This week I am running a special five-part podcast series, which considers the evolving landscape around risk, compliance and ethics. In this podcast series, I will visit with Paul Johns, Chief Marketing Officer, and Rebecca Turco, Vice President of Learning, both from SAI Global Pty Limited, the sponsor of this podcast series. One of the more interesting discussions was on the evolving nature of the ethics and compliance (E&C) marketplace and what that means for compliance programs.
Boards of Directors are moving from a lofty position, away from the limelight, to a more values based, customer-centric approach. This is playing out in a couple of key ways for the E&C marketplace. The first is that the Board sets the organization’s appetite for risk. To do this the Board must articulate what is the acceptable level of risk the company is prepared to work towards as it considers operating a particular enterprise. Next is the direct line of sight between that appetite for risk at the Board level and the performance and the behavior of everybody across the company.
To accomplish this continuum, the Board or Audit Committee would garner a sense of the markets they are in and the products that serve the market together with the associated risks. From there, the company would put together a strategy to move forward and push that strategy out to operationalize it across the company or applicable business unit. But the Board could never be assured that each employee, business unit or geographic region understands the articulated risk appetite. This is in contrast to corporate culture.
In the values-based economy of today, what is it that you expect from your employees? If the behavior of one employee is antithetical to your values, what is the damage to your corporate reputation? Consider the Starbucks store manager who called police for two patrons who were waiting for a third colleague. The two patrons were African-American and the store manager was white. The store manager had them arrested. Starbucks took a pounding in the court of public opinion even though the store manager’s actions were against the stated culture and values of the organization.
Johns said this means you must “make sure that everybody is living and breathing the values and the behavior that you’ve laid out”. If you do not do so, the reputational cost could be quite high; far beyond the cost of non-compliance with a law or regulation. The reality of today’s marketplace is that “millennials and centennials vote with their wallet.” This is true for where they purchase an espresso, where they buy running shoes or where they might order their pizzas from on a Friday night.
This values-based approach has changed the dynamic at the Board level and indeed all the way down through an organization. A company can have a Code of Conduct, policies and procedures and internal controls in place but today those regulatory requirements or those suggested by such government publications as the 2012 FCPA Guidance are not enough, even if they meet the baseline requirements under a law or regulation. Johns believes a much more holistic approach is called for and from the educational perspective, it is a continual learning practice. Johns stated, “it is more than simply a company saying some aspirational ideas in your Code of Conduct. Do they really live those values as an organization?”
You should ask such questions as “Are there key performance indicators (KPIs) in place to measure such a proactive approach to risk management and your company’s brand reputation?” It might be something along the lines of “what are you doing around how you identify the types of employees that you let into the business, the types of business partners or third parties that you do business with? What is the scrutiny? What is the high bar that you set to make sure that you have actually got the right people working with you and working for you?”
One of the most interesting things about the E&C marketplace is that all parties involved contribute to this evolution, from the regulators or prosecutors to companies and their compliance personnel and programs, to product and service providers in the marketplace. Everyone has contributed to this evolution and will continue to do so going forward. Turco noted that it has evolved far beyond “providing compliance content and checking the box”. It is significant that compliance is now part of the culture of a company. “The trends that we’re seeing really around how our companies embed compliance and culture in their organization.”
Turco said that compliance training now is around changing employee behavior. This has led to consideration of the effectiveness of training and analytics around it. Turco has seen a “shift from 30 to 40 minutes of training to targeted training and targeted pieces of content. Companies want to be able to make sure their employees are valued in terms of the time they are spending on compliance training.” They not only want to measure compliance training effectiveness to show that the program is working but also to show risk areas that could present issues for companies going forward and warrant greater attention.
The targeted nature of training means tying training to the overall business process. So how does your compliance training help an employee do business more efficiently and, at the end of the day, more profitably? Are both goals appended onto and embedded into compliance training? This is one of the goals the Department of Justice (DOJ) included in its requirements for effective compliance training. It is about getting away from death by a PowerPoint slide deck or Xerox copy to have compliance training which is much more engaging. Indeed, companies want more focused and targeted training for the risk that people are engaging in and the risks people have out in the real world.
It is interesting to observe the spectrum of the players in the compliance space and how each player has a specific role in driving compliance forward. The DOJ began the dialogue about effectiveness of compliance training in the General Cable Technologies Corporation Foreign Corrupt Practices Act (FCPA) enforcement action. The DOJ then added the mandate for targeted training in its Evaluation of Corporate Compliance Programs (Evaluation) in 2017. That was really the first time they had said in a policy statement that they wanted to see not only that you have effective training but targeted training as well.
A company can begin to measure its compliance training effectiveness. Turco said, “the key to any learning objective is being able to understand its concepts and understand how it applies to you and then it’s daily, weekly or monthly repetition. It’s not a one and done.” This means that when thinking about compliance training effectiveness you should “begin with a high-level offering that talks about kind of risks in the business. The next step is to have the learner understand what it means to them.” Effectiveness most probably will not occur the first time they take the course. Turco was emphatic that it is not “a one and done.”
The role of compliance training continues to evolve. The regulators, in the form of the DOJ, have articulated a requirement for both effective and targeted training. Companies have responded by seeking ways to help their employees more effectively identify and then manage risks. But it is not a one-time event or one-way street. Effective compliance training is a continuing dialogue which allows organizations to build their reputational brands.
The evolving role of risk, compliance and ethics will only continue. As the marketplace changes with new workers entering the workforce, becoming the new consumers and burgeoning social media-led movements such as #MeToo, the risks will only become more dynamic. Are you ready?