Compliance officers are under intense pressure to demonstrate the efficacy and value of their compliance programs to senior leadership, their boards, and enforcement authorities. But coming up with a well-defined process for doing so continues to confound many compliance officers.
During a recent panel discussion at NAVEX Global’s 2017 Ethics and Compliance Virtual Conference, compliance officers shared their approaches toward compliance program effectiveness and how to demonstrate to senior leaders and the board the compliance program’s return on investment.
As one compliance officer noted, a good starting point is to establish common definitions around metrics. If business units in different countries of operation are each moving toward different end games, it makes it very difficult for the company to accurately measure the effectiveness of the enterprise-wide ethics and compliance (E&C) program, noted Lori Martinez, compliance officer, global procurement and sourcing, at San Francisco-based pharmaceutical company McKesson.
Just the term “effectiveness” may have many meanings within a company. To one business unit in one country, effectiveness may simply mean making sure everyone has received the compliance policy, whereas effectiveness to another business unit in another country may mean making sure people have the policy, are trained on it, and are monitoring controls against it, Martinez said. By establishing common definitions around metrics at McKesson, “we feel like it’s really helped us move forward in terms of making sure we have common expectations within our risk assessing organizations,” she said.
Panelists also stressed the importance of linking the strategic value of the compliance program to the strategic objective of the business, ensuring that compliance is not operating in a vacuum. Like many companies, McKesson, for example, uses an integrated risk assessment process “to make sure that we’re not looking at compliance risk in isolation,” Martinez said.
To get a holistic picture of McKesson’s overall risk profile, compliance harmonizes its risk profile with those of other parts of the business—financial risk, internal audit, IT risk, and more. “We try to work together and make sure we have a common set of measures, a common set of timelines from an efficiency perspective, and that we’re aligned around the outcomes,” Martinez said.
Taking the time to harmonize with the other internal risk assessing organizations “has resulted in a more targeted approach in terms of our controls, value, and from an efficiency perspective,” Martinez said. But it did not happen overnight, she said. “It has been many years in the making.”
Promoting a healthy corporate culture by encouraging employee involvement in the ethics and compliance program also wins brownie points with senior leaders and the board, not to mention enforcement authorities. At London-based international energy company BP, “the responsibility for ethics and compliance lies with everybody,” said Simon Hall, BP’s ethics and compliance manager.
At BP, the ethics and compliance function is quite small, Hall said. “Our main liaisons are embedded within the business. They don’t form part of our [E&C] function.”
Advisors within BP’s so-called “Ethics and Compliance Liaison Network” effectively help to advance the corporate-wide ethics and compliance agenda. Business units across the company are assessed on such things as their ethics and compliance communication and awareness-raising activities, their auditing and monitoring activities, their response to audits and investigations, and more. That process helps the ethics and compliance function distinguish between business units that are mature and those that may need more development, Hall said.
How to demonstrate ROI
Linking the strategic value of the compliance program to the strategic objectives of the business—and further creating organizational efficiencies by embedding compliance champions within the business—goes a long way toward demonstrating to senior leaders and the board the compliance program’s return on investment (ROI), helping to increase the compliance budget down the line. The more mature the company’s compliance program, the more proficient compliance officers should be at demonstrating ROI. “Boards and senior leadership expect mature programs to be data-driven,” said Randy Stephens, vice president at NAVEX Global.
Demonstrating ROI comes down to good metrics, and specifically those that demonstrate a direct reduction in legal, financial, and reputational risks. Using recent benchmark data can help compliance officers to quantify those risks.
NAVEX Global report lists top ethics and compliance program challenges
“Measuring program effectiveness” was cited as the top ethics and compliance program challenge, cited by 45 percent of 256 key decision-makers and ethics and compliance professionals. This finding was closely followed by “Insufficient staff” (39 percent) and “Managing regulations across different jurisdictions” (39 percent).
The top E&C program challenge of measuring program effectiveness requires organizations to define not only the right combination of key indicators but also how to capture them consistently and how they relate to the overall cultural health of the organization.
The key challenges of a lack of resources—both human and financial—and managing regulations across international and cultural boundaries indicate compliance officers have an additional role to play in proving the program’s value to stakeholders. For many organizations, compliance officers need strong marketing skills to communicate the appropriate business implications to clients and shareholders, finance, legal, HR and the board.
Conducting a risk assessment can help identify resourcing gaps and provide direction for the allocation of resources, as well as prioritize regional support. Successful compliance programs regularly review resources against the organization’s risk profile to ensure appropriate mitigation.
Source: NAVEX Global
In NAVEX Global’s “2017 EMEA & APAC Culture & Compliance Program Benchmark Report,” for example, 73 percent of 256 key decision makers and ethics and compliance professionals polled said that their companies had avoided at least one incident of misconduct in the past two years directly due to their ethics and compliance program. Another one-fifth of companies had avoided at least 10 incidents. Moreover, the report found that companies with advanced compliance programs (43 percent) were more likely to have avoided more than five incidents compared to those with basic programs (19 percent).
“The value to an organization of preventing one major incident can be incalculable; in fines alone, it can often pay for the entire compliance budget many times over,” the report stated. Preventing misconduct not only reduces the likelihood of enforcement penalties and fines, but also protects the company’s reputation. Intangible assets—such as intellectual property, customer base, and the organization’s brand—account for more than 80 percent of total corporate value today. “This greatly increases the total cost of misconduct for an organization when a reputational crisis does occur,” the report added.
As discussed by the panelists, employee engagement surveys are an effective way to take the pulse of corporate culture to help reduce risk. For example, one issue raised in the BP employee engagement survey, according to Hall, was: “In my business, we hold meaningful conversations about the Code of Conduct, and ethics and compliance.” He added that based on the responses, early indications reveal a lower response rate in certain businesses than others, which may be a sign that “we need to do a little bit more awareness-raising, perhaps,” he said.
The limitation of an employee engagement survey is that it’s just a snapshot in time. To get around this, one new compliance initiative that BP is taking is to send out surveys to different subpopulations at different times throughout the year to “get a live pulse throughout the business to see how things are developing,” Hall said.
It’s important, however, that each company identify its own key metrics, depending on where its compliance program is on the maturity scale. Metrics that work for one company may not work for another. Take, for example, Global Fashion Group. The e-Commerce fashion company founded in 2011 does not use the sort of sophisticated metrics that companies with more mature compliance programs do, said Deborah Thomas, group head of compliance and risk management at Global Fashion Group.
As a company where the compliance program is still in its infancy stage, its focus right now is on ensuring that employees know that a compliance program exists in the first place, Thomas said. To help achieve that, Global Fashion Group uses an automated solution to distribute its compliance policy to its staff of 9,500 employees in its 24 emerging-market countries. Using an automated solution further provides an audit trail to certify that they have signed off and acknowledged receipt of the policy, she said.
Companies with mature and undeveloped compliance programs alike can benefit from automated solutions to help improve efficiencies and increase ROI. Many companies today utilize technology by feeding all their data from the different business units into a centralized database that enables consistent reporting throughout the organization and a holistic view of the company’s risk profile.
The most important message from the panel discussion is that ethics and compliance officers can play a leading role in fostering workplace morale among employees, developing leaders, building efficiencies, and helping the company prevent legal, financial, and reputational risk. Approach the board and CEO with confidence and the right metrics in hand, and they will be hard-pressed not to be enlightened.