scce rfg june 24 leffel final - scce official sitehk, china, philippines, jordan, bulgaria the red...

6/20/2013

Advisory | Auditing & Monitoring | Training & Communications | Due Diligence | Investigations | Technology | Education

From Good to Great: Compliance Program Evolution for Leading Organizations

SCCE Web Conference, June 24, 2013

Presenter: Robert Leffel, Director of Advisory, The Red Flag Group

[email protected]

www.redflaggroup.com


Post on 23-Jul-2020


TRANSCRIPT


About The Red Flag Group

Core practice areas: Advisory, Due Diligence, Technology Solutions

15 Corporate Offices Worldwide: Hong Kong (HQ), Singapore, Shanghai, Seoul, Dubai, London, New York, Boston, Washington DC, Atlanta, Houston, Chicago, Phoenix, Los Angeles, San Francisco

5 research centers: HK, China, Philippines, Jordan, Bulgaria

The Red Flag Group is The Compliance Firm™ that helps companies turn compliance into a competitive advantage.

We create customized and integrated compliance solutions that add value to your business.


Today’s Agenda

Understanding and building the culture of compliance and integrity

Communicating with employees and keeping them engaged, aware and interested

Activating the missing link: the tone from the middle

Engaging the Board of Directors

Managing your organization’s third party risks: focus on supply chain compliance & oversight


Culture of Integrity and Compliance


Culture as Competitive Advantage

Integrity has a tangible impact on corporate performance

CEB: companies with strong cultures outperformed companies with weak cultures by more than 16% over 10 years

Source: Conference Executive Board

Average Shareholder Return Over 10 years


Culture and Talent Acquisition

Organizations perceived as ethical leaders can attract better talent

UC Stanford study: prospective employees expect a 12% premium for working at companies perceived as less ethical

Organizations with reputational issues have serious succession problems


Culture and Misconduct

Improved compliance risk management

NBES and CELC: Organizations with strong cultures are far less likely to experience policy violations

ERC: “Ethical culture is the single biggest factor determining the amount of misconduct that will take place in a business”

Source: NBES


Culture and Reporting

Improved misconduct detection:

NBES: “Employees in higher integrity cultures are more likely to report noncompliance and operational failures than employees in lower integrity cultures”


Culture and Regulators

U.S. Attorney Manual: “A corporation is directed by its management and management is responsible for a corporate culture”

U.S. Sentencing Guidelines: “An effective compliance program promotes an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

U.S. DOJ and SEC FCPA Guidance: “DOJ and SEC consider the commitment of corporate leaders to a culture of compliance”

Regulators expect a well‐governed organization to promote the culture of integrity


Building Strong Culture

Building a culture of integrity is a continuous process

Assess

Plan

Implement


Culture Assessment

Conduct periodic employee surveys and focus groups

Identify cultural KPIs you want to continuously or periodically monitor and build your “culture dashboard”

Compliance awareness

Transparency

Trust in leadership/ethical leadership/tone at the top

Mid‐management and peers

Pressure to cut corners

Observed violations

Willingness to speak up

Equitable enforcement and justice

Identify red flags and deficiencies

Analyse and understand the root causes


Plan Your Culture

Develop action plan

Think out of the box

Consult with experts

Think about values, not rules

Develop measurable short and long term goals

Don’t shoot for the moon, incremental small steps are fine

Leverage internal resources

Communication is key: identify clear communication objectives, target audiences and influences

Get executive and cross‐functional buy‐in

Implement

Track and reassess


Change Management

1) Identify key Influencers and get their buy‐in

2) Be clear about the mission

3) Paint a clear picture of the end state

4) Develop change implementation strategy

5) Break your strategy into manageable milestones

6) Communicate in easy‐to‐understand terms

7) Invite people to share concerns and fears and address them

8) Follow‐up frequently

9) Be flexible on the approach but not on the rule

10) Have a sense of humor

TEN POINTS to help bring about change


Culture‐building Communications

1) Attitude

2) Transparency

3) Anonymity

4) Address disincentives for whistleblowing

5) Consistency

6) Trained supervisors

7) Quick follow up and investigation

How do you improve employee willingness to speak up?


Communication Trends


Spotlight on Communications

Keep the message easy to understand. Communicate what the company wants employees to do and why. Communicate frequently, in short bursts, from and at all levels of the organization.

High

Hard

Fast


Communication Plan

Consider your audience, consider the core message, think about how, when and how often you will communicate

Engage communication specialists

Consider the range of communication methods and vehicles available

Identify your audiences

Develop/tailor the message(s) for each

Consider marketing and branding aspects

Determine the frequency

Integrate with training plan


Communicating with External Stakeholders

Customers

Suppliers

Other third parties

Shareholders/investors

Regulators

Auditors

Media

NGOs

Local communities/general public


Communicating with Internal Stakeholders

Consider your internal audience: Board members, executives, mid-management, employees, international locations, remote employees, etc.

Keep the message short and basic

Communicate often using different media

Make it interactive, challenge critical thinking and encourage discussion

Engage senior executives and mid‐level management to communicate on your behalf

Tailor the messaging for different groups

Consider roles and job scopes, level, geographic location

Ensure the messaging has reference material and links

Build your compliance intranet portal!


Tone from the Middle


Fostering the Tone From the Middle

In order to properly resonate throughout an organization, the tone from the top must be supported by a strong and consistent tone from the middle

Train supervisors on their special responsibilities

Involve them in your communications plan and initiatives

Manager events and brown bag lunches

Manager specific communications

Provide them with tools and resources

Hold them accountable!

Link compliance/tone with compensation

Performance appraisal objectives/criteria

Other incentives


Engaging the Board of Directors


Engaging the Board of Directors

The Board of Directors has oversight responsibility for your organization’s compliance and ethics program. This can include personal liability.

Governance principles, committee charter

Board member training

Code of Conduct

Conflicts of Interest

Oversight responsibilities

Reporting lines and direct access

Escalation/“red flag” process

Frequency, format and scope of regular reporting


Updates to the Audit Committee

When should be communicated to the audit committee?

Review of audits and investigations

Progress reports

Final remediation steps following an investigation

Upon allegations being made

Hotline requests

Allegations made through formal sources

Regulator letters and enforcement

General Updates on Compliance program

Update on key program initiatives

Monitoring and Measuring of the program

Improvements and changes


Updates on investigations

Whether to discuss with a committee or the full board

Full Board

• Escalations from committee

• Disclosure issues

Committee

• Larger investigations

• Multiple country investigations

• Multiple business unit investigations

• Senior executive involvement


Role of External Auditors

When the external auditors should be brought into a serious issue (e.g. FCPA allegation)

External Auditors

Complete collapse of internal controls

Restatement of financials and revenue recognition issues

Finance staff involved in issues and investigation


Supply Chain Oversight


Building Supplier Compliance Oversight and Due Diligence Program

Which problems are you trying to fix?

What are your risks?

Who owns it?

New suppliers or both new and existing?

Do you have complete data?

How do you address data gaps?

How do you integrate into other systems?

Which suppliers to focus on?

How to prioritize?

How do you do the screening?

How do you conduct due diligence and analysis?

How do you do follow up and monitoring?


Supplier Integrity Analysis

Supplier Integrity Analysis

Data Collection

Risk Assessment

Screening

Due Diligence

Certifications

Training & Communication

Remediation


Which Suppliers fall into the mix?

Risk categorisation of suppliers and other third parties based on:

Category

Dollar spend

Compliance risk areas (with some overriding others depending on risk appetite)

Risk rating distribution charts can thereafter be generated from the data

Example:


Risk Categorization and Rating

Examples


Data Collection Options

Multiple Inputs

Your Website

• Mapped from a Web form on your website (i.e. new suppliers ‘sign up here’)

• Other CRM options

Your CRM

• Mapped from your CRM direct into an onboarding platform

Direct into an on-boarding

• Questionnaires in multiple languages entered by the third party

• Upload lists from CSV


Questionnaires to Existing Third Parties

Features

Seamlessly track the rollout of questionnaires, both internally and externally

Request detailed information from your partners in local language 

Configurable and dynamic flow of questions

Score and escalate each questionnaire response in line with your internal risk parameters and processes

Integrate internal comments, vetting and approval by your Compliance, Finance and Legal teams 

Email integration for updates and task notifications

Powerful and configurable reporting

Collect critical information required for due diligence planning

Manage and document the workflow that includes a configured evaluation and escalation process 


Benefits of using a questionnaire

Questionnaire

Seamlessly track the rollout of questionnaires, both internally and externally

Request detailed information from your partners in local language 

Configurable and dynamic flow of questions

Score and escalate each questionnaire response in line with your internal risk parameters and processes

Integrate internal comments, vetting and approval by your Compliance, Finance and Legal teams 

Email integration for updates and task notifications

Powerful and configurable reporting

Collect critical information required for due diligence planning

Manage and document the workflow that includes a configured evaluation and escalation process 


Risk Assessing the Data Collected

Two Options for Risk Scoring the Data

• Implemented into the questionnaire

• Automatically recommends a screening or due diligence level

Automatic Risk Scoring Embedded in the Questionnaire

• All third parties proceed to batch screening as a baseline

• Follow-up steps are determined based on results of screening

No Risk scoring


Questionnaire – Risk Scoring

Determine risk score based on answers provided by the third party and the business sponsor in the Questionnaire 

Score and escalate each questionnaire response in line with your internal risk parameters and processes

Link risk score with the Due Diligence level required 

Summary of risk when reviewing the questionnaire


Screening

Content

Watchlists 

Sanctions/DPL/etc

PEP

SOE

ComplianceChallenged™

Company own lists

Embedded within a platform

Can be auto searched from an incoming questionnaire

Can be escalated for false positive analysis

Can be escalated for further due diligence

Technology


Due Diligence


Analysis and Reporting 


Certifications

Pushing certifications out to third parties

Automatically route when needing review

Receive and analyse

Send Certification annually to the third party


Training & Communication for Suppliers

Supplier Code of conduct

Supplier directed communication materials

Roundtables and face to face meetings

Incentives

Training and communication plan

How/when/what/who owns it?


Remediation

Consider the red flag and any additional controls needed

Contractual precautions

Ongoing monitoring and audits

Compliance incentives

Track follow up/remediation actions against the third party 

Set owners, actions and reminders


Thank you.


The Red Flag Group Resources

Compliance Insider™ quarterly magazine

White papers

Benchmarking studies

IntegraMaps™

www.redflaggroup.com


Questions?