The Compliance and Ethics Essentials Toolkit

Transcription

1 CEB Compliance and Ethics Leadership Council The Compliance and Ethics Essentials Toolkit Practical Resources to Accelerate the Development of Your Program Contact CEB to Learn More

2 A Framework for Member Conversations The mission of The Corporate Executive Board Company and its affiliates (CEB) is to unlock the potential of organizations and leaders by advancing the science and practice of management. When we bring leaders together, it is crucial that our discussions neither restrict competition nor improperly share inside information. All other conversations are welcomed and encouraged. Confidentiality and Intellectual Property These materials have been prepared by CEB for the exclusive and individual use of our member companies. These materials contain valuable confidential and proprietary information belonging to CEB and they may not be shared with any third party (including independent contractors and consultants) without the prior approval of CEB. CEB retains any and all intellectual property rights in these materials and requires retention of the copyright mark on all pages reproduced. Legal Caveat CEB is not able to guarantee the accuracy of the information or analysis contained in these materials. Furthermore, CEB is not engaged in rendering legal, accounting, or any other professional services. CEB specifically disclaims liability for any damages, claims or losses that may arise from a) any errors or omissions in these materials, whether caused by CEB or its sources, or b) reliance upon any recommendation made by CEB.

3 Boards, senior management, and regulators increasingly note the importance of demonstrably effective compliance and ethics. More Important Than Ever Change in Stakeholder Demand for Evidence of Effective Compliance in the Next Three Years Percentage of Key Company Stakeholders No Change New laws, increased enforcement, and heightened penalties highlight the increased importance of effective compliance and ethics programs. 8% 91% 22% 78% 29% 71% 32% 68% 35% 65% Increase n = 119. Regulators Audit Committee Business Partners Board Directors Senior Management Note: Totals may not equal 100% due to rounding. Source: PwC, The Results Are In. The PwC and Compliance Week 2012 State of Compliance Study, June 2012, Benefits of an Effective Compliance and Ethics Program Serves as a Mitigating Factor: Pronouncements and settlements by the Securities and Exchange Commission (SEC) and the US Department of Justice (DOJ) underscore the role of the compliance and ethics program in securing lenience from regulators in cases of misconduct. Reduces Financial Penalties: A properly implemented and maintained compliance program can reduce damages, settlements, fines, penalties, outside legal fees, and in-house counsel time. Improves Employee Productivity: Managers exhibiting corporate values can improve employee performance by 12%. Drives Performance: Companies with a higher culture of integrity have 10-year total shareholder returns (TSR) that are 16 percentage points higher than companies with low integrity scores. 3

4 Recent settlements and the amended federal sentencing guidelines provide critical guidance on the expected elements of a compliance and ethics program. understanding expectations Common Government Expectations 1 Program Imperatives Set Forth by the Federal Sentencing Guidelines Suggested Program Element 1. The organization s board actively oversees the program content and operation. Create (and Improve) Program Structure 2. Allocate program resources to highest risk activities. Determine Risk 3. Establish standards and procedures to prevent and detect criminal conduct. Establish Corporate Standards 4. Take reasonable steps to respond appropriately to the criminal conduct and prevent further similar criminal conduct. Create Investigation Procedures 5. Take reasonable steps to periodically educate an organization s members on the compliance program s standards and procedures. Deliver Training and Communications 6. Take reasonable steps to ensure the program is followed, including monitoring and auditing to detect criminal conduct, enforcing periodic evaluations, and creating a system for employees to anonymously seek guidance regarding potential criminal conduct. Assess Program Effectiveness and Establish Program Strategy Don t have just a paper [compliance and ethics] program. The biggest problem we see is lack of execution. US Department of Justice 7. Keep senior management and the board apprised of key risks and program performance. Report Results 1 There is a broad consensus in key compliance program elements as seen in the Federal Sentencing Guidelines, UK Bribery Act, recent DOJ Settlements, AS 3806, etc. 4

5 Improving Program Performance: Actionable Tools and Templates Key Elements of a Compliance and Ethics Program Create (and Improve) Program Structure Determine Risk Establish Corporate Standards Create Investigation Procedures Deliver Training and Communications Assess Program Effectiveness and Establish Program Strategy Report Results Representative Organizational Structures Functional Benchmarking Data Risk Assessment Tool Compliance Gap Interview Guides Policy Clearinghouse Code of Conduct Rollout Toolkit Investigations Management Toolkit Employee Reporting Protocols The Compliance and Ethics Message Generator Training Decision Support Center Program Assessment Tools Functional Efficiency Data Cultural Assessment, Benchmarking, and Related Services Board Presentation Builder Metrics Dashboard Tool Who We Are CEB Compliance and Ethics Leadership Council is the leading global network of compliance and ethics executives. We support more than 450 leading companies and thousands of compliance executives with our best practices, tools, templates, program assessment diagnostic and analytics, and advisory support. It is our mission to bring science and clarity to the compliance and ethics profession. Contact us at [email protected] for more information on how you can use our broad suite of tools and templates to build your compliance and ethics program. 5

6 Before addressing key program elements, compliance and ethics officers must take certain steps. Getting Started Compliance Readiness Checklist CEB Resource These steps include: Ensure adequate business support, Identify existing compliance activities, Determine program needs, and Establish a strategic program vision. Have you been in role for more than six months? Do you have a formal compliance and ethics program charter and defined program vision? Do you have senior executive and/or board support? Use our Managing the Transition guide to a compliance and ethics officer s first 100 days. Review our sample program charters and strategic roadmap. Use our business case presentations. Do you have a corporate compliance committee? Access our benchmarking and best practices for structuring and running corporate and regional committees. Have you implemented a helpline? Use our helpline implementation and management resources. Advisory Support Our advisory team supports member companies in the creation and development of a program. We ensure the appropriate program building blocks are in place and that companies assess existing compliance activities and the business context in which they exist to limit redundant, repetitive activities and properly define the scope and structure of the new program. Have you met your key functional partners? Have you identified critical compliance expectations in existing business processes? Review our best practices for cross-functional collaboration. Use our functional interview guides to identify key compliance processes and critical gaps. 6

7 From the COMPLIANCE AND ETHICS LEADERSHIP COUNCIL of the LEGAL AND COMPLIANCE PRACTICE The Corporate Executive Board Company. All Rights Reserved. Create (and Improve) Program Structure How We Help CEB resources, analytics, and advisory support help companies create an efficient, effective program structure that accounts for the scope and scale of distinct regulatory obligations, associated risks, organizational realities, and past compliance and ethics concerns. 1 Benchmark with Peers 2 Determine Appropriate Structure 3 Establish Roles and Responsibilities Staff and Reporting Lines Budget Allocation Compliance and Ethics Activity Ownership This statistic shows the This statistic shows This statistic shows th percentile value in the minimum value in the maximum value in a sample. a sample. a sample This statistic shows the This statistic shows the 25 median value in a sample. th percentile value in a sample. 60 All Respondents Revenue Brand Industry EMERGING ORGANIZATIONAL MODELS FOR COMPLIANCE AND ETHICS FUNCTIONS Model #1: Part of the Risk Key Attributes Chief Compliance and Ethics Compliance and Ethics is a component of the enterprise risk management function Frequent reporting and evaluation of exposure to compliance risk, less formal focus on ethics Compliance Directors directly oversee business unit compliance programs Corporate Compliance Manager CEO Chief Compliance Director, Regulatory Compliance Directors, Business Unit Compliance Model #2: Direct Reporting to the CEO Key Attributes Chief Compliance and Ethics Relatively large budget for companywide initiatives Compliance Directors directly oversee business unit compliance and ethics programs Business Unit Compliance CEO Chief Compliance Corporate Business Unit Compliance Model #3: Small, Within Legal Key Attributes Chief Compliance and Ethics Counsel Compliance and Ethics part of the legal department with limited discretionary budget Corporate Compliance Committee oversees compliance and ethics matters Part-time, business unit compliance and ethics liaisons provide interface with corporate compliance CEO General Counsel Chief Compliance Corporate Output: 12:32PM May Modified 12:29PM May Model #4: Within Legal and Decentralized Key Attributes Chief Compliance and Ethics Counsel Corporate Compliance and Ethics serves as an internal resource to the business units experts accountable for compliance CEO General Counsel Chief Compliance Corporate Compliance Manager Business Unit Compliance Compliance and Ethics Officer Compliance and Ethics Staff Job Descriptions Organized by Industry Food and Beverage Compliance and Ethics Manager A Defense Compliance and Ethics Manager B Ethics Training Administrator Risk and Compliance Officer Manager, Compliance Programs Technology Director Metals and Mining Global Compliance Training Specialist Energy and Utilities Principal Advisor, Compliance Senior Compliance Analyst Pharmaceuticals Financial Services Senior Director, Compliance Operations Deputy Compliance Officer Senior Director, Commercial Compliance Senior Counsel and Director, Ethics Policy Senior Director, Clinical Compliance and Governance Associate Director, Compliance Strategy, Compliance Resolution Managers Policy and Communications Commercial Compliance Leader, Field Senior Manager, Compliance Systems Senior Manager, Compliance Training and Communications Median Your Company s Value 9 Peer benchmarks and functional trends across industries and time including reporting lines, staffing levels, budget spend and allocation, key activities, and risk ownership Compliance performance and functional efficiency metrics Inventory of organizational structures across industries Diagnostic questions to assess appropriate compliance structure given business and regulatory needs Member-shared compliance and ethics officer and staff roles and responsibilities Best practices and guidance to identify program needs and build a multidisciplinary team 7

8 Determine Risk How We Help Companies conduct risk assessments to fulfill regulatory requirements, identify and mitigate potential risks to their organization, and allocate resources efficiently. Our resources support an efficient risk assessment process with a focus on mitigation of critical risks. Risk Assessment Tool 1 2 Compliance Risk Mitigation Plans and Tools Legal and Compliance Risk Catalog Evaluate Your Risks Assess each identified risk according to its likelihood, severity, and control effectiveness to generate a companywide risk heat map Top Compliance Risk Current Status Risk: Bribery and Corruption Risk Definition: Risk Owner(s): Key Stakeholder(s): Key Risk Drivers Risk Management Actions In Progress or Needed In Progress? (Y/N) Target Completion Date Expected/Actual Completion Date Risk Rating: Rating Rationale: Status Observations/ Comments Key Risk Indicators/Measures: (How will we demonstrate improvement in the management of this enterprise risk?) - DRAFT - 0 Identify Your Risks Customize the catalog of approximately 90 risks by adding new risks, risk categories, regulations, and business areas. Mitigate Identified Compliance Risks CEB supports mitigation efforts with risk-specific policies, training, due diligence procedures, red flag lists, and monitoring standards. Key Risk Domains Include the Following: Anti-Corruption Business Ethics Conflicts of Interest Data Privacy Employee Fraud Export Compliance Third-Party Compliance 8

9 Establish Corporate Standards How We Help Our resources save time and money identifying need for, writing and updating, and implementing the policies and procedures that inform and guide employee behavior. We help member companies create a framework and process for sustainable policy management. 1 Code of Conduct Rollout Toolkit 2 Policy Clearinghouse Output: 09:22PM May Modified 11:09AM Nov From Code of Conduct Creation to rollout Phase Action Steps Create and revise the Code plan Code rollout Determine project milestones and identify key players. Gather input to inform code content. Write and revise code of conduct. Obtain board approval and publish code. Create delivery, training, and certification plan. Identify functional partners and assign responsibilities. Introduce code to trainers and deliver training tools. Code of Conduct topic areas CelC s Code Database and Diagnostic Company x pan-industry Benchmark peer Benchmark Conflicts of Interest 85% 80% Employee Data Privacy 98% 90% Customer or Third Party Data Privacy Violations Reporting, Including Non-Retaliation Clause 57% 65% 98% 86% Internal Accounting Controls 90% 95% Deploy Code and ensure Certification Introduce code to senior management. Deliver code to all employees. Provide code training to all employees. Track code certification. Anti-Corruption/Anti-Bribery 90% 86% Gifts and Entertainment 88% 71% Antitrust/Competitive Information 85% 86% provide ongoing Communications Embed code messages in ongoing corporate communications. Enlist managers to reinforce compliance and ethics training with direct reports. Ensure manager accountability for ongoing code communications. All Rights Reserved. XXXXXXXXXXXXX Draft and Deploy Code Through a suite of best practices, tools, and templates, this resource center helps you save time and resources in creating, deploying, and certifying the company s code of conduct. 1 Write Effective Policies The database presents sample policies contributed by peers across all key compliance and ethics areas and reduces the time spent on creating your own policies. 9

10 Create Investigation Procedures How We Help We provide member-shared process maps, interview guides, disciplinary guides, escalation criteria, and other resources to ensure effective, consistent investigations. Speaking-up resources ensure employees feel comfortable raising concerns, therefore improving the speed of risk detection. 1 Investigations Management Toolkit 2 Employee Speaking-Up Resources Create Investigation Procedures This implementation guide includes sample process maps, tools, and templates that can easily be customized for your organization. Kraft Foods Reporting Up Protocol (What You Need to Report to Your Regional Compliance Officer and Why) Our HTUSpeaking Up PolicyUTH requires all employees to ask questions and report suspected violations of law, Company policy, or other misconduct. TOur employees have many avenues for speaking up - we encourage them to raise concerns first with their managers.t That is why you, as a manager, play a vital role in ensuring that we do the right thing and follow our HTUCode of ConductUTH and other HTUCompliance Policies.UTHT This Reporting Up Protocol explains the steps to follow should someone come to you with a report of possible misconduct or non-compliance. Some examples of misconduct and non-compliance are: discrimination or sexual harassment financial fraud or theft (e.g., kickbacks, overbilling, product theft or theft of other Company property) antitrust or competition law issues (e.g., collusion with competitors) document falsification (e.g., false travel or expense reports; false reports to government agencies) bribery or attempted bribery of government officials improper accounting of sales revenue retaliation. Support Employee Speaking-Up The speakingup toolkit provides an inventory of member-shared protocols, procedures, and speakingup materials to ensure comfort speaking-up and rapid risk detection. UWhat to Do U UFirstU, determine whether the concern raised needs to be reported to Compliance & Integrity or another function. As a general rule, you must report to your Regional Compliance Officer (RCO) any allegation that someone working for or on behalf of the Company may have been involved in misconduct or non-compliance with law or HTUCompliance PolicyUTH (including the HTUCode of ConductUTH) when doing something for the Company. This protocol includes reporting of confirmed or suspected incidents of fraud, defalcation, theft or robbery covered by HTUFinancial Policy 2001UTH, but also includes reporting of other types of suspected misconduct. The only exception is when an established or documented procedure exists to address the incident (e.g., grievance procedure under collective labor/bargaining agreement, worker safety incidents, environmental releases, special situations (more examples follow in the attached Q&A)), in which case that procedure should be followed. 10

11 Deliver Training and Communications How We Help CEB s online and customizable training modules and communications partner with best practice tools and strategies to create and deliver a curriculum that reduces noncompliance and maximizes employee integrity. 1 Online and PowerPoint Compliance Training 2 The Compliance and Ethics Message Generator Compliance Training Courses Include: Partial List Create Compliance Training Members can use a variety of customizable training templates and online training modules to foster awareness of and compliance with wide-ranging risk areas. Deliver Innovative Communications This tool allows you to select and customize compliance and ethics posters and brochures, develop relevant ethical dilemmas, and pull together FAQ documents on key issues. Avoiding Conflicts of Interest Complying with the Foreign Corrupt Practices Act Social Media in the Workplace Complying with the UK Bribery Act Discrimination and Harassment Avoiding Antitrust Activities Avoiding Insider Trading Introduction to the Code of Conduct Encouraging Speaking Up Handling Employee Concerns and Reports Appropriately 11

12 Assess Program Effectiveness AND ESTABLISH PROGRAM STRATEGY How We Help Our suite of program diagnostics creates a 360-degree program assessment from a variety of critical perspectives: objective criteria, internal partners, employees, and peer organizations. We combine these perspectives with empirical insights on the drivers of program effectiveness to create a meaningful dashboard of program performance. These distinct diagnostics help you assess the effectiveness of key activities and allocate time and resources appropriately. Case in Point Compliance and Ethics Program Dashboard I. How should I structure my function? State of the Compliance and Ethics Function Survey What risk detection activities does the compliance and ethics function own or participate in? How has your risk assessment process changed over the past three years? What are the most significant risks you face? Key Benefits of CELC Benchmarking Analysis Unique ability to validate and improve the effectiveness of your compliance and ethics initiatives Unparalleled transparency into the performance of your compliance program and health of your ethics culture compared to more than 100 other companies Opportunity to identify functional inefficiencies and cut unnecessary spending What organizational model do you currently use for managing compliance? Critical analysis of program performance from regulatory, executive, and employee perspectives Internal Client Importance Assessment ABC Company Internal Client Average Importance Scores Versus Benchmark An effective compliance program is not static but dynamic, adapting to meet new compliance challenges and subject to periodic review. Gary Grindler Assistant US Attorney General Compliance Dashboard Governance Framework Structure Policies/controls Integration into ERM Operating Business Metrics Feedback from senior business leaders Regulatory violations compared to industry average Efficiency of regulatory approvals Functional Metrics Allegation and investigation case-cycle time Compliance costs per $ billion relative to peers Employee/Cultural Metrics Employee perceptions of corporate culture Percentage of employee who fear retaliation II. What risks am I overlooking in my organization? Risk Clarity Business Unit Review Action Plan Survey Results Assess susceptibility to misconduct using indicators from the Council s Total Preempting Compliance Failures study BU A A A A B A A A Accelerate time-to-implementation using tools and templates from BU B A A A A A A A Performing a Legal and Compliance Risk Assessment BU A A B B B B B B Develop targeted compliance messages using the Council s online Total B A B B B B B Compliance Message Generator B Integrity Index Score Month Outlook Current Integrity Index: B Review adequacy of resources Target Integrity Index: A Create compliance program strategy and action plans to address gaps Industry Benchmark: A Forecast critical current and emerging issues III. how do my business partners perceive program effectiveness? IV. How mature is my program? Program Assessment Tool Key Program Sub-Elements/ Stage I Stage II Stage III Stage IV Stage Development Compliance Risk Features Features Features Features Management Process No formal compliance risk assessment process: selective audits of risk areas performed on ad hoc basis Inconsistent compliance risk assessment process applied to certain parts of the business A consistent, companywide risk assessment process exists to identify and prioritize current and emerging risks Consistent risk assessment process performed as part of the strategic planning process at the business unit level and validated by the center 12

13 Report Results How We Help The compliance and ethics function should regularly inform the board about program progress and compliance risk exposures. More importantly, the board requires information to effectively fulfill its oversight responsibilities and adequately protect the long-term interests of shareholders. We provide customizable dashboards, templates, and benchmarks to track and report on key compliance and ethics trends. 1 Board Presentation Builder 2 Metrics Dashboard Tool Create Effective Board Reports The Presentation Builder provides customizable templates and samples to help you do the following: Introduce the compliance and ethics program. Report periodically on key trends. Present key risks and mitigation plans. Communicate annual progress against key goals. Monitor Compliance Performance The metrics dashboard tool allows you to select from a menu of performance metrics and design your own scorecard to track progress against key goals. 13

14 Key Building Blocks CEB CELC arms you and your team with the data, tools, and advisory support to make better decisions, learn new skills, and complete critical projects. Chief Compliance Officer and CEB CELC Member Select CEB CELC Services and Associated Value One Year of Membership Report Results Create (and Improve) Program Structure Program Staffing and Spending Trends Determine Risk Risk Assessment and Rapid Risk Tools Mitigation Plans and Tools $25,000 $50,000 Establish Corporate Standards Code Database and Rollout Toolkit Policy Clearinghouse $10,000 $15,000 Create Investigation Procedures Investigation Toolkit Speaking-Up Toolkit $10,000 $20,000 Deliver Training and Communications Interactive E-Learning Modules Manager Education Tools $20,000 $50,000 Assess Program Effectiveness and Establish Program Strategy Program Assessment Tools RiskClarity Service $50,000 $75,000 Board Report Presentation Builder Metrics Dashboard Tool $10,000 $15,000 Organizational Models and Diagnostics $10,000 $20,000 14

15 Sample Engagement Plan for Code of Conduct Support Review and Benchmark Code of Conduct Revise the Code Plan for Code Launch and Rollout Deploy Code and Ensure Certification Use CELC s code database to benchmark against key aspects of your code, including: Organizing frame; Content sections and language; and Presentation style and graphics. Save time updating your code using CELC s: Code recommendations; Sample language and clauses; and Best practices for designing codes. Create project timeline using: Sample communications and communication calendar; Training template calendar; and Sample code of conduct trainings and Q&As. Certify and document code completion using CELC s: Sample certification statements and Certification rate benchmarking report. Contact CEB to Learn More

16 CEB Compliance and Ethics Leadership Council