Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 0

Steps to an Effective

Compliance Programme

Presented byRandy Stephens | Vice President, NAVEX Global

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 1www.navexglobal.com

Randall (Randy) Stephens Vice President, NAVEX Global

Randy Stephens is a Vice President with NAVEX Global’s Advisory Services team. A lawyer and compliance specialist, Randy has worked in roles with legal and compliance responsibility for over 30 years. Clients engaged Randy to train employees or conduct culture, risk and programme assessments in Japan, China, Australia, United Arab Emirates, Saudi Arabia, Kuwait, Jordan, Qatar, Romania, Serbia, Switzerland, Italy, the UK and Canada while also working with clients with offices and operations throughout the U.S. and around the world. Randy has significant in-house experience leading compliance programmes and working for some of the largest and most diverse public and private corporations in the United States, e.g. Home Depot, Family Dollar and US Foods.

He is the author of numerous compliance related articles and commentary and is regularly featured or quoted as a compliance expert in press and publications. In 2017 Randy was named by JD Supra as #3 of the Top Ten Compliance Authors for 2016 based on readers’ choice.

He joined NAVEX Global’s Advisory Services team in 2012.

Presented By

Chris Morton

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 2www.navexglobal.com

• Effectiveness Standards

• Review of the Elements to an Effective E&C Programme

• Third Parties

• Monitoring and Measuring Effectiveness of the Programme

• Takeaways

Agenda

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 3www.navexglobal.com

Effectiveness Standards

Many Models – How do you choose?

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 4www.navexglobal.com

Four Important Factors When Assessing Effectiveness

1. Does the compliance programme demonstrate thoughtful design?

2. How operational is the programme (not a paper-based programme)?

3. How well do stakeholders communicate with each other?

4. How well is the programme resourced?

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 5www.navexglobal.com

A Partial Timeline Ethics & Compliance Effectiveness Models

US FSGO

COSO Risk

Model

USSOX

FSGO Revision & World

Bank Group Integrity

Guidelines

Dodd-Frank

& FSGO Revision

UK Bribery Act &

ISO 19600

COSO Revision & FCPA

Guidance

ISO 37001

Sapin II, Netherlands

& DOJ Guidance

1991 1992 20102004 2011 2012 2013 20172016

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 6www.navexglobal.com

The Essentials

Many Models – How do you choose?

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 7www.navexglobal.com

What is effectiveness component is your weakest link?

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 8www.navexglobal.com

All based on a Risk Assessment and applicable standards for your industry, organisation and risk tolerance

Elements of an Effective Compliance Programme

• Leadership and oversight of the programme with appropriate resources and authorities

− Deny leadership to people who have engaged in misconduct

• Standards and procedures

• Communications on standards and procedures of compliance programme

• Training that is relevant and effective

• Monitor and audit

• HR alignment with incentives and discipline

• Reporting and timely responses to allegations and modify programme

• Culture

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 9www.navexglobal.com

Oversight, Structure & Leadership

• Programme oversight responsibilities codified in governance committee charter

• Knowledgeable about programme operation

• Conducts oversight of programme effectiveness

• Accessible and holds executive sessions with those managing the programme

• Receives timely reports of significant issues

• Assigns adequate resources to programme

Common Practice Best Practice

Boar

dLe

ader

ship

Stru

ctur

e

• Responsibilities under E&C programme understood by directors to employees

• Person in charge of programme has clout

• High level person and person with day-to-day activities manage programme with a defined relationship to the board

• Management ethics committee gets information from managers and gives practical programme input

• Programme applies to third-party partners

• Individuals/committees deploy programme initiatives regionally/locally, as needed

• Programme integrated with business operations

• Management ethics committee charters/procedures

• Senior leadership understands/exercises responsibility to sustain culture of compliance and integrity

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 10www.navexglobal.com

Standards & Procedures

• Code in readable language and includes links to applicable policies, reporting processes, responsibilities of employees and managers, and conduct standards for high risk areas

• Standards for third parties

• Schedule periodic review of code and policies

• Good accessibility to the code, policies and procedures

• Document retention programme including E&C documents

• Policy development and dissemination process

• Current policies to address high-medium risks

• Code update at least every 3-4 years

Common Practice Best Practice

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 11www.navexglobal.com

Training & Communications

• Role relevant education

• Board and leadership training (not just briefing)

• Assess effectiveness of education efforts

• Sanitised cases and lessons learned

• E&C education tied to risk assessment

• Manager awareness of responsibilities and how to respond to issues

• Leadership messaging

• Multiyear education plan including various methods and formats

• Tracking of completion

Common / Effective Practice Best Practice

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 12www.navexglobal.com

Reporting & Response

• Case closure times average < 30 days

• Policies/procedures for assigning, conducting and overseeing investigations

• Tracking corrective actions for consistency

• Focus on root cause analysis and related programme improvements

• Data tracking, trending and reporting to leadership and the board

• Confidential and anonymous system for reporting E&C questions and concerns

• Employees understand reporting process and are encouraged to speak up

• Report escalation policy or process

• Non-retaliation policy is enforced

• Incident management system that allows tracking and reporting of statistics

Common / Effective Practice Best Practice

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 13www.navexglobal.com

What is your top compliance programme objective?

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 14www.navexglobal.com

Culture

• Alignment of varying cultures within an organisation

• Management of pressure to reach goals

• All staff held equally accountable

• Employees have heard and believe compliance messages

• Trust in compliance processes and systems

• Low fear of retaliation

Common / Effective Practice Best Practice

Culture trumps compliance and culture is what happens “when no one is looking”

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 15www.navexglobal.com

Culture tops the list again with prevention cited better than cureTop Ethics & Compliance Programme Objectives

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 16www.navexglobal.com

Third Parties

Are your third parties putting you at risk?

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 17www.navexglobal.com

Why are Third Parties a Concern?

• Third Party (“3P”) Risk Management Growth

• Globalisation

- OECD Foreign Bribery Report (2014) confirmed that intermediaries pose the single greatest bribery risk for companies, concluding that 75 percent of foreign bribery schemes are executed through an agent or other third party

- Increased use of 3Ps

- Agent or 3P liability

- Growing 3P enforcement

• Karen Brockmeyer, former Chief of SEC’s FCPA Unit, “Over 70% of FCPA investigations involve the actions of 3Ps”

30 percent of the 3P survey respondents indicated they would increase the use of third parties in the coming 12 months. Only 6% will reduce current relationships. (2016 NAVEX 3P survey)

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 18www.navexglobal.com

Measuring Effectiveness

How do you measure what works and why?

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 19www.navexglobal.com

How do you measure compliance programme effectiveness?

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 20www.navexglobal.com

Measuring performance, lack of staffing and managing regulatory jurisdictionsTop Ethics & Compliance Programme Challenges

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 21www.navexglobal.com

Capturing metrics is a first step to measure & improve programme effectivenessMeasuring & Monitoring E&C Programme Effectiveness

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 22www.navexglobal.com

Effectiveness Measurement is a Process

TELL THE STORY:Report on outcomes and action plans to key audiences

• Begin With The End In Mind: Define Effectiveness

• Determine What Metrics You Should Use

• Identify Possible Barriers

• Do The Work: Measure, Evaluate & Create Plan

IDENTIFY YOUR GOALS

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 23www.navexglobal.com

Examples of Effectiveness Goals

• Drive awareness of E&C expectations/requirements

• Change behaviours around particular issues (bribery, retaliation, etc.)

• Assess strength of risk controls

• Evaluate programme resources

• Ensure compliance with policies and the law

• Identify education needs and impacts

• Measure the impact of programme on culture

• Set priorities and develop work plan

• Demonstrate progress

• Defending your organisation against key financial, reputational risks (bribery & corruption, etc.)

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 24www.navexglobal.com

Takeaways & Conclusions

Plan and execute

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 25www.navexglobal.com

Key TakeawaysConclusion & Recommendations

• Try to address a few key areas at a time: don’t try to do too much

• If you don’t have the right culture, no programme changes will work

• Understand it is not all about metrics

• Don’t just check off the steps ꟷ it’s about how you identify and manage the biggest gaps between risk and current mitigation

• Culture and good risk management are what matter most

• Credible communications with leadership will help make the case

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 26www.navexglobal.com

Questions?

Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 27www.navexglobal.com

Thank You