
2012-10

The Evolving Role of a Chief Ethics and Compliance Officer: Managing Compliance and Ethics in the New Era

Prepared By:

Michael Rasmussen, J.D., OCEG Fellow, CCEP: Risk & Compliance Lecturer, Author, & Advisor

Table of Contents

This is Not Your Predecessor's Compliance Program
Regulations and Integrity Bear Down on the Organization
    Integrity: Does Your Organization Walk Its Talk?
    Compliance and Integrity in a Dynamic and Distributed Business
A GRC Perspective of Compliance
    CECO: A Pillar of GRC Leadership
A "CECO" SWOT Analysis
Taking a Risk-Based Approach to Compliance
Business Process Framework for Managing Compliance Risk
MetricStream Delivers a Holistic Approach to Compliance Management
    MetricStream provides the following core capabilities
About this Paper
About Michael Rasmussen

www.Corp-Integrity.com research@Corp-Integrity.com +1.888.365.4560

©2012 Corporate Integrity, LLC - All Rights Reserved

This is Not Your Predecessor's Compliance Program

Regulations, ethics, and integrity are challenging the organization like never before. As government scrutiny and stakeholder demands for transparency increase, clients want to know if the organization is reputable, while business partners want to see a commitment to compliance and ethics.

In many organizations, the role of the Chief Ethics and Compliance Officer (CECO) is taking on greater importance. Traditionally viewed as a compliance cop, the CECO is being called upon to champion corporate integrity, accountability, responsibility, values, culture, and ethics. Today's CECO must have a holistic understanding of the ethical, regulatory, and cultural risks the company faces, how they relate to each other, and how they fit into broader enterprise risk strategies.

As a key player in the strategic team of the enterprise, the CECO must address:

■■ Key external stakeholder (investors, regulators, NGOs, local communities) demands for transparency and evidence of an effective compliance and ethics program.

■■ Board and C-suite demands for clear and reliable information about ethics and regulatory risks that will drive strategic decisions and future outcomes.


■■ The compliance executive's need to efficiently allocate limited resources to minimize exposure to compliance and ethical risks.

■■ The line executive's need for policy communications, training, surveys, and risk and compliance assessments that have coordinated schedules and content.

■■ An overarching need for improved efficiencies and reduced risks throughout the extended enterprise.

All the while, the CECO must embrace a strategic view that satisfies the demands of these competing forces while keeping an eye on the prize — meeting organizational objectives for value.

Regulations and Integrity Bear Down on the Organization

Managing an organization's ethics and values is challenging enough. Introduce a legion of laws, regulations, contractual obligations, judgments, and fines, and the CECO has a difficult path to tread. Distributed businesses that cross jurisdictions in transactions and relationships have an even greater regulatory burden, so much so that the CECO needs to use a risk-based approach to understand where the most critical ethics and compliance risks are.

Integrity: Does Your Organization Walk Its Talk?

Organizations operate in a field of ethical, regulatory, and legal landmines. Any day of the week, business and trade publications carry headlines about organizations that failed to meet their compliance obligations or live up to ethical practices. Most organizations have written ethics and compliance practices to govern business operations, transactions, processes, employees, and relationships. But are these practices effectively integrated into corporate culture? Integrity is measured by what an organization does and does not do when it thinks it can get away with something. Reports, filings, and stakeholder communications may say one thing when, in reality, the organization is doing something else. From an organization's perspective, personal and corporate integrity are two sides of the same coin: both employees and business partners must be willing to follow corporate policies and procedures. From an individual perspective, an employee will want to work for an organization that does the right thing, is in sync with personal values, and demonstrates the integrity to live by communicated practices and commitments.

Compliance and Integrity in a Dynamic and Distributed Business

Organizations today have global clients, partners, and business operations. The larger the organization, the more complex its operations. Organizations are also constantly changing due to new employees coming in, roles changing, new partner relationships being established, new markets being explored, and new products and services being introduced. Regulations are also changing, as is the risk environment. In the midst of these changes, how does the organization ensure ongoing compliance with legal and regulatory requirements as well as other obligations? The key is to define compliance culture at the top, and communicate it down to the lowest level of employees. The CECO must continuously articulate the culture, establish it in policies and procedures, and monitor compliance. The CECO must also keep in mind the big picture: the desire to achieve business objectives and overcome obstacles while staying within mandatory legal requirements and voluntary organizational values.

A GRC Perspective of Compliance

Most organizations have an internal maze of isolated compliance and control processes. Governance is usually handled by the board, risk is managed by the CRO and risk-management department, and legal compliance is addressed by the legal department and CECO. This siloed and uncoordinated approach duplicates human and information resources, and diminishes the visibility into necessary data. By contrast, an integrated GRC strategy helps carve out a well-defined and enterprise-oriented path to achieving objectives within the boundaries of regulatory and legal requirements, as well as internal expectations. It is a transforming initiative that brings change across the four principal operational dimensions: people, processes, technology, and culture. It also enables organizations to better manage risks, and ensure value preservation and growth.

CECO: A Pillar of GRC Leadership

The CECO is a critical player in the strategic design of an integrated GRC approach. He or she must understand the organization's compliance and ethical risks, as well as the opportunities to control cost, improve resource utilization, and align GRC with company objectives. The CECO must champion these corporate compliance and ethics goals:

■■ Articulate to the board why a clear view of compliance and ethics is critical to the organization's culture, performance, and fiduciary responsibilities.

■■ Demonstrate how centralized oversight and supporting technology for policy and procedure lifecycle management drive predictable behavior and performance.

■■ Communicate the benefits of including compliance and ethics within business change initiatives as well as changes in partner and supplier relationships.

■■ Assist the CEO in evaluating opportunities and preventing adverse effects from regulatory compliance and ethical risks.

■■ Demonstrate how integrated GRC can improve processes while reducing or eliminating redundant efforts.

■■ Incorporate compliance, risk management, and assurance across extended business relationships (e.g., supply chain, vendors, and contractors).

CECO'S ROLE IN GRC

Core ethics and compliance role:

■■ Definition of the code of conduct, values, and ethics
■■ Policy and procedure management and communication
■■ Investigations
■■ Training
■■ Compliance assessment
■■ Regulatory intelligence and monitoring

Other areas of responsibility:

■■ Vendor and third-party risk and compliance management
■■ Enterprise risk management
■■ Corporate social responsibility


A "CECO" SWOT Analysis

Using the SWOT analysis framework, the CECO can uncover opportunities, develop specialized talents and abilities, and eliminate threats proactively.

Strengths

■■ Visionary: Provides insights to the CEO and board for creating and protecting organizational integrity, ethics, and values, while maintaining compliance with laws, regulations, policies, and procedures

■■ Energetic: Good communicator; builds interest in better approaches to compliance, ethics, and values

■■ Versatile: Broad experience in managing compliance, ethics, regulatory issues, and corporate values, and their impact on other business disciplines and roles

■■ Driven: Goal-oriented problem-solver; moves the enterprise forward by finding and fixing compliance and ethical problems

■■ Collaborative: Partners with peers; adept at leveraging best practices and initiatives across operating units

Weaknesses

■■ Little experience in business operations and ERM

■■ Tendency to focus solely on compliance, while now being challenged to take on ethics, values, social responsibility, and corporate culture

■■ May be viewed as a corporate cop rather than a strategic and operationally influential champion of the business

■■ Spends resources mostly on investigations and putting out compliance fires, leaving few, if any, resources for planning

Opportunities

■■ Assess external regulatory and social responsibility trends to develop a full understanding of mandatory and voluntary boundaries

■■ Formulate an enterprise GRC strategy, and aggressively implement it

■■ Leverage technology to communicate policies and training, establish and influence corporate ethical culture, and meet regulatory requirements

■■ Improve compliance reporting to senior management and the board by integrating compliance metrics and information into existing reporting processes

■■ Build superior shareholder relations and broader stakeholder communications around ethics, values, and compliance activities

■■ Demonstrate broad organizational leadership

Threats

■■ Fraud, corruption, and social responsibility and compliance violations

■■ Compliance issues and exposures (known and unknown)

■■ Failure to implement adequate compliance and ethics infrastructure to monitor, mitigate, and respond to the risk of unethical conduct

■■ Siloed processes and systems causing delayed reporting and inconsistent quality of risk information

■■ Document-centric approaches handicapping compliance reporting and relative value

■■ Communicating compliance requirements after an event or incident occurs, rather than identifying potential problems before they occur


Taking a Risk-Based Approach to Compliance

The CECO is challenged to implement a risk-based approach to compliance. This involves gathering information from the external business and regulatory environment, understanding the current and future context of a dynamic and distributed business, and accordingly modeling the current and future risk impact. CECOs should use risk models that support bow-tie, decision-tree, and scenario-risk analysis. The principles of compliance risk management are:

1. Understand risk: Risk assessments should be both periodic and dynamic in response to significant business change (e.g., mergers and acquisitions, expansion into new markets) that could lead to new risk exposure.

2. Approach compliance in proportion to risk: If a business in a certain country has a high risk of corruption or ethical issues, the organization must respond with strong compliance procedures and controls. This also applies to the size of the business: smaller organizations are not expected to use the same control measures as larger enterprises.

3. Monitor the risk and regulatory environment: Tracking changes in risk and regulatory environments is critical to understanding compliance risk.

4. Establish a tone at the top: The compliance risk management program must be fully supported by the board and executives. Communication with top-level management needs to be bi-directional.

5. Know who you do business with: Organizations need a risk-monitoring framework across employees, business partners, and suppliers, as well as markets and geographies. Due diligence in background checks helps ensure that only ethical entities are hired.

6. Keep information current: Risk assessments must be done on a regular basis, or when the business becomes aware of conditions that point to increased ethical and compliance risk.

7. Ensure compliance oversight: There needs to be someone responsible for the oversight of compliance risk management processes and activities, with the authority to report to independent monitoring bodies such as audit committees or the board.

8. Manage change: A deliberate program of change management must be established to document, implement, and monitor changes that may impact the compliance and ethics program and introduce greater risk to corporate integrity.

Business Process Framework for Managing Compliance Risk

Success in compliance risk management begins with strategy. Organizations must identify and prioritize major risks resulting from regulatory mandates, and maintain oversight and control over business processes. They must also shift their compliance focus from reactive fire-fighting to proactively managing, monitoring, mitigating, preventing, and detecting compliance risks. Using the OCEG GRC Capability Model, with guidance from the USSC Organizational Sentencing Guidelines, the U.K. Bribery Act, and Australia's AS 3806-2006, Corporate Integrity recommends the following core processes:

■■ Compliance program management: This is the core process that integrates all other functions into a cohesive program for managing and scheduling compliance reporting, assessments, controls, investigations, policies, regulatory change, and specific projects and tasks.

■■ Compliance risk identification and assessment: Regular compliance risk assessments and monitoring help ensure that policies and controls are in place and working.

■■ Regulatory and risk intelligence: Staying ahead of compliance risks involves continuously monitoring changes to regulatory, risk, and business environments. Subject matter experts for each risk area must be identified and held accountable for monitoring changes and identifying new and developing compliance risks.

■■ Policy definition, communication, and maintenance: Organizations need documented and up-to-date policies and procedures that address compliance and ethical risk in accordance with corporate culture, values, and obligations. Effective policy definition and communication provide evidence that the compliance program is sound and that controls are adequate.

■■ Compliance risk reporting and accountability: Compliance is a distributed and federated function in most enterprises. While the board has ultimate accountability, the responsibility for compliance risk management falls to the CECO and is then delegated across a variety of business processes and functions. Therefore, effective compliance requires seamless collaboration across the business.

■■ Due diligence efforts: Organizations must properly screen employees and business partners to assure the business that it is not engaged with people who have a tendency towards unethical behavior.

■■ Training and communication: Written policies are not enough; individuals need to know what is expected of them on a day-to-day basis. Organizations increasingly use online training in addition to classroom training to deliver courses in compliance and ethics.

■■ Ongoing compliance assessment: Organizations need ongoing assessments of compliance policies and controls through regular surveys and self-assessments.

■■ Enforcement of the control environment: It is crucial to implement and monitor preventive and detective controls that support compliance. When there are issues, corrective controls should be implemented.

■■ Record and report issues: Clearly defined processes and channels (e.g., call centers, websites) have to be in place for individuals to report concerns, weaknesses, and wrongdoing.

■■ Conduct investigations: Even in the best organizations, things go wrong. Investigation processes must be in place to quickly identify potential incidents of corruption, and to enable effective investigation and issue resolution.

■■ Implement communication and reporting processes: Organizations must have channels through which employees can get their questions answered to avoid non-compliance issues. These channels could include helplines, FAQs, and form processing.

Throughout all these processes, compliance risk management must have a clearly defined methodology to make sure that the organization learns from its issues and is not a repeat offender.

CHANGES THAT CAN BRING FAST BENEFITS

■■ Develop a unified vocabulary and coordinated schedule for compliance activities such as assessments, training, and policy communication.

■■ Establish a uniform system of policy management to maintain consistency in policy development, maintenance, and communication.

■■ Coordinate with investigation teams across GRC roles to see that issue reporting and investigation are managed consistently.

■■ Collaborate with key C-suite executives to establish compliance program metrics that are objective, meaningful, and measurable.

■■ Perform compliance evaluations to test and provide assurance related to the effectiveness, efficiency, and responsiveness of the GRC program.


MetricStream Delivers a Holistic Approach to Compliance Management

Corporate compliance departments have historically made very little use of technology. Processes have been manual and document-centric, which makes gathering data and reporting on compliance laborious and costly. Further, compliance departments have relied heavily on word-processing documents and spreadsheets that lack an audit trail. This is a legal liability, because the organization does not preserve a defensible position: there is no real record, and no guarantee that records will not be altered after the fact to paint a rosier picture and keep the organization or an individual out of trouble. Compliance needs technology with a robust system of record that documents every change and provides a complete audit trail.

MetricStream is a GRC solution provider that Corporate Integrity has researched and evaluated. Through one of the most adaptable and end-to-end offerings for GRC, MetricStream eases the compliance risk management burden, and strengthens operational effectiveness, human and financial efficiency, and compliance agility.

MetricStream provides the following core capabilities:

■■ Compliance program management: MetricStream brings together distributed compliance management processes, metrics, and reports in a cohesive system, and provides role-based access to view contextually relevant tasks and items.

■■ Compliance risk identification and assessment: MetricStream provides powerful capabilities to manage compliance risk surveys, assessments, risk data, and reports. It also helps analyze and model compliance risk and ethical issues.

■■ Regulatory change management: MetricStream helps coordinate legal, regulatory, contractual, and corporate policy obligations with associated tasks and records. Stakeholders know when regulatory requirements change, and can quickly identify gaps in the compliance program and manage the impact of regulatory changes on the business.

■■ Policy definition, communication, and maintenance: MetricStream supports the complete policy management lifecycle, from aligning policies to the changing regulatory and business environment, to communicating the policies, monitoring compliance, and maintaining a robust audit trail.

■■ Training and learning management: MetricStream's fully integrated Learning Management System (LMS) helps manage, track, and integrate compliance training courses with policies.

■■ Case and investigation management: MetricStream enables organizations to efficiently manage and monitor compliance issues and incidents, including those reported through channels such as hotlines. Advanced tools help document and report all issues, actions taken, and investigation results.

■■ Ongoing compliance assessment: MetricStream offers a consistent, cohesive, and centralized architecture to gather compliance information through assessments and surveys.

■■ Vendor/supplier governance: MetricStream helps manage compliance across extended business relationships. Its solution automates procedures to collect vendor information, communicate policies, and facilitate vendor self-assessments. It also helps track and manage vendor audits, score vendors based on risk, and trigger mitigation and issue management.

■■ Benchmarks, metrics, and dashboards: MetricStream helps establish compliance metrics and trends of compliance indicators over time. It provides a robust reporting engine, and enables communication of compliance reports across all levels of management.

■■ Compliance forms and processes: MetricStream manages forms and templates for compliance processes (e.g., conflict of interest, data privacy). All requests, approvals, and denials are maintained in a central repository supported by a robust audit trail and reporting system, email notifications, escalation policies, conditional logic, and workflows for efficient monitoring and compliance reporting.

The MetricStream GRC solution addresses a range of challenges in managing compliance, risk, audit, business continuity, enterprise assets and processes, threats, incidents, investigations, and third parties. Its compliance and ethics management capability is a worthy candidate for any compliance program. Along with its other GRC modules, the MetricStream solution is a powerhouse of information, analytics, and insight.


About this Paper

This white paper is brought to you by MetricStream. MetricStream is a market leader in enterprise-wide GRC and Quality Solutions for global corporations. MetricStream enterprise solutions are used by leading corporations in diverse industries such as pharmaceutical, medical device, high tech manufacturing, energy, financial services, healthcare, manufacturing, food and beverages, and automotive to manage quality processes, manage corporate policies, manage regulatory and industry-mandated compliance, and manage corporate governance initiatives.

About Corporate Integrity . . . Corporate Integrity, LLC is a GRC strategy advisory firm providing leadership in education, research, analysis, and advisory services by monitoring the challenges and trends in business for corporate governance, risk management, and compliance (GRC). Through ongoing research, interactions, and analytics, Corporate Integrity is the authority in understanding how organizations can foster a culture that “walks the talk,” where integrity is central to GRC practices. Corporate Integrity educates organizations — and GRC professionals within those organizations — on achieving sustainability, consistency, efficiency, and transparency in their corporate GRC practices to maintain a position of integrity aligned with corporate values and business performance.

About Michael Rasmussen

J.D., CCEP, OCEG Fellow: Business Ethics & Compliance Lecturer, Author, & Advisor

Michael Rasmussen is an internationally recognized pundit on the topics of business ethics, corporate culture, policy management, and compliance. With more than 18 years of experience, Michael helps organizations understand their culture and improve related governance, risk, and compliance (GRC) strategies, processes, and technologies that deliver business agility, efficiency, and effectiveness. He is a sought-after keynote speaker, author, and advisor on compliance and risk management strategies. He is noted for being one of the earliest advocates for a collaborative and integrated approach to GRC.
