compliance and ethics leadership council

Compliance and Ethics Leadership Council

Assessing Global Readiness: Adapting the Corporate Core to New Markets

Jennifer Childs Kugler


SCCE Annual Conference

Sunday, 14 October 2012

A FRAMEWORK FOR MEMBER CONVERSATIONS

The mission of The Corporate Executive Board Company and its a�liates (CEB) is to unlock the potential of organizations and leaders by advancing the science and practice of management. When we bring leaders together, it is crucial that our discussions neither restrict competition nor improperly share inside information. All other conversations are welcomed and encouraged.

CONFIDENTIALITY AND INTELLECTUAL PROPERTY

These materials have been prepared by CEB for the exclusive and individual use of our member companies. These materials contain valuable confidential and proprietary information belonging to CEB and they may not be shared with any third party (including independent contractors and consultants) without the prior approval of CEB. CEB retains any and all intellectual property rights in these materials and requires retention of the copyright mark on all pages reproduced.

LEGAL CAVEAT

CEB is not able to guarantee the accuracy of the information or analysis contained in these materials. Furthermore, CEB is not engaged in rendering legal, accounting, or any other professional services. CEB specifically disclaims liability for any damages, claims or losses that may arise from a) any errors or omissions in these materials, whether caused by CEB or its sources, or b) reliance upon any recommendation made by CEB.

© 2012 The Corporate Executive Board Company. All Rights Reserved. CELC4150612SYN

�3

16%


�4

27 7 27

23 13 25

23 17 13

30 17 3

18 15 15

30 7 10

14 9 19

25 7 7

17 13 7

29 8

894

824

498

532

620

683

735

784

838

872

932

989

997

1,012

THE FUTURE OF CORPORATE INVESTMENT

Foreign Direct Investment Inflows (2008–2014)US Billions

Source: “Global FDI–The Rocky Road to Recovery,” Economist Intelligence Unit, 15 March 2010.

Emerging markets will continue to receive about half of all global foreign direct investment flows.

Developed Countries

Emerging Markets

Brazil

India

China and Hong Kong

Korea

Canada

Australia

United Kingdom

United States

Russia

Japan

Source: A. T. Kearney Foreign Direct Investment Confidence Index, 2010; PricewaterhouseCoopers 2010 CEO Survey.

Top 10 Countries in Which Corporate Jobs Are Being AddedPercentage of CEOs Increasing Headcount in 2010

Increase Jobs by Less Than 5%

Increase Jobs by 5–8%

Increase Jobs by More Than 8%

n = 467 of 1,198 CEOs. Multiple responses allowed.

2008 2009 2011 2012 2013 20142010


�5

EMERGING MARKET CHALLENGES

Barriers to Expansion in Emerging MarketsIllustrative

Di�culty of Management

Like

liho

od

of

Occ

urre

nce

High

Medium

Low

Easy Di cult Very Di cult

Increasingly Protectionist Government Strategies

(Policy Risk)

Political Instability

Economic and Financial Instability

Fraud and Corruption

Lack of Local Talent and Leadership

Cultural Risk

Regulatory Risk

Emergence of “National Champion” Firms�1

Threat of Asset Seizure/Expropriations

Increased Competition from Domestic Rivals

Currency Fluctuations

Ill-fitting Business Model

Lack of Contract Enforceability

1 Government promotion or favoritism of key economic sectors resulting in uneven playing field.Source: Gibson Dunn, “FCPA and International Anti-Corruption Enforcement—Trends in 2010.”


�6

A SHIFTING COMPLIANCE ENVIRONMENT FOR COMPANIES (AND THEIR EMPLOYEES)

Key Trends Driving Future Compliance Risks Compliance Implication

Competing Regulatory DemandsCompanies face a more complex and aggressive regulatory environment, creating inconsistent compliance expectations.

2. Growing and Fragmented Regulatory and Enforcement Environments Notwithstanding the fact that regulators in di�erent countries are focused on common issues, increasing the volume of legislation and regulation in key areas (e.g., anti-bribery, anti-trust, data privacy), they are often using di�erent standards to enforce these issues.

Growing Focus on Information RisksEmployees now have more opportunities and incentives to disclose information outside of the company. In addition, customers and other third parties are demanding greater protection from data leakage and disclosure.

3. Explosion of Information and Transparency The exponential growth in the amount (and types) of data creates new risks and opportunities for how companies and employees create, use, and dispose of information.

Changing Employee Value PropositionMillennial-generation employees are motivated di�erently and desire, in general, more open, flexible, and socially interactive workplace environments.

4. Shifting Employee Demographics Companies increasingly hire Millennial-generation employees (characterized by an increased familiarity and informality with digital technologies and online communications).

Increasing Global Compliance RisksAs operational centers shift to new markets, compliance departments must learn to manage new (and often more volatile) political, legal, and cultural risks across geographies.

1. Company Growth into New Markets With slow growth expected in developed markets, companies are more rapidly expanding their businesses (and their value chains) into foreign jurisdictions.


�7

CHALLENGE #1: HARD TO ASSESS RISKS IN RAPIDLY CHANGING ENVIRONMENTS

Over the Past Two Years, How Have the Following Changed in Emerging Markets?Number of Respondents Indicating an Increase

Source: GCR and CELC Pre-Meeting Survey, June 2010.

75%

72%

63%

45%

44%

30%

30%

Business Volatility and Complexity (e.g., Increased Deal-Making,

Di�erent Creative Deal Structures)

Speed and Volume of Local Regulatory Changes

Financing and Solvency Concerns

Local Regulatory Activism in Emerging Markets

Business Pressure to Approve Deals Quickly

Governmental Favoritism Toward Local Competitors

(e.g., Lack of a Level Playing Field)

Willingness of Local Governments to Cooperate

with Foreign Companies

n = 59.

n = 54.

n = 57.

n = 55.

n = 55.

n = 48.

n = 46.


�8

CHALLENGE #2: HARD TO INFLUENCE LOCAL CULTURES What Is the Primary Challenge in Managing Legal and Compliance Risks in Emerging Markets?

What is the Best Measure of (Compliance and Ethics) Success in Emerging Markets?

Ensuring Employee Adherence to Corporate

Policy and Standards

Integrating Legal and Compliance into Local

Business Decision Making

Identifying (Trustworthy) Local Third Parties

Understanding Local Regulatory Expectations

n = 26.

27%

19% 19% 19%

CELC research indicates culture substantially drives local compliance success

n = 22.

Improvements in Corporate Culture

Reduced Misconduct

Business Partner Satisfaction

Reduced Damages, Settlements and Fines

50%

27%

14%

5%

Source: CELC Pre-Meeting Survey, June 2010.


�9

CHALLENGE #3: HARD TO KNOW THE STATE OF COMPLIANCE IN LOCAL MARKETS

How Significant a Challenge Is Gathering Quality Information on Compliance Performance?Percentage of Regional Respondents Answering “Very Significant” or “Fairly Significant”

Latin America Far East Middle East and Africa

Central and Eastern Europe

n = 279.

Source: Ernst & Young, 11th Global Fraud Survey.

88%

75% 74%

56%


�10

THE ROLE OF COMPLIANCE AND ETHICS IN SUPPORTING GLOBAL READINESS: KEY QUESTIONS TO ADDRESS NOW

Program “Bones”Risk Identifi cation

Compliance Oversight Outreach

Do we know what our key risks, including cultural hot spots, are in these new markets? How are we mitigating those risks? And what is the upside of getting this right?

Do we have the resources and program structure in place to enable us to adapt and respond quickly?

What oversight do we need to put in place to ensure we are reducing the likelihood of misconduct?

Have we targeted the high-risk audiences with appropriate (and appropriately-timed) outreach, training, etc.?

For another day:

■ Managing Third-Party Risks in New, Emerging Markets ■ Measuring the Success of your E� orts


�11

1. What insight does CELC data provide?

2. What do I need to know about Asia?

3. How are leading companies proactively managing these risks?

4. What about cultural risks?









�12

LEVELS OF OBSERVED BUSINESS MISCONDUCT

Percentage of Employees Who Report to Us Observed Business MisconductCELC Cultural Diagnostic�1 Data: All Employees by Country, 2009–2010

�� %

��% ��%

1�%

1�% 1�%

1�%1�% 1�% 1�% 1�%

11%

Brazil

n = 11,749.

Mexico

n = 3,693.

Latin America

n = 5,070.

Eastern Europe

n= 3,601.

U.S.A.

n = 109,755.

Africa

n = 721.

China

n = 7,028.

Scandinavia

n = 2,030.

India

n = 11,511.

UK

n = 6,616.

Western Europe

n = 11,197.

Russia

n = 335.

15%Global Average

Rates of observed misconduct substantially higher across Mexico, Central, and South America


�13

0%

5%

10%

15%

0%

5%

10%

15%

BUSINESS MISCONDUCT ELEVATED IN MOST EMERGING MARKETS

Observed Misconduct by TypeCELC Cultural Diagnostic Data: Distribution of Misconduct by Type

Global Averagen = 210,999.

Indian = 5,962.

Chinan = 4,473.

Braziln = 3,513.

Har

assm

ent

or

Bu

llyin

g

Pre

fere

nti

al

Trea

tmen

t

Dat

a P

riva

cy

Vio

lati

on

Bu

sin

ess

Info

rmat

ion

V

iola

tio

n

Dis

crim

inat

ion

Mis

use

of

Org

aniz

atio

n’s

T

ime/

Res

ou

rces

Inap

pro

pri

ate

Giv

ing

/Rec

eivi

ng

o

r G

ifts

Ste

alin

g

Env

iro

nm

enta

l V

iola

tio

n

Co

nfl i

ct o

f In

tere

st

Inap

pro

pri

ate

Beh

avio

r

Imp

rop

er S

ales

Hea

lth

or

Saf

ety

Vio

lati

on

Imp

rop

er

Pay

men

ts

Alc

oh

ol a

nd

/or

Dru

g A

bu

se

Acc

ou

nti

ng

Ir

reg

ula

riti

es

Fra

ud

Insi

der

Tra

din

g

HR-Related Sales and Finance Legal ViolationsMisuses of

Corporate Assets


�14

54%61% 63% 64% 65% 66% 68% 71%

88%

THE VAST MAJORITY OF MISCONDUCT GOES UNREPORTED

Non-Reporting Rate of Observed Business Misconduct at MNCsCELC Cultural Diagnostic Data: All Employee Reporting by Country, 2009–2010

MexicoEastern Europe

Western Europe

U.S.A. Russia ChinaIndia

Why Don’t People Report?

■ Globally, the two reasons cited most by employees as to why they failed to report misconduct are “Fear of retaliation” and “I did not think the company would do anything about my report.”

■ In Asia, the top two reasons are “Did not think I had enough information” and “Not certain it was a violation,” indicating some uncertainty about what constitutes misconduct.

UK Brazil

61%Global Average

Employees in China are four times less likely to report business misconduct than employees in the United States.


�15

ARE WE GETTING OUR MESSAGE THROUGH?

Percentage of Employees Witnessing Misconduct Who Observe Confl icts of Interest

Country Management Status Yes Don’t KnowU.S.A.n = 17,561.

Manager 24.8% 8.3%Non-Manager 22.5% 15.9%

UKn = 794.


Braziln = 2,585.


Chinan = 914.


Indian = 1,381.


Country Management Status Yes Don’t KnowU.S.A.n = 17,561.


UKn = 794.


Braziln = 2,585.


Chinan = 914.


Indian = 1,381.


Percentage of Employees Witnessing Misconduct Who Observed Improper Payments Including Bribes, Kickbacks, or Inappropriate Payments

China and India

High levels of “don’t know” suggest the importance of providing meaningful awareness training and setting clear expectations for local employees.

Of non-managers who observed misconduct in China, only 29.8% are confi dent that they did not observe a confl ict of interest.


�16

SUMMARY OF CULTURAL FINDINGS: BRIC COUNTRIES

Observed misconduct most signifi cantly above global average—Preferential treatment, confl icts of interest, misuse of time, harassment/bullying, stealing

Reporting rate—36%Most frequent “don’t know”—Accounting IrregularitiesTop drivers of ethical culture—Organizational Justice, Openness of Communications, Departmental Climate

CELC Recommendations ■ Focus on compliance training, with HR–support, on interpersonal relations and topics such as harassment and bullying.

■ Focus training on group dynamics and business pressures (since relatively low-levels of “don’t knows” suggest employees understand expectations, but sometime willfully ignore).

Observed misconduct most signifi cantly above global average—Improper sales, fraud, data privacy, accounting irregularities

Reporting rate—32%Most frequent “don’t know”—Accounting IrregularityTop drivers of ethical culture—Organizational Justice, Openness of Communications, Departmental Climate

CELC Recommendations ■ Focus compliance training and mitigation e� orts on sales sta� . ■ Provide local training that focuses on Corporate values, organizational justice, and open communications.

Observed misconduct most signifi cantly above global average—Business information violation, improper sales, fraud

Reporting rate—39%Top drivers of ethical culture—Organizational Justice, Openness of Communications, and Mood in the Middle

CELC Recommendations ■ Focus on role of and interactions with the State (especially if product might be considered a State asset).

■ Employees place unusual importance on peer behaviors and perceptions of culture. Build training and communication around established peer networks.

Observed misconduct most signifi cantly above global average—Confl ict of interest, misuse of time, stealing, improper payments, inappropriate giving or receiving of gifts

Reporting rate—12%Most frequent “don’t know”—Accounting IrregularitiesTop drivers of ethical culture—Organizational Justice, Direct Manager Leadership, Comfort Speaking Up

Brazil India

China Russia

CELC Recommendations ■ Focus on corruption training. ■ High levels of “don’t knows” suggest employees need to enhance basic understanding of laws and expectations.

■ Focus on speaking-up and

comfort with investigations process.

■ Employees value strong direct manager leadership. Local leadership must understand and reinforce compliance messages.

�17


Brief Spotlight on Asia


�18

HIGH PROPORTION OF EMPLOYEES IN ASIA UNSURE OF HAVING OBSERVED MISCONDUCT

Percentage of Employees

n = 131,089 United States; 9,745 United Kingdom; 12,753 India; 7,551 China; 2,087 Singapore; 1,874 Malaysia; 399 Indonesia.

Don’t Know

Have Observed Misconduct

Have Not Observed Misconduct

United States

United Kingdom

China Malaysia IndiaIndonesia Singapore

Source: CELC RiskClarity Survey Data, 2009–2010.

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��


�19

32%

41%

49%51%

56%

MOST MISCONDUCT GOES UNREPORTED IN ASIA

Reporting Rate of Observed Business MisconductPercentage of Respondents Who Reported Observed Misconduct

n = 4,538 India; 3,962 China; 905 Malaysia; 809 Singapore; 182 Indonesia.

China Malaysia Singapore India Indonesia

Asia Average

46%

Global Average

58%



�20

0%

5%

10%

15%

20%

25%

30%

35%

40%

45%

50%

FEAR OF RETALIATION TOP REASON FOR NOT REPORTING MISCONDUCT IN ASIA

Top Three Reasons for Not Reporting MisconductPercentage of Employees

Singapore

China

Malaysia

India

Indonesia

Global Average

Asia Average

Fear of Retaliation I Did Not Think the Company Would Do Anything About It

I Did Not Think I Had Enough Information About the Misconduct

37%

24%

49%

16% 15%

20%

n = 12,753 India; 7,551 China; 2,087 Singapore; 1,874 Malaysia; 399 Indonesia.


Note: The list of top fi ve reasons for not reporting misconduct by country is included in the appendix.

�21


How Are the Best Companies Adapting Their Risk Assessments to Local Conditions in Order to Stay on Top of Risks?


�22

RISK MANAGEMENT INEFFECTIVE IN EMERGING MARKETS

Legal and Compliance Department Ranking of Ability to Manage Risk, by RegionPercentage Ranking as Ine� ective, GCR Legal Risk Diagnostic, 2010

n = 112.

��

��

��

��

��

��

North America

Western Europe

Eastern Europe

Central America

South America

Asia-Pacifi c

Africa Middle East

Five to seven times more legal and compliance departments report being ine� ective in these regions than in North America


�23

OVERVIEW: ADAPTING RISK ASSESSMENT TO LOCAL CONDITIONS

Scope of the Risk Assessment

Assessment FrequencyRisk Criteria and

Information Sources

Distinct Emerging Market Challenge for Compliance O� cers

■ Local culture, as well as political, economic, and regulatory policy greatly impact business conduct

■ Companies often quickly enter markets via acquisition or partnership

Uncertain political and social environment quickly render static assessments inaccurate or outdated

Volatility of socioeconomic and political conditions dramatically shifts and accelerates risk impact

Implications in Emerging Markets

Consider multiple factors a� ecting local risks (e.g., legal, regulatory, economic, political, social, cultural) and method of entry (e.g., acquisition)

Provide the framework to regularly update assessments and “price” compliance, thereby reducing undue business pressures

Select indicators that are relevant to your business and consider the speed at which local risks may change

Leading Approaches for Discussion

11

1 Pseudonym.

�24


COUNTRY-BASED COMPLIANCE EVALUATION

OVERVIEW

Trier follows a structured process to identify and mitigate the country and company-specifi c compliance risks that jeopardize the value and synergies of potential acquisitions in emerging markets. Beginning with target due diligence, Trier rapidly integrates the acquisition into its existing risk management framework.

KEY INSIGHTS

1. Country-Based Review—Compliance and Ethics should, in advance of market entry, develop a robust sense of the political, cultural, and business conditions that will impact operating success and the achievement of, in the case of an acquisition, desired synergies.

2. Integrate Acquisition into Existing Compliance Framework—Compliance and Ethic’s involvement in the due diligence process should assess business risks and the control environment with an eye towards rapid integration into existing company controls systems and risk management framework.

3. Identify Employee Pressure Points—Especially in emerging markets, legal and compliance risks stem from pressure points throughout operations. Compliance and Ethics must work to highlight these pressures (interactions with government o� cials, familial ties, etc.) that infl uence behavior and provide employees the requisite bu� er and support to act on the company’s behalf.

COMPANY SNAPSHOT

Trier Corporation Industry: Chemical2009 Sales: US$5–20 Billion2009 Employees: 5,000–20,000

1 Pseudonym.

1


�25

ACQUISITION PROCESS OVERVIEW

Market Entry and Acquisition Process Plan

Acquisition Working Team

Composition: ■ Corporate Development Group,

Legal, HR, Finance and a business representative

■ The Acquisition Working Team size is sta� ed according to the size of the deal

Target Identifi cation Team

Composition: ■ One or two employees from

Corporate Development group and relevant business

■ May include employees from Technology, Marketing, and/or the Strategy group

Integration Working Team

Composition: ■ Business, HR, Finance, Legal, IT,

Health, Safety and Environment, Manufacturing, Technology, and Supply Chain

■ Additional employees of the region where assets or business is located

Market ReviewStrategy Defi nition

Target Identifi cation

Initial Due Diligence and Valuation

Due Diligence and Valuation

Negotiation and Execution

IntegrationPost-Signing

Final Integration Planning

Risk Tracking and Accountability

Compliance Role ■ Begins initial review of

country-specifi c political risks

■ Reviews and validates Target Identifi cation Team business and operating model assumptions

Compliance Role ■ Identifi es local employee

“assets” willing to e� ectively support compliance initiatives

■ Holds local management accountable for compliance integration objectives

Compliance Role ■ Begins initial integration planning

by reviewing the target’s compliance infrastructure and evaluating the available resources for improvement

1

1 Pseudonym.


�26

REVIEWING COUNTRY-SPECIFIC COMPLIANCE RISK

1. Political risk

2. Human capital

3. Expropriation risk

4. Contract repudiation rates (enforceability of contracts)

5. Government stance toward business

6. Intellectual property piracy

7. Business environment (corruption risk)

8. Supply chain e� ciency

9. Competitive intelligence

10. Market Size

Before entering Vietnam, Trier’s Compliance O� cer interviews three law fi rms (one international, two local) and two forensic accounting fi rms about the country:

■ Political Risk Questions – What political risks have you seen in the last three years? – Could you tell me about litigation in this country? How long does it take to receive a judgement?

– Are contracts enforced here? Can I domicile operations in a more favorable location? – Have military budgets been increased/decreased? Could decreased military budgets provoke civil unrest?

■ Business Culture Questions – Can you tell me about corruption in the government? – What are employee perceptions of confl icts of interest in this country? – What local customs do Western companies run afoul of?

■ Business Risk Questions – Who are my local and international competitors in this market? Do you know and can you trust the behavior of your competitors

– How reliable is electricity (utilities and infrastructure) in this market? – Tell me about the three to fi ve business mistakes I’m going to make?

Preparing for Business Change “By the time a new deal is proposed. I typically have an understanding of the political, cultural, and business environment we are entering. This ensures the proper compliance consideration through due diligence and integration.”

AGC, Ethics and Compliance O� cerTrier Corporation

1

Key Market Entry Considerations Country Risk Review: Case in Point

1 Pseudonym.


�27

ACQUISITION RISK REVIEW

List of Reviewed RisksIllustrative

1. Map Compliance Risks—Maps the acquired line of business workfl ows to compliance risks (e.g., personnel who interact with government o� cials)

2. Assess Control Environment and Compliance Infrastructure—Follows COSO framework to audit entity-level processes and controls (e.g., testing presence of corruption policies, obtaining documentation from key process owners, reviewing policies and procedures, manufacturing safety procedures and posters).

Strategic Objectives ■ Become the number one supplier in Russia ■ Generate revenue synergies of US$8 million by year two ■ Reduce shipping costs

Country Risks1. Corruption risk2. Size of gray market3. Expropriation risk or government interference

4. Unforeseen tax liabilities

Line of Business/Compliance Risks5. Product quality

6. Product classifi cation and export7. Interaction with government o� cials8. Logistics and third parties

9. Compliance software and system integration delays10. Fraud11. Intellectual Property12. Relations with local unions13. Loss of key talent14. Poor cultural integration15. Control environment

Acquisition Risk Assessment

Acquisition Risk Heat MapIllustrative

Critical (> 20%)

Major (5-20%)

Manageable(< 5%)

Remote(< 10%)

Possible(10-50%)

Likely(> 50%)

Likelihood

Imp

act

(on

Eco

nom

ic P

rofi

t)

10

9

8 7

6

5

4

3

2 1

1112

15

1314

Medium High

Medium

Medium

High

LowLow

Low

CRITICAL

Although most companies do not consider these factors in integration planning, the fi nancial impact and likelihood of the occurrence have serious repercussions on value capture success.

1 Pseudonym.

1


�28

COMPLIANCE INTEGRATION PLAN

Compliance Integration Plan: Vietnam AcquisitionIllustrative

1 Pseudonym.

1

Compliance Integration Milestone

Task # Description Timeframe

Develop and introduce a unifi ed Code of Conduct

101.01 Introduce Trier’s Code of Conduct to acquired employees.

Establish plan for end-state Ethics Helpline

101.02 Deploy helpline system to location (subject to local laws).

Integrate software systems and controls

101.03 Test target’s software controls and/or integrate into SAP system.

Review external board service of target execs for potential confl icts of interest

101.04 Review existing confl icts and confi rm adherence to Trier’s policy.

Implement compliance standards in new acquisition

101.05 Determine whether acquisition possesses compliance standards as set forth in federal sentencing guidelines.

Designate appropriate employees for training

■ Anticorruption ■ IP protection ■ Competition law

101.06 Ensure proper compliance training for high risk employee segments.

Trier creates a fi rm compliance integration timeline prior to deal close.

�29


PROJECT-BASED COMPLIANCE ASSESSMENTS

OVERVIEW

Fluor identifi es and assesses the impact of potential compliance and ethics risks before bidding on projects, helping it prepare more realistic risk mitigation plans that factor in the business costs of e� ectively managing risk.

KEY INSIGHTS

1. Analyze Compliance Risks Up Front—Review business opportunities to consistently and thoroughly identify potential risks, including export and corruption compliance and ethics risks inherent in typical operations based in emerging markets.

2. Account for the Costs of Compliance—In addition to capturing and documenting potential areas of compliance exposure, account for the time, e� ort, and resources the business will need to invest in to proactively manage risks. Use cost information to inform cost-benefi t decisions about business opportunities.

3. Update Ongoing Risk Management Plans—Regularly assess changes to local operating conditions and other factors that positively or negatively a� ect existing risk mitigation plans, updating compliance processes as appropriate to maintain adequate and ongoing risk coverage.

COMPANY SNAPSHOT

Fluor CorporationIndustry: Engineering and Construction

2009 Revenue: US$21.9 Billion

2009 Employees: 36,152


�30

ENSURING COMPREHENSIVE RISK MANAGEMENT

Overview of Fluor’s Business Risk Management FrameworkIllustrative

Business Risk Management Framework (BRMF)The Business Risk Management Framework is a formalized and systematic process for assessing, managing and monitoring Fluor’s business risks for high-risk projects the company considers or executes, including investments and acquisitions.

Develop and Execute Risk Management Plan

Monitor and Report on Risk Management Performance

Continuous Performance Improvement

Select Risk Management Strategy for Each

Risk Identifi ed

Weight Potential Risks and Costs ■ Begin when the project is still a prospect ■ Identify potential risks that may threaten the project

■ Weigh potential risks against profi tability

Potential High-Risk Project

Note: Fluor executes engineering, procurement, construction, and maintenance work, typically in the form of discrete projects, for commercial and government clients around the world.


�31

CAPTURING THE COST OF COMPLIANCE RISK

Case in Point: Export Compliance Risk, Emerging Market Construction ProjectIllustrative

Potential Risk List

1. FCPA violation by subcontractor

2. Export compliance permit delays

3. Labor disruptions

4. Supply chain disruptions

Projected Costs: Export compliance permit delays

Cost 1: Additional three months added to project timeline.

Cost 2: Potential penalty of dollar per day imposed by client for breaching contractual schedule.

Project Scoring Worksheet (If yes, provide cost estimate) Projected Cost (Time, Money, etc.)1. Anticorruption/Government InteractionWill this project require us to work with agents or new subcontractors?If this is a public contract, would there be fewer than two bidders or is this a repeat bidding process?

2. PermitsDoes the project require permits from US export authorities?Does the project require permits from local country authorities?

3. LaborWill we need to use labor brokers to hire employees? Would pay or terms of service for newly-hired employees be di� erent to existing employees?

4. Supply ChainWould this project require us to rely on two or fewer suppliers?

Total

Project Price

�32


LOCAL CORRUPTION RISK MITIGATION

OVERVIEW

Capri selects local risk indicators that directly relate to the nature of their business, operating model, and the inherent risks posed by the country. Capri then uses predetermined risk thresholds to assess local business risk and appropriately plan mitigation e� orts.

KEY INSIGHTS

1. Customize Local Risk Approach—Customizes mitigation activities according to the risk category of the business, streamlining local implementation and maximizing limited legal and compliance resources.

2. Identify Country Specifi c Controls and Processes—Identifi es the organizational and country-based issues that pose the greatest risk to the business, minimizing gaps and overlaps in risk assessment and management.

COMPANY SNAPSHOT

Capri CompanyIndustry: Diversifi ed European Multinational 2009 Sales: US$75–125 Billion2009 Employees: 200,000–300,000

1

1 Pseudonym.


�33

COMPONENT #1: IDENTIFY RELEVANT LOCAL RISK INDICATORS

Basic Requirements of the Foreign Corrupt Practices Act

Relevant Risk Indicator

Who ■ Any individual, fi rm, o� cer, director, employee, agent, or

stockholder acting on behalf of the business in FCPA violations ■ Anyone who engages in conspiracy to violate the FCPA

Corrupt Intent ■ Intention of inducing the recipient to misuse his/her o� cial

position ■ Intention of infl uencing a foreign o� cial in his/her o� cial capacity

Payment ■ Any payment ■ O� er or promise to pay ■ Money or anything of value ■ Directly or indirectly

Business Purpose ■ Obtaining or retaining business ■ Directing business to anyone ■ Improper advantage

– Avoid customs duties – Reduce taxes – Increase profi ts – Prevent action – Obtain approvals – Engage in espionage – Get money due

Receipt ■ Foreign o� cials ■ Government employees ■ Employees of government-owned or controlled enterprises ■ Foreign political party ■ Candidate for foreign political o� ce

1. Level of Investment and Board Membership in Local A� liates, Subsidiaries, etc.

2. Country Risk Ranking (Based on TI Corruption Perception Index Scores)

3. Business Model (e.g., Sales, Financing)

4. Percentage of Business That Is Government-Facing

1

1 Pseudonym.


�34

COMPONENT #2: ASSESS LOCAL BUSINESS RISK BASED ON RISK THRESHOLDS

Risk Classifi cation of Business Based on Risk IndicatorsIllustrative

Risk Category of the Business

1 (Highest Risk) 2 3 4 5

(Lowest Risk)

1. Level of Investment and Board Membership

Majority-Owned Business



Minority-Owned Business

Minority-Owned Business with Board Membership

2. Country Risk TI CPI Score 5.2 TI CPI Score 5.2 TI CPI Score 5.2 TI CPI Score > 5.2 TI CPI Score > 5.2

3. Business Model Sales Business Sales Business Sales BusinessNon-Sales Business

Non-Sales Business

4. Percentage of Business That Is Government-Facing

More Than 3% in High-Risk Country

Between 0–3% in High-Risk Country

> 25% in Low-Risk Country

< 25% in Low-Risk Country

0%

1

1 Pseudonym.


�35

Risk Category of the Business

1 (Highest Risk)

2 3 45 (Lowest

Risk)

Mitigation Activities Required

Compliance Consultation Desk

Yes Yes Yes Yes No

FCPA Relevant Policy and Guidelines

Improper Payments and Other Benefits Yes Yes Yes Yes No

Retention and Use of Intermediaries in Sales and Distribution Yes Yes Yes Yes No

Compliance Due Diligence

Compliance Due Diligence in New Sales Intermediaries Yes Yes Yes Yes No

Compliance Due Diligence on Existing Sales Intermediaries (with concerns/change of ownership) Yes Yes No No No

Internal Controls

Implementation of Compliance Package Yes Yes Yes No No

Self-Assessment Yes Yes Yes No No

HR Compliance

Specific Anti-Bribery Compliance Targets for CEO, CFO, etc. Yes Yes Yes No No

HR Checklist for Screening Applicants (CEO, CFO, etc.) Yes Yes No No No

Training and Communication

Communications (e.g., Newsletter, Intranet) Yes Yes Yes Yes No

Code of Conduct Training Yes Yes Yes Yes No

Anti-Bribery Standard Classroom (and Refresher after 24 Months) Yes Yes No No No

Anti-Bribery Standard e-Learning (and Refresher after 24 Months) Yes Yes Yes Yes No

Local Compliance Manager Network

Implementation of Local Compliance Manager Yes Yes Yes No No

Government Business Controls

Implementation of Mandatory Consultation Process Yes Yes No No No

Reporting on Governmental Business Yes Yes Yes Yes No

COMPONENT #3: EMBED CATEGORY-BASED MITIGATION PLANS

Mitigation Plan According to Risk CategoriesIllustrative Excerpt

Businesses in a lower risk category (i.e., four or above) have fewer mandated mitigation activities. These mostly consist of policies, training, due diligence, and HR requirements.

Businesses in a higher risk category must appoint a local compliance manager and participate in the mandatory consultation process.

1

1 Pseudonym.


�36

HOW TO MAXIMIZE YOUR IMPACT ON COMPLIANCE RISK

Compliance and Ethics O� cers Role in Assessing Emerging Markets RiskMoments of Greatest Potential Impact

Critical Point 1: Market Entry

■ New market entry substantially elevates compliance risk, introducing new economic, political, legal, cultural, and acquisition/partnership risks

Compliance Role ■ Use the market entry decision

process to assess new country risks and ensure integration of new processes into the existing compliance risk framework

Critical Point 2: New Projects and Product Lines

■ New business launches expose the company to new customers, competitors, partners and regulatory requirements

Compliance Role ■ Consistently assess risks

associated with new project or product launches, integrating specifi c compliance criteria into investment decisions to appropriately “price” risks and establish clear operating expectations

Critical Point 3: Operating Environment

■ Changes in operating environment (enhanced enforcement, changes in internal processes) may increase compliance risk levels

Compliance Role ■ Customize compliance

requirements by local risk conditions, streamlining local implementation and maximizing limited compliance resources

Extending Compliance Infl uenceWhile Compliance and Ethics may not participate in every business decision, it can insert key considerations into the critical risk points.

�37


Why Should We Focus on Risks to Our Culture and Integrity as We Expand Into New Markets?


�38

850,000+ EMPLOYEES WORLDWIDE, 185 GLOBAL COMPANIES: CEB’S RISKCLARITY SURVEY

RiskClarityEmployee Survey and Scale

Multiple IndustriesParticipating companies represent the following industries: Energy, Drilling and Gas, Insurance, Pharmaceuticals and Medical Supplies, Financial Services, Non-Profi t, Professional Services, Retail, Construction and Building Materials, Manufacturing, Food Services, Chemical, and Consumer Product Goods.

Global CoverageRespondents work in more than 115 countries across North America, Europe, Asia, the Pacifi c Rim, and Latin America.

All Employee LevelsEmployees at all levels, from the CEO and senior management to middle management and frontline employees.

All Business FunctionsRespondents represent all business functions, including Finance, Sales, Marketing, Information Technology, Call Centers, Human Resources, and Manufacturing.

Key Demographics of Survey Participants to Date

1 3

2 4

Survey StatementsStrongly

Agree AgreeSlightly Agree Neither

Slightly Disagree Disagree

Strongly Disagree

I can report unethical behavior or practices without fear of retaliation.

My company responds quickly and consistently to verifi ed or proven unethical behavior.

I am often exposed to situations that could lead to inappropriate conduct.

Note: All questions were coded or recorded in such a way to directionally be on the same scale.


�39

1 The 18 questions of the integrity index are scored on a seven-point scale from 1 (weakest value) to 7 (strongest value) and collectively serve as a proxy for the cultural health of organizations.

DECONSTRUCTING THE COMPONENTS OF INTEGRITY

The RiskClarity Survey Analyzes the Strength of Key Attributes That Impact a Culture of Integrity

INTEGRITY INDEX�1

Clarity of Expectations

Comfort Speaking Up

Openness of Communication

Trust in Colleagues�

Organizational Justice

Direct Manager Leadership

Tone at the Top


�40

IMPROVING CULTURE REDUCES MISCONDUCT

Distribution of Employees By Overall Perception of CulturePercentage of Respondents in Each Category and Their Corresponding Observation/Reporting Rates

n = 180,548 from 2010.

1 Percentage of employees within category who observed misconduct in past year.2 Percentage of employees within category who responded “Don’t Know” when asked if they had observed misconduct over the past year.3 Percentage of employees within category who reported the misconduct they observed.

9.6% 22.6% 63.0%

"I Saw Misconduct"�1 61.3% 33.7% 16.5% 7.4%

“I Don’t Know if I Saw Misconduct”�2

22.1% 30.3% 21.8% 8.0%

”I Reported What I Saw”�3

47.2% 46.5% 53.3% 73.8%

4.8%

Least Favorable

Neutral

Moderately Favorable

Most Favorable


�41

FINDING RISKS IN BUSINESS UNITS

Impact of Culture on Misconduct and Reporting RatesFindings from Alpha Company1

Highest Integrity Business Unit

Management

Integrity Index = 6.21

Observation Rate = 7%

Reporting Rate = 75%

Non-ManagementIntegrity Index = 5.82



Lowest Integrity Business Unit

Management




Non-ManagementIntegrity Index = 5.15



Company-Level ResultsActual RiskClarity Data




17 Business Units

1 Pseudonym.


�42

UNDERSTANDING THE CULTURAL COMPONENTS OF RISK

Year One ■ Establish a Baseline

Launch survey to establish a baseline measure of corporate culture

■ Deploy Enterprise-Wide CommunicationsCommunicate survey results to employee base, emphasizing organizational commitment to values

Year Two ■ Analyze Survey Results at Multiple Levels

Analyze cultural results at di� erent organizational levels to highlight specifi c areas of potential ethical risks

■ Conduct Cultural AuditsPerform cultural audits at low scoring business units to validate survey fi ndings and uncover the hidden cultural dynamics

■ Integrate Cultural Measures into Risk AssessmentsIntegrate business unit specifi c cultural information into quarterly risk reports

Testing Corporate Culture Developing Culture Mitigation Plans

Functional Area 1

Functional Area 2

CEO

Division 1 Division 2

Business Unit A—Senior

Management

Business Unit B—Senior

Management

Business Unit C—Senior

Management

Centene tests culture at di� erent organizational levels, highlighting specifi c areas of potential ethical risk.

RiskClarity Tests

■ Employee Comfort Speaking Up

■ Organizational Justice

■ Trust in Colleagues

■ Direct Manager Leadership

■ Tone at the Top

■ Openness of Communications

■ Clarity of Expectations


�43

YEAR 2: CONDUCTING LOCAL CULTURAL AUDITS

Cultural Audit Process Map

Identify In-Scope Business Units

for Cultural Audit

Hold Key Stakeholder Discussions

Conduct Focus Groups and Interviews

Create Corrective Action Plan

The four lowest-scoring business units receive a compliance-led cultural audit.

The Ethics and Compliance O� cer interviews business unit leaders to discuss the local cultural audit and the business context to understand if the low score presents a signifi cant risk.

Compliance leads focus group sessions with senior, mid-level, and line employees to better understand the local cultural dynamic.

A corrective action plan is created and owned by the business, supported by compliance, and tracked across the year.

Key Focus Group Questions

1. Have you observed misconduct?

2. Do you believe that senior management shares the appropriate amount of information with employees?

3. Do you believe the culture encourages open and honest communication?

4. Do you understand the company’s expectations for behavior and disciplinary guidelines?

5. Do you feel comfortable reporting concerns to your direct supervisor without fear of retaliation?


�44

1 Remaining risk exposure is calculated as (risk severity × risk likelihood) × (1 – level of control).

INTEGRATING CULTURE INTO RISK ASSESSMENTSMonthly Risk Assessments for Business Unit A

Legal Risk Risk LikelihoodScale:

10 = High Risk1 = Low Risk

Risk SeverityScale:

10 = High Risk1 = Low Risk

Level of ControlScale:

100% = E� ective Control 0% = Ine� ective Control

Remaining Risk Exposure�1

Competition Law 4.0 10.0 60% 16

Contract Compliance 8.0 7.0 95% 3

Fraud 4.0 6.0 50% 12

Privacy Laws 8.0 5.0 40% 24

Corporate Culture: ■ Serves as a mitigating control supporting integrity in business practice ■ Is a forward-looking indicator of misconduct ■ Improves prioritization of corrective action planning ■ Identifi es the root cause of underlying systemic compliance failures

RiskClarity results are one of several standard rating criteria (including policies, training, and controls testing) Centene uses to measure “Level of Control.”


�45

TAKE A QUICK PULSE OF MICROCULTURES

Tapping the Line

1. Hearing a True Voice—Tyco uses RiskClarity questions to gather readings on subculture concerns

2. Surfacing Outliers—As opposed to focus groups, polling ensures “group-think” will not infl uence individual responses

3. Teaching in the Moment—Aggregate responses are displayed in real-time, enabling spontaneous educative discussions about fl agged issues

Analysis of Firmwide Polling ResultsIllustrative

Internal and External Benchmarking

By polling using questions about comfort speaking up, perceptions of management, and training e� ectiveness, Tyco can tap into the local climate of individual factories, o� ces, and regions.

Do You Feel Comfortable Speaking Up?

Does Management

Have High Integrity?

Have You Heard of These

Regulations Before?

0

20

40

60

100

80

Tyco Plant A

Tyco Company Mean

Average Across Tyco Subsidiary

Tyco’s Polling SessionIllustrative


�46

SMALL DIFFERENCES, BIG CONSEQUENCESIn

teg

rity

Ind

ex S

core

Individual Company Score

Relative to Employees at Top Quartile Companies, Employees at Bottom Quartile Companies Are…1.6 times as likely to observe misconduct.

Two times as likely to observe HR–related misconduct.

Three times as likely to observe misconduct in high-risk compliance areas such as confl icts of interest or accounting irregularities.

Bottom Quartile (25th Percentile)

Top Quartile (75th Percentile)6.2

6.0

5.8

5.6

5.4

5.2

5.0

4.8


�47

HIGHER INTEGRITY, STRONGER LONG-TERM TOTAL SHAREHOLDER RETURNS

Average 10-Year Total Shareholder Return for Bottom and Top Quartile of 48 Companies

Top Quartile of RiskClarity Integrity Index

Bottom Quartile of RiskClarity Integrity Index

Correlation (r) = 0.58Signifi cance level of Correlation: P-value < 0.01

n = 48.

Culture as Competitive Advantage?

While promoting a culture of integrity may not always be a high corporate priority, failure to properly engage with employees represents a strategic (as well as compliance) risk that threatens long-term competitive advantage.

(7.4%)

8.8%


�48











�49

WHY IS THIS SO HARD FOR ME?

Greatest Barrier to Achieving Program SuccessPercentage of Respondents Selecting as Greatest Barrier, 2010

n = 157.

Compliance and Ethics Resources

Corporate Culture

Poor Information

Sharing

Ambiguous Regulatory

Expectations

Mismatch of Skills and

Needs

Technology Constraints

Lack of Useful Performance

Metrics

Other

32%

��%

��%

�% �%�% 3%

��%

32%


�50

HOW ARE C&E TEAMS STRUCTURING TO MANAGE RISKS IN NEW MARKETS? PART 1: EMBEDDING

Percent of Compliance and Ethics Full-Time Employees Embedded in the Business

n = 134.

56%C&E Employees Embedded in the Business

44%C&E Employees in the

Corporate Center

Source: CELC’s 2012 State of the Compliance and Ethics Function Survey Results.


�51

HOW ARE C&E TEAMS STRUCTURING TO MANAGE RISKS IN NEW MARKETS? PART 2: LIAISONS

Use of Part-Time Compliance and Ethics Liaisons 2012

n = 231.

57%Yes

43%No

Source: CELC’s 2012 State of the Compliance and Ethics Function Survey Results.


�52

Source: CELC’s Global Compliance Program Management Forum.

OF INTEREST TO CELC MEMBERS: ARE YOU ROTATING YOUR LIAISONS? HOW OFTEN?

“The term is 18 months, a� ording others the opportunity to grow in this role and growing the number of employees who have had exposure to this area.”

Anonymous

“We do not have a formalized network of ethics liaisons, but it is part of role responsibilities embedded in our Employee Relations roles. The individuals in those roles may rotate every 2–3 years, and the responsibilities are assumed by their successors.”

Anonymous

“My company does use liaisons in other business units to help with the compliance e� ort, which is a role over and above their day-to-day operational responsibilities. We do not have a set time period for people in these roles. However, there is some movement due to people taking other jobs in the company.”

Ethics and Compliance Manager

“Our analysis shows that due to changing job responsibilities as people move through our company, there is a natural time limit for most of our Ethics and Compliance Manager (ECM) positions of about two to three years. Former ECM are excellent champions for our Ethics and Compliance Program. We are considering whether to include ECM ‘alumni’ in our ECM updates.”

Associate General Counsel, Manufacturing


�53

CELC MEMBER PERSPECTIVE: ROLES OF CORPORATE COMPLIANCE COMMITTEE AND REGIONAL COMPLIANCE COMMITTEES

Percentage Ranked by Respondents as Top Role

1. Oversee implementation of compliance initiatives (41%)

2. Identify areas of potential risk (22%)

3. Review allegations and monitor investigations (13%)

4. Review company policies and procedures (11%)

5. Monitor compliance with policies and procedures (9%)


�54

CELC MEMBER PERSPECTIVE: CORPORATE COMPLIANCE COMMITTEE MEMBERSHIP

Who Are the Members of Your Corporate Compliance Committee (Check All That Apply)?

��

��

��

��

General Counsel

Head of HR

Head of Internal Audit

Business Unit

Leaders

CFO CEO CRO COO Head of Sales

Other


�55

REGIONAL COMPLIANCE COMMITTEE SEMI-ANNUAL REPORT CHECKLIST: MOTOROLA’S APPROACH


�56











�57

RISK MANAGEMENT INEFFECTIVE IN EMERGING MARKETS

Legal and Compliance Department Ranking of Ability to Manage Risk, by RegionPercentage Ranking as Ine� ective, GCR Legal Risk Diagnostic, 2010

n = 112.

North America

Western Europe

Eastern Europe

Central America

South America

Asia-Pacifi c

Africa Middle East

Five to seven times more legal and compliance departments report being ine� ective in these regions than in North America

��

��

��

��

��


�58

CURRENT STATE OF LOCAL COMPLIANCE OVERSIGHT

How Often Does Compliance/Internal Audit Assess Compliance in Emerging Markets? Percentage of Respondents, CELC Pre-Meeting Survey, 2010

Do You Require Local Business Self-Assessments of Compliance and Ethics E� ectiveness? Percentage of Respondents, CELC Pre-Meeting Survey, 2010

Depends Upon Local Risk Level

AnnuallyQuarterly OtherEvery OtherYear

Semi Annually

n = 25.

No Yes, Annually Yes, QuarterlyYes, Less Frequently

Than Annually

Other

n = 25.

��

��

��

��

��

��

��

��

�59


FACILITATE BUSINESS SELF-ASSESSMENTS

OVERVIEW

To help the business meet its compliance and ethics obligations, Intel’s corporate Ethics and Compliance Program O� ce ensures implementation of oversight and operational execution, including providing the necessary tools and guidance for business partners to e� ectively monitor and improve their compliance and ethics processes.

KEY INSIGHTS

1. Enable the Business-Led Assessment Process—Provide the business with a framework and tools to help it gauge the e� ectiveness of local ethics and compliance initiatives in mitigating local internal and external risks.

2. Review and Improve Business Mitigation Plans—Create opportunities for corporate review of business self-assessments to deliver constructive feedback to the business while creating visibility into the state of the local ethics and compliance program and reinforcing senior management commitment to ethics and compliance.

3. Advance Business Goals Through E� ective Risk Management—Demonstrate the long-term business value of identifying and correcting compliance and ethics risks by tying compliance and ethics improvement to overall business performance.

COMPANY SNAPSHOT

IntelIndustry: Technology2009 Sales: US$35 Billion2009 Employees: 79,800


�60

REPORTING ON LOCAL RISK MANAGEMENT

Intel’s Ethics and Compliance Program

Comprehensive Risk Assessment Review

Business groups, which range from entire business lines to country-specifi c operations, prepare for the review using a self-assessment questionnaire to identify local risks and proactively address potential gaps.

Delivering fi ndings in-person to the ECOC enhances corporate visibility into local conditions, fosters dialogue between the business and senior leaders from across the company, and reinforces senior management commitment to compliance and ethics.

Review Topics1. Internal and External Environment

2. Compliance, Controls, Ethics, and Code of Conduct

3. Periodic Risk Assessment Results

4. Business Continuity Plans

5. Review Process Feedback and Learning

Selected Program Components

■ Tone from the CEO

■ Code of Conduct

■ Ethics Training and Communications

■ Ethics and Compliance Oversight Committee (ECOC)1

■ Business-Led Risk Assessments – Periodic Risk Assessments

– Comprehensive Risk Assessment Review

■ Ethics and Compliance Business Champions

■ Ethics and Compliance Advocates

■ Reporting Mechanisms

■ Annual Employee Survey

1 The ECOC reports to the Audit Committee of the Board and is co-chaired by the VP and Director of Corporate Legal and Director of Internal Audit. Other members include Vice-Presidents or Directors of Legal Compliance, Finance, HR, HR Legal, Technology and Manufacturing, Architecture (Platforms and Products), Sales and Marketing; and the Directors of IT, Corporate A� airs, and EH&S.


�61

Feedback and Learning

Internal and External Environment

GAUGING BUSINESS OWNERSHIP OF COMPLIANCE AND ETHICS

Intel’s Self-Assessment Questionnaire (Excerpt)

1 Ethics and Compliance Business Champions—Business or functional leaders in each business group responsible for advocating for and monitoring ethics and compliance within their groups.

Periodic Risk Assessment

Business Continuity1. How often does the business review business continuity plans to ensure they are current with

respect to peer audits, integrated drills, and other related activities?

Compliance, Controls, Ethics, and Code of Conduct

Section B. Responsibility and Structure Questions

1. What framework does the business have in place for the Ethics and Compliance (E&C) program? What are the local E&C roles and responsibilities?

2. How does senior management visibly support this initiative? To what extent do they visibly participate in, lead or support E&C discussions and activities?

3. How does senior management ensure that the local E&C Business Champion has the support and resources needed to carry out E&C activities?

4. How is the business ensuring and monitoring that managers (senior through fi rst line) send consistent tone? How are managers reviewing and sharing case studies and specifi c compliance topics with their sta� ?

5. To what extent is ethics and compliance embedded in business performance dashboards and management objectives, with ownership for delivery by line management? Is E&C embedded into performance expectations?

Promoting Culture

Open-ended questions focus on ascertaining management’s role in promoting and supporting a culture that drives sustainability of E&C initiatives.

Promoting Business Success

Including questions about business continuity in the self-assessment helps assess business management objectives and compliance and ethics goals in the same exercise.


�62

TESTING LOCAL SELF-ASSESSMENTS

Overview of the Comprehensive Risk Assessment Review

Providing Feedback and Taking Action

■ The ECOC meets after the presentation to discuss fi ndings and make formal recommendations or pose additional questions to the business.

■ Business groups draft action plans and send these to the Manager of the Ethics and Compliance Program for fi nal approval.

■ On a case-by-case basis, some business groups may be required to provide additional updates or make subsequent presentations to the ECOC.

3Delivering Findings in Person

■ The General Manager of each group delivers a two-hour presentation; other business managers and business champions also participate.

■ During the presentation, the ECOC fosters open dialogue and focuses the discussion on any identifi ed compliance and ethics gaps and proposed mitigation steps.

2Preparing for the Presentation

■ Business groups prepare for the presentation 4–5 months in advance, using self-assessment results to build PowerPoint slides.

■ Each group is assigned an Audit Manager and ECOC Sponsor (a senior leader who sits on the ECOC) to answer questions and facilitate the review process

■ The ECOC identifi es specifi c areas of concern in each business group and prepares probing questions for the review.

1

�63


ASSESSING GLOBAL PROGRAM EFFECTIVENESS

OVERVIEW

Through location-based program self-assessments, Amalfi Company compares regional performances to identify lagging business units and ensure the adequacy of its overseas compliance program.

KEY CONCEPTS

1. Conduct Monitoring at a Granular Level to Raise Performance Levels—Monitor individual locations to test whether the compliance and ethics program is e ectively deployed across the far corners of the organization and ensure that lagging locations quickly improve to operate at the level of their highest performing peers.

2. Adopt Consistent Program Evaluation Standards to Enable Cross-Company Comparison—Establish consistent objectives and minimum expectations for program evaluations to enable meaningful comparison across business locations and identify performance laggards.

COMPANY SNAPSHOT

Amalfi Company�

Industry: Manufacturing

2009 Revenue: US$10–20 Billion

2009 Employees: More than 50,000

1 Pseudonym.

1


�64

1 Pseudonym.

ACHIEVING GREATER COMFORT

Key Components of Annual Compliance and Ethics Program Review at Location-Level

I. Location-Based Program Assessment

II. Consistent and Explicit Standards

III. Compliance Risk Identifi cation

Locations

Business Units

Objectives Minimum Expectations Tests

1. Program Deployment

2. Management Commitment

3. Employee Understanding

Compliance and Ethics Program Self-Assessment Score Review

Business Unit A

Satisfactory Scores Across Locations

Business Unit B

Non-Satisfactory Scores Across Locations

Business Unit C

Excellent Scores Across Locations

Key Attributes ■ Detailed assessments help to validate whether program e� orts reach the lower levels of the organization and whether local management embraces a culture of compliance and ethics

■ Granular assessment scope helps to identify systemic business unit risks or emerging enterprise-wide weaknesses that may have been missed in a broader review

Key Attributes ■ Adoption of consistent program objectives and minimum expectations to ensure appropriate deployment of compliance and ethics programs across locations and to enable meaningful comparisons against a uniform standard

Key Attributes ■ Use of compliance and ethics program audit results to highlight meaningful trends or emerging risks across a business unit or region, that warrant senior management attention and response

1


65

1 Pseudonym.

Mandatory Self-Assessment Audit ProgramCoverage of 500 Locations, Illustrative

Key Learnings from Location-Level Program Assessments

REACHING THE COMPANY’S FAR CORNERS

Key Attributes

■ Self-assessment of major functional areas performed by local audit sta� , with assistance from corporate audit

■ Action plans determined by local self-assessors: follow-up action for priority gaps approved by corporate audit

■ Audits cover typically 40% of total locations each year

Compliance and Ethics Program Self-

Assessment Objectives

Has the program been fully deployed? Is management committed to the program? Do employees understand the program?

Annual Self-Assessment Audit Program

Areas Reviewed

Number of Audit Objectives

Finance 30

IT 20

Environment 15

Procurement 5

Compliance and Ethics

3

Brazil Operations: Self-Assessment Audit Program

Location assessment unearths whether employees at the local factory-level understand their basic compliance and ethics obligations and have access to resources to gain further awareness.

Employee Understanding of the Program

Criteria Knowledge of Compliance Requirements Familiarity with Code of Conduct Awareness of Helpline

3

Commitment to Culture of Compliance

Location assessment helps to demonstrate whether the next generation of company leaders (current location managers) proactively encourages a culture of compliance in their actions and communications.

2

2010 Initiatives ■ Compliance Bulletins ■ Compliance 101 for

New Employees ■ Web-Based Ethics

Training

Deployment of Corporate Initiatives at Location Level

Location assessment identifi es whether corporate compliance and ethics initiatives actually are implemented at the company’s operational level.

1

1


�66

Self-Assessment Objectives

Minimum Expectations to Meet Objective

Standard Tests to Demonstrate Minimum Expectations (Selected)

I. Has the program been fully deployed at this location?

1. Provision of recurring ethics training2. Provision of compliance and ethics

materials to new sta� 3. Existence of e� ective issue escalation

and reporting mechanisms4. Dedicated location ethics and

compliance liaison

Program Deployment Checks

II. Does local management demonstrate an active commitment to the program?

1. Full adherence with anticorruption policy

2. Full disclosure of any confl ictof interest

3. Active encouragement of compliance and ethics mandate across location

Location Management InterviewIn-depth interviews with top-four location managers to evaluate possible confl icts of interest, knowledge of policy violations, and proactivity in encouraging ethical and compliant behavior across location

III. Do local employees understand the program?

1. All sta� is trained on code of conduct2. Compliance and ethics posters are

visible throughout all locations3. All sta� participated in recent ethics

training session

On-Site Inspection of All Factoriesand Facilities

Program Elements

■ Communications ■ Risk Assessment ■ Training ■ Reporting

Key Tests

Are compliance and ethics materials distributed to all factory fl oors? Is new sta� educated on code of conduct? Do factory workers certify code of conduct?

Evidence Needed

Percentage of sta� trained Existence of compliance liaison position Code of conduct certifi ed by percentage of sta� Awareness levels of help line call system

1 Pseudonym.

COMPARING APPLES TO APPLES

Annual Compliance and Ethics Program Self-Assessment at Business Location LevelIllustrative

1


�67

FINDING OUTLIERS

Program Self-Assessment Score Reporting to Corporate ManagementQuarterly Compliance Council Meeting, Illustrative

Quarterly Compliance Council Meeting

Breakdown of Self-Assessment Scoresby Business Locations

CCO

CEO

GC

CFO

Compliance and Ethics Self-Assessment Scores by Business Unit

Self-Assessment Scores(1 = Poor, 5 = Excellent)

ObjectiveLocation 1 Score

Location 2 Score

Location 3 Score

Has the program been fully deployed?

3 3 2

Is management committed to the program?

1 2 1

Do employees understand the program?

4 3 1

Compliance and Ethics Program Self-Assessment Score Review

Business Unit A

Satisfactory Scores Across Locations

Business Unit B

Non-Satisfactory Scores Across Some Locations

Business Unit C

Excellent Scores Across Locations

1 Pseudonym.


�68

FOCUSING INTERNAL AUDIT RESOURCES

Source: CEB, Audit Director Roundtable, 2012.

Extensive Internal Audit Review

Internal Audit leverages the intelligence gathered by peer reviewers to perform a more in-depth audit.

Extensive Audit CharacteristicsIncreased FrequencyYearly audits on high risk unitsLonger Engagement DurationMore extensive sampling and testing on prevent-and-detect controlsFocus on Vulnerable AreasBalance Sheet, Cash Cycles, Sales, Purchasing/Inventory Management

5

Produce Peer Report

The peer report drives fraud risk awareness of Audit sta� and clients by identifying areas of potential concern and capturing the unique context of the business unit.Sample Peer ReportCtrl. No.

Control Statement Status Recommendation Response

A-1 Tat. Ut lore dolorer senim accum dolortin vel ulputem nulputpatem inim qui essim autpat ad doloborem ero etue dionse modoloborper sum zzriliq uatuerit.

Tat. Ut lore dolorer senim accum dolortin vel ulputem nulputpatem inim qui essim autpat ad doloborem ero etue dionse modoloborper sum zzriliq uatuerit.



A-5 Tat. Ut lore dolorer senim accum dolortin vel ulputem nulputpatem inim qui essim autpat ad doloborem ero etue dionse modoloborper sum zzriliq uatuerit.




4 Perform Peer Review

Peer review engagements are intended to identify potential control exceptions, evaluate business process e� ciencies, and assess the control environment.

Peer Review CharacteristicsFlexible Test Program Includes fraud testing; program provides suggested steps only and reviewer can change scopeConsultative EngagementNon-policing nature facilitates auditee transparency and receptiveness

3

Identify Peer Reviewer

Internal Audit relies upon specially selected local peer reviewers to more e� ectively gain visibility into local operations in advanceof auditsPeer Reviewer CharacteristicsBusiness Familiarity: Operates similar processes as auditee and understands KPIsCultural Familiarity: Familiar with or from regionIndependence: Does not have a working relationship with auditeeControls Expertise: Frequently has an audit background

2

Target High Risk Units

Cookson considers several factors to identify the business units for special review.

1

Fraud Risk Factors ■ Smaller remote business unit

■ Receives less management attention

■ High risk country

■ Unit not in central ERP system

■ Unique business practices

■ Unit manages its own cash


�69

PARTNER TO MONITOR HIGH-RISK LOCATIONS

Key Benefi ts ■ Having two representatives from corporate instead of one brings new perspectives to the table and helps generate

potential solutions in real-time. ■ Joint audits provide more action-oriented advice, helping local functional heads implement solutions more rapidly.

Duplication of Audit Work Across Functions Joint Audits of Local Units

Source: CEB, General Counsel Roundtable, 2012.

Local PlantManager

Corporate LegalRepresentative

Health and SafetyRepresentative

“Yes, here’s thechecklist I created.”

Initial Questions“Do we have a process in place to comply with this regulation? Is itdocumented?”

Legal and Compliance Follow-Up“It looks like we’re misinterpreting these guidelines, we can actually need to change our process a bit to protect the company from liability.”

Legal Risk Assessment: ThailandMake sure the business is complying with all new local regulations.

Health and Safety Quality Control Checks: ThailandEnsure quality control at all manufacturing sites.

1

2


�70

BUILDING CROSS-REGIONAL COMPLIANCE NETWORKS

Council Implementation GuidanceSelected Member Approaches

Questions for Discussion ■ Are compliance and ethics sta� at my company, including functional partners and ethics liaisons, communicating e� ectively with

each other?

■ How can I leverage existing activities (e.g., quarterly management meetings) to improve knowledge-sharing between compliance sta� and other assurance functions? How do I know when I need to add compliance sta� in emerging market locations?

■ What can I do at the corporate o ce to facilitate the e� ectiveness of knowledge networks? Are there any compliance and ethics issues that shouldn’t be shared across these networks?

Compliance Leadership ForumDell’s Compliance Leadership Forum is a group of compliance program subject matter experts who meet quarterly to identify critical risk domains and help set priorities. They also collaborate with Legal, Procurement, and Audit partners to collect compliance materials, policies, and programs that already exist.

1. Utilize Local Information Sources—Solicit risk information from subject matter experts in emerging markets who already handle compliance duties.

2. Include Other Stakeholders—Add representatives from the business and other functions to cross-regional compliance and ethics committees and discussions, especially if there are no compliance sta� in-country.

Online Communities of PracticeEni’s online Communities of Practice connect the legal department, spread across 30 countries. Community members actively discuss new ideas, work on companywide problems, and respond to help requests from colleagues across the globe.

3. Improve Cultural Awareness—Build an understanding of local cultural norms and business customs in compliance and legal team members.

4. Facilitate Collaboration—Leverage technology—including shared work spaces and video conferencing—to maximize coordination and communication across geographies and time zone di� erences.


�71










�72


CULTURAL FRAMEWORK FOR DRIVING ETHICAL BEHAVIORS

OVERVIEW

Realizing that employees often view corporate values—and accompanying ethical guidelines—as lofty and abstract, Wal-Mart disaggregates its corporate values into 26 “plain language” topics that are easily understood by ordinary employees. Each topic explains one aspect of the company’s values in simple words, addresses specifi c workplace behaviors, and sets clear expectations for employees. Ethics-based topics blend in with those unrelated to ethics, and therefore appear as an integral part of the corporate culture. To reinforce the topics and underlying behaviors in employees’ daily activities, Wal-Mart China uses a stage-gated training process, values-based business policies, proactive coaching and modeling by senior leaders, and a variety of culture promotion programs.

KEY INSIGHTS

1. Translate Corporate Values into Employee-Friendly Terms—To be locally meaningful, corporate values should be articulated as a series of actionable goals to which individual employees, at their location, can reasonably aspire.

2. Integrate Ethics into Business Messaging—Business ethics and integrity works best not as separate messages, but as part of how business is conducted. Make ethics an integrated component of all operation and strategy-focused employee sessions.

3. Consider the Impact of Collective Pressures—To address the collective work pressures that increase the likelihood of misconduct in a given location, conduct discussion-based ethics refresher courses which focus on the behaviors that alleviate pressure and prevent misconduct.

4. Devolve Ethics Responsibility to Local Employees—To foster a problem-solving culture where local employees and management proactively address ethical issues, create opportunities for employees to discuss critical behaviors in an open environment that encourages discussion.

COMPANY SNAPSHOT

Wal-MartIndustry: Retail

2008 Employees: 86,000 (Mainland China)


�73

MAKING CORPORATE VALUES MEANINGFUL FOR EVERYONE

Foundation of Wal-Mart Culture

Three Basic Beliefs

Integrity

■ Respect for the Individual

■ Service to Our Customers

■ Strive for Excellence

■ “What do these concepts mean to our associates�1 in their daily work?”

■ “How do we deliver our values to customers, associates, vendors, and the community on a day-to-day basis?”

1. “Sundown Rule”2. Open Communication3. Servant Leadership4. Empowerment5. Teamwork6. Grass Roots7. Open Door Policy8. Associate Ownership9. People Development10. Confi dentiality11. “Ten Foot Rule”12. Aggressive Hospitality13. Friendly Atmosphere14. Pleasant Shopping Experience15. Everyday Low Price16. Sense of Urgency17. Quality Always18. Community Minded19. Satisfaction Guaranteed20. Continuous Improvement21. Result Oriented22. Integrity Always23. Competitive Spirit24. Failure Allowance25. Risk-Taking Encouraged26. Expense Control

Wal-Mart’s 26 Cultural Topics

1 Wal-Mart refers to its employees as “associates.”

Source: CEB,Asia HR Executive Board, 2012.Wal-Mart copyright. All rights reserved.

Other Stakeholders

Corporate Leaders

HR


�74

Integrity Always: Honesty Is the Best PolicyIntegrity is a cornerstone of the Wal-Mart culture. All of us must have it in all our business dealings as well as our personal lives. At Wal-Mart, we do not make excuses for our mistakes. We take responsibility and learn, so that we do not make the same mistakes again.

Confi dentiality: Keep It Under Your Hat!All confi dential or sensitive information pertaining to the Company should not be disclosed to persons that are not Wal-Mart associates. If you are unsure whether any information that you have is confi dential in nature, you should assume that it is confi dential and take measures to guard that information.

PROMOTING (AND CLARIFYING) ETHICAL BEHAVIOR AS A VALUE

Training Material: 26 Cultural Topics (Excerpt)Wal-Mart China

Wal-Mart copyright. All rights reserved.

Topics on Ethics ■ Explain in simple terms. ■ Set clear expectations for employees. ■ Refer to specifi c behaviors.

Wal-Mart copyright. All rights reserved.Wal-Mart copyright. All rights reserved.

Source: CEB, Asia HR Executive Board, 2012.


�75

BUILDING AN INFRASTRUCTURE TO INFLUENCE BEHAVIORS

1 Wal-Mart refers to its employees as “associates.”

Source: CEB, Asia HR Executive Board, 2012.

Corporate Culture Support ChannelsWal-Mart China

Practice Snapshots

POLICY Monitoring and Enforcement

■ Open Door Policy

■

■ Ethics Violation Hotline and Mailbox

■ “Statement of Ethics”

CULTURE PROMOTION PROGRAMS Ongoing Awareness and Participation

■ “Integrity Star” Award

■ Award for Ethical Courage

■ Integrity-Themed Community Services

■ Integrity-Themed Company Festival (“Integrity Quarter”)

EDUCATION Learning and Absorption

■ 1 Orientation Training

■ Cultural and Ethics E-Learning Modules

■ New Associates Cultural Training

■ Integrity Management Training

LINK CONCEPTS WITH BEHAVIORSGoal: To help employees internalize the company’s values and convert theory into action.Solution:session in which they do the following:

1. Review the corporate values and cultural topics learned during orientation training.2. Share observations on how corporate values and culture have shown up in their work

experience so far.3. Create individual action plans on incorporating cultural and ethical behaviors into daily work.

EXPLAIN ETHICS IN THE BUSINESS CONTEXTGoal: To ensure associates understand what “integrity” entails in Wal-Mart’s business transactions and work environment.Solution: The “Statement of Ethics” code explains to employees the company’s relationships with

the individual.1. “Integrity” in Business

■ Impartial Competition ■ Fraud Prohibition ■ Integrity Financing ■ Anti-Insider Trading ■ No Trade Restriction

TRANSFORM MANAGERS INTO ETHICS STEWARDSGoal: To equip managers with knowledge and skills to recognize misconduct and promote ethical behaviors among direct reports.Solution:

1. Learning Agenda ■ Internal Challenges to Integrity Management ■ External Challenges to Integrity Management ■ Skills of Integrity Management

– Understanding Laws, Regulations, and Corporate Policies – Violation Risk Analysis – Integrity Leadership


�76

A LOCAL TRAINING FORCE

Train the Trainer Program for Anticorruption and Antibribery PolicyTyco International

321

Main Features

■ Half-day training session to make local managers part-time compliance coaches

■ Led by Chief Compliance Counsel

■ Participants include managers selected from legal, human resources, and local business operations, with specifi c language expertise

Classroom Management

■ Managers are instructed in facilitating thoughtful discussion rather than lecturing to employees

Understanding the Substance of the Policy

■ Managers gain knowledge of policy

Dress-Rehearsal

■ Given di� culty of training delivery and start-up, managers practice their opening with colleagues


�77

PENETRATING LOCAL CULTURES

Key Strategies Used in Delivering Anticorruption and Antibribery Training RegionallyTyco International

Training Linked to Local Laws and Perceptions

■ Make content less US–centric by including anticorruption laws and regulations from region

■ Share business community’s perceptions about corruption levels within the region

Training Content Standardized, but Delivery Made Flexible

■ In China, to get employees more engaged, the trainer uses an audience response system

■ In India, due to desire by employees for much discussion, training sessions for employees included extra time for Q & A

■ Training provided to audiences in local language

Discussion Focused on Actual Experiences

■ Invite managers to share stories of ethical courage and dilemmas

■ Provides deeper understanding of real life situations

■ Strengthens culture of “doing the right thing”

Elicit Discussion of Alternative Business Practices

■ Introduce policy tools, such as the anticorruption matrix and the FAQ document, to begin discussion of alternatives to longstanding, sometimes illegal, practices

4

3

2

1


�78

MOVING BEYOND CALENDAR-BASED OUTREACH

Timing of Compliance and Ethics TrainingIllustrative

Ro

le-C

hang

e Tr

aini

ngTr

adit

iona

l Tra

inin

g

Drawbacks of Traditional Approach

■ Unaddressed Risks: Employees are not always prepared for new risks they may face.

■ Unclear Compliance and Ethics Expectations: Employees may lack awareness about what conduct is expected of them.

Advantages of Role-Change Approach

■ Increased Employee Receptivity: Employees will be more receptive to training messages if they receive them soon after a role change.

■ Greater Applicability: In-the-moment training better addresses changes in employees’ risk profi les, increasing applicability.

Employee A Changes Job

Function

Employee A Changes Job

Function

Employee B Is Promoted

Employee B Becomes a Manager

Employee C Relocates to High-

Risk Country

Employee C Moves to New

Geography

Employee A Receives Training

Employee B Receives Training

Employee C Receives Training

Quarter 2 Quarter 3 Quarter 4 Quarter 1

Annual Online

Training Deployment

Nine-month gap until next training

Six-month gap until next training

Three-month gap


�79

1. Identifying High-Risk Employee Training Needs

Potential Risk: With a Corruption Perceptions Index (CPI) score of less than fi ve, Mexico meets Johnson Controls’ objective defi nition of a high-risk country.

HR System: Sends an alert to Compliance LMS, as well as Human Resources and Compliance contacts in Mexico.

Timeline: Alert sent within 24 hours of employee’s move.

DELIVERING ADDITIONAL TRAINING WHEN NEEDED

Illustrative Case in Point: Employee Moves from the United States to Mexico

Key Benefi ts ■ Timely Training Delivery: The system ensures employees receive relevant training in a timely manner

and therefore always stay current on training. ■ Global Reach: The global nature of the system ensures all employees can be tracked and targeted across the enterprise. ■ Ongoing Visibility: E� cient sharing of data between the HR and LMS systems provides corporate compliance

and local management updated information about employee training needs and completion rates.

2. Delivering In-Country Guidance

LMS: Sends an e-mail to employee notifying him or her of online training requirements, if employee’s responsibilities also change.

Local Compliance Contact: Sets up a one-on-one meeting with employee to discuss country and region-specifi c risks. Typical discussion topics cover:

– Navigating local regulations

– Working with local government o� cials

– Avoiding corruption exposure

Timeline: Local compliance contact typically meets with employee as quickly as possible, but not more than 90 days after employee’s move.

AB


�80

LOWER-RESOURCE OPTIONS FOR TARGETING ROLE CHANGES

Administer a Role-Change Survey Deploy a Training-Needs Questionnaire

On a quarterly basis, e-mail a three-question survey to employees with a recent change in their HR fi le (e.g., promotion, change in manager), inquiring about the nature of the change. Use responses to determine whether the change indicates a need for additional compliance and ethics training.

Embed a mandatory “Training Needs Questionnaire” at the end of the annual Code of Conduct training module to identify material compliance training and knowledge gaps that may have resulted from changes in employees’ roles.

1

1 Pseudonym.


�81


Program “Bones”Risk Identifi cation Compliance Oversight Outreach





For another day:

■ Managing Third-Party Risks in New, Emerging Markets ■ Measuring the Success of your E� orts


�82

HAVE QUESTIONS AFTER TODAY’S SESSION?

Contact CELC (part of the Legal and Compliance Practice of CEB)

E-Mail: [email protected]: 1-866-913-8103Web: www.celc.executiveboard.com www.executiveboard.com


compliance and ethics leadership council

Documents