CLIENT CONFERENCE

Carrie Penman, President, Ethical Leadership Group, NAVEX Global

Effective Interactions with Your Board of Directors – What Boards

Need and Want to Know

CLIENT CONFERENCE

CLIENT CONFERENCE

Effective Interactions with Your Board of Directors – What Boards Need and Want to Know

What are the roles and responsibilities of the Board?

How can the Board impact corporate culture?

Why do Boards need both briefings and training and what

should be included in each?

What are the biggest mistakes ethics and compliance officers

make with their Boards?

What questions should your Board should be asking you?

CLIENT CONFERENCE

Boards and executives are increasingly under

the microscope.

CLIENT CONFERENCE

Questions about you and your Board…

CLIENT CONFERENCE

1. I am Chief Ethics or Comp. Officer

2. I have ethics responsibilities

3. No.

About you and your Board…

Do you have ethics and/or compliance responsibilities for your

organization?

1. Yes I am the Chief Ethics or Compliance Officer for my

organization.

2. Yes, I have ethics/compliance responsibilities but am not

the Chief Ethics or Compliance Officer.

3. No.

CLIENT CONFERENCE

1. General counsel

2. Another member of exec. mgmt

3. Reports to exec. management

4. The Chief Executive Officer

5. A Committee of the Board

6. The Chair of the Board

7. A dual reporting relationship

8. Somewhere else

About you and your Board…

If you are the Chief Ethics and/or Compliance person - what is

your organizational reporting relationship?

1. General counsel

2. The CEO or another member of executive management

3. Someone who reports to executive management

4. A Committee of the Board of Directors

5. A dual reporting relationship with the Board and executive

management

6. Somewhere else

CLIENT CONFERENCE

About you and your Board…

CCO formally reports to the following individual(s)

7

Source: PWC State of Compliance 2012 benchmarking report

Per PWC State of Compliance 2011 study, 8% reported to the Audit Committee/Board

A - 33%

B - 31%

C - 3%

E - 5%

F - 19%

G - 10%

A - General Counsel / Legal

B - Audit Committee / Board of Directors

C - Chief Risk Officer

E - Chief Financial Officer

F - Chief Executive Officer

G - Other Executive

Number of respondents: 126

CLIENT CONFERENCE

1. Very engaged and knowledgeable

2. Somewhat engaged, not sure what to ask

3. They are polite…

4. Board engagement???

About you and your Board…

How engaged is your Board or Board Committee is in their

oversight responsibilities?

1. Very engaged and knowledgeable

2. Somewhat engaged but they aren’t sure what to ask

3. They are polite…

4. Board engagement???

5. I don’t know

CLIENT CONFERENCE

Two types of meetings with the Board

Program briefing (Periodically through the year)

o Risk assessment – risk areas; changes in risk

o Implementation of mitigation efforts

o Trends – internal and external

o Issues and concerns raised through the Program

o Executive session

Board training (every 1-2 years)

o Roles and responsibilities

o Role relevant

o Includes case studies

CLIENT CONFERENCE

Boards are people too, but…

Attention Span

Level in Company

CLIENT CONFERENCE

Biggest mistakes Ethics Officers make when dealing with their Boards:

Too much deference (to authority – executives and board)

Irrelevance (of information presented)

Lack of context (with information presented)

Narrow focus on the Sentencing Guidelines, especially Helpline,

code, training

Status reporters (rather than strategic business thinkers)

Failure to prioritize risks/concerns

Too much activity reporting; not enough relevant KPI’s/results info

Other scope issues:

• Coverage of compliance risk universe

• Hotline stats vs. all incidents

CLIENT CONFERENCE

Reasonable Oversight

Direct Access

Promoting an ethical organizational culture

Roles and responsibilities of Boards

CLIENT CONFERENCE

Roles and responsibilities of Boards

Reasonable oversight

Direct access

Promoting an ethical organizational culture

CLIENT CONFERENCE

Roles and responsibilities of the Board re: ethics and compliance

“Exercise reasonable oversight with respect to the

implementation and effectiveness of the compliance and ethics program.”

“Direct access” to the ethics officer

“Promote an organizational culture that encourages ethical conduct”

Receive “effective training . . . . appropriate to such individuals’ respective roles and responsibilities.”

Source: US Sentencing Guidelines

CLIENT CONFERENCE

Reasonable oversight: Full Board has knowledge and oversight of the Company’s key risks

areas

Full Board has knowledge of, and a Committee is delegated oversight responsibility, of E&C program

Oversight as the goal (not “honorary” board members or micro-managers)

Board leads by example and ensures accountability

o Practice the Company’s values and meet its compliance requirements

o Ensure that senior management is held accountable to the same standards as all employees

o Ensure that compensation/incentives reflects this accountability

CLIENT CONFERENCE

Reasonable oversight:

Ensure that Compliance and Ethics has:

o Right people

o Right resources

o Right support from management and the Board

o Right responsibilities and authorities

Provide long term perspective-- compass in a “glocalized” world; be mindful of the great reputation of the organization

Help set the tone; support a culture of integrity

Establish risk tolerance/appetite

Request and review information that provides evidence that risks are

effectively identified and managed

CLIENT CONFERENCE

Reasonable oversight: what we look for in Program effectiveness assessments:

Is the Board of Directors knowledgeable about the content and operation of the

program?

Does the Board exercise reasonable oversight of the implementation and

effectiveness of the Program and the organization’s culture?

Does the organization have a high-level person and a person with day-to-day

responsibility assigned to manage the program? Is there a defined relationship to

the Board of Directors?

Is the Board (or a committee thereof) accessible to individuals with day-to-day

responsibility including meeting with them in executive session?

Does the Board (or a committee thereof) receive timely reports of significant

issues and investigations involving the company or any elected officers?

CLIENT CONFERENCE

Reasonable oversight

Direct access

Promoting an ethical organizational culture

Roles and responsibilities of Boards

CLIENT CONFERENCE

What is real, direct access?

Is formal reporting enough?

Does formal reporting guarantee direct access?

Can you have direct access without formal reporting?

Have the events/circumstances that trigger a call been defined?

CLIENT CONFERENCE

Direct access

Four requirements to decrease in FSG culpability score:

1. Individual(s) with operational responsibility have direct reporting

obligations to governing authority

2. Program detected the offense

3. Organization reported the offense

4. No E&C program personnel involved

What are “direct reporting obligations”?

CLIENT CONFERENCE

You and your Board:

Does the Chief Ethics or Compliance Officer of your organization meet periodically with your Board or a Board Committee?

1. Yes, once a year

2. Yes, 2 times per year

3. Yes, more than 2 times per year

4. No

5. I don’t know

CLIENT CONFERENCE

You and your Board:

Does the Chief Ethics or Compliance Officer of your organization meet with the Board or a Board Committee in Executive session?

1. Yes, once a year

2. Yes, 2 times per year

3. Yes, more than 2 times per year

4. No

5. I don’t know

CLIENT CONFERENCE

Reasonable oversight

Direct access

Promoting an ethical organizational culture

Roles and responsibilities of Boards

CLIENT CONFERENCE

When a Rule, Policy or a Code conflicts

with an organization’s culture, the

culture trumps – and prevails most of

the time.

In order to have an effective ethics and

compliance program, a company needs

to pay as much attention to culture as

to policies, training, auditing, etc.

We know this: culture will trump compliance

CLIENT CONFERENCE

The challenge:

For many Board members, ethics and culture are not in their comfort zone

o “Give me a financial statement any day!”

o Not really sure what to ask you = quiet meetings

CLIENT CONFERENCE

The conversation about culture:

Explicit/concrete examples help –

o Responsibility or rules— Will people take personal

responsibility to address issues, or is it the job of somebody

else?

o Candor or quiet—Will people speak up if they see

questionable business conduct?

o Accountability or acquiescence—What happens to great

performers who violate the Code?

CLIENT CONFERENCE

Shaping a culture of integrity: talk to your Board about…

Knowing your culture(s)

−Employee perceptions (Surveys, focus groups, message boards)

−Customer and supplier perceptions (Surveys, social media)

−Reports of concern (Helpline data)

−HR processes

The language and branding shift

−Away from compliance on its own

−Toward integrity and “doing the right thing”

−Selling the vision

CLIENT CONFERENCE

Culture: what can/should the Board do:

• Send visible signals about behavioral expectations through

actions, including compensation

• Engage in conversations with leadership about corporate

culture

• Monitor overall corporate culture and subcultures

CLIENT CONFERENCE

Questions for Board consideration…

(From one of our Board training sessions)

What do you think are the Company’s cultural weak links?

What is the Board doing to set the culture tone?

CLIENT CONFERENCE

Types of Board interactions

Briefing

Training

CLIENT CONFERENCE

What do you tell them in briefings?

Issues and trends

Benchmarking – internal and external

What’s coming?

Status of the Company’s relationships with regulators

Full ethics, compliance, and reputational risk universe and any

anticipated changes

Audit and monitoring coverage

KPIs against your plan

CLIENT CONFERENCE

Discuss current events that could affect your organization:

Product Safety Impact of Subcontractors

on Reputation

Chairman Resigns; Ousted CEO to Meet With FBI

Dealing with Whistleblowers…Encouraging Reporting

Bad Behavior

A major discount retail chain faced a challenge when industry regulation changes impacted its marketing strategy. Bribery and Corruption Concerns

CLIENT CONFERENCE

Give them context when reviewing your program:

CLIENT CONFERENCE

Remember:

Boards expect outcome driven information –

Don’t just give them a laundry list of issues and statistics

– tell them if the clothes are cleaner.

CLIENT CONFERENCE

Types of Board Interactions

Briefing

Training

CLIENT CONFERENCE

1. Have had full training

2. Same training employees completed

3. Received a briefing on E&C Program

4. None

You and your Board:

Has your full Board received ethics and compliance training in the last two years?

1. Yes, they have had full role-relevant training that includes case studies of issues they may face as board members.

2. Yes, they have taken the same training that all Company employees have completed.

3. They have only received a briefing on our Ethics and Compliance Program.

4. No, they have not received any training.

5. I don’t know.

CLIENT CONFERENCE

Board training should be:

Role relevant

Effective

CLIENT CONFERENCE

Typical elements of Board training:

Frameworks for ethics and compliance programs (USSG, OECD, global requirements, risk based)

Board’s oversight responsibilities

Specific compliance and ethics environment and risks to the organization and to the Board

Creating a culture of integrity—challenges and building blocks - Board observations and potential areas of impact

Cases relevant to their roles and responsibilities

CLIENT CONFERENCE

They need to know (be trained) about issues they could face

Many CCO’s assume that boards know it already and are afraid to discuss Board-specific risks.

Boards need and want to talk about things like:

oConflicts of interest – personal and organizational

oInsider trading

oGifts, gratuities, influences

oRecognizing their unintended influence

oIssues that have happened with other companies and Boards

oExecutive accountability

What do you tell them in training?

CLIENT CONFERENCE

Use case studies and ask how they would respond:

You and they will be surprised to learn they aren’t as

aligned as they think they are…

CLIENT CONFERENCE

Case example: the anonymous letter…

Several members of the Board receive an anonymous letter stating that a local Company manager is “playing games with the books on a project in process in Corruptistan” but the letter provides no additional information about which project, who is involved, or

the specific alleged financial impropriety.

What should the Board do?

Does it matter that the report is anonymous?

What if the allegation involves a colleague at the Board table?

CLIENT CONFERENCE

Questions the Board should ask you…

What information do you get to give you comfort that compliance risks are covered?

Do leaders set the right tone? How are they perceived by employees?

Do we have a “make plan at all costs culture?” Is candor rewarded or punished? What about fear of retaliation?

How are we at discipline? Are top performers and high level people held accountable to the Code of Conduct in the same way as other employees?

Are there any risks that aren’t being addressed as they should be?

Do you have visibility to business unit compliance?

CLIENT CONFERENCE

Questions the Board should ask you…(cont.)

Do your businesses/functions have the resources you need to do

your job appropriately?

Do you feel you have access to the CEO and us whenever you need

it?

What trends in issue types or company locations are you seeing?

Is there anything we should know? What keeps you [ethics officer] up at night?

If you had another $1 million to spend, what would you do with it?

CLIENT CONFERENCE

Questions:

CLIENT CONFERENCE

Thank you!

Contact information:

Carrie Penman, President, Ethical Leadership Group

NAVEX Global

cpenman@NAVEXGlobal.com

45