10/3/2013

CREATING A COMPLIANCE PROGRAM FROM SCRATCH

Society of Corporate Compliance and Ethics

12th Annual Compliance & Ethics Institute
October 6, 2013

Larry Parsons, J.D., CCEP Art Weiss, J.D., CCEP-F, CCEP-I

Vice President, Ethics & Compliance Chief Compliance & Ethics Officer
McLane Company, Inc. TAMKO Building Products
Temple, Texas Joplin, Missouri

A leading manufacturer of residential and commercial roofing products,

waterproofing products, composite decking and railing systems, and cements and
coatings.

More than 65 years of success is the direct result of teamwork, enduring

relationships with customers, suppliers and employees, and our commitment to
Six Sigma continuous quality improvement with its foundation based on the total
quality management principles of Dr. W. Edwards Deming.

“Work hard, do your best, be fair and honest, and

believe in those around you.

E.L. Craig
TAMKO Founder 1944

1
 10/3/2013

MCLANE COMPANY HIGHLIGHTS

Grocery Supply Chain Solutions

Foodservice Supply Chain Solutions

Alcoholic Beverage Distribution

20,000+ Teammates

60+ Distribution Centers Throughout the U.S.

$40+ Billion in Revenue

A Berkshire Hathaway Company

OBJECTIVES

Planning Before Your First Day

Elements of an Effective Ethics and Compliance Program

Specific Activities During Your First 100 Days**

 Initial Program Assessment
 Meeting with Key Work Partners
 Presentation and Meeting Opportunities
 Education and Communications
 Helpline Analysis
 Risk Assessment Discussion

100 Day Plan

Initial Presentation of Findings and Recommendations to CEO, Board, Senior

Management**

**Note – Throughout this presentation are slides containing sample metrics and other data. The metrics and
other data in these slides were created by the presenter for illustration purposes only. The information was 4
not collected from an actual company or other organization.

2
 10/3/2013

BEFORE YOUR FIRST DAY

 Continue Company Research You Started Prior to Your Interview

 Company Website
 Look under “About [Company]” or Investor Relations
 Code of Conduct
 Corporate Citizenship Report
 EHS Policies
 Supplier Diversity
 Supplier Code of Conduct
 Biographies of key executives
 Analysts Presentations (if publicly traded)
 Key SEC Filings 10K and Proxy, Annual Report, Recent 8Ks (if
publicly traded)

BEFORE YOUR FIRST DAY (CONT.)

 Listen to Earnings Call (if publicly traded)

 Simple Internet Searches

 Run the company name and see what shows up
 www.sec.gov
 www.justice.gov

 Items to Request from Company

 Code
 Key Policies
 Information on Direct Reports (if any individuals identified to
report to new department)
 List of Key Competitors

 Draft of your Template 100 Day Plan (discussed in more detail

later in session) 6

3
 10/3/2013

KEY SOURCES - EFFECTIVE ETHICS AND COMPLIANCE PROGRAM

United States Sentencing Commission

Federal Sentencing Guidelines (2012)
Chapter 8, Sentencing of Organizations

United States Department of Justice

United States Attorneys’ Manual (August 2008)
Principles of Federal Prosecution of Business Organizations
Existence and effectiveness of a corporation’s pre-existing
§
compliance and ethics program ( 9-28.300 and 9-28.800)

Sarbanes-Oxley Act of 2002

§301 - Anonymous Reporting Line
§406 - Code of Ethics for Senior Financial Officers

KEY SOURCES - EFFECTIVE ETHICS AND COMPLIANCE PROGRAM

General Services Administration

Federal Acquisition Regulation (FAR),§ 52.203-13
Contractor Code of Business Ethics and Conduct

U.S. Department of Justice and

U.S. Securities and Exchange Commission
A Resource Guide to the
U.S. Foreign Corrupt Practices Act (2012)

Organisation for Economic Cooperation and

Development
Good Practice Guidance on Internal Controls,
Ethics, and Compliance (2009)

4
 10/3/2013

AN EFFECTIVE ETHICS AND COMPLIANCE PROGRAM

“To have an effective ethics and compliance program…an organization shall

(1) exercise due diligence to prevent and detect criminal conduct; and,
(2) otherwise promote an organizational culture that encourages ethical conduct and
a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented and
enforced so that the program is generally effective in preventing and detecting
criminal conduct.”

United States Sentencing Commission

Federal Sentencing Guidelines, 8B2.1 §

After articulating these general principles…

 the Guidelines list seven elements of an effective ethics and compliance program
(see Backup Materials at end of this set for actual language from Sentencing
Guidelines)
 U.S. ethics and compliance programs are structured around these seven elements
9

THE SEVEN ELEMENTS OF AN EFFECTIVE COMPLIANCE

AND ETHICS PROGRAM

1 2 3 4
Oversight,
Standards & Controls Effective Training Evaluation, Monitoring
Accountability &
& Communication & Auditing
Resources

• Vice President, Ethics and • Code of Business Conduct & • Employee Orientation • Global Compliance Hotline
Compliance Ethics • Senior Leadership Training • Internal Audit
• Reports to CEO • Compliance Policies • Regular Communication on • HR Compliance Audits
• Risk Committee • Employee Handbook Compliance Topics • Safety Audits
• Board Oversight • Employee Survey
• Adequate Funding and
Resources

5 6 7
Enforcement, Discipline Due Care in Response & Continuous
& Incentives Delegating Authority Improvement

• Beliefs and Values • Track Record of Integrity • Review & Amend Program
• Performance Mgt. System Prior to Delegation after Problems Occur
• Consistent Discipline for • Screening of New Hires • Lessons Learned
Violations • Controls on Authority Communications
• Periodic Risk Assessment

10

5
 10/3/2013

INITIAL PROGRAM ASSESSMENT

 What is a Program Assessment and Why Conduct One

 Build or Buy Decision

 Items to Review as Part of Initial Assessment

 Helpline Metrics and Trends
 Employee Engagement Survey Results
 Labor Relations Issues (Focus on Findings)
 Training Records
 Compliance and Ethics Communications
 Litigation
 Government Investigations
 Existing Functional Compliance Organizations
 Industry Issues
 Any Risk Assessment Results
 Internal Audit Findings on Compliance Issues
 Others?

11

INITIAL PROGRAM ASSESSMENT (CONT.)

 Using Findings of Program Assessment

 For Your Own Understanding on What is in Place (or Not)
 For Initial Program Recommendations
 Suggest Presentation in Form of “As Is” and “Future State” (see next
slides)
 Template Presentation Set Provided with Materials

 Formal Risk Assessment – Year One Priority

 Other Institute Sessions on Program Assessment

 P8 – Leveraging Compliance Program Assessments
 403 – Ethics Program Assessments

12

6
 10/3/2013

SAMPLE - RESPONSE & CONTINUOUS IMPROVEMENT

As Is: Future State:

Response: Review and amend programs and Response: Review and amend programs and
controls following an issue. Analyze root controls following an issue. Analyze root
cause and address the issue. cause and address the issue.

Communicate: Use incidents as teachable Communicate: Use incidents as teachable

moments moments

Continuous Improvement: Periodic review of Continuous Improvement: Same plus: Annual

policies and controls. Responses to audit or Biennial compliance program reviews;
results. Publication of best practices – already Creation of a Compliance Council of key
built into several compliance programs (DOT, compliance owners in existing programs (DOT,
Safety and Health, Food Safety, etc.) Food Safety, HR, etc.) to share best practices
and provide input on overall program.
Risk Assessment: Internal Audit
Risk Assessment: Develop and implement
periodic compliance risk assessment process

13

IDENTIFY RESOURCES

 Go To Sources for General Questions about Process,

Policies and Internal Contacts

 Administrative Support

 Human Resources Support

 IT Support

14

7
 10/3/2013

IDENTIFY AND MEET KEY WORK PARTNERS

 Legal

 Finance

 Internal Audit and Controls

 Risk Management

 Environmental Health and Safety

 Security

 Human Resources

 Information Technology

 Communications/Marketing/Branding

 General Managers/Business Leaders 15

TABLE EXERCISE #1

 What Information Should You Seek During these Initial

Meetings with Key Work Partners
 General Introductions
 Have Elevator Speech Ready – Your Role and Initial Plans
 Primary Purpose – Information Gathering

 Provide Template List of Questions for KWPs

 Work as a Group at Your Table to Identify Questions to

Add (5-7 minutes)

 Identify Spokesperson to Share Up to Three Additional

Questions with Entire Group 16

8
 10/3/2013

PRESENTATION OPPORTUNITIES

 Identify Opportunities to Market Your Program Internally

 Subset of Both Key Work Partner Meetings and Education and

Communications Plan
 Subject Matter
 Initial – Introduce Self and Plans for Program
 Later – Focus on Particular Compliance Area

 Possible Venues:
 Staff Meetings
 Communications Meetings
 All Hands Meetings
 Town Halls
 Leadership Meetings
 Management Training Sessions
17

EDUCATION AND COMMUNICATIONS

 Overview of Considerations Only

Focus on what you should do in first 100 days around education and
training
Topic deserves separate treatment
Consider other offerings available this week, including:
 P13 – Fixing your Ho-Hum Compliance Training
 208 Ethics and Communications: The Role of CCOs and CMOs in Creating
an Ethical Culture
 606 The Medium is the Message: Marketing Compliance and Ethics to Your
Workforce

Six General Principles:

1. Have a plan
2. Know thyself
3. Engage your audience
4. Use multiple and varied communication vehicles
5. Market your training
18
6. Spread the word

9
 10/3/2013

EDUCATION AND COMMUNICATION (CONT.)

 Assess Current Education and Communications

 Is there a training organization? If so, are they are a resource for you (or an
organization that you must work with to calendar and deliver training and
communications)

 Has the company delivered any courses on compliance and ethics topics in the
last three years? If so, what courses, what audience and what records of
completion exist, etc.? Have the courses been updated for current events and
changed company risks?

 Does the company regularly communicate to its employees on compliance and

ethics topics? If so:
 Who drafts the communications
 Who sends them out
 Who receives them
 What topics
 Based on a plan, or ad hoc
 Get samples from last couple of years
 Do any executives communicate on compliance and ethics topics

 Do you have the Luxury of Dedicated Communications Support? 19

EDUCATION AND COMMUNICATIONS (CONT.)

 Develop an initial training plan

What topics should you cover? Who should be educated?
Informed by Your Risk Assessment.
Build or Buy?
Ask yourself: What are we trying to accomplish?
Are you trying to raise awareness or create in-depth knowledge
Probably awareness on a broad scale, but expertise for certain
populations (i.e. lawyers)

 Develop a Communications Plan

Coordinated with your Education Plan
Multiple and varied delivery methods

 Pay attention to other corporate training initiatives

Avoid conflicts with other functions
Avoid training fatigue
20

10
 10/3/2013

EDUCATION AND COMMUNICATIONS - FINAL THOUGHTS 1

 Make training and communications interesting, relevant and

useful

 Choose examples that will be relevant to your target audience

(training salespeople and software developers with the same
material is a recipe for disaster)

 Keep training as short as reasonably necessary to get the message

across – strive for courses that are ½ hour or less

 Useful – are you really giving your employees something they can
use or just telling them what to be afraid of?

 Use stories whenever possible – real life examples are best –

adults retain most learning through storytelling.
21

EDUCATION AND COMMUNICATIONS - FINAL THOUGHTS 2

 Start early and be creative

 Find ways to make this stuff fun

 It’s OK to poke fun at ourselves

 People always enjoy humor and it is an effective training and

communications tool

 There are lots of ways to communicate and train – blogs, videos,

newsletters, in-person, web meetings, etc.

 Make sure to incorporate into new hire training, manager training

etc.

22

11
 10/3/2013

HELPLINE – GENERAL OBSERVATIONS

 Does your company have a Helpline for confidential reporting?

 If not, an early action for you is the implementation of a Helpline

 Full discussion of Helpline implementation beyond the scope of this
session
 Many vendors are ready to help you with this
 Benefits of using a third party solution
 Reporter Perceptions
 Confidentiality – ability to communicate with anonymous reporters
 Reports and Metrics

23

HELPLINE – DATA ANALYSIS

 If your company has a Helpline, your role includes:

 Analyzing date from Helpline for last couple of years to identify trends
 Reviewing the process around the Helpline (intake, investigation,
management of matters)
 In most cases, assuming overall responsibility for the Helpline
 Recommending changes to make it a more effective and useful tool

 Your Helpline can provide a wealth of information on key risk

areas and the general health of your program

 A key role for you is to analyze and translate this data for:
 Reporting to the Board and Senior Management
 Recommendations for Education and Communications
 Recommendations for Control Changes

24

12
 10/3/2013

HELPLINE - METRICS

 Some Metrics to Track and Report:

 Report Volume (Total, Regional, Country Specific, Other)
 Types of Reports (Broad Categories)
 Intake Method
 Prior Management Notification
 Anonymous Reports
 Case Handling
 Case Disposition
 Cycle Time

 All Third Party Solutions include some form of Reporting Function

 Key function to review when deciding on a vendor
 Most solutions permit some customization of reports

 Sample Reporting on Next Slides and in Template Slide Set

25

Helpline – Sample Metrics 1

HELPLINE CONTACTS

OBCE Contact Statistics 2008 2009 2010 2011 2012

Total Helpline Contacts 174 266 196 184 312

Anonymous Contacts 24% 33% 29% 26% 21%

Anonymous – No Action or
n/a n/a n/a n/a 25%
Investigation Warranted

Prior Management Notification n/a n/a n/a 56% 66%

26

13
 10/3/2013

Helpline – Sample Metrics 2

CASE HANDLING

40%

35% 34%

30%
26%
25% 24%
22% 22%
20% 19%
15% 16% 2011
15% 12%
10%
2012
10%

5%

0%
Immediate No Investigation Investigated, Investigated, No Referred
Response w/ or Action Corrective Action Contact to
Guidance Warranted Action Taken Warrented Resource

27

HELPLINE – SAMPLE METRICS 3

Sample Metrics Analysis

 Cycle Time
 2008 – 2010: More than 65% took more than 15 days; some were still open in 2011
 2012 – 90% closed in 14 days or less; 39% in 2 days or less

 Contacts Requesting Guidance or Approval

 2008-2010: Less than 2% of contacts
 2012: 21% of contacts

 2011 New CECO

 Changes in cycle time, types of contacts and disposition (hopefully)

 2012 All Employee Code of Business Conduct and Ethics Training

 Significant increase of contacts following training - anticipated

 New metrics not previously tracked

 Prior management notification
 Anonymous – no investigation or action warranted
28

14
 10/3/2013

RISK ASSESSMENT

The Federal Sentencing Guidelines, §8B2.1(c) provides:

Risk Assessment:
In implementing subsection (b), the organization shall periodically
assess the risk of criminal conduct and shall take appropriate steps
to design, implement, or modify each requirement set forth in
subsection (b) to reduce the risk of criminal conduct identified
through this process.

§
“Subsection (b)” referenced above is 8B2.1(b) of the Sentencing
Guidelines. This subsection is the part of the Sentencing Guidelines
that details the seven elements of an effective ethics and
compliance program.

29

RISK ASSESSMENT (CONT.)

 In sum: The requirement to conduct a periodic risk assessment overlays

and impacts each of the seven elements of an effective ethics and
compliance program described in the Sentencing Guidelines

 The Risk Assessment serves several purposes:

 At its simplest level, it identifies risks faced by your company
 At its next level, it quantifies the likelihood of the risk occurring
 At its next level, it quantifies the impact to the company if the risk
occurs (severity of risk)
 At another level, it can help quantify the velocity of the risk (speed of
onset, speed of impact, speed of company reaction)
 What is the company’s risk appetite
 What controls are in place to mitigate existing risks
 What additional controls should be put in place to mitigate unacceptable
risks (based on likelihood, severity, velocity and risk appetite)

 Consider whether to conduct the assessment under the privilege

30

15
 10/3/2013

RISK ASSESSMENT (CONT.)

 Mitigation decisions generally impact one or more of the seven

elements of your program
 e.g. the creation and communication of additional policies
 e.g., focused training on a specific compliance area for an at risk group
of employees
 e.g., closer monitoring of a particular business activity

 Specific expectations listed in Sentencing Guidelines comments;

 Assess periodically the risk that criminal conduct will occur;
 Assess the nature, seriousness and likelihood that conduct will occur;
 Evaluate prior history of issues within the company;
 Prioritize program activities based on this information; and
 Modify program to address results of risk assessment.

31

RISK ASSESSMENT - RESOURCES

 Resources for conducting a risk assessment

 Many vendors offer risk assessment solutions
 Sharing with colleagues
 Coordination with company’s enterprise risk management process
(caution: generally focused more on operational risk)
 In year one, consider an informal risk assessment process developed
through interviews with key work partners

 Sessions at this year’s CEI applicable to Risk Assessment process:

 106 Automation Tools for Compliance 2013
 704 Emerging Markets and Integrity Risk Management
 W1 Risk Management and Technology

32

16
 10/3/2013

YOUR FIRST 100 DAYS

 “100 Days” – Arbitrary, but what I have used in a couple of roles

 Everything presented so far has been focused on what you should

consider doing during your first 100 Days

 Important to have a specific plan about what you will do and to

communicate that plan to the CEO, Board and your manager (if
not the CEO or Board)

 Confirm that they understand your plans and agree with your
proposed actions

 Communications regarding progress to your 100 Day Plan

 Regular (I suggest weekly) with your direct manager – what you have
done in past week and plans for upcoming week
 Leading to presentation on initial assessment of program and
recommendations to CEO and Board (governing authority) 33

TABLE EXERCISE #2 – 100 DAY PLAN

 Suggest that you develop a draft 100 Day Plan within your first week or
two in your new role. Really suggest you have a draft created prior to
your first day

 The plan can be a living document – revise as you learn more about the
company

 We have provided a template 100 Day Plan based on our own experience
and what we have presented today

 Work as a group at your table to identify additions to 100 Day Plan (5-7
minutes)

 Identify spokesperson to share up to three additional questions with

entire group

 Take notes on your copy and keep for your use following the conference
34

17
 10/3/2013

INITIAL PRESENTATION TO CEO AND BOARD

 Soon after completion of first 100 days (doesn’t have to be 100

days, but should certainly be within first six months), meet with
CEO and Board to present initial findings and recommendations

 We have provided a template presentation for you to use in

presenting the information

 We are not going to go through the entire presentation, but

instead will go through a few of the key sections and provide some
recommendations on the process

 This is a key opportunity for you to both show the value you
are/will bring to the organization and to market the ethics and
compliance program

35

THOUGHTS ON INITIAL PRESENTATION

 What meeting?
 Is there already a forum for this presentation? Board meeting? Risk
Committee meeting? CEO Staff meeting?
 More than one presentation? To CEO Staff meeting and then Board?

 Who?
 If there is an obvious venue (e.g., CEO Staff meeting and/or Board
meeting), those attendees
 Since this session is focused on creating a program from scratch, part of
your recommendations might include creation of a Compliance
Committee
 Audience for your presentation
 Board of Directors
 Senior Management – CEO, COO, CFO, GC, Head of Internal Audit, Head of
HR, EHS, Communications and Marketing

36

18
 10/3/2013

INITIAL PRESENTATION (CONT.)

 Socialize all or part of presentation prior to meeting(s)

 With your direct manager
 With the CEO
 With any function head impacted by your recommendation (i.e., does
your recommendation appear critical of an existing process)
 You still need to make the hard recommendations, but avoid appearance
of an ambush

 The following slides are representative of key sections of a typical

presentation

 Reminder – the metrics and other data included in this sample

presentation were made up by the presenter. The information was
not collected from nor intended to represent findings at any
actual company or organization.

37

SAMPLE PRESENTATION - OBJECTIVES

Objectives of First Part:

 Review the current compliance and ethics landscape
 Provide an overview of data collected in initial assessment of existing
program

Objectives of Second Part:

 Provide an assessment of current program against attributes of an
effective ethics and compliance program
 Provide initial recommendations for enhancing the current program

Objectives of Third Part:

 Identify the specific actions for the next 12 months
 Propose timeline for remaining actions

38

19
 10/3/2013

SAMPLE PRESENTATION – BUSINESS CASE

The Business Case For Ethics and Compliance

 A targeted, well-resourced ethics and compliance program

delivers results in lower misconduct instances and higher
detection rates

 Building a strong culture that includes everyone encourages

reporting and discourages misconduct through transparency

 Understanding compliance risks is key to marshaling resources

effectively

39

SAMPLE PRESENTATION – BUSINESS CASE

76% of employees in business have observed a

high level of illegal/unethical conduct at work
in the last 12 months
KPMG Organizational Integrity Survey

75% of hotline calls to organizations using a

leading service provider were classified as
violations of law or policy.

40

20
 10/3/2013

A FOCUS ON ETHICS DRIVES RETURNS

Source: Ethisphere Institute

41

SAMPLE PRESENTATION – PROGRAM ASSESSMENT

Items Considered:

 Helpline Contacts
 Employee Engagement Survey
 Employee Focus Groups
 Senior Management Meetings
 Training Records
 Compliance and Ethics Communications
 Best Practices

42

21
 10/3/2013

SAMPLE PRESENTATION - CYCLE TIME

1% 3% 3%
7% 16%
10%
24%
15%
14%

23%
Less Than 24
hours
2 days or less

7 days or less
48% 36%
2010 14 days or less 2012

43

SAMPLE PRESENTATION – HELPLINE TRENDS

 2008 Internal Hotline

 Recordkeeping inconsistent
 Case follow-up missing or unclear

 2009 Reduction in Force

 Increase in contacts – particularly human resources
 Highest level of Sarbanes-Oxley type complaints – none validated

 2010 Implementation of Third Party Helpline Services

 Shift of primary intake method from phone/email to web form

 2011 New CECO

 Changes in cycle time, types of contacts and disposition

 2012 All Employee Code of Business Conduct and Ethics Training

 Significant increase of contacts following training - anticipated

44

22
 10/3/2013

SAMPLE PRESENTATION – EMPLOYEE ENGAGEMENT SURVEY

Note 1 – Survey data is more than four years old

Note 2 – Only 64% of employees completed the survey
Note 3 – Conducted focus groups at 12 locations in late 2011: validated the key findings below
Note 4 – Recommend conducting a new engagement survey in early 2014

Key Findings:

 I know where to seek advice if I have questions about the ethics of a specific action?
 Employees generally knew that there was a Code of Business Conduct and Ethics
 Employees not sure where to find a copy of the Code
 Employees knew of the Helpline, but thought it was only to report theft.

 I believe that all employees (including senior management) are held to the same ethical standards?
 In both survey results and focus groups, employees skeptical that both groups treated equally

 I believe that senior management behaves in an ethical manner?

 Employees believe that their own manages acts ethically, but senior management in general does not

 I have not felt pressure to compromise values, company policy, or the law to achieve financial goals?
 Significant response rate that employees have felt pressure, or knew someone who has been pressured
to compromise standards to meet financial goals

45

SAMPLE PRESENTATION -EDUCATION

2008 Code of Business Conduct and Ethics Training

Online course delivered to all employees worldwide: 20686
Completion rate: 62% (but recordkeeping not clear). Limited
follow-up to ensure completion.

2009-10 Virtually no Compliance or Ethics Education courses delivered.

Reasons: Reduction in Force/general economic conditions.

2011 Insider Trading for Managers. Employees enrolled: 1896.

Completion percentage: 66%. Minimal follow-up to ensure
completion.

2012 Code of Business Conduct and Ethics Training

All employees worldwide: 20436
In person for senior management. Enrolled: 312. Completion Rate: 99%
Online course for remaining employees. Enrolled 20124. Completion Rate: 93%
Reasons for completion rates: Tone at top and significant follow-up

46

23
 10/3/2013

SAMPLE PRESENTATION – PROGRAM CHANGES

1 2 3 4
Oversight,
Standards & Controls Effective Training Evaluation, Monitoring
Accountability &
& Communication & Auditing
Resources

• Chief Ethics and Compliance • Employee Orientation • Helpline in Place, Used and
• Compliance Policies –
Officer • All Employee Code Training Concerns Addressed
Updates in Process
• Reports to CEO • Senior Leadership Code • Internal Audit
• Internal Controls – Regular
• E&C Committee Review and Updates Training • HR Compliance Audits
• Board Oversight • Code of Business Conduct • Regular Communication on • Safety Audits
& Ethics – Revision Needed Compliance Topics • Employee Survey – Need to
• Adequate Resources
• Subject Specific Education Conduct New Survey

5 6 7
Enforcement, Discipline Due Care in Response & Continuous
& Incentives Delegating Authority Improvement

• Values Communicated • Track record of integrity • Review & amend program

prior to delegation – after problems occur
• Performance Mgt. System
process to confirm • Lessons Learned
• Consistent Discipline for
Violations • Screening of new hires • Annual Program Assessment –
• Controls on Authority First Today
• Appropriate Incentives
• Periodic Risk Assessment
47

SAMPLE - EVALUATION, MONITORING & AUDITING

As Is: Future State:

Helpline: Hotline. Communicated at Helpline: Same plus: Prominent Link on
Orientation and in Handbook and policies. Intranet for “Ways to Get Help” (supervisor,
Monitored by HR and Internal Audit HR, Open Door, Hotline). Monitor Hotline and
analyze for trends, follow through,
Audits: Internal Audit, HR Audits, Safety
documentation and closure of matters.
Audits, Food Safety Audits
Audits: Same plus: Expanded audits on
Program Assessment: Internal Audit Process
compliance issues. Goal will be to combine
Employee Survey: None with existing audits as appropriate.

Program Assessment: In progress. This is part

of that process. Will develop a metrics set for
use in evaluating the program.

Employee Survey: Work with HR to

obtain/analyze existing data. Consider
additional questions or modification of
existing questions related to ethics and
compliance

48

24
 10/3/2013

SAMPLE PRESENTATION – KEY INITIATIVES THIS YEAR

Code of Business Conduct and Ethics Revision

 Conduct Employee Focus Groups
 Benchmark Codes of Other Companies
 Engage Internal Partners – HR, Legal, Communications
 Identify and Engage External Partners

Conduct Risk Assessment

 Identify and Obtain Risk Assessment Tool
 Implement Risk Assessment
 Analyze Results and Develop Mitigation Plan
 Use Results in Code Drafting Process, Education Curriculum and
 Communications Plan

2013 Communications Plan

 Develop and Implement Communication Plan for Year

49

SAMPLE - THREE YEAR PLAN

2015
Employee Engagement Survey
Third Party Program Assessment
2014 Regional/Business CE Officers

Code of Conduct Rollout

Incentives
Internal Program Assessment
2013 Employee Engagement Survey
Regional CE Committees

Code of Conduct Revision

Risk Assessment*
Communications*
Education Curriculum*
Policies*
Board and Audit Committee*
* Annual Program Elements

50

25
 10/3/2013

CLOSING THOUGHTS

Glass, china and reputation are easily cracked, and never mended
well.
- Benjamin Franklin

It takes 20 years to build a reputation and five minutes to ruin it. If

you think about that you will do things differently.
- Warren Buffett

Prosecutors always – and I mean always – look through a company’s

compliance program. Examining a company’s compliance program is
one of the most significant areas of inquiry.
- Michael Volkov
Former Federal Prosecutor

51

• Ethics is knowing the difference between what you

have a right to do and what is right to do.
Potter Stewart
U.S. Supreme Court Justice

• Laws control the lesser man; right conduct controls the

greater one.
Mark Twain
Author

• Whenever you do a thing, act as if all the world were

watching.
Thomas Jefferson
Author of the Declaration
of Independence and
Third President of the U.S.

26
 10/3/2013

QUESTIONS…

BACK-UP MATERIALS

BACK-UP MATERIALS

54

27
 10/3/2013

FEDERAL SENTENCING GUIDELINES

Federal Sentencing Guidelines,§8B2.1(b)

1. [STANDARDS AND CONTROLS] - The organization shall establish standards and procedures to
prevent and detect criminal conduct.

2. [OVERSIGHT, ACCOUNTABILITY AND RESOURCES]

(A) The organization’s governing authority shall be knowledgeable about the content and
operation of the compliance and ethics program and shall exercise reasonable oversight with
respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an
effective compliance and ethics program, as described in this guideline. Specific individual(s)
within high-level personnel shall be assigned overall responsibility for the compliance and
ethics program.

(C) Specific individual(s) within the organization shall be delegated day-today operational
responsibility for the compliance and ethics program. Individual(s) with operational
responsibility shall report periodically to high-level personnel and, as appropriate, to the
governing authority, or an appropriate subgroup of the governing authority, on the
effectiveness of the compliance and ethics program. To carry out such operational
responsibility, such individual(s) shall be given adequate resources, appropriate authority,
and direct access to the governing authority or an appropriate subgroup of the governing
authority.
55

FEDERAL SENTENCING GUIDELINES

Federal Sentencing Guidelines,§8B2.1(b)

3. [DUE CARE IN DELEGATING AUTHORITY]

The organization shall use reasonable efforts not to include within the substantial authority
personnel of the organization any individual whom the organization knew, or should have
known through the exercise of due diligence, has engaged in illegal activities or other conduct
inconsistent with an effective compliance and ethics program.

4. [EFFECTIVE TRAINING AND COMMUNICATIONS]

(A) The organization shall take reasonable steps to communicate periodically and in a practical
manner its standards and procedures, and other aspects of the compliance and ethics
program, to the individuals referred to in subparagraph (B) by conducting effective training
programs and otherwise disseminating information appropriate to such individuals’ respective
roles and responsibilities.

(B) The individuals referred to in subparagraph (A) are the members of the governing
authority, high-level personnel, substantial authority personnel, the organization’s employees,
and, as appropriate, the organization’s agents.

56

28
 10/3/2013

FEDERAL SENTENCING GUIDELINES

Federal Sentencing Guidelines,§8B2.1(b)

5. [EVALUATION, MONITORING AND AUDITING]

The organization shall take reasonable steps—
(A) to ensure that the organization’s compliance and ethics program is followed, including
monitoring and auditing to detect criminal conduct;

(B) to evaluate periodically the effectiveness of the organization’s compliance and ethics
program; and

(C) to have and publicize a system, which may include mechanisms that allow for anonymity
or confidentiality, whereby the organization’s employees and agents may report or seek
guidance regarding potential or actual criminal conduct without fear of retaliation.

6. [ENFORCEMENT, DISCIPLINE AND INCENTIVES]

The organization’s compliance and ethics program shall be promoted and enforced consistently
throughout the organization through
(A) appropriate incentives to perform in accordance with the compliance and ethics program;
and

(B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take
reasonable steps to prevent or detect criminal conduct.

57

FEDERAL SENTENCING GUIDELINES

Federal Sentencing Guidelines,§8B2.1(b)

7. [RESPONSE AND CONTINUOUS IMPROVEMENT]

After criminal conduct has been detected, the organization shall take reasonable steps to
respond appropriately to the criminal conduct and to prevent further similar criminal conduct,
including making any necessary modifications to the organization’s compliance and ethics
program.

Federal Sentencing Guidelines, §8B2.1(c)

Risk Assessment:
In implementing subsection (b), the organization shall periodically assess the risk of criminal
conduct and shall take appropriate steps to design, implement, or modify each requirement set
forth in subsection (b) to reduce the risk of criminal conduct identified through this process.

58

29