Scce webinar assessment_061316

How Are We Doing? Why We Assess Compliance Programs and Strategies for Assessment. SCCE Webinar, June 13, 2016. Pete Rock, Deputy Chief Compliance Officer, Knights of Columbus; Eric Morehead, Principal Consultant, Morehead Compliance Consulting.

Transcript of Scce webinar assessment_061316

Page 1: Scce webinar assessment_061316

How Are We Doing? Why We Assess Compliance Programs and Strategies for Assessment
SCCE Webinar
June 13, 2016

Pete Rock, Deputy Chief Compliance Officer
Knights of Columbus

Eric Morehead, Principal Consultant
Morehead Compliance Consulting


Page 2: Scce webinar assessment_061316

1. Why Turn Over the Rocks? Some Benefits and Some Goals for A Periodic Compliance Program Assessment

2. Measure Twice and Cut Once: Preparing for a Compliance Program Assessment

3. Sum of Its Parts: What are Different Tools and Approaches Organizations Can Take for Assessments?


Page 3: Scce webinar assessment_061316


SOURCES FOR DATA

> Compliance and Ethics Program Environment Report, SCCE and NYSE Governance Services (CEPE 2014) http://m1.corpedia.com/resource_database/CEPEReport.pdf

> 2013 Association of Corporate Counsel / Corpedia Benchmarking Survey on Compliance Programs and Risk Assessments (ACC 2013)

Page 4: Scce webinar assessment_061316


Why Turn Over the Rocks? Some Benefits and Some Goals for Periodic Program Assessment


Page 5: Scce webinar assessment_061316

Why Assess?
• Regulator Expectations
  • Federal Sentencing Guidelines §8B2.1(b)(5)(B)
    • “[E]valuate periodically the effectiveness of the organization’s compliance and ethics program”
  • Started appearing in NPAs and DPAs in the 2000s
    • Encouraged risk-based mapping and review of Program
    • Builds off of language in the Organizational Sentencing Guidelines
  • Spelled out in the FCPA Guidance in November 2012
    • “DOJ and SEC will evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Page 6: Scce webinar assessment_061316

Why Assess?
Consequences are Large and Unpredictable

From: Brandon L. Garrett, Too Big To Jail: How Prosecutors Compromise with Corporations (Harvard U. Press 2014).

Page 7: Scce webinar assessment_061316

Why Assess?
• Stakeholder Expectations
  • Shareholders, including Institutional Investors
  • Board of Directors
• Prevention and mitigation of risk
  • An assessment can identify risks and suggest steps to prevent violations
• Identify gaps in training, policies, procedures, controls
  • An assessment can identify gaps that require attention

Page 8: Scce webinar assessment_061316

Why Assess?
• Budget prioritization
  • An assessment can identify areas to allocate resources
• Affirmative defense for organization & oversight personnel (Remember board members can be held liable for misconduct under the In re Caremark case.)
  • An assessment can provide an affirmative defense for both the organization & individual oversight personnel in the event of a violation

Page 9: Scce webinar assessment_061316

A Little Benchmarking: Who Assesses?

Do You Conduct a “Formal Assessment of the Overall C&E Function” [CEPE]?
• Yes: 83%
• No: 17%

8 out of 10 of your peers.

Page 10: Scce webinar assessment_061316

Goals and Scoping
• What End Product Do You Want?
  • A detailed report with recommendations and action items?
  • To set a baseline for future assessments?
  • To provide a verbal update to the Board of Directors?
  • To answer specific questions?
• Begin with the End in Mind
  • What’s the timeline?
  • Who is the audience?
  • Will this be repeatable and periodic?

Page 11: Scce webinar assessment_061316

Goals and Scoping
• Who is in Charge?
  • Legal, audit, compliance?
  • What resources will they have?
  • What are the broad expectations for the result?
• What Operations Will Be Covered?
  • Will this review cover subsidiaries, joint ventures, overseas operations, contractors, etc.?
  • Will this review cover all aspects of the program (will it be multi-year)?
• How will data be collected?
  • Surveys, focus groups, interviews, document and record review
• Scoring and evaluation
  • Determine how (and if) there will be scoring and evaluation
  • Written report? With recommendations?

Page 12: Scce webinar assessment_061316

Goals and Scoping
• Should You Work With a Third Party?
  • Pros
    • Have already developed methodology and tools
    • Has resources, expertise and project management experience
    • Access to benchmarking and best practice data
    • Independence and ability to leverage independence
  • Cons
    • Costs – it can sometimes be easier to control costs internally
    • Possibly steep learning curve on your operations
    • Future repeatability dependent on contract with third party (you won’t own methodology)
    • Third parties could face barriers in some organizations

Page 13: Scce webinar assessment_061316

Who Conducts The Risk Assessment [CEPE]?

[Chart] Values: 73%, 14%, 13%. Legend: Internal, Third Party, Other/Combo.

Page 14: Scce webinar assessment_061316

Measure Twice and Cut Once: Preparing for a Compliance Program Assessment


Page 15: Scce webinar assessment_061316

Let’s Get Started!!
• Who is on the team?
  • Usual suspects (legal, audit, HR)
  • Include “boots on the ground” – operational and international
  • Make sure team has resources, authority and profile
• Establish the process plan
  • Order of data gathering (including document review, surveys, focus groups, interviews)
  • Discuss possible scoring or reporting models
    • Seven hallmarks of the USSG
    • ISO 19600
    • Custom
• Build a realistic timeline – be generous but have clear goals and milestones
  • Complete assessments, including surveys and benchmarking, can easily take six months or more. Be cautious about expectations.

Page 16: Scce webinar assessment_061316

Let’s Get Started!!
• Consider Peer Organizations
  • Discuss assessment experiences and processes
  • Consider peers for benchmarking
    • Including public sources such as Code of Conduct and governance information
  • Keep up with SCCE and industry groups
• Establish Buy In (and Anticipation) at the Top
  • Regularly update the board
  • Consider building interest (particularly for survey components) at operational meetings and other internal marketing opportunities
• Look at Hotline/Helpline and Reporting Trends to Help Establish Scope
• Look at Prior Survey (Culture or HR Survey) Results to Help Establish Scope

Page 17: Scce webinar assessment_061316

Sum of Its Parts: What are Different Tools and Approaches To an Assessment?


Page 18: Scce webinar assessment_061316

What Now?
Common Compliance Program Elements Included in an Assessment [CEPE]

[Bar chart] Elements, in the order listed: Code, Training, Policies, Reporting System, Investigations, Communication, Culture of Ethics, BOD Oversight, KA of Risks, 3rd Party.
Values, in the order listed: 79%, 78%, 77%, 72%, 62%, 59%, 56%, 52%, 43%, 39%.

Page 19: Scce webinar assessment_061316

What Now?
• What Documents Do You Gather?
  • Review of documentation that memorializes the program, including the code, written policies and procedures, any prior reviews or audits, reporting system information, board minutes, survey data, any program charters, training materials, communication examples
  • Access to resources, such as the intranet, LMS, gift reporting systems, etc.
  • Collection of data will be from various stakeholders and might be a good time to conduct interviews or establish questionnaires for stakeholders to fill out while providing data
• Leave the Door Open – Establish A Process for Follow Up and Additional Requests

Page 20: Scce webinar assessment_061316

Data Evaluation Considerations
• Written Standards
  • Clear, consistent, concise and available?
  • Are rules and applicability addressed?
  • Provides guidance and resources?
  • Systematic process for generation, update and review?
  • Policy portal or policy management system?
• Other Internal Data
  • Reporting statistics, investigations and disclosures
  • Internal reporting, BOD minutes
  • Training and communication examples
    • Online training availability and LMS operation
    • Live training process
  • IA reports – ERM data

Page 21: Scce webinar assessment_061316

Data Evaluation Considerations
• Some External Data Sources
  • Analyst and auditor reports
  • Litigation research (DPAs, NPAs, filings)
  • Media coverage
  • Corporate reviews, CSR reviews, public reports from NGOs and others
  • Other external stakeholder views
  • Data sources like NBES and risk topic specific data (such as data breach and social media)
  • Institutional investor proxies and statements
  • Informal sources like SCCE and local ethics roundtables

Page 22: Scce webinar assessment_061316

Looking Outside the Organization
• Benchmarking Data Can Be Instrumental To Useful Results

Does Your Organization Benchmark Your Compliance and Ethics Program? [ACC]
[Chart] Values: 59%, 41%. Legend: No, Yes.

What Data is Collected? [CEPE]
43% Collect External Documentation

Page 23: Scce webinar assessment_061316

Just One More Question
• Culture Surveys Should Cover
  • Resources available
    • Do you know where to report? Have you read the Code in the last year?
  • Perception of organizational justice (e.g. “Do you feel the company takes allegations seriously? Do you feel all employees are treated the same?”)
  • Perceptions of misconduct
    • Perceptions of manager’s ethics
    • Perceptions of peer employee’s ethics
  • Pressure to commit misconduct
  • Perceptions of misconduct
    • Who commits it
  • Perceptions around reporting for those who have observed misconduct
    • Retaliation fears

Page 24: Scce webinar assessment_061316

Other Surveys
• Manager Sample Survey
  • Awareness of and adherence to specific policies/controls
  • Examination of key actual/perceived risks
  • Focused, deep-dive on specific targeted issues (e.g. “My organization has an anti-corruption policy that applies to operations in [country x], true or false?”)
• Broader Employee Sample for a Knowledge Assessment
  • Questions should be targeted (i.e. not every participant will receive all questions)
  • Questions should be based on baseline risk determinations to identify risk topics
  • Topics and questions are often scenario-based (similar to training questions, e.g. “Which of the following could create a COI or the appearance of a COI?”)

Page 25: Scce webinar assessment_061316

Some Considerations for Surveys
• Demographic Breakdown
  • Location/Country
  • Job Level
  • Job Function
  • Business Unit
  • Tenure
• If Internal Survey
  • Identify team
  • Identify resources
• Third Party Culture Data for Benchmark
  • ECI NBES
• Preparations for Survey
  • Early approval of questions
  • Platform selection
  • Beta testing
  • Provision for translations, paper surveys
• Survey Communication
  • Email templates
  • Reminder schedule

Page 26: Scce webinar assessment_061316

Survey Use by Peer Organizations
Does Your Organization Conduct Culture Surveys? [ACC] [CEPE]

51% Conduct Culture Surveys

[Chart] Values: 23%, 7%, 70%. Legend: Yes, Part of RA, No.

Page 27: Scce webinar assessment_061316

Interviews
• Will the assessment team be conducting interviews?
• Language issues? Does team have direct facility to speak with foreign personnel?
• Should be a consistent “script” or plan tailored with data gathered from the document review or the surveys (e.g. knowledge survey on anti-corruption showed low scores in certain areas)
• Interview list should include the “usual suspects” (legal, C&E, audit, HR) but also operational personnel with interview subjects from each significant operating unit, location and function
  • Functional management should be included
  • Consider including rank and file (resource issue)

Page 28: Scce webinar assessment_061316

Interviews
• Phone or virtual? Both have benefits and minuses
• Possibly engage a third party just for interviews?
• Is the team going to use exhibits or documents? Slows process down, narrows focus
• Follow-up potential
• Who is present? Is it one-on-one or is manager or HR (or someone else) present?

Page 29: Scce webinar assessment_061316

Focus Groups
• Who will run the focus groups from the team?
• How structured will they be -
  • Q&A, open-ended, role-play, or mixture?
  • Formal vs. informal?
  • How long will the sessions be?
  • How many participants?
  • How many sessions?
  • Will rank and file be intermixed with management?
  • External facilitator?
  • Recorded?
• Topics for Focus Groups
  • Culture
  • Compliance risk topics (knowledge assessment)

Page 30: Scce webinar assessment_061316

Tools Used By Peers [CEPE]
• 62% Management Interviews
• 46% Employee Interviews
• 15% Employee Focus Groups

Page 31: Scce webinar assessment_061316

Analysis and Reporting
• Oral Report to Board (or Management)
  • The report will often be accompanied by data from the surveys and other previously generated data such as reporting statistics and training completion rates (so, no newly generated data or presentations)
  • The report will detail findings on the status of the program elements and controls in place based on the 7 hallmarks of the sentencing guidelines or some other scoring outline
  • The team will also report on benchmarking data gathered informally during the process for comparison
  • The report will not typically include recommendations

Page 32: Scce webinar assessment_061316

Analysis and Reporting
• Written Formal Reporting
  • After completing the document and data review, surveys and individual interviews the team will often conduct an analysis of the results that will include benchmarking for certain aspects of the program
  • Once the analysis is complete, the team may offer an oral report that includes primary findings and recommendations
  • Once recommendations are discussed, the team will often then draft a written report that will include
    • Program findings based on the agreed methodology (e.g. the 7 hallmarks, best practices, or some other agreed criteria)
    • Recommendations for the program moving forward
    • Benchmarking data comparing various aspects of the program

Page 33: Scce webinar assessment_061316

Some Considerations for Reporting
• Reports should be effective and meet audience expectations
  • Does that mean a straightforward approach with a digestible executive summary?
  • Does that mean a detailed, data-driven exercise with methodology explained, use of charts, graphs and heat maps?
• Is this meant for internal audiences only?
  • Privilege to be invoked?
• Clear and direct writing with a pleasant and organized layout
  • Ask third parties for sample reports
• Use of recommendations
  • Are recommendations practical?
  • Are recommendations well explained and executable?

Page 34: Scce webinar assessment_061316

Do Peer Organizations Write a Report [ACC]?

[Chart] Values: 76%, 24%. Legend: Yes, No.

Page 35: Scce webinar assessment_061316

Next Steps
• The assessment team provides specific updates to the applicable operating units affected by the findings (HR, IT, Legal, etc.)
• The assessment team works with the exec management to determine the best cycle for repeating the process
• The assessment team puts together a written follow-up plan
  • Based on the recommendation in the report
  • Addressing each recommendation directly
  • Assigning responsibility for any follow-up plan
  • Establishing a timeline

Page 36: Scce webinar assessment_061316

Is a Written Plan Generated from the Assessment [ACC]?

[Chart] Values: 63%, 37%. Legend: Yes, No.

Page 37: Scce webinar assessment_061316

Next Steps – Example of a Simple Action Plan

Recommendation | Response | Action Plan | Assignment | Date for Completion
Draft New Code | Code is 4 years old and needs only a refresh | Will edit and revise the Code | General Counsel | Q1 2016
Implement G&E pre-approval tool | Currently informal approval process in place | Determine best process and implement | CECO | Q2 2016
Implement integrated, multi-year communications and training curricula | Individual training stake holders have their own plans and there is sufficient coordination | No action | N/A | N/A
Executive support for non-retaliation could be more visible | CEO Code letter updated and CEO filmed video that was sent to all hands | Already addressed | N/A | N/A

Page 38: Scce webinar assessment_061316


Basic Assessment Process

Establish: Scope

Team

Goals

Timeline

Collect data

Review documentation

Establish and complete surveys

Interviews and focus groups

Analysis

Additional data or interviews

Findings

Recommendations

Reporting

Actionable next steps

Throughout the project consider process improvement and repeatability

Page 39: Scce webinar assessment_061316

Morehead Compliance Consulting

Questions?

Eric Morehead

[email protected]

www.moreheadconsulting.com

512-961-3890