CLEAR GOAL. Satisfy Regulatory Demands. Mitigates Current Risk Effectively. Provides Meaningful Information About Program Effectiveness

Transcription

1 Catalog # 3 Regulatory Interconnected 4 Growth Hyper Building Predictive Monitoring Capabilities SCCE Conference October 205 Las Vegas, Nevada CEB Compliance & Ethics Leadership Council Project # CELC983024SYN THE VALUE OF PREVENTION Cost of a Noncompliance Event Across Time Illustrative Predictive Detection Period when increased susceptibility for noncompliance can first be measured Rapid Internal Detection Period after event occurred but before widespread knowledge Slow Detection Inability to identify an event before it s widespread knowledge Cost of Noncompliance Cost Cost of Monitoring: 0% 5% of Corporate Compliance Budget Cost Cost Cost of Monitoring: 0% 5% of Cost of Monitoring: 0% 5% of Corporate Corporate Compliance Budget Compliance Budget Regulatory Fine: Approximately Regulatory Fine: Approximately US$5.8 US$5.8 Million Million Internal Remediation Costs Internal Remediation Costs Legal Fees: US$200 US$500/Hour Decrease in Stock Value: Up to 4% Public Disclosure Decline in Employee Perceptions of Integrity: 20% Decline in Employee Engagement: Up to 0% Decline Noncompliance Event Reputational Harm Time Source: CEB 204 State of the Compliance and Ethics Function Survey; CEB 203 Q3 Integrity Capital Quarterly. HEIGHTENED URGENCY The Expanding Corporate Risk Ecosystem Highlights of the Interconnected Risk Landscape DATA PRIVACY THE CLOUD INSIDER TRADING CORRUPTION RISK Fragmentation Supply Chains in Information Transparency A

2 5 6 7 CLEAR GOAL Primary Objective of Compliance and Ethics Monitoring Percentage of Compliance Executives Selecting as Primary Objective Compel Action to Mitigate Unacceptable Compliance Risk Obtain an Accurate Read on Compliance Provide Information About the Effectiveness of the Compliance Program Report Compliance Program Activities to the Board Report Compliance Effectiveness to Regulators 2% 7% 6% 22% 38% Identify and Mitigate Risk = 60% Demonstrate Program Effectiveness = 35% Other 4% n = 98. Source: CEB 204 State of the Compliance and Ethics Function Survey. 0% 20% 40% BUT LIMITED INSIGHT Measuring and Monitoring Effectiveness Percentage of Compliance Executives That Agree or Strongly Agree with the Following Statements About Their Compliance Monitoring Program Satisfy Regulatory Demands 43% Mitigates Current Risk Effectively 33% Limited Effectiveness Provides Meaningful Information About Program Effectiveness 23% Predicts Future Compliance Risks 5% Limited Foresight 0% 25% 50% n = Source: CEB 204 State of the Compliance and Ethics Function Survey. BARRIERS TO EFFECTIVE MONITORING Barriers to Building an Effective Measurement and Monitoring System By Percentage of Compliance Executives Complexity of Business Operations Lack of Predictive Metrics/Leading Indicators Poor Information Sharing (Across Functional Silos) Technology Constraints Corporate Culture Limited Understanding of the Organization s Risk Landscape n = 22. Source: CEB 204 State of the Compliance and Ethics Function Survey. Resistance from the Business Staff Skills (Mismatch of Skills and Needs) Regulatory Requirements/Expectations Other 8% 7% 6% 5% 5% 3% 0% 2% 2% 23% 0% 5% 30% A2

3 8 9 0 FOCUS ON ROOT CAUSES Current Versus Ideal Focus of Metrics Current Focus of Metrics: Period where detection that a noncompliance event has occurred takes place. Ideal Focus of Metrics: Period where earliest indication of the risk of noncompliance is possible. Reactive to Predictive Spectrum Representation Features: Activity and Efficiency Metrics Training completion rates Helpline call volume and trends Case cycle time Percentage of substantiated compliance cases Root Cause Metrics Tied to Risk Outcomes Measurable actions or events that indicate increased susceptibility to risk and allow for treatment of causes before an event occurs. IMPROVING THE SIGNAL TO NOISE RATIO Current Versus Ideal State of Risk Insight Illustrative Ideal State Current State Signal to Noise Ratio Ideal State: Predictive Monitoring Compliance only tracks the root caused-based metrics that increase understanding of the related risk. Number of Metrics Tracked Current State The average compliance program tracks 24 different metrics, yet lacks meaningful risk insight as there is no clear relationship between metrics tracked and risk outcomes. THE PATH TO PREDICTIVE MONITORING Key Barriers Understanding Meaningful Data 2 Creating Risk Indicators 3 Improving Visibility into Risk Change 4 Translating Monitoring Into Action Predictive Capabilities Identify the Root Causes of Risk Translate Root Causes Into Risk Indicators Embed Risk Indicators Into Existing Workflows Drive Business Accountability for Risk Mitigation Implementation Steps Conduct root cause analysis of noncompliance, focusing on cultural risk drivers Categorize root Create measurable KRIs by systematically translating root causes into specific, quantifiable metrics Build risk informationsharing protocols among internal partners Instill business leader support for KRI monitoring and mitigation by providing tools to ease the burden causes to prioritize Ensure efficacy of most significant risks corrective action plans A3

4 2 3 BUILDING PREDICTIVE MONITORING CAPABILITIES What drives How do I create How do I monitor how my How do I drive compliance risk? trackable risk indicators? risk indicators are changing? proactive risk mitigation? IDENTIFY THE ROOT CAUSES OF RISK TRANSLATE ROOT CAUSES INTO RISK INDICATORS EMBED RISK INDICATORS INTO EXISTING WORKFLOWS DRIVE BUSINESS ACCOUNTABILITY FOR RISK MITIGATION MassMutual Cultural Root Causes of Risk Root Cause-Based KRIs Business Risk Sensors Business-Led Risk Prevention Process-Based Risk Drivers Functional Risk Expertise High-Impact Risk Mitigation Principles for Conducting an Effective Root Cause Analysis ROOT CAUSES ENABLE PREDICTIVE INSIGHT Key Root Causes of Noncompliance Noncompliance Events Culture of Self Interest, Permissiveness, and Pressure Root Causes of Insufficient, Noncompliance Burdensome, and Complex Processes Description, Not Prediction Basic information about noncompliance events explains the type of noncompliance that can occur, but fails to provide insight into why noncompliance occurred. Predictive Insight Root causes explain the conditions and moments that precede and drive noncompliance, setting the foundation for a predictive monitoring system. Employee Mistakes ROOT CAUSES THAT MATTER MOST (AN INDEPENDENT ASSESSMENT) Primary Causes of Noncompliance , Council Analysis Company Gain 53% n = 209 Compliance Settlements. Personal Gain Pressure From Superior Permissive Culture Operational Burden Poor Process Design Employee Made Mistake Employee Unaware of Policy Other (External Actor) 0% 7% 0% 0% 9% 2% 4% 39% 0% 30% 60% Culture = 69% Process = 2% A4

5 4 5 6 ROOT CAUSES THAT MATTER MOST (STAKEHOLDERS PERSPECTIVES) Primary Causes of Misconduct Percentage of Compliance Executive Responses by Reason for Business Misconduct (Select up to Three Causes) Compliance Executives Employees Employee(s) Self-interest 32% 74% Employee(s) Felt Pressure to Commit Misconduct Poor (Permissive) Company Culture 0% % 9% 23% Insufficient Controls 23% 48% Operational Burden Process Complexity (Unintentional or Negligent) 0% 4% 0% 26% Employee Made Mistake 6% 4% n = 36; 3,668 employees. Source: CEB 204 State of the Compliance and Ethics Function Survey. 2% Lack of Awareness 2% 0% 40% 80% IDENTIFY THE ROOT CAUSES OF RISK What drives compliance risk? Challenge Understand the primary root causes of noncompliance Challenge 2 Identify where to focus root cause analyses Challenge 3 Conduct an effective root cause analysis Profiled Solution Profiled Solution Profiled Solution Cultural Root Causes of Risk Process-Based Risk Drivers Principles for Conducting an Effective Root Cause Analysis THE IMPORTANCE OF A CULTURE OF INTEGRITY Observations of Misconduct by Employee Perception of Culture Reporting Rates by Employee Perception of Culture Less Observations, More Reports Employees with the most favorable perceptions of the organization s culture are 90% less likely to observe misconduct and 63% more likely to report anything they see. 80% 80% = 63% 40% = (90%) 40% 0% Least Neutral Moderately Most Favorable Favorable Favorable n = 255,498. 0% Least Neutral Moderately Most Favorable Favorable Favorable n = 255,498. A5

6 7 8 9 A KEY CULTURAL ROOT CAUSE Organizational Justice Drives a Culture of Integrity 73% Organizational Justice Organizational Justice is employees degree of agreement that: Their company responds quickly and consistently to verified or proven unethical behavior and Unethical behavior is not tolerated in their department. 27% All Other Integrity Components Clarity of Expectations Leadership Comfort Speaking Up Trust in Colleagues Direct Manager Openness of Communication Tone at the Top n = 65 companies. CULTURE SHIFTS AS THE ORGANIZATION CHANGES Impact of Career Moments on Employee Perceptions of Integrity By Number of Career Moments in the Past Year (Excluding Promotions) No One Two Moments Moment Moments 0% Employee Perception of Integrity (6%) (2%) n = 3,3. Three Moments A 4% decline is equivalent to moving from middle to bottom-quartile scores in perceptions of integrity. Four Moments 5 0 Moments IMPLICATIONS FOR COMPLIANCE MONITORING Summary of CEB Cultural Research Implications on Compliance Monitoring By Number of Career Moments in the Past Year (Excluding Promotions) Compliance Monitoring Implications Over-invest in Monitoring Culture Cultural metrics are the most predictive indicators of future misconduct, compared to process-related factors and employee mistakes. Track Employee Perceptions of Organizational Justice Use operational metrics (e.g., percentage of employee concerns that receive follow-up) to monitor organizational justice. Include questions about employee perceptions of organizational justice (e.g., extent to which the company responds quickly and consistently to verified or proven unethical behavior) on annual C&E program or company-wide engagement surveys. Conduct Deeper Dives During Periods of Change Increase cultural monitoring and conduct focus groups during times of change when employees perceptions of culture (and thus the potential for increased risk) are most likely to shift. A6

7 20 2 Pseudonym. 22 CREATING THE MANAGER INTEGRITY DASHBOARD Manager Integrity Pre-Alert Dashboard Illustrative, CEB Employee Integrity Performance Human Resource Factors Compliance Factors Behaviors Risk Whistleblowing Leadership or Integrity Turnover, Actions Senior Engagement Exit Interview Assessment MBOs Absenteeism, ( >.5 SD Manager Survey Trends ( >.5 SD below Noncompliance below company Results company average) average) Comfort Speaking Up 80% to Organizational Justice SVP > 5% N/A Target Goal 5% Y-o-Y Direct Manager Within Range Leadership Comfort Speaking Up SVP 2 95% to Target Goal > 0% N/A 20% Y-o-Y Organizational Justice Direct Manager Leadership Within Range SVP 3 50% to Target Goal > 5% Increase in Management Concerns 5% Y-o-Y Comfort Speaking Up Organizational Justice Direct Manager Leadership Outside Acceptable Range CEB RISKCLARITY SERVICE: ASSESSING CORPORATE CULTURE CEB RiskClarity: A Corporate Integrity Service Employee Survey and Potential Responses Key Demographics of Survey Participants Multiple Industries CEB RiskClarity: A Corporate Integrity Service I have observed misconduct at my company in the past year. Yes No Don t Know Have you observed any of the following types of misconduct in the past year? (Select all that apply.) Don t Don t Yes No Know Yes No Know Accounting irregularities Improper payments 2 All Employee Levels 3 Global Coverage Alcohol or drug abuse Business information violation Conflict of interest Data privacy or information security violation Discrimination Fraud Harassment Inappropriate behavior Inappropriate giving Insider trading Misuse of time or resources Preferential treatment Stealing of company property Violation of environmental regulations Violation of health and safety regulations 4 All Business Functions 5 Dozens of Languages PROCESS-BASED RISK DRIVERS OVERVIEW Vista aligns compliance risks to associated business activities, forming the basis for quarterly risk-based monitoring plans that reflect the risk weight of each business activity. SOLUTION HIGHLIGHTS Align Business Activities with Compliance Risks Define the set of risks in Compliance s purview and align those risks to the activities in which they manifest. Pinpoint Business Activities Contribution to Risk Conduct an activity-based risk assessment to identify the level of compliance risk associated with common business processes. Derive Monitoring Plans from Risk Assessment Results Use annual risk assessment results to prioritize each region s monitoring efforts around its high-risk activities. COMPANY SNAPSHOT Vista Industry: Pharmaceuticals and Biotechnology 203 Sales: US$5 5 Billion Employees: 4,000 8,000 A7

8 A MORE HOLISTIC RISK ASSESSMENT Vista s Two-Pronged Risk Assessment Top-Down Environmental Risk Score Collection of broad conditions that describe a region s environment of compliance risk. Ownership Corporate Compliance pulls environmental conditions from functional and regional partners and other sources. Examples Sales Growth Expectation (from Finance) Employee Turnover Rates (from HR) Controls Required by Regulators (from external publication) Bottom-Up Operational Root Causes Risk rating of the specific business operations and processes in which misconduct can manifest. Ownership Each regional or functional compliance officer assesses the risk level of business activities within his or her region. Examples Likelihood of HIPAA violation during promotional interactions with patients Effectiveness of controls in preventing bribery during interactions with health authorities Accurate Insight Vista develops a comprehensive understanding of the conditions and processes that drive risk across the organization. Source: Vista; CEB analysis. Pseudonym. HOW THEY DO IT Overview of Bottom-Up Assessment and Monitoring Plans Align Risks with Activities Define the risks in Compliance s purview. Identify the company s core business activities and how they relate to compliance risks. Create a catalog that aligns each business activity to the relevant compliance risks. Identify High-Risk Business Activities Use an activity-based risk assessment to identify the business activities that drive the most risk within each region. Deploy Right-Sized Monitoring Plans Create a customized monitoring plan for each business activity that reflects its contribution to compliance risk exposure. Source: Vista; CEB analysis. Pseudonym. ACTIVITY-BASED RISK ASSESSMENT Vista s Risk and Control Assessment Illustrative, Does Not Reflect Real Results Risk Data Privacy Inherent Risk Control Risk- Overall (likelihood x Residual Activity Effectiveness Specific Compliance impact; Risk ( 3 Scale) Weight Risk Weight both on 5 Scale) Promotional Interactions % 28% with Patients Market Research % % Consulting Meeting % 7% Antitrust/Unfair Competition/ Competitor Disparagement Corruption and Bribery Promotional Interactions % 9% with Patients Hospital Sponsorships % % Education Grants % 5% Interactions with Health % 9% Authority Source: Vista; CEB analysis. Note: Up by the 60% for risk-specific weight and then at the bottom add: Risk-Specific Weight of 60% = Residual risk score of 5/total of all residual risk scores for data privacy of 25. Pseudonym. A8

9 26 Pseudonym. 27 Pseudonym. 28 IDENTIFYING HIGH-RISK ACTIVITIES Risk Weight of Activities, Data Privacy Risk Illustrative Risk Weight of Activities, All Compliance Risks Illustrative 6% Consulting Meeting Focus on a specific risk area. 9% Interactions with Health Authority 5% Education Grants View total compliance risk. 24% Market Research 60% Promotional Interactions with Patients % Hospital Sponsorships 47% Promotional Interactions with Patients 7% Consulting Meeting % Market Research Source: Vista; CEB analysis. Pseudonym. DEPLOY RIGHT-SIZED MONITORING Source: Vista; CEB analysis. Vista s Data Privacy Monitoring Plan Illustrative Monitoring Plan: United States Regional (204 Q3) Data Privacy Risk Sub-Activities Promotional Market Consulting Interactions Research Meeting with Patients Residual Risk Total Occurrences Monitoring Format Post-Transaction Post-Transaction Live Review Review Suggested Sample Size 30 4 Risk Score-Adjusted Sample Size BUILDING PREDICTIVE MONITORING CAPABILITIES What drives compliance risk? How do I create trackable risk indicators? How do I monitor how my risk indicators are changing? How do I drive proactive risk mitigation? IDENTIFY THE ROOT CAUSES OF RISK TRANSLATE ROOT CAUSES INTO RISK INDICATORS EMBED RISK INDICATORS INTO EXISTING WORKFLOWS DRIVE BUSINESS ACCOUNTABILITY FOR RISK MITIGATION MassMutual Cultural Root Causes of Risk Root Cause-Based KRIs Business Risk Sensors Business-Led Risk Prevention Process-Based Risk Drivers Functional Risk Expertise High-Impact Risk Mitigation Principles for Conducting an Effective Root Cause Analysis A9

10 MONITORING CHANGES IN RISK EXPOSURE Internal Capabilities to Monitor Risk Business Partners Information on changes in the business Internal Audit Previous audit findings Information Technology Systems access permissions Human Resources Employee information Finance Information on outgoing payments Compliance Hotline and investigations data Procurement Third-party vendor information CEB INSIGHTS IN BUILDING AND SUSTAINING A LIAISON PROGRAM Key Learnings in Developing a Liaison Program Align the Business Case with Key Stakeholders Interests 2 Right-Size Your Liaison Program Structure 3 Look Beyond Functional Background and Seniority in Selection 4 Provide Support to Build Early Engagement 5 Measure Ongoing Effectiveness of the Program Source: CEVA Logistics; CEB analysis. CEB INSIGHTS IN BUILDING AND SUSTAINING A LIAISON PROGRAM (CONTINUED) Case-in-Point: Overview of CEVA Logistics Liaison Program CEVA Logistics Liaison Program Situation: CEVA Logistics launched its liaison program in 2008 to strengthen its corporate culture while minimizing additional resource investment. Key Liaison Program Attributes: Phased Rollout: CEVA Logistics piloted its liaison program in South America. After a few years of success with its liaisons (called Compliance Leaders), CEVA expanded the program into other regions. Right-Sized Structure: To maximize coverage, CEVA Logistics assigns one Compliance Leader to each country of operation. The company provides additional liaisons to certain countries based on complexity of operations and risk profile. Competency-Based Selection: Compliance leaders are nominated by regional managers and selected based on key competencies. Leaders come from a variety of functional backgrounds (Operations, HR, Legal). Support Tools: New leaders receive one-on-one onboarding with the Compliance office, and monthly calls for ongoing support. Rewards/Recognition: Performance reviews include a compliance and ethics component. Compliance-in-Action is an initiative to recognize ethical behavior and reward leaders. Source: CEVA Logistics; CEB analysis. A0

11 NEW CEB RESOURCE: LIAISON TOOLKIT Liaison Toolkit Highlights Sample Resources Compliance and Ethics Liaison Toolkit Proposed Topics Liaison Program Organizational Structures and Decision Rules. Making the Business Case Overview of program benefits Customizable business case presentation 2. Structuring and Rolling Out a Liaison Program Sample program charter Liaison program organizational structures Sample Liaison Reporting Dashboard 3. Identifying and Selecting Liaisons Liaison roles and responsibilities Liaison selection criteria 4. Onboarding and Engaging Liaisons Liaison development plan Liaison onboarding presentations Liaison support tools (e.g., reporting dashboards) 5. Managing the Program Liaison performance management (e.g., performance criteria, incentives) Measuring liaison program effectiveness This Toolkit Will Help You: Implement a Liaison Program: Save time and effort organizing and implementing an effective ethics liaison program Enhance Ethics Network: Improve the reach and oversight of the compliance and ethics program across the company EMBED MONITORING IN FUNCTIONAL RISK CENTERS Monitoring Compliance Risk in Corporate Functions Functional Partners Compliance Risk- Relevant System Risk Indicator Examples Procurement Third-Party Database Sub-contractor due diligence Information Technology Information Security Incident Database Data privacy breaches Human Resources Human Resources Information System (HRIS) Employee career moments (e.g., layoffs, role changes, restructuring) Senior management involvement in noncompliance cases Sales & Marketing CRM Database Customer complaints Finance Accounts Payable Improper Payments Travel and Entertainment Expenses EMBED MONITORING IN FUNCTIONAL RISK CENTERS Monitoring Compliance Risk in Corporate Functions Implementation Guidance for Functionally-Integrated Monitoring Prove Business Value Build buy-in for consistent collaboration by outlining the benefits of closer integration (e.g., business efficiency, heightened corporate assurance, lower cost of compliance). Extract Value from Existing Capabilities Use risk information already tracked in functional systems to streamline monitoring efforts and reduce the burden of Compliance-led monitoring. Synthesize Risk Intelligence Utilize functional partners knowledge and experience of how noncompliance manifests to enhance practical understanding of compliance risk and local control environment. A

12 35 QUESTIONS? Jennifer Childs Kugler Principal Executive Advisor CEB Compliance and Ethics Leadership Council A2