Podcast: Risk Management: Bringing a Compliance Program to Life
Compliance programs are difficult to design, and implementing and enforcing policies and procedures is challenging, especially in complex, global organizations.
In this podcast, the first in a series on challenges and best practices in risk mitigation and management, litigation & enforcement partner Amanda Raad and ethics and compliance consultant Hui Chen, former Department of Justice compliance counsel, discuss how companies can transform policies into a culture of compliance. The podcast covers:
- The importance of identifying and defining your company's values
- How to ensure clarity in your policies and uncover potential violations
- What metrics are effective at assessing risk
- How to meaningfully address risk exposure and encourage compliance
Amanda Raad: Hello, and welcome to our podcast. This is the first in our series of podcasts focused on risk mitigation and management. My name is Amanda Raad, and I am a partner at Ropes & Gray in our litigation and enforcement practice. Joining me is Hui Chen, former Department of Justice compliance counsel, and currently an ethics and compliance consultant. In this podcast, we’re going to discuss how companies can bring a compliance program to life and how to meaningfully use the results from a risk assessment. Compliance programs are hard to design and companies spend lots of time just making policies, sometimes binders and binders and binders of policies which I'm sure have been delivered to you for evaluation. But actually making that policy come to life is a bit of a challenge and there's lots of processes that employees need to follow. How do you do that? How do you get from the written paper of the policy to actual compliance?
Hui Chen: This is where I think we need to start with values. And this is why I'm such a strong advocate for companies actually identifying their own values. And this is not the values that you put on a board that you hired a marketing consultant to write a slogan for, but this is the values that attract your employees to work there. This is the values that drive you to be the company that you are. And I think that's where, you know, you need to start because once you have a clear set of values, what you do is to make sure everything you do reflects those values. And one of my favorite things to talk about is, I often talk to rooms full of lawyers.
Amanda Raad: Very exciting as that is.
Hui Chen: And I also at times speak at law schools in a room full of law students. And I always ask them, "How many of you have read the United States Constitution from beginning to end?" Not the Bill of Rights, not, you know, the first ten amendments, but the whole Constitution which by the way is not that long. And I would say it's an extreme minority. Usually less than 10% of the room that would say that they actually have read the Constitution. But it's a living document. Why is it a living document? Because its values are reflected in our society and people fight for it. When the values are actually threatened, people speak up, people vote. people go to court – that's how we keep the Constitution a living document. And I think there are similarities because the Constitution is our nation's code of conduct. And people don't read it, but certainly, for example, during the last election everybody wanted to know how the electoral college worked. So as things come up, and as choices are made, people always go back to that founding document and because that's something that reflects our values. And I think companies really need to think about their values and their code of conduct and everything else they do in light of their own values.
Amanda Raad: And it sounds like in doing that, so the Constitution is equivalent, right, to the policies of a company? But I think I hear you saying that it can be teaching moments. That you will get things wrong. You will find things that happen that are contrary to the policy, and that’s okay.
Hui Chen: Absolutely, yes.
Amanda Raad: That's how you work through the things. That's how you make sure you stay true to your values. And that's how you kind of govern conduct.
Hui Chen: That's okay so long as you learn your lessons from it every time. And I think, you know, that's where absolutely you'll get it wrong, because we're all human. But we think, you know, the important thing is that we learn the lesson so that we don't make the same mistakes over and over.
Amanda Raad: And I imagine that practically speaking, trying to put this in practical terms, it means you have to actually be testing and looking to see if there are policy violations, what kind of policy violations there are. You have to be pulling all of that together.
Hui Chen: Exactly, yes.
Amanda Raad: Otherwise you have no idea whether it's understood.
Hui Chen: Absolutely. And one of the metrics, for example, that I know some compliance officers have used are, for example, the type of questions they get on help lines. Because to them help line questions in certain areas indicate where people seem to have, you know, confusions about and that's why they call the hot line or help line to ask the questions. I also know, for example, compliance officers who track the click rates through their web pages because if certain pages on certain topics are clicked more often in a particular time period, for example, that may be indication that there is a problem somewhere. That, you know, some team or some parts of the operation is having reasons to really look into what is the company saying on this particular topic, and that may give you an indication as to where you might want to look into.
Amanda Raad: And even changes over time, right?
Hui Chen: Exactly.
Amanda Raad: So if all of a sudden you have a market where there was open communication or that, you know, you were seeing things in a speak-up culture and it stops, or vise versa, right?
Hui Chen: Exactly, yes.
Amanda Raad: That’s all important going back to data.
Hui Chen: Absolutely, yes. Right, that’s right.
Amanda Raad: You've taken the data and you've worked with the employees and with the business to come up and actually complete an effective risk assessment. But then you come up with meaningful results. You have a lot of data you've pulled together. You have a lot of information that you've pulled together. It can be overwhelming. How do you pull that all together and action it so that you're actually responding to what you've found in a meaningful way?
Hui Chen: The key here is thinking back to the purpose of risk assessment, which is for you to understand the risk so that you can respond to it, and responding to it means a number of things. You can address issues that you believe to be emerging. You can set controls at the appropriate place. You can allocate your resources accordingly. So one of the things that I always find interesting is in many companies when you talk about, for example, anti-bribery and corruption, people immediately go to gifts and entertainment. So the next thing I would ask them is, "How much out of your total spend is actually on gifts and entertainment?" Very few companies, if any, have the majority of their spend, third-party spend, on gifts and entertainment. It's usually there are other areas of vendor spending and third-party spending that is significantly more risky than that if you just look at the financial data. So companies that, when they do anti-bribery and corruption, allocate disproportionate amount of resources to gifts and entertainment would be misusing their resources. So the idea is getting an understanding of where your risks really are and actually adjust your resources and, you know, resources not just in terms of money and people, but attention, to the places where those are needed the most.
Amanda Raad: And maybe the fact that companies focus so disproportionately on gifts and entertainment goes back to with thinking that that's what the regulators want you to address instead of actually looking at the risk in your particular company. Is that fair?
Hui Chen: I think some of it comes from people thinking, at least in the anti-bribery area, bribes, giving people money and, "Oh, that's what gifts are for." It's the whole sense of, you know, it's giving and therefore they look at the gifts and the meals and the hospitalities. You know, I'm not sure really what has accounted for this excessive focus, but I have always found that to be interesting. And let's, you know, take this also to another area. I mean, if you're talking about, for example, safety and health compliance, then you have to look at where the high risk activities are there. And, you know, you have office workers, for example, in an oil company, let's say, and rig workers. Clearly, rigs is where you need to pay more attention for your safety and health issues. And so I think, you know, the important thing is remember the purpose of risk assessment. It is to help guide your choices in terms of where to pay attention.
Amanda Raad: Thank you, Hui. For additional news and insights, please visit www.ropesgray.com. Thank you for listening.