Mitigate and Monitor Risks
Establish Policies and Procedures
Oversee Allegations of Misconduct
Provide Training and Communications
Reinforce Behavioral Expectations
Manage the Function


STILL LARGELY A BOLT-ON

Typical Process for Receiving Compliance Approval on a New Third Party

Business Workflow: Select and Onboard a New Third Party
Identify the Need for a Third Party
Conduct an RFP
Select a Third Party
Onboard the Third Party
Monitor Third-Party Performance

Compliance Workflow: Conduct Third-Party Due Diligence
Review and Approve Third Party
Median Time Elapsed: 17 Business Days (a)

Creates actual burden for employees through extra steps and handoffs.

Creates perceived burden because employees must step outside of their workflows.

Source: CEB 2015 Third-Party Risk Diagnostic.

(a) Median number of business days required for Compliance to complete due diligence.


A RISING CHORUS TO EVOLVE OUR PROGRAMS

Changes in Stakeholders’ Expectations of Compliance and Ethics Programs

Compliance and Ethics

Employees: Expect any additional asks of them to be low-effort

Boards: Expect more clarity on risk exposure and mitigation plans

Regulators: Expect Compliance to be integrated into operations

Senior Business Leaders: Expect results with minimal business drag

Source: CEB analysis.


BOARDS PUSHING FOR A CONSISTENT VIEW OF RISK

Factors Driving Changes in Board Expectations of Compliance and Ethics

External Pressure on Boards
The Yates Memo and high-profile corruption and privacy failures have pushed the Board to be better informed and more active in risk management.

Corporate Investments in Assurance
Boards expect the heavy corporate investment in assurance to facilitate a clear and accurate sense of risk exposure.

Conflicting Risk Information from Assurance Functions
Assurance functions often provide the Board with inconsistent or conflicting opinions on risk exposure.

Source: CEB analysis.


UNDER PRESSURE, EMPLOYEES DEMAND EFFICIENCY

Assurance-Related Pressures Adding to Employees’ Base Workload
60% Report More Work
Asks from 11 Assurance Functions
More Training, Processes, and Requirements

Impact of Perceptions of Burden on Compliance Outcomes
Change in Outcomes Between Employees Who Perceive Compliance as Low Versus High Burden (a)

[Bar chart. Categories: Employees Who Retain Key Training Messages; Employees Who Report Observed Misconduct. Series: Perceive Low Burden; Perceive High Burden. Axis: 0% to 70%. Data labels: 70%, 59%, 59%, 42%.]

n = 24,697. n = 3,088.

Source: CEB 2016 RiskClarity.

Source: CEB 2015 Careers Panel Survey.

(a) Compliance and ethics requirements (training, approvals, documentation, etc.) slow my ability to achieve my business objectives.


WHAT IT MEANS TO BE BUILT-IN

What Compliance Must Do to Build Compliance Activities into Business Operations

Source: CEB analysis.

Built-In Compliance

Design: To be part of business workflows
Coordinate: With related assurance activities
Assess: For burden and integration

Designed To:
Be natural parts of business processes
Avoid extra steps and handoffs
Achieve business goals

Coordinated With:
Similar assurance activities that could cause overlap and unnecessary burden on employees

Assessed For:
Ease of compliance
Degree of activity integration into business workflows


FROM BOLT-ON TO BUILT-IN

Design Compliance to Be Part of Business Workflows
Coordinate Compliance and Related Assurance Activities
Assess How Well Compliance is Built into the Business

Business-Focused Control Design
Low-Lift Assurance Coordination Plans
Post-Project Impact Assessment
1bserve Co.
Function-First Compliance Training
Assessment of Embedded Ethics and Compliance

1 Pseudonym.


FROM BOLT-ON TO BUILT-IN

What Compliance Must Do to Build Compliance Activities into Business Operations

Source: CEB analysis.

Built-In Compliance

Design: To be part of business workflows
Coordinate: With related assurance activities
Assess: For burden and integration

Designed To:
Be natural parts of business processes
Avoid extra steps and handoffs
Achieve business goals


MANY OPPORTUNITIES FOR BUILDING-IN

Select Examples

Compliance Process or Control: Bolt-On versus Built-In

Conflicts of Interest Disclosure
Bolt-On: Annual conflicts of interest certification campaign
Built-In: Conflicts of interest disclosures sent with annual reminders about updates to benefits and other information

Gifts and Entertainment Tracking
Bolt-On: Gifts and entertainment tracking in Compliance’s gift and entertainment registry
Built-In: Gifts and entertainment registry linked to the expense system, enabling automated data exports

Third-Party Due Diligence
Bolt-On: Compliance questionnaire sent to the business following selection of a third party
Built-In: Compliance risk criteria embedded in the RFP evaluation process

Manager Training
Bolt-On: Compliance training courses deployed to managers on an annual basis
Built-In: HR system links to Compliance’s LMS to trigger training for newly promoted managers

Third-Party Monitoring
Bolt-On: Compliance manually gathers information from business partners
Built-In: Compliance criteria are built into third-party performance scorecards

New Product Development
Bolt-On: Compliance reviews and assesses new products following the development process
Built-In: Compliance criteria are embedded in the new product development process

Source: CEB analysis.


A SIMPLE WAY TO SEGMENT OPPORTUNITIES

Compliance Processes and Controls Integration Assessment (Illustrative)

[Matrix. Vertical axis: Potential for Increased Risk Reduction (Low to High). Horizontal axis: Cost of Building Into Business Operations (Low to High). Region labels: FOCUS HERE; NOT WORTH BUILDING IN. Plotted items: Gifts and Entertainment Tracking; Third-Party Due Diligence; Conflicts of Interest Disclosures; Compliance Investigations; Manager-Delivered Communications; Compliance Policy Management.]

Source: CEB analysis.


FUNCTION-FIRST COMPLIANCE TRAINING

Overview

Dell’s ethics and compliance program embeds compliance training into the broader sales curriculum, which enables improved employee retention of material and increased performance against sales goals.

Solution Highlights

Business-Oriented Design Principles
A set of functionally-oriented design principles ensures that the training is viewed by functional employees as something that will help them meet their objectives, and speaks to their natural language, workflow, and objectives.

Targeted Content Sourcing
Collaboration with functional experts allows Compliance to understand the sales (functional) workflow, enabling function-first design.

Solution-Focused Content Delivery
Structured delivery of content drives two-way dialogue intended to raise solutions that help attendees better perform their functional tasks while remaining in compliance with company policies.

Company Snapshot

Dell Inc.
Industry: Technology
Dell is a privately-owned company headquartered in America that specializes in computer hardware, computer software, IT services, and IT consulting. Dell is one of the largest technology companies in the world, serving customers globally.
2015 Sales: $59 Billion
Employees: 108,000


TRAINING MUST SPEAK TO THE FUNCTION

Design Elements of Dell’s Leading From the Front Training

Where Design Elements Count
■ Titling and Labeling
■ Branding of Content
■ Facilitator Scripting
■ Pre- and Post-Training Messaging

Establishing Relevance

Use Business Language
Frame content using the vocabulary that functional employees use daily to ensure the delivery is seen as both impactful and credible.

Focus on Functional Workflow
Structure training around the core activities of and tools used by functional employees.

Connect to Relevant Outcomes
Link concepts and actions to the outcomes that employees care about.

Source: Dell; CEB analysis.


HELP THEM HELP YOU

Targeted Questions to Guide Functional Partners on How They Can Best Inform Training Design Illustrative

Source: Dell, Inc.; CEB analysis.

Gather Knowledge About Employees’ Jobs

How do sales people spend most of their time? Which activities are they focused on?

What are the tools employees use in their line of work?

What activities do employees struggle with?

What types of things do they view as distractions?

Understand the Vocabulary of Employees

What words should I never use with a salesperson?

What words get sales people excited?

Uncover the Outcomes Functional Employees Care About

What do employees personally want to achieve in their current roles?

What are sales employees held accountable for?

Understand Which Behaviors You Need to Reinforce

Where might employees struggle to be compliant?

How do the best salespeople do their jobs without being noncompliant?


STRUCTURED DIALOGUE THAT DRIVES TO SOLUTIONS

How Dell Structures the Discussion to Drive to Actionable Solutions

Employee: “I’ve seen our Gifts and Entertainment policy, but nice meals is how everyone wins business.”

Training Facilitator: “Does anyone have an idea about how to impress prospects without having to take them out to nice meals?”

Employee: “I have set up peer networking events so prospects can talk to peers who are satisfied with our product.”

Training Facilitator: “Great idea. You can also simply consider splitting the meal as an alternative.”

Implementation Guidance for Structuring Actionable Conversations
Two-Way Dialogue
Open-Ended Questions
Real Examples

Source: Dell, Inc.; CEB analysis.


RELEVANCE FOSTERS IMPACT

Quantitative Feedback from Sales Employees
Net Promoter Score (NPS) (a), Leading From the Front

93%

Dell’s Leading From the Front training received a high Net Promoter Score which aligns with many of the current modules in the sales training curriculum.

Qualitative Feedback from Sales Employees

“Legal director being together (with sales facilitator) was terrific. He was able to bring cases which result in a richer class.”
Sales Employee

“Leading From the Front gave me trust in our ethical model facing the customer. I’m more confident on our go to market strategy and how Dell is differentiated in the market.”
Sales Employee

Source: Dell, Inc.; CEB analysis.

(a) A Net Promoter Score is a measure of how likely training participants would be to recommend the training to others.


FROM BOLT-ON TO BUILT-IN

What Compliance Must Do to Build Compliance Activities into Business Operations

Source: CEB analysis.

Built-In Compliance

Design: To be part of business workflows
Coordinate: With related assurance activities
Assess: For burden and integration

Coordinated With:
Similar assurance activities that could cause overlap and unnecessary burden on employees


LOW-LIFT ASSURANCE COORDINATION PLANS

Overview

National Grid’s compliance program shares planned business interactions with key assurance partners to foster operational collaboration. Better collaboration reduces burden on the business, improves business leaders’ understanding of risk, and ensures functional partners are allocating resources efficiently.

Solution Highlights

Short-List of Shared Business Interactions
Share planned business interaction with assurance partners to establish transparency and foster operational collaboration.

Company Snapshot

National Grid
Industry: Utilities
National Grid is an international electricity and gas company based in the United Kingdom and northeastern United States. They play a vital role in connecting millions of people safely, reliably, and efficiently to the energy they use.
Revenue: GB £15.2 Billion
Employees: 23,000


SHORT LIST OF INTERACTIONS WORTH SHARING

Business Interactions to Share with Assurance Partners

Share
■ Outreach to Liaisons
■ Reports to the Board, Senior Leaders, Audit Committee, etc.
■ Meetings with Business Stakeholders on Cross-Functional Topics or Risks
■ Planned Changes to Process that Impact Other Assurance Functions

Avoid Sharing
■ Function-specific interactions (e.g., privacy impact assessment for Data Privacy)
■ Last minute interactions or ad hoc meetings with no formal purpose or agenda

Source: National Grid PLC; CEB analysis.


A CONDUIT FOR COLLABORATION

National Grid’s Shared Assurance Planning Calendar (Illustrative)

April (Monday, Tuesday, Wednesday, Thursday, Friday)

Calendar entries:
Weekly Assurance Function Conference Call
BU A: John Smith. Purpose: Reaching out to risk champion about Q2 G&E Training
HR. Purpose: Reaching out about the Risk module in new hire training
Risk Committee. Purpose: Update on data privacy controls in Q1
Weekly Assurance Function Conference Call
HR. Purpose: Reaching out about Compliance module in new hire training
HR. Purpose: Reaching out about the Data Privacy module in new hire training
BU A: John Smith. Purpose: Reaching out to compliance liaison about G&E Communication Planning
Risk Committee. Purpose: Update on trends in cyber security and data privacy in Q1

Other Channels for Scaling Information Sharing with Assurance Partners
Periodic Assurance Conference Call
Periodic Assurance E-Mail Updates
Compliance Committee Meeting
Periodic WebEx Meetings

Compliance, Risk Management, Data Privacy

Source: National Grid PLC; CEB analysis.


OPPORTUNITIES TO STREAMLINE

Case-In-Point: Coordinated New Hire Onboarding Training

Previous Uncoordinated Approach to Teaching New Hires About Assurance
New hires receive redundant messaging, leaving them feeling like the trainings were unnecessary and unduly burdensome.

Coordinated Approach to Teaching New Hires About Assurance
New hires receive concise, consistent messaging about risk and the assurance functions.

Source: National Grid PLC; CEB analysis.


OPPORTUNITIES TO COORDINATE

Case-In-Point: Coordinated Board Reporting

ERM Board Report
Export/Trade Compliance is a top three risk.

Compliance Board Report
Export/Trade Compliance risk is immaterial.

Do our stories match?
No, Compliance and ERM are reporting different top three risks

Why are our stories different?
“Filing deadlines were missed by Compliance, the business unit, and Finance, so we may not be approved for the license we need to move across borders.”
“A compliance filing deadline was missed, but that does not constitute a material compliance risk.”

Does this information change our view on the risk this poses?
“Yes, we need to elevate this risk in our report.”
In cases where this answer is no, we should be able to explain to stakeholders why our stories differ.

Source: National Grid PLC; CEB analysis.


FROM BOLT-ON TO BUILT-IN

What Compliance Must Do to Build Compliance Activities into Business Operations

Built-In Compliance

Design: To be part of business workflows
Coordinate: With related assurance activities
Assess: For burden and integration

Assessed For:
Ease of compliance
Degree of activity integration into business workflows

Source: CEB analysis.


SEEMS TOO HARD FOR WHAT WE WOULD LEARN

Common Assumptions About Measuring Built-In Compliance

“What will I learn that I don’t already know?”

“These things will be really difficult to measure.”

Source: CEB analysis.


TOO LITTLE, TOO LATE

Typical Approach to Soliciting Feedback From Business Partners Illustrative

Source: CEB analysis.

Timeline: January, February, March, April, December

Compliance conducts a risk assessment.
Compliance conducts an investigation.
Compliance conducts due diligence on a third party.

Compliance Annual Survey
What did you think about working with Compliance?

Survey Response
“It’s hard to work with Compliance. They just slow us down.”

Too Little, Too Late
Compliance’s ask for feedback is often too disconnected from the activities respondents can comment on, so rather than sharing their specific experiences they often resort to general feedback which is not as helpful for Compliance.


POST-PROJECT IMPACT ASSESSMENT

Overview

After substantive interactions, Etihad assesses business partners’ perceptions of the value Compliance added and the burden the program created to identify opportunities for improvement.

Solution Highlights

Impact-Oriented Questions
Questions on the impact Compliance created through the engagement—both the value added and the disruption caused—to better gauge business perceptions and assess Compliance’s performance.

Interaction-Triggered Follow-Up
Timely requests for feedback from specific business partners immediately following a substantive interaction (e.g., risk assessment, investigation) to receive more actionable feedback on the business’s experience with Compliance.

Process Change Review Criteria
Factors, including feedback volume and patterns, are used to determine when a deeper dive review is necessary to determine potential process changes.

Company Snapshot

Etihad Airways
Industry: Airlines/Aviation
As a commercial airline based in Abu Dhabi, Etihad Airways serves more than 85 destinations in 55 countries in Europe, Asia, and the Middle East, and is consistently rated as best airline. Destinations include London, Moscow, Mumbai, Abu Dhabi, Kuwait, and Islamabad. The airline also offers North American services in New York and Toronto.
2014 Sales: US$7.6 Billion
Employees: 25,867


ASK ABOUT TOTAL IMPACT

Sample Questions in Etihad’s Post-Project Survey

Compliance Engagement Delivery
Response columns: Strongly Agree; Agree; Neither Agree or Disagree; Disagree; Strongly Disagree; Comments

Service Quality: The results of the assignment were delivered within the time frame set at the start of the engagement. (X)
Value Added: The assignment added value to your business area. (X)
Burden Created: The assignment was delivered with minimum disruption to your business. (X)

Ask About Compliance Impact
Questions about the value Compliance added and the burden it created provide a clearer picture of the program’s impact than questions about business partner satisfaction alone.

Source: Etihad Airways; CEB analysis.


ASK ABOUT TOTAL IMPACT

Sample Questions in Etihad’s Post-Project Survey

Compliance Engagement Team
Response columns: Strongly Agree; Agree; Neither Agree or Disagree; Disagree; Strongly Disagree; Comments

The Compliance team member(s) demonstrated personal integrity and acted positively throughout the engagement. (X)
The Compliance team member(s) demonstrated good technical knowledge of the Compliance area during all aspects of the engagement. (X)
The Compliance team member(s) were knowledgeable about your business area. (X)

Total Score: 60%
Rating: Satisfactory

Source: Etihad Airways; CEB analysis.


WHO AND WHEN YOU ASK MATTERS

Etihad’s Approach to Soliciting Feedback from Business Partners (Illustrative)

Risk Assessment
Feedback Requested: One Week
Compliance Survey Response: “The action items coming out of the risk assessment had big budget implications.”

Investigation
Feedback Requested: One Week
Compliance Survey Response: “Going through the investigations process helped us learn a lot about where we can improve.”

Third-Party Approval
Feedback Requested: One Week
Compliance Survey Response: “The approval took almost two weeks—too long for us to wait.”

Tied to Specific Interactions
Asking for feedback from business partners involved in substantive projects allows Compliance to receive more detailed feedback.

Quick Follow Up
Requesting feedback soon after a project ensures that business partners will be able to recall helpful details.

Source: Etihad Airways; CEB analysis.


MORE INPUTS, BETTER UNDERSTANDING

Shift in Etihad’s Understanding of Program Impact (Illustrative)

What the Program Does
■ Number of compliance risks identified and mitigated
■ Number of investigations conducted
Result: Compliance has some sense of the risk the program managed for the organization (e.g., what they covered).

What Employees Perceive
■ Employee opinions on how much value Compliance adds
■ Employee feedback on how much disruption Compliance causes
Result: Compliance sees indicators of whether employees will comply with processes (e.g., how well those risks are likely managed).

Source: Etihad Airways; CEB analysis.


CEB RISKCLARITY: A CORPORATE INTEGRITY SERVICE™

How Companies Use CEB RiskClarity
Perform an Employee-Wide Assessment of Integrity and Misconduct
Identify Key Focus Areas to Reduce Misconduct
Uncover the Root Causes of Misconduct

Product Features
■ Detailed analysis of employee observations
■ Peer benchmarking results
■ Understanding of employee perceptions
■ In-depth walk-through
■ Customized action plan
■ Access to compliance and ethics resources
■ Full-day workshop
■ Metrics and key risk indicators

Contact Us to Learn More
Phone: +1-866-913-8103
E-Mail: [email protected]
Web: cebglobal.com/exbd/compliance-legal/risk-clarity/index.page