Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
©2020 True Office Learning, Inc. | Confidential
Predictive ComplianceBoard and Executive Reporting
date
Live (anonymous) Q&A and PollingVisit www.slido.com
Enter code TOLBOD to enter the poll – OR –
Scan this QR code to join!
Understand the Board of Directors
Their biggest objectives:
Driving Sustainable Growth
Executive Oversight
Risk Management
Their biggest challenges:
Measuring Ethical Culture
Conduct Risk - Unconscious Bias/COVID-19/ #MeToo
Cybersecurity/Data Privacy
3
DOJ Guidance on Oversight (Updated June 2020)
4
What compliance expertise has been available on the board of directors?
Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions?
What types of information ha U.S. Department of Justice Criminal Division Evaluation of Corporate Compliance Programs (Updated June 2020) 11 the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?
The On-Ground Reality
40% Reported their company’s chief compliance officer does not regularly attend audit committee meetings
70% reported that the CCO does not regularly attend board meetings
17% reported that CCO is responsible for managing culture risk
50% reported that their board training includes content on ethics & Compliance
5
Why The Disconnect
• Proactively measure and manage risk
• Build Culture and trust
• Drive bottom line performance 6
W H AT C O M P L I A N C E W A S C R E AT E D T O D O :
W H AT C O M P L I A N C E F E E L S L I K E N O W :
• Perceived cost center
• Policing organization; reactive state
• Struggle to prove value and efficacy
What Boards Are Looking For
<-- Compliance Programs -->
Why Utilize Data?
Prevention
Detection
Mitigation
Detection
Prevention
Mitigation
https://www.youtube.com/watch?v=opHxoS56aVM
Where Is Your Organization Currently
Shifting the DialogueBOD Reporting
Driving Strategic Dialogue
What is being forced upon us by regulators
Who showed up to work
What were our efforts
How many people raised their hand
Where we put out the fire
What were really obvious problems
What we spent and where we need more
Here’s what is likely to happen
Here’s why I think so
• External Landscape
• Internal predictive insight
Here’s what we are doing about it
Here’s how we will measure along the way
We need X to make Y happen
Old World New World
The Must Share Information
Risk Assessment
• List of risks based on business/geography
Risk Assessment
• Risk propensity and impact (Role & Region)
14
Old World New World
Investigations & Hot Line Reporting• # received• # resolved• Type of complaints
Training• # of courses• % completion
InvestigationsAnonymous reportingSubstantiationSufficiency of reports/proactively identified issues
TrainingPerformance by SectorTop 3 Most challenging trends by key risk areas
The Must Share Information
Communications
• # of activities
• Employee engagement/participation statistics
Communications
• Targeted root cause remediation activities
• Tone from the top dialogue facilitated
15
Old World New World
Culture • VOE Survey• Anecdotal feedback/Investigation result
Policies & Monitoring• Regulatory updates• Broad base/generic monitoring
DOJ Alignment• We have all the elements
Culture• Org Justice Metrics (by level)• Silent Retaliation or Disclosure Rate
Policies & Monitoring• Values Based• # of questions/Predictive Insight
DOJ Alignment• Progress Scorecard (R/G/Y or mile marker)
Measuring The Culture Of Compliance
Financial Transactions: • Risky Deals
High risk deals/total deals
• Fraud
Fraud revenue/total sales volume
• Sales Integrity
% of spend that is non-compliant
• Expense Fraud
% of expenses that are fraudulent/ non-compliant
• Brand Perception:
Brand Sentiment – customer• NPS Analysis
Brand Sentiment – market• Twitter/NLP sentiment analysis
Employee Recruitment:• # of applicants/ # of interviews
• % minority applicants/# of total applicants
• Time to fill the role
Employee Voice: # of issues reported per
thousand employees
# of disclosers per thousand employees
# of questions asked per thousand employees
• Anonymous Reporting
total anonymous cases/total cases
• Substantiation Rate
Substantiated cases/total cases to assess level of frivolous cases
Organizational Justice: • Retaliation Rate
Retaliation cases/total cases
• ‘Silent’ retaliation rate
Salary progression of whistleblowers vs. peers
• Investigation Resolution Time
Average closure times as measure of organizational justice
• Fair Resolution
Actions by each organizational level/total actions
Actions by each organizational level and performance rating/issues reported
16
Many transactional metrics can be analyzed to measure culture of compliance but are often difficult to gather:
Benchmarking Against Regulatory Guidance
Is the corporation’s compliance program well designed?“
“Is the program being applied earnestly and in good faith?“ In other words, is the program being implemented effectively?
“Does the corporation’s compliance program work“ in practice?
17
Old World New World
DOJ Alignment• We have all the elements
DOJ Alignment• Progress Scorecard (R/G/Y or mile marker)
Is the Program Well Designed?
18
Program Design
Risk Assessment
Policies & Procedures
Training & Communica
tions
Confidential Reporting & Investigatio
ns
Third Party Manageme
nt
Mergers & Acquisitions
The “critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct.” JM 9-28.800
prosecutors should examine “the comprehensiveness of the compliance program,” JM 9-28.800, ensuring that there is not only a clear message that misconduct is not tolerated, but also policies and procedures – from appropriate assignments of responsibility, to training programs, to systems of incentives and discipline – that ensure the compliance program is well-integrated into the company’s operations and workforce.
Risk Assessment
19
the location of its operations
the industry sector
the competitiveness of the market
the regulatory landscape
potential clients and business partners
transactions with foreign governments
payments to foreign officials
use of third parties
gifts, travel, and entertainment expenses
charitable and political donations
Policies & Procedures
prosecutors should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.
20
Design
Evolve
Integrate
Risk-Based Training
External Guidance
Appropriate Form and Content
Effectiveness
Communications
Availability of Guidance
True Office
5
4
3
2
1 • Is training appropriately tailored for high risk areas, and controls around those areas?
• Does it include case studies to address real-life scenarios and/or guidance to obtain ethics advice?
• Do supervisors (or those with approval authority) receive different or supplemental training?
Role & Risk Paths,Bias-free scenarios,In-course manager only OTS content
• Is training delivered in a form appropriate for the audience?
• Is training delivered in a language appropriate for the audience?
• Does the content address lessons-learned?
• Is there a process by which employees can ask questions arising out of trainings?
508C compliant & responsive with 65+ languages,Adaptive learn-by-doing algorithms, resources tabs
• How has the company measured effectiveness of training?
• Have employees been tested, and how does the company address those who fail a portion of training?
• Has the company evaluated the extent to which the training has an impact on employee behavior or operations?
Rich, predictive behavior insightsReal-time, proven remediation to 100% mastery
• Has the company relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise?
• What communications have there been generally if there has been discipline around violations of policies, procedures, and controls?
Individualized coaching feedbackScholar Micro, A.I. reinforcement & Poet Editor
• What resources are available to provide guidance relating to company policies?
• How has the company assessed whether employees know when to seek advice or willingness to speak up?
Policy attestation, resources, surveys & in-course disclosures
DOJ Guidance: Training Program Evaluation Checklist (at June 1, 2020)
Investigations “a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the
organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation”).
22
Reporting Mechanism
Effective Investigations
Response & Analysis
Is the Program Being Implemented Effectively
23
Commitment by Senior and Middle Management
Autonomy and Resources
Incentives and Disciplinary Measures
Even a well-designed compliance program may be unsuccessful in practice if implementation is lax or ineffective. Prosecutors are instructed to probe specifically whether a compliance program is a “paper program” or one “implemented, reviewed, and revised, as appropriate, in an effective manner.” JM 9-28.800. In addition, prosecutors should determine “whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts.” JM 9-28.800. Prosecutors should also determine “whether the corporation’s employees are adequately informed about the compliance program and are convinced of the corporation’s commitment to it.”
Does The Program Work In Practice?
The Principles of Federal Prosecution of Business Organizations require prosecutors to assess “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision.” JM 9-28.300. Due to the backward-looking nature of the first inquiry, one of the most difficult questions prosecutors must answer in evaluating a compliance program following misconduct is whether the program was working effectively at the time of the offense, especially where the misconduct was not immediately detected.
In answering this question, it is important to note that the existence of misconduct does not, by itself, mean that a compliance program did not work or was ineffective at the time of the offense. Indeed, “[t]he Department recognizes that no compliance program can ever prevent all criminal activity by a corporation's employees.” JM 9-28.800.
Of course, if a compliance program did effectively identify misconduct, including allowing for timely remediation and self-reporting, a prosecutor should view the occurrence as a strong indicator that the compliance program was working effectively. In assessing whether a company’s compliance program was effective at the time of the misconduct, prosecutors should consider whether and how the misconduct was detected, what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts.
To determine whether a company’s compliance program is working effectively at the time of a charging decision or resolution, prosecutors should consider whether the program evolved over time to address existing and changing compliance risks. Prosecutors should also consider whether the company undertook an adequate and honest root cause analysis to understand both what contributed to the misconduct and the degree of remediation needed to prevent similar events in the future. For example, prosecutors
24
Does The Program Work In Practice?
25
Continuous Improvement, Periodic
testing, and Review
Investigation of Misconduct
Analysis and remediation of any
underlying misconduct
•Reward efforts to promote improvement and sustainability
•Evaluate periodically the effectiveness of the compliance program
•Timely and thorough investigations of any allegations
•Documenting the company’s response, including any disciplinary or remediation actions taken
•Root cause analysis to understand the extent and pervasiveness of the criminal misconduct
•Recognition of seriousness, acceptance of responsibility, and measures to reduce the risk of repetitionand identify future risk
What Matters Most
26
Risk Assessment
Policies and Procedures
Training and communications
Confidential Reporting & Investigations
What Matters Most
27
Third Party Management
Mergers & Acquisitions
Measuring Effectiveness
Program Testing & Evolution
Identifying Risk ProactivelyGetting to Predictive Compliance
Data Sources in the Organization
Business Data
Operational Data
Behavioral Data
The Operational Data Journey
Behavioral Performance & Predictive Intelligence
Risk AreaBehavioral
Performance
Overall Export BasicsControlled Items,
Licenses and PermitsSanctioned and
Restricted PartiesRoles and Reporting Business Partners
86% 75% 80% 90% 91% 95%
Overall Payments Introduction Third Parties Expenses RecordkeepingQuestions and
Concerns86% 79% 80% 84% 87% 92% 94%
OverallAbuse of Market
PowerAnticompetitive
AgreementsCommunication and
DocumentationReporting and Non-
RetaliationCompetition and
Antitrust Laws87% 69% 83% 89% 93% 100%
Overall Reporting ViolationsPerforming Due
DiligenceIntroduction to
Economic SanctionsTypes of Sanctions
Programs94% 89% 89% 96% 100%
Economic Sanctions(1,004 learners)
XYZ Company Behavioral Performance
Export Controls(207 learners)
Anti-Corruption - 2017(1,148 learners)
Competition and Antitrust Global(4,641 learners)
Not every employee can face every situation in real-life, and not every violation is transactional. That is why simulations (drills and role play) are such effective means to assess likely behavior
Adaptive e-learning can be an untapped source of behavior intelligence for conducting simulations and measuring behavioral performance in a statistically sound manner
It also helps eliminate response and guess-ability bias inherent in quiz questions
Predictive Compliance: Going Beyond Hindsight Data
32
Regional Decision-Making Results
33
Identifying Hotspots
34
Digging Deeper
35
Going Beyond Thematics
36
Getting Into The Why
37
Sentiment vs. Performance
% of employees who are unable to perform appropriately as seen through behavioral analytics: Scenario 1: Socializing with clients and prospectsRow Labels Count of User IDHighly confident 16%Moderately confident 12%Not confident 20%Grand Total 15%
Scenario 2: Buying public stock of a competitorRow Labels Count of User IDHighly confident 18%Moderately confident 17%Not confident 28%Grand Total 18%
Scenario 3: Interacting with VendorsRow Labels Count of User IDHighly confident 15%Moderately confident 15%Not confident 13%Grand Total 15%
• Understanding response bias – sentiment does not always translate into performance
• Comparative analysis helps understand the root-cause
Bringing Us To A Robust Ecosystem
39
Learn: Clearly Communicate The Organization’s Values and Perspective – the more personal the betterPractice: Provide a safe space to navigate common day-to-day situationsAnalyze: Utilize behavioral insights to drive a rich dialogue amongst teams and leadershipReinforce: Share the stories, Micro-learning and other communicationsModify: Personalize the learning strategy and on-going communication initiatives
M.A.P: Provide every key stakeholder a Measure of their segment’s bias propensity so they can Adapt their efforts, use tools more effectively and proactively to Predict mis-alignment with the company’s values.
LEARN
PRACTICE
ANALYZE
REINFORCE
MODIFY
M.A.P.