Outside the box, inside the lines

Leveraging ethics and compliance to boost tech sector innovation and growth

PwC, May 2015


Table of contents

Supporting the growth agenda: Ethics and compliance and the tech sector

Leveraging ethics and compliance for greater efficiency, collaboration, and performance

Building proactive ethics and compliance: An evolutionary plan

From a tiny acorn


Supporting the growth agenda: Ethics and compliance and the tech sector

For technology companies, the future is the business model: create the hardware and software that will shape tomorrow, and then keep pushing toward the next tomorrow. Driven by a culture of innovation and entrepreneurship, technology is always reaching past the horizon, breaking the rules to shift the paradigm.

But rules can also bite back. In today’s environment of constant innovation, exponential growth, and rapid expansion into unfamiliar markets, tech companies face more complex ethics and compliance (E&C) risks than they have ever faced before. Attempting to mitigate such risks through added oversight means overcoming the common view that a formal E&C process, with its focus on risks, rules, and complications, is a ball and chain that slows tech companies down by hindering development, performance, and growth. In fact, innovation and E&C are not mutually exclusive goals. In a time of heightened risk and increased scrutiny, with companies operating across multiple markets and legal and regulatory jurisdictions, a dedicated E&C function can instead be an asset to tech companies, supporting their strategic agendas by:

• Ensuring that employees and other constituents have the information and tools they need to do their jobs compliantly and ethically

• Building and enhancing a culture of trust, integrity, and employee engagement

• Minimizing disruptions and associated costs

• Using data analytics and real-time monitoring to identify problems early

• Giving company leadership the comfort that the company’s risks are covered, thereby freeing leaders to concentrate on strategy

Rather than run the risk of being tripped up by the monetary costs, business interruptions, rework, and reputational impacts that can result from compliance failures and regulatory enforcement, tech companies should get ahead of the game. By taking a number of relatively inexpensive and nonintrusive foundational steps, tech companies can begin laying the groundwork for a central E&C department that coordinates with core business and assurance functions to meet those functions’ E&C obligations more efficiently and effectively. From that beginning, the E&C function can grow organically over time, evolving to match the company’s moves into new markets, sectors, and strategies, including possible mergers and acquisitions (M&A) or an initial public offering (IPO). With the tech mind-set focused on tomorrow, doesn’t it make sense to have an E&C function that can help the company get there?

“A technology company’s sole focus cannot be coming up with the next big idea. Companies need to make compliance someone’s job.”

—Andy Hinton, Chief Compliance Officer, Google


Leveraging ethics and compliance for greater efficiency, collaboration, and performance

Companies frequently invite compliance failure when their desire for advantage and growth trumps insistence on respect for regulations and ethical standards, but the fact is that performance and ethics don’t represent an either/or proposition. On one hand, studies1 have found that establishing a culture of integrity and fostering a clear public perception of that integrity are linked to greater profitability, greater customer and employee loyalty, and greater employee engagement and productivity. On the other hand, doing the opposite—avoiding or downplaying compliance challenges or turning a blind eye to ethical violations—is a recipe for greater negative impacts down the line (see box Noncompliance in the news).

1 Including http://www.ibe.org.uk/userfiles/doesbusethicpaysumm.pdf.

“I see compliance as operational excellence.”

—Amyn Thawer, Head of Global Compliance and Integrity, LinkedIn

Noncompliance in the news

The past several years have seen a number of high-profile domestic and international regulatory actions that were rooted in technology companies’ compliance or ethical failures. As examples,

• Chinese authorities took action against a leading wireless technologies company over inflated licensing fees and abuse of market position. In addition to a nearly $1-billion fine, penalties included reductions in licensing fees for Chinese clients—a move with the potential to stimulate similar actions elsewhere.

• Four US technology leaders agreed to a $415-million settlement of a suit centered on unfair employment practices.

• Several major search engines and social media sites have agreed to settlements with the US Federal Trade Commission that require them to maintain comprehensive privacy programs and submit independent privacy audits for 20 years.

• A subsidiary of a major software manufacturer settled with the US Department of Commerce’s Bureau of Industry and Security over charges that it had made unlicensed exports of encryption-containing software to foreign governments and other entities subject to specific licensing requirements.

• A major US computer manufacturer agreed to a $108-million settlement based on charges alleging improper payments to foreign officials to secure public contracts.

• Several major social media sites and search engines have been subject to legal actions and public scrutiny over allegations that they misled users about data privacy protections, improperly collected personal data from unprotected Wi-Fi networks, or violated ethical guidelines for informed consent.


A company that de-emphasizes ethics and compliance through its start-up and fast-growth phases will likely find itself lacking the culture, infrastructure, and coordination to effectively address growing E&C needs as it reaches maturity. A corporate culture that emphasizes creativity and the ability to shatter convention may not be paying sufficient attention to business ethics, and so may lack the perspective to see how compliance activities can actually facilitate strategy, growth, and operational effectiveness.

Such attitudes can have repercussions beyond regulatory considerations. For example, researchers2 have found that millennial-generation workers favor employers that reflect their own ethical values, which tend to include fairness, honesty, accountability, and social responsibility—meaning that tech companies that downplay ethical considerations may be putting themselves at a disadvantage in the often-youth-focused war for talent.

2 Including http://www.brookings.edu/~/media/research/files/papers/2014/05/millennials%20wall%20st/brookings_winogradv5.pdf.

E&C-related weaknesses in infrastructure and culture can be drags on companies as companies confront major current and future challenges for the tech industry such as rapid technological change, demographic and economic shifts, continued globalization, industry convergence, business transformation, and evolving regulations from multiple jurisdictions around the world. E&C risks associated with those challenges include:

• Business ethics risk

• Privacy and security risk

• Intellectual property risk

• Product and engineering compliance risk

• Third-party risk

• Trade compliance and export control risk

• Employment and labor risk

• M&A risk

• Environmental compliance risk

• Social media risk

• Bribery and corruption risk

Within well-functioning tech organizations, various business functions already exercise ownership over a number of those E&C risks. For instance, employment and labor risk is typically owned by human resources; product and engineering compliance risk, by engineering; and privacy and security risk, by information technology. What’s often lacking, though, is a quarterback: a dedicated E&C function that can coordinate compliance activities and owners across the organization, monitor effectiveness, and administer areas (such as ethics) that are not covered by other business functions.

“Designing and building the future are what technology companies do—and to do so successfully, we need to design a future in which real people want to live. Having an ethics and compliance program can help propel innovation forward by ensuring that they get accomplished in responsible, realistic, and sustainable ways.”

—Brian David Johnson, Futurist, Intel


By empowering an E&C function to fill that quarterback role, a tech company can promote collaboration and integration, boost process efficiency, reduce gaps and redundancies, and proactively deal with the compliance implications inherent in new products, new geographies, and other business changes—all of which will ultimately serve to help the company get its products to market faster. Simultaneously, the E&C function’s ownership of ethics policies and processes (antibribery, anticorruption, conflict of interest, etc.) can help foster a culture of integrity across the organization and address certain ethical behavior and legal compliance expectations.

Additionally, for businesses considering growth through an IPO or M&A strategy, the E&C function can lead to the formation of structures and the implementation of processes that may be required or expected by investors, acquiring companies, and stock exchange listing rules. During those types of major change and disruption, the E&C function can also help support and protect the company culture.

Ultimately, an E&C program brings the organization together around a process of proactive, streamlined E&C risk management. As the company matures and its E&C risks grow, having a quarterback function in place frees the main business to stay focused on the business goals of innovation, performance, and growth.

Macrorisks and market risks to business performance and growth plans

In PwC’s 2015 Risk in Review survey, 75% of respondents from technology companies and related industries (information, communications, and entertainment) agreed that risks to their companies are increasing either significantly or moderately. Asked about the biggest specific risks to their companies’ business performance or growth plans, respondents named the following at the percentages indicated:

Figure 1: In the tech sector, talent tops the risk list

Question asked: Which of the following external forces will create the biggest risk or threat to business performance or growth plans?

Challenges plotted (grouped as macro challenges and market challenges): Talent availability; Data security & privacy; Global economic shifts and uncertainty; Regulatory complexity; Cost pressures; Government policy changes; Emerging technology risk; Reputation risk; Geopolitical/social unrest; Black swan events. Talent availability ranks first at 74%; the remaining values shown in the chart are 71%, 64%, 64%, 62%, 60%, 59%, 55%, 44%, and 41%.

Source: PwC, Risk in Review 2015: Decoding Uncertainty, Delivering Value


Building proactive ethics and compliance: An evolutionary plan

Setting up a dedicated E&C function requires effort, but it doesn’t have to be a hugely expensive or onerously time-consuming effort, which is good, because in the environment of a young tech company, the time, resources, and corporate appetite for E&C activities are typically finite. Fortunately, so are the regulatory pressures: unlike in banking, healthcare, or other highly regulated sectors, no single, overarching governing body requires tech companies to institute comprehensive E&C programs from day one as a cost of doing business.

Whereas a financial institution might have an E&C staff numbering in the hundreds, a tech company can launch its E&C function with a small group or even one person acting in concert with functions already involved in compliance and assurance areas.

“Our employees want improved guidance on how to get things done but are naturally resistant to anything that’s perceived as a ‘constraint’ to agility and innovation. Our challenge is demonstrating how compliance process and controls can allow the business to scale more quickly.”

—Amyn Thawer, Head of Global Compliance and Integrity, LinkedIn

Figure 2: Laying the groundwork for compliance

Year 1

• Risks: identify, assess, determine ownership

• Initial policies and processes: code of conduct, help line, training

• Governance: structure, scope of responsibility, compliance framework

• Plan for the future: create a multiyear plan to evolve governance, scope, and accountabilities

Year 2

• Drill down from the top risks to lower-tier risks

• Go to the next level on training, communications, and reporting

Year 3 and beyond

• Focus on enhancing monitoring, reporting, and proactive risk mitigation strategies


Year 1 efforts should focus on the creation of policies and processes for dealing with the company’s most-pressing E&C needs. Those foundational elements can all be put in place at a manageable cost, accomplished either in-house or by contracting with outside providers that offer efficient services at low prices (e.g. training, help-line management, or even part-time outsourced E&C management). Though economical to build, a strong E&C foundation can immediately begin delivering value beyond its cost by promoting efficiencies and providing a more holistic and actionable view of E&C risks.

The year 1 kick start of a new E&C function should include the foundational activities described in steps 1 through 8 below. After that, the E&C function can follow an organic, multiyear path to maturity, steadily improving the quality of the E&C monitoring, reporting, testing, and training that support the business’s strategic needs.

1. Define the E&C function’s scope of responsibility

Which areas will the function own? Which areas will be owned by other groups but closely monitored by the E&C function? And in which areas will the E&C function have limited involvement—or none at all?

E&C risks and processes that are pervasive across the enterprise are typically managed by the E&C function, and more-compartmentalized compliance risks are typically owned by the department most relevant to the risk (e.g. product-related compliance issues get owned by the business; labor compliance, by human resources; etc.). In those areas, the E&C function may play a greater or lesser monitoring, review, or advisory role.

A newly established E&C function will likely limit its ownership role to core responsibilities such as creating and promulgating the company code of conduct; managing corporate E&C policies; establishing, implementing, and overseeing an E&C hotline; focusing on antibribery, anticorruption, and conflict-of-interest issues; ramping up E&C training for employees; and closely monitoring major areas such as data privacy.

As the E&C function matures, the universe of risks that fall under its ownership and close-monitoring purview might expand (Figure 2). Conversely, while relevant programs are getting built, a new E&C function might assume ownership of certain other areas (e.g. privacy) only temporarily, with the goal of eventually transferring ownership elsewhere in the business after the program becomes operational.


2. Establish a governance structure, an E&C team, and a compliance committee

The establishment of an effective governance structure for E&C includes:

• Securing the committed involvement of senior management in E&C program development

• Appointing an E&C leader to coordinate and oversee the program on a day-to-day basis—and specifying that leader’s responsibilities

• Securing budget, resources, and staff for the function

• Assembling a compliance committee to advise the E&C leader, approve E&C initiatives, and assist with the implementation and ongoing operation of the E&C program

• Establishing initial and baseline protocols for reporting relevant E&C management information to senior management and the board

Even though a stand-alone function dedicated entirely to an organization’s E&C needs is the ideal state, it isn’t realistic for most young tech companies. In the first year and sometimes beyond, a young company can get by with an E&C staff of a few people or even just one person. As the function matures, though, its staffing needs will change—and grow.

As noted in PwC’s 2014 State of Compliance survey, ethics and compliance, legal, and audit are the skill sets most frequently sought in hiring for the E&C function. Depending on company needs, other skill sets might include project management, finance, and data analytics. Permanent E&C staff may also be supported by volunteer E&C champions drawn on a temporary basis from throughout the business. Those volunteers can help spread the E&C message, help in assessing risk, and act as the function’s eyes and ears within their own departments.

In the company’s early days, compliance committee members are typically drawn from the E&C, legal, human resources, internal audit, finance, and information technology functions. That committee membership can expand as the E&C function matures, bringing in representatives from the business (e.g. from supply chain, sales and marketing, and engineering) to help coordinate and champion E&C efforts across the organization.

In the company’s early years, the role of E&C leader might be filled by the general counsel or a different executive wearing multiple hats within the organization.3 As the function moves toward maturity, however, the leadership role, too, should evolve. A dedicated chief E&C officer with access to senior management and the board can drive transformation of the E&C function into a valued strategic advisor.

3 In PwC’s 2014 State of Compliance survey, 66% of tech industry respondents reported that the person with the most responsibility for compliance “wears multiple hats” within the organization versus 34% who reported having a stand-alone compliance leader.

Figure 3: Compliance committees prevalent

64% of tech industry respondents to our 2014 State of Compliance survey reported that they have compliance committees. The figure is in line with the overall response for all industries combined (also 64% with compliance committees), which is down 6% from last year.


3. Create an E&C framework

Once the company considers ethics and compliance an integral part of its business, it should define the framework it will use for E&C management, that is, the components it will put in place to manage any given E&C risk, from bribery and corruption to data privacy to conflicts of interest. An organization-wide framework fosters consistency, eases reporting, and results in improved program documentation irrespective of who in the organization owns a particular E&C risk. The framework should align with the model set out in Chapter Eight of the US Sentencing Commission’s 2011 Federal Sentencing Guidelines Manual (§8B2.1, Effective Compliance and Ethics Program).4 One such framework is PwC’s E&C Effectiveness Framework (Figure 4).

4 http://www.ussc.gov/guidelines-manual/2011/2011-8b21.

Figure 4: PwC’s E&C Effectiveness Framework

Program elements: Tone at the top; Risk assessment; Lines of communication; Oversight and responsibility; Policies and procedures; Training; Auditing; Enforcement and discipline; Response and prevention; Monitoring.

Organizational layers the elements span: Business strategy; Business management; Business assurance.


4. Assess corporate compliance obligations, identify compliance owners, and focus on mission-critical risks

By way of a compliance risk assessment, companies identify the universe of compliance requirements and ethical risks they are exposed to, they determine which organizational functions are currently accountable for management of those risks, they prioritize efforts based on perceived risks to the business, and they gauge resource allocations based on assigned risk ratings.

As discussed earlier in step 1 (Define the E&C function’s scope of responsibility), a newly established compliance function typically focuses on only a few core responsibilities during the first year and performs limited monitoring of key risk areas. As such, the new function may initially conduct a limited compliance risk assessment to (1) identify overlaps, duplications, and gaps in current compliance risk management and (2) pinpoint compliance risks within the company culture and among the company’s mission-critical areas, where failure could be catastrophic for the enterprise’s reputation and long-term success. At a later stage, the E&C function might conduct a more-comprehensive compliance risk assessment for a deeper understanding and a more-extensive analysis of how the organization manages compliance risks. Such a comprehensive assessment can serve as a step toward the creation of a sustainable enterprise risk management program.

5. Create policies and procedures for major risks and requirements

The E&C function should work with both management and the business units to draft policies, procedures, and guidelines that facilitate compliance with applicable laws and regulations. Such policies should be clear and unambiguous. They should project the expectations of the company’s top ranks. And they should reflect actual expected behavior.

Vital core policies and procedures to create and communicate during the E&C function’s first year include a corporate code of conduct, antibribery and anticorruption policies, and insider-trading and conflict-of-interest policies. Later, the function can expand its policy focus to second-tier issues and to handling new regulatory developments and the compliance risks that come with new business products, services, and trends.


6. Establish an E&C help line

The E&C department is generally responsible for creating, implementing, and maintaining an effective system whereby employees can communicate queries or send allegations of misconduct. The system can offer online complaint forms, text messaging, e-mail, or a traditional telephone hotline. E&C is also responsible (1) for maintaining a case management system that tracks issues raised; (2) for ensuring—in concert with other functions such as internal audit, human resources, legal, and security—that those issues get addressed while protecting whistle-blowers’ anonymity and preventing retaliation against them; and (3) for verifying that parties responsible for investigating complaints have the skills and tools to do so.

“You can’t control what every single person in a 70,000-person organization will do. But you can make darn sure that they know what they’re supposed to do, that from the top of the company the message is clear—without a nod or a wink—that they are expected to do it, and that there’s a high likelihood they’ll get caught and punished if they fail in that respect.”

—Mark Chandler, Senior Vice President, General Counsel and Secretary, and

Chief Compliance Officer, Cisco

7. Launch initial E&C communications and training

The E&C function spreads the E&C message and conducts training to disseminate knowledge covering regulatory requirements, ethical expectations, and corporate compliance policies and procedures across the business. In year 1, the biggest challenge involves building awareness that the E&C program exists and is there to help employees do their jobs in ethical and lawful ways. First-year training should focus on core areas as set forth in the code of conduct. Over time, the program should align to company risks and encompass both (1) broad training that mainstreams new E&C policies across the business or that educates new hires on company policies and (2) targeted training relevant to specific roles.

To boost connection with tech employees, both communications and training should be delivered in short, easily digestible packets that emphasize interactivity. Social media channels—especially internal channels—are ideal for communicating E&C topics to employees accustomed to receiving information from multiple media streams such as via mobile devices.


8. Build a plan for the future

Based on first-year learnings and guided by the company’s overall compliance goals, the E&C function should develop a measurable, multiyear plan that will evolve the function’s governance, scope, and accountabilities. Building an E&C function gradually has two key benefits: (1) a gradual development is more likely to succeed than is an attempt to force a major change overnight, and (2) it makes the spread-out costs more palatable to management.

Future plans should include:

• Developing an approach and process for the monitoring of in-scope compliance risks (see step 1, Define the E&C function’s scope of responsibility)

• Further development of relevant programs (e.g. third-party risk management)

• Embedding E&C into the employee life cycle, from recruitment to development, to career progression, recognitions, and rewards

• Measuring program impact and effectiveness and embedding E&C into corporate activities and initiatives (e.g. M&A, new products or services, and geographic expansion)

• Collaborating with internal audit to plan the future use of more-sophisticated analytics and real-time monitoring, beginning with a limited rollout in main risk areas (e.g. identifying potentially problematic transactions from an antibribery or anticorruption standpoint).
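The last bullet above, like the "data analytics and real-time monitoring" item in the opening section, refers to transaction analytics without describing one. The following is an added example written for this page (it is not PwC's code and is not part of the paper) of the kind of first-pass, rule-based screening an E&C function and internal audit might pilot in a limited rollout: it takes a batch of payment records and returns the ones that merit anti-bribery or anti-corruption review, with the reason for each. The record layout, the approval threshold, the "just under threshold" band, the placeholder high-risk country codes, the purpose-text keywords and the sample payments are all assumptions constructed for the illustration; a real program would take them from its own compliance risk assessment and vendor master data.

```python
"""Rule-based screening of payments for anti-bribery / anti-corruption review.

Added example, not from the PwC paper. Every constant below is an assumption
made for illustration, not a recommended value.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Iterable

APPROVAL_THRESHOLD = 10_000.00    # assumed: payments at/above this need a second approver
NEAR_THRESHOLD_BAND = 0.05        # assumed: within 5% below the threshold counts as "just under"
HIGH_RISK_COUNTRIES = {"XX", "YY"}  # assumed placeholder codes, not real jurisdictions
VAGUE_PURPOSE_TERMS = ("facilitation", "expedite", "commission", "gift")  # assumed keywords


@dataclass(frozen=True)
class Payment:
    payment_id: str
    payee: str
    country: str      # payee country code
    amount: float
    paid_on: date
    purpose: str      # free-text payment description
    approver: str


def per_payment_reasons(p: Payment) -> list[str]:
    """Red flags that can be judged from a single record."""
    reasons: list[str] = []
    if p.country in HIGH_RISK_COUNTRIES:
        reasons.append(f"payee country {p.country} is on the high-risk list")
    lower = APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND)
    if lower <= p.amount < APPROVAL_THRESHOLD:
        reasons.append(
            f"amount {p.amount:.2f} is just under the {APPROVAL_THRESHOLD:.2f} approval threshold"
        )
    hits = [t for t in VAGUE_PURPOSE_TERMS if t in p.purpose.lower()]
    if hits:
        reasons.append("purpose mentions " + ", ".join(repr(h) for h in hits))
    return reasons


def split_payment_reasons(payments: Iterable[Payment]) -> dict[str, str]:
    """Red flag that needs the whole batch: several same-day payments to one payee,
    each below the threshold, that together reach it (possible split to dodge approval)."""
    groups: dict[tuple[str, date], list[Payment]] = defaultdict(list)
    for p in payments:
        if p.amount < APPROVAL_THRESHOLD:
            groups[(p.payee, p.paid_on)].append(p)
    out: dict[str, str] = {}
    for (payee, _day), group in groups.items():
        total = sum(p.amount for p in group)
        if len(group) >= 2 and total >= APPROVAL_THRESHOLD:
            reason = (f"one of {len(group)} same-day payments to {payee} totalling "
                      f"{total:.2f}, each below the approval threshold")
            for p in group:
                out[p.payment_id] = reason
    return out


def screen(payments: list[Payment]) -> dict[str, list[str]]:
    """Return {payment_id: [reasons]} for every payment that trips at least one rule."""
    splits = split_payment_reasons(payments)
    findings: dict[str, list[str]] = {}
    for p in payments:
        reasons = per_payment_reasons(p)
        if p.payment_id in splits:
            reasons.append(splits[p.payment_id])
        if reasons:
            findings[p.payment_id] = reasons
    return findings


# Constructed sample batch (not real data): one clean payment, one with three
# independent flags, a same-day pair that only stands out in aggregate, and a
# large payment that went through normal approval and should not be flagged.
SAMPLE_PAYMENTS = [
    Payment("P1", "Acme Logistics", "DE", 2_400.00, date(2015, 3, 2), "freight March", "alice"),
    Payment("P2", "Harbor Agency Ltd", "XX", 9_800.00, date(2015, 3, 2), "Facilitation fee", "bob"),
    Payment("P3", "Sunrise Consulting", "DE", 6_000.00, date(2015, 3, 5), "project support", "bob"),
    Payment("P4", "Sunrise Consulting", "DE", 5_000.00, date(2015, 3, 5), "project support", "bob"),
    Payment("P5", "Office Supplies Co", "US", 12_350.00, date(2015, 3, 6), "laptops", "alice"),
]

if __name__ == "__main__":
    for pid, reasons in sorted(screen(SAMPLE_PAYMENTS).items()):
        print(pid)
        for r in reasons:
            print("   -", r)
```

Running the block flags P2 (high-risk country, amount just under the threshold, and a purpose keyword), and P3 and P4 together (two same-day payments to the same payee that individually stay under the approval threshold but sum to 11,000), while P1 and P5 pass. The point of structuring it this way is that the per-record rules and the batch-level rule are separate functions, so each can be tuned, tested and reported on independently as the program moves from a pilot in the main risk areas to broader monitoring.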


From a tiny acorn

Many companies in the technology sector are experiencing exponential growth and, with it, entry into a complex and rapidly changing global environment. For such companies it’s all about racing ahead to deliver next-generation products and services to their customers and accepting the associated strategic and financial risks in order to be first to market. That risk-tolerant attitude tends to carry over to E&C risk, but many of those companies have yet to recognize that a well-structured E&C organization can help build the corporate resilience needed to strategize responses to such risk quickly.

In evaluating the state of its current E&C stance, a tech company should answer the questions:

• Have we carried out a compliance risk assessment?

• Do we know our universe of compliance obligations?

• Do we completely understand the most-significant risks to accomplishing our growth plans?

• Do we have the right information and processes in place to effectively manage both current and emerging regulatory and compliance risks?

• How do our E&C initiatives link to our business imperatives?

• Does our corporate culture encourage ethical practices? Do our leaders and managers model behaviors that build trust and integrity?

• Do we know how our competitors are meeting their own global E&C requirements?

• Are we prepared to take advantage of the rapid changes in the regulatory environment?

Google chief compliance officer Andy Hinton succinctly states the E&C value proposition: “Compliance is here to help. It can truly be an enabling function for the business, and ultimately, it’s a really good investment because it’s not just preventing people from going to jail but is also creating, nurturing, or preserving your company culture.”

For a maturing technology business, E&C is an investment in the future the company is busy securing.


© 2015 PwC. All rights reserved. “PwC” and “PwC US” refer to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only and should not be used as a substitute for consultation with professional advisors.

PwC US helps organizations and individuals create the value they’re looking for. We’re a member of the PwC network of firms, with 169,000 people in more than 158 countries. We’re committed to delivering quality in assurance, tax, and advisory services. Tell us what matters to you and find out more by visiting us at www.pwc.com/us. MW-15-2228

To have a deeper conversation about how this subject may affect your business, contact:

Brian Schwartz Principal, US Risk Assurance – Performance Governance, Risk and Compliance Leader +1 202 729 1627 [email protected]

Barbara Kipp US Ethics & Compliance Leader +1 617 530 4602 [email protected]

Princy Jain US Risk Assurance Services – Technology Leader +1 408 817 3870 [email protected]

www.pwc.com