Last week, Convercent hosted a webinar on one of compliance’s hottest topics: reporting. With the role of the compliance executive changing before our eyes and having greater access to the CEO and board of directors, reporting is more prevalent than ever. During the live webinar, How Better Reporting Changes the Game for Compliance, we heard from Philip Winterburn, Chief Product Officer at Convercent and two compliance executives Korin Neff, SVP and Corporate Compliance Officer at Wyndham Worldwide Corporation, and Michael Massiatte, former Compliance Counsel at Denbury on their take on this popular topic!
The webinar started with powerful stats on the state of reporting and why it is critical to be able to report on your compliance program. Did you know that written reports to the board are delivered at least quarterly nearly 60% of the time? Reporting upwards is reality—38% of CCOs report to the CEO and 79% have a dotted line to the board.
Consumers, business buyers and governments worldwide demand greater proof and transparency that companies are proactively addressing ethics and compliance. Compliance executives are expected to bring real intelligence to demonstrate and bolster the value of compliance to business performance through reporting and analytics. Sounds great, right? Well, unfortunately it isn’t that easy. A survey recently done by Compliance Week and Deloitte found that 35% of CCO cite data analytics and reporting as one of the top three most challenging aspects of their job. The big problem stems from current compliance technology being siloed and inefficient, tied together by email, file sharing, excel and manual or antiquated processes. One stat that really stood out is that 53% of organizations rely primarily on spreadsheets, documents and email to manage compliance. Through the reports, CCO’s are able to pull compliance data including how many cases were submitted or who completed their training, but by and large, the data isn’t allowing them to understand the message behind the numbers, creating information blindness and flat metrics.
Philip shared that the problem with information blindness and “flat” metrics is that it:
- Lacks context and doesn’t paint a full picture
- Doesn’t highlight contributing factors or root causes
- Won’t help you identify or address problematic cultural or behavioral issues
- Doesn’t offer the analytic depth or richness expected in the C-suite and boardroom
- Makes it difficult to measure and defend program ROI, effectiveness and improvements
- Compliance management is disjointed and reactive instead of cohesive, predictive, proactive and preventative
Philip concluded his portion with the importance of analytics versus reporting. Reporting is important to get data points, but to get away from the flat metrics you need analytics to understand the messages behind the data. To accomplish this, you need to have all your data in one integrated system working together so you can see correlations and trends within your compliance program.
With all of this information working together, CCOs are able get a deeper and more intelligent understanding of what is happening and can answer those harder questions like “What regions have elevated FCPA risk?” or “Have we been consistent in applying sanctions?” Bottom line, having everything integrated in one platform to see correlations, patterns and a 360-degree view on employees, you are able to make faster and better decisions to ultimately mitigate risk.
Surveys and insights are great. But how do they actually affect compliance professionals who are in the trenches dealing with this everyday? That’s why we brought in Michael Massiatte and Korin Neff. They shared their first-hand examples of how two very different compliance programs measure and report on the program, along with the impact it’s made in their organization.
Enhancing Denbury’s Compliance Program
Michael Massiatte, former Compliance Counsel at Denbury, explained that Denbury truly had a siloed approach to compliance reporting. Reporting was done through disparate systems and various departments, as HR owned the learning management system and internal audit managed code of conduct, disclosure and risk. As Michael’s role shifted and he was tasked with building out a compliance program, he knew right away he needed one-integrated platform to provide him with a holistic view of what was going on within the organization.
After looking at several different vendors, Denbury selected Convercent’s corporate compliance management software due to their powerful reporting capabilities and user-friendly platform. Michael mentioned that it was so intuitive and easy-to-use, he was able to launch their code-of-conduct through Convercent while he was away on a business trip in a very short timeframe. Through Convercent’s software, Michael was able to bring together critical parts of his compliance program and integrate the way he managed risks, delivered policies and managed cases and disclosures.
With a quick glance at his dashboard, he was able to tell that 71% of employees had completed and attested to the employee handbook.
With Convercent’s Policy Manager, Michael shared dashboards on how he was able to see his policy attestations and completions in real-time. He expressed that the organization was struggling with policies being presented in a handbook since it was hard to determine the last time it was reviewed. With a quick glance at his dashboard, he was able to tell that 71% of employees had completed and attested to the employee handbook and 29% didn’t. Luckily, it wasn’t in a spreadsheet and he was able to drill down and focus on the 29% of people who hadn’t attested, allowing him to send a reminder notification to that specific group and look into patterns and additional data to try and learn why they didn’t. This extra step moved Michael and Denbury’s compliance program from simply putting a band-aid on a problem to identifying the source of the issue and hopefully preventing it in the future.
Michael displayed an example of a heat map that helped him understand, collaborate and prioritize risks. One feature that Michael really focused on was the real-time updates and how he was constantly watching what was happening throughout his organization and monitoring the risk areas that needed more attention. He had a very small team and everything was fairly new, so having those insights on what to prioritize was game changing. For example, when he linked policies to the company’s identified risk areas, he found that a certain group of employees in Mississippi weren’t getting the proper training from upper management, which was the root cause of the policy violation issue.
Michael was able to simplify and standardize the compliance program by bringing their data to a centralized location. Once all the data was in one place, he was able to see what the biggest issue was and target training and policy deployments to a particular employee, function, location or region. Michael is very passionate about having the ability and vision to send certain messages to certain groups and could never have done this if he was looking at spreadsheets. The easy access to real time data allowed him to understand behavior versus just have data points.
Beyond better data and program analysis, Michael also took a fresh approach to conflict of interest management. Though the initiative (and the team’s use of Convercent’s Disclosure Manager) is fairly new, Michael shared the immediate benefit of being able to interact more quickly with disclosing parties. In the past, when disclosures were done by email, the internal audit team was not able to get back to the reporter right away since they were mixed in with day-to-day emails. Now, with disclosure reports in a centralized, dedicated space, Michael is able to get back to the employee quickly so they can do the right thing. He also has the chance to learn a lot more about a situation before it becomes an issue. Michael expressed that having a two-way dialogue really takes the fear out of calling a hotline since employees get the response in a timely fashion and in comprehensive way.
Using the Right Metrics for a Mature Program
Korin Neff spearheads the compliance program at Wyndham Worldwide Corporation. She shared how a more mature, robust program benefits from reporting and analytics. Korin made a very good point right away, that no matter how mature a program is, the landscape of compliance is ever-changing. Once you have metrics you can never sit back, relax and coast since you are continuously reporting on various things.
Reporting is such a must-have to the compliance department, but Korin took a step back and asked the question, “why should you measure and report.” The most obvious answer is, of course, to have the data to report to those audiences. But there are also other benefits to reporting. She noted the importance of measuring the effectiveness of a program in relation to determining her budget and key projects. Just like anything else, you have to substantiate why you are doing something and what the ROI is going to be, so to have metrics in your back pocket really helps senior leaders understand that in time this can save the company money.
Benchmarking was the second reason she discussed. With all the benchmarking reports and data that are released and studied, it is important to have your own data so you know where you fall and can compare your organization to others.
Lastly, she touched on monitoring the program and, similar to what Michael said, this allows her to get ahead of potential problems and risks by seeing trends and behaviors—not just a flat metric.
Knowing whom you are reporting to effects the data you analyze and should be used to determine the appropriate metrics to report. At Wyndham, Korin reports pertinent compliance metrics to both external and internal audiences.
As important as it is for the CCO to report to the board, she explained that it is also important to report to customers and business partners since they will only want to do business with an ethical and compliant organization. For example, it is very important that the hotel group is active in the anti-human trafficking, so being able to show results of training done by franchisees and anyone that manages a hotel is very important, she said.
On the other side, there are a number of internal stakeholders that she reports compliance metrics to. The board of directors wants different information than senior leadership and senior management wants different information than the compliance group, so it is always important to adjust your data depending on the audience.
Korin broke down how she measures and reports into five different categories, keeping the Federal Sentencing Guidelines at the forefront.
- Key metrics relating to compliance risk areas
- Compliance processes
- Risk based metrics
- Metrics involving compliance projects
- Limited metrics for efficiency
In the webinar, Korin shared what she reports on (at a high level) and expressed the importance of the Federal Sentencing Guidelines on how Wyndham Worldwide categorizes metrics.
Korin has seen various benefits from deep reporting, including achieving what she feels is an effective compliance program, boosting productivity, increasing transparency and improving processes.
The major takeaway message from all three speakers is that having metrics is one thing, but being able to act on them and deeply assess them can significantly help an organization in a multitude of ways.