A resource

THE

DATAAGE

THEDATAAGE

How will the growing emphasis on data in compliance and ethics impact modernizing programs across the world? It’s a question that will chart the courseforward for the C&E industry.

And you’re at the forefront of it.

2Copyright © 2017. All Rights Reserved. ConvercentTM

We could fill this guide with buzzword after buzzword from business intelligence to modeling and forecasting, but what

good will that do for a compliance and ethics leader? It’s actually knowing how to use data that will help, not just

knowing the jargon. This guide will help with just that.

• Big data

• Business intelligence

• Data visualization

• Predictive analytics

• Descriptive analytics

• Real-time analytics

• Unstructured data

Collectively, we know the industry has been moving toward depending on data-decision making (DDM) for some time (oops, sorry for that buzzword drop), yet we hear often at our global roundtable events, it’s a struggle to figure out how — not to mention to find the time — to learn that how with an already packed

schedule and overflowing inbox.

They all have one thing in common: numbers. And those numbers help to tell your compliance and ethics story.

Don’t let the jargon scare

you away...

3

Why Measure At All? Can’t We Just Eye It?

Not only will the appropriate C&E metrics help determine if your program is effective (yes, we will help define what “effective” is later in

this guide), but they can make the case of asking for more resources to fund the compliance and ethics office a successful one. It’s often

misunderstood that taking a look at process metrics such as the number of hotline reports or training completions there are — when represented

alone – will not determine program effectiveness or success.

The great majority of hotline calls tend to be human resource related or not highly significant to the compliance program, and any decline in the number of hotline reports cannot be explained by numbers alone,” says Richard Kusserow of Wolters Kluwer. “Declines may be a result of a more compliant work environment or perhaps a loss of confidence in reporting problems. Increases in call volume have similar problems in deducing the reason for change.

Consider this your data crash course. So, block an hour off your calendar, and let’s get started.

4

“

“

From heavy handed penalties and fines to a tarnished public reputation and liability – even jail or prison time – knowing the in’s and out’s of what effective means for the regulators in your jurisdiction is an absolute must.

Mitigating those risks begins by diving into a favorite of ours: data.

• Compliance and ethics can be dubbed a human-based practice in most respects where practitioners and executives are trying to manage and oversee human behavior. Yet, making decisions off emotions is not best practice. Removing that human element and rooting your decisions in objective data, brings you to the forefront of this business shift into the data age. And it’s not such a scary place to be after all. Let’s discuss further.

• Think of your business and organization as an information processor. From IT to HR, compliance, ethics and elsewhere, the data that is swimming around in your organization provides you a grand opportunity to re-invent the way you manage and conduct business.

• Adoption of data-driven decisions are expected to rise even more as: o Technology costs fall o Management practices evolve o Awareness increases

(Source: McElheran, Kristina and Erik Brynojolfsson. “The Rise of Data-Driven Decision Making is Real but Uneven.” Harvard Business Review. Posted Feb. 6, 2016.www.hbr.org/2016/02/the-rise-of-data-driven-decision-making-is-real-but-uneven. Date Accessed Feb. 21, 2017.)

The Risks of Ineffectivenessare Significant

The best way a company can

improve the effectiveness of

their compliance programs

without shelling out large

amounts of money is by using more

efficient metrics, according to a

study conducted by SAI Global.

5

So, uhh... What Exactly is Effective?

EFFECTIVE C&E ELEMENTSAccording to the Federal Sentencing Guidelines for Organizations (FSGO)

Standards and Procedures

Organizational Leadership and Culture

Reasonable Efforts to Remove Bad Actors from Managerial Ranks

Monitoring and Auditing

Performance Incentives andDisciplinary Measures

Appropriate Remedial Action

Risk Assessment

6

These are only recommendations to encourage ideas of where you can measure your program for effectiveness as it relates to the unique position of your program, organization, and industry.

Example Input Metrics• Number of times and how often the Code of Conduct and other policies are reviewed and/updated year-over-year• Number and nature of violations relating to the Code of Conduct and other policies• Culture surveys, knowledge assessments and questionnaires• Training reach, medium, frequency, completion and engagement rates compliance communications• Rates on updates to training programs• Post-training test results• Number and nature of incidents by employees who have completed training• Reporting rates, known and anonymous per 1,000 employees by reporting channel• Retaliation report trends, including the number of reports of retaliation• Trends by location or department; or specific employees generating higher than average repots of retaliation• Incident categories, including emerging risks• Trends following policies updates or releases• Training or communication campaigns• Categories driving top risks• Source of hotline awareness• Knowledge assessments• Q&As forums and/or focus groups• Number of investigations (active and closed)• Length of time to investigate and resolve issues• Disposition of cases and fees associated with any settlements, litigation or penalties• The risk areas and compliance initiatives to each case• Background check rates by seniority level, business unit, department or geographic location• Conflict of interest disclosure rates by seniority level, business unit, department or geographic location• The number, type and amount of gifts and entertainment given, received and offered by or to employees• Number and type of misconduct reports related to conflicts of interest or improper gifts• Number of surveys – when/how often they are distributed (monthly, annually, etc.)• Employee retention• Anonymous online reviews (positive and negative)• Company and leadership reputation (internally and externally)

What To Measure – Input Metrics

7

What To Measure – Output Metrics

8

“

“

Just this week, federal regulators outlined nearly a dozen topics around evaluating C&E programs around emerging criminal misconduct.

Data analysis extends far beyond the basics,” says Michele Edwards, Managing Director with StoneTurn, a Chicago-based consulting firm. “Training program completion rates and code of conduct confirmation statistics are no longer sufficient. Companies need to use meaningful data to assess and remediate corporate compliance programs, as well as prove program effectiveness.

Example Output Metrics Aka “Meaningful Data” • Number of transactions or deals that were stopped, modified

or more closely examined as a result of compliance concerns— how many payment transactions were most closely examined?How many new business deals were nixed because it exemplifieda potential bribe?

• Look at the number of requests for C&E resources that have beendenied

• How many audits did Internal Audit perform in an area related tomisconduct?

• Look at the number of red flags ID’d as a result of due diligenceon third parties

• How many third parties were suspended, terminated or auditedfor compliance issues?

• The number of third parties on acquisition target re-evaluatedunder the acquirer’s standards/policies.

• How many audits were conducted on acquired business units?

Meaningful data is information that helps define effective specific to criminal investigations of potential Foreign Corrupt Practices Act (FCPA) violations, anti-bribery and corruption programs, according to Edwards, may include output metrics that are excerpted above. Read Edwards full piece as it appears in the FCPA blog here.

“

“

KEITH READManaging Director, Europeat Convercent

Training program completions rates and code of conduct confirmation statistics are what are known as input compliance,”says Keith Read, Managing Director, Europe at

Convercent. “They hinge on the — historicpremise that if the inputs to a compliance program are good (such as training) then the output will be a commensurately compliant company.

How ToMeasureStart by summarizing the key changes and developments in your C&E program.

Then talk through progress, results and challenges as they stand today, in relation to previous years and benchmarked against other firms:

Implementation Process Status of important compliance initiatives and what work remains.

Risk Profile Changes Any new, emerging risks or noteworthy changes to the likelihood or severity of your organizational profile, either due to business changes or environmental developments.

Policy Attestation and Training Certification How many employees have successfully completed training and policy requirements, including the results of any post-training tests and policy attestation rates.

Employee Feedback The feedback received through employee focus groups, culture surveys and knowledge assessments, and how you are using this feedback to drive improvements.

Audit Findings Results of internal or external audits, and what these findings mean for the organization and the compliance program.

Comparative BenchmarkShare the state of your program compared to last year and compared to similar organizations in your industry or with a comparable organizational size, structure and geographic reach.

Hotline/Internal Reporting Data How many tips your hotline or other reporting channels have received, trends by type of incidents being reported and any hotspots that have emerged in particular locations, departments or business units.

Incidents and Investigations The number and type of investigations

athat took place, the disposition of cases and what ongoing investigations the board should be aware of.

Recent SuccessesShow the value of your program by highlighting any incidents the compliance program has prevented from occurring or escalating.

Gaps and Opportunities Identify soft spots and holes in your program, and specific areas where improvement is needed.

Upcoming Initiatives Outline a policy training curriculum roadmap, communication plans and any other program improvements planned for the next year – including how you plan to address the aforementioned soft spots.

Potential Cost, Value, Comparators and Opportunities An annual cost of compliance per employee against a single fine per employee – compliance is then a reasonable investment in keeping the company away from the courts, reputational damage, etc.

9

FROM THE FIELD

Experts Weigh-In

We very often overlook the skill of storytelling in business. Simply presenting the raw numbers, the raw data – actually isn’t enough. You have to connect it to the arching narrative of where we start from, where this takes us, and why that’s a good or bad thing and results in the end. In an area like compliance, [business storytelling] helps you move the business forward.

– Donald Farmer

Ask yourself two questions when looking at different metrics: 1. What are we using today to help measure? (For example, Microsoft Excel or Tableau)2. Where are the gaps and opportunities around that?

If you have well-structured C&E program, then there’s likely to be some metrics inherent in that even if they’re not already captured around the completeness of training and the numbers of people who were involved in those things.

Second order data – look at metrics around the length of time it takes to resolve issues, the number of issues which are raised but not resolved, etc.

Increasing Data Literacy

11

“ “

DONALD FARMERPrincipal at TreeHive Strategy

Convercent’s EVP and Chief Compliance Officer Katie Smith told us that her experience in the field exposed two challenges when using advanced analytics and data to measure effectiveness:

1. Most C&E teams are very lean and often one-man teams.2. Even in large organizations, the benefit of using a data science engineer or business analyst isnot available.

From climate change and political issues all the way to compliance and ethics, these issues are all brought to our attention with supporting data. Without that supporting data, we begin to loose trust in the validity of a claim.

Using these industries as examples, if you will, of how to exemplify a problem from a data-driven point-of-view, you can increase your own data literacy by simply becoming more aware of the uses of data that are all around you currently, says Farmer.

You can start from the very clear metrics – simple counts of numbers of what’s going on into a second order level of reporting around the nature of those events that are happening and the nature of the training that you’re doing.

Compliance practitioners often use data to identify gaps and opportunities but also see where training may be missing – that’s the kind of next stage beyond that is starting to use data to understand the effectiveness of the programs we have in place.

You’ll start to do before and after comparisons between different parts of your organization or at the more advanced level, even comparisons between your organization and others in the industry in the form of benchmarking, for example.

12

KATIE SMITHEVP and Chief Compliance Officer at Convercent

As the CECO of CH2M, Bill Brierly has seen the compliance industry change from being solely investigations-focused to being a fully-operational and an independent function within the organization with dedicated resources. He measures compliance success by addressing the following questions:

• How do people feel about the company?• How do they feel about the ethics program?• Do employees think we are living up to our reputation as an ethical company?• Are we living up to the expectation that they had when they came into the

company?

Smarter Compliance, Better Results

13

Company Overview:

CH2M Hill, aka CH2M HQ: Englewood, CO, USA Industry: Construction and Engineering

Operates in over 100 countriesApproximately 26,000 employees worldwide Convercent customer since: 2014

BILL BRIERLYChief Compliance and Ethics Officer

Specific metrics Brierly seeks out include:• Information from the expense account review process • How fast people are completing training courses• How the company is meshing all the data together in terms of completions versus reports received

To validate, measure and report on the effectiveness of the CH2M compliance and ethics program, Brierly compares what they provide to what other compliance officers across the country are providing.

He gathers this intel: • By attending meetings with the opportunity to meet other compliance officers; and, • By using the Convercent platform, he receives direct feedback from the company’s board members.

They’re members of boards of other companies, some of whom are larger than us, some of whom are smaller than us,” says Brierly. “And what I’ve consistently heard from them, the feedback I get from them, is the data I’m presenting them and the way that we’re presenting it is something they haven’t seen.

14

“ “

Convercent is the leading SaaS provider of ethics and compliance solutions

for the enterprise. Its cloud solution enables global enterprises to implement,

measure and manage modern compliance programs and instill ethics at their

core of their company. Its fully integrated products bring efficiency and an

intuitive user experience to risks, cases, disclosures, training and policies. With

hundreds of customers in more than 130 countries – including Airbnb, Dolby

Laboratories, LinkedIn, Alamo Group, Baxter, McGraw-Hill Education, and

Philip Morris International – Convercent’s award-winning GRC solution enables

organizations in all industries to build a foundation of ethics and safeguard

their financial and reputational health in the process. Convercent is based

in Denver, Colorado and backed by Sapphire Ventures, Tola Capital, Azure

Capital, Mantucket Capital and Rho Capital Partners.

www.convercent.com

About Convercent

15

GET SOCIAL WITH US: