Compliance and Ethics Leadership Council
Assessing Global Readiness: Adapting the Corporate Core to New Markets
Jennifer Childs Kugler
Compliance and Ethics Leadership Council
SCCE Annual Conference
Sunday, 14 October 2012
A FRAMEWORK FOR MEMBER CONVERSATIONS
The mission of The Corporate Executive Board Company and its affiliates (CEB) is to unlock the potential of organizations and leaders by advancing the science and practice of management. When we bring leaders together, it is crucial that our discussions neither restrict competition nor improperly share inside information. All other conversations are welcomed and encouraged.
CONFIDENTIALITY AND INTELLECTUAL PROPERTY
These materials have been prepared by CEB for the exclusive and individual use of our member companies. These materials contain valuable confidential and proprietary information belonging to CEB and they may not be shared with any third party (including independent contractors and consultants) without the prior approval of CEB. CEB retains any and all intellectual property rights in these materials and requires retention of the copyright mark on all pages reproduced.
LEGAL CAVEAT
CEB is not able to guarantee the accuracy of the information or analysis contained in these materials. Furthermore, CEB is not engaged in rendering legal, accounting, or any other professional services. CEB specifically disclaims liability for any damages, claims or losses that may arise from a) any errors or omissions in these materials, whether caused by CEB or its sources, or b) reliance upon any recommendation made by CEB.
Barriers to Expansion in Emerging Markets (Illustrative)
[Chart: Likelihood of Occurrence (Low, Medium, High) plotted against Difficulty of Management (Easy, Difficult, Very Difficult). Barriers plotted:]
■ Increasingly Protectionist Government Strategies (Policy Risk)
■ Political Instability
■ Economic and Financial Instability
■ Fraud and Corruption
■ Lack of Local Talent and Leadership
■ Cultural Risk
■ Regulatory Risk
■ Emergence of “National Champion” Firms¹
■ Threat of Asset Seizure/Expropriations
■ Increased Competition from Domestic Rivals
■ Currency Fluctuations
■ Ill-fitting Business Model
■ Lack of Contract Enforceability
1 Government promotion or favoritism of key economic sectors resulting in uneven playing field.
Source: Gibson Dunn, “FCPA and International Anti-Corruption Enforcement—Trends in 2010.”
Competing Regulatory Demands: Companies face a more complex and aggressive regulatory environment, creating inconsistent compliance expectations.
2. Growing and Fragmented Regulatory and Enforcement Environments: Notwithstanding the fact that regulators in different countries are focused on common issues, increasing the volume of legislation and regulation in key areas (e.g., anti-bribery, anti-trust, data privacy), they are often using different standards to enforce these issues.
Growing Focus on Information Risks: Employees now have more opportunities and incentives to disclose information outside of the company. In addition, customers and other third parties are demanding greater protection from data leakage and disclosure.
3. Explosion of Information and Transparency: The exponential growth in the amount (and types) of data creates new risks and opportunities for how companies and employees create, use, and dispose of information.
Changing Employee Value Proposition: Millennial-generation employees are motivated differently and desire, in general, more open, flexible, and socially interactive workplace environments.
4. Shifting Employee Demographics: Companies increasingly hire Millennial-generation employees (characterized by an increased familiarity and informality with digital technologies and online communications).
Increasing Global Compliance Risks: As operational centers shift to new markets, compliance departments must learn to manage new (and often more volatile) political, legal, and cultural risks across geographies.
1. Company Growth into New Markets: With slow growth expected in developed markets, companies are more rapidly expanding their businesses (and their value chains) into foreign jurisdictions.
CHALLENGE #3: HARD TO KNOW THE STATE OF COMPLIANCE IN LOCAL MARKETS
How Significant a Challenge Is Gathering Quality Information on Compliance Performance?
Percentage of Regional Respondents Answering “Very Significant” or “Fairly Significant”
THE ROLE OF COMPLIANCE AND ETHICS IN SUPPORTING GLOBAL READINESS: KEY QUESTIONS TO ADDRESS NOW
Risk Identification: Do we know what our key risks, including cultural hot spots, are in these new markets? How are we mitigating those risks? And what is the upside of getting this right?
Program “Bones”: Do we have the resources and program structure in place to enable us to adapt and respond quickly?
Compliance Oversight: What oversight do we need to put in place to ensure we are reducing the likelihood of misconduct?
Outreach: Have we targeted the high-risk audiences with appropriate (and appropriately-timed) outreach, training, etc.?
For another day:
■ Managing Third-Party Risks in New, Emerging Markets
■ Measuring the Success of your Efforts
3. How are leading companies proactively managing these risks?
4. What about cultural risks?
Non-Reporting Rate of Observed Business Misconduct at MNCs
CELC Cultural Diagnostic Data: All Employee Reporting by Country, 2009–2010
[Chart: non-reporting rate by country or region (Mexico, Eastern Europe, Western Europe, U.S.A., Russia, China, India, UK, Brazil); global average: 61%]
Why Don’t People Report?
■ Globally, the two reasons cited most by employees as to why they failed to report misconduct are “Fear of retaliation” and “I did not think the company would do anything about my report.”
■ In Asia, the top two reasons are “Did not think I had enough information” and “Not certain it was a violation,” indicating some uncertainty about what constitutes misconduct.
Employees in China are four times less likely to report business misconduct than employees in the United States.
[Panels: Brazil, India, China, Russia]
Observed misconduct most significantly above global average—Preferential treatment, conflicts of interest, misuse of time, harassment/bullying, stealing
Reporting rate—36%
Most frequent “don’t know”—Accounting Irregularities
Top drivers of ethical culture—Organizational Justice, Openness of Communications, Departmental Climate
CELC Recommendations
■ Focus on compliance training, with HR support, on interpersonal relations and topics such as harassment and bullying.
■ Focus training on group dynamics and business pressures (since relatively low levels of “don’t knows” suggest employees understand expectations, but sometimes willfully ignore them).
Observed misconduct most significantly above global average—Improper sales, fraud, data privacy, accounting irregularities
Reporting rate—32%
Most frequent “don’t know”—Accounting Irregularity
Top drivers of ethical culture—Organizational Justice, Openness of Communications, Departmental Climate
CELC Recommendations
■ Focus compliance training and mitigation efforts on sales staff.
■ Provide local training that focuses on Corporate values, organizational justice, and open communications.
Observed misconduct most significantly above global average—Business information violation, improper sales, fraud
Reporting rate—39%
Top drivers of ethical culture—Organizational Justice, Openness of Communications, and Mood in the Middle
CELC Recommendations
■ Focus on role of and interactions with the State (especially if product might be considered a State asset).
■ Employees place unusual importance on peer behaviors and perceptions of culture. Build training and communication around established peer networks.
Observed misconduct most significantly above global average—Conflict of interest, misuse of time, stealing, improper payments, inappropriate giving or receiving of gifts
Reporting rate—12%
Most frequent “don’t know”—Accounting Irregularities
Top drivers of ethical culture—Organizational Justice, Direct Manager Leadership, Comfort Speaking Up
CELC Recommendations
■ Focus on corruption training.
■ High levels of “don’t knows” suggest employees need to enhance basic understanding of laws and expectations.
■ Focus on speaking-up and comfort with investigations process.
■ Employees value strong direct manager leadership. Local leadership must understand and reinforce compliance messages.
Trier follows a structured process to identify and mitigate the country and company-specific compliance risks that jeopardize the value and synergies of potential acquisitions in emerging markets. Beginning with target due diligence, Trier rapidly integrates the acquisition into its existing risk management framework.
KEY INSIGHTS
1. Country-Based Review—Compliance and Ethics should, in advance of market entry, develop a robust sense of the political, cultural, and business conditions that will impact operating success and the achievement of, in the case of an acquisition, desired synergies.
2. Integrate Acquisition into Existing Compliance Framework—Compliance and Ethics’ involvement in the due diligence process should assess business risks and the control environment with an eye towards rapid integration into existing company controls systems and risk management framework.
3. Identify Employee Pressure Points—Especially in emerging markets, legal and compliance risks stem from pressure points throughout operations. Compliance and Ethics must work to highlight these pressures (interactions with government officials, familial ties, etc.) that influence behavior and provide employees the requisite buffer and support to act on the company’s behalf.
Key Market Entry Considerations
4. Contract repudiation rates (enforceability of contracts)
5. Government stance toward business
6. Intellectual property piracy
7. Business environment (corruption risk)
8. Supply chain efficiency
9. Competitive intelligence
10. Market Size
Country Risk Review: Case in Point
Before entering Vietnam, Trier’s Compliance Officer interviews three law firms (one international, two local) and two forensic accounting firms about the country:
■ Political Risk Questions
– What political risks have you seen in the last three years?
– Could you tell me about litigation in this country? How long does it take to receive a judgement?
– Are contracts enforced here? Can I domicile operations in a more favorable location?
– Have military budgets been increased/decreased? Could decreased military budgets provoke civil unrest?
■ Business Culture Questions
– Can you tell me about corruption in the government?
– What are employee perceptions of conflicts of interest in this country?
– What local customs do Western companies run afoul of?
■ Business Risk Questions
– Who are my local and international competitors in this market? Do you know and can you trust the behavior of your competitors?
– How reliable is electricity (utilities and infrastructure) in this market?
– Tell me about the three to five business mistakes I’m going to make?
Preparing for Business Change
“By the time a new deal is proposed, I typically have an understanding of the political, cultural, and business environment we are entering. This ensures the proper compliance consideration through due diligence and integration.”
AGC, Ethics and Compliance Officer, Trier Corporation
1. Map Compliance Risks—Maps the acquired line of business workflows to compliance risks (e.g., personnel who interact with government officials)
2. Assess Control Environment and Compliance Infrastructure—Follows COSO framework to audit entity-level processes and controls (e.g., testing presence of corruption policies, obtaining documentation from key process owners, reviewing policies and procedures, manufacturing safety procedures and posters).
Strategic Objectives
■ Become the number one supplier in Russia
■ Generate revenue synergies of US$8 million by year two
■ Reduce shipping costs
Country Risks
1. Corruption risk
2. Size of gray market
3. Expropriation risk or government interference
4. Unforeseen tax liabilities
Line of Business/Compliance Risks
5. Product quality
6. Product classification and export
7. Interaction with government officials
8. Logistics and third parties
9. Compliance software and system integration delays
10. Fraud
11. Intellectual Property
12. Relations with local unions
13. Loss of key talent
14. Poor cultural integration
15. Control environment
Acquisition Risk Assessment
Acquisition Risk Heat Map (Illustrative)
[Heat map plotting risks 1 to 15. Axes: Impact (on Economic Profit): Manageable (< 5%), Major (5-20%), Critical (> 20%); Likelihood: Remote (< 10%), Possible (10-50%), Likely (> 50%). Ratings shown: Low, Medium, High, CRITICAL.]
Although most companies do not consider these factors in integration planning, the financial impact and likelihood of the occurrence have serious repercussions on value capture success.
Fluor identifies and assesses the impact of potential compliance and ethics risks before bidding on projects, helping it prepare more realistic risk mitigation plans that factor in the business costs of effectively managing risk.
KEY INSIGHTS
1. Analyze Compliance Risks Up Front—Review business opportunities to consistently and thoroughly identify potential risks, including export and corruption compliance and ethics risks inherent in typical operations based in emerging markets.
2. Account for the Costs of Compliance—In addition to capturing and documenting potential areas of compliance exposure, account for the time, effort, and resources the business will need to invest in to proactively manage risks. Use cost information to inform cost-benefit decisions about business opportunities.
3. Update Ongoing Risk Management Plans—Regularly assess changes to local operating conditions and other factors that positively or negatively affect existing risk mitigation plans, updating compliance processes as appropriate to maintain adequate and ongoing risk coverage.
COMPANY SNAPSHOT
Fluor Corporation
Industry: Engineering and Construction
Overview of Fluor’s Business Risk Management Framework (Illustrative)
Business Risk Management Framework (BRMF)
The Business Risk Management Framework is a formalized and systematic process for assessing, managing and monitoring Fluor’s business risks for high-risk projects the company considers or executes, including investments and acquisitions.
[Process diagram; stages as extracted:]
Develop and Execute Risk Management Plan
Monitor and Report on Risk Management Performance
Continuous Performance Improvement
Select Risk Management Strategy for Each Risk Identified
Weight Potential Risks and Costs
■ Begin when the project is still a prospect
■ Identify potential risks that may threaten the project
■ Weigh potential risks against profitability
Potential High-Risk Project
Note: Fluor executes engineering, procurement, construction, and maintenance work, typically in the form of discrete projects, for commercial and government clients around the world.
Case in Point: Export Compliance Risk, Emerging Market Construction Project (Illustrative)
Potential Risk List
1. FCPA violation by subcontractor
2. Export compliance permit delays
3. Labor disruptions
4. Supply chain disruptions
Projected Costs: Export compliance permit delays
Cost 1: Additional three months added to project timeline.
Cost 2: Potential penalty of dollar per day imposed by client for breaching contractual schedule.
Project Scoring Worksheet (If yes, provide cost estimate)
Column: Projected Cost (Time, Money, etc.)
1. Anticorruption/Government Interaction
– Will this project require us to work with agents or new subcontractors?
– If this is a public contract, would there be fewer than two bidders or is this a repeat bidding process?
2. Permits
– Does the project require permits from US export authorities?
– Does the project require permits from local country authorities?
3. Labor
– Will we need to use labor brokers to hire employees?
– Would pay or terms of service for newly-hired employees be different to existing employees?
4. Supply Chain
– Would this project require us to rely on two or fewer suppliers?
Capri selects local risk indicators that directly relate to the nature of their business, operating model, and the inherent risks posed by the country. Capri then uses predetermined risk thresholds to assess local business risk and appropriately plan mitigation efforts.
KEY INSIGHTS
1. Customize Local Risk Approach—Customizes mitigation activities according to the risk category of the business, streamlining local implementation and maximizing limited legal and compliance resources.
2. Identify Country Specific Controls and Processes—Identifies the organizational and country-based issues that pose the greatest risk to the business, minimizing gaps and overlaps in risk assessment and management.
COMPANY SNAPSHOT
Capri Company
Industry: Diversified European Multinational
2009 Sales: US$75–125 Billion
2009 Employees: 200,000–300,000
COMPONENT #1: IDENTIFY RELEVANT LOCAL RISK INDICATORS
Basic Requirements of the Foreign Corrupt Practices Act
Who
■ Any individual, firm, officer, director, employee, agent, or stockholder acting on behalf of the business in FCPA violations
■ Anyone who engages in conspiracy to violate the FCPA
Corrupt Intent
■ Intention of inducing the recipient to misuse his/her official position
■ Intention of influencing a foreign official in his/her official capacity
Payment
■ Any payment
■ Offer or promise to pay
■ Money or anything of value
■ Directly or indirectly
Business Purpose
■ Obtaining or retaining business
■ Directing business to anyone
■ Improper advantage
– Avoid customs duties
– Reduce taxes
– Increase profits
– Prevent action
– Obtain approvals
– Engage in espionage
– Get money due
Receipt
■ Foreign officials
■ Government employees
■ Employees of government-owned or controlled enterprises
■ Foreign political party
■ Candidate for foreign political office
Relevant Risk Indicator
1. Level of Investment and Board Membership in Local Affiliates, Subsidiaries, etc.
2. Country Risk Ranking (Based on TI Corruption Perception Index Scores)
3. Business Model (e.g., Sales, Financing)
4. Percentage of Business That Is Government-Facing
Mitigation Plan According to Risk Categories (Illustrative Excerpt)
Businesses in a lower risk category (i.e., four or above) have fewer mandated mitigation activities. These mostly consist of policies, training, due diligence, and HR requirements.
Businesses in a higher risk category must appoint a local compliance manager and participate in the mandatory consultation process.
Compliance and Ethics Officers’ Role in Assessing Emerging Markets Risk
Moments of Greatest Potential Impact
Critical Point 1: Market Entry
■ New market entry substantially elevates compliance risk, introducing new economic, political, legal, cultural, and acquisition/partnership risks
Compliance Role
■ Use the market entry decision process to assess new country risks and ensure integration of new processes into the existing compliance risk framework
Critical Point 2: New Projects and Product Lines
■ New business launches expose the company to new customers, competitors, partners and regulatory requirements
Compliance Role
■ Consistently assess risks associated with new project or product launches, integrating specific compliance criteria into investment decisions to appropriately “price” risks and establish clear operating expectations
Critical Point 3: Operating Environment
■ Changes in operating environment (enhanced enforcement, changes in internal processes) may increase compliance risk levels
Compliance Role
■ Customize compliance requirements by local risk conditions, streamlining local implementation and maximizing limited compliance resources
Extending Compliance Influence
While Compliance and Ethics may not participate in every business decision, it can insert key considerations into the critical risk points.
850,000+ EMPLOYEES WORLDWIDE, 185 GLOBAL COMPANIES: CEB’S RISKCLARITY SURVEY
RiskClarity Employee Survey and Scale
Key Demographics of Survey Participants to Date
Multiple Industries: Participating companies represent the following industries: Energy, Drilling and Gas, Insurance, Pharmaceuticals and Medical Supplies, Financial Services, Non-Profit, Professional Services, Retail, Construction and Building Materials, Manufacturing, Food Services, Chemical, and Consumer Product Goods.
Global Coverage: Respondents work in more than 115 countries across North America, Europe, Asia, the Pacific Rim, and Latin America.
All Employee Levels: Employees at all levels, from the CEO and senior management to middle management and frontline employees.
All Business Functions: Respondents represent all business functions, including Finance, Sales, Marketing, Information Technology, Call Centers, Human Resources, and Manufacturing.
Survey Statements
Response scale: Strongly Agree, Agree, Slightly Agree, Neither, Slightly Disagree, Disagree, Strongly Disagree
■ I can report unethical behavior or practices without fear of retaliation.
■ My company responds quickly and consistently to verified or proven unethical behavior.
■ I am often exposed to situations that could lead to inappropriate conduct.
Note: All questions were coded or recorded in such a way to directionally be on the same scale.
1 The 18 questions of the integrity index are scored on a seven-point scale from 1 (weakest value) to 7 (strongest value) and collectively serve as a proxy for the cultural health of organizations.
DECONSTRUCTING THE COMPONENTS OF INTEGRITY
The RiskClarity Survey Analyzes the Strength of Key Attributes That Impact a Culture of Integrity
Distribution of Employees By Overall Perception of Culture
Percentage of Respondents in Each Category and Their Corresponding Observation/Reporting Rates
n = 180,548 from 2010.
1 Percentage of employees within category who observed misconduct in past year.
2 Percentage of employees within category who responded “Don’t Know” when asked if they had observed misconduct over the past year.
3 Percentage of employees within category who reported the misconduct they observed.
The four lowest-scoring business units receive a compliance-led cultural audit.
The Ethics and Compliance Officer interviews business unit leaders to discuss the local cultural audit and the business context to understand if the low score presents a significant risk.
Compliance leads focus group sessions with senior, mid-level, and line employees to better understand the local cultural dynamic.
A corrective action plan is created and owned by the business, supported by compliance, and tracked across the year.
Key Focus Group Questions
1. Have you observed misconduct?
2. Do you believe that senior management shares the appropriate amount of information with employees?
3. Do you believe the culture encourages open and honest communication?
4. Do you understand the company’s expectations for behavior and disciplinary guidelines?
5. Do you feel comfortable reporting concerns to your direct supervisor without fear of retaliation?
INTEGRATING CULTURE INTO RISK ASSESSMENTS
Monthly Risk Assessments for Business Unit A
Legal Risk | Risk Likelihood | Risk Severity | Level of Control | Remaining Risk Exposure¹
Scales: Risk Likelihood and Risk Severity: 10 = High Risk, 1 = Low Risk; Level of Control: 100% = Effective Control, 0% = Ineffective Control
Competition Law | 4.0 | 10.0 | 60% | 16
Contract Compliance | 8.0 | 7.0 | 95% | 3
Fraud | 4.0 | 6.0 | 50% | 12
Privacy Laws | 8.0 | 5.0 | 40% | 24
1 Remaining risk exposure is calculated as (risk severity × risk likelihood) × (1 – level of control).
Corporate Culture:
■ Serves as a mitigating control supporting integrity in business practice
■ Is a forward-looking indicator of misconduct
■ Improves prioritization of corrective action planning
■ Identifies the root cause of underlying systemic compliance failures
RiskClarity results are one of several standard rating criteria (including policies, training, and controls testing) Centene uses to measure “Level of Control.”
1. Hearing a True Voice—Tyco uses RiskClarity questions to gather readings on subculture concerns
2. Surfacing Outliers—As opposed to focus groups, polling ensures “group-think” will not influence individual responses
3. Teaching in the Moment—Aggregate responses are displayed in real-time, enabling spontaneous educative discussions about flagged issues
Analysis of Firmwide Polling Results (Illustrative)
Internal and External Benchmarking
By polling using questions about comfort speaking up, perceptions of management, and training effectiveness, Tyco can tap into the local climate of individual factories, offices, and regions.
While promoting a culture of integrity may not always be a high corporate priority, failure to properly engage with employees represents a strategic (as well as compliance) risk that threatens long-term competitive advantage.
2. How are leading companies proactively managing these risks?
Source: CELC’s Global Compliance Program Management Forum.
OF INTEREST TO CELC MEMBERS: ARE YOU ROTATING YOUR LIAISONS? HOW OFTEN?
“The term is 18 months, affording others the opportunity to grow in this role and growing the number of employees who have had exposure to this area.”
Anonymous
“We do not have a formalized network of ethics liaisons, but it is part of role responsibilities embedded in our Employee Relations roles. The individuals in those roles may rotate every 2–3 years, and the responsibilities are assumed by their successors.”
Anonymous
“My company does use liaisons in other business units to help with the compliance effort, which is a role over and above their day-to-day operational responsibilities. We do not have a set time period for people in these roles. However, there is some movement due to people taking other jobs in the company.”
Ethics and Compliance Manager
“Our analysis shows that due to changing job responsibilities as people move through our company, there is a natural time limit for most of our Ethics and Compliance Manager (ECM) positions of about two to three years. Former ECM are excellent champions for our Ethics and Compliance Program. We are considering whether to include ECM ‘alumni’ in our ECM updates.”
To help the business meet its compliance and ethics obligations, Intel’s corporate Ethics and Compliance Program Office ensures implementation of oversight and operational execution, including providing the necessary tools and guidance for business partners to effectively monitor and improve their compliance and ethics processes.
KEY INSIGHTS
1. Enable the Business-Led Assessment Process—Provide the business with a framework and tools to help it gauge the effectiveness of local ethics and compliance initiatives in mitigating local internal and external risks.
2. Review and Improve Business Mitigation Plans—Create opportunities for corporate review of business self-assessments to deliver constructive feedback to the business while creating visibility into the state of the local ethics and compliance program and reinforcing senior management commitment to ethics and compliance.
3. Advance Business Goals Through Effective Risk Management—Demonstrate the long-term business value of identifying and correcting compliance and ethics risks by tying compliance and ethics improvement to overall business performance.
Business groups, which range from entire business lines to country-specific operations, prepare for the review using a self-assessment questionnaire to identify local risks and proactively address potential gaps.
Delivering findings in-person to the ECOC enhances corporate visibility into local conditions, fosters dialogue between the business and senior leaders from across the company, and reinforces senior management commitment to compliance and ethics.
Review Topics
1. Internal and External Environment
2. Compliance, Controls, Ethics, and Code of Conduct
3. Periodic Risk Assessment Results
4. Business Continuity Plans
5. Review Process Feedback and Learning
Selected Program Components
■ Tone from the CEO
■ Code of Conduct
■ Ethics Training and Communications
■ Ethics and Compliance Oversight Committee (ECOC)¹
1 The ECOC reports to the Audit Committee of the Board and is co-chaired by the VP and Director of Corporate Legal and Director of Internal Audit. Other members include Vice-Presidents or Directors of Legal Compliance, Finance, HR, HR Legal, Technology and Manufacturing, Architecture (Platforms and Products), Sales and Marketing; and the Directors of IT, Corporate Affairs, and EH&S.
GAUGING BUSINESS OWNERSHIP OF COMPLIANCE AND ETHICS
Intel’s Self-Assessment Questionnaire (Excerpt)
1 Ethics and Compliance Business Champions—Business or functional leaders in each business group responsible for advocating for and monitoring ethics and compliance within their groups.
Periodic Risk Assessment
Business Continuity
1. How often does the business review business continuity plans to ensure they are current with respect to peer audits, integrated drills, and other related activities?
Compliance, Controls, Ethics, and Code of Conduct
Section B. Responsibility and Structure Questions
1. What framework does the business have in place for the Ethics and Compliance (E&C) program? What are the local E&C roles and responsibilities?
2. How does senior management visibly support this initiative? To what extent do they visibly participate in, lead or support E&C discussions and activities?
3. How does senior management ensure that the local E&C Business Champion has the support and resources needed to carry out E&C activities?
4. How is the business ensuring and monitoring that managers (senior through first line) send consistent tone? How are managers reviewing and sharing case studies and specific compliance topics with their staff?
5. To what extent is ethics and compliance embedded in business performance dashboards and management objectives, with ownership for delivery by line management? Is E&C embedded into performance expectations?
Promoting Culture
Open-ended questions focus on ascertaining management’s role in promoting and supporting a culture that drives sustainability of E&C initiatives.
Promoting Business Success
Including questions about business continuity in the self-assessment helps assess business management objectives and compliance and ethics goals in the same exercise.
Overview of the Comprehensive Risk Assessment Review
Providing Feedback and Taking Action
■ The ECOC meets after the presentation to discuss findings and make formal recommendations or pose additional questions to the business.
■ Business groups draft action plans and send these to the Manager of the Ethics and Compliance Program for final approval.
■ On a case-by-case basis, some business groups may be required to provide additional updates or make subsequent presentations to the ECOC.
3 Delivering Findings in Person
■ The General Manager of each group delivers a two-hour presentation; other business managers and business champions also participate.
■ During the presentation, the ECOC fosters open dialogue and focuses the discussion on any identified compliance and ethics gaps and proposed mitigation steps.
2 Preparing for the Presentation
■ Business groups prepare for the presentation 4–5 months in advance, using self-assessment results to build PowerPoint slides.
■ Each group is assigned an Audit Manager and ECOC Sponsor (a senior leader who sits on the ECOC) to answer questions and facilitate the review process.
■ The ECOC identifies specific areas of concern in each business group and prepares probing questions for the review.
Through location-based program self-assessments, Amalfi Company compares regional performances to identify lagging business units and ensure the adequacy of its overseas compliance program.
KEY CONCEPTS
1. Conduct Monitoring at a Granular Level to Raise Performance Levels—Monitor individual locations to test whether the compliance and ethics program is effectively deployed across the far corners of the organization and ensure that lagging locations quickly improve to operate at the level of their highest performing peers.
2. Adopt Consistent Program Evaluation Standards to Enable Cross-Company Comparison—Establish consistent objectives and minimum expectations for program evaluations to enable meaningful comparison across business locations and identify performance laggards.
Key Components of Annual Compliance and Ethics Program Review at Location-Level
I. Location-Based Program Assessment
II. Consistent and Explicit Standards
III. Compliance Risk Identification
Locations
Business Units
Objectives Minimum Expectations Tests
1. Program Deployment
2. Management Commitment
3. Employee Understanding
Compliance and Ethics Program Self-Assessment Score Review
Business Unit A
Satisfactory Scores Across Locations
Business Unit B
Non-Satisfactory Scores Across Locations
Business Unit C
Excellent Scores Across Locations
Key Attributes ■ Detailed assessments help to validate whether program efforts reach the lower levels of the organization and whether local management embraces a culture of compliance and ethics
■ Granular assessment scope helps to identify systemic business unit risks or emerging enterprise-wide weaknesses that may have been missed in a broader review
Key Attributes ■ Adoption of consistent program objectives and minimum expectations to ensure appropriate deployment of compliance and ethics programs across locations and to enable meaningful comparisons against a uniform standard
Key Attributes ■ Use of compliance and ethics program audit results to highlight meaningful trends or emerging risks across a business unit or region, that warrant senior management attention and response
Mandatory Self-Assessment Audit Program
Coverage of 500 Locations, Illustrative
Key Learnings from Location-Level Program Assessments
REACHING THE COMPANY’S FAR CORNERS
Key Attributes
■ Self-assessment of major functional areas performed by local audit staff, with assistance from corporate audit
■ Action plans determined by local self-assessors: follow-up action for priority gaps approved by corporate audit
■ Audits cover typically 40% of total locations each year
Compliance and Ethics Program Self-Assessment Objectives
Has the program been fully deployed?
Is management committed to the program?
Do employees understand the program?
Annual Self-Assessment Audit Program
Areas Reviewed: Number of Audit Objectives
Finance: 30
IT: 20
Environment: 15
Procurement: 5
Compliance and Ethics: 3
Brazil Operations: Self-Assessment Audit Program
Location assessment unearths whether employees at the local factory-level understand their basic compliance and ethics obligations and have access to resources to gain further awareness.
Employee Understanding of the Program
Criteria Knowledge of Compliance Requirements
Familiarity with Code of Conduct
Awareness of Helpline
3
Commitment to Culture of Compliance
Location assessment helps to demonstrate whether the next generation of company leaders (current location managers) proactively encourages a culture of compliance in their actions and communications.
2
2010 Initiatives
■ Compliance Bulletins
■ Compliance 101 for New Employees
■ Web-Based Ethics Training
Deployment of Corporate Initiatives at Location Level
Location assessment identifies whether corporate compliance and ethics initiatives actually are implemented at the company’s operational level.
Standard Tests to Demonstrate Minimum Expectations (Selected)
I. Has the program been fully deployed at this location?
1. Provision of recurring ethics training
2. Provision of compliance and ethics materials to new staff
3. Existence of effective issue escalation and reporting mechanisms
4. Dedicated location ethics and compliance liaison
Program Deployment Checks
II. Does local management demonstrate an active commitment to the program?
1. Full adherence with anticorruption policy
2. Full disclosure of any conflict of interest
3. Active encouragement of compliance and ethics mandate across location
Location Management Interview
In-depth interviews with top-four location managers to evaluate possible conflicts of interest, knowledge of policy violations, and proactivity in encouraging ethical and compliant behavior across location
III. Do local employees understand the program?
1. All staff is trained on code of conduct
2. Compliance and ethics posters are visible throughout all locations
3. All staff participated in recent ethics training session
On-Site Inspection of All Factories and Facilities
Program Elements
■ Communications ■ Risk Assessment ■ Training ■ Reporting
Key Tests
Are compliance and ethics materials distributed to all factory floors?
Is new staff educated on code of conduct?
Do factory workers certify code of conduct?
Evidence Needed
Percentage of staff trained
Existence of compliance liaison position
Code of conduct certified by percentage of staff
Awareness levels of help line call system
1 Pseudonym.
COMPARING APPLES TO APPLES
Annual Compliance and Ethics Program Self-Assessment at Business Location Level
Illustrative
Internal Audit leverages the intelligence gathered by peer reviewers to perform a more in-depth audit.
Extensive Audit Characteristics
Increased Frequency: Yearly audits on high risk units
Longer Engagement Duration: More extensive sampling and testing on prevent-and-detect controls
Focus on Vulnerable Areas: Balance Sheet, Cash Cycles, Sales, Purchasing/Inventory Management
5 Produce Peer Report
The peer report drives fraud risk awareness of Audit staff and clients by identifying areas of potential concern and capturing the unique context of the business unit.
Sample Peer Report
Ctrl. No. | Control Statement | Status | Recommendation | Response
4 Perform Peer Review
Peer review engagements are intended to identify potential control exceptions, evaluate business process efficiencies, and assess the control environment.
Peer Review Characteristics
Flexible Test Program: Includes fraud testing; program provides suggested steps only and reviewer can change scope
Consultative Engagement: Non-policing nature facilitates auditee transparency and receptiveness
3 Identify Peer Reviewer
Internal Audit relies upon specially selected local peer reviewers to more effectively gain visibility into local operations in advance of audits.
Peer Reviewer Characteristics
Business Familiarity: Operates similar processes as auditee and understands KPIs
Cultural Familiarity: Familiar with or from region
Independence: Does not have a working relationship with auditee
Controls Expertise: Frequently has an audit background
2 Target High Risk Units
Cookson considers several factors to identify the business units for special review.
Key Benefits
■ Having two representatives from corporate instead of one brings new perspectives to the table and helps generate potential solutions in real-time.
■ Joint audits provide more action-oriented advice, helping local functional heads implement solutions more rapidly.
Duplication of Audit Work Across Functions Joint Audits of Local Units
Source: CEB, General Counsel Roundtable, 2012.
Local Plant Manager
Corporate Legal Representative
Health and Safety Representative
“Yes, here’s the checklist I created.”
Initial Questions
“Do we have a process in place to comply with this regulation? Is it documented?”
Legal and Compliance Follow-Up
“It looks like we’re misinterpreting these guidelines, we actually need to change our process a bit to protect the company from liability.”
Legal Risk Assessment: Thailand
Make sure the business is complying with all new local regulations.
Health and Safety Quality Control Checks: Thailand
Ensure quality control at all manufacturing sites.
Council Implementation Guidance
Selected Member Approaches
Questions for Discussion
■ Are compliance and ethics staff at my company, including functional partners and ethics liaisons, communicating effectively with each other?
■ How can I leverage existing activities (e.g., quarterly management meetings) to improve knowledge-sharing between compliance staff and other assurance functions? How do I know when I need to add compliance staff in emerging market locations?
■ What can I do at the corporate office to facilitate the effectiveness of knowledge networks? Are there any compliance and ethics issues that shouldn’t be shared across these networks?
Compliance Leadership Forum
Dell’s Compliance Leadership Forum is a group of compliance program subject matter experts who meet quarterly to identify critical risk domains and help set priorities. They also collaborate with Legal, Procurement, and Audit partners to collect compliance materials, policies, and programs that already exist.
1. Utilize Local Information Sources—Solicit risk information from subject matter experts in emerging markets who already handle compliance duties.
2. Include Other Stakeholders—Add representatives from the business and other functions to cross-regional compliance and ethics committees and discussions, especially if there are no compliance staff in-country.
Online Communities of Practice
Eni’s online Communities of Practice connect the legal department, spread across 30 countries. Community members actively discuss new ideas, work on companywide problems, and respond to help requests from colleagues across the globe.
3. Improve Cultural Awareness—Build an understanding of local cultural norms and business customs in compliance and legal team members.
4. Facilitate Collaboration—Leverage technology—including shared work spaces and video conferencing—to maximize coordination and communication across geographies and time zone differences.
2. How are leading companies proactively managing these risks?
THE ROLE OF COMPLIANCE AND ETHICS IN SUPPORTING GLOBAL READINESS: KEY QUESTIONS TO ADDRESS NOW
Program “Bones”
Risk Identification
Compliance Oversight
Outreach
Do we know what our key risks, including cultural hot spots, are in these new markets? How are we mitigating those risks? And what is the upside of getting this right?
Do we have the resources and program structure in place to enable us to adapt and respond quickly?
What oversight do we need to put in place to ensure we are reducing the likelihood of misconduct?
Have we targeted the high-risk audiences with appropriate (and appropriately-timed) outreach, training, etc.?
Realizing that employees often view corporate values—and accompanying ethical guidelines—as lofty and abstract, Wal-Mart disaggregates its corporate values into 26 “plain language” topics that are easily understood by ordinary employees. Each topic explains one aspect of the company’s values in simple words, addresses specific workplace behaviors, and sets clear expectations for employees. Ethics-based topics blend in with those unrelated to ethics, and therefore appear as an integral part of the corporate culture. To reinforce the topics and underlying behaviors in employees’ daily activities, Wal-Mart China uses a stage-gated training process, values-based business policies, proactive coaching and modeling by senior leaders, and a variety of culture promotion programs.
KEY INSIGHTS
1. Translate Corporate Values into Employee-Friendly Terms—To be locally meaningful, corporate values should be articulated as a series of actionable goals to which individual employees, at their location, can reasonably aspire.
2. Integrate Ethics into Business Messaging—Business ethics and integrity works best not as separate messages, but as part of how business is conducted. Make ethics an integrated component of all operation and strategy-focused employee sessions.
3. Consider the Impact of Collective Pressures—To address the collective work pressures that increase the likelihood of misconduct in a given location, conduct discussion-based ethics refresher courses which focus on the behaviors that alleviate pressure and prevent misconduct.
4. Devolve Ethics Responsibility to Local Employees—To foster a problem-solving culture where local employees and management proactively address ethical issues, create opportunities for employees to discuss critical behaviors in an open environment that encourages discussion.
Integrity Always: Honesty Is the Best Policy
Integrity is a cornerstone of the Wal-Mart culture. All of us must have it in all our business dealings as well as our personal lives. At Wal-Mart, we do not make excuses for our mistakes. We take responsibility and learn, so that we do not make the same mistakes again.
Confidentiality: Keep It Under Your Hat!
All confidential or sensitive information pertaining to the Company should not be disclosed to persons that are not Wal-Mart associates. If you are unsure whether any information that you have is confidential in nature, you should assume that it is confidential and take measures to guard that information.
PROMOTING (AND CLARIFYING) ETHICAL BEHAVIOR AS A VALUE
Training Material: 26 Cultural Topics (Excerpt)
Wal-Mart China
Wal-Mart copyright. All rights reserved.
Topics on Ethics ■ Explain in simple terms. ■ Set clear expectations for employees. ■ Refer to specific behaviors.
1 Wal-Mart refers to its employees as “associates.”
Source: CEB, Asia HR Executive Board, 2012.
Corporate Culture Support Channels
Wal-Mart China
Practice Snapshots
POLICY Monitoring and Enforcement
■ Open Door Policy
■
■ Ethics Violation Hotline and Mailbox
■ “Statement of Ethics”
CULTURE PROMOTION PROGRAMS Ongoing Awareness and Participation
■ “Integrity Star” Award
■ Award for Ethical Courage
■ Integrity-Themed Community Services
■ Integrity-Themed Company Festival (“Integrity Quarter”)
EDUCATION Learning and Absorption
■ 1 Orientation Training
■ Cultural and Ethics E-Learning Modules
■ New Associates Cultural Training
■ Integrity Management Training
LINK CONCEPTS WITH BEHAVIORS
Goal: To help employees internalize the company’s values and convert theory into action.
Solution: session in which they do the following:
1. Review the corporate values and cultural topics learned during orientation training.
2. Share observations on how corporate values and culture have shown up in their work experience so far.
3. Create individual action plans on incorporating cultural and ethical behaviors into daily work.
EXPLAIN ETHICS IN THE BUSINESS CONTEXT
Goal: To ensure associates understand what “integrity” entails in Wal-Mart’s business transactions and work environment.
Solution: The “Statement of Ethics” code explains to employees the company’s relationships with
TRANSFORM MANAGERS INTO ETHICS STEWARDS
Goal: To equip managers with knowledge and skills to recognize misconduct and promote ethical behaviors among direct reports.
Solution:
1. Learning Agenda ■ Internal Challenges to Integrity Management ■ External Challenges to Integrity Management ■ Skills of Integrity Management
Key Strategies Used in Delivering Anticorruption and Antibribery Training Regionally
Tyco International
Training Linked to Local Laws and Perceptions
■ Make content less US–centric by including anticorruption laws and regulations from region
■ Share business community’s perceptions about corruption levels within the region
Training Content Standardized, but Delivery Made Flexible
■ In China, to get employees more engaged, the trainer uses an audience response system
■ In India, due to desire by employees for much discussion, training sessions for employees included extra time for Q & A
■ Training provided to audiences in local language
Discussion Focused on Actual Experiences
■ Invite managers to share stories of ethical courage and dilemmas
■ Provides deeper understanding of real life situations
■ Strengthens culture of “doing the right thing”
Elicit Discussion of Alternative Business Practices
■ Introduce policy tools, such as the anticorruption matrix and the FAQ document, to begin discussion of alternatives to longstanding, sometimes illegal, practices
Potential Risk: With a Corruption Perceptions Index (CPI) score of less than five, Mexico meets Johnson Controls’ objective definition of a high-risk country.
HR System: Sends an alert to Compliance LMS, as well as Human Resources and Compliance contacts in Mexico.
Timeline: Alert sent within 24 hours of employee’s move.
DELIVERING ADDITIONAL TRAINING WHEN NEEDED
Illustrative Case in Point: Employee Moves from the United States to Mexico
Key Benefits
■ Timely Training Delivery: The system ensures employees receive relevant training in a timely manner and therefore always stay current on training.
■ Global Reach: The global nature of the system ensures all employees can be tracked and targeted across the enterprise.
■ Ongoing Visibility: Efficient sharing of data between the HR and LMS systems provides corporate compliance and local management updated information about employee training needs and completion rates.
2. Delivering In-Country Guidance
LMS: Sends an e-mail to employee notifying him or her of online training requirements, if employee’s responsibilities also change.
Local Compliance Contact: Sets up a one-on-one meeting with employee to discuss country and region-specific risks. Typical discussion topics cover:
– Navigating local regulations
– Working with local government officials
– Avoiding corruption exposure
Timeline: Local compliance contact typically meets with employee as quickly as possible, but not more than 90 days after employee’s move.
Administer a Role-Change Survey
On a quarterly basis, e-mail a three-question survey to employees with a recent change in their HR file (e.g., promotion, change in manager), inquiring about the nature of the change. Use responses to determine whether the change indicates a need for additional compliance and ethics training.
Deploy a Training-Needs Questionnaire
Embed a mandatory “Training Needs Questionnaire” at the end of the annual Code of Conduct training module to identify material compliance training and knowledge gaps that may have resulted from changes in employees’ roles.
THE ROLE OF COMPLIANCE AND ETHICS IN SUPPORTING GLOBAL READINESS: KEY QUESTIONS TO ADDRESS NOW
Program “Bones”
Risk Identification
Compliance Oversight
Outreach
Do we know what our key risks, including cultural hot spots, are in these new markets? How are we mitigating those risks? And what is the upside of getting this right?
Do we have the resources and program structure in place to enable us to adapt and respond quickly?
What oversight do we need to put in place to ensure we are reducing the likelihood of misconduct?
Have we targeted the high-risk audiences with appropriate (and appropriately-timed) outreach, training, etc.?
For another day:
■ Managing Third-Party Risks in New, Emerging Markets
■ Measuring the Success of your Efforts