A truly modernized compliance department not only manages vast amounts of data, but also leverages that data in a proactive way—watching the road ahead, driving insight, and teaming with the business and the board to more efficiently and effectively reduce risks. Global conglomerate 3M is one such company on that journey right now.





Michael Duran is Vice President and Chief Ethics & Compliance Officer for 3M, where he leads 3M’s global ethics & compliance program driving innovations and enhancements to our program to mitigate, identify and address risk and build upon 3M’s strong ethical culture of Be 3M.


Michael was appointed to this role in June of 2019 after serving as Assistant General Counsel and Compliance Director for 3M, where he led the team that designed and implemented many of the global elements of 3M’s compliance program. His team was also responsible for managing all six successful applications for Ethisphere’s “World’s Most Ethical Companies” recognition program.


Michael joined 3M in December of 2011. From 2006 to 2011, Michael helped design and implement enterprise-wide compliance controls for Marsh & McLennan Companies. From 1998 to 2006, Michael held various financial and compliance roles at multiple General Electric businesses. Michael has a B.S. in Finance from DePaul University, a J.D. from the University of Illinois, and a M.B.A. in Finance from the Kelly School of Business at Indiana University. He is admitted to the Illinois, Nevada, and the Minnesota bar.

Implementing a modernized compliance department at a company the size of 3M is no easy task. After all, we’re talking about a company that made $32.8 billion of revenue in 2018, operates in 70 countries, and has roughly 90,000 employees globally. Founded in 1902, however, you might say the global powerhouse knows a little bit about changing with the times.

At NAVEX Global’s 2019 Ethics and Compliance Virtual Conference, 3M Chief Ethics and Compliance Officer Michael Duran shared lessons learned on the company’s journey toward predictive analytics, evolving from a labor-intensive collection and metrics-reporting system to the adoption of automated dashboards and scorecards.

Functionally, the business is organized into four diverse business groups: safety and industrial; transportation and electronics; healthcare; and consumer. Each one creates a very different, unique risk profile and different types of compliance risk, Duran said. “We have to be dynamic in how we address these types of risk.”

When Duran joined 3M eight years ago, the company at that time was in what he referred to as an “activity-based reporting” phase, meeting on a quarterly basis with key stakeholders, including the audit committee of the board and the business conduct committee, made up of senior executives and business leaders. At these meetings, stakeholders would be provided with basic metrics concerning current compliance initiatives and program highlights—for example, the number of employees who completed online training courses or the number of people who completed the annual conduct certification course.

These key stakeholders were also briefed on third-party risk and provided with information about the third-party risk management program. “We have a pretty robust third-party due diligence program, and we’ve internally built the workflow to support that,” Duran said. “We’ve centralized the use of it into our workflow system, where we get a great deal of data out of it.”

The data generated from this internal workflow system is what’s provided to the business stakeholders. This data includes, for example, the number of third parties who have gone through the due diligence program; how many are at each risk level; and what the status is of any mitigation plan. 3M risk-ranks all its third parties, with some requiring enhanced due diligence, Moran explained.

Also, at this basic activity-based reporting stage, stakeholders were provided data from 3M’s global case management system generated from its hotline reports. The type of data reported includes the number of hotline calls, the type of reports being made, the substantiation rate of these reports, and the number of employees who have decided to remain anonymous.

All these examples of activity-based reporting mentioned above marked “the start of our use of data,” Duran said. It opened the dialogue to what eventually evolved into the next stage of maturity, the “business insight and influence” phase, he said.

Business insight and influence

As 3M evolved, different stakeholders and partnerships were folded in to help develop, enhance, and deploy the compliance program, Duran said. Within 3M, its four core business groups have lots of business divisions underneath them, and each of those divisions are associated with different products or operations.

Thus, compliance ambassadors play a very important role in helping to design and deploy the compliance program globally. Duran described these individuals as “stewards of our program” who are separate and distinct from 3M’s regional compliance officers. These compliance contacts have “insight and influence” in their country’s operations and are typically nominated by a business division head or leader within each country’s operations, he said.

With these folks, 3M holds monthly calls reporting to them similar metrics as it does with the board but slightly modified to be more relevant to them. He cited the following questions as examples: “‘Here is an initiative we are doing. What will be the receptiveness within your region? What will be the challenges? What are your observations locally? How can we make enhancements to the overall program?’”

That would lead to some seeking additional information to delve deeper into the data. “Honestly, we welcome that, because that, to me, shows engagement,” Duran said.

As one way to progress and start to influence change behavior, scorecards were then created in which certain parties were measured against, using a color-coding system of green, yellow, and red. 3M’s country operations and divisional operations were then given this scorecard.

“This was a large undertaking,” Duran explained. “We were getting data from multiple, different sources.” These sources included 3M’s online training platform, its case management system, its third-party due diligence platform, its HR system, and its annual certification system.

As just one example, 3M requires annual third-party certification. If certification was done on time, they scored in the green. If they did it late, they scored in the yellow. If it still hadn’t been completed in an allotted amount of time, they were in the red.

Additionally, company leaders could see how they measured up against their peers. Each country’s operations were also measured, meaning that all the countries in the APAC region, for example, would be measured against each other.

“When you’re measuring business leaders in each country, when you’re color-coding them, they consider it a reflection upon them, so it’s a great influencing tool,” Duran said. If someone was in the red, for example, the business leader would say, “Give me the list of people who have not done this. I’m going to make sure they get it done.” Duran added, “We found this to be a very effective tool to help drive our program and drive engagement, as well.”

“What we’re looking for is how effectively our compliance program has been deployed.”

Michael Duran, Chief Ethics and Compliance Officer, 3M

Process optimization phase

The next phase in 3M’s data analytics maturity journey was the hiring of a data scientist. “Because we were sitting on so much data, we thought it would be helpful to hire someone with data expertise,” Duran said. “This was a big evolution in our program.”

It first required a steep learning curve for the data scientist. “We wanted this individual to learn and understand 3M,” Duran explained. This individual needed to be educated on where data was sourced; how the data correlated to 3M’s business operations; and the compliance reasoning behind why putting metrics around the data was important.

By hiring this data scientist, 3M was effectively able to automate its data-gathering exercise from one that used to involve a labor-intensive, manual process of gathering the data, putting it all into an Excel spreadsheet, creating a PowerPoint slide, and then sending it out to the business leaders for them to validate. “An exercise that took a month was cut by half,” Duran said. “So, the value benefit we got was simplification of our processes.”

Screen Shot 2019-11-11 at 2.12.04 PM

For some companies, making the business case for hiring a data scientist can pose a challenge, but for 3M the hire came at an opportune time, just as a position within its compliance function had become available. That’s when compliance decided to do some reshuffling of its team to fill that position with someone who had a data science background, Duran said.

Predictive and strategic analytics

The final phase of 3M’s journey is the predictive and strategic analysis stage. “Understanding the data first and foremost is important,” Duran said.

Because concerns about conflicts of interest are a frequently raised issue, analyzing 3M’s conflict-of-interest data is “one of the first big projects we gave our data scientist,” Duran said. The first stage of this process has involved the collation of all the data from 3M’s conflicts of interest disclosure platform, HR data, its case management system, as well as external benchmarking data and then analyzing how the data correlates with substantiated conflicts of interest investigations. Duran explained 3M is using the findings to help prioritize how to address—and, furthermore, get ahead of—conflict of interest matters, as well as where compliance needs to spend more time on education and training.

In terms of compliance using the data in a more predictive and strategic way, 3M also does compliance evaluations, which Duran described as “audit-like exercises, where we visit our various operations.” A select number of these visits, which span one to two weeks, are made each year to certain regions. The data helps prioritize where to do these evaluations.

“We partner with internal audit to do books and records testing,” Duran said. “What we’re looking for is how effectively our compliance program has been deployed.” More time can now be spent analyzing the data and more clearly seeing where there may be broader trends or trouble spots in certain countries or regions that need more attention, he said.

In this way, the business is also able to provide more thoughtful analysis to the board to show them what is driving certain trends. “That’s where we’re going with the data,” Duran said. “We’re explaining to them what we are doing with the data and how it is driving the direction of our program, and they’re giving us feedback as well. They’re expecting us to continue to evolve and improve. Like all of us, we are on a continuous evolution and journey with the data. We look forward to the next direction we go.”