Sharing expertise and resources among business functions not only benefits the compliance program in significant ways, but is an excellent way for ethics and compliance officers to gain the most important resource of all: buy-in.
During a panel discussion at Compliance Week 2016, ethics and compliance officers came together to discuss both the challenges and opportunities associated with working with other functions and how to minimize turf wars and silos while enhancing the compliance program. They also shared ways in which they engage business unit leaders to be their eyes and ears on the ground.
Small compliance teams in large, global companies face especially taxing compliance obstacles; few know this better than Brandan Kelleher, global compliance director at Keysight Technologies, a $3 billion manufacturer of electronic design and test equipment for the aerospace and defense industry.
Kelleher’s team has global responsibility for Keysight’s legal compliance program covering anti-corruption, competition, privacy, export controls, and Code of Conduct—a truly monumental task for a compliance team of just three people in a company with 10,000 employees and a global presence in more than 100 countries.
“The real challenge is achieving visibility into enterprise compliance risks, given the size of our team, the scope of company activities and the complexity of our business,” Kelleher said. “We really had to leverage a lot of strategic partnerships.”
The way compliance has been able to gain visibility throughout the company is by partnering with the heads of internal audit, field operations, and global trade to conduct joint, in-person “field risk assessments,” Kelleher explained. This entails meeting with business leaders in particular regions to understand, “How do you do business? What are your risks?”
Where to conduct these field risk assessments is driven by the group as a whole, “so we have lots of different perspectives on where we should go, what questions we should ask,” Kelleher said. So far, these assessments have been conducted in Asia, Barcelona, China, India, Malaysia, and Russia.
To help reduce the fear factor of internal audit and compliance showing up at their door, some field operation leaders were alerted ahead of time about the meeting and what topics would be covered. “We try to work with their schedules,” Kelleher said. “We don’t just show up when we want to.”
These field risk assessments have resulted in numerous benefits, including:
Increased access to business personnel;
Greater insight into relevant local processes;
Broader perspectives on compliance risks; and
Cross-functional partnerships on follow-up compliance efforts.
Furthermore, the business likes the approach because the different business unit heads don’t have to meet with field operation leaders separately, so there are fewer disruptions, Kelleher said. In short, field risk assessments are one way to leverage one trip for a bunch of different purposes.
Panelists also shared how they conduct investigation protocols to minimize disruption to the business. Keysight, for example, only recently recalibrated its investigation protocol; this was achieved by compliance partnering with internal audit and HR to create an agreement documenting investigation roles and responsibilities.
Although the agreement is still a work in progress, Kelleher said, it’s already helped instill a sense of ownership over the process for multiple functions and better defined roles to avoid duplicative efforts and conflict. This has had the dual effect of eroding tension caused by lack of clarity on investigative responsibilities and decision making and generating executive dialogue on strategies toward internal misconduct and risk tolerance.
DTE Energy, a domestic diversified energy company with 10,000 employees, similarly has a centralized investigative protocol in place composed of different investigative tiers that include audit services; employee relations; corporate security; ethics and compliance; and legal.
“By bringing all the investigative tiers together that have some ownership in the process, by collaborating with them and working with them, it made the whole process more efficient,” said Anthony Tocco, chief ethics and compliance officer at DTE Energy.
DTE ENERGY'S INVESTIGATION PROTOCOL
Below is a description of DTE Energy's investigation protocol.
Issue reported through help line or “walk-ins.”
Cases are triaged by ethics and compliance to the appropriate investigative tier.
The assigned investigative tier opens the case and assigns an investigator.
Case data is updated as progress is made.
Case investigators work with the reporter and provide updates at least every two weeks.
Bi-weekly meetings are held with investigative tiers to discuss the progress of each case.
Overall consensus from investigative tiers is reached to close a case.
Investigative tier responds to reporters, as appropriate, prior to closing a case.
Closed cases are sampled for “after action” review.
Source: Working With Other Functions; Compliance Week 2016
“Prior to putting this process in place, it was a decentralized system,” Tocco added. “Every one of those tiers predominately had its own investigative process and protocol.” As a result, multiple tiers often would work on the same investigation at the same time, he said.
Investigation responsibilities are divided by tiers. Ethics and compliance, for example, has ownership over conflicts of interest, confidentiality and privacy issues, and non-compliance with laws and regulations, whereas audit services has investigative accountability for fraud, as well as accounting, auditing and financial controls.
Issues typically get reported through the helpline or walk-ins. Ethics and compliance, which owns the process and the database, then triages reports to the appropriate investigative tier. Case data is updated as progress is made.
“We all have the opportunity to request assistance from one of the other tiers,” Tocco said. If ethics and compliance, for example, is working on a case that requires a high degree of data analytics, “we might retain internal audit to help us do that,” he said. “So we’re all supporting each other based on our subject-matter expertise.”
During the investigation, Tocco said he meets every two weeks with the leader in each department and its tier representative. “In those meetings, we talk about every open case at the time,” he said. “We talk about progress. We talk about activity that’s occurred and any support that’s needed.”
Regular updates also are provided every two weeks, at a minimum, to the reporter. When a case gets closed, the reporter has seven days to respond if they have additional information. “Most people don’t respond,” Tocco said. No investigation gets closed without the consensus of every tier leader, which ensures the process has been done thoroughly and nothing was missed, he said.
As an additional quality check, a sample of closed cases is assessed in an “after action” review. In these reviews, the business talks about what was intended to happen, what actually happened, lessons learned, and what, if any, process improvements ethics and compliance must put in place, Tocco explained.
Last year, the average amount of time it took the business to close a case was 35 business days, Tocco said. This year, that metric has been reduced to an average of 27 business days.
Code of conduct
The panelists also discussed how to get buy-in on a global scale as it pertains to the Code of Conduct, particularly when you’re building an ethics program from the ground up. Less than two years ago, for example, Salesforce, a $6.6 billion cloud computing company, decided to create a whole new standalone ethics and integrity team.
That presented several unique challenges, explained April Oliver, associate general counsel at Salesforce and leader of global ethics and integrity. “How do you create an identity? How do you create a bond? How do you create a brand?”
That’s where the new Code of Conduct came into play, which the company rolled out about one and a half years ago. To help get buy-in, Oliver recommended creating aliases that can help build the brand. “I honed in on IT and marketing, which are not traditional partners of compliance,” she said.
Specifically, Salesforce is fortunate enough to have television screens in the hallways of most of its major markets, which compliance takes advantage of by televising pieces of its Code of Conduct on these screens, with the help of marketing, which created the slides.
About every two weeks, a new piece of the Code of Conduct is shown on these television screens. These snippets are highly visual, short versed, and are rotated about every thirty seconds with other snippets of the Code. “It helps to fill that void of not having anything,” Oliver said.
Another way in which Salesforce marketed its Code of Conduct this year was through conducting training that went out in eight languages in 100 offices around the world.
IT and marketing are not the only aliases of Salesforce’s compliance team. Because on-boarding is so important in terms of culture, Oliver said, compliance also works with the HR team to ensure that new employees are aware of the Code of Conduct from day one when they come through the door.
The various functions across the business are the most cost-effective resources that ethics and compliance officers have. Utilizing them doesn’t cost very much at all, Oliver said, “except for our own creativity and time.”